Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, February 25, 2010

Complete DHS Daily Report for February 25, 2010

Daily Report

Top Stories

 CNN reports that a gunman wounded two students Tuesday at Deer Creek Middle School in Littleton, Colorado as classes were letting out. A teacher tackled the gunman as he was preparing to fire again. (See item 25)

25. February 24, CNN – (Colorado) School shooting suspect identified. The man suspected of shooting two students at a Littleton, Colorado, middle school has been identified, authorities said Wednesday. The suspect, age 32, was arrested after the incident Tuesday at Deer Creek Middle School and is scheduled to appear in court Wednesday morning, according to the Jefferson County Sheriff’s Office. He is facing two counts of attempted first-degree murder, the sheriff’s office said. He is accused of shooting two students as classes were letting out at 3:15 p.m. Tuesday. A 6-foot-5 former college basketball player who is a math teacher and track coach tackled the suspected gunman as he was preparing to fire again, CNN affiliate KMGH reported. “[The shooter] was trying to rack another round,” the teacher told the station. “I knew he couldn’t get another round in before I got to him, so I grabbed him.” Source:

 The Washington Post reports that, for the first time, U.S. officials plan to embed American intelligence agents in Mexican law enforcement units to help pursue drug cartel leaders and their hit men operating in Juarez, according to U.S. and Mexican officials. (See item 33)

33. February 24, Washington Post – (International) U.S. to embed agents in Mexican law enforcement units battling cartels in Juarez. For the first time, U.S. officials plan to embed American intelligence agents in Mexican law enforcement units to help pursue drug cartel leaders and their hit men operating in the most violent city in Mexico, according to U.S. and Mexican officials. The increasingly close partnership between the two countries, born of frustration over the exploding death toll in Ciudad Juarez, would place U.S. agents and analysts in a Mexican command center in this border city to share drug intelligence gathered from informants and intercepted communications. Until recently, U.S. law enforcement agencies have been reluctant to share sensitive intelligence with their Mexican counterparts for fear they were either corrupt or incompetent. And U.S. agents have been wary of operating inside Mexican command centers for fear they would be targeted for execution in the sensational violence and lawlessness in Ciudad Juarez that left more than 2,600 people dead last year. But those attitudes are changing amid strong support from Washington for the Mexican president’s war against the cartels, including a $1.4 billion aid package. Source:


Banking and Finance Sector

8. February 24, Reading Eagle – (Pennsylvania) Ex-National Penn Bank officer charged in $4.4 million embezzlement scheme. Federal authorities on February 23 charged a former National Penn Bank officer with embezzling more than $4.4 million and using the money to pay off debts and buy property and vehicles. Prosecutors said the former vice president of loan operations created lines of credit under fictitious names and electronically transferred the funds into accounts held by herself and relatives. The 62-year-old suspect, of Boyertown, is charged with one count each of bank fraud, embezzlement by a bank employee and filing a false tax return, a U.S. attorney said. She remains free pending arraignment. The suspect filed a tax return for 2007 that omitted $719,571 in income, prosecutors said. Prosecutors said the suspect, while employed at the Boyertown-based bank, spent much of the money on vehicles, several residences and other items. They said she also transferred hundreds of thousands of dollars to relatives and others. The National Penn senior vice president for corporate communications said in a statement that no customer funds were lost. Source:

9. February 24, Miami Herald – (Florida) Suspect charged in string of South Florida bank robberies. A prolific bank robber — who once served almost 10 years in federal prison for a string of heists — is believed to be behind at least eight recent South Florida bank robberies, an FBI spokeswoman confirmed on February 23. Police arrested the 55-year-old suspect about noon on February 23 outside a Miami Springs restaurant, the spokeswoman said. He has been charged with two counts of bank robbery, but more charges could be filed, she said. The suspect, who decades ago was known as “the Joker” bank robber because he would present a note that said, “This is no joke,” was arrested in December 1990. He pleaded guilty in 1991 and served more than eight years in prison, according to the affidavit. By 2010, the suspect’s method of robbing a bank had not changed, authorities said, but his nickname had: the Old Man Bandit. He hit banks — including some of the biggest names in the industry, such as Citibank, Wachovia, HSBC and Bank of America — from Palm Beach Gardens to Pinecrest over the past two years, authorities said. Source:

10. February 23, TechWorld – (International) Virtualized USB key beats keyloggers. Is this the future of online banking? US company IronKey has come up with a USB drive that can be used to access bank accounts without relying on the host operating system or applications that cause so many of today’s security problems. Aimed at companies that want to protect corporate bank accounts, Trusted Access for Banking is a standard IronKey USB drive that runs a walled or ‘hardened’ Linux virtual environment on top of the PC’s OS. It comes complete with its own browser, hardwired to access only a particular bank service, and incorporates RSA SecurID tokens for authentication. According to an IronKey spokesman, the PCs used for corporate bank access are now considered so insecure that companies have been lumbered with impractical remedies such as dedicating a specific PC to be used only for bank access. With IronKey Trusted Access, companies can simply plug the drive into any PC without installing additional drivers or software; the host PC is then given a precautionary scan for malware, including specialized banking Trojans such as Zeus, before the banking session starts. Source:

11. February 23, KOKI 23 Tulsa – (National) Tulsa’s “granddad bandit” wanted. He is dubbed the “Granddad Bandit,” and the FBI believes he has hit 18 banks in a dozen states, including Midtown Tulsa’s Valley National Bank in December. Now the FBI is launching a campaign to capture him. It has posted wanted pictures of the bandit on Tulsa’s Lamar digital billboards and across the nation. Since April 2009, authorities believe he has been traveling all across the country. Investigators say he started in Houston, headed east to Georgia, then to Alabama, up to the state of New York and down to Florida. The man then headed to Oklahoma, hitting Tulsa’s Valley National Bank in December. The FBI says he has also hit banks in Arkansas, Kansas, Michigan, Mississippi, Tennessee and Virginia. The FBI is offering a $10,000 reward for information that leads to an arrest and conviction in these interstate bank robberies. Source:

12. February 22, Associated Press – (California) ‘Blue note’ bandit charged with 14 robberies in OC. An Orange County man has been charged with robbing 14 grocery store bank branches. Prosecutors say the 50-year-old suspect of Laguna Niguel was charged in Superior Court on February 22 with 14 felony counts of robbery. If convicted, he faces 18 years in prison. Because the robber sometimes used blue pieces of paper for demands, the Federal Bureau of Investigation dubbed him the “blue note bandit.” Prosecutors say the suspect carried out the robberies to support a drug habit and pay off major debts. Conviction on all counts would make the suspect Orange County’s most prolific bank robber. Source:

For another story, see item 43 below in Information Technology

Information Technology

38. February 24, – (International) Intel latest to admit January hacking attack. Intel has become the latest company to admit being targeted for a system intrusion earlier this year. The company said on February 23 in a filing with the US Securities and Exchange Commission that it was the target of an attack early last month around the same time that Google and Adobe were subject to their high-profile attacks. “We regularly face attempts by others to gain unauthorized access through the internet to our IT systems by, for example, masquerading as authorized users or the surreptitious introduction of software,” the company said. Intel said later that, other than the timing, there was nothing to suggest that the incident was related to the attempts to compromise systems at Google and other vendors. Source:

39. February 24, SC Magazine – (International) Major long-standing flaw in Microsoft Windows lets simple code crash the operating system. Microsoft Windows operating systems can be crashed just by running simple code. The long-standing vulnerability, identified by 2X Software, affects PCs and servers running anything from the latest Windows 7/Server 2008 versions back to Windows 2000/Server 2003. 2X Software discovered the flaw when its own testing tools triggered a blue screen and system reboot. The company said the code needed to crash the system is very easy to develop and uses only documented, legitimate calls, with no ‘tricks’ or unusual techniques required. With just a few lines of code an application can be created that crashes the whole Windows system, and the flaw could easily be used inside a malicious application to mount a denial-of-service (DoS) attack. The problem can be corrected in the OS code by validating the arguments passed to the affected API. Because the vulnerability appears to have been introduced during the development of Windows 2000 (Windows NT 4.0 is unaffected), 2X Software estimates it is around ten years old. It is also present on 64-bit versions of the operating system (the company tested Windows Server 2008). Source:

40. February 23, Computerworld – (International) Adobe patches critical bug in Flash, Reader download tool. Adobe on February 23 patched a critical vulnerability in the Windows utility used to download the company’s two most popular products, Adobe Reader and Flash Player. It was the second time in the last six weeks that Adobe fixed a flaw in Download Manager, the program it installs on PCs when customers download Reader or Flash Player. The bug, Adobe acknowledged in an advisory, “potentially allow[s] an attacker to download and install unauthorized software onto a user’s system.” An Israeli security researcher disclosed the vulnerability recently, when he said that attackers could use the Download Manager to forcibly download and install any executable file, including attack code. Download Manager is not the update mechanism for Reader and Flash Player — that’s dubbed Adobe Update Manager — but instead oversees file transfers from Adobe’s site. Although Download Manager is automatically removed from a Windows PC the next time the machine is restarted, the researcher said it still posed a danger because some systems remain powered on for days or even weeks between reboots. Source:

41. February 23, CNET News – (International) Experts warn of catastrophe from cyberattacks. Computer-based network attacks are slowly bleeding U.S. businesses of revenue and market advantage, while the government faces the prospect of losing in an all-out cyberwar, experts told Senators in a hearing on February 23. “If the nation went to war today in a cyberwar, we would lose,” said the executive vice president of Booz Allen Hamilton’s national security business and a former director of national security and national intelligence. “We’re the most vulnerable. We’re the most connected. We have the most to lose.” The U.S. will not be able to mitigate the risk from cyberattack until the government gets more actively involved in protecting the nation’s networks, which may not occur until after a “catastrophic event” happens, he said in testimony during a hearing of the Senate Committee on Commerce, Science and Transportation. The subject of the hearing was the Cyber Security Act of 2009, which would regulate organizations and companies that provide critical infrastructure for the U.S., require licensing and certification for cybersecurity professionals, and provide funding for grant and scholarship programs. The U.S. House of Representatives passed its version of the Cyber Security Act earlier this month. The bill is necessary and overdue, said a senior fellow at the nonprofit Center for Strategic and International Studies (CSIS). The U.S. is “under attack every day, losing every day vital secrets. We cannot wait,” he said. “We need a new framework for cybersecurity and this bill helps provide that.” “A cyberattack would be like being bled to death and not noticing it, and that’s kind of what’s happening now,” the senior fellow said when asked to define what a cyberattack is. “The cyberattack is mainly espionage, some crime,” he added, citing as an example an attack in which $9.8 million was extracted from ATMs over a three-day weekend. Source:

42. February 23, DarkReading – (International) Attack unmasks user behind the browser. A group of researchers have discovered a simple way to reveal the identity of a user based on his interactions with social networks. The ‘deanonymization’ attack uses social network groups as well as some traditional browser history-stealing tactics to narrow down and find the user behind the browser. The researchers were able to deanonymize more than half of the users in their initial test using their attack method, which entailed their joining and crawling groups within social networks, such as Germany’s Xing business social network and Facebook, using a fake profile. They then matched pilfered browsing histories with social-network group members to “fingerprint” and identify them. “Without using the group info, an attack that only uses history stealing is infeasible in a real-world scenario. So, in fact, it is the combination of history-stealing and group information that is novel,” said a post-doctoral researcher with the International Secure Systems Lab of the Vienna University of Technology in Austria, who co-developed the proof-of-concept. Criminals could use this for phishing and targeted attacks. The attack requires only that the victim visit a malicious Website that contains the attack code — there’s no malicious link, per se. Source:
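The matching step of the attack described above, written out as an added example; this is not the researchers’ code and every URL, group name and user ID in it is constructed. A malicious page first learns which social-network group pages the visitor has in the browser history (the history-stealing step; in the 2010 attack this was done by rendering one link per group URL and reading back the computed colour of its :visited style), then intersects the member lists of those groups, which the attacker crawled in advance with a fake profile. Node has no DOM, so the history probe is stood in for by a constructed “visited” set; the group-crawl and matching logic is what the example demonstrates, including the two failure modes a practitioner would check: a visitor whose history matches no crawled group, and a history that points at several equally likely members.

```javascript
// Added example (not from the article or the paper): group-based
// deanonymization = history stealing + crawled group membership.

// Constructed data: group pages crawled with a fake profile, with member IDs.
const crawledGroups = {
  'https://social.example/groups/vienna-security':  ['alice', 'bob', 'carol', 'dave'],
  'https://social.example/groups/tu-wien-alumni':   ['alice', 'carol', 'erin'],
  'https://social.example/groups/marathon-runners': ['bob', 'carol', 'frank'],
  'https://social.example/groups/chess-club':       ['dave', 'erin', 'grace'],
};

// Stand-in for the browser history-stealing probe. In a real page this would
// create an <a href=url> element and compare getComputedStyle(a).color with
// the a:visited colour; here it answers from a constructed history set.
function makeVisitedProbe(visitedUrls) {
  const visited = new Set(visitedUrls);
  return (url) => visited.has(url);
}

// Core of the attack: probe every crawled group URL, then score each member
// by how many of the visited groups they belong to. The visitor is most
// likely among the members with the highest score; ties stay as a candidate
// set rather than being guessed away.
function deanonymize(groups, isVisited) {
  const groupUrls = Object.keys(groups);
  const visitedGroups = groupUrls.filter(isVisited);
  if (visitedGroups.length === 0) {
    // History stealing alone tells us nothing without a matching group.
    return { probed: groupUrls.length, visitedGroups, matched: 0, candidates: [] };
  }
  const score = new Map();
  for (const url of visitedGroups) {
    for (const member of groups[url]) {
      score.set(member, (score.get(member) || 0) + 1);
    }
  }
  const best = Math.max(...score.values());
  const candidates = [...score.entries()]
    .filter(([, s]) => s === best)
    .map(([member]) => member)
    .sort();
  return { probed: groupUrls.length, visitedGroups, matched: best, candidates };
}

// Demonstration on the constructed data: a visitor who has opened two of the
// four group pages is narrowed from seven known accounts to two.
const probe = makeVisitedProbe([
  'https://social.example/groups/vienna-security',
  'https://social.example/groups/tu-wien-alumni',
]);
console.log(deanonymize(crawledGroups, probe));
```

Why the group data matters: the :visited probe can only ask yes/no questions about URLs the attacker already knows, so without a crawled list of group pages and their members there is nothing useful to ask and nothing to map a hit back to. That is the combination the researchers describe as novel. Browsers have since changed how :visited is exposed to scripts, which closes the probe used here, but the matching logic applies to any other history or membership leak.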

43. February 23, – (International) VeriSign targets e-retailers with Trust Seal. Web authentication firm VeriSign launched on February 23 a new service designed to offer e-commerce firms that do not need SSL certificates a new way to secure and build greater consumer trust in their sites. VeriSign Trust Seal has been created specifically for companies, usually at the smaller end of the e-commerce market, that do not require the vendor’s SSL service and trust mark because they outsource transactions to a third party. Organizations that buy the service will be able to display VeriSign’s familiar checkmark logo alongside the words ‘VeriSign Trusted’, and will therefore attract customers by showing that they are not a scam or phishing site, the firm said. The service also includes a new site scanning service, offered by a third-party provider, which will let administrators keep sites free from malware and the ‘drive-by download’ attacks such malware can enable. VeriSign claimed that the service could also keep sites from being blacklisted by browsers, search engines and anti-virus software. Source:

For more stories, see items 44, 46, and 47 below in the Communications Sector

Communications Sector

44. February 24, The Register – (National) Comcast (finally) brings security extensions to DNS. Comcast - one of the largest ISPs in the US - has deployed new technology designed to protect the internet against a well-known form of attack that allows attackers to surreptitiously lure end users to impostor websites. For now, Comcast users who want to use the technology, known as DNSSEC, or DNS Security Extensions, must manually configure their preference by changing their DNS server’s IP addresses to and, Comcast said on February 23. By the end of next year, the ISP plans to make DNSSEC available to all of its customers. The move came as OpenDNS, which operates publicly available domain name system servers for free, criticized DNSSEC and said it was jump starting a competing measure known as DNSCurve. An OpenDNS engineer said it uses much stronger cryptography than DNSSEC and is also much easier to deploy and maintain. A recent survey found that only 20 percent of US government agencies had deployed DNSSEC, despite a December 31 deadline to adopt the standard. The technical imperfections of DNSSEC aside, its uneven adoption is also a major limitation because it is effective only if it is used uniformly across the internet. Source:

45. February 24, LR Mobile – (International) New Zealand’s 3G network nightmare. The recent 3G network outages in New Zealand are the stuff of nightmares for carriers and their suppliers, and after yet another network failure on February 23 the mobile woes deepened for Telecom New Zealand Ltd. and its 3G supplier, Alcatel-Lucent. After suffering major outages on its new “XT” 3G network during the past month that have affected some 200,000 customers, the Telecom New Zealand CEO says he has put AlcaLu on notice, according to reports. On February 24, The CEO of Alcatel-Lucent apologized to Telecom New Zealand customers in an interview on Radio New Zealand. “We have to take a responsibility,” he said. “We have way too many issues in the network, and we have to fix them.” The cause of Tuesday’s network failure has not yet been identified. But the outage occurred just days after Telecom New Zealand announced what caused the XT outage at the end of January and the measures it was taking to resolve the network problems. According to the operator’s statement, the January outage was due to “traffic surges in the network overloading the radio network controller in Christchurch. During the outage on 27 January, the traffic surge was caused by thousands of users suddenly re-registering after a separate network routing fault took down some cell sites.” Source:

46. February 24, The Register – (International) Hordes of new threats ahead for mobile networks. Malware on smartphones is just the first in a series of new security threats for mobile networks ushered in by the embrace of internet technologies, according to mobile phone encryption firms. The chief executive of GSMK CryptoPhone warns that criminal gangs are able to steal private information and undermine fair business trading thanks to advances in technology that have made attacks possible on low-cost kit. Years ago such attacks were only possible for intelligence agencies, but have now become feasible as a means of industrial espionage. The first and most ambitious line of attack involves spoofing femtocells to feign that an individual or organization is the user’s mobile network provider, while in fact they are taking over the network traffic. This can be accomplished using cheap hardware and some free open-source software. The second line of attack involves passively intercepting and decrypting mobile network traffic, by exploiting the latest cryptographic advances in breaking GSM’s built-in encryption algorithms. A third line of attack involves remote takeover of mobile devices by using tricks such as BlackBerry Service Book updates, Trojans and SIM Toolkit attacks. Source:

47. February 23, Network World – (International) Top-rated cell phones also rank high in radiation emissions. An environmental activist group has issued its latest list of popular cell phones that emit comparatively high levels of RF radiation, though all are within federal limits. The press release and full report on new 2010 cell phones by the Environmental Working Group (EWG), based in Washington, D.C., are intended in part to highlight the fact that technology writers and product reviewers rarely evaluate radiation emissions when rating cell phones. The press release singles out four recent, well-reviewed cell phones: Motorola Droid, BlackBerry Bold 9700, LG Chocolate Touch and HTC Nexus One by Google. “EWG has found that all four phones’ emissions are pushing the edge of radiofrequency radiation safety limits set by the Federal Communications Commission (FCC),” according to the group’s press release. A separate document, “Cell Phone Radiation Science Review,” charges, among other things, that “Current FCC standards fail to provide an adequate margin of safety for cell phone radiation exposure and lack a meaningful biological basis.” Using the FCC’s data, EWG finds that the four phones (others are listed in the press release) have SAR levels close to the FCC maximum of 1.6 W/kg: Droid, 1.50 W/kg; Nexus One, 1.39; Bold 9700, 1.55; and LG Chocolate Touch, 1.46. Source: