Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, July 1, 2010

Daily Report

Top Stories

• A Missouri Department of Veterans Affairs (VA) hospital is under fire because it may have exposed more than 1,800 veterans to life-threatening diseases such as hepatitis and HIV, according to CNN. (See item 40)

40. June 30, CNN – (Missouri) VA hospital may have infected 1,800 veterans with HIV. A Missouri Department of Veterans Affairs (VA) hospital is under fire because it may have exposed more than 1,800 veterans to life-threatening diseases such as hepatitis and HIV. John Cochran VA Medical Center in St. Louis has recently mailed letters to 1,812 veterans telling them they may have contracted hepatitis B, hepatitis C and human immunodeficiency virus (HIV) after visiting the medical center for dental work, said a Democratic U.S. Representative from Missouri. He is calling for an investigation into the issue and has sent a letter to the U.S. President about it. “This is absolutely unacceptable,” said the Representative. “No veteran who has served and risked their life for this great nation should have to worry about their personal safety when receiving much needed health-care services from a Veterans Administration hospital.” The issue stems from a failure to clean dental instruments properly, the hospital told CNN affiliate KSDK. The association chief of staff at the hospital told the affiliate that some dental technicians broke protocol by handwashing tools before putting them in cleaning machines. Source:

• Almost 300 National Guard members from four states helped to battle flood waters last week and through the weekend, U.S. Army News Service reports. (See item 72)

72. June 29, U.S. Army News Service – (National) National Guard battles flood waters in four states. Almost 300 National Guard members from four states helped to battle flood waters last week and through the weekend. In South Dakota, 130 soldiers from the 200th Engineer Company and the 153rd Engineer Battalion helped to fill sandbags in the towns of Huron, Woonsocket, and Bonilla. The mission was to lay about 20,000 sandbags in Woonsocket to channel water through the town, while 3,000 sandbags were staged in Bonilla. In Missouri, the governor called up soldiers with vehicle support to remove debris from the northwest counties of Mingo, Logan, Wyoming, and McDowell. Missions continued over the weekend in the region as Guardsmen manned traffic-control points and assisted law enforcement in patrolling the sparsely populated areas. Guard officials said the dams in the Dakotas are full and the Army Corps of Engineers plans to let out water to release pressure on them, which will increase the water flow in the Missouri River. North Dakota has a UH-60 helicopter and its 10-man crew on standby to respond if needed to evacuate residents unable to use the roads in the Devils Lake area. West Virginia has almost 100 Guardsmen cleaning up the debris that residents found in their homes in Wyoming County. About 55 counties in West Virginia have been affected by rain and rapid snow melt since the spring. Source:


Banking and Finance Sector

16. June 30, WKYC 3 Cleveland – (Ohio) Low-tech ‘Bonnie and Clyde’ indicted for bank scheme. A husband and wife allegedly slipped nearly $1 million out of a former National City Bank Branch in Strongsville, Ohio over the course of 4 years. The wife worked as a teller at the branch and allegedly slipped cash along with phony checks and money orders to her husband when he would pose as a customer. Over nearly four years of visits, the wife allegedly gave her husband $923,471. Source:

17. June 29, Bloomberg – (International) Banks financing Mexico gangs admitted in Wells Fargo deal. Drug smugglers caught with 5.7 tons of cocaine near Mexico City had bought the DC-9 jet they flew with laundered funds they transferred through two of the biggest banks in the U.S.: Wachovia Corp. and Bank of America Corp., Bloomberg Markets magazine reports in its August 2010 issue. This was no isolated incident. Wachovia, it turns out, had made a habit of helping move money for Mexican drug smugglers. Wells Fargo & Co., which bought Wachovia in 2008, has admitted in court that its unit failed to monitor and report suspected money laundering by narcotics traffickers — including the cash used to buy four planes that shipped a total of 22 tons of cocaine. The admission came in an agreement that Charlotte, North Carolina-based Wachovia struck with federal prosecutors in March, and it sheds light on the largely undocumented role of U.S. banks in contributing to the violent drug trade that has convulsed Mexico for the past four years. Source:

18. June 29, Reuters – (International) U.S. charges 18 in Colombian money-laundering case. Prosecutors have charged 18 people in an international money-laundering conspiracy that they said moved millions of dollars of Colombian drug profits through the United States, Colombia, Guatemala, Hungary, and other countries. An undercover investigation named Operation Circling Vultures has resulted in 17 arrests on charges related to laundering drug profits for traffickers around the world. One more suspect is still at large, officials said June 29. An unnamed cooperating witness introduced U.S. agents to Colombian peso brokers. Undercover agents then spent months monitoring money-laundering operations in the United States, Panama and Guatemala, among other locations, a statement by the U.S. attorney’s office said. Source:

19. June 29, United States Department of Justice – (Florida) Miami man indicted for purchasing, selling and using stolen credit-card information. A Miami man was charged June 29 with buying, selling and using stolen credit-card information. The suspect was charged in a three-count indictment returned today by a federal grand jury in Miami with: conspiracy to traffic in unauthorized credit card numbers and to possess unauthorized credit card numbers with intent to defraud; trafficking in unauthorized credit card numbers; and fraudulent possession of equipment to make credit cards. According to the indictment, from November 2007 through May 2009, the suspect allegedly purchased credit-card information that had been stolen and obtained by fraudulent means from co-conspirators whom he met through the Internet. The suspect allegedly resold that information to others, who used it to make fraudulent credit card purchases. In addition, the suspect allegedly personally manufactured credit cards using the information he had purchased. In total, the suspect purchased approximately 26,669 credit card numbers during the course of the scheme, the indictment alleged. Source:

20. June 29, New York Times – (New York) Circuit breaker kicks stopping trades of Citigroup. An experimental circuit breaker for stock markets that was put in place after last month’s so-called flash crash kicked in for the second time June 29 after an erroneous trade caused a sudden plunge in the price of Citigroup shares. Trading in the shares of Citigroup, one of the most heavily traded stocks in the United States, was paused for five minutes at 1:03 p.m. after an over-the-counter trade of about 8,821 shares was posted at a price of $3.3174, or 12.7 percent lower than the $3.80 price of the previous trade. The trade was later canceled, according to a spokeswoman for the Financial Industry Regulatory Authority, which regulates brokerage firms. Even so, Citigroup shares closed 5 percent lower for the day, at $3.79. The circuit breaker rules, put in place across all stock markets two weeks ago on the recommendation of the Securities and Exchange Commission, require exchanges to pause trading for five minutes in any individual Standard & Poor’s 500 stock that moves 10 percent or more in either direction in a five-minute period. The circuit-breaker program, which is being tested for six months, was started in response to a minicrash May 6 that affected a range of stocks and caused a rapid, 1,000-point decline in the Dow Jones Industrial Average. Source:

Information Technology

51. June 30, IDG News Service – (International) Sony says 535,000 laptops at risk of overheating. More than half a million Sony laptops sold this year contain a software bug that could lead them to overheat, the company said June 30. Sony has recorded 39 cases of overheating among Vaio F and C series laptops that have been on sale since January. In some cases, the overheating has led the laptop case to deform. A bug in the heat-management system of the BIOS software is to blame. Sony is asking users to either update the software themselves or return their laptops so it can apply the update. The fault affects 535,000 computers, although Sony is asking a total of 646,000 owners to update their machines. The additional 111,000 machines are susceptible to several less serious problems that have also been found in the software, said Sony. BIOS is present in every PC and runs below the operating system, controlling the most basic functions of the computer and interaction between major components. It is usually invisible to users except for a BIOS start-up message that is typically seen when a PC boots. The problem affects machines sold both in Japan and the rest of the world. Affected models sold outside Japan are the VPCCW25FG/B, VPCCW25FG/P and VPCCW25FG/W. Source:

52. June 30, The H Security – (International) Adobe Reader and Acrobat updates close 17 critical holes. Adobe has released updates 9.3.3 and 8.2.3 for its Reader and Acrobat products to close 17 holes. The vendor said that all the holes can be exploited to inject and execute code. Simply visiting a specially crafted Web page with a vulnerable Reader plug-in is enough for an attack to be successful. Among the holes is the flaw in the authplay.dll library for playing embedded Flash content. After almost three months, Adobe has finally also decided to make it harder for attackers to exploit the /launch function to execute code. The function is part of the PDF specification and can be used for executing embedded scripts and EXE files. Although Adobe Reader asks users to agree to the execution of the file, this dialogue can be designed in such a way that users have no idea they may be allowing an infection into their systems. The vendor previously maintained that the feature is essentially useful and only becomes a problem when misused. Source:

53. June 30, Help Net Security – (International) Virus production from Russia increases again. Virus production from Russia is on the upswing again, after a temporary decline last month when Russian hosting service PROXIEZ-NET – notoriously used by criminal gangs – was taken down in early May. This is according to analysis of Internet threats in June by Network Box. Russia is now responsible for 7.4 percent of the world’s malware, and is back to being in the top four virus-producing countries, behind the U.S. (13 percent), Korea (10.1 percent) and India (9.2 percent). This follows a similar pattern to malware production after the McColo shutdown in the U.S. in November 2008, when the U.S.’s threat production temporarily decreased dramatically, but was back up to normal levels within a month. Levels of viruses and spam from the U.K. remain high. The U.K. has the dubious honor of being the world’s fourth-largest producer of spam, with 4.1 percent of spam originating from the U.K., the same as last month. This is behind the U.S. (11.1 percent), India (8 percent) and Brazil (4.2 percent). Source:

54. June 30, The Register – (International) Google Chrome will block out-of-date plug-ins. Google will soon prevent insecure versions of plug-ins from running on top of its Chrome browser to make sure they don’t contain security bugs that can be exploited by malicious Web sites. In a blog post, members of Google’s security team said the feature will prevent Chrome from running “certain out-of-date plug-ins.” It will also help users find updates. The announcement comes a few months after anti-virus maker F-Secure said Adobe’s Reader application replaced Microsoft Word as the program that’s most often exploited in targeted malware campaigns, like the one that Google disclosed in January that exposed sensitive intellectual property. F-Secure said the increase is “primarily because there has been more vulnerabilities in Adobe Acrobat/Reader than in the Microsoft Office applications.” Other plug-ins, such as Adobe’s Flash Player and Oracle’s Java Virtual Machine, are also routinely attacked. The ability to run scores of browser plug-ins makes it hard for users to keep their systems fully patched. Mozilla recently addressed this problem by notifying users who run out-of-date add-ons on top of Firefox. Google seems to be going one step further by blocking them altogether. Source:

55. June 29, DarkReading – (International) Researchers report vulnerability in Microsoft Office 2010. Researchers at VUPEN Security in France said they found one of the first vulnerabilities in Microsoft’s new Office Excel 2010 application, but have not yet officially reported it to Microsoft. The CEO and director of research at VUPEN said the flaw is a heap corruption vulnerability that, if exploited, would let an attacker run arbitrary code on the victim’s machine and take over the machine once the user opened a specially crafted Office document. “We are currently verifying if the vulnerability affects previous versions of Office. What we have seen so far is that the vulnerable code is only present in Office 2010,” he said. VUPEN also has found a separate, potential bug in Word 2010. “But the analysis of this potential flaw to determine its exploitability is still ongoing,” he said. Even so, the CEO said Office 2010 is much more secure than previous versions of the software. The group manager for response communications at Microsoft said Microsoft is “aware” of the vulnerability discovery claim, but does not have the details to verify it. Source:

56. June 29, CNET News – (International) Amazon experiences hours-long outage. Amazon experienced a widespread outage June 29 that lasted, at least for many customers, more than three hours, and displayed blank or partial pages instead of product listings. By mid-afternoon, Amazon’s home page was devoid of any product photographs and showed only a list of categories on the left of the screen. Searching for items often did not work, and customers’ shopping carts and saved item lists were temporarily displayed as empty. At an annual revenue of nearly $27 billion, Amazon faces a potential loss of an average of $51,400 per minute when its site is offline. A post on an Amazon seller community forum at 12:47 p.m. PDT said: “We are currently experiencing an issue that is impacting customers’ ability to place orders on the website.” A follow-up announcement an hour later said the problem had not been resolved. Source:

57. June 29, Minneapolis Star Tribune – (Minnesota; National) Investigators raid Chanhassen firm. Federal authorities and New York organized-crime detectives are investigating a Chanhassen, Minnesota firm that sells used and refurbished computer parts on suspicion of marketing a wide range of counterfeit components apparently originating in Asia. Investigators seized what they believe are 150 counterfeit parts last week from Focus Technology, including 23 Hewlett-Packard memory units, 80 IBM memory units and 47 Cisco components. The president of Focus Technology said June 28 that the seizure involved a fraction of the firm’s inventory. He acknowledged, though, that his firm received a “cease and desist” letter in December 2008 from IBM Systems and Technology Group, demanding that it stop selling counterfeit IBM parts. The president said his firm tries to sell only authentic products, but a flood of counterfeits from Asia makes that hard. He said his firm is cooperating “100 percent” with investigators. Counterfeit computer parts have turned up in military equipment and led to numerous failures, according to a 2008 investigation by Business Week. The article said counterfeit Cisco routers made in China pose a serious espionage threat. In May, the Associated Press reported on Operation Network Raider, which the Justice Department said has led to 30 felony convictions and the seizure of $143 million in counterfeit network equipment made in China. Source:

For more stories, see items 58 and 62 below in the Communications Sector

Communications Sector

58. June 30, The Register – (International) Regular domains beat smut sites at hosting malware. New research pours scorn on the comforting but erroneous belief that Windows surfers who avoid smut on the Web are likely to avoid exposure to malware. A study by free anti-virus firm Avast found 99 infected legitimate domains for every infected adult Web site. In the UK, Avast found that more infected domains contained the word “London” (such as the blog section of than the word “sex”. Among the domains labeled as infected by Avast was the smart phones section of the Vodafone UK Web site. The mobile phone operator’s site contained a malicious JavaScript redirect script that attempted to take advantage of an unpatched Windows Help and Support Center flaw (CVE-2010-1885) to infect the machines of visiting surfers. HTML files from sub-domain still contain malicious code at the time of writing, but point to a site containing the attack payload that has been pulled offline. The type of attack against Vodafone is typical of one in five of the Web site infections identified by Avast. The anti-virus firm’s results were culled from anonymous security incident logs submitted by users of its security software since the middle of last year. Data submitted includes information on the malware type and visited Web site. Infected sites recorded by the study include Brazilian software-download site Baixaki and a variety of small business Web sites in Germany. Avast said a declining rate of infections on ‘adult’ Web sites emerged as a clear trend during its study. Source:

59. June 29, Mid Hudson News – (New York) Phone, Internet service interrupted. Frontier Communications said customers in portions of Orange, Sullivan and Dutchess counties in New York were experiencing outages that affect Internet, voicemail and voice over Internet protocol phone service June 29. A fiber cut in Virginia has been identified as the source, and Frontier is working to restore the services as soon as possible. Communications traffic was being rerouted and partial restoration was expected by 11 a.m. June 29. Source:

60. June 29, The Eugene Register-Guard – (Oregon) Phone outage hits Lowell. An unknown problem temporarily disrupted phone service early June 29, leaving Lowell, Oregon residents unable to reach emergency services over land lines. The outage apparently affected some cell-phone service as well, preventing residents from making outgoing calls. The outage lasted more than three hours, and service was restored shortly before 8 a.m. The cause of the outage is unknown. Source:

61. June 29, Honolulu Star-Advertiser – (Hawaii) AT&T cell customers in Kona lose service for 2 hours. AT&T cellular customers in North Kona, Hawaii lost service for about two hours June 28 due to an undisclosed technical problem, a company spokesman said. The outage began at about 9:45 a.m. and was resolved by 11:45 a.m., the spokesman said. Attendees at a convention at the Hilton Waikoloa Village were among those who lost their AT&T coverage during the outage. Source:

62. June 29, Federal Computer Week – (International) Australia taps ISPs to fight ‘zombies’. A new voluntary code of conduct for Australian Internet Service Providers (ISPs) that’s designed to mitigate cyber threats is getting attention in Washington, prompting discussion about how ISPs can help bolster cybersecurity. The Internet Industry Code of Practice is designed to be a consistent way for Australian ISPs to inform, educate and protect their users from cybersecurity risks, according to the document. The code was drawn up by the Australian Internet Industry Association (IIA) in conjunction with Australia’s Broadband, Communications and the Digital Economy Department and the attorney general’s department. A primary focus of the icode is to reduce threats posed by computers that have been hijacked to act as zombies and participate in botnet attacks. The code includes a notification system for compromised computers, a standardized information resource for users, a way for ISPs to access the latest threat information, and a reporting mechanism for ISPs to let the Australian computer emergency readiness team know about extreme threats. ISPs that comply with the code, which goes into effect December 1, can display a “trustmark” that shows customers they adhere to the code. Source:

63. June 28, KGUN 9 Tucson – (Arizona) Phone outage hanging up local businesses. The phones for people and businesses near Park Place Mall in Tucson, Arizona have been down since June 24, and Qwest says the area may go without service for most of the week. The problem is that bundles of tiny wires are being repaired one at a time. They were damaged after a contractor tore them with some digging equipment. Since June 24, store managers have had to find workarounds for processing credit-card transactions. Source: