Department of Homeland Security Daily Open Source Infrastructure Report

Monday, September 21, 2009

Complete DHS Daily Report for September 21, 2009

Daily Report

Top Stories

According to IDG News Service, an Avon Lake, Ohio man is set to enter a guilty plea on September 30 to one count of illegally intercepting electronic communications after spyware he allegedly meant to install on the computer of a woman he had had a relationship with ended up infecting computers at Akron Children’s Hospital in Ohio in March. (See item 25)

25. September 17, IDG News Service – (Ohio) Misdirected spyware infects Ohio hospital. A 38-year-old Avon Lake, Ohio man is set to plead guilty to federal charges after spyware he allegedly meant to install on the computer of a woman he had had a relationship with ended up infecting computers at Akron Children’s Hospital. In late February 2008, the man spent $115 for a spyware program called SpyAgent and sent it to the woman, according to a plea agreement filed in the U.S. District Court for the Northeastern District of Ohio. He allegedly sent the spyware to the woman’s Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. Instead, she opened the spyware on a computer in the hospital’s pediatric cardiac surgery department, creating a regulatory nightmare for the hospital. Between March 19 and March 28, the spyware sent more than 1,000 screen captures to the man via e-mail. They included details of medical procedures, diagnostic notes, and other confidential information relating to 62 hospital patients. He was also able to obtain e-mail and financial records of four other hospital employees, the plea agreement states. He is set to formally enter a guilty plea on September 30 to one count of illegally intercepting electronic communications and will pay $33,000 to the hospital for damages caused by the incident. Products such as SpyAgent are marketed as legitimate tools to help employers or worried parents keep track of what is going on with their computers, but they can easily be misused to spy on innocent victims, said the director of research services with antivirus company Sunbelt Software. Still, the director faulted the hospital’s IT staff for allowing someone to download spyware from Yahoo mail and install it on their systems. “That points to a security failing at that hospital, but then they aren’t that different from 99 percent of companies out there,” he said. Source:

KSNW 3 Wichita reports that authorities are searching for vandals who used tools on the control valves of the Horsethief Reservoir in Hodgeman County, Kansas to partially open a spillway gate on September 10, releasing nearly 135 million gallons of water. An arrest in the case could lead to misdemeanor charges. But should it happen again, officials say the crime could be considered an act of terrorism. (See item 39)

39. September 17, KSNW 3 Wichita – (Kansas) Vandals spill millions of gallons of water from reservoir. Millions of gallons of water have escaped a Kansas dam. The problem is that it was not supposed to happen and now authorities are calling the case a crime. The incident happened September 10 and now authorities are searching for who is responsible for tampering with the recently-completed Horsethief Reservoir in Hodgeman County. It was only last week that Horsethief Reservoir passed state inspection. The quality of construction was checked out, but maybe they should have looked at one more thing — security. “Somebody broke in, climbed over the fence, and let just a little bit of water out,” said the park manager. Officials say it was a calculated case of vandalism where someone used tools on the control valves to partially open a spillway gate. Nearly 135 million gallons were released into Buckner Creek — that’s about two inches off the lake. But since it was a controlled release there was no imminent danger to life or property down the stream. “We lost a little bit of water, but we’ve still got plenty of water coming in and we’re actually letting water out downstream now,” he said. KSN spoke to officials with the Department of Agriculture who recently inspected the dam and they admit it never occurred to them to check valve security. They say now there will be some more thought put into that when looking at reservoirs in the future. The dam has since added a few safety measures. With a new security light and chains now on the valves, dam officials say they are confident this will not happen again. The Hodgeman Sheriff’s Department will continue to work on making the reservoir more secure and have notified the Kansas Bureau of Investigation of the incident. So far, the sheriff says they have no suspects and no motive at this time. An arrest in the case could lead to misdemeanor charges. But should it happen again, officials say the crime could be considered an act of terrorism. Source:


Banking and Finance Sector

10. September 18, Dow Jones Newswires – (National) FDIC’s Bair: May borrow from Tsy to shore up deposit insurance. The Federal Deposit Insurance Corp. Chairman said her agency is considering borrowing from the U.S. Treasury to replenish its deposit insurance fund. Using the FDIC credit line with the Treasury is one option under consideration, the chairman said on September 18 after a speech in Washington. Other options include hiking assessments on banks or requiring them to prepay assessments, she added. Source:

11. September 18, Sarasota Herald-Tribune – (National) U.S. proposes ban on ‘Flash’ trading on Wall Street. It is an obscure art of Wall Street, a technique that gives a scattering of traders an edge over everyone else — and the Securities and Exchange Commission wants to stamp it out. The SEC on September 17 proposed banning what are known as flash orders, which use powerful computers to glimpse at investors’ orders. The practice is often associated with a controversial corner of finance called high-frequency trading, which has grown, largely hidden from view, into a potent force in the markets. The proposed ban was announced on the same day that the SEC put forward new rules for credit ratings agencies, which were widely criticized for their role in the financial crisis. Together, the moves telegraphed a tougher line from the commission after a series of prominent missteps, including its failure to spot the largest Ponzi scheme in history. Critics say flash orders favor sophisticated, fast-moving traders at the expense of slower market participants. Using lightning-quick computers, high-frequency traders often issue and then cancel orders almost simultaneously and get an early peek at how others are trading. The chairwoman of the SEC said on September 17 that in proposing the ban, the commission was trying to balance the often competing interests of long-term investors and short-term traders. The proposal requires a second vote by the commission to become binding. Source:

12. September 17, Associated Press – (National) Gov’t considers crackdown on loan help payments. The head of the Federal Trade Commission said on September 17 the agency is considering banning upfront payments to companies that advertise help for borrowers who are in trouble on their home loans. Government officials say scammers seeking to take advantage of borrowers in danger of default often charge upfront fees of $1,000 to $3,000 for help with loan modifications that rarely, if ever, pay off. “If you are concerned about keeping your home, avoid any company that asks you for a large fee in advance. That is a real red flag,” said the chairman of the FTC. Such upfront fees are already prohibited in 20 states. His comments came as his agency announced it filed civil charges against two companies, San Diego-based Nations Housing Modification Center and Infinity Group Services of Orange County, California. The government accused both companies of charging homeowners large fees for assistance in working with their lenders, but doing “little or nothing” to actually help borrowers. Separately, the agency filed additional charges against New Jersey-based United Credit Adjusters, Inc. The company, which was already targeted by the government in a credit repair scam, was accused of running a loan modification scheme under the name Loss Mitigation Services Inc. Source:

For another story, see item 31 in Information Technology

Information Technology

30. September 18, The Register – (International) Carder forum drops offline after hack attack. A Pakistan-based carder site has dropped off the net, after white hat hackers broke into the forum and posted details of the hack on a full disclosure mailing list. provided a forum for ne’er-do-wells to discuss hacking tactics and trade malware, bank login details and stolen credit card credentials. However, this activity was interrupted after login details for the forum and email addresses were posted online following a break-in. A previously unknown group called War Against Cyber Crime claimed credit for the hack. The group expressed the hope that law enforcement agents will begin an investigation against individuals named on the leaked list. Meanwhile, the site remains unavailable. Net security firm F-Secure, which was among the first to record the takedown hack, said it reckons the forum is unlikely to reappear. More details of the hack, including screenshots, can be found in a blog entry by F-Secure. Source:

31. September 18, The Register – (International) World’s nastiest trojan fools AV software. One of the world’s nastiest password-stealing trojans evades detection on the majority of PCs running anti-virus (AV) programs, according to a study that examined 10,000 machines. Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of the time by AV programs, according to the study released by security firm Trusteer. Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said. Zeus, which also goes by the names Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC’s browser process. A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer’s study, which found Zeus accounted for 44 percent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging programs. Of Zeus-infected machines, about 31 per cent do not run AV at all and 14 percent run AV that is out of date. The remaining 55 percent had AV programs that were up to date. Source:

32. September 17, CNET News – (International) Microsoft sues over malicious online ads. Aiming to crack down on a growing problem, Microsoft said it filed five lawsuits on September 17 against parties it suspects of posting online advertisements laden with malicious code. Microsoft has tried to work with ad networks to thwart such “malvertising” in the past, but this is the first time it has gone to court. “Our filings in King County Superior Court in Seattle outline how we believe the defendants operated, but in general, malvertising works by camouflaging malicious code as harmless online advertisements,” the Microsoft associate general counsel said in a blog posting. In each case, Microsoft is suing the unknown parties responsible for the ads. “Although we don’t yet know the names of the specific individuals behind these acts, we are filing these cases to help uncover the people responsible and prevent them from continuing their exploits,” the associate general counsel said. Recently, the New York Times’ Web site was hit with a rogue advertisement that told readers that their computer may be infected with a virus and redirected them to a site that purports to offer antivirus software. Microsoft likened the latest lawsuits to prior legal action that it has taken against those suspected of click fraud or instant messaging spam. Source:

33. September 17, IDG News Service – (International) Sophisticated botnet causing a surge in click fraud. A new botnet has caused a sharp spike in click fraud because it is skirting the most sophisticated filters of search engines, Web publishers and ad networks, according to Click Forensics. The company, which provides services to monitor ad campaigns for click fraud and reports on click fraud incidence every quarter, said on September 17 that the botnet’s architects have figured out a way to mask it particularly well as legitimate search ad traffic. Click Forensics is calling this the “Bahama botnet” because initially it was redirecting traffic through 200,000 parked domains in the Bahamas, although it now is using sites in Amsterdam, the U.K. and Silicon Valley. Click fraud affects marketers who spend money on pay-per-click (PPC) advertising on search engines and Web pages. It happens when a person or a machine clicks on a PPC ad with malicious intent or by mistake. For example, a competitor may click on a rival’s PPC ads in order to drive up their ad spending. Also, a rogue Web publisher may click on PPC ads on its site to trigger more commissions, which is probably what’s behind the Bahama botnet. Click fraud also includes nonmalicious activity that nonetheless yields a click of little or no value to the advertiser, such as when someone clicks on an ad by mistake or two consecutive times. Click Forensics has been warning recently that click fraud scammers are increasingly resorting to botnets, which are networks of computers that have been secretly compromised for a variety of malicious tasks. In a piece of extremely bad news for advertisers running PPC campaigns, Click Forensics has seen worst-case scenarios in which as much as 30 percent of a monthly ad budget is swallowed by Bahama botnet click-fraud traffic. Source:

Communications Sector

34. September 17, Broadcast Engineering – (Utah) Lightning strike disrupts transmission of Utah broadcasters. Lightning struck a television transmission tower atop Farnsworth Peak, about 17 miles southwest of downtown Salt Lake City, on September 13, taking eight full-power DTV stations off the air. The incident, which occurred at about 9 p.m., knocked four of the stations off the air for about 90 minutes. DTV transmission resumed for the remaining four stations at about 1:30 a.m. on September 14, said the KSL chief engineer. The stations included: KSL, the Bonneville International-owned NBC affiliate in Salt Lake City; Four Points Media Group-owned CBS affiliate KUTV in Salt Lake City; Newport Television-owned ABC affiliate KTVX in Salt Lake City; PBS member station KUED in Salt Lake City; Utah State Board of Regents station KUEN in Ogden, UT; PBS member station KBYU in Provo, UT; Larry H. Miller-owned KJZZ in Salt Lake City; and High Plains Broadcasting-owned CW Television affiliate KUCW in Ogden, UT. DTV Utah, an alliance of the stations, operates a shared RF infrastructure on Farnsworth Peak, which includes two combiners, one each for four channels, and two antennas in the main structure, one of which sustained the lightning strike, as well as a backup antenna. The lightning strike on the tower caused a failure of the waveguide switch control system, said the engineer. “The strike put one of the combiner chains into an illegal condition, which caused the output (of one of the combiners) to be fed back into the input (of the other combiner),” he said. Source: