Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, August 7, 2008

Complete DHS Daily Report for August 7, 2008

Daily Report

• According to CNN, 11 people were indicted Tuesday for allegedly stealing more than 40 million credit and debit card numbers. It is believed to be the largest hacking case that the U.S. Justice Department has ever tried to prosecute. (See item 13)

• Fox News reports that a map of the U.S. president’s motorcade route to Camp David was found last week when police searched the Bethesda, Maryland, home of a teenager accused of stockpiling weapons and bomb-making materials. (See item 27)

Banking and Finance Sector

12. August 6, Business Week – (National) Prosecutors take down alleged online scam. On August 5, federal investigators raided the office of the company Ad Surf Daily (ASD) and the home of its founder, Bowdoin, in Quincy, Florida, and filed a civil complaint against the company. The U.S. Attorney’s office in Washington, D.C., alleges in the suit that ASD defrauded more than 100,000 people with promises of online riches. Prosecutors, who seized more than $53 million in ASD assets from Bank of America (BAC), had been alerted to the alleged scam by numerous complaints, including many from children whose parents had been enticed by ASD’s online promotional material. In the complaint, prosecutors contend that Ad Surf Daily, which operated out of a flower shop in Quincy, had no legitimate business model. Instead, the company relied on new investors to pay old investors—the definition of a Ponzi or “pyramid” scheme. ASD used online videos to become one of the most successful companies at drawing in participants. Government officials believe that ASD raked in more than $100 million with its seemingly sincere YouTube videos and podcasts, which promoted new business opportunities in the online advertising market. ASD members used the same Web technology over the weekend to reassure clients who found their bank accounts frozen.


13. August 5, CNN – (National) Justice: Hackers steal 40 million credit card numbers. Eleven people were indicted Tuesday for allegedly stealing more than 40 million credit and debit card numbers, federal authorities said. The indictments, which alleged that at least nine major U.S. retailers were hacked, were unsealed Tuesday in Boston, Massachusetts, and San Diego, California, prosecutors said. It is believed to be the largest hacking case that the Justice Department has ever tried to prosecute. Three of the defendants are from the United States; three are from Estonia; three are from Ukraine; two are from China; and one is from Belarus. The remaining individual is known only by an alias, and authorities do not know where that person is. Under the indictments, three Miami, Florida, men are accused of hacking into the wireless computer networks of retailers including TJX Companies (whose stores include Marshall’s and T.J. Maxx), BJ’s Wholesale Club, OfficeMax, Barnes and Noble, and Sports Authority, among others. The three men installed “sniffer” programs designed to capture credit card numbers, passwords, and account information as they moved through the retailers’ card processing networks, said a U.S. attorney in Boston. The three then concealed the data in encrypted computer servers they controlled in the United States and Eastern Europe, the Justice Department said. Some credit and debit card numbers were sold on the Internet, and others were “cashed out” by encoding the numbers on the magnetic strips of blank cards. “The defendants then used these cards to withdraw tens of thousands of dollars at a time from ATMs,” authorities said. They used anonymous Internet-based currencies to conceal and launder their proceeds, as well as channeling funds through bank accounts in Eastern Europe, the department said. “The 41 million credit and debit numbers were used internationally,” said the attorney.

Information Technology

29. August 6, Associated Press – (International) Giant online security hole getting fixed, slowly. An underlying flaw revealed nearly a month ago in the Domain Name System (DNS), a network of millions of servers that translate the names typed into Web browsers into the numerical addresses that computers understand, is allowing criminals to silently redirect traffic to Web sites under their control. The problem is being fixed, but its extent remains unknown and many people are still at risk. The gaping security hole enables a scam that targets ordinary people typing in a legitimate Web address. It works because attackers are now able to manipulate the machines that help computers find Web sites. If the redirection is done well, computer users are unlikely to be able to tell whether they have landed at the legitimate site or at an evil double maintained by someone bent on fraud. Security experts fear an open season for virus attacks and identity-fraud scams.


30. August 6, – (International) Adobe Flash Player download warning: Malware disguised. The security community has reported a nasty worm on many popular social networking sites that uses social engineering lures to get users to install a piece of malware. According to reports, the worm posts comments on those sites that include links to a fake site. If the link is clicked and followed, users are told that they need to update their Flash Player. The installer, hosted on the malicious site, of course installs malware instead of Flash Player.

31. August 6, PCmag – (International) Password stealing trojan on the loose. Security experts at MicroWorld have reported an alarming increase in the number of infections caused by the ZBot-D Trojan. The ZBot-D Trojan, also known as ZBot, first surfaced in February 2008 and mostly spreads via email. It can effortlessly disable the firewall, steal financial data, and provide the attacker remote access to the infected system. ZBot has been crafted to perform multiple malicious activities at the same time. It can modify system files, create new system processes, and automatically delete cookies in the Internet Explorer URL cache, so that keystrokes are recorded and sent to the botnet herder when unsuspecting users enter their passwords on online banking Web sites. Once a user opens a ZBot-infected email, a file named “ntos.exe” is automatically installed in the system folder, and it adds registry entries so that the Trojan is invoked automatically at system startup. The Trojan then wreaks havoc on the system, for example by forwarding the user’s personal details to remote websites, where the details are harvested by hackers and botnet herders and in turn sold to criminals for financial gain. It also starts flooding the inbox with spam and turns the infected machine into a zombie computer that is a member of a botnet. The zombie machines are then used to carry out criminal activities.
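The report names the dropped file (“ntos.exe” in the system folder) and says the Trojan adds registry entries to start at boot. The following is an added detection example written for this digest, not code from the report or from MicroWorld: it parses the layout of a `reg query <key> /s` export of the Windows Run keys and flags entries that launch a file with that name out of a system directory. The sample export is constructed, and the assumption that the persistence lives in the Run keys (rather than another autostart location) is the example’s own.

```python
import ntpath
import re

# Assumed defaults; a real check would take these from the host's environment.
SYSTEM_ROOT = r"C:\Windows"
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
SUSPECT_NAMES = {"ntos.exe"}  # the dropped file name given in the report

# Constructed sample in the layout of `reg query <key> /s` output; not a real export.
SAMPLE_EXPORT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Defender    REG_SZ    "C:\Program Files\Windows Defender\MSASCuiL.exe"
    Update      REG_SZ    %SystemRoot%\system32\ntos.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Sync        REG_SZ    "C:\Users\alice\AppData\Local\Sync\sync.exe" /background
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def executable_path(data: str) -> str:
    """Reduce a Run-key command line to its executable path, lower-cased."""
    data = re.sub(r"%systemroot%", lambda _m: SYSTEM_ROOT, data.strip(),
                  flags=re.IGNORECASE)
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]   # quoted path; arguments follow the quote
    else:
        path = data.split(" ", 1)[0]       # unquoted path ends at the first space
    return path.lower()


def find_suspect_autoruns(export: str) -> list:
    """Return (key, value name, path) for autorun entries that launch a
    suspect file name from a Windows system directory."""
    hits, key = [], None
    for line in export.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()             # subsequent indented lines belong to it
            continue
        match = VALUE_RE.match(line)
        if not match or key is None:
            continue
        name, _type, data = match.groups()
        path = executable_path(data)
        directory, base = ntpath.split(path)
        if base in SUSPECT_NAMES and directory in SYSTEM_DIRS:
            hits.append((key, name, path))
    return hits


if __name__ == "__main__":
    for key, name, path in find_suspect_autoruns(SAMPLE_EXPORT):
        print(f"suspect autorun: {key}\\{name} -> {path}")
```

A file-name match is only a triage signal; confirm a hit by checking the file’s hash or signature before acting on it.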

Communications Sector

32. August 5, Network World – (International) Skype won’t say if it decrypts VoIP calls. Skype, a voice-over-IP (VoIP) phone company, has declined to comment on an online report that alleges that Austrian officials with legal authority to tap VoIP phone communications have no problem listening in on Skype calls, which are encrypted as a standard part of Skype service. A Skype spokesman would not say whether Skype keeps keys to decrypt calls. It is virtually impossible to figure out for sure from independent research whether Skype keeps encryption keys or not, said the chairman of the Voice Over IP Security Alliance and senior director of security research at TippingPoint. “No one has shown it publicly,” he said. “Skype is a closed software package, essentially a black box.” The company has on rare occasions allowed outside researchers to examine and verify the security of its encryption, but not whether the keys that can crack the encryption can be retrieved, he said. To allay fears that the calls might not be secure from law enforcement, Skype should open its platform to evaluation by trusted, credible industry experts, he said. In the U.S., the Communications Assistance for Law Enforcement Act (CALEA) forbids requiring that vendors build in back-door decryption, said the vice president for public policy at the Center for Democracy & Technology. “CALEA expressly forbids requiring anyone to be able to decrypt anything,” he said. But that does not mean they don’t build in key-retrieval anyway. Currently there are no active proposals to force vendors to leave encryption back doors in their VoIP gear.

33. August 5, San Bernardino County Sun – (California) Cities explore fiber options. The city of Grand Terrace is exploring the possibility of hooking into Loma Linda’s fiber-optic network as a way to boost economic development. Officials in both cities are in preliminary discussions on a plan to bring a fiber-optic connection to Grand Terrace businesses. Loma Linda has linked 2,000 new homes in the city to high-speed fiber-optic Internet service through its Connected Community Program. Loma Linda University, the Jerry L. Pettis Memorial Veterans Medical Center, and many businesses in town are part of the network. The city is in the process of expanding the four-year-old program to include older homes. Grand Terrace would like to tap into the same technology. Loma Linda’s information systems director estimates it would cost somewhere between $1 million and $10 million to bring the network from Loma Linda’s western city limits to Grand Terrace, which is about four miles away.

34. August 5, CNET – (National) Twitter targeted by malware attacks. Twitter, the popular microblogging service that spread word of California’s recent earthquake even as phone lines were jammed, is now being targeted by online criminals. Kaspersky Lab has uncovered a fake Twitter profile created solely for the purpose of infecting people’s computers. The profile has posted a link that purports to be a video but is instead Trojan software, masquerading as an MP3 file, that steals data from the machine, according to Kaspersky’s blog. The attack is dangerous because it does not require programming skills and could spread easily if it ends up high in Google search engine rankings. That is possible because Google indexes unprotected Twitter profiles.