Friday, September 10, 2010

Complete DHS Daily Report for September 10, 2010

Daily Report

Top Stories

•WWMT 3 Kalamazoo reports that tests of water samples from two water-storage facilities in Kalamazoo, Michigan, that were recently breached show the city’s water supply has not been contaminated, police and city officials said September 9. (See item 30)

30. September 9, WWMT 3 Kalamazoo – (Michigan) Police investigating breach at Kalamazoo’s water supply. Tests of water samples from two water-storage facilities in Kalamazoo, Michigan, that were recently breached show that the city’s water supply has not been contaminated, police and city officials said September 9. Officials from the department of public services collected bacteriological and chemical samples from storage facilities on Beech, Blakeslee, and North Dartmouth streets after Public Safety officers were called September 7 to the Blakeslee and Dartmouth sites and found that the fencing at both locations had been cut. Officials said they still plan to drain and inspect a storage tank at the Blakeslee facility early September 10 that was breached during the incidents. The tank will be cleaned and disinfected, and water samples will be taken from it for further testing before it is put back into service late next week. Meanwhile, police are increasing patrols near the city’s water storage facilities, the public safety chief said. Source:

•The Department of Justice is investigating a handful of apparently anti-Muslim incidents, including attacks against individuals and vandalism and other incidents at mosques or mosque construction sites, in Texas, Tennessee, California, and New York, according to the Associated Press. (See item 48)

48. September 8, Associated Press – (National) DOJ investigating at least 5 anti-Muslim acts. The Department of Justice is investigating a handful of apparently anti-Muslim incidents in Texas, Tennessee, California, and New York. FBI agents and civil rights division investigators also are looking into vandalism and other incidents at mosques or mosque construction sites. The open criminal investigations were confirmed by a civil rights division spokeswoman in response to a query from the Associated Press. The incidents have followed sustained criticism of the planned mosque near the former site of the World Trade Center in lower Manhattan in New York City. Early plans for the project, known as Park51, call for a 500-seat auditorium, a September 11 memorial, and prayer space. Among the incidents under investigation as potential hate crimes, all dating from July and August: A Muslim cab driver in New York City had his face and throat slashed in a suspected hate crime. Arson was committed at the site of a future mosque in Murfreesboro, Tennessee, where leaders of the local Islamic Center won permission in the spring to build a new mosque after outgrowing their rented space. A brick nearly smashed a window at the Madera Islamic Center in central California, where signs were left behind that read, “Wake up America, the enemy is here,” and “No temple for the god of terrorism.” A fire was set and graffiti was left at the Dar El-Eman Islamic Center in Arlington, Texas. Police arrested five teenagers after the son of one of the founders of a mosque in Waterport, New York, on Lake Ontario was sideswiped by a sport utility vehicle. One teen was charged with firing a shotgun in the air near the mosque a few days earlier. Source:

Banking and Finance Sector

14. September 8, IDG News Service – (International) Report: RBS WorldPay hacker gets four years’ probation. The mastermind behind one of the biggest hacking paydays in history has been sentenced to 4 years’ probation and an $8.9 million fine, according to published reports. The 28-year-old suspect was sentenced September 8, according to Bloomberg News. He is considered the leader of a group of criminals who organized a 2008 precision strike on RBS WorldPay, the payment processing division of the Royal Bank of Scotland. In addition to his probation, the criminal must also pay back more than $8.9 million to RBS WorldPay. Russia is trying to fight a reputation for being soft on cybercrime, but this light sentence won’t do much to change that perception, according to analysts. Security experts said that the suspect belongs in the same category of highly accomplished cybercriminals as the hacker best known for breaking into retailer TJX Companies and the Heartland Payment Systems payment-processing network. In March, that hacker was sentenced to 20 years in federal prison. Source:

15. September 8, – (Maine) State police seize more than $1 million from truck on Interstate 95 in York. State police are not ready to say why a truck stopped for a routine inspection September 3 in York, Maine, was transporting more than $1 million in $20 bills neatly bundled and placed in orange plastic buckets. “We’re looking into its source, where it was coming from and where it was going,” a Maine Public Safety Department spokesman said September 6. “We’re pretty sure it wasn’t going to the bank.” By September 7, an FBI official in the Portsmouth, New Hampshire, office classified the case as an immigration and customs enforcement issue, but added little else. The Maine State Police Commercial Vehicle Enforcement Unit stopped the Texas-registered truck in the southbound lanes of Interstate 95 at about noon September 3. The driver, a 35-year-old male, and the passenger, a 46-year-old male, were found to be in possession of false logs, police said. A subsequent search of the truck’s trailer yielded U.S. currency estimated to be in excess of $1 million. Source:

16. September 8, KIAH 39 Houston – (Texas) Bicycle bandit wanted for six area bank robberies. FBI investigators need help identifying a bank robber. The suspect’s most recent robbery happened September 7 at Comerica Bank, 15701 Kingfield Drive in Houston, Texas. At about 1:45 p.m., he entered the bank and gave a teller a threatening demand note, officials said. The note stated, “I have a gun ... Put all the money in the bag or I will shoot you.” The “Bicycle Bandit” is called such because he fled his first scene on a bicycle, but he seems to have abandoned that practice. According to the FBI Bank Robbery Task Force, the teller gave the man some cash and he fled on foot to an unknown location. No one was injured and no getaway vehicle — not even a bicycle — was observed, investigators said. The Bicycle Bandit is described as a black male, 37-42 years old, between 5 feet 9 inches and 6 feet tall with a slim build and a bald head. During the robbery on Kingfield Drive, he wore a black shirt with a blue design on the front and dark jeans, officials said. Source:

17. September 8, Associated Press – (Washington) ‘Mrs. Doubtfire’ accused of 6 Seattle bank hits. A woman the FBI is calling the “Mrs. Doubtfire Bandit” has held up six banks since April 2010 in the Seattle, Washington, area. She hands tellers a note threatening a weapon and violence. Surveillance photos of the woman remind agents of the movie character “Mrs. Doubtfire,” although the suspect is 5-foot-4, 110 pounds, and looks gaunt. Source:

Information Technology

38. September 8, The Register – (International) Adobe Reader 0day under active attack. Researchers have uncovered sophisticated attack code circulating on the net that exploits a critical vulnerability in the most recent version of Adobe Reader. The click-and-get-hacked exploit spreads through e-mail that contains a booby-trapped PDF file that remains virtually undetected by most anti-virus programs, according to the security researcher who first alerted Adobe to the threat. It was being sent to a small group of individuals who “work on common issues,” he said, causing him to believe they were narrowly selected by the attackers. On September 8, Adobe confirmed that the vulnerability affects Reader 9.3.4 and earlier versions for Windows, Mac OS X, and Unix. The company’s security team is in the process of figuring out when it will release a patch. Adobe is working with security companies to help them develop detection and quarantine techniques to contain any attacks. In the meantime, there are no mitigations users can take other than to exercise due care in opening PDF documents. It may also make sense to use an alternate PDF viewer such as Foxit, but it has not yet been confirmed that other programs are not vulnerable. The malicious PDF, which also exploits Adobe Acrobat, uses some highly sophisticated techniques to ensure success. It contains three separate font packages so it works on multiple versions of the Adobe programs, and it also has been designed to bypass protections such as ASLR (address space layout randomization) and DEP (data execution prevention), which are built in to more recent versions of Microsoft Windows. Source:

39. September 8, IDG News Service – (International) After Google incident, Wi-Fi data collection goes on. Four months ago, amidst a backlash from government regulators and privacy advocates, Google stopped collecting Wi-Fi data with its Street View cars. But that doesn’t mean Google has stopped collecting wireless data altogether, and neither have other companies such as Apple. Instead of sending out cars to sniff out wireless networks, Google is now crowdsourcing the operation, with users of its Android phones and location-aware mobile applications doing the reconnaissance work for it. In the past few months, Apple has quietly started building a similar database, leveraging its large base of users to log basic Wi-Fi data. There are others: A Boston, Massachusetts, company, Skyhook Wireless, has been logging wireless access points for years, as has its competitor, Navizon of Miami Beach, Florida. It is a trend that has been spurred by the intense interest in applications such as FourSquare and Facebook Places. As it becomes increasingly important for programs that run on a user’s phone to know exactly where a person is — to be location-aware in industry parlance — having a way of figuring out exactly where a person is becomes critical. But the companies collecting this data have not come under much scrutiny; many users do not understand how the data is being collected or why, and security experts are just now starting to discover some of the ways this information could be misused. Source:

40. September 8, TrendLabs Malware Blog – (International) New fake Facebook spam waves sent through Cutwail/Pushdo botnet. Who said that the Cutwail/Pushdo botnet was dead? The recent Cutwail/Pushdo takedown was a great help in stopping this huge botnet from sending spammed messages all over the world. Yesterday, however, a new wave of fake Facebook messages was sent through some Cutwail zombies for about 30 minutes, for a total of approximately 5,000 spammed e-mails. The spammed message informs users that they have received a private message and contains a bogus Facebook link which actually points users to a Canadian pharmacy Web site hosted in China. As of this writing, however, the said site is no longer online. This recent Pushdo/Cutwail update shows us that the spammers behind this botnet are on the move, rebuilding their servers, domains, and the rest of their infrastructure in order to restore their botnet. Source:

41. September 8, DarkReading – (International) Microsoft gets legal approval to acquire former Waledac domains. A federal court judge recommended that Microsoft be allowed to acquire the 276 Internet domains that formerly drove the Waledac botnet, which plagued users and enterprises for more than 1 year. According to a USA Today report, the U.S. District Court for the Eastern District of Virginia has granted a motion that, in effect, gives Microsoft permanent ownership of the Web domains once used by the Waledac cybergang to send instructions to hundreds of thousands of “bot” PCs. The idea is to put the botnet permanently out of business by taking its component parts out of the cybercriminals’ hands, Microsoft said in a blog. “Our legal action to permanently shut down the botnet has been successful, and we have begun working with Internet service providers and CERTs to help customers remove the Waledac infection from their computers,” Microsoft said. The number of unique IP addresses infected by Waledac, which was taken down earlier this year, is steadily declining, Microsoft said. “As of August 30th, there were just more than 58,000 unique IP addresses infected with Waledac malware,” the company said. “That’s down from nearly 64,000 addresses during the week of July 23rd.” Source:

42. September 9, Help Net Security – (International) Android SMS Trojan delivered via SEO techniques. Android users searching for pornography on their smart phones could be in for a costly surprise. During the course of researching the origin of the first SMS Trojan for Android devices, Help Net Security found a new Android package masquerading as a porn media player but which instead sends SMS messages to premium rate numbers. The SMS messages cost $6 each and are sent silently in the background without the user’s knowledge. The latest malware (detected as Trojan-SMS.AndroidOS.FakePlayer.b) is being distributed via clever search engine optimization (SEO) techniques, a clear sign that cyber-criminals are making every effort to infect mobile devices. The use of SEO is a significant development that confirms our belief that mobile malware — especially on Android devices — is a potentially lucrative business for malicious hackers. The code in the latest variant is similar to the first version and I’m pretty sure the same person (or group) is involved in creating and distributing this Trojan. It is currently targeting Android users in Russia. Source:

43. September 9, Help Net Security – (International) Multiple vulnerabilities in Cisco Wireless LAN Controllers. The Cisco WLC family of devices is affected by two denial of service vulnerabilities, three privilege escalation vulnerabilities, and two access control list bypass vulnerabilities. An attacker with the ability to send a malicious IKE packet to an affected Cisco WLC could cause the device to crash and reload. This vulnerability can be exploited from both wired and wireless segments. IKE is enabled by default in the WLC and cannot be disabled. Only traffic destined for the Cisco WLC could trigger this vulnerability. A TCP three-way handshake is needed in order to exploit this vulnerability. Three privilege escalation vulnerabilities exist in the Cisco WLCs that could allow an authenticated attacker with read-only privileges to modify the device configuration. Two vulnerabilities exist in the Cisco WLCs that could allow an unauthenticated attacker to bypass policies that should be enforced by CPU-based ACLs. No other ACL types are affected by these vulnerabilities. Source:

44. September 9, Computerworld – (International) Mass injections and malware infections at Media Temple. Since at least the spring of 2010, a swarm of infections has been found in Web sites hosted by Media Temple. The company provides Web hosting for ABC, Adobe, NBC, Starbucks, Sony, Time, Toyota, Volkswagen, and approximately 350,000 other domains internationally. Many of its sites run WordPress, which is a wildly popular target for hackers and cyber criminals. Google Safe Browsing diagnostics state that of the 66,060 Media Temple sites tested in the last 90 days, 12,423 had malicious content. Some 311 sites have functioned as intermediaries to infect 900 other sites. Also in the last 90 days, 28 Media Temple hosted sites have distributed malware to 650 other sites. Source:

45. September 9, The H Security – (International) iOS 4.1 released for iPhone and iPod touch. Apple has released version 4.1 of its iOS operating system for iPhone and iPod touch devices. The major update includes a number of new features and addresses several critical security vulnerabilities in the mobile OS. In total, the 4.1 release of iOS closes 24 security holes, 20 of which are related to the WebKit rendering engine used by the OS’s Safari web browser. The company says that all of the WebKit issues could allow an attacker to inject and execute arbitrary code. Apart from the security fixes, after updating their devices, iPhone 4 users can shoot high dynamic range (HDR) photos and upload HD videos via Wi-Fi to YouTube and MobileMe. Users with iPhone 4, 3GS, or iPod touch (2nd generation or later) devices can also play games against their friends using Game Center. Other changes include the addition of support for the Audio/Video Remote Control Profile (AVRCP) Bluetooth profile, allowing users to control media playback on their mobile devices using, for example, Bluetooth headphones; performance improvements on older devices like the iPhone 3G; and heavy integration with Apple’s iTunes Ping social network. Source:

Communications Sector

46. September 8, Grand Forks Herald – (Minnesota) Phone service restored in NW Minnesota. Telephone service was restored late September 7 to about 10,000 customers in four northwestern Minnesota counties, nearly 7 hours after a fiber-optic cable was cut near Holt. Phones were back in service by about 10:15 p.m., the office manager for Wikstrom Telephone Co. in Karlstad, Minnesota, said. The outage covered large portions of Roseau, Lake of the Woods, Kittson, and Marshall counties. The outage affected all 6,000 of Wikstrom’s customers, and 4,000 customers of Century Telephone Co. in the four counties. “Some had everything out, some only had local service out,” the office manager said. In some areas, the outage affected both landlines and cell phones, local emergency dispatchers said. Source:

47. September 8, Salem Sunbeam – (New Jersey) Three charged with cutting telephone lines in Salem, other counties for scrap; damage estimated at $1M. Three Pittsgrove, New Jersey, residents have been charged with theft in connection with the cutting of telephone wire from utility poles near Pittsgrove Township, state police said September 8. The value of the stolen wire, and the cost of materials and labor to restore thousands of Verizon customers’ service, is estimated by the telecommunications company at $1 million, state police said. A 30-, 35-, and 44-year-old were arrested in connection with the incidents, according to state police. They were charged with theft, criminal intent, conspiracy to commit theft, and criminal mischief, police said. The materials were reportedly sold on the scrap metal market. According to reports, police said a Verizon employee contacted the Bridgeton Barracks of the state police September 3 after observing multiple sections of telephone wire that had been cut on Almond Road and left on the shoulder of the roadway. After responding to the area, troopers reportedly located one suspect leaving a corn field near Parvins Mill Road and Garden Road, according to state police. Police said they learned the three individuals were allegedly responsible for stealing telephone cable in Salem, Gloucester, and Cumberland counties. Source:

For another story, see item 44 above in the Information Technology Sector.