Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, August 11, 2010

Complete DHS Daily Report for August 11, 2010

Daily Report

Top Stories

• Reuters reports that with temperatures soaring around the 100-degree F mark this week across the U.S. Southeast, the Tennessee Valley Authority and local power companies Monday urged customers to conserve electricity to help maintain grid reliability. (See item 1)

1. August 10, Reuters – (National) TVA urges power conservation due to heat wave. With temperatures soaring around the 100-degree F mark this week across the U.S. Southeast, the Tennessee Valley Authority and local power companies August 9 urged customers to conserve electricity to help maintain grid reliability and save money. The above-normal temperatures have kept at least one of TVA’s power plants, the 3,274-megawatt Browns Ferry nuclear plant in Alabama, operating at reduced power or shut for several days since mid-July due to high water temperatures in the Tennessee River, which the plant uses for cooling. TVA customers used more than 31,700 MW on August 4. The system’s all-time record is 33,482 megawatts, set on August 16, 2007. The Electric Reliability Council of Texas set a new demand record on August 4 of 63,594 MW, exceeding the previous record of 63,400 MW on July 13, 2009. Extreme temperatures and high humidity across Arkansas, Louisiana, and Texas also sent electric usage in American Electric Power Co Inc’s Southwestern Electric Power Co to a new all-time high level. Source:

• The Columbia Basin Herald reports that a car was damaged by a bomb the night of August 7 while parked at Lamb Weston/BSW, a potato processing plant, in Warden, Washington. ATF is assisting in the investigation. (See item 30)

30. August 9, Columbia Basin Herald – (Washington) Bomb damages car in Warden. A car was damaged by a bomb the night of August 7 while parked at Lamb Weston/BSW in Warden. No one was injured by the blast and there was no damage to nearby vehicles or the potato processing plant, according to the public information officer for Grant County Emergency Management. Investigators determined the bomb was set off inside the car. When it exploded, it blew the windows out of the vehicle. “The sound of an explosion had been heard throughout the town, and a plant security guard reported a car had exploded in the parking lot,” he said. Warden police are being assisted in their investigation by the Bureau of Alcohol, Tobacco, Firearms and Explosives and the Grant County Sheriff’s Office. “To protect the integrity of the investigation, this is the only information which will be publicly released. Further information will likely be released at a later date,” the public information officer stated. Source:


Banking and Finance Sector

16. August 10, – (International) Zeus botnet compromises 3,000 UK bank accounts. Security experts have uncovered yet another Zeus attack targeted at the customers of a specific UK bank, which has compromised over 3,000 accounts and transferred in excess of £600,000 from victims’ accounts to its creators. M86 Security revealed that customers of the UK-headquartered financial company, which it refuses to name, have so far been hit for £675,000 by the Zeus v3 attacks. The web-based malware infects the unprotected desktops of users visiting certain infected web pages, installing a browser plug-in which pops up to ask the user to log in to their bank, according to the M86 vice president of technical strategy. It then cleverly checks the account balance of the user and, if it is over £800, will proceed to issue a money transfer transaction. “At least 3,000 accounts have been compromised and this dates back to 5 July. We are working with the bank and law enforcement and the investigation is ongoing,” he said. This kind of man-in-the-browser attack will circumvent traditional two-factor authentication devices, so bank customers should use safe browsing tools to avoid infection and keep a close eye on their account activity for any unusual behavior. Source:

17. August 10, Grand Rapids Press – (Michigan) Details of how Fifth Third Bank worker concealed $1 million ATM scheme revealed at sentencing. A 27-year-old suspect who concealed an embezzlement scheme in Kalamazoo for five years totaling $950,000 was sentenced to serve 41 months in prison for thievery. The woman who headed the bank’s probe said the suspect manipulated the system by essentially keeping two sets of books and perpetuating the fraud “every single day.” The U.S. District Judge observed that knowing her job inside and out gave the suspect the opportunity to hide the theft and that she systematically thwarted internal policies designed to prevent similar crimes. The suspect frequently offered to cover others’ duties. Upon admitting the embezzlement, the suspect told authorities that she keyed in higher amounts of cash than she actually put in or took out of an ATM at the branch where she worked. At times, she took $10,000 in a single day. She would make the corresponding transaction to keep the balances in tune, but it would allow her to siphon the cash difference. She stole the mail of the bank manager — who was one of three employees fired in the wake of the crime — as another method to hide the offense. Source:

18. August 9, WSYR 9 Syracuse – (New York) Syracuse firefighter facing charges for remarks. A Syracuse City firefighter is accused of making threatening remarks to a deputy chief and threatening violence at a department credit union on Wilkinson Street in Downtown Syracuse, New York. Police arrested the 47-year-old suspect on August 7 and have since charged him with making a terrorist threat, which is a felony. According to court documents, the suspect had not worked at the fire department for several months. He had been on leave using sick days. He had also been subject to disciplinary action and recently received a 44-day suspension. According to documents, it was after he received his latest paycheck that he started making threats. On August 5, when City Fire Department paychecks were issued, the suspect received only partial pay as his suspension without pay kicked in. Around noon that same day, the suspect confronted the deputy fire chief on the street. Court papers say the deputy fire chief was alarmed and believed the suspect meant his name would be seen in the obituaries of the newspaper. On August 6, the suspect entered the credit union and spoke to an employee. Court documents reveal that, during the conversation, the suspect said, “What do they want me to do? The same thing as that guy up north?” Allegedly, the suspect was referring to a Connecticut man who recently went on a deadly rampage. The suspect has since said the credit union employee misinterpreted his reference to the Connecticut rampage. He has said he had no intention of doing any such thing. Source:

19. August 9, – (National) Minnesota man charged with $80 million bank Ponzi scheme. A 40-year-old Lakeville man was charged August 9 in federal court in the District of Minnesota with operating a Ponzi scheme that resulted in a total estimated loss of $79.5 million for 17 lenders. The suspect was charged with one count of bank fraud and one count of filing a false income tax return in connection to this crime. The Information alleges that the suspect conducted the scheme from 2005 through March of 2009. The scheme purportedly involved overselling participation in large commercial and personal loans arranged by him through his company, First United Funding (“FUF”). The suspect’s alleged scheme involved selling more than 100 percent participation in at least ten different loans arranged through FUF. In other words, he purportedly sold loan participation to banks after already selling that same participation to other banks. In each instance, the suspect failed to disclose that the total participation exceeded 100 percent of the original loan, making it impossible for the participating bank to receive the full amount of money expected. Source:

Information Technology

46. August 10, Computer Weekly – (International) Android phones hit by text-based Trojan. Google’s Android mobile operating system has been hit by its first text-based Trojan, according to security firm Kaspersky Labs. The malicious software, called Trojan-SMS.AndroidOS.FakePlayer.a, has hit a number of mobile devices, the company said. The Trojan poses as a harmless media player application. Users are prompted to install a file of just over 13 Kbytes with the standard Android extension .apk. Once installed, it sends text messages to premium-rate numbers controlled by cyber criminals, who collect all the payments made from victims’ accounts. The Trojan-SMS category is currently the most widespread class of malware for mobile phones, but Trojan-SMS.AndroidOS.FakePlayer.a is the first to specifically target the Android platform, Kaspersky said. But it is not the first case of Android devices becoming infected, with the first Android spyware appearing in “isolated” cases in 2009, the security firm said. Kaspersky Lab plans to release software aimed at protecting the Android operating system in early 2011, he said. Source:

47. August 10, IDG News Service – (International) S. Korean police raid Google’s office over Street View. Police in South Korea raided Google offices August 10 in an investigation of the company’s Street View mapping project, the latest instance of a country scrutinizing the company’s collection of Wi-Fi data. The Korean National Police said in a statement that they have launched an investigation into unauthorized data collection and illegal wiretapping. Google officials in London confirmed the raid. “We will cooperate with the investigation and answer any questions they have,” the company said in a statement. The investigation comes as Google has resumed collecting Street View imagery in several countries after facing queries from regulators in others over the program. Source:

48. August 10, The H Security – (International) Vulnerability in OpenSSL 1.0.x. A security expert has pointed out a security issue in the 1.0 branch of OpenSSL that potentially allows SSL servers to compromise clients. Apparently the hole can be exploited simply by sending a specially crafted certificate to the client, causing deallocated memory to be accessed in the ssl3_get_key_exchange function (in ssl/s3_clnt.c). While this usually only causes an application to crash, it can potentially also be exploited to execute injected code. The expert included a certificate and a flawed key for recreating the problem in the report he released on the Full Disclosure mailing list. When tested briefly by The H’s associates at heise Security on a current Ubuntu 10.04 system with OpenSSL 0.9.8k, a certificate belonging to an RSA key of only 4006 bits in length (and where q is not prime) only produced a warning that the certificate was flawed. As virtually none of the Linux distributions use OpenSSL 1.0.x, the hole is unlikely to create major concerns. An update has yet to be released by the OpenSSL developers, but the issue is already being discussed on the OpenSSL developer mailing list. Source:

49. August 10, Help Net Security – (International) 6 million malicious files found in the past 3 months. Malware has reached its highest levels, making the first six months of 2010 the most active half-year ever for total malware production, according to a new McAfee report. At the same time, spam leveled out with only 2.5 percent growth from Q1 2010. Malware continued to soar in Q2 2010, as there were 10 million new pieces cataloged in the first half of this year. Consistent with last quarter, threats on portable storage devices took the lead for the most popular malware, followed by fake anti-virus software and social-media-specific malware. With approximately 55,000 new pieces of malware appearing every day, globally AutoRun malware and password-stealing Trojans round out the Top Two malware threats. After reaching its highest point in Q3 2009, with nearly 175 billion messages per day, spam rates have hit a plateau. Cybercriminals took advantage of anticipation of and hype around the FIFA World Cup in South Africa, and used various methods to promote scams and search-engine “poisoning.” Globally, the most popular types of spam varied from country to country with some interesting findings. For instance, delivery status notifications, or non-delivery receipt spam, were the most popular in the United States, Italy, Spain, China, Great Britain, Brazil, Germany and Australia. Source:

50. August 10, SC Magazine – (International) Claims that anti-virus detections are inadequate are dismissed by vendors. Even the most popular anti-virus signature-based solutions detect less than 19 percent of malware threats. A report by Cyveillance claimed that traditional anti-virus vendors ‘continue to lag behind online criminals when it comes to detecting and protecting against new and quickly evolving threats on the internet’. Cyveillance tested 13 popular anti-virus solutions to determine their detection rate over a 30-day period, and found that popular solutions only detect an average of 18 percent of new malware attacks. By day eight the solutions averaged a 45.7 percent detection rate, rising to 56.6 percent on day 15, 60.3 percent by day 22 and 61.7 percent after 30 days. The most capable solution on zero-day detection, according to the report, is F-Secure with 27 percent of detections, followed by Kaspersky Lab and McAfee with 22 percent each. Symantec comes next with 21 percent and Sophos with 20 percent. It claimed that as it takes an average of 11.6 days to ‘catch up’ with malware, ‘users should not rely on the AV industry as their only line of defence’. Source:

51. August 10, Computerworld – (International) Registry hack allows Windows XP SP2 patching. People still running the now-retired Windows XP Service Pack 2 (SP2) can trick the operating system into installing security updates, a researcher said August 9. The hack requires an edit of a single key in the Windows registry, said a security adviser with Helsinki, Finland-based antivirus vendor F-Secure, who spelled out the tweak in a blog post. “It turns out that an SP2 system will think it’s [Service Pack 3] if you edit this key: ‘HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Windows,’ and edit the DWORD value ‘CSDVersion’ from 200 to 300, [then] reboot,” the security adviser said. According to Microsoft, CSDVersion specifies the name of the most recent service pack installed on the PC. In other words, the hack disguises XP SP2 as SP3 when Microsoft’s security updates determine whether the PC is eligible for a patch. With the hack, the security adviser was able to force a Windows XP SP2 system to install the emergency patch Microsoft issued last week for a critical vulnerability in Windows’ parsing of shortcut files. Source:
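One defender-side way to spot the disguise described above, as an added example that is not from the report, F-Secure or Microsoft: a PowerShell audit that compares the DWORD the tweak edits (the 200 and 300 in the report are the hex values 0x200 and 0x300) with the service-pack string Windows keeps under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion, which the single-key edit leaves untouched. It assumes that string key is present in its usual "Service Pack N" form and is written for the PowerShell 2.0 syntax available on Windows XP.

```powershell
# Added example (not from the report or F-Secure): detect an XP SP2 system
# whose CSDVersion DWORD has been edited to look like SP3 by comparing it
# with the descriptive service-pack string stored under a different key.
function Test-CsdVersionConsistency {
    $ctrlKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'
    $ntKey   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

    # The DWORD named in the report: 0x200 marks SP2, 0x300 marks SP3.
    # The service-pack major number lives in the high byte, so divide by 256.
    $dword   = [int](Get-ItemProperty -Path $ctrlKey -Name 'CSDVersion').CSDVersion
    $dwordSp = [int](($dword -band 0xFF00) / 256)

    # Assumed location of the REG_SZ, e.g. "Service Pack 2"; the one-key
    # tweak described in the report does not change it.
    $spText = (Get-ItemProperty -Path $ntKey -Name 'CSDVersion' `
                  -ErrorAction SilentlyContinue).CSDVersion
    $stringSp = 0
    if ($spText -match 'Service Pack (\d+)') { $stringSp = [int]$Matches[1] }

    New-Object PSObject -Property @{
        ComputerName      = $env:COMPUTERNAME
        CsdVersionHex     = ('0x{0:X}' -f $dword)
        DwordServicePack  = $dwordSp
        StringServicePack = $stringSp
        Consistent        = ($dwordSp -eq $stringSp)
    }
}

$result = Test-CsdVersionConsistency
$result | Format-List ComputerName, CsdVersionHex, DwordServicePack, StringServicePack, Consistent

if (-not $result.Consistent) {
    # A mismatch is the fingerprint the registry edit leaves behind: the
    # update logic sees one service pack, the descriptive string another.
    Write-Warning ('CSDVersion DWORD claims SP{0} but the service-pack string says SP{1}' `
                   -f $result.DwordServicePack, $result.StringServicePack)
}
```

Run across a fleet, hosts reporting Consistent = False are the ones that would accept SP3 updates while still carrying SP2 binaries, which is exactly the untested-patch risk the registry edit introduces.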

52. August 10, The Register – (International) Germany bans BlackBerrys and iPhones on snooping fears. The German government has advised ministers not to use BlackBerry and iPhone devices due to “a dramatic increase of attacks against” its networks. A general ban on the use of smartphones in certain German ministries is also being considered, the federal interior minister confirmed to the country’s business daily newspaper Handelsblatt August 9. He said that ministers and senior civil servants had been told to instead use Simko2 gadgets offered by T-Systems, following advice from the German federal office for information security (BSI). Berlin expressed concern that data for the BlackBerry smartphone passes through two Research in Motion centers in the UK and Canada. The interior minister added that there was a possible risk of “political IT attacks” from organized crime and foreign intelligence agencies and said that such harm to the government could increase with the use of the BlackBerry and other smartphones. His comments came after Canada-based RIM was forced to shift servers to Saudi Arabia after that country briefly banned use of the BlackBerry. Source:

53. August 9, DarkReading – (International) Microsoft investigates new zero day reported in Windows kernel. On the eve of one of the largest patch days of the year, Microsoft is investigating yet another zero-day flaw in Windows — and one that affects even the newest versions of the operating system. The heap-overflow flaw is in the Windows kernel and would allow an attacker to take control of targeted Windows XP SP3, Windows Server 2003 R2 Enterprise SP2, Windows Vista Business SP1, Windows 7, and Windows Server 2008 SP2 machines, according to advisories posted about the flaw in the past days. The flaw, along with a proof-of-concept (PoC), was disclosed by a researcher called “Arkon.” August already has been a busy month for Microsoft: After issuing an emergency patch last week for the recently exposed Windows Shell vulnerability (a.k.a. .LNK, the Windows shortcut link), Microsoft is set tomorrow to release 14 security bulletins patching 34 vulnerabilities. And now it is facing yet another zero-day investigation. “Microsoft is investigating reports of a possible vulnerability in the Windows kernel. Upon completion of the investigation, Microsoft will take appropriate actions to protect customers,” said a group manager for response communications at Microsoft, in a statement on August 9. Source:

Communications Sector

54. August 9, Seattle Post-Intelligencer – (National) Tumwater teen hacker sentenced for crashing Comcast. A 20-year-old Tumwater, Washington, resident and two other men were charged August 9 in the May 2008 hack of and its e-mail system. About 20 million people lost access to their e-mail for a period of hours. All three pleaded guilty to related charges, and the Tumwater resident was sentenced to four months in federal detention. He was charged with computer crimes in November after federal prosecutors unveiled allegations that he and two other members of a hacker group “Kryogeniks” had briefly taken over the in an apparent prank. “Defiant,” “EBK” and “Slacker” are alleged to have hacked into the Comcast server and redirected users to a Web page bragging of their activity. Though the men’s actions only cut most users off of the site for about 90 minutes, the interruption cost Comcast about $128,600, according to court documents. Source:

55. August 9, Muskogee Phoenix – (Oklahoma) Cable services cut to Wagoner customers. Cable television, Internet and other services were expected to be restored to the Wagoner, Oklahoma, area late August 9, a Suddenlink Communications official said. A fiber-optic cable crossing the McClellan-Kerr Navigation Channel between Muskogee and Wagoner apparently was damaged by river traffic, the official said. Services to several hundred customers in Wagoner were interrupted. The director of corporate communications said he could not specify how many customers or exactly what services were affected. “We’ve rushed in extra help from other Suddenlink service areas and our crews are working hard to repair the damage,” the Suddenlink Muskogee system manager said. Source:

56. August 9, Taft Independent – (California) Taft, Westside Verizon telephone line disruption. Verizon long distance telephone service in Taft and West Kern County, California, has been disrupted, leaving residents and local businesses able to place only local calls. According to a Verizon telephone spokesman, the cause of the interruption is unknown and the company is trying to determine it. Local residents in Taft and Maricopa have complained that they are only able to make local calls. Local businesses have not been able to use credit card processing machines because of the long distance service interruption. Verizon is working to restore service as quickly as possible, the Verizon spokesman said. Source:

57. August 9, New York Times – (National) Google and Verizon offer a vision for managing Internet traffic. Google and Verizon on August 9 introduced a proposal for how Internet service should be regulated — and were immediately criticized by groups that favor keeping the network as open as possible. According to the proposal, Internet service providers would not be able to block producers of online content or offer them a paid “fast lane.” It says the Federal Communications Commission should have the authority to stop or fine any rule-breakers. The proposal, however, carves out exceptions for Internet access over cellphone networks, and for potential new services that broadband providers could offer. In a joint blog post, the companies said these could include things like health care monitoring, “advanced educational services, or new entertainment and gaming options.” The two companies are hoping to influence regulators and lawmakers in the debate over a principle known as net neutrality, which holds that Internet users should have equal access to all types of information online. But some proponents of net neutrality say that by excluding wireless and other online services, Google and Verizon are creating a loophole that could allow carriers to circumvent regulation meant to ensure openness. Source:

58. August 9, NextGov – (National) Agencies rush to replace aging satellite to predict damaging solar storms. Every 11 years, solar activity intensifies, and the next peak in activity is scheduled for 2013. Such conditions would interfere with modern high-frequency radio communications and GPS navigation. “The whole thing about going into another active period of solar activity is: It’s going to happen. We just don’t know when, we don’t know the severity of it, but we know it has happened,” the FEMA Administrator said in June at the U.S. government’s annual space weather conference, which focused on critical infrastructure protection. To gauge the severity and timing of solar hyperactivity, the federal government has transmitted data in real-time from the Advanced Composition Explorer (ACE) satellite since 1997. The Air Force is expected to launch NASA’s replacement for ACE, called the Deep Space Climate Observatory, in December 2013. The fiscal 2011 budget requested a small amount — $9.5 million — for the effort, and Senate appropriators in July approved that level of spending. The European Space Agency and NOAA are identifying gaps in ground-based observations and space-borne surveillance not covered by ACE. Source:

59. August 9, Statesboro News – (International) Domain name registration and SEO fees scam halted. The Federal Trade Commission has permanently halted the operations of Canadian con artists who allegedly posed as domain name registrars and convinced thousands of U.S. consumers, small businesses and non-profit organizations to pay bogus bills by leading them to believe they would lose their Web site addresses unless they paid. Settlement and default judgment orders signed by the court will bar the deceptive practices in the future. In June 2008, the FTC charged Toronto-based Internet Listing Service with sending fake invoices to small businesses and others, listing the existing domain name of the consumer’s Web site or a slight variation on the domain name, such as substituting “.org” for “.com.” The invoices appeared to come from the businesses’ existing domain name registrar and instructed them to pay for an annual “WEBSITE ADDRESS LISTING.” The invoices also claimed to include a search engine optimization service. Most consumers who received the “invoices” were led to believe that they had to pay them to maintain their registrations of domain names. Other consumers were induced to pay based on Internet Listing Service’s claims that its “Search Optimization” service would “direct mass traffic” to their sites and that their “proven search engine listing service” would result in “a substantial increase in traffic.” The FTC’s complaint charged that most consumers who paid the defendants’ invoices did not receive any domain name registration services and that the “search optimization” service did not result in increased traffic to the consumers’ Web sites. Source:

60. August 6, Hickory Daily Record – (North Carolina) Copper thieves hit cell tower. Police suspect thieves broke into the cell phone tower complex at 1319 Second Street SE behind Peoples Bank sometime between 8 a.m. and 1:30 p.m. August 4. Once inside the 8-foot-high barbed-wire-topped fence, they cut copper wires from the base of the tower and the amplifier at the base of the tower. Copper bars from at least three batteries were stolen as well. The tower is operated by AT&T and Sprint. The stolen copper was worth $4,500, according to the police report. The site attendant reported the theft when he arrived at the site and found the four locks on the gate were unlocked and the gate was open. The Hickory Police Department is investigating the theft. Source: