Department of Homeland Security Daily Open Source Infrastructure Report

Friday, May 7, 2010


Top Stories

The Associated Press reports that a truck explosion and fire at the AGE Refining facility in San Antonio on Wednesday threatened to ignite nearby fuel supplies. Residents and businesses were urged to stay at least one mile from the fire. The National Parks Traveler also reports that the explosion temporarily closed parts of San Antonio Missions National Historical Park. (See items 4 and 61)

4. May 5, Associated Press – (Texas) Fuel fire stabilized after San Antonio refinery explosion. One person was critically burned and one person remains missing following an explosion and fire at a San Antonio refinery. San Antonio’s fire chief says they are still looking for the driver of a truck that exploded late Wednesday morning, causing chain reaction blasts at the AGE Refining facility on the city’s southeast side. The driver of another truck has been hospitalized with critical burn injuries. The fire chief says several other workers have been treated for injuries, but they have accounted for everyone but the driver of the truck that exploded. He says they are working to figure out if they can reach shut-off valves that would cut off the fuel while they tamp the flames down. A black plume of smoke was visible 40 miles away as firefighters went door-to-door urging residents to stay at least one mile from the fire, which threatens to ignite nearby fuel supplies. The company, which serves the U.S. Air Force, handles jet fuel and diesel. The fire also affected plane and bus travel in the area, according to officials. Source:

61. May 6, National Parks Traveler – (Texas) Refinery accident causes brief concerns at San Antonio Missions National Historical Park. An explosion at a jet fuel and diesel refinery May 5 in San Antonio, Texas temporarily closed parts of a nearby national park. Two structures that are part of San Antonio Missions National Historical Park were closed temporarily and precautionary measures were taken for possible contamination of important waterways. Officials were concerned that the refinery fire could ignite nearby fuel tanks holding hundreds of thousands of gallons of jet fuel. Park officials immediately responded by closing Mission San Juan and Mission Espada, two of the four key historic sites in the park. The park visitor center at Mission San Jose remained open during the incident, with park officials closely monitoring the situation due to the large cloud of smoke created by the fire. The fourth key site in the park, Mission Concepcion, was not affected. Park officials said the park staff worked closely with emergency haz-mat teams to identify the locations of critical park resources located immediately adjacent to the refinery. Aggressive work by 100 firefighters brought the fire under control without further damage. The park was back open for business May 6, according to park officials. Source:

The Register reports that Facebook engineers on Wednesday disabled the site’s live chat function after people outside the company discovered a bug that allowed users to eavesdrop on their friends’ conversations. (See item 53 below in the Information Technology Sector.)


Banking and Finance Sector

22. May 6, South Florida Business Journal – (Florida) Seven South Floridians charged in mortgage fraud scheme. Seven South Floridians were indicted on charges they took part in a mortgage fraud scheme that defrauded three financial institutions out of about $5 million in loans. Each was charged with one count of conspiracy to commit wire and bank fraud. According to the indictment, unsealed Wednesday, two of the men were employed at Infinity Mortgage Solutions in Miami and were involved in the fraudulent financing of mortgages for at least eight residential properties in Miami-Dade County. The two allegedly recruited individuals to pose as purchasers of the properties, according to a news release from the U.S. attorney for the Southern District of Florida. The others acted as straw buyers. Once the properties were purchased, the men allegedly made mortgage payments until the properties could be flipped at an inflated price and used the profits to purchase more properties, according to the news release. “Eventually, they stopped making the loan payments and the properties went into foreclosure, resulting in significant losses to Countrywide Home Loans, Fremont Investment & Loan, WMC Mortgage and other lenders,” the news release stated. If convicted, they face up to 20 years in prison on each count of conspiracy and wire fraud. Source:

23. May 5, IDG News Service – (International) Hacker develops multi-platform rootkit for ATMs. One year after his Black Hat talk on Automated Teller Machine security vulnerabilities was yanked by his employer, a security researcher plans to deliver the talk and disclose a new ATM rootkit (bugs in the software used to run the machines) at the computer security conference. He will demonstrate several ways of attacking ATM machines, including remote, network-based attacks. He will also reveal a “multi-platform ATM rootkit,” and will discuss things that the ATM industry can do to protect itself from such attacks. He was set to discuss ATM security problems at last year’s conference, but his employer, Juniper Networks, made him pull the presentation after getting complaints from an ATM maker that was worried that the information he had discovered could be misused. Source:

24. May 5, eWeek – (International) How cyber-crooks turn stolen data into money on eBay. In a quickswapping scheme, a cyber-crook will use sites such as eBay or Amazon to offer an expensive item at a cheap price. After a deal is reached, the scammer will make an enticing offer — they will agree to ship the item to the buyer and only accept payment after the person has checked it out. Next, the scammer will use credit card information he or she previously pilfered with malware such as Zeus to purchase the item and send it to the buyer. After the buyer sends the agreed payment via Western Union or WebMoney, the scammer disappears, leaving the person whose card was stolen with an illegal charge and the quickswapping buyer at risk of having the item confiscated by police as stolen merchandise. While quickswapping is new, it is very similar to a reshipping scam. “As recently as two or three years ago, these types of scams were run by one to two individuals or groups, but as online fraud increases in both numbers and sophistication there has become a growing need for specialization within each portion of the scam,” the senior manager of identity protection and verification at RSA told eWeek. Source:

25. May 5, Reuters – (New Jersey) N.J. exec pleads guilty over online stock scam. A New Jersey executive admitted on Wednesday to one count of conspiracy to commit wire fraud before a U.S. district judge in Newark, New Jersey, U.S. Investigators including the U.S. Securities and Exchange Commission accused the executive and a colleague of diverting money from clients of three companies they ran, despite saying the money was being invested safely. The men diverted money from clients of their Sherbourne Capital Management Ltd and Sherbourne Financial Ltd, to their payroll services company Ameripay LLC, and diverted money from Ameripay clients to cover other obligations. The Saddle Brook resident was released on bail pending an August 4 sentencing, where under recommended federal guidelines he could receive a prison term of 97 to 121 months plus a fine. He also agreed to make $10.2 million of restitution to victims. The scheme ran from December 2004 to May 2009, and the case against the colleague is still pending. Source:

26. May 4, KYW 3 Philadelphia – (Pennsylvania) Gauze-wearing bandit uses improvised explosive device to rob Wyncote bank. The FBI is searching for a bandit who used an apparent improvised explosive device to rob a Montgomery County bank Tuesday afternoon. The heist happened shortly before 3 p.m. at the Citizens Bank branch located at 3201 West Cheltenham Avenue in Wyncote, Pennsylvania. According to investigators, the suspect entered the bank carrying a bag. He presented a threatening demand note to a teller, and displayed what appeared to be an improvised explosive device in the bag he was carrying. After obtaining an undisclosed amount of cash, the suspect fled the scene on foot. Source:

27. May 4, DarkReading – (International) Adobe’s new privacy feature for Flash clashes with online fraud detection. When Adobe releases Flash Player 10.1 in the next couple of months, users of the application will have clearer, easier-to-set privacy options for their browser cookies. But more user privacy comes at the expense of fraud detection processes: The upgraded software is likely to disrupt some ecommerce and online banking sites that rely on cookies as another layer to authenticate their customers. Many ecommerce and online banking sites use these so-called user “tags” to confirm the user is legitimate and to prevent unauthorized access to legit user accounts on their sites. But Adobe’s move to let users wipe Flash cookies clean signals the end of this practice, security experts say, making it obsolete in the next three years. If Flash’s new privacy features are widely adopted by users, then it will have a major ripple effect on online banking, says a vice president and analyst at Gartner. Businesses will be forced to adopt different fraud prevention approaches, which she says is good news for fraud detection: “Banks and others will have to rely on more sophisticated technologies,” she says. “Flash objects and cookies are good at identifying good people, but they do nothing to identify bad people. Bad people aren’t going to have these objects on their PCs.” Some of the largest financial institutions and ecommerce players already are starting to implement alternative authentication methods, she says. She suggests clientless device identification as well as secure downloads of tagging software users can be prompted to execute. Source:

Information Technology

51. May 6, Computerworld – (International) Security firm reveals Microsoft’s ‘silent’ patches. Microsoft silently patched three vulnerabilities last month, two of them affecting enterprise mission-critical Exchange mail servers, without calling out the bugs in the accompanying advisories, a security expert said Thursday. Two of the three unannounced vulnerabilities, and the most serious of the trio, were packaged with MS10-024, an update to Exchange and Windows SMTP Service that Microsoft issued April 13 and tagged as “important,” its second-highest threat ranking. According to the chief technology officer of Core Security Technologies, Microsoft patched the bugs, but failed to disclose that it had done so. Source:

52. May 6, Help Net Security – (International) Security risks of web application programming languages. A new WhiteHat report examined the security of specific programming languages. Nearly 1,700 business-critical websites were evaluated to provide organizations with insight into the relative security of the development frameworks they deploy, and the associated vulnerabilities that put them at risk. Perl had the highest average number of historical vulnerabilities found at 45 percent followed by Cold Fusion at 34 percent. Additionally, Perl, Cold Fusion, JSP and PHP were most likely to contain at least one serious vulnerability at approximately 80 percent of the time. Among the lowest historical vulnerability averages were ASPX (Microsoft’s .NET) and DO (Struts Java) with 19 percent and 20 percent, respectively. WhiteHat’s latest report contains data collected between January 1, 2006 and March 25, 2010, and finds that the percentage of high, critical or urgent issues continues to slowly increase. Vulnerability remediation rates are climbing as well, particularly in the Urgent and Critical categories, with an average rate of roughly 70 percent. Still, with up to 30 percent of vulnerabilities remaining open for an average of nearly three months, many websites remain in an uncomfortable risk position. Cross-Site Scripting (XSS) maintains its position in the Top 10 list along with many other common classes of attack. Cross-Site Request Forgery (CSRF) did not make the Top 10 list for languages such as Perl and PHP, but Directory Indexing did. The diversity of vulnerability issues across languages can be attributed to the fact that one website can possess hundreds of unique issues from a specific class such as XSS and Content Spoofing, while other sites may not contain any. Source:

53. May 5, The Register – (International) Facebook bug allowed users to eavesdrop on chats. Facebook engineers on Wednesday disabled the site’s live chat function after people outside the company discovered a bug that allowed users to eavesdrop on their friends’ conversations. The site also had to take emergency action to correct a separate hole that allowed users to see their friends’ pending friend requests. Ironically, the gaffes were the result of a new “preview my profile” service Facebook added late last month in an effort to give users more control over their privacy settings. In a statement issued a few hours after the bug was reported by TechCrunch, Facebook said it temporarily suspended the chat function while it patched the information leak. With that work completed, it said it expected to turn chat back on “shortly.” Over the past month, Facebook has been under siege by a variety of critics who say the site is imperiling the privacy of its 400 million or so users. Source:

54. May 5, InformationWeek – (California) Gmail ditched by major university. In a potential blow to Google’s efforts to establish itself as a major player in enterprise software, a leading public university has ended its evaluation of Gmail as the official e-mail program for its 30,000 faculty and staff members. In a joint letter last week to employees, the University of California-Davis CIO, Academic Senate IT chair, and Campus Council IT chair said the school decided to end its Gmail pilot because faculty members doubted Google’s ability to keep their correspondences private. The UC Davis IT leaders’ letter additionally stated that “outsourcing e-mail may not be in compliance with the University of California Electronic Communications Policy.” Google officials insisted that their privacy controls are adequate. “By and large, it’s not typical of what we’re seeing in the market. We’re seeing lots of schools move their students and faculty onto Gmail,” said a business development manager in the Google Apps for Education group, who also noted that UC Davis students are continuing to use the service and that Gmail users’ privacy is protected by contractual assurances that govern data handling. Source:

Communications Sector

55. May 4, Data Center Knowledge – (Virginia) Terremark extinguishes fire, stays online. Early on April 30, a fire broke out in one of the data center electrical rooms at Terremark’s NAP of the Capital Region in Culpeper, Virginia. The facility remained online throughout the entire event. The incident happened at about 12:30 a.m. in a basement electrical room in Data Center B, the second of the two operational facilities at the NAP of the Capital Region. “We had a fault in the medium voltage room,” said the Senior VP of Infrastructure for Terremark. A preliminary investigation points to a malfunction in a transformer. “The UPS and generators responded as they were designed to, and the customers upstairs didn’t realize anything had happened,” he said. Terremark staff were able to isolate the room from the rest of the facility’s operations, and along with the local fire department, used halon extinguishers to contain and put out the fire. He also noted the value of a good relationship with local emergency officials. “When we opened this facility, we invited the fire department and local emergency officials to come and tour the place and ask any questions they had,” he said. “The fire department knows what risks exist, and in which areas. We were able to isolate the problem, and prove to them that there was no power to that room, and they didn’t make us shut down.” Data Center B remains on generator power as Terremark repairs and replaces the equipment in the electrical room where the incident occurred. In the meantime, the generators are supported by more than 520,000 gallons of on-site diesel storage. Source:

56. May 3, DatacenterDynamics – (Texas) Network outages disrupt traffic for The Planet data center customers. The technical support team of data center service provider The Planet was left to dig through a tall pile of SLA request tickets from customers who suffered the effects of network outages that affected the company’s Houston and Dallas data centers late Sunday and throughout Monday morning. The first outage, which affected two Houston facilities, was followed by another disruption on Monday morning, affecting Dallas and Houston facilities. The first outage began around 11:45 p.m. on Sunday and service was fully restored in about 1.5 hours, according to a supervisor for the company’s overnight technical support. The network issue, affecting connectivity in The Planet’s core network in Houston, was caused by the failure of one of four border routers there “to properly maintain standard routing protocols.” The issue prevented some customers’ servers from being able to connect to the Internet. Besides being unable to move within The Planet’s core network, traffic headed for that router also could not reach several Internet transit providers directly connected to the device. The company did not provide any more specifics about the issue’s root cause, saying only that it had isolated the router from the network and had “escalated the issue to our vendor for further analysis.” The vendor’s name was not disclosed. According to initial analysis, the second disruption, which happened around 8 a.m. on Monday, was caused by “a circuit between Dallas and Houston,” according to a post on The Planet’s Twitter feed. The issue had been fixed by the time the update was posted. The company said it believed the two issues were unrelated. Source: