Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, July 22, 2010

Complete DHS Daily Report for July 22, 2010

Daily Report

Top Stories

• A United Airlines jetliner headed from Washington D.C. to Los Angeles was diverted to Denver on July 20 after it encountered turbulence, and more than 20 people were injured, according to the Washington Post. Rescue personnel indicated that most of the injuries were not severe.

23. July 21, Washington Post – (Colorado) More than 20 injured in turbulence on United Airlines flight from D.C.; plane diverted to Denver. A United Airlines jetliner headed from Washington D.C. to Los Angeles was diverted to Denver on July 20 after it encountered turbulence, and more than 20 people were injured. Rescue personnel indicated that most of the injuries were not severe. The twin engine Boeing 777 carried 255 passengers and a crew of 10. A spokeswoman for Denver Health Medical Center said more than 20 people had been taken to Denver area hospitals. She said most of the injuries appeared to be “moderate head, neck and back injuries.” In describing the incident, a Federal Aviation Administration spokesman said the flight “encountered severe turbulence above Kansas.” It was not known what caused the turbulence or whether it was associated with thunderstorms, which are typical over the Plains states at this time of year. Source:

• IDG News Service reported that Siemens confirmed July 21 that one of its customers was hit by a new worm designed to steal secrets from industrial control systems. See item 51 below in the Information Technology Sector.


Banking and Finance Sector

16. July 21, CBC News – (International) Credit union hit by card-skimming ‘bank robber’. A Quebec, Canada man is facing charges in the wake of an automated banking machine skimming fraud uncovered July 18 in Saskatoon, Saskatchewan. Police reported July 20 that they were tipped off by staff at a Saskatoon hotel, who discovered an unusual amount of cash in a guest room. Saskatoon police found about $100,000 in the room in $20 bills. Police said that as many as 600 debit cards may have been compromised in the scam, which they believed began July 17 and continued into July 18. In the weekend scam, a retail store was used to read and collect data from debit cards. All affected customers were being contacted and would be reimbursed. Police said their investigation continues and that the accused man may have had accomplices. Source:

17. July 21, Orlando Business Journal – (National) Orlando among top areas for mortgage fraud. The Orlando area and the state of Florida topped a list of cities and states at high risk for mortgage fraud, according to CoreLogic Inc. The research firm’s 2010 Fraud Trends Report listed Orlando as having one of the highest-risk ZIP codes in the United States, along with Miami, Atlanta, Detroit and Jamaica, N.Y., with an average fraud rate of three to four times the national rate. Additionally, Orlando had five of the 10 highest-risk streets in the nation, where nearly every loan booked appeared to have fraudulent information, and the foreclosure rate on the streets was 50 percent or higher. Meanwhile, Florida joined California, Georgia, North Carolina and South Carolina as having the highest risk in the nation for fraudulent loans and subsequent default, the report said. To produce the study, CoreLogic analyzed 80 million loan applications between 2005 and the fourth quarter of 2009 and then looked at the underlying application, property, and credit and loan information to track fraud risk over time. Source:

18. July 21, WHPTV 21 Harrisburg – (Pennsylvania) Credit card scam. Credit card scamming incidents in the Harrisburg, Pennsylvania area began July 16 when a man called several restaurants along the Carlisle Pike in Hampden Township saying he was a police officer conducting a fraud investigation. He said he needed all of the credit card information from cards used that day. At least two restaurant employees believed the scam. So far, police have identified at least 80 compromised accounts, including five that were used to make illegal purchases in New Jersey. Police are warning people to check account statements for unauthorized purchases. Source:

19. July 20, Dayton Daily News – (Ohio) More reports filed on fake bank security breaches. Police are still getting reports of residents being contacted about a fake security breach at Brookville National Bank in Brookville, Ohio. Police first started receiving reports about the fake security breach notices July 10. The latest reports occurred July 19. Residents told police they received automated messages to land-line phones and cell phones advising them of the breach and prompting them to enter their account information. The residents are told that they need to enter their account information to reactivate their accounts. Phone carriers Verizon, Frontier and Time Warner, as well as the local branch of the FBI, have all been notified about the messages. Authorities believe the calls are being made from outside the United States and that the suspects are “spoofing” phone numbers, a process that allows different phone numbers to show up on the victim’s caller ID. Source:

20. July 20, Housing Predictor – (Texas) Bank of America charged in home loan scheme. A massive class action lawsuit has been filed against Bank of America (BofA) by the nonprofit Texas Housing Justice League (THJL), representing 15 mortgage holders charging the nation’s biggest bank with “a systematic home loan servicing scheme.” The lawsuit may eventually involve thousands of Texas mortgage holders, who charge they have suffered abuse and financial damage at the hands of BofA employees. Only three of the homeowners have been foreclosed as a result of problems. The suit was filed in U.S. federal court in Victoria, Texas. The lawsuit alleges that BofA mortgage holders have suffered hours of telephone run around, misleading and inconsistent information, lost correspondence, verbal abuse, and extensive delays in efforts to get home mortgages modified. “The facts in this case reveal the harsh reality that underlies the loan servicer’s press statements about loan modifications and forbearance agreements following the collapse of the U.S. housing market,” the suit states. “This is not an isolated case,” said an attorney who represents the plaintiffs in the lawsuit. “It is the normal way the bank handles business.” Source:

21. July 20, WLS 7 Chicago – (Illinois) FBI on the hunt for ‘quick change bandit’. A series of bank robberies in the Chicago, Illinois area has FBI agents on the hunt for a man they are calling the “quick change bandit.” Officials believe the same bandit is responsible for at least three holdups since December 2010. The latest happened July 3 at a North Community Bank branch on North Wells. He is nicknamed the “quick change bandit” because he changes his clothes as soon as he leaves the bank. No injuries were reported in any of the holdups. Source:

22. July 19, Canadian Press – (International) Swedish prosecutors charge 10 men in $5 million helicopter heist. Swedish prosecutors July 19 charged 10 men with robbery for stealing 39 million Swedish kronor ($5.3 million) from a Stockholm cash depot in 2009 in a helicopter heist. A prosecutor said five men were charged with aggravated robbery and five with complicity, in one of the largest police investigations in Swedish history. Police said three masked gunmen last September dropped onto the roof of a Stockholm cash depot from a helicopter, broke into the building through a roof window, and set off explosions inside before hoisting themselves and their haul back up on rope lines. Police said they have recovered some cash, but noted most remains missing and that at least two unidentified suspects remain at large. If found guilty, the men face prison terms of up to 10 years. Nine of the suspects are Swedes and one is Syrian. All the men, aged between 23 and 38, have denied the charges. The prosecutor said Swedish police were tipped off already in August by police in Serbia that robbers planned a heist with a helicopter and expected to steal 10 million euro ($13 million). He said the robbers had tried, but failed to recruit a helicopter pilot in Serbia, before finding another pilot in Sweden. The five men charged with robbery include the suspected helicopter pilot, one man suspected of breaking into the depot, and three men suspected of using fake explosives to stop police from getting to the scene. The other five are suspected of planning the attack in different ways, providing explosives, and faking an alibi for the pilot by staging a minor car accident involving his vehicle at the time of the robbery. Source:

Information Technology

51. July 21, IDG News Service – (International) Siemens confirms German customer hit by Stuxnet espionage worm. Siemens confirmed July 21 that one of its customers has been hit by a new worm designed to steal secrets from industrial control systems. To date, the company has been notified of one attack, on a German manufacturer that Siemens declined to identify. The company is trying to determine whether the attack caused damage. The worm, called Stuxnet, was first spotted in June, when it infected systems at an unidentified Iranian organization, according to the head of the antivirus kernel department at VirusBlokAda, in Minsk, Belarus. The unidentified victim, which does not own the type of SCADA (supervisory control and data acquisition) systems targeted by the worm, “told us their workstations serially rebooted without any reason,” the head of the department said in an e-mail message July 20. VirusBlokAda soon received reports of the malware from “all over the Middle East,” he added. Microsoft said that it had logged infection attempts in the U.S., Indonesia, India, and Iran. Security vendor Symantec is now logging about 9,000 infection attempts per day. Source:

52. July 21, Help Net Security – (International) Google updates its anti-spam engine to block recent JavaScript attacks. Google has updated its Postini anti-spam engine following the recent surge in e-mails containing obfuscated JavaScript attacks. These e-mails are a hybrid between virus and spam messages, and are designed to look like legitimate Non-Delivery Report messages. “In some cases, the message may have forwarded the user’s browser to a pharma site or tried to download something unexpected, which is more virus-like. Since the messages contained classic JavaScript which generates code, the messages could change themselves and take multiple forms, making them challenging to identify,” reads a post on the official Google blog. “Fortunately, our spam traps were receiving these messages early, providing our engineers with advanced warning which allowed us to write manual filters and escalate to our anti-virus partners quickly.” The Postini engine processes more than 3 billion e-mail messages per day, and it has registered an upsurge in the volume of spam (16 percent more compared to Q1 2010), and a lesser increase (3 percent) in virus traffic. But when compared to Q2 2009, virus traffic has increased 260 percent. Among other relevant threats, Google mentions the false social networking messages, those tied to major news stories, false shipping e-mails, and the “friend in need” phishing messages. Source:

53. July 21, Krebs on Security – (International) Tool blunts threat from Windows shortcut flaw. Microsoft released July 21 a stopgap fix to help Windows users protect themselves against threats that may target a newly discovered, critical security hole that is present in every supported version of Windows. Security researchers in Belarus recently reported finding a sophisticated strain of malware that was exploiting a flaw in the way Windows handles shortcut files. Experts determined the malware was used to attack computers that interact with networks responsible for controlling operations of large, distributed and sensitive systems, such as manufacturing and power plants. Microsoft’s first advisory acknowledging the security hole said customers could disable the vulnerable component by editing the Windows registry. However, such editing can be dicey for people less experienced with Windows because one errant change can cause system-wide problems. In an updated advisory posted July 20, Microsoft added instructions for using a much simpler, point-and-click “FixIt” tool to disable the flawed Windows features. The tool allows Windows users to nix the vulnerable component by clicking the “FixIt” icon, following the prompts, and then rebooting the system. However, making this change could make it significantly more difficult for regular users to navigate their computer and desktop, as it removes the graphical representation of icons on the Task bar and Start menu bar and replaces them with plain, white icons. Source:

54. July 21, The Register – (International) Firefox update guards hen house. Mozilla has pushed out a new version of Firefox that fixes numerous security holes, some critical. Firefox version 3.6.7 addresses 14 vulnerabilities, 8 of which are described as critical. The most serious flaws involve the handling of malformed PNG images, memory bugs and other code execution risks. The cross-platform update, published July 20, also aims to tackle a variety of stability glitches, as explained in Mozilla’s release notes. In other client-side patching news, Apple released a new version of iTunes for Windows machines. The 9.2.1 update deals with a buffer overflow vulnerability involving the handling of itpc: URLs. Left unfixed, the flaw creates a possible route for hackers to inject hostile code onto vulnerable Windows boxes, providing they first trick users into opening dodgy links on contaminated Web sites. Source:

55. July 21, Sophos – (International) Dell warns of malware on motherboards. Dell has published a warning on its support forum that some of its server motherboards are infected with Windows malware. The admission, posted in response to a customer who wished to confirm that a telephone call he had received from a Dell representative was genuine, confirmed that “a small number of PowerEdge server motherboards” may contain spyware in their embedded server management firmware. Dell said it has created a list of affected customers, and that it is formally notifying them of the security problem via letter. No specifics have been offered as to which malware has infected the motherboards, or what it does. Source:

56. July 20, Computerworld – (National) DHS, vendors unveil open source intrusion detection engine. The Open Information Security Foundation (OISF), a group funded by the U.S. Department of Homeland Security (DHS) and several security vendors, this week released an open-source engine built to detect and prevent network intrusions. The Suricata 1.0 engine is touted as a replacement for the 12-year-old Snort open source technology that over the years has emerged as a sort of de facto standard for detecting and preventing intrusions. Snort currently claims close to 300,000 registered users and over 4 million downloads. Nearly 100 vendors currently have added Snort to network security devices. Earlier this month, Amazon announced it selected Snort to deliver IPS protection for its Web services customers. The OISF president said Suricata is designed to address limitations in the older Snort tool. For example, Suricata’s multi-threaded architecture can support high performance multi-core and multiprocessor systems. Snort is designed for the single-processor systems that dominated the tech world when it was created. The new engine also offers native IP reputation-filtering capabilities that allow Suricata-based intrusion-detection and intrusion-prevention devices to flag traffic from known bad sources. In addition, Suricata supports an automated protocol detection capability that enables protocol-specific security rules to be applied to a network stream, regardless of the port from which the traffic originated. Source:
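The item above mentions two Suricata capabilities in passing: protocol detection that does not trust the destination port, and reputation-based flagging of known-bad sources. The following added example (not Suricata code and not the project’s rule language; the flow format, rule names, reputation list and sample flows are all constructed for illustration) shows in miniature what those two ideas buy a defender: the application protocol is identified from the first bytes the client sends, and the protocol-specific rules are then applied to the stream whatever port it arrived on.

```python
"""Port-independent protocol detection with protocol-keyed rules.

Added illustration of the Suricata ideas described in the news item.
This is not Suricata's code; the Flow record, the rules and the sample
flows below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src: str        # client address
    dport: int      # server port the client connected to
    payload: bytes  # first bytes sent by the client


HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Ports on which each protocol is normally expected (constructed policy).
EXPECTED_PORTS: Dict[str, Set[int]] = {"http": {80, 8080}, "tls": {443}, "ssh": {22}}

# Constructed IP reputation list: sources already known to be bad.
BAD_SOURCES: Set[str] = {"203.0.113.7"}


def detect_protocol(payload: bytes) -> str:
    """Classify a stream by its initial bytes, ignoring the port entirely."""
    if payload.startswith(HTTP_METHODS):
        return "http"
    if payload.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    return "unknown"


def rule_unexpected_port(flow: Flow, proto: str) -> bool:
    """A known protocol showing up on a port where it is not expected."""
    return proto in EXPECTED_PORTS and flow.dport not in EXPECTED_PORTS[proto]


def rule_bad_reputation(flow: Flow, proto: str) -> bool:
    """Reputation filter: fires regardless of protocol or port."""
    return flow.src in BAD_SOURCES


def rule_http_without_host(flow: Flow, proto: str) -> bool:
    """HTTP-specific rule: an HTTP/1.1 request with no Host header.
    Because it is keyed on the detected protocol, it also fires on port 8443."""
    return proto == "http" and b"HTTP/1.1" in flow.payload and b"\r\nHost:" not in flow.payload


RULES: List[Tuple[str, Callable[[Flow, str], bool]]] = [
    ("protocol-on-unexpected-port", rule_unexpected_port),
    ("known-bad-source", rule_bad_reputation),
    ("http-request-without-host", rule_http_without_host),
]


def evaluate(flow: Flow) -> List[str]:
    """Return the names of all rules that match this flow."""
    proto = detect_protocol(flow.payload)
    return [name for name, predicate in RULES if predicate(flow, proto)]


# Constructed sample flows (documentation-range addresses).
SAMPLE_FLOWS = [
    Flow("198.51.100.2", 8443, b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    Flow("203.0.113.7", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    Flow("198.51.100.9", 80, b"GET / HTTP/1.1\r\nUser-Agent: probe\r\n\r\n"),
    Flow("198.51.100.4", 2222, b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("198.51.100.9", 80, b"\x00\x01\x02\x03"),
]

if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(f"{f.src}:{f.dport} {detect_protocol(f.payload):8s} {evaluate(f)}")
```

The first sample is HTTP on 8443: a port-only engine would look for TLS there and see nothing, whereas protocol detection lets the HTTP rules run. The last sample is unclassifiable binary data on port 80 and matches nothing, which is the honest answer rather than a false positive from assuming port 80 is always HTTP.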

57. July 20, The Register – (International) IE and Safari let attackers steal user names and addresses. The Internet Explorer, Firefox, Chrome, and Safari browsers are susceptible to attacks that allow Webmasters to glean highly sensitive information about the people visiting their sites, including their full names, e-mail addresses, location, and even stored passwords, a security researcher said. In a talk scheduled for the Black Hat security conference in Las Vegas, the CTO of White Hat Security plans to detail critical weaknesses that are enabled by default in the browsers, which are the four biggest by market share. The vulnerabilities have yet to be purged by the respective browser makers despite months, and in some cases, years of notice. Among the most serious is a vulnerability in Apple’s Safari and earlier versions of Microsoft’s IE that exposes names, e-mail addresses, and other sensitive information when a user visits a booby-trapped Web site. The attack exploits the browsers’ autocomplete feature used to automatically enter commonly typed text into Web sites. It works by creating a Web page with fields carrying titles such as “First Name,” “Last Name,” “Email Address,” and “Credit Card Number” and then adding JavaScript that simulates the user entering various letters, numbers or keystrokes into each one. Source:

58. July 20, DarkReading – (International) Researcher pinpoints widespread common flaw among VxWorks devices. A researcher will reveal how a misconfiguration by developers using the VxWorks operating system found in many embedded systems has left a trail of vulnerable products across various vendors’ products. The researcher, who is also the chief security officer and Metasploit chief architect at Rapid7, so far has found some 200 to 300 different products connected to the Internet that contain a diagnostics service or feature from VxWorks that leaves them susceptible to getting hacked. These devices include VoIP equipment and switches, DSL concentrators, industrial automation systems for SCADA environments, and Fibre Channel switches. The diagnostics service for developers can be abused by an attacker if left either purposely or inadvertently active in the software. “The service allows access to read memory, write memory, and even power cycle the device. Combined, that is enough to steal data, backdoor the running firmware image, and otherwise take control over the device,” he said. “This feature shouldn’t be enabled” in production mode, but instead deactivated, he said. Source:

59. July 20, Sophos – (International) In-store Fuji photo kiosks spread malware. It appears FujiFilm is installing anti-virus protection onto its devices since reports began to come in from Australia earlier in July that some Windows-based Fuji photo kiosks were infected by malware, and were spreading worms to unsuspecting shoppers when they inserted their SD cards and memory sticks to print out their digital snaps. But this is not the only solution. Another way to prevent infection is to ensure data can only be read from the customers’ SD card or USB stick, not written to it. At least that way the device could still become infected, but would not spread the malware further. Source:

For another story, see item 63 below in the Communications Sector.

Communications Sector

60. July 21, Sierra Vista Herald – (Arizona) Truck topples poles; TV, net service troubled. Thousands of customers of cable and Internet provider Cox in Cochise County, Arizona, were without television service late July 20 after a fiber-optic cable was damaged in Benson. The director of systems operations for Cox in Sierra Vista said a fiber-optic cable was damaged in the Benson area. About 6 p.m., a cable hanging over Ocotillo Road was pulled down by a “high-profile” vehicle passing underneath. “The poles on both sides of the road were pulled down,” causing temporary power outages for Benson, St. David and the unincorporated community of Cochise, a spokesperson for Sulphur Springs Valley Electric Cooperative said. Electricity was restored to these affected areas in about 5 minutes. Around the same time, cable television service was disrupted for Benson, Sierra Vista and Fort Huachuca. Cox crews were working late July 20 to determine whether the same incident was to blame for the damage to the fiber-optic line. Cox equipment automatically switched over to a backup system, allowing for limited use of landline phones and cable Internet in each of these areas, including Douglas. Once crews located the damaged fiber-optic cable, repair work began. Repairs were expected to be completed by midnight. Source:

61. July 20, WAVY 10 Hampton Roads – (Virginia) Cut lines put Verizon service on hold. A Verizon spokesman said a contractor cut fiber-optic lines in Williamsburg, Virginia, July 20 at around 2 p.m., and affected customers were unable to make long distance calls or dial out of their three-digit prefix. Customers could still dial locally from their landline phones. Shortly before 5 p.m., Verizon restored phone and Internet service to the majority of the affected customers in Williamsburg and surrounding communities by rerouting the services to other Verizon fiber-optic lines. Some customers’ service in the area remains affected by damaged fiber-optic lines the company cannot re-route. It was not known how many customers were affected. Verizon said crews will continue to work until service to these customers is fully restored. Source:

62. July 20, IDG News Service – (National) FCC: Broadband deployment isn’t happening fast enough. Between 14 million and 24 million U.S. residents do not have access to broadband service, and deployment is not happening fast enough, a report from the Federal Communications Commission (FCC) concluded. Broadband is not being rolled out to unserved areas in a timely manner, and immediate prospects for deployment to U.S. residents without service are “bleak,” the FCC said in the broadband deployment report, released July 20. This is the first time, since the FCC began issuing the reports in 1999, that the agency has concluded that broadband isn’t being deployed fast enough. “The report points out the great broadband successes in the United States, including as many as 290 million Americans who have gained access to broadband over the past decade,” the FCC chairman said. “But the statute requires more. It requires the agency to reach a conclusion about whether all — not some, not most — Americans are being served in a reasonable and timely fashion.” The report focuses on ways to speed broadband deployment, including revamping the FCC’s Universal Service Fund to support broadband, increasing the amount of wireless spectrum available for commercial and unlicensed uses, and collecting better broadband data to assist policymakers and consumers. Source:

63. July 19, Government Computer News – (International) DNSSEC now fully deployed on the Internet root. Operators of the Internet’s authoritative root zone the week of July 12 completed deployment of enhanced security protocols at the top level of the Domain Name System. The Internet’s 13 root zone DNS servers have been digitally signed using the DNS Security Extensions (DNSSEC) since May. On July 15, the signed root zone was made available and a trust anchor was published with cryptographic keys that will allow users to verify the authenticity of DNS address requests. To be fully effective, DNSSEC must be deployed throughout the Internet’s domains, but the publication of the trust anchor for the Internet root means it now is possible to begin linking together the “islands of trust” that have been created by the deployment of DNSSEC in isolated domains, such as .gov and .org. The DNS root zone, which contains the records needed to resolve the domain names used by people to IP addresses used by routers and servers, is overseen by the Commerce Department’s National Telecommunications and Information Administration and the files are managed by VeriSign Inc. Source:
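The DNSSEC item above describes the published root trust anchor as the piece that lets the existing “islands of trust” be linked together. The link from a parent zone to a child zone is a DS record: a hash of the child’s DNSKEY, published and signed in the parent. The following added example (not from the article, and not the code of any DNS software) computes that DS hash and the RFC 4034 key tag with only the Python standard library, and walks a constructed chain of zones from a trust anchor down to a leaf zone. The owner names, keys and DS records are constructed placeholders, not the real root or .org keys, and the example checks only the DS-to-DNSKEY hash links; verifying the RRSIG signatures over each zone’s records is the other half of validation and is deliberately left out here because it needs a public-key library.

```python
"""DS record computation and DS-to-DNSKEY chain linking (DNSSEC).

Added illustration; not from the article or any DNS implementation.
All keys and names below are constructed placeholders.
RRSIG signature verification is intentionally not modelled.
"""
import base64
import hashlib
import struct
from typing import List, Tuple

# DNSKEY as (flags, protocol, algorithm, public_key_base64); DS as (key_tag, algorithm, digest_type, digest_hex)
DnsKey = Tuple[int, int, int, str]
Ds = Tuple[int, int, int, str]

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label last."""
    out = b""
    stripped = name.rstrip(".").lower()
    if stripped:
        for label in stripped.split("."):
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(key: DnsKey) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    flags, protocol, algorithm, pubkey_b64 = key
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS digest = hash(owner name in wire form || DNSKEY RDATA), hex, upper case."""
    return DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()


def make_ds(owner: str, key: DnsKey, digest_type: int = 2) -> Ds:
    """What a parent zone would publish for this child key."""
    rdata = dnskey_rdata(key)
    return (key_tag(rdata), key[2], digest_type, ds_digest(owner, rdata, digest_type))


def ds_matches(owner: str, key: DnsKey, ds: Ds) -> bool:
    """Does the parent's DS record actually point at this child DNSKEY?"""
    rdata = dnskey_rdata(key)
    tag, algorithm, digest_type, digest = ds
    return (tag == key_tag(rdata)
            and algorithm == key[2]
            and digest_type in DIGESTS
            and ds_digest(owner, rdata, digest_type) == digest.upper())


def linked_chain(trust_anchor: Ds, zones: List[Tuple[str, DnsKey, Ds]]) -> List[str]:
    """Walk zones from the top; each (owner, dnskey, ds) must match the DS its parent publishes.
    The first zone is checked against the trust anchor. Returns the owners verified before the
    first broken link (the zones that are connected to the anchor)."""
    verified = []
    expected = trust_anchor
    for owner, key, published_ds in zones:
        if published_ds != expected or not ds_matches(owner, key, published_ds):
            break
        verified.append(owner)
        expected = published_ds  # placeholder: the next zone's DS is looked up from this zone
    return verified


# Constructed keys: flags 257 = KSK (zone key + secure entry point), protocol 3, algorithm 8.
ROOT_KEY: DnsKey = (257, 3, 8, "AQIDBA==")      # public key bytes 01 02 03 04 (placeholder)
ORG_KEY: DnsKey = (257, 3, 8, "BQYHCA==")       # bytes 05 06 07 08 (placeholder)
EXAMPLE_KEY: DnsKey = (257, 3, 8, "CQoLDA==")   # bytes 09 0a 0b 0c (placeholder)

TRUST_ANCHOR: Ds = make_ds(".", ROOT_KEY)        # stands in for the published root trust anchor

if __name__ == "__main__":
    print("root key tag:", key_tag(dnskey_rdata(ROOT_KEY)))
    print("anchor DS:", TRUST_ANCHOR)
    print("org. DS matches:", ds_matches("org.", ORG_KEY, make_ds("org.", ORG_KEY)))
```

In a real resolver the chain is driven by the anchor published for the root and by the DS records each parent zone serves; here `linked_chain` takes those DS records as inputs so that the hash-link check can be exercised offline. Swapping a single byte of a child key breaks the link, which is exactly the property the trust anchor is there to enforce.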