Department of Homeland Security Daily Open Source Infrastructure Report

Friday, May 21, 2010

Complete DHS Daily Report for May 21, 2010

Daily Report

Top Stories

Los Angeles’ mayor Wednesday defiantly rejected a warning by a top Arizona utilities official that the state could cut off power to Los Angeles should the city proceed with its boycott of all things Arizona. A commissioner on the five-member Arizona Corporation Commission wrote a letter to the mayor slamming his city council’s decision to boycott the Grand Canyon State — in protest of its immigration law — by suspending official travel there and ending future contracts with state businesses. Noting that a quarter of Los Angeles’ electricity comes from Arizona power plants, he threatened to pull the plug if the city council does not reconsider. (See 1)

1. May 19, FOX News – (Arizona; California) L.A. mayor dismisses warning that Arizona could cut off power over boycott. Los Angeles’ mayor Wednesday defiantly rejected a warning by a top Arizona utilities official that the state could cut off power to Los Angeles should the city proceed with its boycott of all things Arizona. A commissioner on the five-member Arizona Corporation Commission wrote a letter to the mayor slamming his city council’s decision to boycott the Grand Canyon State — in protest of its immigration law — by suspending official travel there and ending future contracts with state businesses. Noting that a quarter of Los Angeles’ electricity comes from Arizona power plants, he threatened to pull the plug if the city council does not reconsider. “I am confident that Arizona’s utilities would be happy to take those electrons off your hands,” he wrote. “If, however, you find that the City Council lacks the strength of its convictions to turn off the lights in Los Angeles and boycott Arizona power, please reconsider the wisdom of attempting to harm Arizona’s economy.” The Arizona commissioner told FoxNews.com that he was speaking for himself, not the entire commission, though he has the support of at least one other member. But Arizona has some serious leverage over Los Angeles, as well as the rest of California. The state and city get electricity from a nuclear power plant outside Phoenix, as well as from coal-fired power plants in northern Arizona and two giant hydroelectric power generators along the Colorado River. Source: http://www.foxnews.com/politics/2010/05/19/arizona-official-threatens-cut-los-angeles-power-payback-boycott/

A man attempting to board a flight from Puerto Rico to Boston was arrested with a carry-on bag stocked with four box cutters, a switchblade knife, a stun gun and information about New York City, federal law enforcement officials said Wednesday. The man was stopped Tuesday at an airport security checkpoint after the screening of a carry-on bag led to a physical search that turned up the dangerous items, authorities said. (See 22)

22. May 19, Los Angeles Times – (Puerto Rico) Box cutters found in carry-on bag for flight from Puerto Rico to Boston. A man attempting to board a flight from Puerto Rico to Boston was arrested with a carry-on bag stocked with four box cutters, a switchblade knife, a stun gun and information about New York City, federal law enforcement officials said Wednesday. The man was stopped Tuesday at an airport security checkpoint after the screening of a carry-on bag led to a physical search that turned up the dangerous items, authorities said. He also carried pepper spray, two lighters, matches, scissors, a flight simulation program and a wire device that sets off an electric charge, authorities said. The man was arrested and charged with attempting to carry dangerous weapons aboard Jet Blue Flight 860, which was about to depart from Puerto Rico’s Luis Munoz Marin International Airport in Carolina, Puerto Rico. “We’re still looking into his motive, still determining if he has any ties to any specific terrorist organization,” said a government source who has been briefed on the arrest but who was not authorized to discuss it. Terrorism, he said, “is not ruled out.” A second government official said it appeared “highly unlikely” that the man had direct connections to a radical Muslim organization. He added that investigators were trying to determine whether the man suffers from a military service disability. Source: http://www.latimes.com/news/nationworld/nation/la-na-flight-arrest-20100520,0,693427.story

Details

Banking and Finance Sector

12. May 20, Help Net Security – (International) Twitter malware campaign features a banking Trojan and keylogger combo. A malware campaign has been launched that uses fake Twitter accounts to send out messages tagged with popular hashtags, containing the text “haha this is the funniest video ive ever seen” and a malicious shortened link. The messages pop up when users search for trending topics. The shortened links in the messages all point to a Web page that hosts a Java exploit whose goal is to drop a keylogger/banking Trojan on the visiting computer. F-Secure advises everybody who does not need Java in their browser to disable it, so that this kind of attack misses its mark. Source: http://www.net-security.org/malware_news.php?id=1349


13. May 20, SpamfighterNews – (International) Phishing Web sites of top Indian financial institutions deceiving customers. Security company Symantec has disclosed in its latest study that cyber crooks are attacking online customers by launching phishing sites in the name of reputed Indian banks and financial institutions. The number of phishing sites targeting Indian government bank brands surged by 35 percent from February to March 2010. RBI (The Reserve Bank of India) was one of the main targets. Using RBI as an example, Symantec noted that although the phishing site carried the RBI logo, the Web page is entirely different from the authentic RBI Web site. The fake Web page is built from a single template, enabling attackers to spoof several brands just by replacing the logo and some keywords. Phishing sites that spoof other brands using this design template are hosted on the same IP address under distinct domain names. Further, Symantec stated that the phishing mail carries a URL link. After clicking the link, the targeted user reaches a site showing the name of a government department or a bank. The mail asks the user to reveal private details such as bank account number and log-in password. Notably, most of the phishing sites created during March 2010 have the URL extension .in, suggesting that they are Indian sites. But on examination, it was found that the servers hosting these sites are located in the U.S. Source: http://www.spamfighter.com/News-14425-Phishing-Websites-of-Top-Indian-Financial-Institutions-Deceiving-Customers.htm


14. May 20, Greeley Tribune – (Colorado) Credit card phone scam back on the line in Greeley area. For at least the third time this year, con artists are calling cell phone numbers in the Greeley, Colorado area and telling people their accounts or credit cards have been canceled. In most cases, the targets of the scam are told their account at the Weld Schools Credit Union needs to be updated, and they are told to call another number. There, they receive instructions to leave their credit card number so the matter can be corrected. In other cases, the targets of the scam are told their ATM card was canceled and they need to leave the number on a phone message. Police and bank officials said the calls are a scam, attempting to get the victims’ credit card numbers. At the credit union, the marketing director said about 500 people have called in the last few days to ask if there is a problem with their accounts. A Greeley police fraud investigator said the best thing to do when one receives such a call is to hang up. Source: http://www.greeleytribune.com/article/20100520/NEWS/100519612/1002&parentprofile=1001


15. May 19, Pasco Suncoast News – (Florida) Skimming device found on ATM at New Port Richey bank. Detectives with the Pasco County Sheriff’s Office are searching for a pair who placed a skimming device and a pin-hole camera on a New Port Richey, Florida bank’s ATM Saturday, May 15 in an attempt to steal ATM card account numbers and PIN codes. The skimming device was found at the Bank of America’s River Crossing branch, located at 5242 Little Road, according to the sheriff’s office. The report said the first suspect was wearing a hat and driving what appears to be a Dodge minivan. He placed the skimming device on the ATM at 8:35 a.m. This suspect was trailed by an associate, wearing a baseball cap and driving a 4-door BMW, the report noted. The skimming device was discovered and retrieved by a customer at 8:42 a.m., who then took the device to another Bank of America branch to ask about the object. The suspects returned at 9:45 a.m. and removed a pin-hole camera which was not detected by the customer, the report said. Source: http://suncoastpasco.tbo.com/content/2010/may/19/190827/skimmer-device-found-new-port-richey-bank-atm/


16. May 19, IDG News Service – (International) Heartland, MasterCard settle over data breach. Heartland Payment Systems has made a third settlement deal, this time with MasterCard, related to a massive data breach two years ago at the card payments processor. As part of the deal, Heartland has agreed to pay as much as US$41.1 million to MasterCard issuers that lost money as a result of the data breach. The deal is contingent on financial institutions representing 80 percent of the affected MasterCard accounts accepting the offer by June 25. MasterCard is recommending that issuers accept the offer. Heartland has already agreed to settlements with Visa, worth $60 million, and with American Express, for $3.6 million. Source: http://www.pcworld.com/businesscenter/article/196711/


17. May 19, KYW 3 Philadelphia – (Pennsylvania) Bandit sought in robberies of 3 Philadelphia banks. The FBI and the Philadelphia, Pennsylvania Police Department are searching for a suspect who has robbed three banks within a matter of days. The latest robbery occurred May 18 at the Polonia Bank branch located at 2646 East Allegheny Avenue. Investigators believe the suspect also robbed the Beneficial Bank branch located at 826 East Allegheny Avenue on Monday, May 10, and the Third Federal Bank branch located at 2330 East York Street on Saturday, May 15. In all three incidents, the thief made threatening verbal demands to the teller and then fled the scene on foot after obtaining cash. There have been no injuries in the robberies. Source: http://cbs3.com/topstories/FBI.Philadelphia.Kensington.2.1702004.html


18. May 19, WSAZ 3 Huntington/Charleston – (Kentucky) Man dressed as woman arrested for attempted bank bombing. Prestonsburg, Kentucky Police said a suspect in an attempted bank bombing entered the BB&T bank located on Glynnview Plaza twice before he was taken into custody. Police said he first walked in and asked about opening a safety-deposit box. The bank informed the suspect that they do not have safety-deposit boxes, and he left. BB&T called the police after the man left because he was acting suspiciously. The suspect then entered the bank a second time asking to open a checking account. BB&T then called the police again. Police said that the suspect was carrying a purse full of explosives, but it was unable to detonate. Police also said his wife has cancer and he had just lost his job. A Prestonsburg police detective said the suspect was trying to disguise himself as a woman, wearing lipstick, glasses and a wig. He has not been charged yet. Source: http://www.wsaz.com/news/headlines/94281099.html


Information Technology


42. May 20, The New New Internet – (International) Over 80 Chinese government Web sites hacked. In China, 81 government Web sites were hacked from May 10 to May 16, according to a report by the National Computer Network Emergency Response Technical Team. This represents a 35 percent drop in attacks from the previous week. As of noon May 17, at least 29 of the Web sites were still down. In China, many systems remain unpatched and are exploited by malware. China has one of the highest rates of pirated software, which leaves systems unpatched and gives cyber criminals easy access to them. Between May 2 and May 9, 124 government Web sites were hacked. “The report revealed 150 .CN malicious domain names, five malicious codes and five software loopholes. And .xorg.pl, a malicious domain group registered in Poland, has more than 100 malicious domain names and has been used to tamper with many Chinese Web sites and users,” according to The People’s Daily. Source: http://www.thenewnewinternet.com/2010/05/20/over-80-chinese-government-websites-hacked/


43. May 20, Federal Computer Week – (National) Microsoft to give governments heads up on security vulnerabilities. Microsoft will share technical information on security vulnerabilities with some government organizations before it publicly releases security patches, to help governments protect critical infrastructure. Government organizations that participate in both of two existing Microsoft programs designed to share security information with governments can get advance access to the vulnerability data through a new pilot program named the Defensive Information Sharing Program (DISP). Microsoft will start the pilot program this summer and begin the full program later this year, Microsoft’s group manager for response communications said in an e-mail statement. The group manager said early access to that information would let the government organizations get an early start on risk assessment and mitigation. “This will allow members [of DISP] more time to prioritize creating and disseminating authoritative guidance for increasing network defensive posture actions,” the group manager said. DISP is one of two pilot programs that a senior security program manager lead in the Microsoft Security Response Center detailed in a blog post May 17. The senior security program manager also described another information-sharing program for governments, known as the Critical Infrastructure Partner Program. It provides insights on security policy, such as approaches to help protect critical infrastructures. Source: http://fcw.com/articles/2010/05/19/web-microsoft-patch.aspx


44. May 19, DarkReading – (National) Hacking the security infrastructure. Security tools are some of the most trusted and critical devices in an organization — and that is exactly what makes them so attractive to potential attackers. A trio of researchers who discovered vulnerabilities in Cisco firewalls and in Cisco and McAfee security-management software will demonstrate proof-of-concept attacks against these products at the upcoming Black Hat USA conference. “There’s a good degree of trust in [security] devices. Once someone gains access to them, they can directly modify the security posture of the organization — [including] opening additional access from the Internet to further compromise additional resources,” said a firewall engineer at SecureWorks. “Both the firewall and intrusion prevention system (IPS) often act as choke points where traffic from a number of hosts passes through. Attackers may be able to intercept [traffic] and compromise credentials.” But organizations typically overlook the security of their security products. Despite the critical posture of a firewall, IPS, or security-management console, organizations rarely include them in their vulnerability and risk assessments, said the engineer and his colleagues, the director of research and security engineer at SecureWorks, who will present their research at Black Hat in July. Source: http://www.darkreading.com/vulnerability_management/security/perimeter/showArticle.jhtml?articleID=224900427


45. May 19, IDG News Service – (International) Microsoft chases ‘click laundering’. Microsoft said it has uncovered a new kind of click fraud, filing two lawsuits against people it said are using the scam. One of the suits, filed in the U.S. District Court for the Western District of Washington, accuses the Web site RedOrbit.com and the site’s president of using click laundering, a term Microsoft came up with to describe a new way of boosting the number of clicks on advertisements on a Web site. “What was at one point thought to be highly or almost impossible to do, we have uncovered it is technically possible to do,” said an attorney in Microsoft’s digital crimes unit. Microsoft accuses RedOrbit, which was once an approved site on its AdCenter network, of using botnets and so-called parked sites to dramatically drive up the number of clicks on ads on the RedOrbit site. But rather than simply use the botnets and sites to direct clicks to ads on RedOrbit.com as fraudsters commonly do, RedOrbit directed the traffic to its own servers where it scraped out the traffic-referring information and replaced it with code that made it look like the traffic came directly to the approved RedOrbit site, Microsoft said. Parked sites are sites with little value that typically only include long lists of links or search bars that return lists of links. Microsoft said it discovered the potential fraud early in 2009 when it noticed hits from RedOrbit.com spiked from an average of 75 a day to around 10,000 a day, said the general counsel for Microsoft. Source: http://www.computerworld.com/s/article/9176995/Microsoft_chases_click_laundering


For another story, see item 47 below in the Communications Sector.


Communications Sector

46. May 20, The Gloucester County Times – (New Jersey; Pennsylvania) Copper thieves blamed in Woolwich phone service outage. Phone service was shut down to a number of residents in Woolwich Township, New Jersey until the early morning hours of Monday after thieves swiped Verizon telephone wire on Kings Highway. The theft occurred sometime late May 16 or early May 17 near Moravian Church Road. “Our guys checked around and there’s no evidence out there,” a Woolwich police captain said. “According to the Verizon people, it looks like someone cut it with a hacksaw or Sawzall.” A spokesman for Verizon said the thieves made off with a 215-foot section of 900-pair phone wire. It’s not a common occurrence, but it’s not uncommon, he noted. It’s a relatively new thing for this part of the state, but similar incidents are widespread elsewhere. “We’re dealing with a spate of thefts out in Western Pennsylvania,” the spokesman said. “On Monday, we put out a $50,000 reward for the arrest and conviction of those responsible.” Source: http://www.nj.com/gloucester/index.ssf?/base/news-15/1274360777233200.xml&coll=8


47. May 19, The Register – (California) ISP shuttered for hosting ‘witches’ brew’ of spam, child porn. A federal judge has permanently pulled the plug on a California Web-hosting provider accused of harboring a “witches’ brew” of pernicious content on behalf of child pornographers, spammers, and malware purveyors. San Jose, California–based 3FN.net, which also operated under the name Pricewert, was also ordered to liquidate all assets and surrender more than $1 million in illegal profits. The ruling by the U.S. district judge was in response to a complaint filed in June in which Federal Trade Commission (FTC) lawyers portrayed 3FN as a haven for some of the Internet’s most objectionable content. FTC attorneys cited a mountain of evidence to support their claims, including Instant Message transcripts from high-level 3FN employees and logs from NASA servers that showed attacks originating from IP addresses controlled by 3FN. They also submitted findings from a computer-forensics expert of the University of Alabama at Birmingham, NASA’s office of the inspector general, and researchers from Spamhaus and Symantec in proving the allegations. Source: http://www.theregister.co.uk/2010/05/19/3fn_permanently_shuttered/


48. May 17, WLKY 32 Louisville – (Kentucky) Police search for Waverly Park copper thieves. Louisville, Kentucky metro police (LMPD) are looking for three people who stole copper from the Waverly Hills tower site in Waverly Park. The theft happened at about 3:30 p.m. Surveillance pictures provided by LMPD showed three people. Police are looking for two white men and a white woman who cut the lock to the gated complex and stole copper belonging to Metro Safe and AT&T. The vehicle appeared to be a dark-colored, two-door Saturn. Source: http://www.wlky.com/news/23581673/detail.html