Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, October 1, 2009

Complete DHS Daily Report for October 1, 2009

Daily Report

Top Stories

 The Minneapolis Star Tribune reports that school officials in Princeton, Minnesota closed all of the district’s schools on Wednesday because of a reported bomb threat. The Princeton Union-Eagle reported that police are investigating a number of suspicious packages that have been found at the city post office, the high school, and the local public utility commission office. (See item 34)

34. September 30, Minneapolis Star Tribune – (Minnesota) 3 possible bombs investigated in Princeton. School officials in Princeton, Minnesota closed all of the district’s schools at 9:30 a.m. because of a reported bomb threat. The school district’s web site announced shortly before 8:30 a.m. that it was sending all of its 3,500 students home as what it called “a precautionary measure.” Princeton police are investigating a number of suspicious packages that have been found around the city, a department dispatcher said. No new developments had been reported as of 10 a.m., she said. Police blocked several city streets early this morning. The Princeton Union-Eagle reported that suspicious packages had been found at the city post office, the high school, and the local public utility commission office. The St. Paul police department dispatched members of its bomb squad to Princeton to assist local officers. According to the school district, students from the high school and an elementary school have already been taken to the middle school and North Elementary, where buses will pick them up. Children will be allowed to get off buses only if adults are present at bus stops, the district said. Children who are not met by adults will be returned to the middle school. Source:

 ABC News and the Associated Press report that the U.S. President has declared the U.S. territory of American Samoa a major disaster after an undersea earthquake caused a tsunami and massive flooding that has reportedly killed more than 90 people in the South Pacific Samoan Islands and the islands of Tonga. A spokesperson of Samoa Hotel Association told the BBC that the tourism business on the South Coast is “completely wiped out.” (See item 47)

47. September 30, ABC News and Associated Press – (American Samoa; International) President Obama declares American Samoa a major disaster. The U.S. President has declared the U.S. territory of American Samoa a major disaster after an undersea earthquake caused a tsunami and massive flooding that has reportedly killed more than 90 people in the South Pacific Samoan Islands and the islands of Tonga. At least 100 people are dead and dozens are missing. The President’s declaration makes federal funding available to people in American Samoa, which has a population of about 65,000 people. The 8.2 magnitude quake triggered huge waves that overtook small villages. The initial quake was followed by at least three aftershocks of at least 5.6 magnitude. The quake struck early Tuesday morning in American Samoa and the independent nation of Samoa just as people were preparing to go to work, taking citizens by surprise. The Associated Press has reported that at least 99 people were killed. That includes at least 24 people in American Samoa, according to the territory’s acting governor. Officials say the death toll is likely to rise with dozens missing. A woman who works at a hotel in the Samoan capital of Apia said the area shook unlike any previous earthquake. “All the houses were shaking,” she told ABC News. “Really stronger than other earthquakes that we had before.” Speaking in Honolulu, the territory’s acting governor said he has received reports of the destruction of several coastal villages. A spokesperson of Samoa Hotel Association told the BBC that there was total devastation on the islands. “The South Coast, the low lying areas where a lot of people live and operate tourism business is completely wiped out, absolutely nothing standing. Even concrete buildings are all gone.” Source:


Banking and Finance Sector

13. September 30, Wired – (International) New malware re-writes online bank statements to cover fraud. New malware being used by cybercrooks does more than let hackers loot a bank account; it hides evidence of a victim’s dwindling balance by rewriting online bank statements on the fly, according to a new report. The sophisticated hack uses a Trojan horse program installed on the victim’s machine that alters HTML coding before it is displayed in the user’s browser, to either erase evidence of a money transfer transaction entirely from a bank statement, or alter the amount of money transfers and balances. The ruse buys the crooks time before a victim discovers the fraud, though it will not work if a victim uses an uninfected machine to check his or her bank balance. The novel technique was employed in August by a gang who targeted customers of leading German banks and stole Euro 300,000 in three weeks, according to the chief technology officer of computer security firm Finjan. The victims’ computers are infected with the Trojan, known as URLZone, after visiting compromised legitimate web sites or rogue sites set up by the hackers. Once a victim is infected, the malware grabs the consumer’s login credentials to their bank account, then contacts a control center hosted on a machine in Ukraine for further instructions. The control center tells the Trojan how much money to wire transfer, and where to send it. To avoid tripping a bank’s automated anti-fraud detectors, the malware will withdraw random amounts, and check to make sure the withdrawal does not exceed the victim’s balance. The money gets transferred to the legitimate accounts of unsuspecting money mules. Source:

14. September 30, Washington Post – (District of Columbia) Petri dishes found near FBI harmless. Someone slid a few petri dishes into the overnight deposit box at the Wachovia bank across the street from FBI headquarters, causing a false alarm and three hours of street closures Tuesday on Pennsylvania Avenue in the District of Columbia. A bank employee called police after a worker processing the morning’s take discovered the empty but sealed plastic dishes, according to a District Fire and Emergency Medical Services Department spokesman. The workers were quarantined, and a hazardous materials team entered the branch. The team conducted several field tests, which all came out negative for any biological or chemical contaminant. Source:

15. September 29, South Florida Business Journal – (Florida) SEC targets virtual reality company. A Delray Beach-based virtual reality technology company is the target of a Securities and Exchange Commission investigation into boiler room fraud. The company, 3001 AD LLC, along with its principals and three former sales agents, is alleged to have raised about $20 million from about 500 investors nationwide between 1998 and 2008 through what the SEC said was a “maze of unregistered offerings” that hyped the company’s products. The investors were told, among other things, that the sales commissions they paid were significantly less than they actually were, and that an initial public offering was imminent, when, in fact, no steps had been taken to take the company public. The SEC complaint, filed Tuesday in U.S. District Court for the Southern District of Florida, also alleges that the company told investors that Microsoft, Apple, and a former Disney CEO were investors, even though they had no interest in the company. Source:

Information Technology

41. September 30, IT Pro – (International) Symantec sees new botnet players emerge. New botnets have emerged from the taking down of ISPs hosting botnet activity in the last year, according to Symantec. Botnets are now responsible for sending 87.9 percent of all spam, with a newer botnet called Maazben experiencing rapid growth in May by spewing out casino-related spam emails, according to a MessageLabs Intelligence Report. Maazben’s growth has accelerated over the past month, from 0.5 percent of all spam in August to 1.4 percent of all spam in September. A MessageLabs Intelligence senior analyst said in a statement that the number of ISPs being taken offline for hosting botnet activity had resulted in a case of older botnets sinking and newer botnets taking their place. He said: “This has undermined the power of the more dominant botnets like Cutwail and cleared the way for new botnets like Maazben to emerge.” However, one of the oldest and largest botnets, Rustock, had doubled in size since June — it is the only botnet to have a regular spam cycle. Research published this month also claimed that the decline in domain tasting — the practice of cancelling domain registrations within the five-day grace period — had changed the malicious nature of Web sites. The research reported that malicious domains were now likely to be older, compromised Web sites rather than newly registered domains with a short lifespan as was the case a year ago. Source:

42. September 29, The Register – (International) Researcher: No emergency patch for critical Windows bug. A security researcher has downplayed the significance of publicly released attack code exploiting a critical vulnerability in newer versions of Windows, saying it is not reliable enough to force Microsoft to issue an emergency patch. The exploit, which on Monday was folded into the open-source Metasploit penetration testing kit, is at best successful only 50 percent of the time, said the CTO of security firm Immunity. Given the burden of releasing out-of-schedule patches, Microsoft is unlikely to do so in this case. The vulnerability, which surfaced three weeks ago, resides in file-sharing technology called SMB2, short for server message block version 2, which was first added to Windows Vista and later made its way into newer versions of the operating system. While the Metasploit exploit is sophisticated, it is frequently thwarted by a security measure known as ASLR. Short for address space layout randomization, it picks a different memory location to load system components each time the OS is started. Without being able to predict where required code will be located, the Metasploit attack is not reliable enough to prompt Microsoft to take the drastic step of releasing a patch outside of the regularly scheduled update cycle. The Metasploit exploit in many cases is able to get around ASLR by targeting memory locations that are predictable when Windows is running on VMware. But when the exploit targets the OS running directly on a computer, the success rate can be as low as 10 percent. By contrast, the exploit released by Immunity is much more reliable, he said, “but we poured a ton of resources into it.” Based on his review of the Metasploit code, he predicted it would take another two weeks for it to become fully reliable. The SMB2 bug is significant because it can allow attackers to remotely execute malware and affects code that was added to Vista under Microsoft’s SDL, or secure development lifecycle, a rigorous process designed to prevent precisely these kinds of vulnerabilities. Source:

Communications Sector

43. September 30, MacNN – (New York) Apple tech claims 30 percent drop rate for NYC iPhone calls. Nearly a third of all iPhone calls made in the New York City area are dropped, according to a Genius Bar technician at Apple’s SoHo retail store. A person who recently brought his iPhone 3G to the outlet says he complained of being repeatedly disconnected, thinking the issue was related to faulty hardware. On testing, the Genius reportedly discovered that over 22 percent of the phone’s calls had been dropped. That result is actually better than normal, the technician claims, citing a regional average of 30 percent. The problem is, moreover, alleged to lie with AT&T’s network, not iPhones, meaning that no solution may exist for New York City residents short of abandoning the iPhone or pressuring AT&T into increasing its depth of coverage. Most complaints about AT&T’s iPhone service have typically revolved around data, as a large number of 3G users will frequently overwhelm bandwidth and block people from using a full-speed connection. Source:

44. September 30, Agence France-Presse – (International) U.S. agrees to greater international oversight of Web body. The U.S. Commerce Department and the private sector corporation which administers the Web unveiled an agreement on Wednesday that opens up the body to greater international oversight. The new agreement loosens U.S. control over the Internet Corporation for Assigned Names and Numbers (ICANN) and creates four review panels in a move designed to bring greater accountability to the organization. The review panels will include government representatives and will examine the work of ICANN in key areas. ICANN is the California-based non-profit that manages the Domain Name System (DNS) and Internet Protocol addresses that form the technical backbone of the Web. Since 1998, it has operated under an agreement with the U.S. Commerce Department’s National Telecommunications and Information Administration. That agreement expired on Wednesday and was replaced with a new document called an “Affirmation of Commitments.” The expiry of the agreement comes at a critically important time with ICANN poised to expand the number of generic top-level domains (gTLDs) such as .com, .net, and .org, a controversial move that would greatly increase the number of available addresses. The review panels created under the new agreement will examine such issues as “accountability, transparency and the interests of global Internet users” and “promoting competition, consumer trust, and consumer choice.” The United States will retain a permanent seat on the accountability panel. Source:

45. September 30, Local Tech Wire – (North Carolina) AIT hosting services back online after ‘catastrophic’ router failure. Fayetteville-based Advanced Internet Technologies, Inc. went offline for much of the day Tuesday as a result of a “catastrophic core router failure,” a spokesman said. Service was restored Tuesday night. The company provides web hosting, domain registration, and other Web services. In an e-mail to clients, the company acknowledged that the company Web site, e-mail servers, FTP services, and hosted sites were all unavailable. The e-mail said, “We are currently working with Cisco Engineers to return service to operational status. We should have services returned shortly to you.” According to AIT, the company hosts more than 210,000 Web sites. Source:

46. September 30, Mobile Burn – (National) CTIA asks FCC to free up 800MHz of additional wireless spectrum. The CTIA Wireless Association has issued a statement to the Federal Communications Commission asking the federal agency to open up more wireless spectrum to networks in order to encourage innovation and competition, warning that demand may soon outpace supply. The organization pointed to the “virtuous cycle” of the mobile industry: When spectrum is expanded, networks upgrade capacity, handsets are developed to utilize the new upgrades, and creatives make content to take advantage of the new handset features. “...Ultimately, consumers demand more,” the organization stated. “It’s a cycle that never ends as long as spectrum is available.” The CTIA hopes that the FCC will allocate up to 800MHz of spectrum over the next six years in addition to the 410MHz already available. It also asked the agency to allocate 50MHz of readily-available spectrum in the short-term. Source: