Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, August 25, 2010

Complete DHS Daily Report for August 25, 2010

Daily Report

Top Stories

• According to Reuters, crews were working August 23 to control an oil well blowout that has forced evacuation of homes and businesses near Belle Rose, Louisiana, about 70 miles west of New Orleans, officials said. (See item 5)

5. August 23, Reuters – (Louisiana) Crews work to shut 2nd Louisiana oil well blowout. Crews were working August 23 to control an oil well blowout that has forced evacuation of homes and businesses near Belle Rose, Louisiana, about 70 miles west of New Orleans, officials said. No one was hurt when the blowout began August 11. But six homes and two businesses were evacuated and stretches of road closed in a 1-mile perimeter around the well that has gushed as high as 200 feet into the air. The well, owned by Mantle Oil and Gas LLC of Friendswood, Texas, was being completed by Cajun Well Service of Breaux Bridge, Louisiana, when the blowout happened, officials said. Drilling of a relief well to control the blowout began over the weekend and could take 3 to 6 weeks, a news release from the Assumption Parish Office of Homeland Security and Emergency Preparedness said. More than 44,000 barrels (1.8 million gallons) of oil, gas condensate and brine have been captured inside a dike around the well since the blowout began, and the spill was being vacuumed up, officials said. Source:

• Seven people are in intensive care, and 130 people have sought treatment, one day after an August 23 ammonia leak at a coastal Alabama plant that freezes chickens, Associated Press reports. (See item 32)

32. August 25, Associated Press – (Alabama) 7 in intensive care after Ala. ammonia leak. Seven people are in intensive care a day after an ammonia leak at a coastal Alabama plant that freezes chickens. About 130 people have sought treatment since ammonia spilled August 23 at Millard Refrigerated Services in Theodore, creating a vapor cloud that also caused respiratory problems for people working nearby. Officials said four people were in intensive care at the University of South Alabama Medical Center August 24, and three more were in intensive care at Infirmary West. Hospitals said people are still showing up with complaints. Many of those taken to hospitals were working with BP’s oil spill response along the Theodore Industrial Canal. Source:


Banking and Finance Sector

15. August 24, Associated Press – (International) U.K. fines Zurich Insurance for losing customer data. Britain’s financial regulator August 24 imposed a record fine of $3.5 million on Zurich Insurance PLC for losing confidential data on 46,000 customers. The Financial Services Authority (FSA) said the security breach — which included the loss of identity information and in some cases details of bank accounts, credit cards and insured assets — could have exposed customers to significant losses although there is no evidence the data was misused. The FSA said Zurich Insurance, part of Switzerland’s Zurich Financial Services Group, outsourced some data work to the company’s South African unit, which lost an unencrypted back-up tape in August 2008. The FSA said the loss was not discovered until a year later. “Zurich U.K. let its customers down badly,” said the FSA’s director of enforcement and financial crime. She said the company failed to oversee the outsourcing arrangement effectively and did not have full control over the data being processed. “To make matters worse, Zurich U.K. was oblivious to the data loss incident until a year later,” she said. The fine was the largest ever imposed by the FSA on a single company for a data loss, even though Zurich Insurance got a 30 percent discount from the maximum because it cooperated with the investigation. Source:

16. August 24, Bank Info Security – (International) An end to ‘empty envelope’ fraud. It has been nearly six years since the passage of Check 21, the Check Clearing for the 21st Century Act, but the banking industry has not fully embraced it. Check 21 is the federal law that gives electronic check images value legally equivalent to paper checks. It also speeds the delivery and exchange of check images. Other advantages have been realized, too, such as the ability for merchants to remotely deposit check images, and for institutions to eliminate deposit envelopes. Many large institutions have emerged as leaders in the automated, “envelope-free” ATM movement, but a senior analyst at Aite Group LLC said this is isolated. That’s because a large percentage of mid-sized firms, and most small banks and credit unions, have made few strides. The analyst estimates that 50 percent of the country’s bank- and credit-union-owned ATMs still rely on envelopes, which keeps the door open for fraud. Empty-envelope fraud is perpetrated by accountholders who deposit envelopes that are either completely empty or hold deposits of cash or checks for amounts that are less than what they have keyed in at the ATM. Banks and credit unions don’t catch the fraud until the envelopes are opened, often several days after the actual deposit has been made. Imaged deposits eliminate empty-envelope fraud, since deposits are imaged and verified in real-time, as they are inserted into the ATM. Source:

17. August 23, IDG News Service – (International) Apple can’t stop ongoing iTunes charge scam. Users of Apple’s iTunes services should keep a close eye on PayPal and credit card statements for fraudulent iTunes charges. For more than a year, scammers have been racking up unauthorized charges on iTunes accounts, leaving Apple’s customers to clean up the mess. TechCrunch and the San Jose Mercury News report that the scam drains hundreds of dollars or more from accounts and that consumers have been complaining about the problem since at least early 2009. The number of people being hit by the fraudsters now seems to be growing, however. PayPal, which is often processing the unauthorized charges, confirmed August 23 that customers are being reimbursed for the fraud. The fraud “is happening on the iTunes side,” a PayPal spokeswoman said via e-mail. She referred further questions about the scam to Apple. Scammers appear to be gaining access to the accounts by sending phishing e-mail messages that trick users into disclosing their iTunes user names and passwords. Those credentials are then used to pile on charges for music or iTunes gift codes, which is why a password change alone does not undo the damage: the charges are already placed against the linked PayPal account or card. Apple said that victims of the fraud must work things out with their banks and credit card companies. Source:

18. August 23, DarkReading – (International) Cybercriminals bilked Calgary company of $1.8 million in payment card scam. The U.S. Secret Service and Canadian authorities have busted a credit- and debit-card fraud ring that stole nearly $2 million from a Calgary-based short-term credit and financial services firm by falsifying the value of prepaid debit cards offered by the company, according to reports. Authorities in Calgary did not reveal the company that was hacked. The firm was bilked of money when the fraudsters inflated the value of the cards and then withdrew the cash from bank machines across Canada and in other countries, according to the report. Among the four Montreal-based suspects arrested in the case was an Israeli living in Montreal. Authorities are trying to confirm whether he is the hacker known as “The Analyzer,” who in 1998 broke into Pentagon computers. A 29-year-old suspect was charged with six counts of fraudulent use of credit card data and another fraud count; a 30-year-old suspect, of Montreal, was charged with 23 counts of fraudulent use of credit-card data and another fraud count; a 28-year-old suspect was charged with four counts of fraudulent use of credit-card data and two other fraud counts; and a 33-year-old suspect was charged with one count of fraudulent use of credit-card data and one other fraud count. According to the report, there may be U.S. victims as well, as the Secret Service is still investigating the case. Vancouver authorities were working with the Secret Service in another case when they were alerted to the investigation by Calgary authorities. Source:

19. August 23, Associated Press – (National) Judge approves Countrywide ID theft settlement. A federal judge August 23 granted final approval to a settlement between Countrywide Financial Corp. and millions of customers left at high risk for identity theft because of a security breach. Countrywide, now owned by Bank of America, will provide free credit monitoring for up to 17 million people whose financial information was exposed, according to the settlement. That group includes anyone who obtained a mortgage and anyone who used Countrywide to service a mortgage before July 1, 2008. People could be reimbursed up to $50,000 for each time their identity was stolen. They would have to prove they lost something of value, were not already reimbursed, and that the theft stemmed from the Countrywide breach. The U.S. district judge in Paducah, Kentucky, who oversaw more than three-dozen lawsuits related to the security breach, granted class-action status to the lawsuit and gave final approval of the settlement August 23. Attorneys for the plaintiffs say Countrywide Financial had all their clients’ financial information, including mortgage information, credit card and Social Security numbers, and birth dates. Source:

20. August 23, Reuters – (International) No bomb found at Mexico bourse, operations normal. No bomb has been found at the headquarters of Mexico City’s stock exchange and operations at the bourse continue normally, said a communications official at the exchange. An anonymous bomb threat was called into Mexico City police earlier August 23. Source:

Information Technology

53. August 24, Help Net Security – (International) Malware peddlers engaged in celebrity mass killings. Plane crashes and car accidents are the preferred methods of killing off celebrities in order to lure e-mail recipients into opening a malicious attachment, Symantec reports. Many names are rotated in the template e-mails sent in this recent malicious spam run, professing either that the celebrity in question was killed when a plane crashed into a mountainside or in an automobile accident. To find out more about the accident, potential victims are urged to download the attached file (Hot, which actually contains the ZeuS Trojan, waiting to be run. Even if the discrepancy between the name in the subject line and the actual content of the e-mail escaped a person’s notice, they can be sure it is never a good idea to open attachments or links contained in unsolicited e-mails. Perhaps the sender name or e-mail looks like it belongs to a reputable news agency, but that information can be faked. Source:

54. August 24, Help Net Security – (International) DEFCON survey reveals vast scale of cloud hacking. An in-depth survey of 100 people at the 2010 DEFCON conference in Las Vegas found that 96 percent of respondents believed the cloud would open up more hacking opportunities for them. “While ‘only’ 12 percent said they hacked cloud systems for financial gain, that still means a sizeable headache for any IT manager planning to migrate their IT resources into the cloud,” said Fortify’s chief privacy officer (CPO). According to the CPO, set against analysts’ predictions at the start of 2010 that 20 percent of businesses would have IT resources in the cloud within four years, the figures show the potential scale and complexity of the security issues involved. In many of those predictions, he explained, 20 percent of organizations would own no appreciable IT assets and would instead rely on cloud computing resources, the same resources that 45 percent of the DEFCON attendees surveyed admitted to already having tried to hack. Breaking down the responses, 21 percent of respondents view SaaS cloud systems as the most vulnerable; 33 percent said they had discovered public DNS vulnerabilities in their cloud travels, followed by log files (16 percent) and communication profiles (12 percent). The sample is small and self-selected, so the percentages indicate attacker interest rather than measure it. Source:

55. August 23, DarkReading – (International) Mobile devices threaten enterprises from within. Today, most office workers carry mobile phones into work. Much of the time, the devices are more advanced smartphones, such as Android-based phones, Blackberry devices, or Apple iPhones. The employees almost never consider the security implications of bringing connected devices behind a company’s firewall. Yet the trend has not escaped the notice of chief security officers and information-technology administrators. Smartphones are becoming prolific within enterprises, but the security teams do not really have a handle on how to secure the devices, said the CEO of Lookout, a mobile security firm. “They have spent a vast amount of resources in terms of dollars and time to defend their corporate networks and the traditional network security perimeter, but the mobile device … has trusted access to the very critical data at the soft and chewy center of the company,” he said. “It’s almost a Trojan horse into the enterprise itself.” In other words, insider attacks may come not from a malicious employee, but from an ignorant employee bringing a compromised device into the workplace. The conclusion is not a surprise: Over the past year, security researchers and attackers have increasingly focused on smartphones and other mobile platforms. The attention highlighted a bevy of potential attack scenarios, including information leakage and outright control of the personal devices. Source:

56. August 23, Computerworld – (International) Microsoft releases tool to block DLL load hijacking attacks. Microsoft August 23 responded to reports of potential zero-day attacks against a large number of Windows programs by publishing a tool it said would block known exploits. However, the company declined to confirm whether any of its own applications are vulnerable, saying it is currently investigating Microsoft-made software. The advisory was its first public reaction to a wave of reports from researchers that developers have left a large number of Windows programs open to attack. Many Windows applications do not load code libraries (“dynamic-link libraries,” or DLLs) by full path, but by file name only, which makes Windows search a fixed list of directories for the file. With SafeDllSearchMode on (the default on current Windows versions), that list runs application directory, system directories, then the current working directory, then the PATH directories. When a program asks for a DLL that is not present in the earlier directories (an optional or uninstalled library, for example), an attacker who controls the current directory can supply it: a user opens a document from an attacker-controlled network share or WebDAV folder, the application’s current directory becomes that share, and it loads the attacker’s DLL with the same name as the one it expected. The result: the attacker’s code runs with the privileges of the application, which can then plant malware on the machine. Microsoft went to lengths August 23 to tell users that the flaw isn’t in Windows. Because application developers, not Windows, are to blame, Microsoft can’t change the search behavior in the operating system without breaking an unknown number of programs that depend on it. Instead, Microsoft and third-party developers must sniff out which of their programs are vulnerable, then patch each separately. To ward off attacks until then, Microsoft has, as expected, released a tool that blocks the loading of DLLs from the current directory when that directory is a remote location, such as a WebDAV folder or a network share, or, at its strictest setting, from the current directory altogether, which also covers removable media such as USB drives. The tool works by setting the CWDIllegalInDllSearch registry value described in Microsoft Security Advisory 2269637; the strictest setting is the most thorough but is also the one most likely to break applications that rely on loading from the current directory, so it should be tested before wide deployment. Source:

57. August 23, Computerworld – (International) Hacking toolkit publishes DLL hijacking exploit. The appearance August 23 of exploit code for the DLL loading issue that reportedly affects hundreds of Windows applications means hackers will probably start hammering on PCs shortly, security experts argued. “Once it makes it into Metasploit, it doesn’t take much more to execute an attack,” said the director of security operations for nCircle Security. “The hard part has already been done for [hackers].” The director was referring to the release earlier August 23 of exploit code by the founder of the Metasploit open-source hacking toolkit. The founder of Metasploit also issued an auditing tool that records vulnerable applications, information which can then be used to launch the exploit code that he crafted and added to Metasploit. Together, the tool and exploit create an effective “point-and-shoot” attack, said the founder. “With it in Metasploit, people will definitely be looking at these [vulnerabilities],” said the CTO at Qualys. “They gain a lot of visibility once in Metasploit, and I’d expect to see some kind of public exploit in the next couple of weeks.” According to reports that first appeared recently, developers, including Microsoft’s, have misused a crucial function of Windows, leaving a large number of Windows programs vulnerable to attack because of the way they load components. Source:
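As an added illustration of the search-order problem described in items 56 and 57 (example code written for this digest, not code from Microsoft, from Metasploit, or from the cited articles), the following C program models the Windows DLL search order rather than calling the Windows loader. The application directory, the share `\\evil\share` and the DLL name `optional.dll` are constructed for the example. It shows that a bare-name load of a DLL that is not installed locally falls through to the current directory, that a DLL which already exists in System32 is found there first under SafeDllSearchMode (so only missing or optional libraries are exploitable), and that either removing the current directory from the order (what the strictest CWDIllegalInDllSearch setting does) or loading by full path defeats the planted copy.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Example code, not from the report or from Microsoft: a toy model of the
 * Windows DLL search order.  All paths below are constructed for the demo. */

#define MAX_FILES 32
#define MAX_DIRS  8

/* Toy "filesystem": the full paths that exist on the (constructed) machine. */
static const char *g_files[MAX_FILES];
static int g_nfiles = 0;

void fs_reset(void) { g_nfiles = 0; }

int fs_add(const char *full_path) {
    if (g_nfiles >= MAX_FILES) return 0;
    g_files[g_nfiles++] = full_path;
    return 1;
}

static int fs_exists(const char *full_path) {
    for (int i = 0; i < g_nfiles; i++)
        if (strcmp(g_files[i], full_path) == 0) return 1;
    return 0;
}

/* Search order with SafeDllSearchMode on (the default since Windows XP SP2):
 * application directory, System32, System, Windows, current directory, PATH.
 * Passing cwd == NULL models the mitigation that removes the current
 * directory from the list (CWDIllegalInDllSearch = 0xFFFFFFFF). */
typedef struct { const char *dirs[MAX_DIRS]; int n; } SearchOrder;

SearchOrder safe_search_order(const char *app_dir, const char *cwd, const char *path_dir) {
    SearchOrder so;
    memset(&so, 0, sizeof so);
    so.dirs[so.n++] = app_dir;
    so.dirs[so.n++] = "C:\\Windows\\System32";
    so.dirs[so.n++] = "C:\\Windows\\System";
    so.dirs[so.n++] = "C:\\Windows";
    if (cwd)      so.dirs[so.n++] = cwd;
    if (path_dir) so.dirs[so.n++] = path_dir;
    return so;
}

/* A name is treated as a full path if it carries a drive letter or is UNC. */
static int is_full_path(const char *name) {
    return (strlen(name) > 2 && name[1] == ':') || strncmp(name, "\\\\", 2) == 0;
}

/* Resolve the way LoadLibrary does: a full path is used as-is (no search);
 * a bare name is looked up in each search directory and the first hit wins.
 * Returns the winning path written into out, or NULL if nothing matched. */
const char *resolve_dll(const SearchOrder *so, const char *name, char *out, size_t outlen) {
    if (is_full_path(name)) {
        if (!fs_exists(name)) return NULL;
        snprintf(out, outlen, "%s", name);
        return out;
    }
    for (int i = 0; i < so->n; i++) {
        snprintf(out, outlen, "%s\\%s", so->dirs[i], name);
        if (fs_exists(out)) return out;
    }
    return NULL;
}

/* Scenario from the report: the user opened a document that lives on an
 * attacker-controlled share, so the application's current directory is that
 * share.  user32.dll exists locally; optional.dll (hypothetical) does not. */
void setup_scenario(void) {
    fs_reset();
    fs_add("C:\\Windows\\System32\\user32.dll");   /* present locally */
    fs_add("\\\\evil\\share\\user32.dll");         /* attacker's decoy, never wins */
    fs_add("\\\\evil\\share\\optional.dll");       /* attacker's payload */
}

/* Convenience wrapper: resolve `name` in the scenario, with the current
 * directory either searched (vulnerable) or removed (mitigated). */
const char *scenario_resolve(int search_cwd, const char *name) {
    static char buf[260];
    setup_scenario();
    SearchOrder so = safe_search_order("C:\\Program Files\\App",
                                       search_cwd ? "\\\\evil\\share" : NULL, NULL);
    return resolve_dll(&so, name, buf, sizeof buf);
}

int main(void) {
    const char *r;
    r = scenario_resolve(1, "optional.dll");
    printf("bare name, CWD searched : %s\n", r ? r : "(not found)");
    r = scenario_resolve(1, "user32.dll");
    printf("bare name, exists locally: %s\n", r ? r : "(not found)");
    r = scenario_resolve(0, "optional.dll");
    printf("bare name, CWD removed  : %s\n", r ? r : "(not found)");
    r = scenario_resolve(1, "C:\\Windows\\System32\\optional.dll");
    printf("full path, CWD searched : %s\n", r ? r : "(not found)");
    return 0;
}
```

On a real machine the equivalent audit is to watch the loader rather than model it: Process Monitor filtered to file operations ending in `.dll` with result NAME NOT FOUND shows, for each application, which library names fall through the trusted directories and would be served from the current directory.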

Communications Sector

58. August 23, KSNT 27 Topeka – (Kansas) 911 system failure. Residents were unable to make 911 calls to the Shawnee County, Kansas, Sheriff’s office in areas near Silver Lake and Rossville. The Shawnee County Emergency Communications Center has reported this outage to CenturyLink, the service provider in these communities. Citizens were asked to call non-emergency numbers to report emergencies. The outage was reported August 23 just before 2 p.m., and CenturyLink was notified immediately. Source:

59. August 23, IDG News Service – (International) Microsoft BPOS cloud suite hit by access problems. Access to various Microsoft hosted software products for businesses in North America was affected August 23 due to a performance issue with its data center in the region. The problem lasted more than 2 hours, between 8:30 a.m. and 10:45 a.m. U.S. Eastern Time, and impacted “some customers in North America” who experienced “intermittent access to our data center,” Microsoft said in a statement. “The outage was caused by a network issue that is now fully resolved, and service has returned to normal. During the duration of the issue, customers were updated regularly via our normal communication channels,” Microsoft added. Earlier, Microsoft alerted potentially affected customers with a notice distributed via a syndicated feed, which stated that customers could experience “timeouts” with a number of hosted services, including Business Productivity Online Suite (BPOS), Exchange Online, SharePoint Online, Office Live Meeting and Office Communications Online. Also among the services impacted were the Administration Center, Sign-In application, My Company Portal and Customer Portal of Microsoft Online Services, according to the alert. Source:

60. August 20, KY3 Springfield – (Missouri) Thieves target telephone lines for valuable copper. Copper thieves have been targeting the Springfield, Missouri area’s lines of communication. “We’ve had several thefts recently where people have cut down our cables,” said AT&T’s regional director. Those AT&T lines were in northern Greene County, and were stolen from at least two different locations. The company said the lines cut were some main trunk lines that serve numerous customers. Also, at least 400 feet of Windstream’s lines in southern Polk County were ripped off early August 20, leaving dozens of locals without a dial tone. Service to most customers was expected to be restored by Friday evening. Source: