Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, August 10, 2010

Complete DHS Daily Report for August 10, 2010

Daily Report

Top Stories

• According to the Wall Street Journal, the Federal Aviation Administration has proposed mandatory fixes to Boeing 747-400 airliners to ensure that concerns about potentially hazardous takeoffs are addressed. (See item 18)

18. August 9, Reuters – (National) US FAA orders fixes in Boeing 747s. The U.S. Federal Aviation Administration has proposed mandatory fixes to Boeing 747-400 airliners to ensure that concerns about potentially hazardous takeoffs are addressed, the Wall Street Journal said. The U.S. air-safety regulator, the week of August 2, moved to require certain engine-related wiring changes. According to the agency, the fixes are necessary to avoid potentially dangerous retraction of flaps, the panels that deploy from the wings to provide extra lift during takeoffs. FAA said that retracting flaps during critical early phases of flight could result in reduced climb performance and consequent collision with terrain and obstacles, the paper said. The regulator's directive will cover nearly 100 Boeing 747s flown by U.S. carriers and equipped with engines manufactured by both General Electric and Pratt & Whitney. A Boeing spokeswoman told the paper that the company issued service bulletins earlier this year urging airlines to voluntarily make the modifications, but only the FAA can mandate U.S. carriers to make such fixes. Source:

• KTVT 11 Fort Worth reports that the FBI and U.S. Postal Inspectors confirm they are investigating the delivery of more suspicious letters in North Texas. By August 6, letters were delivered to Raytheon in Garland, a Raytheon plant on the property of Texas Instruments in Dallas, Rocket Air Supply company in Arlington, and an aerospace company in Grand Prairie. Two letters were also found at a Raytheon office in the Boston area. (See item 21)

21. August 6, KTVT 11 Fort Worth – (Texas) 13 white powder letters delivered in DFW area. The FBI and U.S. Postal Inspectors confirm they are investigating the delivery of more suspicious letters in North Texas. They now say the total number of letters is 13, following the discovery of the newest one in North Dallas late Friday afternoon. The first letters were found on August 5. By 5 p.m. six letters containing white powder had been delivered to locations across the metroplex. By 11 a.m. on August 6 CBS 11 News learned of five additional letters that had been received. By 5 p.m. on August 6, the total had risen to 13, according to investigators. Four additional letters arrived the morning of August 6. They were delivered to a company in Arlington, the Raytheon in Garland, another aerospace company in Grand Prairie, a Raytheon plant on the property of Texas Instruments in Dallas, and Rocket Air Supply company on 111th Street in Arlington. Friday afternoon it was learned that two letters were also found at a Raytheon office in the Boston area. There is no word on whether all the letters were sent by the same person or from the same location, and investigators. While federal officials would not say if the envelopes contained anything besides the white powder, they are investigating if all of the letter deliveries are related, including an additional one found in the mail room of the Israeli Embassy in Washington. Source:


Banking and Finance Sector

12. August 9, The Register – (International) Corrupt repair engineer jailed for bank fraud attempt. A corrupt laptop repair engineer has gone to jail for nine months after he was convicted of hacking into the laptop of one of his customers. The 30-year-old suspect was caught browsing through pictures in a private folder and attempting to hack into an online banking account during a Sky News investigation into computer repair services. As part of the investigation a laptop with a simple fault, rigged to ensure that its webcam covertly filmed “repairs”, was deposited at Laptop Revival in Hammersmith. He used his access to the machine to attempt to access Facebook, eBay and online banking accounts using a “password file” left on the machine. A total of six attempts were made to access the online banking account, Sky News reports. Sky News passed on the results of its investigation to the Met Police, who subsequently charged the suspect with attempted fraud. Source:

13. August 7, Computerworld – (International) Alleged RBS WorldPay hacker extradited to U.S. One of the alleged masterminds of a 2008 precision strike on payment processor RBS WorldPay has been extradited from Estonia to face U.S. justice. The 26-year-old suspect, of Tallinn, Estonia, was arraigned August 6 in federal court in Atlanta. He faces a variety of hacking and fraud charges connected to one of the most successful computer crimes ever. Prosecutors say that the suspect was one of the leaders of a gang that managed to hack into the RBS WorldPay network, and then clone payroll debit cards — used by employees to withdraw their salaries from debit and ATM machines on payday. They distributed the cards to a worldwide network of cashiers, who were instructed to withdraw money within a 12-hour window. Hitting 2,100 ATMs, they took in $9.4 million, prosecutors say. RBS WorldPay is the payment processing division of the Royal Bank of Scotland Group. As the money was leaving the network, the suspect and the group’s mastermind monitored the RBS WorldPay systems and then attempted to cover their tracks by destroying data, prosecutors say. Source:

14. August 7, Bank Info Security – (National) One bank fails on Aug. 6. Federal and state banking regulators closed one bank August 6. Earlier in the week, the National Credit Union Administration closed two institutions. There have now been 123 total banking failures so far in 2010. Ravenswood Bank, Chicago, Illinois, was closed by the Illinois Department of Financial and Professional Regulation - Division of Banking. The Federal Deposit Insurance Corporation (FDIC) was appointed receiver. The FDIC entered into a purchase and assumption agreement with Northbrook Bank and Trust Company, Northbrook, Illinois, to assume all of the deposits of Ravenswood Bank. The estimated cost to the Deposit Insurance Fund (DIF) will be $68.1 million. To recap the credit union failures from earlier in the week of August 2: The NCUA liquidated Certified Federal Credit Union of Commerce, California, on July 31. The NCUA immediately signed an agreement with Vons Employees Federal Credit Union of El Monte, California, to assume the assets and liabilities of Certified. Certified had $37.6 million in assets. The NCUA has placed Kappa Alpha Psi Federal Credit Union of Addison, Texas, into liquidation. The NCUA made the decision to close Kappa Alpha Psi FCU and discontinue its operation after determining the credit union is minimally capitalized and there are no reasonable prospects for the credit union to achieve adequate capitalization. Kappa Alpha Psi had $780,000 in assets. Source:

15. August 6, Bank Info Security – (Texas) Fraud spree hits Texas town. Police in Sanger, Texas, say hackers stole credit and debit card information from at least 200 Sanger area residents. Reports of fraudulent charges are occurring all over the United States, says a Sanger police detective. Sanger is 50 miles northwest of Dallas. The source of the stolen card data is a compromised server that stored information transmitted to payment processors for credit cards at an unidentified Sanger business. The stolen credit card account numbers were likely sold to criminals who created counterfeit or “cloned” cards. Fraud reports began appearing July 20. They involve eight to 10 area banks, and about 200 instances have been reported so far. The Denton County Sheriff’s Office in Texas also has received reports from residents who have been caught up in the massive fraud. According to sheriff’s reports, one man said his Texas Work Commission debit card was used at a store in Arizona, and a woman reported that her card was used in North Carolina. The criminals who perpetrated the card data theft were not local residents, the detective said. “At this time we don’t believe local people are involved in the crime,” he says. “We’ve turned over information to the Secret Service and are working with them on the case.” Source:

16. August 5, San Francisco Chronicle – (California) Ex-bank manager pleads guilty in fraud. A former San Jose bank manager is expected to spend six years in state prison after pleading guilty to embezzling more than $550,000, primarily from elderly clients, police said. The 37-year-old suspect entered guilty pleas July 30 to theft from an elder, fraud and forgery, drawing to a close an investigation by the financial crimes division of the San Jose Police Department. The suspect has agreed to pay $553,000 in restitution to Wells Fargo Bank, which has already reimbursed the customers he victimized, said a Santa Clara County deputy district attorney. He is expected to be sentenced on October 5. Investigators believe the suspect victimized customers of the Wells Fargo Bank on Lincoln Avenue in San Jose, where he used to be a manager. The thefts continued even after the suspect left the bank in February 2009, police said. He would visit people at their homes, talk them into making investments and then steer their cashier's checks his way, investigators said. The case began in January, after a customer and her daughter visited the branch. The daughter wanted to know why her mother was being visited by a bank employee and why her investments were not showing up in her account. When there was no satisfactory answer from bank officials, the daughter called the police. Source:

Information Technology

36. August 9, The Register – (International) DNS Made Easy rallies after punishing DDoS attack. DNS Made Easy has restored services following a vicious denial-of-service attack that peaked at 50Gbps August 7. The identity of the perpetrators and their motives remain unclear. One possible scenario is that hackers with a grudge against the site hired a botnet to swamp DNS Made Easy with useless traffic. The firm said it experienced 1.5 hours of actual downtime during the attack, which lasted eight hours. Carriers including Level3, GlobalCrossing, Tinet, Tata, and Deutsche Telekom assisted in blocking the attack, which due to its size flooded network backbones with junk. DNS Made Easy specializes in global IP Anycast enterprise DNS services, so it is not exactly a likely target for Internet attacks, especially one of such ferocity. The SANS Institute’s Internet Storm Center is among the many security watchers keen to learn more about the attack. Source:

37. August 6, DarkReading – (International) Attitudes about PC and mobile device security converging, study says. The thought process surrounding PC and laptop security is quickly being integrated with strategies for protecting mobile and portable devices, according to a study published the week of August 2. “Managing and Securing Corporate and Personal Mobile Devices in Financial Services,” a study conducted by Forrester Consulting on behalf of Fiberlink Communications Corp., collects feedback from financial services IT leaders on the top security priorities for personal mobile devices. More than half of financial services enterprises already support personally owned mobile devices, according to the study. More than one-third of the IT professionals indicated that their enterprise supports multiple mobile operating systems (OSs), with 10 percent supporting four or more. In an effort to avoid getting spread too thin, IT often provides minimal support for these OSs, introducing vulnerabilities and threats, the report says. Eighty-six percent of respondents have already deployed a strong password policy for smartphones, the study says. Other popularly deployed strategies include full disk encryption (71 percent), remote lock/wipe (64 percent), and asset and activity visibility and management (66 percent) across all types of mobile devices. Source:

38. August 6, – (International) Experts uncover flaws in ‘private browsing’. Security experts have warned that many claims about the resilience of ‘secure browsing’ features are overstated, and that private surfing may be anything but. The researchers at Stanford University are due to discuss their findings at the Usenix Security Symposium in Washington. The top four browsers - Internet Explorer, Firefox, Safari and Chrome - suffer from weak security in their secure browsing options, according to the report, and often fail to prevent user history being exposed. The browsers are also inconsistent in the way they deliver private browsing. Firefox and Chrome protect against web attacks, for example, but Safari protects only against local access. Firefox treats elements of its security differently, according to the research, and exposes some detail even in secure mode. All four browsers contain “privacy violations”, the report said. Source:

39. August 6, – (International) Spam analysis shows that it pays to be polite. A study of the words used in different types of junk email has revealed some of the tactics used by spammers. MessageLabs Intelligence studied shortened-URL spam, and split the data into four types: sales, phishing, malware and targeted attacks. For each type the security firm ranked the ten most common words used in the message headers. The most common word in sales spam is ‘Viagra’, reflecting the popularity of pharmaceutical spam, which makes up around three quarters of all sales spam. ‘Prices’ is the second most common word, followed by ‘special’ and ‘discount’. The top word for phishing and malware spam is ‘account’, highlighting the financial targets commonly sought by the spammers. ‘PayPal’ is popular with phishers, while malware writers favour ‘attached’ or ‘attachment’. However, ‘please’ was the top word for targeted attacks, and it was also in the top five for phishing and malware spam. A senior analyst at MessageLabs Intelligence said that politeness is a key factor in successful spam. Source:

40. August 6, The Register – (International) Unpatched kernel-level vuln affects all Windows versions. Researchers have identified a kernel-level vulnerability in Windows that allows attackers to gain escalated privileges and may also allow them to remotely execute malicious code. All versions of the Microsoft OS are affected, including the heavily fortified Windows 7. The buffer overflow, which was originally reported here, can be exploited to escalate privileges or crash vulnerable machines, IT research company Vupen said. The flaw may also allow attackers to execute arbitrary code with kernel privileges. The bug resides in the “CreateDIBPalette()” function of a device driver known as “Win32k.sys.” It is triggered by passing a large number of color values into an improperly allocated buffer, potentially allowing attackers to sneak in malicious payloads, vulnerability tracking service Secunia warned. It affects fully patched installations of every supported Windows platform, from Windows XP SP3 to Windows Vista, 7, and Server 2008. The latter three versions contain several defenses designed to lessen the effect of security vulnerabilities. It would not be surprising if code execution attacks were possible only on earlier versions that don’t have the defenses, which include DEP (data execution prevention) and ASLR (address space layout randomization). There are no reports of the vulnerability being exploited in the wild. Source:

Communications Sector

41. August 9, Anchorage Daily News – (Alaska) Satellite may disrupt Bush Web service. As many as 35,000 people in rural Alaska may lose Internet access, long-distance phone service or both for hours at a time the week of August 9 because of a “zombie” satellite that has wandered off course and is expected to scramble the signals of the Bush’s main telecommunications provider. “Almost every single person out in rural Alaska uses one of those services somehow,” said a spokesman for General Communication Inc. GCI is airing radio ads, posting fliers and plans to send text messages to cell phone customers warning residents in roughly 100 communities — mainly in Western and Northern Alaska — of the potential outages. The disruptions to GCI service are expected to begin early August 11 and continue until early August 14 in blocks of time that will last 90 minutes to 5 1/2 hours, mostly in the morning and at night. Source:

42. August 6, Radio Ink – (West Virginia) WWVA/Wheeling back on the air. Clear Channel heritage News/Talker WWVA/Wheeling, West Virginia, is back on the air August 6 after all three of its towers were knocked down in severe storms August 4. The station was up August 5 from about 10:30 until 1 a.m., but, says the WWVA site, “technical difficulties” knocked it off the air again for a few hours until the morning of August 6. WWVA is operating for now at reduced power and with temporary equipment, but says the signal “covers the listening area extremely well.” There is no word yet on when the 50,000-watt station will be back to full power. The station site also has a video walkthrough of the tower site and a striking aerial photo of the leveled towers. With WWVA back on the air, Adult Standards clustermate WBBD, which temporarily took over WWVA’s programming, has gone back to its regular lineup. Source:

43. August 6, Huber Heights Chronicle – (Ohio) Lightning damages WSWO radio, FM 101.1 and 97.7. WSWO radio, FM 101.1 and 97.7, had their Huber Heights, Ohio, studios damaged by lightning on the morning of August 4. The evaluation of damage by station engineers is continuing at “Ultimate Oldies Radio.” According to the Station Manager, an antenna on the roof of the studios at 6126 Chambersburg Road took a direct lightning hit. An antenna, transmission cables and grounding wires were destroyed. The lightning traveled through the antenna cables into the studios, where over $10,000 worth of equipment was damaged. Items already identified as inoperable include a just-purchased mixer board, power supplies, an automation computer, a radio receiver for relaying remote events, an FM processor and a microwave transmitter. The station manager estimates the live broadcast capability at the studios will be out four to six weeks. All programming will continue from an automation computer running at the station’s transmitter site. Source:

For another story, see item 36 above in the Information Technology Sector.