Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, July 31, 2008

Complete DHS Daily Report for July 31, 2008

Daily Report

• Reuters reports that a moderate earthquake spared Los Angeles oil refineries, pipelines, nuclear plants, and the city’s electrical grid on Tuesday, but caused some minor local power outages. (See item 1)

• According to the Associated Press, in a report aimed at the next president, security specialists are proposing a vast overhaul of the U.S. security system, declaring it problem-plagued. (See item 35)

Banking and Finance Sector

14. July 30, Daily Local – (Pennsylvania) Phishing scam hits area banks. First National Bank of Chester County, Pennsylvania, said Tuesday it has been a victim of a phishing scam. On Monday afternoon and Tuesday, fraudulent e-mails, telephone calls, and cell phone calls were sent to customers and non-customers by phishing scammers, according to the bank. The bogus e-mailed messages and telephone calls describe an urgent reason why customers must “verify” or “re-submit” personal or confidential information by clicking on a link embedded in the e-mail message or by calling a telephone number. These fraudulent e-mails and calls have been designed to look as if they come from First National and contain the First National logo, the bank said. The scammers are believed to be located in a foreign country and First National Bank is working with law enforcement authorities to discover the identity of those involved in the scam, said the executive vice president at the bank. The bank is also working with law enforcement agencies to have the unauthorized communications and fraudulent Web sites terminated. First National Bank immediately began notifying customers via e-mail of the scams and informing them not to respond to requests for information. Source:

15. July 30, CCH Wall Street – (National) SEC halts $20M scam. At the U.S. Securities and Exchange Commission’s request, a California federal court has frozen the assets of an investment advisor who allegedly stole $20 million from more than 200 clients. According to the regulator, starting in at least 2000 and continuing well into 2008, the suspect solicited money from hundreds of investors by purporting to be an investment expert capable of generating outrageously large returns with absolutely no risk. But instead, he spent their money on lavish personal expenses. And in classic Ponzi scheme-fashion, he often transferred money from new clients to favored clients in order to create the illusion of profitable trading. Source:

16. July 29, Better Business Bureau of Northern Indiana – (Indiana) BBB of Northern Indiana warns of scam. The Better Business Bureau of Northern Indiana and the Indiana Bankers Association (IBA) are reporting recent phishing scams in the northern Indiana area. Callers posing as representatives from the State of Indiana or the Department of Financial Institutions have been contacting individuals asking for personal information, including bank account numbers, allegedly to ensure that deposits are insured by the Federal Deposit Insurance Corporation. These calls are fraudulent. Automated calls claiming to represent banks call individuals and allege that their debit cards have been canceled. The recorded message tells recipients to call a phone number, where they are asked to provide card numbers, expiration dates, and PINs. These calls are fraudulent. These scams appear to be targeted to specific geographic areas. Source:

Information Technology

40. July 30, IDG News Service – (International) Hotels to spy on Olympics guests, says U.S. senator. A Kansas senator reiterated accusations Tuesday that China is forcing foreign-owned hotels to install electronic eavesdropping equipment ahead of next month’s Olympics. The network monitoring equipment, which the senator claims includes both hardware and software, will allow the country’s Public Security Bureau to monitor the Internet activities of guests and collate records of what they do online. He first made these accusations in early May, without citing the names of any of the hotel chains allegedly involved. He said that he now has copies of translations of the original order, which “alludes to harsh punishment for failure to comply with the order,” a statement said. “The hotels have asked us to preserve their anonymity; in order to protect their safety, and in return for their courage in coming forward, I cannot divulge their identities.... On the other hand, these hotel chains have invested millions of dollars in their Chinese properties, and while they wish to find a way to reverse this order, if they are specifically identified, they could face severe retaliation…” he said. The senator’s accusations book-end allegations made in June by two U.S. Congressmen that China-based hackers had attacked computers in their offices, including ones that may have contained information on Chinese dissidents. Source:

41. July 29, Computerworld – (International) DNS patches cause problems, developers admit. Patches released earlier this month to quash a critical bug in the Domain Name System (DNS) have slowed servers running Berkeley Internet Name Domain (BIND), the Internet’s most popular DNS software, and crippled some systems using Windows Server. The head of the Internet Systems Consortium (ISC), the group responsible for the BIND software, acknowledged that there were problems with the July 8 fix that was rolled out as part of a multivendor update meant to patch a cache poisoning flaw discovered months ago. “During the development cycle, we became aware of a potential performance issue on high-traffic recursive servers, defined as those seeing a query volume of greater than 10,000 queries per second,” he said in a message posted Monday afternoon to a BIND mailing list. “Given the limited time frame and associated risks, we chose to finish the patches ASAP and accelerate our work on the next point releases that would address the high-volume server performance concerns.” “Our immediate goal was to make patches publicly available as soon as possible,” he explained. Versions of the second update, which will be designated P2 when they are unveiled, are currently available in beta form for BIND 9.4.3 and BIND 9.5.1. Source:

42. July 29, PCWorld – (International) New browsers fight the malware scourge. The latest browsers are fighting back against the never-ending assault from online crooks who want to sneak malware infections through customers’ browser and onto their PC. Firefox 3, Opera 9.5, and, soon, Internet Explorer 8 add new security features that block known malware sites. Hackers slip nearly invisible code onto a vulnerable but benign Web site, forcing it to become an unwitting foot soldier in the malware war. A successful hijacking in July of a site for Sony PlayStation games demonstrates that sites both large and small can fall victim to this tactic. “The bad guys are putting a lot of effort into mass hacking,” says the chief research officer of antivirus maker AVG Technologies. “They routinely hack 20,000 to 40,000 sites in a day” with automated tools, he says. The new features in the latest browsers work much as existing antiphishing filters do. In Firefox 2, Mozilla uses Google’s blacklist of known phishing sites. If people mistakenly click a link to a URL on that list, they will see a warning instead of the site. Firefox 3 also blocks the display of pages on Google’s list of known malware sites. Firefox 3 grabs the most recent blacklist about every 30 minutes, according to a spokesperson, and checks the sites people visit against that local list. Firefox 2 has an option to always check sites you visit against Google’s online list so as to catch the very latest entries, but Firefox 3 provides no such option. Source:
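The item above describes the mechanism behind these browser features: a blocklist of known malware and phishing hosts is fetched periodically and every visited URL is checked against the local copy, with the trade-off that a list refreshed every 30 minutes can miss entries added since the last fetch. The following is an added illustration of that lookup written for this report, not code from Mozilla, Google, or any browser; the blocklist entries, URLs and fetch time are constructed, and the staleness flag is a hypothetical design choice showing where an online lookup such as the Firefox 2 option would fit. It goes slightly beyond the article by matching subdomains of a blocked host and normalizing case, ports and trailing dots, which are the usual ways a naive string comparison is evaded.

```python
"""Local blocklist lookup in the style the article describes (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Set
from urllib.parse import urlsplit

# The article's stated refresh cadence for the local list.
REFRESH_INTERVAL = timedelta(minutes=30)


@dataclass
class LocalBlocklist:
    hosts: Set[str]          # canonical hostnames known to serve malware/phishing
    fetched_at: datetime     # when this copy of the list was downloaded
    refresh_interval: timedelta = REFRESH_INTERVAL

    def is_stale(self, now: datetime) -> bool:
        """True when the list is older than one refresh interval."""
        return now - self.fetched_at > self.refresh_interval


def normalize_host(url: str) -> Optional[str]:
    """Extract the host from a URL in canonical form.

    urlsplit().hostname already lower-cases the host and drops the port;
    the trailing dot of a fully qualified name is stripped so that
    'evil.example.' and 'evil.example' compare equal.
    """
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname
    if not host:
        return None
    return host.rstrip(".")


def host_matches(host: str, blocked: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering host, or None.

    An entry covers the host itself and every subdomain beneath it, so
    'malware-drop.example' also catches 'cdn.malware-drop.example'.
    The loop stops before the bare top-level label so a TLD alone never matches.
    """
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocked:
            return candidate
    return None


def check_url(url: str, blocklist: LocalBlocklist, now: datetime) -> Dict[str, object]:
    """Classify a URL against the local list and report whether the list is current."""
    host = normalize_host(url)
    if host is None:
        return {"verdict": "unknown", "reason": "no host in URL"}
    entry = host_matches(host, blocklist.hosts)
    if entry is not None:
        return {"verdict": "block", "host": host, "matched": entry}
    # A clean result from an outdated list is weaker evidence: this is the
    # window an online lookup (the Firefox 2 option the article mentions) closes.
    return {"verdict": "allow", "host": host, "list_stale": blocklist.is_stale(now)}


# Constructed sample list and fetch time (not real data).
SAMPLE_LIST = LocalBlocklist(
    hosts={"malware-drop.example", "phish-login.example.net"},
    fetched_at=datetime(2008, 7, 29, 12, 0, tzinfo=timezone.utc),
)


def demo() -> Dict[str, Dict[str, object]]:
    """Run a few constructed URLs through the check ten minutes after the fetch."""
    now = SAMPLE_LIST.fetched_at + timedelta(minutes=10)
    urls = [
        "http://MALWARE-DROP.example:8080/ps3/index.html",   # case and port differ
        "https://cdn.malware-drop.example./payload.exe",    # subdomain, trailing dot
        "http://news.example.com/",                         # not listed
    ]
    return {u: check_url(u, SAMPLE_LIST, now) for u in urls}


if __name__ == "__main__":
    for url, result in demo().items():
        print(url, "->", result)
```

The two things worth noticing are that the comparison is done on a normalized host rather than the raw URL string, and that an "allow" verdict carries the age of the list with it, so the caller can decide whether a fresher source should be consulted before trusting it.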

43. July 29, Washington Post Blog – (International) Three quarters of malicious web sites are hacked. Three-quarters of all Web sites that try to foist malicious software on visitors are legitimate sites that have been hacked, according to a report released Tuesday by Websense, an online security company that scans more than 40 million Web sites hourly for signs that they may have been compromised by hackers. Most of these compromised sites are social networking communities and some of the Internet’s most popular destinations. The report found that 60 percent of the top 100 most popular sites this year have either hosted malware or forwarded visitors to malicious sites. The company also says that nine out of 10 of those compromised sites were social networking or Web search sites. Typically, the hacked sites are advertised through junk e-mail. According to Websense, nearly 30 percent of those links lead to sites that try to plant software which steals passwords and other sensitive data from victims. The remainder of the spam links attempt to install software that lets attackers control the systems from afar, and/or install additional software without the owner’s knowledge. The findings mirror other recent research. In May, Web site vulnerability scanning company ScanSafe found that 68 percent of Web-based malware was pushed out via compromised Web sites. Source:

Communications Sector

44. July 29, Long Beach Press Telegram – (California) Post-quake traffic clogs cell-phone lines. Many cell phone users were not able to make calls during and immediately after Tuesday’s earthquake in California as a result of high call volumes, several phone companies said. Three of the largest wireless companies, AT&T, T-Mobile, and Verizon, all reported high call volumes during and immediately after the earthquake. An AT&T spokesman said in a statement that the company saw network congestion on both land-line and wireless networks, which is common after an earthquake. According to the statement, network congestion occurs when too many people are trying to use the network at the same time. The public relations spokesman for Verizon Wireless said its call volume was 40 percent higher than projected for the earthquake, adding that with extremely high call volumes, it becomes necessary for phone companies to start blocking calls. Making up the volume are one-time callers and those who call multiple times trying to get through. Source:

45. July 29, Minneapolis Star-Tribune – (Minnesota) Telecom sues Monticello over city’s plan to build its own high-speed network. A failure to communicate between Monticello, Minnesota, and TDS Telecom, its chief phone and cable provider, is threatening to short-circuit plans to make the city one of the most wired communities in the nation. Both Monticello and TDS Telecom are constructing multi-million dollar fiber-optic networks that will directly connect to every home, office, and business in the city. When the networks come online in the next year or so, they would be among only about 45 in the country that provide such connectivity. But Monticello – a city of about 11,000 in northern Wright County – also may be the only locale where the public and private sectors are competing so directly for paying customers. The acrimony from such direct competition has led to the filing of what may become a precedent-setting lawsuit by TDS questioning whether municipalities can use revenue bonds to create fiber-optic networks. Monticello – which maintains that the fiber-optic network is a public convenience and thus eligible for revenue bond financing – countersued to have the case dismissed. The Wright County District Judge, who took the matter under advisement last month following a hearing, could rule in the case as early as next week. Source:

Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, July 30, 2008

Complete DHS Daily Report for July 30, 2008

Daily Report

• The Associated Press reports that authorities in Ohio have evacuated areas around the post offices of two Ohio communities because of the discovery of what appear to be unexploded pipe bombs. (See item 17)

• According to the Atlanta Journal-Constitution, Georgia’s largest health insurer sent an estimated 202,000 benefits letters containing personal and health information to the wrong addresses last week, in a privacy breach that raised concerns about potential identity theft. (See item 27)

Banking and Finance Sector

8. July 29, Bradenton Herald – (Florida) Local men charged in $83M bank fraud. Three Sarasota men and one from Tampa are facing numerous federal charges that they bilked banks out of almost $83 million on several land sales in Manatee and Sarasota counties. They are accused of defrauding seven banks through a complex scheme involving seven real-estate transactions, four of them in Manatee, from 2004 to 2006. The FBI began investigating the men’s dealings as part of Operation Malicious Mortgage, a fraud crackdown that so far has netted more than 400 arrests nationwide. Source:

9. July 28, KGO 7 San Francisco – (National) Macy’s security breach halts card service. Macy’s had to notify 4,100 customers across the country who hold a Macy’s Visa credit card – not the regular charge card. Macy’s says there was a massive security breach at a Visa processing center in England. Thieves got hold of Visa account numbers and started making unauthorized charges, mainly at gas stations. Macy’s is freezing the accounts of all 4,100 holders of the Macy’s Visa card, but only those who had any transactions processed in England. Macy’s advises customers to check for any unauthorized charges on their Macy’s Visa. The company says, so far, it appears only account numbers were stolen, not personal information. Source:

10. July 28, Associated Press – (National) Four indicted in $20 million mortgage scheme. Two real estate agents and a married couple who ran nursing homes are facing federal charges alleging they defrauded several banks of $20 million in a complicated mortgage scheme. The four face 126 counts of conspiracy, bank fraud, wire fraud, money laundering and other crimes. The alleged scheme ran between 2002 and 2007 and involved recruiting people to pose as buyers for almost 20 properties, many of them nursing homes in the suburbs east of San Francisco, according to the indictment. The real estate agents are accused of obtaining loans for the “straw buyers” using false income and employment information. Federal prosecutors allege two of the suspects recruited many of the buyers and funneled loan money into their own bank accounts. Source:

Information Technology

36. July 29, IDG News Service – (National) Oracle issues warning over dangerous WebLogic flaw. Oracle Corp. is scrambling to create an emergency patch for a severe vulnerability in the company’s WebLogic server, as exploit code is circulating on the Web. The company issued a rare security alert today, the first off-schedule warning since it introduced a regularly scheduled patch release cycle more than three years ago. The problem lies in the Apache plug-in for the Oracle WebLogic Server and Express products (formerly known as BEA WebLogic), both application servers. The vulnerability can be exploited over a network without a need for a username or password, Oracle wrote in an advisory. The flaw can result in “compromising the confidentiality, integrity and availability of the targeted system.” The problem scores a 10.0, the most serious rating, on the CVSS (Common Vulnerability Scoring System) scale, a framework used to evaluate the risks of a particular flaw. Oracle advised administrators to implement a work-around while it is working to create a patch. Source:

Communications Sector

37. July 29, Associated Press – (West Virginia) W.Va. still struggling with cell phone gaps. Dropped calls and bad connections are all too familiar to West Virginia cell phone users, but the state says things are improving. The State Homeland Security Director told lawmakers Monday that his agency has worked with businesses and local governments to install 11 cell towers throughout the state in the last year. Persistent problems with cell coverage remain, though. The head of the state Public Service Commission’s consumer advocate division said those problems stem more from coverage gaps as opposed to so-called dead zones. His office estimates it costs as much as $500,000 to build a cell phone tower in West Virginia. Source:

38. July 29, Times Herald-Record – (National) Verizon strike looms; contract talks go on. Verizon officials and union workers were still in contract negotiations Monday as a strike deadline approached. Union workers have voted to strike if an agreement is not reached by the expiration of the current contract at midnight Saturday. One of the major disputes is what union officials say is the outsourcing of many jobs to non-union subcontractors. A spokesman for Local 1101 of the Communications Workers of America, the union that represents many of the workers, cited what he said were $5.5 billion in Verizon profits and $82 million paid to its top five executives in 2007 as evidence the company can afford what workers are asking for. A Verizon spokesman declined to comment on the negotiations, but said a strike would not affect customer service. The timing of a strike could be bad for Verizon, which just began rolling out its new fiber-optic FiOS service in the region, meant to offer an alternative to cable TV and to ameliorate the loss of land-line customers. The strike could involve as many as 65,000 workers from New England to Virginia. Verizon employs about 600 people in the region. Source:

39. July 29, Associated Press – (National) MSU, local company work on satellite development. Mississippi State University and InfiniSat, a technology business in Starkville, are working together to develop small, low-cost satellites for the U.S. market. The satellites would gather information for a wide range of projects, from weather prediction to disaster monitoring and communication. MSU and InfiniSat are working with federal research agencies to develop affordable, effective technologies that can be put into use quickly. The director of the Northern Gulf Institute, an MSU-based cooperative program of the National Oceanic and Atmospheric Administration, says the goal is to build “a full spaceflight mission operations and training center for Mississippi” with the power to track and communicate with satellites overhead. Source:

Tuesday, July 29, 2008

Complete DHS Daily Report for July 29, 2008

Daily Report

• The Associated Press reports that excessive flooding in the Midwest destroyed tons of valuable topsoil throughout the region. Environmental groups say there are risks to opening up conservation program land to planting. (See item 12)

• According to the Associated Press, a road along Dillon Reservoir that Denver Water utility officials closed over security concerns, opened Friday to two-axle passenger and emergency vehicles, but will be closed from 10 p.m. to 6 a.m. (See item 30)

Banking and Finance Sector

6. July 27, Scotsman – (International) Banks warned of computer ‘super bug’ that can change identity. United Kingdom banks and other financial institutions are being warned to be extra vigilant following the release on the internet of a new so-called “PC super bug” designed to steal online banking log-on details on an unprecedented scale. Cyber criminals have let loose a virus called Limbo 2 Trojan, which, according to security experts, is an extremely nasty bug developed specifically to worm its way into finance websites in order to cause maximum damage. Security firm Prevx said the difference this time is that the new bug has been developed specifically to evade the vast majority of anti-virus computer systems. Such systems are devised by global IT security firms including McAfee, Symantec, and AVG. Finance houses all over the world rely on them to provide adequate protection. It is estimated that a single data breach can cost a big firm more than £3m to rectify. Prevx reported that the Trojan bug features a changeable shell with a pliable cloak coming in many guises and variants to try to fool security systems and slip past conventional signature-based anti-virus detection. This involves illegal technology that generates fake information boxes on a compromised computer, asking the user to enter more information than usual. While this is happening, passwords, credit card information and other personal details are transmitted to the malware’s criminal operator to then exploit financially. Source:

7. July 25, New York Times – (National) New York sues UBS for securities fraud. The attorney general of New York accused UBS of consumer and securities fraud on Thursday, saying the bank had misled investors when it sold them auction-rate securities. Auction-rate securities are preferred shares or debt instruments with rates that reset regularly, usually every week, in auctions overseen by the brokerage firms that originally sold them. But the $300 billion market for these instruments collapsed in February, trapping investors who had been told that they were safe and easy to cash in. Even as a senior executive at UBS called the market “a complete loser,” the bank continued to pitch the securities as short-term, liquid investments, according to the civil complaint filed by the attorney general of New York. At the same time, seven executives at the bank sold their personal holdings of the securities, which totaled $21 million, to avoid losses, according to the complaint. UBS halted the auctions of these securities on February 13, leaving more than 50,000 UBS customers holding about $37 billion in the investments, according to the complaint. These investors, including city governments, companies, and individual investors, remain unable to sell them in many cases. Source:

Information Technology

20. July 28, BBC – (International) China becomes biggest net nation. China now has the world’s largest net-using population, say official figures. More than 253 million people in the country are now online, according to statistics from the China Internet Network Information Center (CNNIC). The figure is higher than the 223 million that the U.S. mustered in June, according to Nielsen Online. Net penetration in the U.S. stands at 71 percent compared to 19 percent in China, suggesting it will eventually vastly outstrip the U.S. The development is significant because the U.S. has had the largest net-using population since people started recording how many people were online. The 2008 figure is up 56 percent in a year, said CNNIC. Analysts expect the total to grow by about 18 percent per annum and hit 490 million by 2012. About 95 percent of those going online connect via high-speed links. Take-up of broadband has been boosted by deals offered by China’s fixed line phone firms as they fight to win customers away from mobile operators. China’s mobile phone-using population stands at about 500 million people. Source:

21. July 27, PC Magazine – (International) Beware fake malware cleaner programs. Chinese hackers are sending out malware masquerading as the Trend Micro Virus Clean Tool, according to Trend. The example in the linked Trend blog is in Chinese, so perhaps the threat is only real in China and Taiwan. But the example is instructive. The threat arrives as an e-mail which looks like it came from Trend Micro, and the malware comes as an attachment to it. The use of an attachment is by itself unusual, as malware distribution has largely moved to using links to hijacked web sites where the malware is hosted. The Trend blog says the attachment is named iClean20.EXE, but the screen shot of the e-mail shows it as a .RAR file which probably itself contains iClean20.EXE. iClean20.EXE drops two files, one of which is the genuine Trend Virus Clean Tool, and the other the malware, detected by Trend as BKDR_POISON.GO. By pointing the user to the actual cleaning tool, the attackers may distract them from the malware. BKDR_POISON.GO opens a random port and allows a remote user to execute commands on the affected system. Source:

Communications Sector

22. July 28, Computerworld – (California) City missed steps to avoid network lockout. A San Francisco city official lost administrative control of the network’s routers and switches for more than a week after an IT worker allegedly reset passwords and refused to reveal them prior to and after his arrest on July 13. A network administrator in the city’s Department of Telecommunications and Information Services (DTIS) was charged with locking up the network and with planting network devices that enabled illegal remote access to the network. The FiberWAN system carries almost 60 percent of the city government’s traffic. Users and analysts interviewed last week said that the city could have avoided the recent turmoil by implementing stronger configuration management techniques along with processes that could quickly detect when someone was attempting to bypass network controls. A senior network engineer at DataWare Services suggested that anytime it takes more than 48 hours to restore access to a locked-down network that indicates that “basic network administration standards” are not in place. Source: