Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, July 6, 2010

Complete DHS Daily Report for July 6, 2010

Daily Report

Top Stories

• According to the Rochester Post-Bulletin, a corrupted computer-activation code is responsible for several Rochester, Minnesota weather sirens failing to sound during a June 17 storm that included damaging winds and one or more tornadoes. (See item 39)

39. July 1, Rochester Post-Bulletin – (Minnesota) Month of glitches preceded siren failure on night of tornado. A corrupted computer-activation code is responsible for several northwest Rochester, Minnesota weather sirens failing to sound during a June 17 storm that included damaging winds and one or more tornadoes. Officials from Olmsted County Emergency Management July 1 described, in detail, to county commissioners a host of technical glitches that preceded the damaging storm by about a month. Officials apologized for the failure and for reactions to criticism in the days after the storm that sounded “flip” to some commissioners. “Up until the 17th, I thought we had the greatest system in the country,” said the county’s deputy director of the Emergency Operations Center. “Nobody is more embarrassed and ashamed that this system failed.” Problems began in the third week of May, when the county installed a new version of siren-controller software. However, the software caused the system to “lock up.” The county’s tech-support staff, together with the software vendor, thought they had corrected the problem, but the system “locked up” again June 12. Two days later, the county re-installed the previous version of the software. But when they did that, apparently the code controlling Zone 5, a group of sirens covering northwest Rochester, became corrupted. Source: http://www.postbulletin.com/newsmanager/templates/localnews_story.asp?z=2&a=459369

• The Christian Science Monitor reports that about 400 people felt sick after swimming in oily water in the Gulf of Mexico off of Santa Rosa Island in Florida after a local official acted against the advice of federal health authorities and opened beaches. (See item 51)

51. July 2, Christian Science Monitor – (Florida) After Gulf swimmers report illness, questions about opening a beach. Santa Rosa Island officials flew the double-red, no swimming flag over Pensacola Beach in Florida after a swath of thick oil washed ashore from the Gulf of Mexico oil spill June 23. Two days later, against the warnings of federal health officials and based on a visual survey of the beach, the local island authority director reopened the beaches for swimming, urging residents and tourists to come back to the beach. Officials left the ultimate decision on whether it was safe to swim to beachgoers. This week, health officials in Escambia County, Florida reported that about 400 people claimed they felt sick after visiting the beach and swimming in the Gulf. Testing by the University of West Florida in recent days has indicated small amounts of dissolved petrochemicals in the water near Pensacola Beach. Federal officials have urged caution about swimming in areas not only near the spill, but also where oil actually came ashore, and where tides buried some of the oil smudges. Federally managed National Seashore beaches on both sides of Pensacola Beach remained closed to swimming. Source: http://www.minnpost.com/worldcsm/2010/07/02/19408/after_gulf_swimmers_report_illness_questions_about_opening_a_beach

Details

Banking and Finance Sector

15. July 1, KPTV 12 Portland – (Oregon) Bomb threat made at Sandy bank. A man who robbed a U.S. Bank branch in Sandy, Oregon threatened employees with a gun and made a bomb threat as he left the bank, police said. The man escaped with an unknown amount of money and told bank employees he was going to blow up the bank, according to a representative with the Sandy Police Department. He left behind a paper bag which he claimed was a bomb, police said. The bank was evacuated and the robbery was reported to police, who rushed to the scene. A Portland Police Bureau bomb squad was headed to the area to examine the bag. They determined it was not an explosive device. Source: http://www.kptv.com/news/24115169/detail.html


16. July 1, Associated Press – (New York) NY ex-bank computer tech admits ID theft, $1M scam. Prosecutors said a computer technician has admitted to using a three-month stint at a New York bank to steal 2,000 other employees’ identities, and then using them for years to loot about $1 million from charities. The Manhattan District Attorney’s office said July 1 that the suspect pleaded guilty to computer tampering and other charges. The charges carry a potential of up to 25 years in prison. Prosecutors said the suspect is expected to receive five to 15 years in prison at his July 21 sentencing, and has agreed to forfeit about $468,000. Prosecutors said the suspect used the stolen identities to open bank accounts as coffers for money he covertly transferred from charities that had released their banking information to ease donations. Source: http://www.wcax.com/Global/story.asp?S=12744659


17. July 1, The Bank of Glen Burnie – (Maryland) The Bank of Glen Burnie advises of online banking e-mail phishing scam. The Bank of Glen Burnie, Maryland is alerting consumers about an e-mail phishing scam designed to look like an online expiration warning from the bank. The e-mail informs customers that their account will be deleted if they do not update it by July 2, 2010. Consumers are urged to click on a Web site link to update their online account. This is a scam. The link goes to a Web site login, which looks exactly like The Bank of Glen Burnie’s log-in page, but is not associated with the bank. Customers are asked to provide their username and password and anyone who provides the data is at risk of identity theft. The Bank of Glen Burnie’s Web site is at www.thebankofglenburnie.com. The Bank of Glen Burnie has not, and does not, request personal information in an e-mail. Source: http://www.marketwatch.com/story/the-bank-of-glen-burnie-advises-of-online-banking-e-mail-phishing-scam-2010-07-01?reflink=MW_news_stmp


Information Technology


41. July 2, Help Net Security – (International) Spam now a vehicle for heavy malware distribution. AppRiver released a detailed summary and analysis of spam and malware trends traced between January and June 2010. During this timeframe, AppRiver quarantined more than 26 billion spam messages to protect its customer base of 45,000 corporations and six million mailboxes. “Spam today is much more than just a nuisance, it is a vehicle for heavy malware distribution and other serious security threats,” said the senior security analyst at AppRiver. “For example, more than 1-in-10 junk messages contained a virus during the past six months, making malware distribution a serious cause for concern. With many countries now on board with the cap and trade system, scammers have found a lucrative opportunity to exploit the global quest to go green.” Source: http://www.net-security.org/malware_news.php?id=1393


42. July 2, The H Security – (International) Phishing under the name of Wikipedia. A new HTML phishing scam has seen a large number of spam e-mails prompting recipients to verify an alleged Wikipedia account by clicking on a link that appears to point to the official Wikipedia site. The e-mails contain such texts as “Someone from the IP address 112.135.3.205 has registered the account ‘iamjustsendingthisleter’ with this e-mail address on the English Wikipedia”, where the IP address corresponds to that of the spamming computer (bot), and the alleged Wikipedia account is the spam recipient’s e-mail account. While the included links appear to lead to the trusted service, when clicked, they take users to infected Web sites that the perpetrators may have injected with all sorts of dubious content, for example pill advertisements, malicious JavaScript code, or both. Source: http://www.h-online.com/security/news/item/Phishing-under-the-name-of-Wikipedia-1032341.html
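Both the Wikipedia lure in item 42 and the Bank of Glen Burnie lure in item 17 rely on the same trick: the visible link text or the surrounding page claims a trusted site, while the anchor’s href points somewhere else. The script below is an added example, not code from either report or from the organizations named; it parses an HTML e-mail body, pairs each link’s href with its visible text, and flags links whose host is not the expected domain, whose visible text shows a different host, or that use a raw IP address or a userinfo prefix (trusted.org@evil) to hide the real destination. The two sample bodies are constructed here, use reserved example/TEST-NET hosts, and are not the real messages; the legitimate domains passed in are assumptions standing in for whatever a mail gateway would configure.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Visible text that a reader would take for a destination: a URL, a www. name, or a bare domain.
LOOKS_LIKE_URL = re.compile(r"(?:https?://|www\.|(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/|$))", re.IGNORECASE)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lowercased host of a URL, ignoring any userinfo ('trusted.org@evil') and port."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def belongs_to(host, domain):
    """True only for the domain itself or a real subdomain, so 'wikipedia.org.evil.example' fails."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html, legit_domains):
    """Return [(href, text, [reasons])] for links that do not stay on the expected domains."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href if "://" in href else "http://" + href)
        if parts.scheme.lower() not in ("http", "https"):
            continue  # mailto:, tel:, javascript: links are a separate check
        target = host_of(href)
        reasons = []
        if not any(belongs_to(target, d) for d in legit_domains):
            reasons.append("link goes to %s, not to %s" % (target, ", ".join(sorted(legit_domains))))
        if IPV4.fullmatch(target):
            reasons.append("raw IP address instead of a hostname")
        if "@" in parts.netloc:
            reasons.append("userinfo in URL hides the real host")
        if LOOKS_LIKE_URL.match(text):
            shown = host_of(text.split()[0])
            if shown != target:
                reasons.append("visible text shows %s but href goes to %s" % (shown, target))
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample bodies modelled on the two lures; hosts are reserved example/TEST-NET names.
WIKIPEDIA_LURE = """<p>Someone from the IP address 192.0.2.10 has registered the account
'iamjustsendingthisleter' with this e-mail address on the English Wikipedia.</p>
<p>To confirm, visit <a href="http://en.wikipedia.org.verify-account.example/confirm">
http://en.wikipedia.org/wiki/Special:ConfirmEmail</a></p>"""

BANK_LURE = """<p>Your online account will be deleted if you do not update it by July 2, 2010.</p>
<p><a href="http://198.51.100.7/thebankofglenburnie/login">Update your online account</a></p>
<p>Visit us at <a href="https://www.thebankofglenburnie.com/">www.thebankofglenburnie.com</a></p>"""

if __name__ == "__main__":
    for label, body, domains in (("wikipedia", WIKIPEDIA_LURE, {"wikipedia.org"}),
                                 ("bank", BANK_LURE, {"thebankofglenburnie.com"})):
        for href, text, reasons in suspicious_links(body, domains):
            print("%s: %s (%r): %s" % (label, href, text, "; ".join(reasons)))
```

The subdomain test deliberately requires a dot boundary: `en.wikipedia.org.verify-account.example` ends with the characters `wikipedia.org` but is not under that domain. The check is a gateway-side complement to, not a replacement for, the advice in item 17 that a bank does not request credentials by e-mail; a lure that links to a compromised page on an unrelated legitimate domain still shows up only as “not the expected domain”.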


43. July 1, Krebs on Security – (International) Top apps largely forgo Windows security protections. Many of the most widely used third-party software applications for Microsoft Windows do not take advantage of two major lines of defense built into the operating system that can help block attacks from hackers and viruses, according to research released July 1. Attackers usually craft software exploits so that they write data or programs to very specific, static locations in a process’s memory. To counter this, Microsoft introduced with Windows Vista (and retained in Windows 7) a feature called address space layout randomization (ASLR), which places those memory regions at different positions each time a program runs, so an attacker can no longer count on a fixed address. Another defensive feature called data execution prevention (DEP) — first introduced with Windows XP Service Pack 2 back in 2004 — attempts to make it so that even if an attacker succeeds in guessing the location of the memory point they are seeking, the code placed there will not execute or run. These protections are available to any application built to run on top of the operating system, but an application has to be built to opt into them. According to a new analysis by software vulnerability management firm Secunia, half of the third-party apps they looked at fail to leverage either feature. Source: http://krebsonsecurity.com/2010/07/top-apps-largely-forgo-windows-security-protections/


44. July 1, PC Advisor UK – (International) Tabnapping on the increase. The use of tabnabbing, a recently-identified phishing technique, is on the rise, says Panda Labs. Tabnabbing exploits tabbed browsing in modern Web browsers such as Firefox and Internet Explorer: a page left open in a background tab changes its appearance to make users believe they are viewing a familiar Web page such as Gmail, Hotmail or Facebook. Cybercriminals can then steal the logins and passwords when users enter them on the hoax pages. According to Panda’s latest Quarterly Report on IT Threats, the technique is likely to be employed by more and more cybercriminals, and users should close all tabs they are not actively using. Panda also revealed the number of Trojans being used on the Web has surged, and they now account for about 52 percent of all malware. The number of viruses has also increased. Viruses account for 24 percent of all Web malware. The security firm said Taiwan had the most infections, with just over 50 percent of all global infections happening in the country, while Russia and Turkey were close behind. Panda also noted that attacks on social networks, fake-antivirus software and poisoned links in search engines continued to be popular techniques used by cyber criminals. Source: http://www.networkworld.com/news/2010/070110-tabnapping-on-the.html?hpg1=bn


45. July 1, eWeek – (International) Microsoft Office 2010 security flaw reportedly found. Researchers at Vupen Security say they have uncovered a security vulnerability in Microsoft Office 2010. However, their discovery has been met with criticism from Microsoft, which complains that it has not received technical details of the bug. Microsoft officials are upset the researchers chose not to notify the company of their findings. The Vupen researchers said they discovered a memory-corruption flaw that could be used by an attacker to execute code. The company June 22 said it “created a code execution exploit which works with Office 2010 and bypasses DEP (Data Execution Prevention) and Office File Validation features.” The bug, the Vupen CEO told eWeek, is caused by a heap-corruption error when processing malformed data within an Excel document. While technical details of the bug have not been disclosed, Vupen said, “our [government] customers who are members of the Vupen Threat Protection Program have access to the full binary analysis of the vulnerability” as well as detection guidance. But Vupen has not given the vulnerability details to Microsoft. Source: http://www.eweek.com/c/a/Security/Microsoft-Office-2010-Security-Bug-Reportedly-Found-323576/


46. July 1, The Register – (International) Adobe auto-launch peril not fully purged, researcher says. A security researcher said he can force Adobe Systems’ widely used PDF readers to execute potentially malicious commands despite an emergency security fix the company released recently. The update Adobe added to its Reader and Acrobat applications contained a patch designed to prevent attackers from using the apps to launch potentially dangerous commands or files on end users’ machines. But a senior security researcher at Viet Nam–based Bkis Internet Security said he can bypass the fix by doing nothing more than putting quotation marks around the command he wants a targeted machine to execute. The weakness was first demonstrated by a researcher and later expanded by others. Adobe had said it wanted to find a way to eliminate the threat without removing powerful functionality relied on by some users. On July 1, the senior security researcher published the proof-of-concept, showing how a booby-trapped PDF file can still be used to override settings designed to block the auto-launch feature and open the Windows calculator. It works by using the command “calc.exe” rather than calc.exe: the quoted string does not match what the fix blocks, but Windows still launches the program. Source: http://www.theregister.co.uk/2010/07/01/adobe_auto_launch_peril/
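The bypass in item 46 is the classic failure of filtering a command line by comparing the literal string against a list of forbidden names: the filter sees “calc.exe” with quotes and lets it through, while the shell strips the quotes and runs the same program. The snippet below is an added example and is not Adobe’s code; the page does not describe how the patched reader matches commands, so the string-match blocklist here (BLOCKED_PROGRAMS, a hypothetical list) is an assumption that reproduces the behaviour reported. Next to the vulnerable check it shows the canonicalize-then-compare version, which removes quotes, takes only the launched program, drops the directory, case-folds, strips the trailing dots and spaces that Win32 ignores, and appends .exe to a bare name the way CreateProcess does, and a deny-by-default allowlist, which is the robust option when the feature cannot simply be removed.

```python
import ntpath
import shlex

# Hypothetical blocklist standing in for the list of launch targets a patched reader refuses;
# the real list is not given on the page.
BLOCKED_PROGRAMS = frozenset({
    "calc.exe", "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "regedit.exe",
})


def is_blocked_naive(command):
    """Vulnerable check: a literal string comparison.

    '"calc.exe"' is not equal to 'calc.exe', so the quoted form passes the filter,
    yet Windows strips the quotes and launches calc.exe all the same.
    """
    return command in BLOCKED_PROGRAMS


def program_name(command):
    """Canonical name of the program a command line would launch.

    Quotes are removed, only the first token counts, directories are dropped,
    trailing dots and spaces (ignored by Win32) are stripped, the name is
    case-folded, and '.exe' is appended when no extension is given, which is
    what CreateProcess does for a bare name.
    """
    try:
        tokens = shlex.split(command, posix=False)   # keeps a quoted path with spaces together
    except ValueError:                              # unbalanced quotes: fall back to a plain split
        tokens = command.split()
    if not tokens:
        return ""
    first = tokens[0].replace('"', "").replace("'", "")
    name = ntpath.basename(first).rstrip(". ").casefold()   # ntpath handles both \ and /
    if name and "." not in name:
        name += ".exe"
    return name


def is_blocked_hardened(command):
    """Same blocklist, but compared against the canonical program name."""
    return program_name(command) in BLOCKED_PROGRAMS


def is_allowed(command, allowlist):
    """Deny-by-default alternative: launch only names explicitly permitted."""
    name = program_name(command)
    return bool(name) and name in {a.casefold() for a in allowlist}


if __name__ == "__main__":
    for cmd in ("calc.exe", '"calc.exe"', r"C:\Windows\System32\CALC.EXE /x", "calc", "notepad.exe"):
        print("%-36r naive=%-5s hardened=%-5s allowlisted=%s" % (
            cmd, is_blocked_naive(cmd), is_blocked_hardened(cmd), is_allowed(cmd, frozenset())))
```

Even the hardened blocklist is only as good as the canonicalization: 8.3 short names (CALC~1.EXE), a copy of the program under another name, or a path the reader resolves differently from the filter all slip past a name list, which is why the allowlist variant, or disabling the launch feature outright, is the safer end state.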


Communications Sector

47. July 2, IDG News Service – (National) U.S. to announce $795 million in new broadband subsidies. The President’s administration will announce nearly $795 million in grants and loans for broadband deployment projects across the nation July 2, officials with two federal agencies said. The U.S. National Telecommunications and Information Administration (NTIA) and the U.S. Rural Utilities Service (RUS) will officially announce awards for 66 new broadband projects that will touch all 50 states, the officials said. The money, from the American Recovery and Reinvestment Act passed by the U.S. Congress in early 2009, is expected to create or save about 5,000 jobs, officials said. The top goal for the grants and loans is to immediately create American jobs, while another goal is to give an economic boost to some areas of the country by providing new broadband service said the secretary of the Department of Commerce, the parent agency of the NTIA. The new broadband subsidies will bring service to 685,000 businesses, 900 health-care facilities, and 2,400 schools, he said. Source: http://www.computerworld.com/s/article/9178807/U.S._to_announce_795_million_in_new_broadband_subsidies


48. July 2, Florence Times Daily – (Alabama) Two stations temporarily go off the air. Two URBan Radio Broadcasting stations in Muscle Shoals, Alabama could remain off the air for as long as a month while they find a new home, company officials said July 1. The two AM stations — WLAY and WVNA — have been off the air since June 28. The regional director of programming for URBan said owners of the property that has been the site of the stations’ tower for decades had plans to triple the monthly lease payment, forcing his company to relocate. He said he has contacted representatives of most of the shows that have been airing and they have been understanding and will return when the stations resume broadcasts. The first step toward returning to the air will be getting permission from the Federal Communications Commission to move the transmitter. Also, company officials must find a new site for the tower. Source: http://www.timesdaily.com/article/20100702/NEWS/100709984/1011/NEWS?Title=Two-stations-temporarily-go-off-the-air


49. July 1, RadioWorld – (Texas) KPFT returns to air. Pacifica station KPFT(FM) in Houston, Texas is back on the air after a 36-hour outage due to vandalism. The general manager said the site manager and tower owner estimated damages at around $10,000. He said thieves broke into the station’s tower facility late June 27 and cut through locks and disconnected a “drop line,” a high-voltage wire 30 feet off the ground, cutting power to the tower. The transmitter building was damaged and had to be repaired before the electrical service could be restored. The Harris County Sheriff’s Office is investigating the incident. KPFT was still operating on its translator in Galveston, on FM 89.5, and on its Web site. Source: http://www.radioworld.com/article/102932


50. June 30, Star Local News – (Texas) Contractor leaves residents without service. Verizon lines were cut during construction the last week of June, leaving hundreds of Carrollton, Texas residents without services including telephone and Internet. Verizon placed the blame for the cut lines on private contractor Future Telecom Inc. Future Telecom claimed the fault lies with two separate sub-contractors — Aleman Construction and Sosa Construction. In addition to lines being cut, a water main and gas main were also hit during construction, flooding and damaging more Verizon lines. The mayor and other city officials were unaware that citizens were without Verizon’s services for days. Verizon’s workers had been working 12-hour shifts to correct the problem and have been able to restore services to the community. Verizon is looking for reimbursement for the damaged lines from Future Telecom. However, the investigation is ongoing. Source: http://www.scntx.com/articles/2010/06/30/news_update/109.txt