Department of Homeland Security Daily Open Source Infrastructure Report

Friday, July 16, 2010


Top Stories

• Scientists are reporting early signs that the Gulf of Mexico oil spill is altering the marine food web by killing or tainting some creatures, and spurring the growth of others more suited to a fouled environment, according to The Associated Press. (See item 35)

35. July 14, Associated Press – (National) Scientists say Gulf spill altering food web. Scientists are reporting early signs that the Gulf of Mexico oil spill is altering the marine food web by killing or tainting some creatures and spurring the growth of others more suited to a fouled environment. Near the spill site, researchers have documented a massive die-off of pyrosomes — cucumber-shaped, gelatinous organisms fed on by endangered sea turtles. Along the coast, droplets of oil are being found inside the shells of young crabs that are a mainstay in the diet of fish, turtles and shorebirds. And at the base of the food web, tiny organisms that consume oil and gas are proliferating. If such impacts continue, the scientists warn of a grim reshuffling of sea life that could over time cascade through the ecosystem and imperil the region’s multibillion-dollar fishing industry. Federal wildlife officials say the impacts are not irreversible, and no tainted seafood has yet been found. But the U.S. representative who chairs a House committee investigating the spill warned July 13 that the problem is just unfolding, and toxic oil could be entering seafood stocks as predators eat contaminated marine life. Source:

• The Register reports that Mozilla has disabled and block-listed a Firefox add-on containing code that nabs log-in data sent to any Web site and reroutes it to a remote server. Known as Mozilla Sniffer, the add-on was uploaded to the Firefox add-on site June 6, and the malicious code was found July 13, after which the add-on was block-listed. See item 52 below in the Information Technology Sector


Banking and Finance Sector

20. July 15, Computerworld – (International) Visa moves to reduce payment card data in retail systems. A new payment-card, security initiative launched by Visa Inc. July 14 could eliminate the need for retailers and other organizations to store full, 16-digit, credit- and debit-card numbers on their systems. The move comes in response to long-standing pressure from the National Retail Federation, which insists that merchants should not be required to store the information because of security risks. Many must do so because credit-card-issuing banks and the merchant’s own financial institutions require the full, 16-digit primary account number (PAN) in order to resolve refunds, charge backs and other customer disputes. In some cases, large retailers also voluntarily store PAN data, either because they need it internally or because of legacy systems. Visa itself does not require merchants to store PAN data, but it does require them to protect the data in accordance with Payment Card Industry Data Security Standards. Under the initiative unveiled, Visa will push card issuers and acquiring banks to allow merchants to present truncated, disguised or otherwise masked card numbers for dispute resolution cases. Some organizations permit this already, but the goal is to make the practice broader, said the head of global payment system security at Visa. Source:

21. July 15, Wall Street Journal – (New York) NYSE sets new trading collars. The New York Stock Exchange’s electronic exchange will introduce new limits designed to prevent erroneous trades that have triggered trading halts installed after the market’s “flash crash” in May. The rules will prevent the buying or selling of stocks at a price outside of set limits, the exchange said. “This would help prevent the erroneous trades from taking place to begin with,” said a spokesman for NYSE Euronext, owner of the Big Board. Since the exchanges established a market-wide, circuit-breaker pilot program last month in response to the May 6 “flash crash,” trading halts have been triggered in three stocks following erroneous trades: Washington Post Co., Citigroup Inc. and Anadarko Petroleum Corp. The circuit breakers, established for all individual stocks in the Standard & Poor’s 500-stock index, halt trading in a stock for five minutes if its price moves 10 percent up or down within five minutes. The spokesman said the circuit breakers will remain in place, but likely will occur less frequently with the new system. Source:

22. July 15, Jefferson City News Tribune – (Missouri) ‘Phishing’ scam targeted local bank. An identity “phishing” scam discovered July 13 has targeted Mid America Bank customers who use mobile/wireless service provided by AT&T. The president of the Wardsville, Missouri-based bank said the bank’s phone lines were inundated with calls from customers and non-customers. They had received calls stating their debit/credit cards had been inactivated. The caller asked them to press “1” to reactivate the card, then attempted to get their personal account information. Two customers notified Mid-America that they provided information about their debit cards. The bank “hotcarded” the cards to freeze any account activity, the bank’s IT systems administrator said. No funds have been illegally withdrawn through the scam. If customers report that they gave out their banking information and money is withdrawn from an account, the bank has protection through its credit card company to reimburse the losses. Source:

23. July 15, Biloxi-Gulfport Sun Herald – (International) FINRA warns investors of social media-linked ponzi schemes, high-yield investment programs. The Financial Industry Regulatory Authority (FINRA) warned investors today about Internet-based Ponzi schemes called high-yield investment programs (HYIPs), which purport to offer returns of 20, 30, 100 percent or more per day. HYIPs are unregistered investments sold by unlicensed individuals using sophisticated-looking Web sites. The con artists behind HYIPs are experts at using social media — including YouTube, Twitter and Facebook — to lure investors and create the illusion of social consensus that these investments are legitimate, but FINRA wants investors to know that HYIPs are just Internet-based scams. FINRA’s investor alert HYIPs — Hazardous to Your Investment Portfolio said many HYIPs have a worldwide reach: The recently exposed Pathway to Prosperity scheme allegedly defrauded more than 40,000 investors in more than 120 countries of $70 million. The FBI noted that the number of new HYIP investigations during fiscal year 2009 increased more than 100 percent over fiscal year 2008. In order to combat this growing online fraud, FINRA will use search-engine advertising to direct online investors searching for HYIPs to its investor alert. “HYIPs are old-fashioned Ponzi schemes dressed up for a Web 2.0 world. Some of these schemes encourage people to bring in new victims, while others entice investors to ‘ride the Ponzi’ by attempting to get in and get out before the scheme collapses,” said the FINRA senior vice president. “By using Google AdWords, we are hoping to reach anyone searching the Internet for HYIPs before they fall into the hands of con artists.” Source:

24. July 15, MSNBC – (National) Financial reform bill clears key Senate hurdle. The Senate has cleared a sweeping bank regulation bill for final passage by breaking through a Republican blockade. The Senate voted 60-38 July 15 to end debate on the bill. That paved the way for Congress to send the U.S. President a crackdown on banks and Wall Street that in some ways is tougher than what he sought. The 2,300-page bill aims to address regulatory weaknesses blamed for the 2008 financial crisis. It gives regulators broad authority to rein in banks, limit risk-taking by financial firms and supervise previously unregulated trading. It also makes it easier to liquidate large, financially interconnected institutions, and it creates a new consumer protection bureau to guard against lending abuses. The measure has already passed the House of Representatives. Source:

25. July 14, Miami Herald – (Florida) Six arrested in another South Florida mortgage fraud scam. Six South Floridians were arrested July 14 on charges of grand degree theft for their involvement in a mortgage scam that netted more than $2 million in fraudulent mortgages, the state department of financial services division of insurance fraud said. Investigators found that the vice president of Bal Bay Properties, and his 28-year-old son, who was working for his father’s company, recruited straw buyers who were offered $3,000 each to allow their names to be used on mortgage loan applications. The homes were bought with the understanding that the properties would be quit-claimed to an actual buyer. All the homes bought through the scam eventually went into foreclosure since buyers could not be found for any of them. In recent weeks, 20 other people in South Florida have been charged for their roles in mortgage-fraud schemes. They were involved in a scam to buy 14 properties that yielded $8 million in profits. Another ring recently busted involved police officers, an FBI agent, attorneys and mortgage brokers, who are accused of faking documents to collect $16.5 million in loans they used to buy and flip 38 condos and homes in Broward and Palm Beach counties. Source:

26. July 14, UPI – (National) Fla. man indicted in $880M Ponzi scheme. A Florida man was indicted July 14 in an alleged $880 million Ponzi scheme tied to a phantom grocery-distribution business, authorities in New Jersey said. The 41-year-old suspect of Miami Beach, who is the former owner and chief executive officer of Capitol Investments USA Inc., is accused of soliciting hundreds of millions of dollars from people in New Jersey and elsewhere who thought they were investing in his wholesale grocery-distribution enterprise. Federal authorities allege Capitol had no active wholesale grocery business at the time, and from 2005 to 2009 the suspect used new investor funds to make principal and interest payments to earlier investors. He allegedly siphoned off $35 million to underwrite his lavish lifestyle. The July 14 indictment is a follow-up to a criminal complaint that led him to surrender to FBI and Internal Revenue Service agents April 21. He is now charged with securities fraud, money laundering and conspiracy to commit securities and wire fraud. Source:

Information Technology

52. July 15, The Register – (International) Mozilla snuffs password pilfering Firefox add-on. Mozilla has disabled and block-listed a Firefox add-on containing code that nabs log-in data sent to any Web site and reroutes it to a remote server. The add-on — known as Mozilla Sniffer — was uploaded to the Firefox add-on site June 6, and the malicious code was discovered July 13, after which the add-on was block-listed. This means netizens who installed the add-on will be prompted to remove it. Mozilla said that anyone who installed the add-on should also change their Web passwords. “If a user installs this add-on and submits a log-in form with a password field, all form data will be submitted to a remote location,” Mozilla said in a July 14 blog post. It added that the remote server charged with collecting passwords appeared to be down. According to Mozilla, the Sniffer was downloaded about 1,800 times, and as of July 14, there were 334 active users. The add-on had not been reviewed by Mozilla. It was marked as “experimental,” meaning that anyone who attempted to install it received a warning that the code had not been reviewed. Such unreviewed add-ons are merely scanned for viruses, trojans, and other malware. Mozilla also said it had discovered a security vulnerability in version 3.0.1 of a far more popular add-on known as CoolPreviews, which displays previews of Web pages when a mouse is moved over links. Version 3.0.1 and earlier versions have been disabled, and a patched add-on has been uploaded to According to Mozilla, the add-on could execute remote JavaScript code with local chrome privileges, giving an attacker control over the user’s machine. “If a user has a vulnerable version installed and clicks on a malicious link that targets the add-on, the code in the malicious link will run with local privileges, potentially gaining access to the file system and allowing code download and execution,” Mozilla said. Source:

53. July 15, Krebs on Security – (International) Experts warn of new Windows shortcut flaw. Researchers have discovered a sophisticated new strain of malicious software that piggybacks on USB storage devices and leverages what appears to be a previously unknown security vulnerability in the way Microsoft Windows processes shortcut files. VirusBlokAda, an anti-virus company based in Belarus, said June 17 its specialists found two new malware samples that were capable of infecting a fully-patched Windows 7 system if a user were to view the contents of an infected USB drive with a common file manager such as Windows Explorer. USB-borne malware is extremely common, and most malware that propagates via USB and other removable drives traditionally has taken advantage of the Windows Autorun or Autoplay feature. But according to VirusBlokAda, this strain of malware leverages a vulnerability in the method Windows uses for handling shortcut files. Shortcut files — or those ending in the “.lnk” extension — are Windows files that link easy-to-recognize icons to specific executable programs, and are typically placed on the user’s desktop or start menu. Typically, a shortcut doesn’t do anything until a user clicks its icon. But VirusBlokAda found that malicious shortcut files are capable of executing automatically if they are written to a USB drive that is later accessed by Windows Explorer. “So you just have to open the infected USB storage device using [Windows] Explorer or any other file manager which can display icons (for i.e. Total Commander) to infect your Operating System and allow execution of the malware,” wrote an anti-virus expert with the company in a July advisory. Source:

54. July 15, The H Security – (International) Cisco switches with SNMP vulnerability. A firmware flaw in Cisco’s Industrial Ethernet 3000 switches causes the community strings chosen by the admin to be overwritten after every reboot. This allows attackers to read and edit the configuration parameters in a local network via the “public” and “private” standard strings – without further access restrictions. By default, SNMP is disabled on the devices. Firmware versions 12.2 from 12.2(52)SE are affected. Cisco offers a workaround which initially removes the standard strings immediately and, as a second step, removes them from the configuration after every system start. The vendor said that firmware version 12.2(55)SE, in which the flaw has been fixed, will be released in August. Source:
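A configuration audit for the reset-on-reboot behaviour described in item 54, written here as an added example; it is not code from the page, The H Security or Cisco. The IOS-style running-config excerpts, hostname, ACL numbers and admin community strings are constructed, and the post-reboot excerpt assumes the defaults replace the admin-chosen strings.

```python
from __future__ import annotations

import re

# Constructed IOS-style running-config excerpts (not from the page or from Cisco).
# PRE models an admin-configured switch; POST models the state the item describes,
# where a reboot replaces the chosen strings with the "public"/"private" defaults.
PRE_REBOOT_CONFIG = """\
hostname ie3000-plant-floor
snmp-server community s3cr3t-ro RO 10
snmp-server community s3cr3t-rw RW 10
snmp-server location cabinet-7
"""
POST_REBOOT_CONFIG = """\
hostname ie3000-plant-floor
snmp-server community public RO
snmp-server community private RW
snmp-server location cabinet-7
"""

# The well-known default strings the affected firmware restores after a reboot.
DEFAULT_COMMUNITIES = {"public", "private"}

# One "snmp-server community <string> [RO|RW] [acl]" line; IOS defaults mode to RO.
_COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", re.MULTILINE
)


def parse_communities(config: str) -> list[tuple[str, str, str | None]]:
    """Return (community, mode, acl) for each community line in the config."""
    return [(m.group(1), m.group(2) or "RO", m.group(3))
            for m in _COMMUNITY_RE.finditer(config)]


def find_default_communities(config: str) -> list[tuple[str, str]]:
    """Audit finding: default community strings present, with their access mode."""
    return [(name, mode) for name, mode, _acl in parse_communities(config)
            if name.lower() in DEFAULT_COMMUNITIES]


def communities_changed_by_reboot(before: str, after: str) -> tuple[set[str], set[str]]:
    """Diff configs saved before and after a reboot; returns (added, removed).

    Catches the overwrite the item describes from saved configs alone, without
    sending any SNMP traffic to the switch.
    """
    old = {name for name, _, _ in parse_communities(before)}
    new = {name for name, _, _ in parse_communities(after)}
    return new - old, old - new


def remediation_commands(config: str) -> list[str]:
    """Step one of the vendor workaround: commands that drop the default strings.

    Re-running these after every system start is the workaround's second step.
    """
    return [f"no snmp-server community {name}"
            for name, _mode in find_default_communities(config)]
```

Running the reboot diff against archived configs from each maintenance window is the cheapest way to confirm whether a given switch is on affected firmware, since an unexpected "public"/"private" pair appearing after a restart is the symptom the advisory describes.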

55. July 14, DarkReading – (International) Researchers: Asprox botnet is resurging. The botnet Asprox, long known for its spamming capabilities, resurged in June, according to a new first-half lab report by M86 Security. Asprox, which also uses SQL injection techniques to infect vulnerable application service provider (ASP) sites on a large scale, showed a spike in activity in June, infecting more than 10,000 ASPs in a three-day period, M86 said. The bot downloads instructions, which include target ASP Web sites, and then performs an SQL injection attack that attempts to poison data in the underlying SQL database serving the site. The botnet used a simple Google search to seek out additional vulnerable ASP sites, M86 said. Asprox is typical of the new breed of combined attacks that grew significantly in the first half of 2010, according to the report, which outlines a number of trends in spam and malware. Source:

56. July 14, SC Magazine – (International) Employees become the weak link in a cyber crime attack. Employees are now targets within organizations rather than the network. The head of new technologies, identity protection and verification at RSA claimed that employees can not only harm a company by accidental downloads or by leaking data, but they also are the new target of cyber criminals. He said: “The adversary has changed, today it is a very well developed economy in a complex environment that is developed over a number of years.” He pointed to the Aurora attack from January, which he said was achieved with a simple phishing attack by targeting the employee and getting a way in. With recent surveys from Sourcefire and Unisys pointing to the threat posed by employees using personal devices, which are generally unmanaged for work purposes, the head of new technologies noted that this complicates things. But when asked if a CISO would tell them to stop using it, he replied: “There is a level of dilemma for the security manager who wants to enable productivity and efficiency but wants to be productive.” Source:

57. July 14, – (International) Users still failing on basic security patching. A report into Internet security has found that vulnerability patching is still woefully inadequate among computer users. Just one of the top 10 exploited flaws in M86 Security’s analysis of the first half of 2010 had been patched this year, while one fix was issued in 2006 and the majority were at least two years old. Half of the flaws were in Microsoft products, namely Internet Explorer and Access Snapshot, and in video-streaming controls. “The attackers go for low-hanging fruit,” the vice president of technology at M86 Security, told The level of client vulnerabilities and the differing access needs of users makes it difficult for IT departments to run a coherent patching strategy, and makes locking down users an imperfect solution. Ideally almost no users should have administrative access but this is seldom realistic. Hackers are also becoming increasingly smart about hampering attempts to block their code. M86 Security detailed a new attack using JavaScript in conjunction with Adobe’s ActionScript software, which sets up a communications channel via Flash so that only half of the attack code is exposed. Source:

Communications Sector

58. July 14, Data Center Knowledge – (National) Data centers with no UPS or generator. Yahoo is considering going without uninterruptible power supply (UPS) and generators — a seemingly radical concept after data centers without chillers — for some future data-center projects. It’s not alone in advocating design choices that represent a huge departure from current practice. A number of data-center designers are urging clients to consider limiting UPS support to loads that are genuinely critical. The head of data-center operations at Yahoo said in his keynote at the 7×24 Exchange conference in June that the Internet portal is exploring scenarios in which it would build data centers without generators or UPS, and use its network to route around any power outages that occur at those facilities. That is a strategy that only the largest data-center providers can contemplate, as it requires multiple data centers in major network capacity. Google has pursued a similar strategy during maintenance on some of its data centers, shifting capacity to other facilities. Google, Microsoft and Yahoo have all built new data centers that operate without chillers, eliminating one of the most power-intensive pieces of equipment from their infrastructure. This has been accomplished by building new facilities in locations that support fresh air cooling. Eliminating key components in power infrastructure is a tougher challenge, given the data center industry’s focus on redundancy and reliability. Source:

59. July 14, Redwood Times – (California) Severed cable cuts service to 101Netlink customers. 101Netlink in northern California experienced an outage of all Internet and voice services July 6 from 10:42 a.m. to 5:36 p.m. The outage was caused by a highway contractor doing horizontal drilling to reinforce a potential landslide area on Hwy. 253 between Ukiah and Manchester. The cut fiber is owned by Level3 Communications. 101Netlink is investigating why there was not adequate supervision to avoid the outage. 101Netlink is partnering with IPNetworks to bring a redundant fiber over Hwy. 36 from Hwy. 5 to Eureka. Once this alternate fiber is in place, a fiber cut will not affect service. Source:

60. July 14, IDG News Service – (National) All but 3 U.S. states seek Google’s fiber network help. Communities in every U.S. state but three — Delaware, Florida and South Dakota — have applied to become test markets for Google’s planned high-speed broadband network. Approximately 1,100 communities and 194,000 individuals responded to Google’s request for information about communities interested in getting the network, Google said. The company launched the site this week and said it is designed to thank people for their enthusiasm and share information about the project. In February, Google announced plans to build what it calls an “ultra-high-speed” fiber network in one or more trial locations. It plans to deliver 1 gigabit-per-second fiber connections to 50,000 to 500,000 people. End users will pay a “competitive price” for the access, Google said. The U.S. ranks behind many developed countries in terms of broadband services based on throughput. According to an October 2009 report by the Organization for Economic Cooperation and Development, the U.S. ranks 23rd in the world, behind Poland, Greece, the Czech Republic and others, based on average advertised broadband download speed. Source: