Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, November 4, 2009

Complete DHS Daily Report for November 4, 2009

Daily Report

Top Stories

 Reuters reports that an outbreak of food-borne illness, linked to dangerous bacteria in ground beef, sickened 28 people and may have caused two deaths in the U.S. Northeast, health officials said on November 2. (See item 24)

24. November 2, Reuters – (National) Two U.S. deaths may be linked to bad beef. An outbreak of food-borne illness, linked to dangerous bacteria in ground beef, sickened 28 people and may have caused two deaths in the U.S. Northeast, health officials said on Monday. The U.S. Centers for Disease Control and Prevention (CDC) said all but three of the illnesses were in the Northeast and 18 were in the six New England states. A common strain of E. coli bacteria was involved so tests were under way to see if all of the reported cases have the same cause. State officials said a death in New Hampshire was linked to the ground beef that is being recalled by Fairbank Farms of Ashville, New York. The New York State Health Department said a death in the Albany area from E. coli O157:H7 bacteria was being investigated to see if it is linked. Fairbank Farms announced the recall on Saturday of 545,699 lbs (248,450 kg) of fresh ground beef products. The Agriculture Department, which oversees meat safety, said an investigation led it to conclude “there is an association between the fresh ground beef products and illnesses in Connecticut, Maine and Massachusetts.” USDA worked with state and federal officials in examining a cluster of E. coli O157:H7 illnesses. Source:

 The Los Angeles Times reports that lethal waste is seeping from mountain burial sites and moving toward aquifers, springs and streams that provide water to 250,000 residents of northern New Mexico. The Los Alamos National Laboratory seemed an ideal place to store a bomb factory’s deadly debris, but the heavily fractured mountains have not contained the waste, some of which has trickled down hundreds of feet to the edge of the Rio Grande, one of the most important water sources in the Southwest. (See item 28)

28. November 1, Los Angeles Times – (New Mexico) Toxic waste trickles toward New Mexico’s water sources. Lethal waste is seeping from mountain burial sites and moving toward aquifers, springs and streams that provide water to 250,000 residents of northern New Mexico. Isolated on a high plateau, the Los Alamos National Laboratory seemed an ideal place to store a bomb factory’s deadly debris. But the heavily fractured mountains have not contained the waste, some of which has trickled down hundreds of feet to the edge of the Rio Grande, one of the most important water sources in the Southwest. So far, the level of contamination in the Rio Grande has not been high enough to raise health concerns. But the monitoring of runoff in canyons that drain into the river has found unsafe concentrations of contaminants such as perchlorate, an ingredient in rocket propellant, and various radioactive byproducts of nuclear fission. Laboratory officials insist that the waste does not jeopardize people’s health because even when storm water rushing down a canyon stirs up highly contaminated sediment, it is soon diluted or trapped in canyon bottoms, where it can be excavated and hauled away. Much surface contamination, however, becomes embedded in sediment or moves down into groundwater. That subterranean migration poses the greatest long-term danger to drinking-water wells and ultimately the Rio Grande. Adding to the uncertainty, a draft report released last summer by the Centers for Disease Control and Prevention said that the lab may have substantially underreported the extent of plutonium and tritium released into the environment since the 1940s. More recently, the state Environment Department reported finding DEHP, an organic compound used in plastics and explosives, at 12 times the safe exposure level in an aquifer that supplies drinking water to Los Alamos and the nearby community of White Rock. The U.S. Environmental Protection Agency classifies DEHP as a probable human carcinogen also capable of harming reproductive systems. Source:


Banking and Finance Sector

13. November 3, Washington Post – (International) British plan breakup of bailed-out banks. The British government is moving to break up parts of major financial institutions bailed out by taxpayers, with a restructuring plan expected to be unveiled as soon as November 3. The move highlights a growing divide across the Atlantic over how to deal with the massive banks partially nationalized during the height of the financial crisis. The British government — spurred on by European regulators — is set to force the Royal Bank of Scotland, Lloyds Banking Group and Northern Rock to sell off parts of their operations. The Europeans are calling for more and smaller banks to increase competition and eliminate the threat posed by banks so large that they must be rescued by taxpayers, no matter how they conducted their business, in order to avoid damaging the global financial system. The move to downsize some of Britain’s largest banks comes as U.S. politicians are debating whether American banks should also be required to shrink. The U.S. President’s administration has maintained that large banks should be preserved because they play an important role in the economy and that taxpayers instead should be protected by creating a new system for liquidating large banks that run into problems. But Britain’s decision already is being cited by a growing chorus of experts, including prominent bankers and economists, who want the United States to pursue a similar approach. The changes would amount to a massive restructuring of the British financial system, among the hardest hit by the global crisis, that could result in what the government has described as the creation of three new commercial banks. The Royal Bank of Scotland — now 70 percent owned by British taxpayers — announced November 2 that regulators were demanding that it sell off more of its businesses than originally expected. According to British media reports, RBS would be told to sell off more than 300 retail branches in the United Kingdom, as well as several insurance businesses. The sell-offs would pave the way for tens of billions of dollars more in previously announced cash injections from the government.


14. November 3, Bank Info Security – (National) Six more banks, credit unions hit in phone scam. Banking customers in two additional states have been hit by the telephone-based fraud scheme that already has struck institutions in several other states. Customers of several banks and at least one credit union in southeastern Wisconsin, as well as one credit union in Hawaii, report receiving automated phone messages that appear to be coming from their institution, telling them their debit card has been compromised. It then prompts the customer to enter their card information. Hawaii Central Credit Union in Honolulu, HI reports that its customers received the automated messages asking for account information last week. Citizens Bank of Mukwonago, Park Bank in Milwaukee, Burlington’s First Banking Center, Maritime Savings Bank and Educators Credit Union are among Wisconsin financial institutions that have reported such calls since October 24, says the security officer for Citizens Bank of Mukwonago. Source:

15. November 2, The Register – (International) US gov warns banks on money mules. The government agency that insures U.S. banks has warned its members to be on the lookout for an increase in money mules used to launder money that has been electronically stolen from deposit accounts. In a memo issued recently, the Federal Deposit Insurance Corporation told member banks the mules can often be spotted by common characteristics. The tell-tale signs include: someone with a newly opened account who receives unusually large numbers of electronic transfers; account holders who receive electronic transfers and shortly afterward originate outgoing wire transfers or cash withdrawals that are 8 to 10 percent less (accounting for the mule’s commission); and foreign exchange students with a J-1 visa and a fraudulent passport who open a student account that has a high volume of incoming and outgoing electronic transfers. “Money mule activity is essentially electronic money laundering,” the memo stated. “Strong customer identification, customer due diligence, and high-risk account monitoring procedures are essential for detecting suspicious activity, including money mule accounts.” Over the past few years, cybercrooks, many located in Eastern Europe, have increasingly relied on mules located in the U.S. to receive stolen funds and then funnel the money overseas before the fraud is detected. According to Security Fix, such scams have plundered at least $40m from small- to mid-sized businesses. Source:
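The FDIC indicators above translate directly into account-monitoring rules. The following is an added example, not part of the DHS report or the FDIC memo, that runs two of those rules (new account with many inbound electronic transfers; inbound transfer followed shortly by an outgoing wire or cash withdrawal 8 to 10 percent smaller) over constructed account records. The thresholds for "newly opened" (90 days), "unusually large number" (3 or more), "shortly afterward" (48 hours) and the 7 to 11 percent tolerance around the memo's 8 to 10 percent are tuning assumptions, not figures from the memo.

```python
"""Money-mule indicators from the FDIC memo, as detection logic over constructed
account records. Added example, not from the DHS report or the FDIC memo; the
thresholds below are tuning assumptions, not figures from the memo."""
from dataclasses import dataclass, field
from datetime import date, datetime, timedelta
from typing import Dict, List


@dataclass
class Txn:
    ts: datetime
    direction: str   # "in" or "out"
    kind: str        # "ach", "wire", "cash"
    amount: float


@dataclass
class Account:
    id: str
    opened: date
    txns: List[Txn] = field(default_factory=list)


NEW_ACCOUNT_DAYS = 90                       # assumption: what counts as "newly opened"
MIN_INBOUND = 3                             # assumption: "unusually large number" of inbound transfers
PASSTHROUGH_WINDOW = timedelta(hours=48)    # assumption: "shortly afterward"
RETAINED_LOW, RETAINED_HIGH = 0.07, 0.11    # memo says 8-10 % less; widened a little for bank fees


def mule_indicators(acct: Account, as_of: datetime) -> List[str]:
    """Return the memo's red flags that this account trips (empty list = none)."""
    flags: List[str] = []
    inbound = [t for t in acct.txns if t.direction == "in"]
    outbound = [t for t in acct.txns if t.direction == "out" and t.kind in ("wire", "cash")]
    age_days = (as_of.date() - acct.opened).days
    # Flag 1: newly opened account receiving many electronic transfers.
    if age_days <= NEW_ACCOUNT_DAYS and len(inbound) >= MIN_INBOUND:
        flags.append(f"new account ({age_days}d old) with {len(inbound)} inbound electronic transfers")
    # Flag 2: inbound transfer followed shortly by an outgoing wire/cash withdrawal
    # that is roughly 8-10 % smaller (the mule's commission).
    for i in inbound:
        for o in outbound:
            lag = o.ts - i.ts
            if timedelta(0) <= lag <= PASSTHROUGH_WINDOW:
                retained = 1 - o.amount / i.amount
                if RETAINED_LOW <= retained <= RETAINED_HIGH:
                    flags.append(f"{o.kind} out {o.amount:.2f} {lag.total_seconds() / 3600:.0f}h after "
                                 f"inbound {i.amount:.2f} ({retained:.1%} retained)")
    return flags


def score_accounts(accounts: List[Account], as_of: datetime) -> Dict[str, List[str]]:
    return {a.id: mule_indicators(a, as_of) for a in accounts}


AS_OF = datetime(2009, 11, 2, 12, 0)   # constructed review date


def constructed_sample() -> List[Account]:
    """Constructed records: one mule-pattern account and one ordinary payroll account."""
    def d(days: int) -> datetime:
        return AS_OF - timedelta(days=days)
    mule = Account("ACC-1001", opened=(AS_OF - timedelta(days=21)).date())
    for days, amt in [(14, 9800.00), (9, 4250.00), (5, 7600.00), (2, 3900.00)]:
        mule.txns.append(Txn(d(days), "in", "ach", amt))
        mule.txns.append(Txn(d(days) + timedelta(hours=26), "out", "wire", round(amt * 0.91, 2)))
    payroll = Account("ACC-2002", opened=date(2004, 3, 15))
    for days in (28, 14, 0):
        payroll.txns.append(Txn(d(days), "in", "ach", 2150.00))
    payroll.txns.append(Txn(d(13), "out", "cash", 300.00))
    return [mule, payroll]


if __name__ == "__main__":
    for acct_id, flags in score_accounts(constructed_sample(), AS_OF).items():
        print(acct_id, "->", flags or "no indicators")
```

Run stand-alone, the mule account trips the new-account rule once and the pass-through rule on each of its four inbound transfers, while the payroll account, whose one cash withdrawal retains 86 percent rather than 8 to 10 percent of the preceding deposit, trips nothing. The rules are deliberately simple; in production they feed a case queue, not an automatic account freeze.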

16. November 2, LA Daily News – (California) Westlake Village man to be sentenced for $65 million life insurance scam. A Westlake Village man could get as many as 27 years behind bars when he is sentenced on Monday in Los Angeles federal court for bilking about 70 wealthy investors out of $65 million in a life insurance scam targeting South Los Angeles church parishioners. The guilty party pleaded guilty one year ago to conspiracy, six counts of mail fraud, four counts of wire fraud and eight counts of money laundering in U.S. District Court in downtown Los Angeles during jury selection in his trial. The guilty party and a co-defendant, both 41, claimed that the investors’ money would be invested in bond trading programs or used to buy pools of existing life insurance policies owned by African-American church members in Watts and Compton, prosecutors said. The two men told investors they would buy the policies for a small percentage of what they were worth, and that when the policyholders died, they would get a $240,000-per-policy windfall, which they would distribute to the investors, according to the criminal fraud complaint. Of the approximately $65 million raised from investors for those purposes, only $4.7 million was used to make life insurance premium payments, and no bonds were purchased for investors’ benefit, the complaint states. Source:

17. November 2, Marketwatch – (National) Treasury expects to borrow $276 bln this quarter. The U.S. government is expected to borrow $276 billion in the final three months of the year, the Treasury Department said on November 2. The borrowing estimate is $209 billion less than estimated in August. The drop in borrowing is due to the Treasury reducing its investment in a special Federal Reserve facility that supported the central bank’s innovative credit-easing policy, the agency said. For the January-March quarter, Treasury said it expects to borrow $478 billion. In the three months ending September, the government borrowed $393 billion. The Treasury will announce on November 4 the sizes and terms of its quarterly refunding auction. Source:

For more stories, see item 33 below:

33. November 2, WNEM 5 Saginaw – (Michigan) State officials warn of benefit debit card scam. Michigan’s Unemployment Insurance Agency (UIA) is warning those with state unemployment insurance debit cards that scammers are using cell phone text messages in an attempt to steal their unemployment benefits. According to a news release, UIA received two calls from individuals receiving unemployment benefits stating they had received text messages telling them to verify their UI debit card personal identification number by contacting the text sender. Officials at UIA said it is not their policy to contact anyone by text or by e-mail about their unemployment claim or PIN. The fake text messages advised individuals they need to reset their UI debit card PIN. One person was told to send a return text with his PIN included, while the other was instructed to call the phone number listed in the text message. When a victim calls the telephone number, a recorded voice asks the caller for the UI debit card number and PIN. With that information, the scammer can access and remove funds from the card account. JPMorgan Chase administers the MI UI Debit Card program for the state of Michigan. UIA said similar scam attempts are starting to surface in New York, Rhode Island and Missouri. Source:

Information Technology

38. November 3, Network World – (International) Hackers exploit Google Wave’s popularity. Hackers are exploiting web users who were too late in signing up for Google Wave, says Symantec. According to the security firm, web users worldwide are being encouraged to download an application that claims to offer access to Google Wave - a new invite-only online tool for real-time communication and collaboration. However, the application is in fact malware, which allows hackers to potentially steal sensitive personal data from your PC. A security analyst for Symantec said: “Cybercriminals have used Google Wave for the bait precisely because of its current popularity. Furthermore, using a trusted brand like this increases the chance of success for the attacker. Unfortunately, this technique is something fraudsters use all the time and internet users should be wary - if something appears too good to be true, then it usually is.” The security firm urged web users to be careful when clicking on links, to download software only from a reputable source and to ensure their security software is up-to-date. Source:

39. November 2, CNET – (International) New Trojan encrypts files but leaves no ransom note. Symantec is warning about a new Trojan horse that encrypts files on compromised computers but offers no ransom note like other software designed to hold data hostage for a fee. Instead, a Web search for terms related to the Trojan horse leads to a company offering a way to remove the malware. The company offering the product used to charge for it but now offers it for free. Trojan.Ramvicrype uses the RC4 algorithm to encrypt files on systems running Windows 98, 95, XP, Windows Me, Vista, NT, Windows Server 2003 and Windows 2000, according to Symantec’s Web site. Computers with files that have the .vicrypt extension are infected, a Symantec researcher wrote in a blog post recently. A Web search for “vicrypt help” brings up a news release for a company called Exquisys Software Technology Ltd in Mauritius offering a product called Antivicrypt that will “repair and restore” files that are “damaged.” Symantec reports that the company charges for the product. Exquisys could not be reached for comment on November 2, which happens to be a national holiday in that country. Meanwhile, Symantec is offering a free tool to decrypt the encrypted files. However, there is a chance that an affected computer will not have access to the Internet to search for any tools, free or otherwise. If a file in the Windows system folder has recently been opened, all the files in the system folder will be encrypted and the user may be unable to access the Internet, Symantec said. When the Trojan is executed it searches for files in MyDocuments, Desktop and Application Data\Identities and renames them with a .vicrypt extension. Then it looks for links in the Recent folder and renames all the files in the folders that are pointed to by links there and encrypts the head section of each file. Source:
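Two things in the item above are worth seeing in code: how a responder triages a machine full of renamed files, and why a stream cipher such as RC4 with one static key leaks. The following is an added example, not Symantec's tool and not the Trojan's code. It walks a directory for *.vicrypt files, recovers each file's original extension from the name (the Trojan appends the extension rather than replacing it, per the item), checks whether the file head still carries the magic bytes that extension implies, and then shows the known-plaintext property: ciphertext XOR known header bytes yields keystream bytes, which decrypt the same positions in every other file. The key, the sample files and the 8-byte "head section" length are constructed for the demo, and the assumption that a single fixed key with no per-file nonce is used for every file is ours; the item states only that RC4 is used and that the head of each file is encrypted.

```python
"""Triage for Ramvicrype-style damage plus a known-plaintext demonstration
against a fixed-key stream cipher. Added example; not Symantec's tool or the
Trojan's code. Key, sample files and HEAD_LEN are constructed; the one-static-
key assumption is ours."""
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Standard file signatures, used as known plaintext.
MAGIC = {
    ".pdf": b"%PDF-1.",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".jpg": b"\xff\xd8\xff",
    ".gif": b"GIF89a",
}
HEAD_LEN = 8   # assumed length of the encrypted "head section" for the simulation


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def original_ext(name: str) -> Optional[str]:
    """'invoice.pdf.vicrypt' -> '.pdf'; None if the name does not end in .vicrypt."""
    if not name.lower().endswith(".vicrypt"):
        return None
    return Path(name[: -len(".vicrypt")]).suffix.lower()


def find_vicrypt(root: Path) -> List[Path]:
    return sorted(p for p in root.rglob("*.vicrypt") if p.is_file())


def head_damaged(path: Path) -> Optional[bool]:
    """True if the head no longer matches the expected magic, False if intact, None if type unknown."""
    magic = MAGIC.get(original_ext(path.name) or "")
    if magic is None:
        return None
    with open(path, "rb") as f:
        return f.read(len(magic)) != magic


def recover_keystream(cipher_head: bytes, known_plain: bytes) -> bytes:
    """Stream cipher: keystream = ciphertext XOR plaintext at the positions where plaintext is known."""
    return bytes(c ^ p for c, p in zip(cipher_head, known_plain))


def xor_with(data: bytes, keystream: bytes) -> bytes:
    """XOR the leading bytes with the recovered keystream; bytes beyond it stay as they were."""
    return bytes(c ^ k for c, k in zip(data, keystream)) + data[len(keystream):]


def simulate_trojan(root: Path, key: bytes) -> None:
    """Constructed stand-in for the described behaviour: encrypt each file's head, append .vicrypt."""
    for p in sorted(root.iterdir()):
        data = p.read_bytes()
        p.write_bytes(rc4(key, data[:HEAD_LEN]) + data[HEAD_LEN:])
        p.rename(p.with_name(p.name + ".vicrypt"))


def run_demo() -> Dict[str, object]:
    key = b"constructed-demo-key"   # constructed; not the real malware key
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "invoice.pdf").write_bytes(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj\n")   # constructed
        (root / "archive.zip").write_bytes(b"PK\x03\x04\x14\x00\x00\x00\x08\x00")         # constructed
        (root / "notes.txt").write_bytes(b"meeting notes for monday\n")                   # constructed
        simulate_trojan(root, key)
        hits = find_vicrypt(root)
        triage = {p.name: head_damaged(p) for p in hits}
        # The PDF's first 7 bytes are known, so 7 keystream bytes fall out of its ciphertext...
        pdf_head = (root / "invoice.pdf.vicrypt").read_bytes()[:HEAD_LEN]
        ks = recover_keystream(pdf_head, MAGIC[".pdf"])
        # ...and, because the same key (hence the same keystream) was used, they decrypt
        # the first 7 bytes of any other file, here enough to restore the ZIP signature.
        zip_head = xor_with((root / "archive.zip.vicrypt").read_bytes()[:HEAD_LEN], ks)
        return {"hits": [p.name for p in hits], "triage": triage,
                "keystream_bytes": len(ks), "zip_head_recovered": zip_head.startswith(MAGIC[".zip"])}


if __name__ == "__main__":
    print(run_demo())
```

The triage half is what matters on a box that, as the item notes, may have lost its Internet access: it needs no downloads and tells the responder which files were actually touched versus merely renamed. The keystream half illustrates why a free decryptor was feasible at all: a fixed-key stream cipher gives the analyst the keystream for free once one plaintext is known, and the longest known header among the victim's files bounds how much of every other file can be recovered without the key.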

40. November 2, SC Magazine – (International) German rail firm handed ‘record’ fine for data breaches. Deutsche Bahn has been fined more than 1 million euros to cover a number of serious breaches of data protection legislation dating back over the past ten years. The Berlin Data Protection Commissioner revealed that Deutsche Bahn was to be fined exactly 1,123,503.50 euros, which according to the Berlin Data Protection agency is the ‘highest penalty that a German Data Protection Inspectorate has established’. The activity for which Deutsche Bahn is being fined relates to the mass screening of employee data including names, addresses, telephone numbers and bank details against those of suppliers. This screening was carried out on at least three separate occasions in 1998, 2002/3 and 2005/6, supposedly to detect fraudulent activity and employee-fronted Scheinfirmen, or shell companies. It has been claimed that Deutsche Bahn also enlisted the services of a detective agency to assist in this screening activity. The Information Commissioner’s press release states that personal and banking information was illegally retained for ‘years’ even after suspicions had been allayed. The head of Deutsche Bahn, Hartmut Mehdorn, was forced to resign after it became apparent that 173,000 of Deutsche Bahn’s 220,000 employees had been screened this way. Deutsche Bahn has since set up a new department for data protection. A senior security adviser at Trend Micro claimed that Deutsche Bahn’s heavy-handed tactics and the size of the resultant fine amply illustrate the need for enterprises to involve employees, works councils and unions from the outset, both when defining data protection policies and also when conducting sensitive investigations. Source:

41. November 2, ComputerWorld – (International) Microsoft links malware rates to pirated Windows. Microsoft on November 2 said computers in countries with high rates of software piracy are more likely to be infected by malicious code because users are leery of applying security patches. “There is a direct correlation between piracy and the malware infection rate,” said the principal group program manager for the Microsoft Malware Protection Center. He was touting the newest edition of his company’s biannual security intelligence report. According to the manager, the link between PC infection rates — the percentage of computers that have been cleaned by the updated monthly Malicious Software Removal Tool, or MSRT — and piracy is due to the hesitancy of users in countries where counterfeit copies abound to use Windows Update, the service that pushes patches to PCs. China’s piracy rate is more than four times that of the U.S., according to Microsoft’s report, published on November 2, but the use of Windows Update in China is significantly below that in the U.S. Brazil and France also have a higher piracy rate, and lower Windows Update usage, than the U.S., Microsoft maintained. But the company’s own data does not always support the manager’s contention that piracy, and the hesitancy to use Windows Update, leads to more infected PCs. China, for example, boasted a malware infection rate — as defined by the number of computers cleaned for each 1,000 executions of the MSRT — of just 6.7, significantly lower than the global average of 8.7 or the U.S.’s rate of 8.2 per thousand. France’s infection rate of 7.9 in the first half of 2009 was also under the worldwide average. Of the three countries Microsoft called out as examples of nations whose users are reluctant to run Windows Update because of high piracy rates, only Brazil fit the manager’s argument: Brazil’s infection rate was 25.4, nearly three times the global average. By Microsoft’s tally, Serbia and Montenegro had the highest infection rate in the world, with 97.2 PCs out of every 1,000, nearly 10%, plagued by malware. Turkey was No. 2, with 32.3, while Brazil, Spain and South Korea were third through fifth, with infection rates of 25.4, 21.6 and 21.3, respectively. Source:

42. November 2, DarkReading – (International) New Trojan kills the Zeus Trojan. First there were hijacked search results, now there are hijacked links: a newly discovered Trojan redirects victims to search engine sites in order to cash in on the clicks. The so-called Opachki Trojan doesn’t do the usual search-result hijacking typically deployed by the bad guys to make money, but instead attempts to hijack all links on a page the infected user is viewing. When the user clicks on a link, the Trojan redirects him to an affiliate-based search engine site that lists multiple links. “This is the first one I’ve seen that tries to replace with arbitrary links rather than hijacking search results,” says a researcher with SecureWorks’ Counter Threat Unit. “This one goes to the page and takes all the links and makes them look like searches so the [victim] sees a search result rather than the page they thought they were going to.” Opachki basically provides the bad guys another way to make money from affiliate search engines that pay people to drive traffic to them, he says. Each time the victim clicks on one of the links at the redirected search engine site, the Opachki author gets paid a small sum of money, he says. “So to make it look somewhat legit, they have real people clicking on things so that it makes it look like that person is searching.” And interestingly, the Trojan does one good deed: if the victim’s machine is also infected by the nasty Zeus banking malware, it kills it. “Why is it deleting Zeus? [Opachki] is hooking into the browser similarly to what Zeus does. Maybe there’s some sort of conflict where they both don’t work on the same machine,” the researcher says. “I’m not sure what they’re thinking” by knocking out Zeus, he says. Opachki infections come via drive-by browser exploits, and the Trojan can do its dirty work even if the user doesn’t have administrative privileges on the machine, according to the researcher’s report on the Trojan. Source:

Communications Sector

43. November 3, The Register – (International) Hacker charged in $1m cable ISP customer cloning scheme. Federal prosecutors have charged a California man with earning $1m over a six-year period by illegally selling products that allowed customers to get high-speed internet service for free. A 26-year-old San Diego man sold software and hardware that were designed to fool Charter Communications and other internet service providers into believing the gear belonged to paying customers, the prosecutors allege. The man and his employees also offered technical support in publicly available chat forums at, the website belonging to their modem-hacking business. The hack worked by spoofing the media access control (MAC) address that acts as an electronic serial number for each modem. By replacing the unique address with one known to belong to a paying subscriber, the man’s customers were able to obtain internet service for free. Over time, his company offered additional services. One allowed users to increase their bandwidth while another made it possible to detect the MAC addresses of legitimate paying ISP subscribers. From 2003 to earlier this year, TCNISO, as the man’s company was called, generated revenue of more than $1m, according to documents filed in U.S. District Court in Boston. In addition to allowing customers to obtain internet service without paying for it, TCNISO allowed users to surf anonymously. Among those taking advantage of that benefit was a juvenile hacker who went by the moniker Dshocker. Last year, he admitted to carrying out crippling denial-of-service attacks on online rivals and placing hoax emergency phone calls that prompted them to receive visits by heavily armed police teams. The Massachusetts youth was sentenced to 11 months detention. Source:
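A MAC address is an identifier, not an authenticator, which is why cloning one works; the ISP-side signal that gives a clone away is the same MAC registering online at two physical locations at once. The following is an added example, not Charter's tooling or anything from the case, that parses constructed cable-modem provisioning log lines and flags any MAC seen online on two distinct CMTS/port locations within a short window. The log format, the field names and the 30-minute window are assumptions for the demo, not a real vendor's syntax.

```python
"""ISP-side indicator for cloned cable-modem MAC addresses over constructed
provisioning log lines. Added example; log format, field names and the
30-minute window are assumptions, not a real vendor's syntax."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) cmts=(?P<cmts>\S+) port=(?P<port>\S+) "
    r"mac=(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) event=(?P<event>online|offline)$"
)


def parse_log(lines: List[str]) -> List[dict]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            e["mac"] = e["mac"].lower()
            events.append(e)
    return events


def detect_clones(events: List[dict],
                  window: timedelta = timedelta(minutes=30)) -> Dict[str, List[Tuple[str, str]]]:
    """Return {mac: sorted locations} for MACs online at 2+ distinct (cmts, port) within `window`.

    One physical modem cannot come online on two CMTS ports minutes apart; a
    subscriber who genuinely moves shows up hours or days later and is not flagged.
    """
    online = defaultdict(list)
    for e in events:
        if e["event"] == "online":
            online[e["mac"]].append(e)
    suspects: Dict[str, Set[Tuple[str, str]]] = {}
    for mac, evs in online.items():
        evs.sort(key=lambda e: e["ts"])
        for idx, a in enumerate(evs):
            for b in evs[idx + 1:]:
                if b["ts"] - a["ts"] > window:
                    break                      # sorted, so later events are further apart still
                if (a["cmts"], a["port"]) != (b["cmts"], b["port"]):
                    suspects.setdefault(mac, set()).update(
                        {(a["cmts"], a["port"]), (b["cmts"], b["port"])})
    return {mac: sorted(locs) for mac, locs in suspects.items()}


# Constructed sample: ...4d:5e is cloned (two nodes, 13 minutes apart);
# ...11:22 rebooted in place; ...bb:01 was re-provisioned on another node 8 hours later.
SAMPLE_LOG = """
2009-11-01T07:00:05 cmts=dfw-cmts-01 port=1/0/3 mac=00:1a:2b:aa:bb:01 event=online
2009-11-01T07:30:40 cmts=dfw-cmts-01 port=1/0/3 mac=00:1a:2b:aa:bb:01 event=offline
2009-11-01T08:02:11 cmts=dfw-cmts-03 port=5/0/2 mac=00:1a:2b:3c:4d:5e event=online
2009-11-01T08:05:27 cmts=dfw-cmts-03 port=5/0/2 mac=00:1a:2b:00:11:22 event=online
2009-11-01T08:15:49 cmts=dfw-cmts-07 port=2/0/1 mac=00:1a:2b:3c:4d:5e event=online
2009-11-01T10:40:03 cmts=dfw-cmts-03 port=5/0/2 mac=00:1a:2b:00:11:22 event=offline
2009-11-01T10:42:19 cmts=dfw-cmts-03 port=5/0/2 mac=00:1a:2b:00:11:22 event=online
2009-11-01T15:00:00 cmts=dfw-cmts-05 port=3/0/4 mac=00:1a:2b:aa:bb:01 event=online
"""

if __name__ == "__main__":
    for mac, locs in detect_clones(parse_log(SAMPLE_LOG.splitlines())).items():
        print(mac, "online at", locs)
```

Detection of this kind is after the fact; the control that actually defeats cloning in DOCSIS is BPI+, which binds the modem's MAC address to an X.509 device certificate so that a clone presenting a legitimate MAC without the matching certificate fails registration when the CMTS enforces it.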

44. November 3, Data Center Knowledge – (Texas) Power Outage Affects Rackspace Cloud. Rackspace reports that parts of its Dallas data center lost power early today during testing of power distribution units (PDUs) during scheduled maintenance. This resulted in downtime for sites hosted on SliceHost and The Rackspace Cloud, including the leading tech blog TechCrunch, which ensured that the outage was widely noted on blogs and Twitter. The Dallas data center has experienced power problems before, including outages on June 29 and July 7 that prompted the Rackspace CEO to issue an apology to customers and provide a detailed explanation of the outage and the operations of the Dallas/Fort Worth facility. This morning’s problems started at about 12:30 a.m. central time. “We were testing phase rotation on a Power Distribution Unit (PDU) when a short occurred and caused us to lose the PDUs behind this Cluster,” Rackspace reported on its blog. “All power has been restored and devices are being brought back online. The PDUs were down for a total of about 5 minutes. We have aborted the maintenance for the remainder of the evening and will reschedule this for another date.” Although the PDUs were offline for only 5 minutes, many customer sites were unavailable for a longer window. Most sites returned to service by 2 a.m., while several cloud servers continued to experience problems until after 5 a.m., according to a timeline on the Cloud Servers status blog. The Rackspace DFW data center in Grapevine, Texas is the company’s largest facility, with 144,000 square feet of space. The facility in Grapevine figured into a 2007 power outage that interrupted service for many prominent web sites. In that incident, a vehicle struck a power transformer, and public safety officials turned off both the facility’s power feeds during their emergency rescue operations. Source:
