Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, August 26, 2010

Complete DHS Daily Report for August 26, 2010

Daily Report

Top Stories

• According to United Press International, three gang members were in custody in Moldova after allegedly trying to sell uranium they had brought into the country illegally, authorities said. (See item 7)

7. August 24, United Press International – (International) Alleged Moldovan uranium dealers arrested. Three gang members were in custody in Moldova after allegedly trying to sell uranium they had brought into the country illegally, authorities said. The Russian TV network RT reported August 24 that the suspects were looking for a buyer for nearly 4.4 pounds of the radioactive material. Their asking price was $11.4 million. It was not known where the uranium originated, RT said. “The group had seven members; three of them have been seized,” the prosecutor in the case said. “Some of the suspects have previously been tried in Russia and Romania for similar crimes. Two members of the gang are former Moldovan policemen.” The uranium, which could have been used for military purposes, was being kept in a basement where the level of radiation was about 60 times higher than the acceptable norm, authorities said. Some of the uranium has been sent to the United States for examination, and the rest is being stored in a special container at the Moldovan Ministry of Internal Affairs. Source:

• Now it is official: The most significant breach of U.S. military computers was caused by a flash drive inserted into a U.S. military laptop on a post in the Middle East in 2008, the Washington Post reported. (See item 32)

32. August 24, Washington Post – (National) Defense official discloses cyberattack. Now it is official: The most significant breach of U.S. military computers was caused by a flash drive inserted into a U.S. military laptop on a post in the Middle East in 2008. In an article to be published August 25 in Foreign Affairs discussing the Pentagon’s cyberstrategy, the Deputy Defense Secretary said malicious code placed on the drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military’s Central Command. “That code spread undetected on both classified and unclassified systems, establishing what amounted to a digital beachhead, from which data could be transferred to servers under foreign control,” he said in the article. “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.” The Deputy Defense Secretary’s decision to declassify an incident that Defense officials had kept secret reflects the Pentagon’s desire to raise congressional and public concern over the threats facing U.S. computer systems, experts said. Source:

Banking and Finance Sector

13. August 25, Computerworld – (National) Visa offers new guidance on securing payment applications. Visa August 24 announced a set of security best practices for vendors of payment applications, and for the systems integrators and resellers responsible for implementing and managing them. The guidelines are designed to address continuing vulnerabilities in the payment chain stemming from insecure implementations of applications that are used in credit and debit card transactions, according to Visa’s head of global payment system security. The existing Payment Application Data Security Standard (PA-DSS), administered by the PCI Security Council, already requires developers of payment applications to implement specific security controls in software. For instance, the standard requires application vendors and developers to ensure applications do not store prohibited cardholder and authentication data. However, while the software itself may be secure, several vulnerabilities persist because of improper configurations and other implementation errors, he said. Visa’s guidelines were developed in collaboration with the SANS Institute, a Bethesda, Maryland-based security training and certification organization. The best practices touch upon 10 different issues, and include a mix of technology and process-related advice. Source:

14. August 25, Associated Press – (Georgia) Authorities warn of gas credit scam. Tifton, Georgia, area authorities are warning motorists that thieves may be stealing credit card numbers using gas pumps. City and county investigators are jointly investigating several instances in which individuals used their cards in Tifton and then discovered someone in California or Las Vegas, Nevada, had used their account information to steal hundreds of dollars. A Tifton Police Department detective said the altered gas pumps grab a customer’s information when the card is swiped. Police are investigating two cases in which individuals discovered someone in Las Vegas had stolen hundreds of dollars from their accounts. They are urging motorists to use cash when possible. Source:

15. August 25, Homeland Security Today – (International) ‘Strippers’ put U.S. homeland security at risk. Recently, Britain’s Barclays Bank became the latest foreign bank to be penalized hundreds of millions of dollars for allegedly helping U.S.-sanctioned parties clandestinely move large sums of money through the American financial system. Barclays agreed to pay $298 million for allegedly helping clients in Iran, Cuba, Libya, Sudan and Burma by “stripping” international wire transfer messages, that is, by removing any reference to the sanctioned parties so that the U.S. banks clearing the transactions did not know that a sanctioned party was involved and therefore did not block or freeze the transaction. This practice was commonplace among European banks just a few years ago. Such “stripping” transactions typically violate America’s Trading with the Enemy Act and International Emergency Economic Powers Act. Source:

16. August 25, Houston Chronicle – (Texas) XXXL Bandit strikes in Clear Lake again. Investigators believe the bank robber they are calling the “XXXL Bandit” hit a credit union inside a Clear Lake City, Texas, grocery store again recently. The FBI reports that the Associated Federal Credit Union in the Kroger store at 16400 El Camino Real was held up around 2 p.m. August 23 by a familiar figure of “uniquely large stature.” The robber had no weapon, but he handed a demand note to one of the tellers and received cash. He then fled on foot. The suspect is described as a white man between 28 and 35 years old. He’s 5 foot 10 to 5 foot 11, 275 to 300 pounds and cleanly shaven. He wore a white and maroon baseball cap, a red pull-over shirt, shorts and sunglasses. Source:

17. August 24, Arkansas City Traveler – (Kansas) Union State Bank warns of telephone scam targeting area. Customers of Union State Bank in Arkansas City, Kansas, should be aware of a phone scam. People who receive an automated call asking for their debit or credit card number, expiration date and PIN number should not provide that information over the phone, a local banker said August 24. Source:

Information Technology

39. August 25, Help Net Security – (International) Increasing security on mobile applications will extend adoption. Many of today’s mobile applications have limited functionality because of a lack of overall security, according to an Entrust study. For mobile applications that feature transaction-based capabilities, the requirement for security is greater, highlighting a key concern for deploying organizations. Regardless of industry, organizations, retailers and financial institutions are using dedicated mobile applications. Entrust’s survey suggests that more organizations are developing or considering use of mobile applications if security, cost and ease-of-use requirements can be balanced. Application security remains a top concern, regardless of whether or not the organization had deployed transactional mobile applications in the past. Specifically, more than 50 percent of organizations that had not deployed such applications ranked it as one of their top three concerns, and more than 40 percent of those that had deployed the applications continued to rank it as a key concern. From an adoption standpoint, the survey found that about 80 percent of organizations offer online transactions via Web sites. Many of these organizations, however, do not yet offer this capability to mobile users. Of those that do, only 31 percent of the online services and capabilities are available via the mobile platform. Source:

40. August 25, – (International) Three million bogus YouTube pages discovered. Security firm Zscaler has discovered nearly 3 million phony YouTube pages pushing unsuspecting users towards fake anti-virus (AV) downloads. The firm’s network security engineer explained in a blog post that the pages, which have all been indexed by Google, can be found by searching for ‘Hot Video.’ “The fake YouTube video page is covered by an invisible Flash layer and the Flash object automatically redirects the user to a fake AV page,” he explained. The HTML code on the pages includes links to legitimate sites such as, in order to make sure the content is indexed by search engines. The fake AV software is hosted on several domains and is undetected by most security tools. Google Safe Browsing does not block 90 percent of these pages in Firefox, while the detection rate among AV vendors is only 11 percent. Source:

41. August 25, Help Net Security – (International) The dramatic increase of vulnerability disclosures. Vulnerability disclosures are increasing dramatically, having reached record levels for the first half of 2010, according to the IBM X-Force 2010 Mid-Year Trend and Risk Report released August 25. Overall, 4,396 new vulnerabilities were documented by the X-Force Research and Development team in the first half of 2010, a 36 percent increase over the same period last year. Over half, 55 percent, of all disclosed vulnerabilities had no vendor-supplied patch at the end of the period. According to the report, Web application vulnerabilities continued to be the leading threat, accounting for more than half of all public disclosures. In addition, covert attacks hidden within JavaScript and PDFs increased in complexity, while cloud and virtualization were noted as key future topics for enterprise organizations. In the first half of 2010, organizations did more to identify and disclose security vulnerabilities than ever before. This is having positive effects on the industry by driving more open collaboration to identify and eliminate vulnerabilities before cybercriminals can exploit them. Source:

42. August 25, IDG News Service – (International) Adobe fixes 20 vulnerabilities in Shockwave Player. Adobe Systems patched 20 security vulnerabilities in its Shockwave Player August 24. Most of the flaws could allow an attacker to run their own code on an affected computer. The vulnerabilities are in versions of Shockwave Player up to version, on both Apple’s Mac OS X and Microsoft Windows. The patched version is, according to an Adobe advisory. Eighteen of the problems could lead to code execution, while the remaining two are denial of service issues, one of which could possibly lead to remote code execution. Shockwave Player is used to display content created by Adobe’s Director program, which offers advanced tools for creating interactive content, including Flash. The Director application can be used for creating 3D models, high-quality images and full-screen or long-form digital content, and offers greater control over how those elements are displayed. Source:

43. August 25, The H Security – (International) Apple releases Security Update for Mac OS X. Apple has released Security Update 2010-005 for its Leopard (Mac OS X 10.5.8 client and server) and Snow Leopard (Mac OS X 10.6.4 client and server) operating systems, resolving a total of 13 vulnerabilities – eight rated critical. Security Update 2010-005 addresses a buffer overflow in Samba that could allow an unauthenticated remote attacker to cause a Denial-of-Service (DoS) or execute arbitrary code on a user’s system. The issue was corrected in a Samba 3.3 update 2 months ago. A heap buffer overflow in the way CoreGraphics handles PDF files, which could lead to the execution of arbitrary code, has been fixed. A second PDF vulnerability, in the way that Apple Type Services handles embedded fonts, that could lead to code execution has also been closed. For an attack to be successful, a victim must first open a specially crafted PDF file. Other changes include fixes for network interception issues and a buffer overflow in PHP’s libpng library. Additionally, the update includes the 0.96.1 release of the open source ClamAV anti-virus toolkit used only by Mac OS X Server systems, closing several DoS vulnerabilities. The included version of PHP has also been upgraded from 5.3.1 to 5.3.2. Source:

44. August 24, eWeek – (International) Symantec: Rustock botnet pumps most spam despite shrinking. A new report from Symantec put the Rustock botnet at the top of the heap for spamming, in spite of the fact that the number of infected computers under its control was slashed nearly in half. Rustock retained the top spot as the busiest spam-sending botnet on the Web this month despite the shrinking number of bots under its control. According to Symantec’s August 2010 MessageLabs Intelligence Report, Rustock increased its output from 32 percent of botnet spam in April to 41 percent in August. Ironically, this happened even though the number of Rustock bots dropped from 2.5 million to 1.3 million during that same period, researchers found. “Rustock has shrunk in size perhaps as a result of infected computers being cleaned or replaced,” speculated a MessageLabs Intelligence senior analyst for Symantec Hosted Services. “It is likely that a new variant of the Rustock botnet has been created to replace the bots that it has lost. This usually involves a new version of the Trojan code being deployed, which at first appears as a new, unknown botnet. I would expect the botnet to grow again over the coming weeks and months.” In the meantime, Rustock has turned off its use of TLS encryption because of the large amount of computing resources it consumes. By turning off TLS encryption, the botnet can send greater volumes of spam, in this case 192 spam e-mails per minute instead of 96. Source:

45. August 24, The Register – (International) Firefox, uTorrent, and PowerPoint hit by Windows DLL bug. A day after Microsoft confirmed a vulnerability in Windows applications that executes malicious code on end-user PCs, the first exploits have been released targeting programs including the Firefox browser, uTorrent BitTorrent client, and Microsoft PowerPoint. The attack code was posted August 24 to the Exploit Database. It included exploits for the Wireshark packet sniffer, Windows Live e-mail and Microsoft MovieMaker, in addition to those for the most recent versions of Firefox, uTorrent and PowerPoint. As many as 200 applications may be vulnerable to the so-called binary planting or DLL preloading attacks, according to the CEO of Acros Security, the Slovenia-based company that warned Microsoft of the issue 4 months ago. Microsoft said August 23 that the flaw stems from applications that do not explicitly state the full path name of DLL files and other binaries associated with the program. As a result, each application will have to be patched separately, rather than through a single Windows update. In addition to the four exploits, the CSO and chief architect of the Metasploit project has released an auditing tool to identify vulnerable applications. When combined with a module added to the Metasploit framework for penetration testers and hackers, it provides most of what is needed to exploit vulnerable programs. Source:

46. August 24, SC Magazine – (International) DDoS botnet family discovered targeting scores of sites. A new family of bots is responsible for nearly 200 distributed denial-of-service attacks targeting Web sites in China, the United States, South Korea and Germany, according to researchers at security firm Arbor Networks. The bot family, which has been dubbed “YoyoDDoS” after the hostname of one of its initial command-and-control (C&C) servers, was first detected in March. To date, Arbor Networks has processed more than 70 variants from the family and identified at least 34 C&C servers, all but three located in China. DDoS attacks use large numbers of compromised PCs to flood a targeted Web site with traffic with the goal of knocking it offline. Out of the 180 YoyoDDoS attacks that have been identified, 126 of them targeted IP addresses in China, while 32 targeted victims in the United States, 9 in South Korea, and 5 in Germany. Many online merchants have been targeted, including sites selling auto parts and cosmetics, a researcher said. Several gaming and gambling sites also were attacked, along with a Web site-hosting provider, a music forum and a personal blog. The attacks typically last from a few hours to 2 days, he added. Several sites have been attacked continuously for 24 to 48 hours. Source:

Communications Sector

47. August 25, Port Huron Times Herald – (Michigan) Phone outage reported. Frontier Communications, formerly Verizon, has notified St. Clair County, Michigan, Central Dispatch of a general land line telephone outage. This outage will affect 911 services. Residents who have an emergency and do not have a dial tone are asked to travel to the nearest fire department, according to a statement from Central Dispatch. These areas may include: Grant Township, Burtchville Township, Brockway Township, Jeddo, Avoca, Mussey Township, Kenockee Township, Lynn Township, Capac, Memphis, and Yale. Frontier Communications will inform Central Dispatch when the problem has been located and fixed. It does not appear that the outage is affecting cellular service. Source:

48. August 24, Mitchell Daily Republic – (South Dakota) Qwest 995 prefix outage repaired Tuesday afternoon. Qwest Communications encountered a major outage August 23 and 24, leaving many Mitchell, South Dakota, residents who are not Qwest customers unable to call any numbers with the 995 prefix for more than 24 hours. The outage affected area residents who are customers of Mitchell Telecom, Midcontinent and Santel Communications, Verizon Wireless and Alltel Communications, according to the Mitchell Department of Public Safety. The outage did not affect businesses that use a private telephone network within their company. A translation error stopped certain phone numbers from going through, a Qwest spokeswoman for South Dakota in Minneapolis said. The problem does not occur often, she said. Mitchell Telecom reported the problem at 4 p.m. August 23, and Qwest resolved it about noon August 24. Source:

49. August 24, Wisconsin State Journal – (Wisconsin) TDS restores DSL service to 5,500 customers. An Internet outage left approximately 5,500 TDS customers in Middleton, Cross Plains and Black Earth, Wisconsin, without service August 24. A TDS spokeswoman said the outage was due to a hardware problem. Crews began work at about 1 a.m., and service was restored at approximately 4 p.m. The outage affected the company’s DSL customers, but not the networks that many larger businesses have. “Larger businesses were able to continue on,” the spokeswoman said. “But smaller businesses or home-based businesses might have been impacted.” Source: