Department of Homeland Security Daily Open Source Infrastructure Report

Monday, February 1, 2010

Complete DHS Daily Report for February 1, 2010

Daily Report

Top Stories

 The Associated Press reports that an Amtrak passenger who alarmed fellow passengers in Colorado by talking about terrorist threats on a cell phone was pulled from the train and faces a felony charge of endangering public transportation. He was arrested Tuesday on an Amtrak train traveling from Los Angeles to Chicago. (See item 21)


21. January 29, Associated Press – (Colorado) Amtrak passenger carrying anarchist literature detained in Colorado after overheard threats. An Amtrak passenger who alarmed fellow passengers in Colorado by talking about terrorist threats on a cell phone was pulled from the train and faces a felony charge of endangering public transportation. The 64-year-old suspect, who was recently released from prison, was arrested Tuesday on an Amtrak train traveling from Los Angeles to Chicago. Passengers on the train alerted authorities after hearing the man from Elizabeth, New Jersey, mention al-Qaida and make threats in a cell phone conversation. Police said in an affidavit that passengers overheard the suspect saying he hadn't killed anyone yet, and that he talked about going to jail. Passengers say the man said, "We have to work in small groups. They can hold you for 18 months. Do they have security on these trains? Are you with me or not?" One passenger said he heard the suspect mention al-Qaida, saying, "17th century tactics won't work, we have 21st century tactics." The conductor said the suspect had a tan blanket over his entire body so the conductor could not see what he was doing. The suspect was taken into custody at the La Junta train station in southeastern Colorado. Police said he was not armed or carrying explosives. He was carrying propaganda for an anarchist group called Afrikan Liberation Army. The suspect was released Thursday night after posting $30,000 bond, said the Otero County sheriff. The suspect's next court date in Otero County District Court is February 5. An FBI spokeswoman did not immediately have any information. Source: http://www.latimes.com/news/nationworld/nation/wire/sns-ap-us-colorado-train-threat,0,7652045.story


 The Register reports that the Central Intelligence Agency, PayPal, and hundreds of other organizations are under an unexplained assault that is bombarding their Web sites with millions of compute-intensive requests. The torrent started about a week ago and appears to be caused by recent changes made to a botnet known as Pushdo. (See item 37)


Details

Banking and Finance Sector

10. January 29, SC Magazine – (Oklahoma; National) Financial sites hit by malware and phishing scams as tax weekend beckons. As the weekend deadline for filing tax returns approaches, residents of the US state of Oklahoma have been hit by a security scare. The chief research officer at AVG detected that the Oklahoma State Tax website had recently been hacked and was serving malicious content, and warned users not to go there 'because until they clean it, it is dangerous'. When visited, the standard home page was present but an Adobe licence agreement appeared encouraging users to accept it. The researcher said that a look at the source reveals injected code 'which is probably the culprit'. He said: "It's a simple hack, and probably just happened on January 27th because lots of our users are reporting it today. I expect that the web guys at OK Tax will remove the hacked html pretty quickly, but the bigger issue will be figuring out how the bad guys got in." In another incident, a security researcher at M86 Security detected that the American Bankers Association (ABA) has been used as a lure by the Pushdo/Cutwail/Zeus gang, as spam was sent this week informing the recipient of an 'unauthorised transaction billed to your bank card'. A link, along with financial details, is given which leads to a page imitating the ABA website showing the amount of the transaction and a transaction ID. The security researcher said that clicking on 'Generate Transaction Report' will prompt you to download the file transactionreport.exe, and this is the Zeus/Zbot Trojan horse. Source: http://www.scmagazineuk.com/financial-sites-hit-by-malware-and-phishing-scams-as-tax-weekend-beckons/article/162618/


11. January 29, North Carolina Bankers Association – (North Carolina) NC bankers and the FBI escalate war on bank robbers. The FBI and the North Carolina Bankers Association have joined forces to launch a new weapon in the war on bank robbers. In December 2009, the FBI and NCBA unveiled a new web site, www.ncbankrobbers.com, as a way to quickly get the word out when a bank robbery occurs. The web site is designed to provide information about the cases by including photographs, videos and other important details about the robbery. When the new web site was launched, officials expressed the hope it would reduce bank robberies. The SVP and Regulatory Counsel with the North Carolina Bankers Association said, "We hoped the web site would increase the odds against bank robbers. But the results have exceeded our expectations. It looks like we're on to something." The SVP is referring to the recent arrest of the so-called "Bearcat Bandit." According to press reports, only minutes after he attempted a robbery at a BB&T office in Mocksville, North Carolina, last Christmas Eve, a witness recognized the robber from the newly-launched website and called the police. The robber was promptly arrested at a local gas station and now faces multiple state and federal charges. The arrest of the Bearcat Bandit made him the fifth suspect featured on the website to be captured since the website was launched less than 60 days ago. Source: http://www.1888pressrelease.com/nc-bankers-and-the-fbi-escalate-war-on-bank-robbers-pr-181424.html


12. January 29, Milton Patriot Ledger – (Massachusetts) Police break scary ATM skimming ring in Greater Boston. Police say they have made the first dent in a sophisticated scheme to drain people’s bank accounts. The Bulgarian native arrested in Quincy and charged with trying to use a forged ATM card at a Citizens Bank on Hancock Street is part of a much larger operation of so-called skimmers, police say. Skimming is the practice of using bank-card readers to copy people’s account information off ATM cards and capturing PINs with tiny cameras. The information is then written to a blank gift card or store card – any card with a magnetic stripe will do – and used with the PIN to access bank accounts. So far, police say, the skimming operation uncovered in Quincy has netted thieves hundreds of thousands of dollars across eastern Massachusetts. A Quincy police sergeant is among those whose information was stolen. At the time of his arrest, authorities say, the suspect was carrying eight Dunkin’ Donuts gift cards that had been re-encoded with people’s bank card information. He was arraigned on January 28 in Quincy District Court for larceny over $250, improper use of a credit card, larceny of a credit card, and identity fraud. He also faces charges out of Milton. Source: http://www.wickedlocal.com/milton/news/x1685422766/Police-break-scary-ATM-skimming-ring-in-Greater-Boston


13. January 28, U.S. Department of Justice – (Texas) Texas attorney convicted for role in pump-and-dump stock manipulation schemes. A 51-year-old from Dallas was indicted on March 12, 2009, and on January 28 was found guilty of one count of conspiracy to commit registration violations and securities fraud, and nine counts of wire fraud. According to court records and evidence at trial, the defendant, an attorney in Dallas and a former attorney with the SEC, was retained by a Phoenix attorney who pleaded guilty in March 2009 in the Eastern District of Virginia to conspiracy to commit securities fraud. According to the indictment, from approximately March 2004 through October 2004, the pair evaded federal securities registration requirements and provided co-conspirators with millions of unregistered and “free-trading” shares of nine companies’ common stock that the co-conspirators could not have otherwise legally obtained. Many of the shares were subsequently sold by co-conspirators to investors in the general public. By evading the registration requirements, the co-conspirators were able to hide from the investing public the actual financial condition and business operations of the companies. In connection with Emerging Holdings, MassClick and China Score, evidence at trial showed that the defendant knowingly participated in a conspiracy known as a “pump-and-dump” scheme to manipulate the price of these companies’ securities. Co-conspirators manipulated the price and volume of some of the companies’ stock by making materially false and misleading statements in press releases and in spam e-mails to tens of millions of e-mail addresses throughout the United States in an effort to create artificial demand for the three companies’ stock. Source: http://www.justice.gov/opa/pr/2010/January/10-ag-101.html


14. January 28, NationalCreditReport.com – (National) NationalCreditReport.com issues consumer advisory to warn consumers about credit report scams originating from Craigslist. NationalCreditReport.com issued a consumer advisory Thursday warning consumers of credit report scams. Consumers may become victims of such scams on Craigslist and other online classified listing sites as a result of responding to what they believe is a legitimate rental property or job posting. The scams appear on Craigslist and other classified websites offering an apartment for rent or a job posting, and consumers respond to the listings via email. Once the consumer's inquiry is received, the consumer becomes engaged in what they believe is legitimate communication with a potential employer or property manager. The alleged employer or property manager will include a link to a free credit report website, asking the consumer to go to the site to get their free report. The consumer is then instructed to email their credit report and/or credit score to the potential employer or property manager so they can "verify their employment or housing history" and proceed with the job or apartment application process. NationalCreditReport.com does not authorize or condone this type of activity and warns all consumers not to share their credit report or credit score with anyone they do not know, as this is an open invitation for credit fraud and identity theft. Sites such as Craigslist.com have also recognized credit report scams and posted their own warnings, such as this one, to guide the public: www.craigslist.org/about/scams. Source: http://www.pr-inside.com/nationalcreditreport-com-issues-consumer-r1692226.htm


15. January 28, KNXV 15 Phoenix – (Arizona) PD: Man tries to rob Surprise bank using fake explosives. Officials say a man was arrested on January 28 after it was discovered he tried to rob a Surprise bank using a fake explosive device. A Surprise police department spokesperson said when officers first encountered the suspect, he told police he had been robbed and officers noticed cuts on the man's arms. After the suspect was escorted to the hospital, police discovered a suspicious device in his possession. The spokesman said the Glendale police department bomb squad was called in to investigate the device. Crews were able to determine the device was not real, but a simulated explosive. As police continued to investigate the incident it was discovered he had earlier in the day entered a Chase Bank near Cotton Lane and Bell Road with the device, and left without making any transaction. The spokesman said police also found the suspect with a handwritten note stating that he had an explosive device. Source: http://www.abc15.com/content/news/westvalley/surprise/story/PD-Man-tries-to-rob-Surprise-bank-using-fake/NOk2hNTJvU2MeFo6cX127A.cspx


16. January 28, Fairbanks Daily News Miner – (Alaska) Security breach may affect 77,000 public employees, retirees in Alaska, raising threat of identity theft. The Alaska attorney general announced on January 28 that the State of Alaska has reached a settlement with PricewaterhouseCoopers LLP to provide credit protection for about 77,000 former and current public employees whose names and confidential information were misplaced by the professional services firm. The lost personal information is for the public employees and retirees who were participants in the Public Employees Retirement System and the Teachers Retirement System in 2003-2004. “In this settlement, PricewaterhouseCoopers has accepted responsibility for this security failure,” the attorney general said. ”Most importantly, the firm has agreed to protect Alaskans by paying for identity theft protection and credit-monitoring, or a security freeze, for each of the 77,000 Alaskans who are potentially affected by this failure and by ensuring that Alaskans are reimbursed for losses that they might incur as a result of ID theft caused by this breach.” The attorney general also noted that other provisions of the settlement protect the state’s finances by, for example, requiring PricewaterhouseCoopers to pay for up to $100,000 of the cost of notifying affected individuals. Source: http://newsminer.com/pages/full_story/push?blog-entry-Security+breach+may+affect+77-000+Alaskans%20&id=5689968&instance=blogs_editors_desk


For another story, see item 37 below in the Information Technology Sector


Information Technology


36. January 29, Network World – (International) Stolen Twitter accounts can fetch $1,000. According to researchers at Kaspersky Lab, cybercriminals are trying to sell hacked Twitter user names and passwords on-line for hundreds of dollars. Since 2005, the bad guys have been developing new data-stealing malware that is now a growing problem on the Internet. Some of these programs look for banking passwords, others hunt for on-line gaming credentials. But the fastest-growing data stealers are generic spying programs that try to steal as much information as possible from their victims, said a Kaspersky researcher, speaking at a press event on January 29. In 2009, Kaspersky identified about 70,000 of these programs — twice as many as the year before, and close to three times the number of banking password stealing programs. They are popular because criminals are starting to realize that they can do better than simply swiping credit card numbers. The researcher has seen Gmail accounts for sale on Russian hacker forums, (asking price 2,500 roubles, or $82) RapidShare accounts going for $5 per month, as well as Skype, instant messaging and Facebook credentials being offered. Asking prices can vary greatly, depending on the name of the account and the number of followers, but attackers are looking for an initial, trusted, stepping stone from which to send malicious Twitter messages and, ideally, infect more machines. Source: http://www.networkworld.com/news/2010/012910-stolen-twitter-accounts-can-fetch.html?hpg1=bn


37. January 29, The Register – (International) CIA, PayPal under bizarre SSL assault. The Central Intelligence Agency, PayPal, and hundreds of other organizations are under an unexplained assault that is bombarding their websites with millions of compute-intensive requests. The "massive" flood of requests is made over the websites' SSL, or secure-sockets layer, port, causing them to consume more resources than normal connections, according to researchers at Shadowserver Foundation, a volunteer security collective. The torrent started about a week ago and appears to be caused by recent changes made to a botnet known as Pushdo. "What do I mean by massive? I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses," a Shadowserver researcher wrote. "This might be a big deal if you're used to only getting a few hundred or thousands of hits a day or you don't have unlimited bandwidth." Shadowserver has identified 315 websites that are the recipients of the SSL assault. In addition to cia.gov and paypal.com, other sites include yahoo.com, americanexpress.com, and sans.org. It is not clear why Pushdo has unleashed the torrent. Infected PCs appear to initiate the SSL connections, send a bit of junk, disconnect, and then repeat the cycle. They do not request any resources from the Web site or do anything else. "We find it hard to believe this much activity would be used to make the bots blend in with normal traffic, but at the same time it doesn't quite look like a DDoS either," he wrote. Security mavens are not sure what targeted sites can do to thwart the attacks. Changing IP addresses may provide a temporary reprieve. Source: http://www.theregister.co.uk/2010/01/29/strange_ssl_web_attack/
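The traffic pattern Shadowserver describes in item 37 (and in the Top Stories summary of it) has a usable signature from the server side: each bot connection goes to the SSL port, carries only a handshake and "a bit of junk" from the client, is answered with nothing more than the server's own handshake messages, and is torn down in a fraction of a second, whereas a real browser session sends at least one HTTP request after the handshake and receives a page. The script below is an added example, not Shadowserver's or The Register's code; it classifies per-connection records from a constructed, Zeek-style connection log (the log lines, IP addresses, field layout and byte/duration thresholds are all assumptions for illustration) and lists the sources whose SSL-port connections are almost all handshake-only and repeated, which is the list a site would feed to upstream rate limiting while the article's only other remedy, changing IP addresses, buys time.

```python
"""Flag 'connect, send junk, disconnect, repeat' clients on the TLS port.

Added example for the Pushdo SSL flood described in item 37.  Input is a
constructed Zeek-style connection log; the thresholds below are assumptions
chosen for this sample, not values from the article, and should be tuned
against a site's own baseline of normal TLS sessions before use.
"""
from collections import defaultdict
from dataclasses import dataclass

TLS_PORT = 443
# Assumed thresholds: a ClientHello plus a little junk stays under a few
# hundred bytes; a server that only completes the handshake sends only its
# ServerHello/Certificate messages; a connection that never carries a request
# is closed within a fraction of a second.
MAX_ORIG_BYTES = 600     # client -> server
MAX_RESP_BYTES = 4096    # server -> client
MAX_DURATION_S = 0.5

# Constructed log.  Columns: ts src_ip dst_ip dport duration orig_bytes resp_bytes
# (extra text after the seventh column is ignored by the parser).
SAMPLE_LOG = """\
# ts            src_ip        dst_ip        dport dur   orig  resp
1264770001.10   198.51.100.7  203.0.113.10  443   0.42  1310  5012   legit: handshake, GET, page
1264770001.35   192.0.2.44    203.0.113.10  443   0.04  203   1420   bot: handshake + junk only
1264770001.91   192.0.2.44    203.0.113.10  443   0.05  197   1420
1264770002.40   192.0.2.44    203.0.113.10  443   0.04  211   1420
1264770002.88   192.0.2.44    203.0.113.10  443   0.05  204   1420
1264770003.02   192.0.2.45    203.0.113.10  443   0.06  199   1420
1264770003.30   198.51.100.7  203.0.113.10  443   1.30  1204  23340  legit: second page
1264770003.55   192.0.2.45    203.0.113.10  443   0.04  208   1420
1264770004.01   192.0.2.45    203.0.113.10  443   0.05  202   1420
1264770004.20   192.0.2.44    203.0.113.10  80    0.03  60    0      not TLS: ignored
1264770004.77   198.51.100.8  203.0.113.10  443   2.10  2100  48200  legit
1264770005.10   198.51.100.9  203.0.113.10  443   0.03  210   1400   one abandoned handshake
"""


@dataclass(frozen=True)
class Conn:
    ts: float
    src: str
    dst: str
    dport: int
    duration: float
    orig_bytes: int   # bytes sent by the client
    resp_bytes: int   # bytes sent by the server


def parse_conn_log(text: str) -> list[Conn]:
    """Parse the whitespace-separated sample format; '#' lines are comments."""
    conns = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, dur, ob, rb = line.split()[:7]
        conns.append(Conn(float(ts), src, dst, int(dport), float(dur), int(ob), int(rb)))
    return conns


def is_handshake_only(c: Conn) -> bool:
    """True for a TLS-port connection that ended without a real request."""
    return (c.dport == TLS_PORT
            and c.orig_bytes <= MAX_ORIG_BYTES
            and c.resp_bytes <= MAX_RESP_BYTES
            and c.duration <= MAX_DURATION_S)


def find_flood_sources(conns, min_conns: int = 3, min_ratio: float = 0.8) -> dict:
    """Return {src: (handshake_only, total_tls)} for sources that repeatedly
    open TLS connections and almost never send a request over them."""
    per_src = defaultdict(lambda: [0, 0])   # src -> [handshake_only, total_tls]
    for c in conns:
        if c.dport != TLS_PORT:
            continue                          # only the SSL port is being flooded
        per_src[c.src][1] += 1
        if is_handshake_only(c):
            per_src[c.src][0] += 1
    flagged = {}
    for src, (hs_only, total) in per_src.items():
        # A single abandoned handshake is normal; insist on repetition and on
        # the handshake-only connections dominating that client's traffic.
        if hs_only >= min_conns and hs_only / total >= min_ratio:
            flagged[src] = (hs_only, total)
    return flagged


if __name__ == "__main__":
    for src, (hs_only, total) in sorted(find_flood_sources(parse_conn_log(SAMPLE_LOG)).items()):
        print(f"{src}: {hs_only} of {total} TLS connections were handshake-only")
```

On the sample the two bot addresses are reported and neither the browsing clients nor the single abandoned handshake from 198.51.100.9 is; the byte thresholds are the part most likely to need adjustment, since ClientHello size varies with cipher-suite and extension lists, and a server that rejects the junk with a TLS alert will show even smaller response counts than the sample assumes.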


38. January 29, SC Magazine – (International) Warnings made of application bug in new Facebook dashboard, as SEO poisoning causes concern after 'unnamed app' reports by users. A week of fresh bugs in Facebook has ended with a warning about a privacy oversight in the new Facebook dashboard. Blog site allfacebook.com has reported that users can view the latest applications that their friends have been using whether or not they want you to. It said that while Facebook will 'probably' resolve this issue before launch, beta games and applications dashboards are visible to everybody. A developer told the site: "I may not want my boss to know that I'm playing games during work hours. Or I may not want my friends knowing that I ran the 'How Perverted are You?' application." A blogger reported that hundreds of people were continuing to post status updates about the issue and while users are claiming that it is spyware, Facebook has reported that it is a bug which should not damage your account or computer in any way. Source: http://www.scmagazineuk.com/warnings-made-of-application-bug-in-new-facebook-dashboard-as-seo-poisoning-causes-concern-after-unnamed-app-reports-by-users/article/162631/


39. January 29, The Register – (International) Experts fret over iPad security risks. Apple's much hyped iPad tablet may come tightly locked down, but the device is still likely to be affected by many of the security issues that affect the iPhone, as well as some of its own. Security experts polled by The Register were concerned about a variety of risks, in particular phishing attacks and browser exploits. The senior technology consultant at Sophos commented: "The iPad, from the sound of things, will be as locked down as the iPhone. Hackers will no doubt try to jailbreak it. But the main threat would be phishing and browser exploits." Malware-related risks may also trouble the iPad. The only malware to affect the iPhone to date has been a very small but well-publicised number of threats that exploited default passwords and open SSH shells on jailbroken iPhones. However, while the iPad uses the same OS as the iPhone, it is more powerful; that means attacks based on doctored PDF files may potentially become a risk, explained a technical director of PandaLabs. Source: http://www.theregister.co.uk/2010/01/29/ipad_security/


40. January 28, Network World – (International) Phishing scam targets users of Adobe PDF Reader. A new phishing scam is trying to fool people into thinking it comes from Adobe, announcing a new version of PDF Reader/Writer. The message is making its way into e-mail boxes today, and the real Adobe urged any recipients to simply delete it. The phishing scam has a subject line "download and upgrade Adobe PDF Reader – Writer for Windows," includes a fake version of Adobe's logo and provides links that would lead to malicious code or other trouble if a victim clicked on them. The e-mail appears to come from "Adobe" at the address newsletter@pdf-adobe.org; the look-alike domain is part of the scam, since it is not an Adobe domain. "It has come to Adobe's attention that e-mail messages purporting to offer a download of the Adobe Reader have been sent by entities claiming to be Adobe," the company said in a statement warning about it. "Many of these e-mails are signed as 'Adobe PDF' (or similar), and in some instances require recipients to register and/or provide personal information. Please be aware that these e-mails are phishing scams and have not been sent by Adobe or on Adobe's behalf." Source: http://www.networkworld.com/news/2010/012810-phishing-scam-adobe.html


Communications Sector

41. January 29, IDG News Services – (National) FBI arrests alleged cable modem hacker. U.S. federal authorities arrested a 26-year-old man on January 28 for allegedly selling modified cable modems that enabled free Internet access, according to the U.S. Department of Justice. The suspect, of New Bedford, Massachusetts, is charged with one count of conspiracy and one count of wire fraud. If convicted, he could face up to 20 years in prison for each charge, and a $250,000 fine. He allegedly ran a now-defunct Web site called Massmodz.com, where hacked modems were sold. The modems had been modified to spoof the device's MAC (Media Access Control) address, which the cable operator uses to decide whether a modem is a paying subscriber's. A spoofed address makes it possible either to obtain free Internet access or to make it appear that a different modem is obtaining access. Authorities alleged that the suspect sold two of the modified modems to an undercover FBI agent. He also allegedly posted videos to YouTube showing how to get free Internet access through modified cable modems. Source: http://www.computerworld.com/s/article/9149980/FBI_arrests_alleged_cable_modem_hacker


42. January 29, Palm Springs Desert Sun – (California) Phone service expected to be restored for 500 in Indio today after weeklong outage. Verizon expects to restore phone and Internet service today to hundreds of Indio customers affected by an outage that began January 21, the company said. A Verizon spokesman said about 500 customers around Jackson Street between avenues 44 and 46 lost landline phone and DSL Internet service during a rainstorm on January 21. He said the outage was caused by a wet cable with cracked insulation. "Some water got inside, and that obviously causes electrical shorts when you have water mixing with electrical signals," he said. "We're replacing that whole section of cable." He said he was not aware of other large outages in the Coachella Valley caused by the storms. He said some smaller cables were similarly affected, but each of those outages only affected a handful of customers for a day or two. Source: http://www.mydesert.com/article/20100129/NEWS01/100129009/0/PREPSPORTS/Phone-service-expected-to-be-restored-for-500-in-Indio-today-after-weeklong-outage


43. January 29, CNET News – (National) T-Mobile data issues hit Nexus One owners. Nexus One owners are complaining of a widespread data outage Friday morning on T-Mobile's network. As with most reports of outages, it is always difficult to get a sense of just how many people are being affected. But Google's customer support forums are full of Nexus One owners reporting that they are unable to access the data network, and other news outlets are getting tips from their readers that something is amiss. A Google employee confirmed there was some sort of problem with T-Mobile's data network in a forum message: "We're aware of reports with T-Mobile data connections, including the error: 'To connect to the Internet with the device you are using, you'll need a webConnect data plan.' We're currently working with T-Mobile to resolve this issue." A T-Mobile representative did not immediately respond to a request seeking more information on the outage. Source: http://news.cnet.com/8301-30684_3-10444283-265.html


44. January 28, Green Bay Press-Gazette – (Wisconsin) WBAY, WPNE TV channels to be off air in Green Bay because of transmission problems. WBAY, Channel 2, is experiencing transmission problems, and finding the cause will take six channels off the air starting at 9 a.m. on January 29. “It’s a short or flash-over occurring in the transmission system,” said the Green Bay station's general manager. WBAY is temporarily operating at low power, and viewers in outlying areas who receive its three digital channels may be affected. WPNE-TV, Channel 38, uses the same antenna on Scray’s Hill southeast of the city, so the shutdown will also affect its three digital channels. The shutdown may last six hours. It will affect most cable systems, DirecTV customers and over-the-air viewers, but not all viewers: WBAY feeds its signal directly to Dish TV and AT&T U-Verse, and the signal probably will remain on those systems, the manager said. The testing won’t be the end of the disruptions. Source: http://www.greenbaypressgazette.com/article/20100128/GPG0101/100128169/1207/GPG01/Transmission-woes-will-take-6-WBAY--WPNE-channels-off-air-Friday


45. January 27, Redwood Times – (California) Emergency preparedness reviews earthquake, storms. The Southern Humboldt Emergency Preparedness Team met at the Garberville Cal Fire station on January 22. The recent earthquake and the series of storms that resulted in slides and road closures were on the minds of the team members. A spokesman of the Shelter Cove Fire Department reported that after the earthquake the Shelter Cove community lost its communication system. A new microwave link Verizon had installed on the communication tower failed and left the community without cell phone coverage or emergency 911 coverage for two days. A number of elderly people were left without their lifeline alert service. Because these individuals don’t drive and their phones are their only lifeline to the world, the spokesman and other SCFD personnel made the rounds of the lifeline households to make sure that everything was all right. A spokesman of the Southern Humboldt Amateur Radio Club reported that the local 146.79 repeater has been off the air. Apparently some wildlife got into the system and caused damage. The 147.33 repeater on Grasshopper Peak is available, he said. It has a positive offset, he said, and good coverage of the area from Eureka to Piercy. Source: http://www.redwoodtimes.com/garbervillenews/ci_14278623


For another story, see item 37