Department of Homeland Security Daily Open Source Infrastructure Report

Friday, July 30, 2010

Complete DHS Daily Report for July 30, 2010

Daily Report

Top Stories

• Fire destroyed a chemical plant in Northeast Clarke County Georgia early July 28, sending plumes of toxic smoke into the air and chemicals into a nearby creek, according to the Athens Banner-Herald. (See item 6)

6. July 29, Athens Banner-Herald – (Georgia) Fire destroys chemical plant. Fire destroyed a chemical plant in Northeast Clarke County, Georgia, early July 28, sending plumes of toxic smoke into the air and chemicals into a nearby creek. The fire at J&J Chemical Co. began about midnight and burned through most of the day. After battling the blaze for several hours, Athens-Clarke fire crews withdrew from the building because of the intense heat and toxic fumes and waited for the fire to burn itself out. Fire investigators planned to begin searching for a cause July 29, after the remains of the chemical plant had cooled down. J&J Chemical manufactures restroom deodorizers, graffiti remover and other products that contain toxic chemicals. The company’s 30,000-square-foot Athens plant was destroyed. No one was in the building when the fire began, and no firefighters were hurt battling the blaze. Authorities were concerned the fire might pose a public health risk as it consumed untold gallons of glutaraldehyde — a toxin that can irritate eyes, nose, throat and lungs, along with causing headaches, drowsiness and dizziness. People at Athens Technical College and nearby businesses were cautioned to stay inside, and authorities evacuated employees of McAnn Aerospace Machining Corp., located next to the chemical plant. But hazardous materials response teams from Athens-Clarke County and the University of Georgia tested the air within a half-mile radius of the chemical plant and determined the levels of toxins were within safe limits. Blue dye from the plant did make its way to a nearby creek, and officials with the state environmental protection division will assess the damage and monitor cleanup work. Source:

• Homeland Security Today reports that based on intelligence indicating that Al Qaeda and associated movements continue to express interest in attacking U.S. mass transit systems, the Government Accountability Office (GAO) has issued a redacted version of a classified report on “explosives detection technologies [that] are available or in development that could help secure passenger rail systems.” (See item 22)

22. July 29, Homeland Security Today – (National) Passenger rail systems vulnerable, GAO study says. Based on intelligence indicating that Al Qaeda and associated movements continue to express interest in attacking U.S. mass transit systems, the Government Accountability Office (GAO) has issued a redacted version of a classified report on “explosives detection technologies [that] are available or in development that could help secure passenger rail systems.” However, GAO noted that “while these technologies show promise in certain environments, their potential limitations in the rail environment need to be considered and their use tailored to individual rail systems.” In its report, Explosives Detection Technologies to Protect Passenger Rail, GAO did not make any specific recommendations, but it did raise “various policy considerations.” The report pointed to the fact that the TSA and passenger rail operators share the responsibility for security, which it said could complicate decisions. In addition, the GAO recommended the use of risk-management principles to guide decision-making related to technology and resource allocation. Source:


Banking and Finance Sector

15. July 29, Daniweb – (International) Black Hat conference demonstration reveals ATM security risk. At the Black Hat conference in Las Vegas, IOActive’s director of security research gave a demonstration of how he learned to crack the security of various stand-alone ATMs after coming across several errors and security weaknesses in their [software] coding, allowing him to gain full access to the machines’ safes. He wrote multiple programs to exploit some of the machines’ weaknesses, including one that allows him to gain remote entry without the need of a password, which he calls Dillinger, and a second program, Scrooge, that relies on a back-door entry with the ability to conceal itself from the machine’s main operating system. In the case of Triton’s ATMs, the researcher found the motherboard of the machine was sorely lacking in physical security, and once he had gained access to it, he was easily able to use a similar back-door technique and then simply trick the machine into thinking that the hack was actually a legitimate update. So far, the researcher has attempted to hack four different ATMs and, as he demonstrated at the conference, he has found that the same “game over vulnerability” has enabled him to crack every one of them. Source:

16. July 29, Consumer Affairs – (National) Electronic payments association warns of new phishing scam. The Electronic Payments Association said it has received reports that individuals and/or companies have received a fraudulent e-mail that has the appearance of having been sent from the National Automated Clearing House Association (NACHA). The subject line of the e-mail states: “Unauthorized ACH Transaction.” The e-mail includes a link that redirects the individual to a fake Web page, which in turn contains a link that is almost certainly to an executable file carrying malware. NACHA said it does not process or touch the ACH transactions that flow to and from organizations and financial institutions. It also does not send communications to individuals or organizations about individual ACH transactions that they originate or receive. Source:

17. July 29, Green Bay Press-Gazette – (Wisconsin) Green Bay police warn of credit card scam. Several residents in Green Bay, Wisconsin, have reported a caller asking for credit card information because a bank account is overdrawn, is suspended due to security measures or to activate an account. Green Bay police are reminding residents not to give out personal information over the phone after a recent credit-card scam. Residents should call the police or a banking institution if they receive one of these calls. Source:

18. July 29, The Age – (International) ATM skimmers fleece millions from Melbourne bank customers. Police have released images of five men believed to be linked to an international ATM skimming scam that has fleeced millions of dollars from Melbourne, Australia, bank customers this year. At least 28 machines around Melbourne have been compromised since March in an elaborate scheme believed to have links to Eastern European crime gangs. The crime syndicate is one of two that are preying on Melburnians and stealing their card details and cash. In a separate scam, Melbourne shop workers are being offered upwards of $40,000 to let scammers tamper with their Eftpos machines, enabling them to steal the PINs and card details of shoppers. The devices, including a card reader and a pinhole camera, had been placed on ATMs outside banks and on stand-alone machines with a high turnover of customers, including at large shopping centers. All banks were being targeted. Source:

19. July 28, KMGH 7 Denver – (Colorado) More than 12 stations hit by gas pump skimmers. Thieves have placed credit-card skimming devices in the housing of gas pumps at 12 stations in Colorado. Federal authorities are tight-lipped about the investigation, so it is up to station owners and customers to take steps to protect sensitive information. However, a representative from the Colorado Wyoming Petroleum Marketers Association said: “The gasoline industry has just finished a nationwide system upgrade that [only] secures customer information on the back end,” so that once the credit card information is processed at the pump, it is triple encoded and cannot be stored at the station itself. He added that the only remaining access point for people who want to compromise this information is at the beginning of the transaction at the pump. The petroleum industry representative recommends paying with cash, or taking a credit card to the station’s attendant inside. Source:

Information Technology

38. July 29, – (International) 100 million Facebook accounts exposed. The details of 100 million Facebook users have been posted online by a security analyst, in a stark demonstration of the potential privacy weaknesses of social networks. In a detailed blog post, an analyst from Skull Security explained that he used a simple piece of code to perform the scrape, which took any data not already locked down within personal privacy settings. However, as of the morning of July 29, his Web site and the blog post were unavailable. The list of users has been shared on peer-to-peer site The Pirate Bay, and included in the packaged files are names and Facebook URLs. Facebook explained that the information that was taken had already been made public by users. However, the firm is investigating whether the collection of information in this way was a violation of its terms and conditions. A senior technology consultant at security firm Sophos concurred with Facebook’s stance, explaining that it was enabled by lax user controls. He said he hoped the incident would prompt social network users to harden their security settings. Source:

39. July 29, IDG News Service – (International) Verizon: Data breaches often caused by configuration errors. Hackers appear to be increasingly counting on configuration problems and programming errors rather than software vulnerabilities in order to steal information from computer systems, according to a new study from Verizon. Verizon said it found that a surprising and “even shocking” trend is continuing: There are fewer attacks that focus on software vulnerabilities than attacks that focus on configuration weaknesses or sloppy coding of an application. In 2009, there was not a “single confirmed intrusion that exploited a patchable vulnerability,” the report said. The finding has caused Verizon to question whether patching regimes — while important — need to be done more efficiently given the trend in how attacks are occurring. In other findings, some 97 percent of the malicious software found to have stolen data in 2009 was customized in some way. Source:

40. July 29, Computerworld – (International) Microsoft’s bug reports fail to produce prompt patches. According to data released July 28 by Microsoft, third-party developers patched just 45 percent of the vulnerabilities that Microsoft’s security team reported to them during the 12 months from July 2009 to June 2010. The newest number, however, was more than triple that of the year-long stretch through June 2009, when developers patched 13 percent of the bugs Microsoft reported. The data came from a progress report issued by Microsoft Vulnerability Research, or MSVR. Microsoft tried to explain the sluggish patching pace of its MSVR partners. “Most vulnerabilities identified ... since July 2009 have not yet been resolved,” the progress report admitted. “This is not entirely surprising — in most cases the vulnerabilities ... have been low-level architecture issues that are not easy to resolve, and vendors require considerable time to develop an effective resolution and test it thoroughly.” The pattern was repeated in a July 2009 episode that Microsoft touted as a good example of the MSVR program at work. Source:

41. July 29, Computerworld – (International) Malware openly available in China, researchers say. China’s rapid emergence as a hotspot for criminal hacking activities is enabled by the open and unfettered availability of sophisticated hacking tools, according to security researchers attending the Black Hat conference July 28. Many of the hacking tools are inexpensive, highly customizable, and easy to use. Most of the early users of the malware products have sought to steal from online gaming accounts inside China. But now experts are seeing much broader use of such tools. Hackers in China are developing malicious software “almost like a commercial product,” said the founder of Attack Research, a Los Alamos, New Mexico-based security firm. The products come complete with version numbers, product advertising, end-user license agreements, and 24-hour support services, he said. Source:

42. July 29, SC Magazine UK – (International) Apple issues patch for Safari, as details of AutoFill vulnerability will be demonstrated today at the Black Hat conference. Apple has issued a fix for its Safari browser ahead of a demonstration of a vulnerability at the Black Hat conference. The founder and CTO of WhiteHat Security will present the vulnerability at the conference in Las Vegas July 29. According to Kaspersky’s Threat Post Web site, the major update to Safari includes a number of security fixes, most importantly a patch for the AutoFill vulnerability, which was recently disclosed by the CTO. Safari 5.0, which was released July 28 by Apple, gives users protection against several flaws, including the AutoFill weakness, which enabled attackers to harvest a user’s personal information from the browser. The new version of Safari also fixes 14 vulnerabilities in WebKit. The director of operations at nCircle said: “With or without the Black Hat related hype, this release contains enough critical bugs to warrant quick installation.” Source:

43. July 29, Help Net Security – (International) Trojan masquerades as iPhone jailbreaking software. An e-mail campaign targeting iPhone users who might want to jailbreak their device has been detected by BitDefender. Only a few days after U.S. federal regulators decided and announced that the practice was not illegal, cybercriminals seized the opportunity to infect more systems, and the e-mail started hitting inboxes all over the world. Clicking on the offered link initiates a download of the iphone3gs-3g.exe file, which is actually a generic keylogger Trojan that records everything the victim types on the computer and sends it to a specific e-mail address. Source:

44. July 28, Softpedia – (International) Scareware scheme abuses Firefox ‘What’s New’ page. Security researchers warn that a new scareware distribution campaign is using a fake copy of the “Firefox Updated” page to trick users into installing a rogue antivirus program. The scheme works because, since Firefox 3.5.3, Mozilla also checks whether Flash Player is up-to-date when the browser is upgraded. If an old version of the plug-in is detected, a warning message encouraging users to install the latest version is displayed on the “whatsnew” page. This is the page that automatically opens on first run after a successful Firefox update. According to F-Secure, scammers are now looking to capitalize on the trust users instinctively place in Mozilla by creating rogue copies of the “whatsnew” page. The rogue pages appear to have been created using the “Firefox Updated” site template for Firefox 3.6.7. The regular Flash Player update warning message is displayed, but users do not even have to click the contained link, as a file called ff-update.exe is served for download automatically. This executable is the installer for a fake antivirus called SecurityTool. Source:

45. July 27, Softpedia – (International) LNK vulnerability exploited by more families of malware. Antivirus companies are warning that virus writers are slowly adopting the exploit targeting the currently unpatched Windows LNK vulnerability in their creations. New families of malware leveraging this flaw in order to propagate and infect systems are Chymine, Vobfus, Sality, and ZeuS. The new Windows shortcut-processing bug allows attackers to execute potentially malicious code by tricking users into simply opening a folder containing malformed LNK files. Given the flaw’s broad attack surface, security researchers and antivirus vendors predicted that it would not be long until malware writers integrated the exploit into the threats they develop — and they were right. ESET reported July 22 that a new keylogger, Chymine, is exploiting the LNK flaw to infect computers. Just a day later, Microsoft announced that another malware family called Vobfus is now leveraging the LNK vulnerability to execute automatically. Now, Trend Micro and F-Secure both warn that the hackers behind Sality, a family of file infectors, have adopted the LNK exploit and are using it to spread a variant of the notorious polymorphic virus. ZeuS, otherwise known as Zbot, usually spreads through e-mail spam, and this latest variant is no different in that respect. Source:

Communications Sector

46. July 29, Associated Press – (International) Al-Qaida-linked group claims TV bombing in Baghdad. An al-Qaida-linked group claimed responsibility July 29 for a bombing earlier this week targeting the Baghdad offices of a pan-Arab television station, describing the deadly attack that killed six people as a victory against a “corrupt channel.” A statement posted on the Web site of the Islamic State of Iraq said the operation was carried out by a “hero of Islam” and was intended to hit the “mouthpieces of the wicked and evil.” The Arabic-language news channel Al-Arabiya is one of the most popular in the Middle East, but is perceived by insurgents as being pro-Western. A suicide bomber driving a minibus July 26 drove through at least two checkpoints before pulling up to the front of the station’s Baghdad office and blowing himself and his vehicle up. The massive blast blew out windows in the two-story Al-Arabiya building and left much of the interior in shambles, with doors hanging off their frames. None of the dead were employees of the network. Source:

47. July 29, DeKalb Daily Chronicle – (Illinois) Frontier Communications takes over local phone service. Flooding that caused about 80 households in DeKalb, Illinois, to lose telephone service the week of July 26 came right after landline service provider Frontier Communications took over local phone service from Verizon on July 1. The service outage was caused by standing water on underground copper cable, Frontier’s general manager said. Since Frontier just inherited the lines about four weeks ago, it could not have prevented the outage, but crews have been working around the clock since July 26 in an effort to repair the problem. As of July 28, there was no estimate on when customers could expect service to be restored. The $5.3 billion deal inked July 1 transferred phone lines in 14 states, including Illinois, from Verizon to Frontier. With more than 4 million customers in 27 states, Frontier is now the nation’s largest rural phone service provider. The company has taken over all of Verizon’s landline services in the area, including local and long-distance phone, high-speed Internet and television. Verizon Wireless customers are not affected. Source:

48. July 29, Eureka Times-Standard – (California) Trinidad, Westhaven land lines busy to outside calls. The city of Trinidad, California, made two incident reports to AT&T Inc. July 28 regarding residents’ inability to call out of the area on telephone lines. For the last two days, Trinidad and Westhaven residents have received busy signals when dialing numbers that do not have a 677 prefix. If people from outside the area try to call a 677 number, they also receive a busy signal. While the city submitted one report July 27 and two reports July 28, the city manager said July 28 that the phone company has not been in contact with the city, and he does not know when the problem will be fixed. A spokeswoman for AT&T did not say when the outage would be fixed. While city employees have had verbal confirmation from residents around town, the lack of land line access to the rest of the community seems to have gone unnoticed by most residents, since most people use their cell phones. Internet service, which sometimes requires a land line, is unaffected. Source:

49. July 29, Southwest Times Record – (Oklahoma) Cut line knocks out LeFlore phones. A cut to a fiber-optic cable July 28 caused outages to landline phones, cell phones and data services such as credit-card transactions in LeFlore County, Oklahoma, according to a spokesperson for AT&T. The 911 system also went down, but was rerouted to Haskell County, where employees communicated with LeFlore County by radio, the Pocola Emergency Management director said. Several businesses in LeFlore County had to close because they could not process debit and credit card transactions. The cut was caused by a third party in the Spiro area, and crews were addressing the problem most of the day, a spokesman for AT&T said. It was unclear how many customers were affected because three other phone companies lease space on AT&T’s fiber-optic cable. Emergency personnel could not use their numeric pagers to notify fire and emergency personnel of emergencies because those were down as well. The line was repaired by 6 p.m. July 28. Source: