Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, June 22, 2010

Complete DHS Daily Report for June 22, 2010

Daily Report

Top Stories

• The 76-year-old water plant that serves Annapolis, Maryland, is teetering on the edge of failure, putting Annapolitans at risk of losing potable tap water and threatening to hinder fire service, officials warned the city council June 17, the Annapolis Capital reported. (See item 35)

35. June 18, Annapolis Capital – (Maryland) City’s water plant may fail. The 76-year-old water plant that serves Annapolis, Maryland, is teetering on the edge of failure, putting Annapolitans at risk of losing potable tap water and threatening to hinder fire service, officials warned the city council June 17. The plant off Defense Highway in Parole, Maryland is in imminent danger of going out of service and needs to be overhauled or replaced as soon as possible, officials said. If some parts of the plant fail, the city could be out of water in as little as 24 hours, they said. The plant, which went into service in 1934, was designed to treat and pump 10 million gallons of water per day. But with age, the volume has dwindled to 8 million, still enough to meet the city’s average need of 5 million gallons per day. The last major upgrade was in 1954. Literally held together with pieces of duct tape and strips of rubber, the water plant’s parts are so old that replacements are no longer on the market. Some parts would have to be manufactured to replace faulty ones. Projections show it will take between $52 million and $55 million to refurbish the plant or between $48 million and $50 million to rebuild a new facility adjacent to the old one. The chief administrative officer said it would take four years to overhaul or replace the current system if designs were drawn up today and the replacement was expected to last 75 years. Once work was finished, the city could try to form a partnership with the county for running the plant. That way, he said, if the city’s plant had to close in an emergency, the county’s system could still provide city residents with water, and vice versa. Source: http://www.hometownannapolis.com/news/top/2010/06/18-04/Citys-water-plant-may-fail.html

• According to the Arizona Daily Sun, 300 firefighters are battling a 5,000-acre wild-lands fire burning northeast of Schultz Pass in Arizona. No structures had been lost as of June 20, but containment was at 0 percent. (See item 66)

66. June 21, Arizona Daily Sun – (Arizona) Up in smoke: Schultz fire chars 5,000 acres; 750 homes evacuated. Three hundred firefighters are battling a 5,000-acre wild-lands fire burning northeast of Schultz Pass in Arizona. No structures had been lost as of June 20, but containment was at 0 percent. The Schultz fire was reported around 11 a.m. June 20 near Forest Road 420 — Schultz Pass Road. It was the second major wildfire in two days. The Hardy fire south of I-40 Saturday burned 300 acres and forced 170 homes to be evacuated. Officials on Sunday evacuated Horse Camp along FR 556 and about 750 homes in nearby Timberline and Wupatki Trails neighborhoods west of Highway 89. About 170 animals from the Second Chance shelter were moved to the Fort Tuthill County Park. The shelter had previously been an evacuation site for animals at the Coconino Humane Association, which was evacuated June 19 in response to the Hardy fire. Northbound Highway 89 was closed at Silver Saddle Road. Southbound Highway 89 was closed 2 1/2 miles north of Sunset Crater. The Sunset Crater and Wupatki national monuments were closed and evacuated. Source: http://www.azdailysun.com/news/local/article_b533ea2a-f302-5748-b8b9-e7d966dffde4.html

Details

Banking and Finance Sector

13. June 20, The Associated Press – (International) Twin car bombs kill 28 near bank in Baghdad. Two suicide car bombers struck a crowded area outside a state-run bank June 20 in Baghdad, killing nearly 30 people in the latest attack targeting a high-profile part of the capital. The blast, which tore the glass facade off the three-story Trade Bank of Iraq building, leaving chairs and desks exposed, occurred shortly after 11 a.m. as the area was packed with people at the start of the local work week. Iraqi officials initially said the explosives-packed cars were parked a few hundred yards apart, but later said the attacks were staged by suicide bombers. The chairman of the Trade Bank of Iraq — which was established to facilitate international trade and reconstruction efforts after the 2003 U.S.-led invasion — said five guards were among the dead, and that six others were wounded. “The work of building Iraq’s economic strength ... goes on uninterrupted, as does the work of the bank, which will be open for business tomorrow,” the chairman said in a statement after the attack. Source: http://www.google.com/hostednews/ap/article/ALeqM5hwK_CSpBxsNuVUEaDuOwmSSCiqGwD9GF5QJ00


14. June 19, Bank Info Security – (Nevada) 1 bank closed June 18. State and federal regulators closed one bank June 18. This closing raises to 92 the number of failed institutions so far in 2010. Nevada Security Bank, Reno, Nevada, was closed by the Nevada Financial Institutions Division, which appointed the Federal Deposit Insurance Corporation as receiver. Umpqua Bank, Roseburg, Oregon will assume all of the deposits of Nevada Security Bank. The five branches of Nevada Security Bank will reopen as branches of Umpqua Bank. Nevada Security Bank had approximately $480.3 million in assets. The estimated cost to the Deposit Insurance Fund will be $80.9 million. Source: http://www.bankinfosecurity.com/articles.php?art_id=2668


15. June 18, SCMagazine – (National) Security budgets stable or increasing at financial firms. Despite the current global recession, information-security budgets at financial institutions generally are staying stable, and many even have increased, according to a study conducted by accounting and consulting firm Deloitte. The seventh annual survey of security spending and priorities at financial institutions worldwide, released June 17, found that 56 percent of information-security budgets have increased. Additionally, the survey found there was a 20 percent drop this year in the percentage of respondents who said a lack of sufficient budget is a major barrier to information security (36 percent in 2010, compared to 56 percent in 2009). Further, respondents at more than 70 percent of organizations said they are planning to implement at least one new security technology in the next 12 months. When it comes to security priorities, the largest percentage of respondents cited identity and access management, followed by data protection, security-infrastructure improvement, regulatory and legislative compliance, and compliance remediation. Source: http://www.scmagazineus.com/security-budgets-stable-or-increasing-at-financial-firms/article/172793/


16. June 18, The Register – (National) Microsoft and eBay build fraudster blacklist. Microsoft is teaming up with eBay and several other organizations to create a blacklist of fraudulently obtained log-in details for online services or compromised credit card numbers. Other members include PayPal, the Federal Trade Commission, National Consumers League and the American Bankers Association. The service goes live today and will allow investigators to quickly inform banks, for instance, of dodgy card use. Previously, if security researchers uncovered a phishing attack, informing all the different institutions that may have had accounts compromised was a real hassle. The Internet Fraud Alert makes clear that it does not offer help for consumers, who should contact their bank or whichever institution holds their account. According to experts, the problem with such a system could be the false positives: people who have done nothing wrong but find their account details on the blacklist. Source: http://www.theregister.co.uk/2010/06/18/microsoft_ebay_fraud/


17. June 18, Farmington Daily Times – (Colorado; New Mexico; National) FBI investigates credit card scam. More than 270 credit card accounts were used in purchases across the country after the computer systems at two Serious Texas Bar-B-Q restaurants in Durango, Colorado were breached between February and April, an FBI special agent said. The FBI took over the case after people in the region filed reports with law enforcement agencies. The security breach was mitigated in late April, and the company no longer is vulnerable to the cyber thieves, he said. If people paid for a meal at either restaurant with a credit or debit card during the breach, their account numbers still may be in the hands of crooks. The chief operating officer at Citizen’s Bank in Farmington, New Mexico said some of the bank’s customer account numbers were stolen, though he would not say how many. The consumers will get their money back after they go through a “dispute process,” he said. The co-owner of Serious Texas Bar-B-Q said the problem was a nationwide attack against companies that used Aloha Software. He said his company was notified of the security breach by Mastercard in April, and the restaurant spent $600 to have its software upgraded by April 28. Two weeks ago, the restaurant was contacted by Durango police, who said people who ate at the restaurant during the three-month security breach were reporting fraudulent charges. Source: http://www.daily-times.com/ci_15331917


18. June 18, Lowell Sun – (Massachusetts) Billerica police warn of scams. Police are warning unsuspecting Billerica, Massachusetts residents of several telephone scams designed to defraud them of money, and urge anyone receiving suspicious solicitations to contact their local police department or the FBI. The latest scam involves a legitimate company known as Consumer Impressions Inc., of Texas. Residents receive a package, which they have not ordered, from the company, with instructions on how to participate as a “Mystery Shopper.” Included in the package is a cashier’s check, usually from Citibank, for a large amount of money, sometimes in the thousands of dollars, made out to the resident. The instructions ask the resident to shop at a local superstore, such as Walmart, then send a smaller portion of the funds back to the company via Western Union. It takes about three days for the bank to notify the participant that the check was fraudulent. Another scam, according to Billerica police, was recently reported by the Council on Aging, which reported that a senior citizen was recently contacted by a person posing as a representative from a pharmaceutical company offering a free item. The caller began asking for personal information that could have been used for fraudulent purposes. In recent months, residents have reported receiving calls from people claiming to be holding a family member hostage and demanding the target send money immediately to a specific address or the hostage would be harmed. Police believe it to be part of a nationwide organized fraud. In most cases, police are able to quickly determine that the person allegedly being held is not in jeopardy and, in fact, is not even aware of the call. In other cases, area residents have been receiving calls from people claiming to be either law-enforcement representatives or attorneys saying that a family member is in custody and urging residents to send bail money or attorney fees via Western Union to secure their release. Most of those calls originate from outside the country, particularly Canada, police said. Source: http://www.istockanalyst.com/article/viewiStockNews/articleid/4228096


Information Technology


48. June 21, The New New Internet – (International) Zeus malware distributed via terror-themed spam. Spammers are notorious for latching on to the most recent trend in an effort to increase click rates. Recently, a spam campaign containing Zeus malware utilized recent concerns over terrorism to send messages which appeared to be sent by the Department of Homeland Security, Transportation Security Administration and Department of Defense. Researchers at Sophos Labs have discovered a low-yield campaign that targets government users with enticing subjects like “Report on Defending and Operating in a Contested Cyber Domain” and “RE: Al-Qaeda in the Arabian Peninsula.” “Unlike some of the other Zbot runs we’ve seen, this current run is relatively low volume,” writes a SophosLabs Canada researcher in a blog post. “Nevertheless, this trickery by the Zbot crew is not new. They’ve tried to spoof other agencies such as the NSA (National Security Agency) back in February, going as far as coming up with a spam run that ‘reports’ on their own attacks.” The e-mails contain links to the supposed reports, which actually are zip files containing the Zeus Trojan. Source: http://www.thenewnewinternet.com/2010/06/21/zeus-malware-distributed-via-terror-themed-spam/


49. June 21, The Register – (International) Security firms taking days to block malware. Anti-malware vendors can take up to 92.48 hours to block malicious sites, potentially leaving clients in blissful ignorance of threats to their systems in the meantime. Security researchers ISS Labs reviewed a range of endpoint security products from 10 big-name security vendors and their response to “socially engineered or consensual malware threats.” It said 15,000 to 50,000 such threats per day were presenting themselves. Effectiveness rates varied from a 35-percent block rate to 88.3 percent. Vendors’ average times to respond to new threats ranged from 4.62 hours to 92.48 hours, with the high end turned in by Panda, IDC said. Of the 10 vendors profiled, just three managed response times of less than 30 hours. The researchers concluded that vendors with “in the cloud reputation systems” kept much more malware off their clients’ desktops. However, most vendors do not have such systems, or, the report concluded, they are still immature and have yet to have an impact on detection rates. Vendors covered by the survey were: AVG, Norman, ESET, Panda, F-Secure, Sophos, Kaspersky, Symantec, McAfee and Trend Micro. Source: http://www.theregister.co.uk/2010/06/21/malware_delays/


50. June 18, DarkReading – (International) Looking for vulns in all the right places? Experts say you might be missing a few. The biggest vulnerabilities in the enterprise might be items people see every day — and just don’t think about. Experts say that vulnerability assessments often overlook the everyday dangers: Network-attached devices that aren’t computers; paper documents; passwords posted in plain view; portable storage devices. Most of these are technologies that would never be taken into account by a traditional vulnerability scan. Yet they could lead to data leaks just as surely as a keylogger or a data-stealing Trojan, experts say. “Peripheral devices on the network may have capabilities the business doesn’t know of,” said a delivery manager for custom testing at security assessment firm ICSA. “And those capabilities can create security vulnerabilities.” Printers, fax machines, and multifunction devices with persistent storage could all serve as entry points for a sophisticated hacker. And the presence of internal storage might not be clear at first glance, nor does it necessarily show up on traditional security audits. A thorough vulnerability assessment should include examining all hard-copy devices for internal-storage capability — this could require contacting the manufacturer or even opening the machine. Enterprises also should take steps to ensure that digital files are wiped from these devices as soon as the hard copy is produced or the fax transmitted. This could mean purchasing and installing additional software from the manufacturer. Source: http://www.darkreading.com/vulnerability_management/security/perimeter/showArticle.jhtml?articleID=225700674


51. June 18, The H Security – (International) Automatic web encryption (almost) everywhere. The HTTPS Everywhere extension for Firefox automatically redirects users to secure SSL connections when they access certain Web pages – if this is supported by the server. Jointly developed by the Tor Project and the Electronic Frontier Foundation (EFF), the extension was inspired by the search engine modification Google implemented to make browsers send all their search queries via HTTPS. Google had previously already adjusted its Google Mail service so that Web-browser connections to the service are protected via SSL by default. This prevents attackers from accessing sensitive data (even in unsecured wireless networks). HTTPS Everywhere further expands this function and simply redirects the browser to the secure page by rewriting the URL. According to the developers, however, the extension first checks whether the page returns identical content via http and via https. At present, the plug-in is still in beta phase and only rewrites selected URLs, for instance those of Google Search, Wikipedia, Twitter, Facebook, The New York Times, The Washington Post, PayPal, EFF, Tor and Ixquick. However, it is relatively easy for users to add further rules for other domains. Source: http://www.h-online.com/security/news/item/Automatic-web-encryption-almost-everywhere-1025472.html
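The rewrite step described in item 51 (a per-site rule turns an http:// URL into its https:// equivalent, with exclusions for paths a site cannot serve securely) can be illustrated with a small rule engine. This is an added example, not code from HTTPS Everywhere, the EFF or the Tor Project: the rule format is a simplified stand-in for the extension's own ruleset files, the domains are reserved example names, and the live check that a page returns identical content over http and https is not modelled because the example runs offline.

```python
import re
from dataclasses import dataclass, field


# Hypothetical ruleset structure (assumption: the real extension's XML schema is
# not reproduced here; only the from-pattern / to-template idea is kept).
@dataclass
class Ruleset:
    name: str
    rules: list                                     # (compiled from-pattern, to-template)
    exclusions: list = field(default_factory=list)  # URLs matching these skip the ruleset


def make_ruleset(name, rules, exclusions=()):
    """Compile the regexes once so rewrite() stays cheap per URL."""
    return Ruleset(name,
                   [(re.compile(src), dst) for src, dst in rules],
                   [re.compile(x) for x in exclusions])


# Constructed rulesets for reserved example domains (not the extension's bundled rules).
RULESETS = [
    # Canonicalise to the www host while switching scheme.
    make_ruleset("Example Search",
                 [(r"^http://(?:www\.)?example\.com/", "https://www.example.com/")]),
    # Keep whatever subdomain was used; the legacy host is opted out, e.g. because
    # it has no valid certificate, so its URLs are deliberately left on http.
    make_ruleset("Example Wiki",
                 [(r"^http://([^/]+\.)?example\.org/", r"https://\1example.org/")],
                 exclusions=[r"^http://legacy\.example\.org/"]),
]


def rewrite(url, rulesets=RULESETS):
    """Return the https URL produced by the first matching rule, else the input unchanged."""
    if not url.lower().startswith("http://"):
        return url          # already https, or not a web URL at all: nothing to do
    for rs in rulesets:
        if any(x.search(url) for x in rs.exclusions):
            continue        # the whole ruleset is skipped for excluded URLs
        for pattern, template in rs.rules:
            new_url, count = pattern.subn(template, url)
            if count:
                return new_url
    return url              # no ruleset covers this site: the browser keeps plain http


if __name__ == "__main__":
    for u in ("http://example.com/search?q=test",
              "http://wiki.example.org/Main_Page",
              "http://legacy.example.org/old",
              "http://unrelated.example.net/"):
        print(u, "->", rewrite(u))
```

The point the rule engine makes concrete is the one the article closes on: coverage is only as good as the rule list, so a site with no ruleset, or a path matched by an exclusion, is silently left on plain http.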


52. June 18, Computerworld – (International) Apple sneaks anti-malware update into Snow Leopard. Ten months after it debuted rudimentary malware scanning in Snow Leopard, Apple this week quietly added a signature for a third piece of malware, security researchers reported June 18. According to U.K-based antivirus vendor Sophos and U.S. Mac security company Intego, Mac OS X 10.6.4, which Apple released June 15, includes an update to XProtect. Dubbed that because the malware signatures are contained within Snow Leopard’s “XProtect.plist” file, the feature debuted in August 2009 with the launch of Mac OS X 10.6. At the time, Apple included detection for only two pieces of malware, Trojan horses named “RSPlug.a” and “Iservice” by Symantec. The 10.6.4 update added a scanning signature for another Trojan, which Symantec has labeled as “HellRTS.” According to Sophos, which calls the same Trojan “OSX/Pinhead-B,” and like Symantec has had protection in place since April, hackers have disguised the threat as iPhoto, the photo-management software that ships with new Macs. The masquerade is meant to dupe users into installing the backdoor malware. Source: http://www.computerworld.com/s/article/9178227/Apple_sneaks_anti_malware_update_into_Snow_Leopard


53. June 18, Help Net Security – (International) HTML files redirect users to malicious sites, evade mail server antivirus. Facebook, Twitter and Skype are Internet behemoths, counting hundreds of millions of users each, so it is not surprising that many malicious e-mail campaigns masquerade as legitimate notices coming from these three sources. The number of e-mails that try to trick recipients into downloading malicious files has surged in the last few days. Users are notified that their Twitter or Facebook password has been reset, that they should check details of purchases effected through Skype, that they have messages waiting for them, etc. What these e-mails have in common is that they contain a .html file, which changes name from e-mail to e-mail, but always contains a script that redirects the users to a Web site rife with malicious code that tries to exploit vulnerabilities in Adobe, Internet Explorer and Java, and through them download malware onto the users’ computers. A Bkis security researcher thinks this is the birth of a new trend. According to him, attackers will be switching to this kind of malicious file for two reasons: A lot of people have learned by now that .exe and .zip files in attachments are probably bad news and they delete the e-mail, but .html files have managed to avoid looking instantly suspicious; and secondly, these .html attachments don’t contain any kind of malicious or exploit code, which makes them perfect for bypassing antivirus programs integrated in mail servers or antivirus solutions in general. Source: http://www.net-security.org/malware_news.php?id=1381
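Because the attachments in item 53 carry no exploit code, signature scanning has nothing to match on; what a mail gateway can look for instead is the structure the article describes: an .html attachment whose content is little more than a script or meta-refresh that sends the browser to a host unrelated to the claimed sender. The following is an added example of that triage logic, not code from Bkis or the article; the message, file name and domains are constructed for the demonstration, and the redirect patterns are a deliberately small set chosen to illustrate the idea rather than an exhaustive list.

```python
import email
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample: a "password reset" lure with an .html attachment whose only
# content is a redirect (the shape described in the article, not a real artifact).
LURE_EML = """\
From: "Account Notices" <notices@social-site.example>
To: user@corp.example
Subject: Your password has been reset
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset=utf-8

Your password was reset. Open the attached notice for details.

--b1
Content-Type: text/html; name="notice_8813.html"
Content-Disposition: attachment; filename="notice_8813.html"

<html><body>
<script>window.location="http://landing.example.net/land.php";</script>
</body></html>
--b1--
"""

# Constructed benign counterpart: an HTML attachment with real content and no redirect.
BENIGN_EML = """\
From: "Newsletter" <news@social-site.example>
To: user@corp.example
Subject: June newsletter
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset=utf-8

The newsletter is attached.

--b2
Content-Type: text/html; name="newsletter.html"
Content-Disposition: attachment; filename="newsletter.html"

<html><body><h1>June update</h1><p>Read about the new features we shipped this month,
including the revised privacy settings page and the faster mobile client.</p>
<a href="https://social-site.example/blog">More on the blog</a></body></html>
--b2--
"""

# Indicators that an HTML file exists only to forward the browser elsewhere
# (assumption: a small illustrative set, not an exhaustive list of redirect forms).
REDIRECT_PATTERNS = [
    re.compile(r"""(?:window|document|self|top)\.location(?:\.href)?\s*=\s*["']([^"']+)["']""", re.I),
    re.compile(r"""location\.replace\(\s*["']([^"']+)["']""", re.I),
    re.compile(r"""http-equiv\s*=\s*["']?refresh["']?[^>]*?url\s*=\s*["']?([^"'\s;>]+)""", re.I),
]


def html_attachments(msg):
    """Yield (filename, html_text) for every attached HTML part."""
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith((".html", ".htm")) or part.get_content_type() == "text/html":
            yield name, part.get_content()


def find_redirects(html):
    """Return every destination URL pulled out by the redirect patterns."""
    urls = []
    for pattern in REDIRECT_PATTERNS:
        urls.extend(pattern.findall(html))
    return urls


def visible_text(html):
    """Strip scripts and tags; what remains is what a user would actually see."""
    no_scripts = re.sub(r"<script.*?</script>", "", html, flags=re.S | re.I)
    return re.sub(r"<[^>]+>", "", no_scripts).strip()


def assess(raw_message):
    """Return one finding per redirect found in an HTML attachment of the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    sender_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    findings = []
    for name, html in html_attachments(msg):
        for url in find_redirects(html):
            host = (urlparse(url).hostname or "").lower()
            same_org = host == sender_domain or host.endswith("." + sender_domain)
            findings.append({
                "attachment": name,
                "url": url,
                "external": not same_org,              # destination unrelated to the sender
                "bare_redirect": len(visible_text(html)) < 40,  # page shows the user nothing
            })
    return findings


if __name__ == "__main__":
    print(assess(LURE_EML))
    print(assess(BENIGN_EML))
```

A gateway would typically quarantine on the combination of `external` and `bare_redirect` rather than on either alone: legitimate HTML attachments occasionally carry a same-site redirect, and a page with substantial visible text is more often a newsletter than a lure.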


Communications Sector

54. June 21, The Associated Press – (International) Twitter traffic spikes with World Cup goals. Twitter, a social networking site, is seeing huge traffic when a big goal is scored in the soccer tournament. Though Twitter normally sees about 750 tweets per second on an average day, there were 2,940 tweets per second, then a record, after Japan scored against Cameroon on June 21. Nearly as much traffic was reported after Brazil’s first goal against North Korea on June 21, as well as after Mexico’s tying goal against South Africa on June 11. Twitter has yet to announce its numbers for Friday’s U.S.-Slovenia 2-2 draw, which was likely to have caused huge amounts of activity. Enormous traffic from the World Cup has contributed to frequent outage problems for Twitter. The site is postponing a planned network overhaul until the World Cup is over. Source: http://www.usatoday.com/tech/news/2010-06-21-twitter-world-cup_N.htm


55. June 21, WhatsUp Gold – (International) Ipswitch survey reveals corporate bandwidth use across Europe to double during World Cup. Ipswitch Inc.’s Network Management Division, developer of the WhatsUp Gold suite of innovative IT management solutions, today released the results from its World Cup Network Traffic Calculator. Over the past two weeks, WhatsUp Gold has collected over 1000 responses related to average bandwidth use and the predicted increase during the 30 days of the tournament in network traffic directly related to the World Cup. According to the calculator, bandwidth use is expected to increase by 38.85% in participating World Cup Nations to 86.89% during matches. In Europe the figure is expected to double, from 40.25% current average bandwidth use, to 78.67% during key match times. In the UK, despite the culture for some businesses to close during England matches, bandwidth use is still expected to increase by 30.79% to 71.85% of total capacity. In host nation South Africa, IT Managers are bracing themselves for network bandwidth to be completely maxed out to 100% from a base average of 58% during a typical working day. Despite not being typically thought of as a football watching nation, the US is somewhat surprisingly expecting bandwidth use to rise to over 80% during some key matches. Source: http://www.sbwire.com/press-releases/sbwire-48201.htm


56. June 18, IDG News Service – (National) FCC group crafting plans to open up mobile spectrum. The Federal Communications Commission (FCC) Spectrum Task Force laid out preliminary ideas June 18 for making frequencies now used for satellite services available for conventional mobile broadband. The group is considering proposing to the FCC a Notice of Proposed Rulemaking for the satellite-related radio spectrum that would be presented at the Commission’s next meeting July 15. The task force was formed recently to execute an intention stated in the National Broadband Plan for freeing up 500MHz of spectrum for mobile broadband by 2020. The group will propose that frequencies be allocated within the “S” band — one of three bands in the mobile satellite services range — for pure terrestrial wireless broadband services, either fixed or mobile, said the group’s co-chair, who also heads the FCC’s Office of Engineering and Technology. Currently, holders of spectrum in that band can only build terrestrial networks to complement their satellite systems. The FCC has already taken action to make more spectrum available for mobile broadband. Earlier this year, it approved the acquisition of satellite phone service provider SkyTerra, which holds spectrum in the “L” band, by Harbinger Capital Partners. By 2015, Harbinger plans to deploy a terrestrial 4G (fourth-generation) mobile data service that can be used in conjunction with its satellite offering, according to the FCC. This could create another high-speed mobile network that would compete with those of the major carriers, while including some service to rural areas that many cellular networks don’t reach today. Source: http://www.computerworld.com/s/article/9178238/FCC_group_crafting_plans_to_open_up_mobile_spectrum


57. June 18, KSL 5 Salt Lake City – (Utah) Thousands lose service after construction crews cut Comcast line. Thousands of Internet, cable and phone customers in the southwest part of the Salt Lake Valley lost service for several hours June 18. Turns out, the blame lies with a Murray construction crew that was drilling in the wrong spot. Comcast says one of its fiber-optic cable lines was severed about 9 a.m. by a crew from an unidentified company, working in the road at 5400 South and 700 West. “The fiber-optic cut was caused by another company not related to Comcast,” said a Comcast spokesman. The break caused thousands of Comcast customers to lose service in South Jordan, West Jordan, Riverton, Bluffdale, Herriman and parts of Murray and Taylorsville. Comcast says it now has service restored to most areas affected, except parts of Murray and Taylorsville. Source: http://www.ksl.com/?nid=148&sid=11224010