Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, May 20, 2010

Complete DHS Daily Report for May 20, 2010

Daily Report

Top Stories

The Boston Globe reports that the Boston Fire Department (BFD) said a chlorine leak in a truck near Boston College has been contained. A BFD spokesman said an entry team of firefighters found one of the chlorine cylinders was leaking on the box truck Tuesday. “They fixed the leak and ventilated the vehicle,” he said. People were being allowed back on the college’s campus, where two buildings had been evacuated, and Beacon Street is being reopened in the area. (See item 6)

6. May 18, Boston Globe – (Massachusetts) Chlorine leak near BC is fixed. A chlorine leak in a truck near Boston College has been contained, the Boston Fire Department said. A spokesman said an entry team of firefighters found one of the chlorine cylinders was leaking on the box truck Tuesday. “They fixed the leak and ventilated the vehicle,” he said. People were being allowed back on the college’s campus, where two buildings had been evacuated, and Beacon Street is being reopened in the area. The truck for Airgas, a company that distributes industrial and medical gases, had delivered 10 chlorine tanks to the Dedham Water Department, and was on its way to deliver gases to the college when the driver noticed there might be residual chlorine leaking from an empty cylinder, authorities said. “The driver noticed a possible leak, pulled over about 12:15 p.m., and notified the fire department,” the spokesman said. Officials declared a Level 3 Haz-mat situation, shutting down a section of Beacon Street from the Chestnut Hill Reservoir to College Road in Newton, Massachusetts. No injuries were reported. A Boston College spokesman said the Merkert Chemistry Building and Campion Hall, which houses the Lynch School of Education, had been evacuated. He said that classes at the college were already over and today was the last day of exams so there were few students around. The truck had picked up eight empty chlorine cylinders at the Dedham Water Department. It was also carrying propane and hydrogen gas in separate tanks inside the vehicle. Source:

According to The McDowell News, a mixture of chemicals at Walmart in McDowell County, North Carolina Tuesday evening forced the evacuation of the store and sent a dozen people to the hospital. The Marion, North Carolina fire chief said an employee combined a couple of cleaners in the back of the store in preparation for scouring the bathrooms. (See item 70)

70. May 19, The McDowell News – (North Carolina) Walmart evacuated; 12 sent to hospital. A mixture of chemicals at Walmart in McDowell County, North Carolina Tuesday evening forced the evacuation of the store and sent a dozen people to the hospital. The Marion, North Carolina fire chief said an employee combined a couple of cleaners in the back of the store in preparation for scouring the bathrooms. He stated that he is not positive what chemicals were mixed, but he believes it was an absorbent substance used in RV tanks and Clorox. The employee was overcome by fumes, and the smell eventually got to others. The EMS director said 12 people were transported to McDowell Hospital, complaining of respiratory and eye irritations. Twelve more refused treatment or transport at the scene. The majority, if not all, of the patients were employees. The call came into the 911 center at 6:03 p.m. Members of the Marion Fire Department, McDowell County EMS, McDowell County Rescue Squad, Marion Police Department, and McDowell County Emergency Management responded to the scene and immediately evacuated the building. The fire chief stated that he got samples of the mixture, and that officials will continue to examine it. Walmart reopened shortly after 8 p.m. Source:

Banking and Finance Sector

22. May 19, SC Magazine – (National) US regulators form plans to encourage banks to better protect customers from online fraud. A panel of regulators in the U.S. is drafting plans to force banks to protect their customers better from a surge in online account fraud. According to a report in the Financial Times (FT), a panel with representatives from the FDIC, the Federal Reserve System and other agencies is reacting to the rapid evolution of malicious computer programs designed to drain accounts. Among its plans is to require financial institutions to contact customers through means besides the Internet, following European banks’ practice of placing calls to clients’ mobile phones to confirm that they intend to transfer money. The FT report also claimed that banks were warned in 2005 not to rely merely on user names and static passwords, which has led to U.S. institutions adopting two-factor authentication for big depositors. However, directives from the FDIC and others have allowed banks to skip that step if they had multiple layers of security checks to flag suspicious money movement. Source:

23. May 19, Australian Broadcasting Corporation – (International) Anarchist group threatens G20 summit. A Canadian anarchist group has claimed responsibility for a firebomb attack in Ottawa on the country’s largest commercial bank, and is threatening to disrupt next month’s G8 and G20 summits in Ontario. In a statement after the attack, a self-proclaimed group of anarchists said the Royal Bank was targeted because it was a sponsor of the Vancouver Olympic Games, which the group claims were held on stolen indigenous land. They also say the Royal is a major backer of Alberta’s tar sands, which they describe as one of the most destructive industrial projects in human history. The statement was posted on a Web site along with a video showing the attack on the bank. The group has vowed to take its protest to Ontario for the G8 and G20 summits, where it says decisions will be made to further exploit people and the environment. Source:

24. May 18, Marketwatch – (National) Schapiro: SEC may push for market circuit-breakers. The Securities & Exchange Commission chairwoman said May 18 she expects her agency to issue preliminary findings on its inquiries into the “flash crash” on May 6, when the Dow Jones Industrial Average plunged nearly 1,000 points. Speaking via a video link to the CFA Institute’s 2010 Annual Conference in Boston, the chairwoman said that her agency, in conjunction with the Commodity Futures Trading Commission, has been “looking at a number of issues that can be remediated quickly, even before the exact cause of the crash is known.” Among the likely recommendations, she said, is the implementation of circuit-breakers or “speed bumps” that give stocks “the opportunity to pause throughout all markets.” Source:

25. May 18, Krebs on Security – (International) Fraud bazaar hacked., a German online forum dedicated to helping criminals trade and sell financial data stolen through hacking, has itself been hacked. The once-guarded contents of its servers are now being traded on public file-sharing networks, leading to the exposure of potentially identifying information on the forum’s users as well as countless passwords and credit card accounts swiped from unsuspecting victims. The breach involves at least three separate files being traded on The largest is a database file containing what appear to be all of the communications among nearly 5,000 forum members, including the contents of private, one-to-one messages that subscribers to these forums typically use to negotiate the sale of stolen goods. Another file includes the user names, e-mail addresses and in many cases the passwords of forum users. A third file — which includes what appear to be Internet addresses assigned to the various users when those users first signed up as members — also features a breezy explanation of how the forum was compromised. The top portion of this file includes an oblique reference to the party apparently responsible for the site compromise, noting that the file is the inaugural issue of Owned and Exposed, no doubt the first of many such “e-zines” to come from this group. The leaked database contains no small amount of password and banking information for many innocent victims. In addition, these types of vigilante attacks typically come with hidden cost: For one thing, while it may be true that law enforcement officials could use some of this information to locate people engaged in computer trespass, and in buying or selling stolen personal and financial data, the public release of this information could just as easily prompt those individuals to abandon those accounts and Internet addresses, and even potentially jeopardize ongoing investigations. Source:

26. May 18, ComputerWorld – (National) Smart credit cards arrive in U.S. — finally. Credit cards featuring smart-card technology have been standard fare around the world for several years now — but not in the U.S., where financial institutions have continued using cards based on less-secure magnetic stripe technology. That may finally be about to change. Last week, the United Nations Federal Credit Union (UNFCU) became the first financial institution in the U.S. to unveil plans to issue credit cards that comply with the Europay MasterCard Visa (EMV) smartcard standard. The credit union’s new Platinum Visa EMV cards will be issued to about 5,000 of its most high-value customers and can be used anywhere EMV cards are accepted. Cards based on the EMV standard use an embedded microprocessor instead of a magnetic stripe to store cardholder data and all of the other information needed to use the card for a transaction. Many financial institutions that issue EMV Chip cards also require cardholders to enter a Personal Identification Number (PIN) as an added security measure when using the card. Chip-and-PIN credit cards are considered to be significantly safer than cards with magnetic stripes, which has led to the widespread adoption of EMV smartcards across Europe and in several other countries. EMVCo, an organization run by MasterCard, Visa, American Express and others to administer the EMV standard, estimates that close to a billion EMV cards were in use worldwide in 2009. Source:

27. May 18, Help Net Security – (International) Phishing page steals prepaid debit card account information. Many people do not have a regular or a big enough income to receive a debit card, but would still like to have one since it can be really handy when settling bills or shopping online. The answer to this problem? Prepaid debit cards. The good thing about this option is that if card information is stolen and misused by cyber criminals, the monetary loss is limited to the (usually) small amount of money one has in one’s account. Since these cards are regularly used by low- to mid-income citizens, who really cannot afford to lose even that amount, Symantec’s revelation that there are phishing sites out there posing as the main Web site of a well-known prepaid debit-card service will provide an almost lifesaving warning. The phishing site notifies users that their account has been limited, and requires them to enter confidential information in order to re-activate the account. The entered data is then in the possession of the fraudsters behind this scheme, and it can be used to clean out the account. The pages’ URLs are randomly changed to avoid anti-phishing detection, but they are hosted on the same set of Internet Protocol addresses. According to Symantec, the attack method was prominent during the first half of May. Source:

28. May 17, Chicago Sun-Times – (Chicago) FBI offers $10K reward for info on ‘Citibank Bandit’. The FBI is offering a reward of up to $10,000 for information about the “Citibank Bandit,” responsible for the robbery of 11 banks, six of which were Citibank branches, in and around the downtown Chicago area since February 2009. The most recent incident was an attempted robbery on January 29 at the Midwest Bank branch at 500 W. Monroe. According to witnesses, the robber entered the bank, announced a robbery and handed the teller a note claiming to be armed with a weapon and threatening harm if his demands for cash were not met. The teller turned her back on the robber, and when she turned back, both he and the note were gone, a release from the FBI said. No shots were fired in any of the robberies and no injuries were reported. Source:

Information Technology

58. May 19, Network World – (International) Nanotech will be focus for future criminal hackers. Criminal hackers once rejoiced in manipulating the new digital phone systems in the 1960s and 1970s; then they moved on to using modems and hacking into mainframes in the 1970s and 1980s; then they exploited the new local area network technology and the burgeoning Internet in the 1980s. Malware writers moved from boot-sector viruses on floppy disks in the 1980s to file-infector viruses and then to macro viruses in the 1990s, and vigorously exploited worms and Trojans for botnets in the recent decade. So what’s next on the horizon? Recently a report in the “Random Samples” column by a contributor to SCIENCE magazine for Feb. 19, 2010 (Vol 327, p 927) told of the fuss in France “over the pros and cons of nanotechnology.” Apparently in late January 2010, “the committee organizing the series of 17 debates threw in the towel, replacing the final two meetings with ‘Internet workshops’ and making the wrap-up event in Paris on 23 February by invitation only.” The changes were the result of “heckling by antinanotech protesters in five cities.” The question remains, however, of whether the agents of change are and will be taking the lessons of information security into account as they explore the possibilities of new technology. For example, the nanoparticles called polyamidoamine dendrimers (PAMAM) “cause lung damage by triggering a type of programmed cell death….” The anti-nanotech organization NANOCEO (Nanotechnology Citizen Engagement Organization) has an enormous list of articles and scientific reports about the potential environmental risks of nanotechnology. Source:

59. May 19, Help Net Security – (International) Microsoft warns of flaw affecting 64-bit Windows 7. A vulnerability in the Canonical Display Driver (cdd.dll) in 64-bit versions of Windows 7 and Windows Server 2008 R2, and Windows Server 2008 R2 for Itanium-based Systems, could allow remote code execution. “The Windows Canonical Display Driver does not properly parse information copied from user mode to kernel mode,” states Microsoft in a security advisory published May 19. “In most scenarios, an attacker who successfully exploited this vulnerability could cause the affected system to stop responding and automatically restart. It is also theoretically possible, but unlikely due to memory randomization, that an attacker who successfully exploited this vulnerability could run arbitrary code. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” To take advantage of the vulnerability, the attackers would have to trick the user into viewing a “specially crafted image file with an affected application,” likely hosted on a malicious Web site. To do that, it is likely that they would employ social engineering tactics such as sending an e-mail or an instant message containing the malicious link and purporting to be from a user’s friend and with a link back to a curious/funny image, video, or test. Source:

60. May 19, The Register – (National) Man accused of DDoSing conservative talking heads. Federal prosecutors have accused a man of carrying out a series of botnet offenses including attacks that brought down the Web sites of conservative talking heads. The suspect was an undergraduate student at the University of Akron in Ohio at the time of the distributed denial-of-service (DDoS) attacks, which lasted over a five-day period in March 2008, prosecutors alleged in court documents. The attacks on, and “rendered each website inoperable, at least temporarily, and required intervention and repair by the owners of such sites, and caused damages or losses which exceeded $5,000,” they wrote. The suspect, who went by the handle “FrostAie,” also stands accused of using his botnet to launch a much bigger assault on a University of Akron server that knocked out the college’s entire network, depriving “tens of thousands of students, faculty and staff members” of connectivity for more than eight hours. Prosecutors said the attack appeared to be a mistake and that the intended target was an unnamed gaming server that was hosted on the university network. The outage cost the university more than $10,000. Prosecutors also accuse the suspect of using his botnet to steal credit card information. When agents raided the suspect’s dorm room on March 28 2008, they allegedly retrieved almost 3,000 stolen log-in credentials, and 136 pieces of data for compromising card accounts. Source:

61. May 19, CSO – (International) Expert: Skype worm no cause for panic. Security research firm Bkis earlier in May warned of a vicious virus targeting both Skype and Yahoo! Messenger. Bkis said in a blog post the attack involved inserting malicious URLs into chat windows with sophisticated social engineering hooks. Each time, the messages sent have different contents, noted Bkis researchers. Examples include “Does my new hair style look good? bad? perfect?” and “My printer is about to be thrown through a window if this pic wont come our right. You see anything wrong with it?” The message contains a link to a Web page that appears to lead to a JPEG or image file. “The users are more easily tricked into clicking the link by these messages, because users tend to think that “their friend(s)” are asking for advice,” Bkis said in its posting. “If a user clicks the link, his browser will immediately load to a website with Rapidshare-like interface, and a .zip file will be available for download.” The W32.Skyhoo.Worm, as it was named by Bkis, automatically exits if the victim’s computer does not have Skype or Yahoo! Messenger installed, and automatically sends messages with different contents containing malicious URLs to user names in the Skype/Yahoo! Messenger friend list of the user. The owner of the Web site and author of ‘Skype Me! From Single User to Small Enterprise and Beyond,’ spoke to CSO earlier this year about Skype’s benefits and challenges in the business environment. According to the owner and author, it is not Skype’s fault for this attack. Instead, the focus should be on awareness among users if they are using Skype in the workplace, and they should be given a warning about social engineering rather than worrying about the application’s security. Source:

62. May 18, Websense – (International) Zeus is forwarding Adobe updates again. Websense Security Lab ThreatSeeker Network has detected a new batch of malicious e-mails containing Zeus payloads. This campaign is very similar to another which Adobe reported on a couple of weeks ago. The social engineering tricks in this campaign have gotten considerably better. The messages appear to be forwarded from a director of information services who apparently received update instructions directly from an associate at Adobe. The message from the Adobe associate states that the update link is to patch CVE-2010-0193. There are two links in the message that lead to the same IP address hosting a PDF file for instructions and an executable that is meant to be the patch to apply. The executable file named adbp932b.exe (SHA1 0632f562c6c89903b56da235af237dc4b72efeb3) has minimal antivirus coverage of about 7 percent. The attackers sending these messages have taken their social engineering tactics even further with the executable file linked in the messages. There is a new executable hosted on the attacker’s IP address (SHA1 7af53e5924b45ebcb48d8b17e20b66a5979600f3) which seems to behave like a typical installer. There are even setup prompts and an EULA as one moves along in the installation, but once the installation is complete, a backdoor is installed on the victim’s computer. Because the number of messages is so small and the installer drops a backdoor, Websense believes this to be another targeted attack. Source:

63. May 18, IDG News Service – (International) Facebook fixing embarrassing privacy bug. Facebook is fixing a Web programming bug that could have allowed hackers to alter profile pages or make restricted information public. The flaw was discovered last week and reported to Facebook by a senior security analyst with security firm Alert Logic. The bug has to do with the way that Facebook checked to make sure that browsers connecting with the site were the ones they claimed to be. Facebook’s servers use code called a “post_form_id” token to check that the browser trying to do something — liking a group, for example — was actually the browser that had logged into the account. Facebook’s servers check this token before making any changes to the user’s page, but the analyst discovered that when he simply deleted the token from messages, he could change many settings on any Facebook account. Facebook worked with Alert Logic to fix the bug, known as a cross-site request forgery (CSRF), a Facebook spokesman confirmed in an e-mail message. “It’s now fixed,” he said. “We’re not aware of any cases in which it was used maliciously.” But as of late afternoon May 18, after the spokesman sent his e-mail, Facebook had not completely fixed the issue. For testing purposes, the researcher created a Web page with an invisible iFrame HTML element that he programmed in JavaScript. When the IDG News Service clicked on this page while logged into Facebook, it made the Facebook user automatically “like” several pages with no further interaction. Source:
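The failure mode in item 63 is a token check that fails open: it validates post_form_id when the field is present but treats an absent field as nothing to verify. The following is an added illustration, not Facebook’s code, contrasting that pattern with a fail-closed check; the session store, function names and the constant-time comparison are assumptions constructed for the example.

```python
import hmac
import secrets


def issue_token() -> str:
    """Generate a fresh per-session anti-CSRF token (constructed helper)."""
    return secrets.token_hex(16)


# Constructed session store: session id -> token issued at login.
# The field name post_form_id follows the article; the layout is assumed.
SESSIONS = {
    "sess-alice": {"post_form_id": issue_token()},
}


def vulnerable_check(session_id: str, form: dict) -> bool:
    """Fail-open check: validates the token only when one was submitted.

    A request with the post_form_id field removed skips validation
    entirely, which is the behaviour the article describes.
    """
    submitted = form.get("post_form_id")
    if submitted is None:
        return True  # defect: absence is treated as "nothing to verify"
    expected = SESSIONS[session_id]["post_form_id"]
    return hmac.compare_digest(submitted, expected)


def hardened_check(session_id: str, form: dict) -> bool:
    """Fail-closed check: a missing, empty, unknown-session or mismatched
    token is rejected, and comparison is constant-time."""
    submitted = form.get("post_form_id")
    expected = SESSIONS.get(session_id, {}).get("post_form_id")
    if not submitted or not expected:
        return False
    return hmac.compare_digest(submitted, expected)


def handle_like(session_id: str, form: dict, check) -> str:
    """Apply the state change ('like' a page) only if the CSRF check passes."""
    if not check(session_id, form):
        return "rejected"
    return "liked"


def run_regression() -> dict:
    """Exercise both checks with the three request shapes a reviewer
    would want covered: correct token, wrong token, token stripped."""
    good = {"post_form_id": SESSIONS["sess-alice"]["post_form_id"]}
    wrong = {"post_form_id": "0" * 32}
    stripped = {}  # the field deleted, as in the article
    return {
        "vulnerable": {
            "good": handle_like("sess-alice", good, vulnerable_check),
            "wrong": handle_like("sess-alice", wrong, vulnerable_check),
            "stripped": handle_like("sess-alice", stripped, vulnerable_check),
        },
        "hardened": {
            "good": handle_like("sess-alice", good, hardened_check),
            "wrong": handle_like("sess-alice", wrong, hardened_check),
            "stripped": handle_like("sess-alice", stripped, hardened_check),
        },
    }


if __name__ == "__main__":
    for name, results in run_regression().items():
        print(name, results)
```

The "stripped" case is the one to keep in a regression suite: it is the only shape on which the two checks disagree.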

64. May 18, IDG News Service – (National) FTC targets privacy concerns related to copy machines. The U.S. Federal Trade Commission has begun contacting copy machine makers, resellers and office-supply stores about privacy concerns over the thousands of images that can potentially be stored on the machines’ hard drives. The FTC chairman, in a letter to a U.S. Representative, said the agency has been working to alert copy-machine manufacturers and sellers of the privacy risks of the information that many copy machines store on their hard drives. The FTC is trying to “determine whether they are warning their customers about these risks ... and whether manufacturers and resellers are providing options for secure copying,” the chairman wrote in a letter released May 18 by the Representative’s office. CBS News, in a report that aired April 19, said that nearly every copy machine built since 2002 stores documents copied, scanned and e-mailed by the machines on their hard drives. The report found sensitive health and law-enforcement investigation information on copy machines ready to be resold. The Representative, in an April 29 letter to the FTC, called on the agency to investigate privacy concerns related to copy machines. Source:

65. May 18, Help Net Security – (International) Combat the malvertising threat. Malicious advertising, also referred to as “malvertising,” is a relatively new attack vector for cyber criminals that is quickly on the rise. With malvertising, fake malicious ads are delivered (often via advertising networks) to well-known Web sites as a way to reach millions of users at once on Web sites they normally trust. Unlike typical spam or virus attacks, which rely on victims to click on a link in an e-mail or accidentally download an infected program, malvertising attacks are presented on popular Web sites and can download malicious code directly onto a user’s computer when the victim views the compromised ad. By infiltrating an entire ad network, the criminal gains access to a broad number of syndicated Web sites that can spread malicious code even further. Millions of users have been infected by malvertising threats recently, as evidenced by the high-profile attacks on The New York Times, Gizmodo, TechCrunch, and other sites. Based on data generated from Dasient’s telemetry system, there are approximately 1.3-million malicious ads viewed per day. Traditionally, many publishers and ad networks only respond to a bad ad when a user complains about the problem, and one complaint could mean thousands have been infected already by a malvertisement. To deal with the threat, publishers and ad networks have had to manually investigate reports of bad ads, which takes time and resources. Because attacks are sporadic, it makes the source of the bad ad very hard to pin down. To-date, publishers and ad networks have not had an automated solution to address the malvertising problem. Source:

66. May 17, Technology Review – (International) Commercial quantum cryptography system hacked. When it comes to secure messaging, experts say nothing beats quantum cryptography, a method that offers perfect security. Messages sent in this way can never be cracked by an eavesdropper, no matter how powerful, according to experts. At least, that is the theory. On May 17, three researchers at the University of Toronto in Canada said they have broken a commercial quantum cryptography system made by the Geneva-based quantum technology startup ID Quantique, the first successful attack of its kind on a commercially available system. Any proof that quantum cryptography is perfect relies on assumptions that do not always hold true in the real world. Identify one of these weaknesses and a loophole is found that can be exploited to hack such a system. The new attack is based on assumptions made about the types of errors that creep into quantum messages. It is impossible to get rid of errors entirely, so some errors must be tolerated. Various proofs show that if the quantum bit error rate is less than 20 percent, the message is secure. However, these proofs assume that the errors are the result of noise from the environment. The researchers say that one key assumption is that the sender can prepare the required quantum states without errors. She then sends these states to the receiver and together they use them to generate a secret key that can be used as a one-time pad to send a secure message. But in the real world, the sender always introduces some errors into the quantum states she prepares, and it is this that the researchers have exploited to break the system. Source:

Communications Sector

67. May 19, BBC – (International) Europe outlines plan to boost broadband by 2020. Half of European households will have broadband speeds of 30Mbps (megabits per second) by 2020, the European Union has pledged. It also promised universal broadband coverage by 2013 while getting half of Europeans using public services and shopping online by 2015. It is part of the European Union’s five-year plan for the digital economy. The raft of measures was announced by the newly-appointed digital affairs commissioner. The EU’s digital agenda will see over 30 laws introduced over the next three years. Laying out her plans, the commissioner said that the EU invested 40 percent less in technology than the U.S. It meant that nearly a third of Europeans had never used the Internet and only 1 percent had access to fiber-based high-speed networks. In order to catch up, EU governments must double their annual spending on research and development to 11bn euros (£9.4bn) by 2020. Source:

68. May 18, Government Technology – (National) FCC waivers and funding could fuel nationwide public safety network. The FCC took a significant step toward building a nationwide public safety network last week by clearing the way for 21 cities, counties and states to begin building their own fourth-generation wireless networks. The commission gave conditional approval May 12 to waiver requests from New Jersey, Los Angeles County, Boston and 18 other entities to start creating 4G networks known as Long Term Evolution (LTE) networks. These networks could begin to form a nationwide interoperable wireless network that has been sought by public safety officials since the September 11, 2001 terrorist attacks on the U.S. The FCC’s National Broadband Plan calls for creating a nationwide public safety network within the 700 MHz D Block of radio spectrum formerly used by television broadcasters. In 2008, the commission attempted to auction the D Block spectrum to commercial telecom providers, with the winner required to build a nationwide network and share it with public safety agencies. But there were no takers, and a new D Block auction is not expected until 2011. The LTE networks approved last week will use 10 MHz of spectrum that public safety was granted in 1997. But the FCC required that the new networks be compatible with the proposed national D Block 700 MHz network. Source: