Department of Homeland Security Daily Open Source Infrastructure Report

Monday, April 19, 2010

Complete DHS Daily Report for April 19, 2010

Daily Report

Top Stories

According to the Associated Press, a Texas man has been jailed after allegedly jumping the fence surrounding a nuclear-missile launch site in northwest North Dakota maintained by Minot Air Force Base. (See item 40)

40. April 16, Associated Press – (North Dakota) Nuclear missile protestor arrested in ND. A Texas man has been jailed after allegedly jumping the fence surrounding a nuclear-missile launch site in northwest North Dakota. Authorities identified the man as being from San Antonio. The suspect told The Minot Daily News in a telephone call from the missile site before he was arrested that he was peacefully protesting nuclear weapons. An FBI Special Agent said the investigation was ongoing but that terrorism did not appear to be involved. The suspect was jailed on felony criminal trespass charges. Authorities did not immediately decide on possible federal charges. The Minuteman III missiles that dot the northwest North Dakota countryside are maintained by Minot Air Force Base. Source:

KXO 1230 El Centro reports that the Imperial Irrigation District and the Bureau of Reclamation are assessing damage to the All-American Canal siphon where it passes over the New River in California. The damage was caused by the April 4 earthquake and subsequent aftershocks. (See item 72)

72. April 15, KXO 1230 El Centro – (California) Damage to All-American Canal detected. The Imperial Irrigation District (IID) and the Bureau of Reclamation are assessing damage to the All-American Canal siphon where it passes over the New River in California. The damage was caused by the Easter Sunday, April 4, earthquake and subsequent aftershocks. Seepage has been detected at three points in the structure, according to the IID chief administrative officer and EOC director. He said that an incident command post has been established at the project site and the immediate area has been secured. “While this is a key facility in the IID water delivery system and it warrants careful monitoring in the days ahead,” he said, “the seepage problem has been isolated and mitigation efforts performed by the bureau and IID staff at the site appear to have stabilized the situation.” It has been determined that the twin overhead siphons carrying water from the All-American Canal across the New River west of Calexico are structurally sound, and there is no risk to the district’s water users or the general public. Source:


Banking and Finance Sector

18. April 16, New York Times – (New York) U.S. accuses Goldman Sachs of fraud. Goldman Sachs, which emerged relatively unscathed from the financial crisis, was accused of securities fraud in a civil suit filed on April 16 by the Securities and Exchange Commission (SEC). The SEC claimed the bank created and sold a mortgage investment that was secretly devised to fail. The move marked the first time that regulators have taken action against a Wall Street deal that helped investors capitalize on the collapse of the housing market. Goldman itself profited by betting against the very mortgage investments that it sold to its customers. The suit also named a vice president at Goldman who helped create and sell the investment. The instrument in the SEC case, called Abacus 2007-AC1, was one of 25 deals Goldman created so the bank and select clients could bet against the housing market. Those deals, which were the subject of a December article in The New York Times, initially protected Goldman from losses when the mortgage market disintegrated, and later yielded profits. As the Abacus deals plunged in value, Goldman and certain hedge funds made money on their negative bets, while the Goldman clients who bought the $10.9 billion in investments lost billions of dollars. Source:

19. April 16, Minneapolis Star Tribune – (Minnesota) Recovered: Stolen data on 3 million student loan borrowers. Stolen personal information on more than three million student-loan borrowers was recovered during the discovery in Minneapolis of two safes containing CDs and floppy discs, Minnesota investigators said April 16. The safes were stolen sometime over the March 20-21 weekend from the Oakdale headquarters of Education Credit Management Corp. (ECMC), a nonprofit that services and insures student loans, according to the state Bureau of Criminal Apprehension (BCA). The safes were found about 48 hours later in Minneapolis, the agency said. According to BCA, the personal information on the digital media does not appear to have been compromised. The thieves stole information on about 3.3 million customers, including names, addresses, dates of birth and Social Security Numbers. The crooks did not obtain bank account or other financial information. Source:

20. April 15, Associated Press – (California) 18 arrested in Bay Area mortgage fraud case. Federal authorities have arrested 18 people in the San Francisco Bay area in a $10 million mortgage-fraud case. Indictments against the defendants were unsealed on April 14, the same day the suspects were taken into custody. Authorities said that between 2005 and 2009, the defendants misrepresented buyers’ incomes, identities and other information in order to obtain mortgage loans from banks and other lenders. The defendants include current or former bank employees, real estate agents and one mortgage broker. An FBI spokesman said the losses added up to at least $10 million. He said some of the defendants worked together on the loan applications and all 18 are believed to have some affiliation with each other. Source:

21. April 15, eWeek – (International) PayPal patches critical security vulnerabilities. PayPal said it has closed a number of security holes uncovered by an Avnet Technologies security researcher, the most critical of which could have allowed an attacker to access PayPal’s back-end reports system for business and premier accounts and acquire a mountain of customer data. The vulnerabilities were patched recently after the researcher brought them to the site’s attention. The most critical bug was a permission-flow problem that could have exposed a massive amount of customer data. “An attacker was able to access and watch any other user’s financial, orders and report information with unauthorized access to the report backend application,” the researcher explained. “When users have a premier account or business account the transaction details of their orders are saved in the reports application … an attacker can look at any finance reports of premier or business accounts in the PayPal reports application and get a full month [and] day summary of the orders reports.” Source:

22. April 15, Anderson Independent-Mail – (South Carolina) Secret Service urges caution after discovery of credit card skimming scheme. The United States Secret Service (USSS) said it has found evidence of an international credit and debit card fraud scheme in South Carolina and is urging consumers to exercise caution. The special agent in charge of the USSS field office in Columbia said about 10 ATMs in the Upstate, Midlands and Pee Dee regions of South Carolina have been found with skimming devices attached to their card readers, capable of capturing a credit or debit card’s account information. He said investigators have traced the skimmers to a Bulgarian crime organization that has been linked to compromised bank accounts in Indiana, Ohio, Michigan, Illinois and South Carolina. Remote ATMs, those that are not located at a local bank branch, are the most susceptible to skimming, the special agent said. Source:

23. April 15, WKRC 12 Cincinnati – (Ohio) Hairless robber wore Hollywood movie mask. Police said an accused serial bank robber, known as the “hairless” robber, was able to target four Cincinnati-area banks and a pharmacy in the span of three hours because he was slipping in and out of a sophisticated disguise. The 30-year-old suspect is being held on $3 million bond on charges that he was the “man behind the mask” in a string of April 9 robberies. He allegedly held up the Key Bank in the Brentwood Shopping Center in Finneytown, then the Fifth Third bank in the Woodlawn Kroger, followed by the Key Bank near Tri-County Mall, the CVS in Springdale, and the Franklin Savings and Loan in Forest Park. Police said he also robbed the Chaco Bank in Forest Park on March 5. In each case, the suspect wore a Hollywood movie mask known as “The Player,” which changed his appearance and made him look African-American. Police said the suspect was able to elude them easily because he was likely taking the mask off between robberies and driving to each location as a white man ... when police were looking for a black man. Source:

24. April 6, Homeland Security Today – (International) US escalating money-laundering probes. Authorities in both the United States and Mexico have publicly recognized the homeland security threat posed by the dirty cash that flows virtually unchecked across the international frontier. Wachovia Bank recently agreed to pay $160 million to settle allegations by the Treasury and Justice departments that it operated with a weak anti-money laundering regime between May 2003 and June 2008. While the fine suffered by Wachovia is relatively large, it is not the first bank targeted by Treasury and Justice for laundering drug money for Mexican casas de cambio. In September 2007, Union Bank of California (UBOC) agreed to pay $31.6 million for similar transgressions. Immigration and Customs Enforcement, the largest investigative agency in DHS, is well aware of this activity, as are other law enforcers and bank regulators. However, as long as the veritable river of drug cash continues to flow southward into Mexico, these funds are going to find their way back into the U.S. financial system via American banks with perilous risk appetites and weak controls. Source:

Information Technology

49. April 16, The Register – (International) Attacks exploit unpatched weakness in Adobe apps. Criminals behind the notorious Zeus crimeware package have begun exploiting an unpatched hole in the widely used portable document format to install malware on end-user computers. The booby-trapped PDF documents arrive in e-mails that purport to contain a billing invoice, according to a post from M86 Security Labs. If the user opens the documents and clicks through a series of dialog boxes, PDF readers from Adobe will execute a file that makes the PC part of a botnet. (The Foxit reader will automatically save the malicious file to the user’s hard drive.) The attack is a ham-handed use of a feature included in the PDF specification that allows documents to automatically run code: it requires JavaScript to be turned on, and it does not alter the wording of one of the dialog boxes, as a security researcher showed was possible. Source:

50. April 16, IDG News Service – (International) China reports millions of Conficker worm infections. China last year hosted more than one in four of the world’s computers infected with a major variant of the Conficker worm, according to an official report, highlighting the wide reach of malware inside the country. China had about 7 million Internet Protocol (IP) addresses infected with Conficker B at the end of last year, according to a recent annual security report posted on the Web site of China’s National Computer Network Emergency Response Technical Team. The number of infections varied during the second half of the year, which the report covered, but was higher than five million during all but one week. The huge figures gave China up to 28 percent of the world’s Conficker B infections depending on the week, the report showed. The controllers of Conficker so far have hardly used their network of infected computers, but they could potentially use it to launch a crippling denial-of-service attack by ordering all of the computers to contact a victim server at the same time. Source:

51. April 15, DarkReading – (International) IE 8 security features could be turned against users, researchers say. The good news is that Microsoft’s Internet Explorer 8 browser offers a new set of filters designed to prevent some cross-site scripting (XSS) attacks. The bad news is that those same filters could be used to enable XSS attacks. That was the gist of a presentation on April 15 by two security researchers at the Black Hat Europe conference in Barcelona, Spain. In a paper presented at the conference, the researchers described several methods that attackers could use to enable XSS on sites that would otherwise be immune to XSS. “There’s an irony here because you’re using filters that are designed to improve security to launch attacks on sites that take security seriously,” said one of the researchers during a telephone interview prior to the presentation. The vulnerabilities were found in several filters that Microsoft added to IE 8 to help identify and “neuter” simple XSS attacks, the researcher explained. “The neutering mechanism can be abused by an attacker to block benign content on a page,” the paper said, altering the way a page is rendered. “For example, embedded JavaScript can be blocked from executing by ‘faking’ an XSS attack.” This approach could paradoxically be used to disable JavaScript code that would otherwise protect the site, thus allowing an attack, the researchers said. Source:

52. April 15, SC Magazine – (International) Apache Software Foundation confirms that it was attacked last week via employees clicking on an obfuscated Web link. The Apache Software Foundation has confirmed that it was hit by a direct, targeted attack, specifically against the server hosting its issue-tracking software. The Apache infrastructure team confirmed that it uses a donated instance of Atlassian JIRA to track issues and requests for its projects. In a report, it said that on April 5 the attackers opened a new issue, INFRA-2591, via a compromised Slicehost server. This issue contained a message claiming “I’ve got this error while browsing some projects in JIRA,” with a Web link included via a URL-shortening service. The shortened URL redirected back to the Apache instance of JIRA, to a URL containing a cross-site scripting (XSS) attack. The attack was crafted to steal the session cookie of the user logged in to JIRA, and when this issue was opened against the infrastructure team, several of its administrators clicked on the link. This compromised their sessions, including their JIRA administrator rights. At the same time, the attackers started a brute-force attack against the JIRA login.jsp, attempting hundreds of thousands of password combinations, and on April 6 one of these was successful. The report claimed: “Having gained administrator privileges on a JIRA account, the attackers used this account to disable notifications for a project, and to change the path used to upload attachments.” Source:
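The password-guessing run against login.jsp described in item 52 is the kind of burst an access-log monitor can catch while it is still under way. The detector below is an added example, not code from the ASF report or from Atlassian; it assumes combined-format access log lines (the sample lines are constructed) and a window and threshold that a site would tune to its own traffic.

```python
"""Sliding-window detector for a login brute force against JIRA's login.jsp.

Added example, not from the ASF report or Atlassian. It parses combined-format
access log lines (constructed below), counts POSTs to /login.jsp per client
address inside a rolling window, and raises one alert per address once the
count crosses a threshold. Lines are sorted by timestamp first, so out-of-order
delivery from several front ends does not split a burst across windows.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_PATH = "/login.jsp"
WINDOW = timedelta(seconds=60)
THRESHOLD = 20            # POSTs per address per window before alerting (assumed tuning)


def parse_line(line: str):
    """Return (ip, timestamp, method, path-without-query, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD) -> dict:
    """Map each alerting client address to the burst that triggered the alert."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    recent = defaultdict(deque)   # per-address timestamps inside the current window
    alerts = {}
    for ip, ts, method, path, _status in events:
        if method != "POST" or path != LOGIN_PATH:
            continue                # page views and other endpoints are not attempts
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {"first": q[0], "last": ts, "count": len(q)}
    return alerts


def make_line(ip: str, ts: datetime, method: str, path: str, status: int) -> str:
    """Build one combined-format access log line (used only to construct sample data)."""
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{method} {path} HTTP/1.1" {status} 512'


# Constructed sample: one address posts to login.jsp every two seconds (the
# dictionary attack), one legitimate user retries three times over twenty
# minutes, and one ordinary page view of the issue named in the report.
BASE = datetime(2010, 4, 6, 2, 13, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [make_line("203.0.113.7", BASE + timedelta(seconds=2 * i), "POST", "/login.jsp", 200)
              for i in range(25)]
SAMPLE_LOG += [make_line("192.0.2.10", BASE + timedelta(minutes=10 * i), "POST", "/login.jsp", 302)
               for i in range(3)]
SAMPLE_LOG.append(make_line("198.51.100.5", BASE + timedelta(seconds=5), "GET", "/browse/INFRA-2591", 200))

if __name__ == "__main__":
    for ip, hit in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {hit['count']} POSTs to {LOGIN_PATH} between {hit['first']} and {hit['last']}")
```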

53. April 15, DarkReading – (International) SAP, other ERP applications at risk of targeted attacks. Backdoor Trojans and rootkits that let attackers gain a foothold and remain entrenched in a compromised system aren’t just for Windows PCs anymore — SAP and other enterprise resource planning (ERP) applications are also susceptible to this form of attack. A researcher at Black Hat Europe in Barcelona, Spain this week demonstrated techniques for inserting backdoors into SAP applications to enable attackers to gain control of them. The director of research and development at Onapsis said an attacker would initially exploit weak database protections or vulnerabilities in the underlying operating system, for instance, to gain access to the SAP apps and data. The hacks do not exploit any new or existing vulnerabilities in SAP. Once the system is compromised, the attacker would grab the necessary elevated privileges to insert the stealthy backdoor code and remain under the radar to pilfer sensitive information. With the backdoor in place, the attacker could modify a victim company’s electronic payments to a vendor, for example. “So every automated payment to that vendor would go to the attacker’s [bank] account [instead],” the director said. Source:

54. April 15, BBC – (International) Porn virus publishes web history of victims on the net. A new type of malware infects PCs using file-share sites and publishes the user’s net history on a public Web site before demanding a fee for its removal. The Japanese Trojan installs itself on computers using a popular file-share service called Winny, used by up to 200 million people. It targets those downloading illegal copies of games in the Hentai genre, an explicit form of anime. The Yomiuri Web site claims that 5,500 people have so far admitted to being infected. The virus, known as Kenzero, is being monitored by Web-security firm Trend Micro in Japan. Masquerading as a game-installation screen, it requests the PC owner’s personal details. It then takes screen grabs of the user’s Web history and publishes them online in their name, before sending an e-mail or pop-up screen demanding a credit card payment of 1,500 yen (£10) to “settle your violation of copyright law” and remove the Web page. Source:

55. April 15, ZDNet – (International) Google: Scareware accounts for 15 percent of all malware. In an upcoming research paper entitled “The Nocebo Effect on the Web: An Analysis of Fake AV distribution”, Google’s Security Team is about to release the results from a 13-month study into the growth of fake-security software, also known as scareware or fake AV. The analysis is based on a sample of 240 million Web pages, in which 11,000 domains involved in fake AV distribution were discovered. Some of the other findings: fake AV currently accounts for 15 percent of all malware Google detects on the web; fake AV attacks account for 60 percent of the malware discovered on domains that include trending keywords; and fake AV is responsible for 50 percent of all malware delivered via advertisements. Google researchers were able to identify only a small number of domains, even though 60 percent of the domains hijacking trending topics serve scareware and 50 percent of all malware delivered through malvertising is fake AV. Source:

56. April 15, ComputerWorld – (International) Zeus botnet exploits unpatched PDF flaw. The Zeus botnet is now using an unpatched flaw in Adobe’s PDF document format to infect users with malicious code, security researchers said on April 15. The attacks come less than a week after other experts predicted that hackers would soon exploit the “/Launch” design flaw in PDF documents to install malware on unsuspecting users’ computers. The just-spotted Zeus variant uses a malicious PDF file that embeds the attack code in the document, said the CTO of San Diego, California-based security company Websense. When users open the rogue PDF, they are asked to save a PDF file called “Royal_Mail_Delivery_Notice.pdf.” That file, however, is actually a Windows executable that, when it runs, hijacks the PC. Zeus is the first major botnet to exploit a PDF’s /Launch feature, which is, strictly speaking, not a security vulnerability but a design function of Adobe’s specification. Earlier in April, a Belgian researcher demonstrated how a multistage attack using /Launch could successfully exploit a fully patched copy of Adobe Reader or Acrobat. Source:
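Because /Launch is a documented PDF action rather than a parser bug, items 49 and 56 describe something a mail gateway or triage script can screen for directly. The scanner below is an added example, not code from the report, M86, Websense or Adobe; it assumes only raw PDF bytes, and every sample file it checks is constructed inline (the decoy file name is the one quoted in item 56).

```python
"""Triage scanner for the PDF /Launch action that the Zeus PDF campaign relies on.

Added example, not code from the report or any vendor it cites. It works on raw
bytes, normalizes name escapes such as /L#61unch that defeat a plain grep, and
inflates FlateDecode streams because object streams can hide the action dictionary.
"""
import re
import zlib

NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")      # a PDF name token
HEX_ESC_RE = re.compile(rb"#([0-9A-Fa-f]{2})")       # #xx escape inside a name
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")           # action subtype Launch
TRIGGER_RE = re.compile(rb"/(OpenAction|AA)\b")      # fires without a click
FILE_RE = re.compile(rb"/F\s*\((.*?)\)", re.S)       # /F (target) of the action


def normalize_names(data: bytes) -> bytes:
    """Decode #xx escapes in every name so /L#61unch compares equal to /Launch."""
    def fix(m):
        return b"/" + HEX_ESC_RE.sub(lambda h: bytes([int(h.group(1), 16)]), m.group(1))
    return NAME_RE.sub(fix, data)


def inflate_streams(data: bytes):
    """Yield the inflated body of each FlateDecode stream, skipping undecodable ones."""
    for m in STREAM_RE.finditer(data):
        head = normalize_names(data[max(0, m.start() - 300):m.start()])
        if b"/FlateDecode" not in head:
            continue
        try:  # decompressobj ignores the newline that precedes 'endstream'
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            pass


def scan_pdf(data: bytes) -> dict:
    """Report Launch actions, their /F targets and whether an auto-run trigger exists."""
    findings = {"launch": False, "targets": [], "auto_trigger": False}
    views = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    for view in views:
        for m in LAUNCH_RE.finditer(view):
            findings["launch"] = True
            # heuristic: /F normally sits in the same small dictionary as /S /Launch
            for f in FILE_RE.finditer(view[m.end():m.end() + 200]):
                target = f.group(1).decode("latin-1")
                if target not in findings["targets"]:
                    findings["targets"].append(target)
        if TRIGGER_RE.search(view):
            findings["auto_trigger"] = True
    return findings


def verdict(findings: dict) -> str:
    """'clean', 'launch-present' (needs a click) or 'launch-autorun' (/OpenAction or /AA)."""
    if not findings["launch"]:
        return "clean"
    return "launch-autorun" if findings["auto_trigger"] else "launch-present"


# Constructed samples: SAMPLE_EVASIVE hex-escapes the 'a' in Launch and names the
# campaign's decoy file; SAMPLE_OBJSTM hides the action in a FlateDecode object stream.
SAMPLE_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n%%EOF\n"
SAMPLE_EVASIVE = (
    b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
    b"3 0 obj << /Type /Action /S /L#61unch /Win << /F (Royal_Mail_Delivery_Notice.pdf) >> >>"
    b" endobj\ntrailer << /Root 1 0 R >>\n%%EOF\n"
)
_HIDDEN = zlib.compress(b"4 0 << /Type /Action /S /Launch /F (constructed_sample.exe) >>")
SAMPLE_OBJSTM = (
    b"%PDF-1.5\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Page /AA << /O 4 0 R >> >> endobj\n"
    b"5 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
    + str(len(_HIDDEN)).encode() + b" >>\nstream\n" + _HIDDEN + b"\nendstream\nendobj\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("clean", SAMPLE_CLEAN), ("evasive", SAMPLE_EVASIVE), ("objstm", SAMPLE_OBJSTM)):
        print(label, verdict(scan_pdf(pdf)), scan_pdf(pdf)["targets"])
```

A hit on a file that the mail flow presents as an invoice or delivery notice is a quarantine decision, not a reason to parse further; the click-through dialog the items describe is the only thing standing between the user and the launched file.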

57. April 15, DarkReading – (International) Databases at risk of man-in-the-middle attacks. A set of Oracle vulnerabilities that makes the platform vulnerable to man-in-the-middle (MITM) attacks highlights the weaknesses of database protocols and serves as a warning to organizations to take a look at how they handle their database traffic. At Black Hat Europe on April 15, two researchers from Trustwave’s SpiderLabs security team demonstrated how attackers can take advantage of database information that is often transmitted in clear text by using common MITM attacks to downgrade the authentication mechanism, obtain leaked operating system (OS) credentials, and hijack sessions to issue their own queries. The researchers demonstrated the approach using a new proof-of-concept tool they developed, called thicknet. According to one of the researchers, the lessons to be drawn from their findings are not limited in scope to the Oracle world. “Takeover on a live session is applicable to other databases,” the researcher said. “We [discussed] this during our presentation today [April 15] and believe we can extend the support of our tool, thicknet, to abuse other databases in the future.” Source:

For another story, see item 21 above in the Banking and Finance Sector

Communications Sector

58. April 15, Jackson County Times-Journal – (Ohio) Time Warner Cable service interruptions due to gunshots. Ohio residents experiencing loss of cable service provided by Time Warner in the past 24 hours can now take solace in knowing that the problem has been fixed, for the most part. In speaking with the vice president of communications for Time Warner Cable Mid-Ohio Division, the Jackson County Times-Journal learned that almost all service was restored by around 1 p.m. April 15. She stated that thousands of customers in the area were without cable service for approximately 15 hours or more. The reason why the service was not available is unusual. According to a lieutenant of the Jackson County Sheriff’s Office (JCSO), two gunshots fired in the western part of Jackson County on April 14 caused service interruptions for residents of Pike, Jackson and Vinton counties. The shots damaged Time Warner’s fiber-optic lines, thus causing the outages. At this time, few details are being released as the incident remains under investigation with the JCSO. A suspect has been named and charges are being prepared for delivery to a Jackson County prosecuting attorney. Source:

59. April 15, GPS World – (International) Failure imminent for WAAS GEO satellite. The Federal Aviation Administration (FAA) announced Thursday that one of two Wide Area Augmentation System (WAAS) GEO satellites will drift out of usable orbit within two to four weeks. Earlier this week, Intelsat announced it had lost control of its Galaxy 15 satellite, which hosts the WAAS Satellite Based Augmentation System (SBAS) transponder used by the FAA. The FAA said it is monitoring the satellite, but that failure is imminent. When G-15 is out of usable orbit, WAAS will be disrupted for users in northwest Alaska. The rest of the WAAS service area — U.S., Canada, Mexico — will operate normally but will be reduced to a single point of failure with only one WAAS-broadcasting satellite remaining. The FAA is investigating at least two alternative solutions. One calls for using Inmarsat 3, which WAAS used before switching to Galaxy 15 in 2006. The other requires accelerating the testing of Inmarsat 4-F3; testing is already in progress and scheduled for completion in December 2010. But neither of the two proposed solutions is an immediate one. The FAA stated that integrating POR back into operational WAAS would take 12 to 16 months. The quickest solution would be to accelerate the implementation of PRN 133, which might enable the FAA to shave 1 to 2 months off the original target date. The FAA also reported that with only a single WAAS GEO broadcasting satellite, users might experience a temporary loss of service 3 to 5 times this year for up to five minutes each while WAAS Uplink Station switchovers occur. Source: