Department of Homeland Security Daily Open Source Infrastructure Report

Monday, August 23, 2010

Complete DHS Daily Report for August 23, 2010

Daily Report

Top Stories

• Malware may have been a contributory cause of a fatal Spanair crash that killed 154 people near Madrid, Spain two years ago, according to The Register. (See item 17)

17. August 20, The Register – (International) Trojan-ridden warning system implicated in Spanair crash. Malware may have been a contributory cause of a fatal Spanair crash that killed 154 people two years ago. Spanair flight number JK 5022 crashed with 172 on board moments after taking off from Madrid’s Barajas Airport on a scheduled flight to Las Palmas, Spain August 20, 2008. Just 18 survived the crash and subsequent fire aboard the McDonnell Douglas MD-82 aircraft. The airline’s central computer, which registered technical problems on planes, was infected by Trojans at the time of the fatal crash and this resulted in a failure to raise an alarm over multiple problems, according to Spanish daily El Pais. The plane took off with flaps and slats retracted, something that should in any case have been picked up by the pilots during pre-flight checks or triggered an internal warning on the plane. Neither happened, with tragic consequences, according to a report by independent crash investigators. The accident on take-off happened after pilots had abandoned an earlier take-off attempt, and a day after two other reported problems on board. If the airlines’ central computer was working properly, a take-off after three warnings would not have been allowed, thereby averting the tragedy. A mechanic who checked the plane before take-off, and an airport maintenance chief, are under investigation and face possible manslaughter charges. An investigating judge has ordered Spanair to supply data on the state of its systems at the time of the crash. An investigation commission is due to report on the case by December. Source:

• Associated Press reports that the U.S. for the first time is publicly warning about the Chinese military’s use of civilian computer experts in clandestine cyber attacks aimed at American companies and government agencies. (See item 42)

42. August 19, Associated Press – (International) Pentagon takes aim at China cyber threat. The U.S. for the first time is publicly warning about the Chinese military’s use of civilian computer experts in clandestine cyber attacks aimed at American companies and government agencies. In a move that is being seen as a pointed signal to Beijing, the Pentagon laid out its concerns this week in a carefully worded report. The People’s Liberation Army, the Pentagon said, is using “information warfare units” to develop viruses to attack enemy computer systems and networks, and those units include civilian computer professionals. The assertion shines a light on a quandary that has troubled American authorities for some time: How does the U.S. deal with cyber espionage emanating from China and almost certainly directed by the government — despite the fact that U.S. officials don’t have or can’t show proof of those ties? Asked about the civilian hackers, a Defense Department spokesman said the Pentagon is concerned about any potential threat to its computer networks. The Pentagon, said a spokesman, will monitor the PLA’s buildup of its cyberwarfare capabilities, and “will continue to develop capabilities to counter any potential threat.” Source:


Banking and Finance Sector

11. August 20, BNO News – (Oregon) Bomb threat at Aloha, Oregon bank closes highway. A bomb threat at a bank in Aloha, Oregon forced the closure of a busy highway for nearly two hours August 19, authorities said. Deputies of the Washington County Sheriff’s Office responded to a 911 call from the bank located at 19091 SW Tualatin Valley Highway in Aloha at approximately 5:56 p.m. The highway is locally better known as TV Highway or Highway 8. “The caller made undisclosed demands and threatened to detonate a bomb in or near the bank if those demands were not met,” said a police sergeant. “Sheriff’s deputies quickly arrived on the scene and shut down SW TV Highway at SW 185th Avenue and SW 198th Avenue to protect motorists.” The bank and some adjacent businesses were evacuated while the metropolitan explosives disposal unit looked for an explosive device, but they did not locate anything suspicious. Source:

12. August 19, Tech News Daily – (International) Top phishing gang turns to malware. An Internet security report released August 20 said phishing attacks dropped 10 percent from April to June 2010 year-over-year. While reassuring at first glance, the report states cybercriminals have shifted their schemes from old-school phishing e-mail attacks — which are designed to trick users into revealing personal information — to distributing Zeus malware, a more insidious form of cybercrime. Phishing attacks by Avalanche, one of the most prolific cybercriminal gangs (responsible for two-thirds of the world’s phishing attacks in the second half of 2009), have disappeared, but other criminals have moved in to take its place, according to Internet Identity (IID). Phishing targets have shifted from banks to gaming, e-commerce and social networking sites, aiming to steal log-in information. However, Avalanche and others have turned to distributing Zeus malware, which is capable of hijacking computers, then stealing banking, social networking and e-mail account logins, and making that information available as part of a criminal network. Once the malware has entered the user’s computer, the identity theft is automatic — eliminating the need for the unsuspecting user to supply personal information in response to a fraudulent e-mail. The U.S. continues to lead the world as the top hosting country for the origin of phishing scams. Canada moved from seventh to second in the report. Germany, U.K., France round out the top five. Russia and China are at the bottom of the list, according to the IID report. The sources for Zeus malware show a different worldwide distribution. Europe takes the top spot with 24 percent of malicious addresses, followed by China at 22 percent and the U.S. at 18 percent, reported Russia-based security software provider Kaspersky Labs. Source:

13. August 19, Gainesville Sun – (National) Credit card skimmers may be part of international scam. The rash of credit card fraud cases connected to skimmers on area gas pumps appears to be part of an international scam, according to the National Association of Convenience Stores (NACS) and the Alachua County Sheriff’s Office (ACSO). Federal investigators said the scam is widespread in Florida — primarily along interstates — and has been found in other states. Florida has become a prime target for credit card skimmers at gas stations this summer in large part because of its ranking as third behind California and Texas in the number of convenience stores, according to the nation’s largest convenience store trade organization. The Sunshine State is home to 9,223 convenience stores, and 7,280 of those stores — or almost 79 percent — have gas pumps, according to NACS, which represents 49 of the 50 top convenience store chains in the nation. An ACSO spokesman said one pattern investigators have noticed is that the card numbers are not used in the same area where they were stolen. Investigators in St. Johns County had documented about 200 victims so far this year, with most reporting card thefts during the summer months. The spokesman said he expects at least 200 victims to be identified in Alachua County this year. Source:

14. August 19, Maine Public Broadcasting Network – (National) Maine AG warns of credit card scam. Maine’s attorney general is warning people to beware of an “advance fee” credit card scam that’s targeting Maine residents. The attorney general said the scammers, who claim to be from “PeoplesChoice Savings,” are offering a credit card with a $2,000 credit line. In exchange, they ask for $200 and the victim’s bank account information so they can withdraw the funds. Officials with the PeoplesChoice Credit Union, which has several branches in southern Maine, said they have received several calls from consumers about the offer, which they emphasize they have nothing to do with. The attorney general said such advance fee credit card offers are fraudulent, and prey on people desperate for cash. She said consumers should never give out bank account or other personal identifying information over the phone or Internet without confirming the requestor’s identity. Source:

15. August 19, KGTV 10 San Diego – (California) Man claiming to have bomb in bank robbery arrested. A suspected bank robber who claimed to have a bomb while robbing a bank in San Diego, California was arrested August 19, according to authorities. The incident happened at the Wells Fargo Bank on 685 Saturn Boulevard shortly after 5 p.m. According to police, the 45-year-old suspect entered the bank and said he had a bomb inside a fanny pack. Police said a teller was able to call authorities, and they arrested the suspect after he left the bank with an undisclosed amount of money. The suspect apparently left the fanny pack behind. Police said the suspect claimed to have an accomplice, and employees and bank customers were able to safely evacuate the branch as police summoned a bomb-sniffing dog to the scene. No bomb or threatening device was found, police said. Source:

16. August 19, WTVC 9 Chattanooga – (Tennessee) Arrest made in attempted Ringgold bank robbery. A bomb scare at a Ringgold, Tennessee bank shut down the area off Highway 151 for several hours August 19. Police said it was an attempted robbery, and they have one man in custody. It started with a phone call to FSG bank on Poplar Springs Road around 2 p.m. “They (bank employees) told us that he called on the phone and said there was an explosive device somewhere,” said the Ringgold police chief. That call sent five police and fire agencies to the area with guns drawn. Authorities soon evacuated the building. All of the FSG bank employees got out unharmed. The police chief said after a few tense moments, they caught the man in the parking lot. He said the man never got into the building, but because of the bomb threat, the GBI Bomb Squad sent in a bomb defusing robot to assess the situation. However, investigators found no evidence of a bomb. Source:

Information Technology

46. August 20, The Register – (International) Researcher: Code-execution bug affects 200 Windows apps. About 200 Windows applications are vulnerable to remote code-execution attacks that exploit a bug in the way the programs load binary files for the Microsoft operating system, a security researcher said August 19. The critical vulnerability, which has already been patched in Apple’s iTunes media player for Windows and VMware Tools, will be especially challenging to fix, because each application will ultimately need to receive its own patch, the CEO of application security consultancy Acros Security told The Register. He agreed with a fellow researcher who on August 18 said the critical vulnerability is trivial to exploit. At the time, the second researcher estimated 40 programs were vulnerable, but security experts from Slovenia-based Acros have found that about 200 of the 220 applications they have tested so far suffer from what they are calling the binary-planting bug. They have yet to complete their inquiry. Acros researchers alerted Microsoft to the vulnerability about four months ago and have been working with members of its security team since then to coordinate a fix with the many affected parties. So far, what is known about the vulnerability comes mostly from an advisory Acros issued for the iTunes patch. The bug allows attackers to execute malicious code on Windows machines by getting the media player to open a file located on the same network share as a maliciously designed DLL file, it said. In some cases, the bugs can be exploited to execute EXE files and other types of binaries, as well, the researcher said. Source:
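The binary-planting exposure described above comes down to where a bare DLL name is resolved. The model below is an added example (not code from the report, from Acros, or from Microsoft): it reproduces the documented Windows search order with SafeDllSearchMode enabled, flags the names an application requests that none of the trusted locations supply, since only those fall through to the current working directory (the network share holding the opened file), and shows the per-application mitigation of calling SetDllDirectory("") to drop the CWD from the search path. The application name, DLL names and directory contents are constructed sample data.

```python
"""Audit an application's DLL names against the Windows search order to find
binary-planting exposure. Added example; the directory contents below are
constructed sample data, not a scan of a real system."""
from dataclasses import dataclass

# Default search order with SafeDllSearchMode enabled (Windows XP SP2 and
# later): trusted locations first, then the current working directory, then
# PATH. Opening a document from a network share makes that share the CWD.
SEARCH_ORDER = ["app", "system32", "system", "windows", "cwd", "path"]
TRUSTED = SEARCH_ORDER[:4]


@dataclass
class LoadEnvironment:
    """Where one process looks for DLLs. `contents` maps each search location
    label to the lower-cased file names present there (constructed data).
    `cwd_removed` models an application that called SetDllDirectory("") at
    start-up, which removes the CWD from its search path."""
    contents: dict
    cwd_removed: bool = False

    def search_path(self):
        return [d for d in SEARCH_ORDER if not (self.cwd_removed and d == "cwd")]

    def resolve(self, dll):
        """Label of the first location that supplies `dll`, or None."""
        wanted = dll.lower()
        for location in self.search_path():
            if wanted in self.contents.get(location, set()):
                return location
        return None


def plantable_from_cwd(env, requested):
    """Names that an attacker-controlled CWD would satisfy. The trusted
    locations are searched before the CWD, so only a name none of them
    provides (a missing optional dependency, for instance) can be planted."""
    at_risk = []
    for name in requested:
        in_trusted = any(name.lower() in env.contents.get(d, set()) for d in TRUSTED)
        if not in_trusted and "cwd" in env.search_path():
            at_risk.append(name)
    return at_risk


# Constructed scenario: a media player loads three DLLs by bare name while the
# user opens a file from a share on which a "codecpack.dll" has been placed.
REQUESTED = ["core.dll", "version.dll", "codecpack.dll"]
FILES = {
    "app": {"core.dll"},
    "system32": {"version.dll"},
    "cwd": {"movie.avi", "codecpack.dll"},
}
VULNERABLE = LoadEnvironment(FILES)
HARDENED = LoadEnvironment(FILES, cwd_removed=True)

if __name__ == "__main__":
    print("exposed:", plantable_from_cwd(VULNERABLE, REQUESTED))
    print("after SetDllDirectory(''):", plantable_from_cwd(HARDENED, REQUESTED))
```

The audit is only as good as its input list: the names an application loads at runtime have to come from observation (Process Monitor's NAME NOT FOUND results for .dll files are the usual source), and a name that is absent from every trusted directory on one machine may be present on another, so the check belongs on a baseline build of each supported platform.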

47. August 20, Help Net Security – (International) Rogue AV uses legitimate uninstallers to cripple computers. The fact that some rogue AV solutions try to prevent the real ones from doing their job is widely known in the security community, but CoreGuard Antivirus — a “popular” fake AV solution — has been spotted utilizing legitimate software uninstallers to trick users into uninstalling their legitimate security software. When the malicious file is executed, a message box opens up. Clicking on the “OK” button — or even on the “Close” button — starts the installer of the antivirus in question. Symantec researchers reveal that the fake solution searches for uninstaller information in the Windows registry and launches the right uninstaller for certain legitimate AV solutions installed on the system, such as products from Microsoft, AVG, Symantec, Spyware Doctor, and Zone Labs. It then tries to download “AnVi Antivirus,” another rogue AV that is actually a clone of CoreGuard Antivirus. Source:

48. August 20, Computerworld – (International) Google patches 10 Chrome bugs, pays out $10K in bounties. Google August 19 patched 10 vulnerabilities in Chrome, but did not award any of the researchers who reported bugs the new top-dollar reward of $3,133. The security update to Chrome 5.0.375.125 fixed two vulnerabilities rated “critical,” Google’s most serious threat rating, seven labeled “high” and another pegged as “medium.” Google divulged no details of the vulnerabilities, and as is its custom, blocked public access to its bug-tracking database, a practice meant to keep attackers from using the information before most users have upgraded. Some rivals, such as Mozilla, do the same; others, like Microsoft, do not. Google often blocks access to information on serious vulnerabilities for two months or longer. Of the 10 vulnerabilities, two could apparently be exploited by malicious files, including SVG image files and MIME-type files. Others could potentially be used to spoof the address bar’s contents or reveal a password. According to a blog post by a researcher of the Chrome team, Google also added a workaround for a critical bug in non-Google code. Source:

49. August 19, Krebs on Security – (International) Adobe issues Acrobat, Reader security patches. Adobe Systems Inc. issued software updates August 19 to fix at least two security vulnerabilities in its widely-used Acrobat and PDF Reader products. Updates are available for Windows, Mac and UNIX versions of these programs. Acrobat and Reader users can update to the latest version, v. 9.3.4, using the built-in updater, by clicking “Help” and then “Check for Updates.” The August 19 update is an out-of-cycle release for Adobe, which recently moved to a quarterly patch release schedule. The company said the update addresses a vulnerability that was demonstrated at the Black Hat security conference in Las Vegas. The release notes also reference a flaw detailed by a researcher back in March. Adobe said it is not aware of any active attacks that are exploiting either of these bugs. Source:

50. August 19, The Register – (International) Linux kernel purged of five-year-old root access bug. The Linux kernel has finally been purged of a privilege-escalation vulnerability that for at least half a decade allowed untrusted local users to gain unfettered rights to the operating system’s most secure locations. Maintainers of the central Linux component issued a patch recently that killed the bug, which allowed unprivileged users to gain root access. While Linux overlords stopped short of declaring it a security vulnerability, they stressed that the patch should be installed as soon as possible. The vulnerability was described as long ago as 2005 by a researcher, but it remained largely overlooked until a researcher at Invisible Things Lab started investigating related issues. In a PDF paper published August 17, he outlined a method that exploits the underlying bug using the Xorg server, which is instrumental in providing graphical user interface functions in Linux and is also referred to as the X server. The memory-corruption bug stems from two memory regions of the X server that grow in opposite directions in the address space, an attribute inherited from the x86 architecture designed by Intel. Attackers can force the two regions to collide, causing critical control data to be replaced with values that allow the X server to be hijacked. The bulletin accompanying the kernel fix described the implementation of “a guard page below a grow-down stack segment.” It’s a fairly exotic exploit, and can only be used locally, unless combined with an unrelated vulnerability. Source:
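A check for the collision geometry the item describes, as an added example that is not part of the report or of the kernel patch: it parses text in the /proc/<pid>/maps format and measures the unmapped distance between the stack segment and the mapping directly beneath it. The maps lines are constructed samples; on a live Linux system the same functions take the contents of /proc/self/maps. Caveat: the kernel fix reserves its guard page inside the stack mapping, so that page is not listed separately. A gap of zero here means another mapping sits flush against the stack, which is the precondition the exploit needed; a nonzero gap on its own does not prove the fix is installed.

```python
"""Measure the unmapped gap below the stack from /proc/<pid>/maps text.
Added example; the sample maps lines are constructed, not from a real host."""
import re

PAGE = 4096
# address range, perms, offset, device, inode, optional pathname
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")


def parse_maps(text):
    """Return (start, end, perms, name) tuples sorted by start address."""
    regions = []
    for line in text.strip().splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a maps line
        start, end, perms, name = m.groups()
        regions.append((int(start, 16), int(end, 16), perms, name.strip()))
    return sorted(regions)


def stack_gap(text):
    """Bytes of unmapped address space between the [stack] region and the
    nearest mapping below it; None when no [stack] region is present."""
    regions = parse_maps(text)
    stack = next((r for r in regions if r[3] == "[stack]"), None)
    if stack is None:
        return None
    below = [r for r in regions if r[1] <= stack[0]]
    if not below:
        return stack[0]  # nothing mapped beneath the stack at all
    return stack[0] - max(r[1] for r in below)


def stack_abutted(text):
    """True when a mapping ends less than a page below the stack start, so a
    stack growing downwards would run straight into it."""
    gap = stack_gap(text)
    return gap is not None and gap < PAGE


# Constructed sample: an anonymous read-write mapping ends exactly where the
# stack begins, the layout the colliding-regions exploit relies on.
ADJACENT_MAPS = """
00400000-0041a000 r-xp 00000000 08:01 1234 /usr/bin/example
7fff2f000000-7fff2f800000 rw-p 00000000 00:00 0
7fff2f800000-7fff2f821000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed sample: the same process with 16 MiB unmapped below the stack.
GUARDED_MAPS = """
00400000-0041a000 r-xp 00000000 08:01 1234 /usr/bin/example
7fff2e000000-7fff2e800000 rw-p 00000000 00:00 0
7fff2f800000-7fff2f821000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for label, maps in (("adjacent", ADJACENT_MAPS), ("guarded", GUARDED_MAPS)):
        print(label, "gap bytes:", stack_gap(maps), "abutted:", stack_abutted(maps))
```

On a running system the mapping below the stack is usually a shared library or an anonymous region created by the program itself, which is exactly how the X server case arose: the process grows a heap-like region upwards toward a stack growing downwards, and the distance between them is what the check reports.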

51. August 19, InformationWeek – (International) Chrome, Safari see surge in vulnerabilities. Web application vulnerabilities during the first two quarters of 2010 represent a smaller percentage (66 percent) of total commercial application vulnerabilities (4,019) than they did during the latter two quarters of 2009 (82 percent of 2,652). But Web application vulnerabilities during the first half of the year (2,645) were about the same as the total number of vulnerabilities in commercial apps detected during the second half of 2009, while the overall number of application vulnerabilities in 2010 increased by 50 percent. As noted in the Cenzic Q1/Q2 2010 Trends Report, some 60 percent of these Web vulnerabilities still have no fix available and exploit code is publicly available for about 45 percent of them. Comparing the Q1/Q2 2010 period to the Q3/Q4 2009 period, the report observes that while Mozilla Firefox and Microsoft Internet Explorer had fewer vulnerabilities (59 vs. 77 and 40 vs. 44, respectively), Apple Safari and Google Chrome exhibited far more vulnerabilities (83 vs. 25 and 69 vs. 25). Nonetheless, all browser makers have addressed vulnerabilities promptly, Cenzic says. Cenzic attributes the soaring number of vulnerabilities in Safari and Chrome to WebKit, the open-source rendering engine used in both browsers, and to iPhone and Android flaws. Source:

For more stories, see item 12 above in the Banking and Finance Sector

Communications Sector

52. August 19, IDG News Service – (National) Trade groups oppose mandatory FM on mobile devices. Trade groups representing consumer electronics makers and mobile carriers have voiced opposition to a recent proposal by the radio and recording industries to require all mobile devices in the U.S. to include FM receivers. The proposal, made by the National Association of Broadcasters (NAB), comes as the trade group attempts to come to an agreement with a group affiliated with the Recording Industry Association of America (RIAA) in a longstanding battle over whether radio stations should pay royalties to record labels and performers for playing their songs. The NAB released the framework of a potential compromise over so-called performance royalties earlier this month: Radio stations would pay a royalty of 1 percent or less, and in exchange the U.S. Congress would require all mobile devices to include FM receiver chips. Source:

53. August 19, – (International) BlackBerry emails can be monitored, says India. Indian officials may have come up with a way of monitoring encrypted corporate e-mails sent from BlackBerry devices, according to a government source. The method involves intercepting and making a copy of a corporate e-mail at the moment it is sent to a company’s enterprise server, and then sending it on to the ISP’s monitoring systems. “Enterprise mail services offered on BlackBerry platforms and other services provided on virtual private networks can possibly be monitored by feeding back a clear e-mail from the enterprise e-mail server to the monitoring system located at each of the ISPs’ premises,” said the Indian Department of Telecommunications, according to a report in the local Economic Times. It is still unclear whether the Indian authorities are looking to decrypt data, or would be happy with monitoring encrypted communications. Source:

54. August 19, Computerworld – (National) RFID tags found to work better in building ducts. A research team at North Carolina State University has used a building ventilation duct to at least triple the normal distance that radio waves emitted from passive radio frequency identification (RFID) tags can travel over open space. The discovery means that a small, inexpensive RFID tag could be used to wirelessly transmit data from any temperature sensor, smoke detector, carbon monoxide monitor or a sensor to detect chemical, biological or radiological agents in a large building, according to one of the main researchers and head of the university’s department of electrical and computer engineering. He told R&D Magazine that using the RFID tags with electronic sensors could be “immediately economically viable” because it would mean the wiring and the labor to install the wiring would not be needed to connect a building’s various sensors. The research will be published in the September issue of Proceedings of the IEEE, according to a synopsis in R&D Magazine. Source: