Wednesday, September 15, 2010

Complete DHS Daily Report for September 15, 2010

Daily Report

Top Stories

•An ominous theme has emerged from the deadly pipeline explosion in California: There are thousands of aging more than 50-year-old pipes — past the normal life expectancy of steel pipes — just like it nationwide, and many experience mishaps. Federal officials have recorded 2,840 significant gas pipeline accidents since 1990, more than a third causing deaths and significant injuries. (See item1)

1.September 14, The Associated Press – (National) Aging gas pipes at risk of explosion nationwide.An ominous theme has emerged from the wreckage of a deadly pipeline explosion in California: There are thousands of pipes just like it nationwide. The pipe was more than 50 years old — right around the life expectancy for steel pipes. It was part of a transmission line that had an “unacceptably high” risk of failure. And it was in a densely populated area. Thousands of pipelines nationwide fit the same bill, and they frequently experience mishaps. Federal officials have recorded 2,840 significant gas pipeline accidents since 1990, more than a third causing deaths and significant injuries. Utilities have been under pressure for years to better inspect and replace aging gas pipes many of them laid years before the suburbs expanded over them and now are at risk of leaking or erupting. But the effort has fallen short. Critics said the regulatory system is ripe for problems because the government leaves it up to the companies to do inspections, and utilities are reluctant to spend the money necessary to properly fix and replace decrepit pipelines. Source:

•Accordingto Agence France-Presse, Whistleblower Web site WikiLeaks is teaming up with news outlets to release a “massive cache” of classified U.S. military field reports on the conflict in Iraq — a leak one journalism group called the “biggest leak of military intelligence” ever — Newsweek magazine reported September 10. (See item 41)

41. September 10, Agence France-Presse – (International) WikiLeaks to release cache of Iraq war documents: Newsweek. Whistleblower Web site WikiLeaks is teaming up with news outlets to release a “massive cache” of classified U.S. military field reports on the conflict in Iraq, Newsweek magazine reported September 10. Newsweek quoted the editor of The Bureau of Investigative Journalism, a London-based journalism nonprofit, as saying the material constitutes the “biggest leak of military intelligence” ever. Newsweek said the stash of Iraq documents held by WikiLeaks is believed to be about three times as large as the number of U.S. military field reports on Afghanistan released earlier this year by WikiLeaks. WikiLeaks, in collaboration with The New York Times, Britain’s Guardian and Der Spiegel of Germany, published 77,000 Afghan war documents in July, and has said it will release another 15,000 related documents soon. The editor told Newsweek that his organization was working with WikiLeaks and television and print media in several countries on stories and programs based on the Iraq documents. He declined to identify the news organizations involved, but said they would release the material simultaneously several weeks from now. Source:


Banking and Finance Sector

12. September 14, The Register – (International) Crypto weakness leaves online banking apps open to attack. Flaws in the way Web applications handle encrypted session cookies might leave online banking accounts open to attack. The security risk stems from a cryptographic weakness in Web applications developed using Microsoft’s ASP.Net framework. ASP.Net uses the U.S. government-approved AES encryption algorithm to secure the cookies generated by applications during online banking sessions. However, implementation flaws in how ASP.NET handles errors when the encrypted data in a cookie has been modified give clues to a potential attacker that would allow him to narrow down the possible range of the keys used in an online banking session. Attacks based on this weakness might allow a hacker to decrypt sniffed cookies or forge authentications tickets, among other attacks. Two researchers have developed a Padding Oracle Exploit Tool to demonstrate the feasibility of the attack, an extension of their previous research on similar flaws in JavaServer Faces and other Web frameworks. Source:

13. September 13, WCMH 4 Columbus – (Ohio) FBI: ‘Church Lady Bandit’ targets sixth bank. Authorities are searching for a woman who robbed a bank in Columbus, Ohio September 13. According to the FBI, a woman dubbed the “Church Lady Bandit” entered the Key Bank at 1990 E. Dublin-Granville Road at about 2:07 p.m. and held up a note for a teller to read. The note stated that the woman was robbing the bank and would shoot the teller if he did not give her money. Although no weapon was observed, the teller complied and gave the robber money and a dye-pack from his drawer. The suspect fled the scene and was observed trying to squeeze through a fence at a nearby apartment complex when the dye-pack exploded. She fled around the apartment building in a ball of red smoke. Monday’s robbery is the sixth bank the Church Lady Bandit has robbed since 2006. Source:

14. September 13, Seer Press News – (National) U.S. lacking in credit card fraud protection. The United States is a technological powerhouse but it is apparently lacking in the area of credit card fraud protection. Meanwhile, other developed countries are moving towards using more secure bank cards featuring extra layers of protection against fraud criminals. A few American banks are discreetly thinking about adopting the new technology for better credit card fraud protection, but are discouraged by the costs of overhauling point-of-sale terminals utilizing magnetic-stripe cards that have been used by the industry for decades. Canada, Europe, and advanced economies in Asia are adopting new technologies to safeguard transactions and consumer identities, but the United States has not kept pace with them and is becoming increasingly vulnerable. “The U.S. is becoming the most favored nation for credit card fraud,” said a senior analyst with the Aite Group. Source:

15. September 13, Canon City Daily Record – (Colorado) Sunflower Bank warns of phone scam. Sunflower Bank alerted customers that fraudulent telephone messages were being sent out to Canon City, Colorado residents that state their debit card has been compromised or suspended. The message asks individuals to press “one” then enter their card number and expiration date. A spokeswoman of Sunflower Bank said the bank began receiving calls September 10 from customers and non-customers, indicating that the calls were targeting Canon City phone numbers. She said the police department has been informed, and if anyone did give out any personal information, they are asked to call their bank immediately. The spokeswoman advised residents to not give out any personal information and if in doubt, hang up and call the bank directly to verify. Source:

16. September 10, DarkReading – (International) Newly discovered World Cup database breach exposed 250,000 attendees’ details. Hundreds of thousands of attendees at the 2006 World Cup international soccer tournament in Germany were put at risk of identity theft, though the major breach of a Federation Internationale de Football Association (FIFA) database was only recently uncovered. Initially reported by Norwegian newspaper Dagbladet, the breach came to light when an employee of the firm in charge of World Cup 2010 ticketing, circulated an e-mail peddling more than 250,000 2006 World Cup customer details, including such personal information as birth dates and passport information. According to the director of security strategy at database monitoring firm Imperva, the interesting hook to this story is that the customer data in question came from the Germany event 4 years ago and not the South African World Cup this summer. He said the event is indicative of a number of failures, including carelessness with older databases and unused data, a failure to think beyond the conclusion of the event, and a failure to have a full data security protection and destruction strategy. The firm in charge of ticketing and ticketing data at the South African World Cup, Match, a subsidiary of U.K.-based Byrom, was not in charge of ticketing for Germany’s World Cup. It did confirm that it was its own employee who appeared to be responsible for the data’s dissemination. However, it categorically denied the data came from its own database. Source:

Information Technology

44. September 14, Help Net Security – (International) Global botnet offering DDoS services. Damballa discovered a botnet that offers pay-for-delivery DDoS attacks. The IMDDOS botnet, named after the commercial name on the botnet Web site, has grown to one of the largest active global botnets in less than 4 months from initial testing. The infected hosts used in the DDoS attacks have become unwitting participants in the botnet and are widespread. The vast majority of infected hosts are in China, with the United States being in the top 10 countries affected. ISPs worldwide were affected, including the majority of North American ISPs, and a number of major corporate networks are hosting bot agents for the IMDDOS botnet. The IMDDOS botnet offers a commercial service for delivering DDoS attacks against any desired target. Hosted in China, this publicly available service is available for lease to anyone willing to establish an online account, input the domain(s) they wish to attack, and pay for the service. Throughout the Damballa period of study, the botnet grew very quickly. Following testing by the criminal operators in April 2010, it reached a production peak of activity with 25,000 unique Recursive DNS (RDNS) lookups per hour attempting to resolve to the botnet’s command-and-control (CnC) servers. Source:

45. September 14, Computerworld – (International) Researchers clash over possible return of Google attackers. Researchers September 13 clashed over whether recent attacks that exploit a bug in Adobe Reader are the work of the group that hacked Google and dozens of other major corporations late last year. On one side, Mountain View, Calif.-based antivirus giant Symantec, whose security analysts said they have found evidence suggesting the group which wormed its way into Google’s corporate network in December 2009 is back in business. On the other, Atlanta’s much smaller SecureWorks, where a researcher said Symantec had “comingled” evidence of two separate attacks. At issue were recent PDF-based exploits attached to messages touting a renowned golf swing coach that have exploited an unpatched bug in Adobe’s popular Reader PDF viewer. Security experts have called that exploit “scary” and “clever” for the way it sidesteps critical Windows defenses designed to isolate malicious code and make it harder to execute malware. Those attacks went public last week, when a independent security researcher reported the flaw to Adobe, then published her preliminary findings. Adobe issued a security warning, and September 13 announced it would patch the problem early next month. Source:

46. September 13, The Register – (International) Critical Flash vuln under active attack, Adobe warns. On September 13, Adobe Systems warned of a critical vulnerability in the most recent version of its Flash Player that is being actively exploited in the wild. The vulnerability affects Flash Player for Windows, Macintosh, Linux, Solaris, and Android operating systems, Adobe said in an advisory. “There are reports that this vulnerability is being actively exploited in the wild against Adobe Flash Player on Windows,” the warning said, without elaborating. The latest versions of Adobe’s Reader and Acrobat applications are vulnerable to the same flaw, but there is no evidence they are being exploited. The advisory credited a researcher of the Shadowserver Foundation for working with Adobe’s security team on the vulnerability. The disclosure means there are at least two unpatched flaws in widely used Adobe applications presently under attack. Source:

47. September 13, TrendLabs Malware Blog – (International) Mehika Twitter botnet targets Twitter users. Leveraging social networking sites to gain control of user systems, and to make them part of botnets is no longer a new tactic. In recent research, TrendLabs came across malware that uses a Twitter account to send out commands to the new Mehika Twitter botnet’s zombies. But why are cybercriminals using a social networking site to send out commands to botnet zombies? The answer is simple. Using a social networking site does not require installation, configuration, and command-and-control (C&C) server management. Instead, posting messages in a specific account can instantly send out commands and instructions to zombies. Also, because social networking sites have thousands or even millions of user profiles, locating a suspicious account is difficult. Source:

For another story, see item 12 above in Banking and Finance Sector

Communications Sector

48. September 14, Chico Enterprise-Record – (California) Chico Christian radio station reports huge copper wire theft. Local Christian Talk radio station KKXX, with offices in Chico, California, has reported the theft of a large quantity of copper wire being used to ground its transmitter on the Paradise ridge. It is the second such loss suffered by the station in 2 years. After the radio station lost its mobile studio in the Humboldt Fire 2 years ago, thieves struck and stole 120 copper grounding wires, each about 250 feet in length. The radio station September 13 learned copper wire thieves had hit them again, this time taking about 22,000 feet of No. 10 wire, which was apparently bundled into lengths of 10 to 20 feet. The manager said the station was never knocked off the air. “They apparently knew what they were doing,” he said. “They left just enough wire to allow us to broadcast.” He noted thieves avoided a locked gate by taking a back road to the antenna. After the first theft in 2008, he said wires were replaced and a concrete footing was poured about every 10 to 15 feet along the length of the wire in hopes of discouraging future thefts. “They just cut the wires between the concrete and bundled it up,” he said. The theft was reported to the Butte County Sheriff’s Office. The wire is estimated to be worth between 20 and 30 cents per foot. Source:

49. September 13, Wilmington Star-News – (North Carolina) Time Warner Cable Road Runner customers’ e-mail service troubled. Residential customers of Time Warner Road Runner Internet service lost e-mail service over the weekend, but service has been restored, a Time Warner Cable spokeswoman in Wilmington, North Carolina, said September 13. The outage occurred September 11 and was repaired by 11 p.m. September 12, a communications manager for the coastal region and Fayetteville said. However, some customers in the Wilmington area said they were still without service early September 13. Source:

50. September 13, Austin American-Statesman – (Texas) Phone service restored to northwestern Williamson County AT&T customers. Phone service to parts of northwestern Williamson County, Texas, was down September 13 because of a fiber optics line that was cut between Leander and Burnet, according to a press release. The service outage also affected parts of Burnet and Lampasas counties, a Williamson County spokeswoman said. An AT&T spokesman said the line was cut around 1:30 p.m., and he expected service to be restored around 6 p.m. As of 4:30 p.m. September 13, service was restored to those customers, an AT&T spokesman said. Source: