Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, August 26, 2008


• According to the Sunday Herald, an international criminal gang has stolen the identities of an estimated eight million people in a hacking raid on the Best Western Hotel group’s online booking system. (See item 14)

See details below in Banking and Finance Sector.

• KNSD 7 San Diego reports that an area code switch caused a 911 emergency call system in Orange County, California, to crash for nearly one and a half hours on Saturday. (See item 38)

38. August 23, KNSD 7 San Diego – (California) Area code switch causes OC 911 system to crash. A 911 emergency call system in Orange County (OC) is up and running again after an area code switch caused it to crash for nearly 1 1/2 hours. The system went off-line around 2:30 a.m. Saturday in an area of the central and southern county that includes about 20 cities, a police spokesman said. During that time, people could only reach dispatchers by calling the sheriff’s regular business numbers. The introduction of a new area code apparently caused the crash, and service was restored after the Sheriff’s Department called AT&T to fix the problem. Source:


Banking and Finance Sector

14. August 25, Sunday Herald – (International) Revealed: 8 million victims in the world’s biggest cyber heist. An international criminal gang has pulled off one of the most audacious cyber-crimes ever and stolen the identities of an estimated eight million people in a hacking raid that could ultimately net more than £2.8 billion in illegal funds. A Sunday Herald investigation has discovered that late on Thursday night, a previously unknown Indian hacker successfully breached the IT defenses of the Best Western Hotel group’s online booking system and sold details of how to access it through an underground network operated by the Russian mafia. It is a move that has been dubbed the greatest cyber-heist in world history. The attack scooped up the personal details of every single customer that has booked into one of Best Western’s 1312 continental hotels since 2007. Amounting to a complete identity-theft kit, the stolen data includes a range of private information including home addresses, telephone numbers, credit card details and place of employment. “They’ve pulled off a masterstroke here,” said a security expert, “the Russian gangs who specialize in this kind of work will have been exploiting the information from the moment it became available late on Thursday night. In the wrong hands, there’s enough data there to spark a major European crime wave.” Although the security breach was closed on Friday after Best Western was alerted by the Sunday Herald, experts fear that information seized in the raid is already being used to pursue a range of criminal strategies. Source:


15. August 23, State Journal – (West Virginia) International phone scam strikes Morgantown. Authorities are investigating an international phone scam targeting Clear Mountain Bank customers. Customers of the Morgantown, West Virginia, bank are receiving calls from an automated caller telling them their bank card has been suspended. The call then asks people to enter their card number and PIN over the phone. Officials say nearly 20 customers have been hit by the scam so far, with con artists in Spain withdrawing money from their accounts. Source:

16. August 23, Associated Press – (National) Merrill Lynch settlement with SEC worth up to $7B. Federal regulators said Friday that investors who bought risky auction-rate securities from Merrill Lynch & Co. before the market for those bonds collapsed will be able to recover up to $7 billion under a new agreement. The largest U.S. brokerage will buy back the securities from thousands of investors under a settlement with the Securities and Exchange Commission, New York’s attorney general and other state regulators over its role in selling the high-risk bonds to retail investors. Under that deal, announced Thursday, Merrill agreed to hasten its voluntary buyback plan by repurchasing $10 billion to $12 billion of the securities from investors by January 2. Merrill also agreed to pay a $125 million fine in a separate accord with state regulators. The SEC’s estimate of a $7 billion recovery is based on its projection of the eventual amount of the bonds that will be cashed in by the affected investors, who bought them before February 13. The $10 billion to $12 billion is the total amount that Merrill is committing to buy back. The firm has to offer redemptions to all investors, though not all may cash in the securities. The SEC said the new agreement will enable retail investors, small businesses and charities who purchased the securities from Merrill “to restore their losses and liquidity.” Merrill, Goldman Sachs Group Inc. and Deutsche Bank on Thursday brought to eight the number of global banks that have settled a five-month investigation into claims they misled customers into believing the securities were safe. Source:

17. August 22, Consumer Affairs – (West Virginia) West Virginia warns about phony debt collectors. Consumers in West Virginia who at one time obtained payday loans over the Internet – and even those who never borrowed money at all – have been getting threatening phone calls from alleged debt collectors. West Virginia’s attorney general says the debt collectors are actually scam artists. Internet payday loans are short-term loans or cash advances, usually for 14 days, made over the Internet via interactive web sites and secured by an agreement authorizing debits of the loan and all fees owed from the consumer’s checking account. These loans typically charge interest rates ranging from 600-800 APR and are unlawful in West Virginia. The scam artists, who speak English with a foreign accent, call themselves “U.S. National Bank,” “Federal Investigation Bureau,” “United Legal Processing” and numerous other phony names. They refuse to disclose real names and addresses and are believed to be operating “off the grid” from homes, automobiles, or from offshore locations or foreign countries, including India. Since the scammers have kept themselves purposely well hidden, the official says no law enforcement agencies have succeeded in locating or shutting them down. The scammers typically pose as law enforcement officers, investigators, lawyers, and bankers and threaten consumers that they will be arrested for “bank fraud” or other fictitious crimes unless money is wired immediately. The scammers almost always call consumers at work several times a day, and tell their supervisors, “Your employee has committed fraud and is about to be arrested.” Such threats have proven unsettling even to the most savvy consumers and employers who suspect the calls are fraudulent. Source:

Information Technology

39. August 22, Network World – (National) Red Hat admits breach of its servers, Fedora. Red Hat confirmed Friday that hackers compromised infrastructure servers belonging to the company and the Fedora Project, including systems used to sign Fedora packages. In the Fedora breach, company officials said they had “high confidence” the hackers did not get the “passphrase used to secure the Fedora package signing key.” Regardless, the company has converted to new Fedora signing keys. Red Hat’s Fedora project leader made the announcement Friday on the fedora-announce-list with the subject line “Infrastructure Report.” When contacted, Red Hat officials pointed to the project leader’s announcements as the company’s official statement. As a precaution, Red Hat released an updated version of those packages, a list of tampered packages and a script to check if any of the packages are installed on a user’s system. Source:

40. August 22, Computerworld – (National) Microsoft admits posting flawed update. Microsoft Corp. rereleased one of its August 11 security updates, explaining that it had posted an incomplete version to its own download center last week. The admission was the third time in the past two months that Microsoft has had to reissue a security-related update. Users who manually downloaded MS08-051 since August 12 to patch Office 2003 should obtain the second version as soon as possible, Microsoft said. People who obtained the update via Windows Update or through their company’s Windows Server Update Services (WSUS) server, or who updated other versions of Office do not need to reinstall MS08-051. That update patched three vulnerabilities in PowerPoint, the presentation maker included with Microsoft Office, including one that Microsoft labeled “critical,” its highest ranking. MS08-051 was one of 11 security bulletins released last week that patched 26 bugs, the most Microsoft has tackled in a single month for the past year and a half.


Communications Sector

41. August 25, United Press International – (Virginia) NASA investigates failed rocket launch. The U.S. space agency and Alliant Tech Systems Inc. said they have started an investigation into the failed launch of a suborbital rocket. The rocket, which lifted off from the National Aeronautics and Space Administration’s (NASA) Wallops Flight Facility in Virginia, was carrying two NASA hypersonic experiments. Liftoff occurred at 5:10 a.m. EDT Friday and the anomaly that forced launch safety officers to destroy the rocket occurred approximately 27 seconds later. No injuries or property damage were reported, with most of the debris falling into the Atlantic Ocean. Source:

42. August 24, Associated Press – (Virginia) Even modest Internet users may hit usage caps. Frontier Communications Corp. is one of several Internet service providers moving to curb the growth of traffic on their networks, or at least make the subscribers who download the most pay more. This could have consequences not just for consumers - who would have to learn to watch how much data their Internet use entails - but also for companies that hope to make the Internet a conduit for movies and other content that comes in huge files. Cable companies have been at the forefront of imposing and talking about usage caps, because their lines are shared between households. Frontier’s announcement is noteworthy because it is a phone company - and it is matching a seemingly low ceiling set by a main cable rival: just five GB per month, the equivalent of about three DVD-quality movies. Source:

43. August 22, Crain’s New York Business – (New York) Static develops for Verizon’s FiOS. The New York State Public Commission Service recently notified Verizon Communications that the fiber-optic cable system that has been installed in some areas of the state violates provisions in the National Electric Code. The fiber is used to deliver Verizon’s FiOS television and high-speed Internet service to homes. The violations involve the proper grounding of cable and were discovered during routine inspections by the state agency earlier this summer. Verizon has spent more than $2 billion to build out its new network across the nation. “We are working closely with Verizon to remediate any potential problems,” said a PSC spokesman. Verizon sent a plan to the PSC last month outlining steps it will take to correct any violations. The company plans to inspect previous installations and fix problems within 60 days. Source: