Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, October 22, 2009

Complete DHS Daily Report for October 22, 2009

Daily Report

Top Stories

Fox News and the Associated Press report that a 15-year-old boy was arrested Monday and is being held in a psychiatric hospital after he stockpiled gasoline, propane, fuses, and a machete for a planned attack at the Monroe-Woodbury High School in Monroe, New York on the anniversary of the Columbine High School killings, police said. (See item 28)

28. October 20, Fox News and Associated Press – (New York) New York teen arrested in Columbine-style plot. A 15-year-old boy is being held in a psychiatric hospital after he stockpiled gasoline, propane, fuses and a machete for a planned attack at a New York school on the anniversary of the Columbine High School killings, police said. The boy, whose name was withheld, was arrested Monday evening after police searched his home in Monroe, 45 miles northwest of New York City. Police found 16-ounce bottles of gasoline, a torch, a machete, a black trench coat, two computers, three propane tanks and several other electronic devices, reported. Police say he told them he planned to attack the Monroe-Woodbury High School on April 20 and was looking to buy an assault rifle. Police say the boy recently transferred to another school and harbored grudges against former classmates. Police say it appears he acted alone. The Monroe-Woodbury superintendent said the willingness of students to come forward with information averted any threat to the district. Source:,2933,568740,00.html?test=latestnews

According to the Associated Press, a pharmacy college graduate in Boston appeared in federal court Wednesday, hours after being charged with conspiring with two other men in a terror plot to kill two prominent U.S. politicians and attack shoppers in U.S. malls and American troops in Iraq. (See item 41)

41. October 21, Associated Press – (National) Feds: Mass. man planned terror attacks on U.S. malls. A graduate of the Massachusetts College of Pharmacy in Boston appeared in federal court Wednesday, hours after being charged with conspiring with two other men in a terror plot to kill two prominent U.S. politicians and attack shoppers in U.S. malls and American troops in Iraq. Authorities say the men’s plans were thwarted in part when they could not find training and were unable to buy automatic weapons. The 27-year-old suspect was arrested Wednesday morning at his parents’ home in Sudbury and appeared for a brief hearing later in the day. Prosecutors say he worked with two men from 2001 to May 2008 on the conspiracy to “kill, kidnap, maim or injure” soldiers and two politicians who were members of the executive branch but are no longer in office. Authorities refused to identify the politicians. The suspect conspired with an identified man, who authorities say is now in Syria, and an unnamed man, who is cooperating in the investigation. The three men often discussed their desire to participate in “violent jihad against American interests” and talked about “their desire to die on the battlefield,” prosecutors said. But when they were unable to join terror groups in Iraq, Yemen, and Pakistan, they found inspiration in the Washington-area sniper shootings and turned their interests to domestic terror pursuits while they plotted the attack on shopping malls, authorities said. The suspect had “multiple conversations about obtaining automatic weapons and randomly shooting people in shopping malls,” said an Acting U.S. Attorney. Prosecutors would not say which malls had been targeted. The attorney said the men justified attacks because U.S. civilians pay taxes to support the U.S. government and because they are “nonbelievers.” The mall plan was abandoned after the men failed to track down automatic weapons, the Attorney said. The suspect, a U.S. citizen, was arrested in November and charged with lying to the FBI in December 2006 when asked the whereabouts of a man who is now serving a 10-year prison sentence for training with al-Qaida to overthrow the Somali government. Authorities said Wednesday that the suspect and his conspirators had contacted the man about getting automatic weapons for their planned mall attacks. Source:


Banking and Finance Sector

11. October 21, Globe and Mail – (International) MoneyGram fined $18-million in cash-transfer scams. The FTC alleges that MoneyGram allowed its system to be used by fraudulent telemarketers, most based in Canada, to bilk thousands of Americans out of more than $80-million (U.S.). The commission said the real loss is far higher, because only about one-quarter of consumer fraud cases are reported. MoneyGram has agreed to pay $18-million (U.S.) to settle the allegations, representing the amount it made on transfer commissions. It must also implement a sweeping anti-fraud and agent monitoring program. The FTC said U.S. consumer complaints involving money transfers to Canada more than doubled from 2003 to 2007. The FTC alleged that MoneyGram ignored thousands of complaints about a group of roughly 100 agents in Canada who handled close to $100-million in transfers annually. Roughly 99 Canadian MoneyGram agents had previously been fired or suspended by Western Union over allegations of fraud, court filings alleged, and MoneyGram did few, if any, background checks. Some MoneyGram agents in Ontario knowingly accepted fake identification from cash recipients for years while others directed telemarketing scams, the FTC alleged. At least 65 agents have been charged or are under investigation in Canada by the RCMP, the agency said in court filings. Source:

12. October 20, Arizona Republic – (Arizona) Scottsdale police warning residents of banking scam. An ongoing banking scam is attempting to con people out of their money. The Scottsdale Police Department’s Financial Crimes Unit said that the scammers send texts and e-mails posing as a bank. The message tells the potential victim that their debit card account is about to be deactivated and that the victim must provide the scammers with their debit card number so they can reactivate it. The messages attempt to look authentic by giving the name of the bank and the six-digit Bank Identification Number. Through the e-mails, the scammers link to a fake Web site, often modeled to look like an actual bank Web site, according to police. The texts come from a variety of numbers that, when called, redirect to a phone tree that prompts the caller to enter their 16-digit debit card number. There is seemingly no other option available to the caller, and the system appears to recognize false numbers. Depending on the response of the recipient, or lack of a response, more messages may be sent with an increasingly intimidating tone, police said. Several banks in different jurisdictions have reported the scam, with similar, if not identical, processes. Scottsdale police say that the scammers are not based in Arizona. Source:

Information Technology

34. October 21, The Register – (International) Kanye West death prank used to sling scareware. Rumours of the death of a popular rapper in a car crash became fodder for fake anti-malware scams on October 20. Users searching for more info on the fictitious fatality are liable to get redirected to sites distributing scareware, security researchers warn. The rumour itself reportedly originated on notorious image board 4chan, the seeding ground for the Anonymous campaign against Scientology. Bogus reports, claiming the rapper died in a crash involving two luxury cars in Los Angeles, subsequently appeared in email as well as on social network sites such as Facebook and Twitter. These reports did not themselves point to malware-infested sites but made the topic of the rapper’s supposed demise a trending topic on Twitter and elsewhere. Hackers latched onto this to poison search results related to the rapper’s fictitious death. Source:

35. October 20, DarkReading – (National) DHS secretary says cabinet-level IT position unnecessary. The Secretary of the Department of Homeland Security (DHS) today basically dismissed the concept of a cabinet-level IT position for technology and cybersecurity, noting that IT networks and services underlie most operations today. The DHS Secretary delivered an unprecedented Web address on October 20, which came on the heels of a video address on cybersecurity by the U.S. President last week, urging citizens and businesses to help in the fight against cybercrime and cyberattacks, and detailing her department’s role in the fight. In a brief Q&A session following her online speech, she said, “It’s really hard to segregate [IT] out.” “I’m not sure that I think that a cabinet-level position is necessary. And the reason is that cyber runs through everything that we do as a government,” she said when asked why there was no cabinet-level IT position. “I think one of the things we’re learning as we enter this new cyber arena is that segregating it into an IT function is no longer adequate. Again, as my remarks suggested, cyber is part of everything we do, from the most basic transaction.” Cyber should be “part of our thinking in all departments,” she said. “But added to that now, the president has included a chief technology officer, a chief information officer, in the White House, and he will be appointing a coordinator for cyber within the White House to help make sure that cyber is part of all that we do throughout the vast array of the federal government as we move forward.” Source:;jsessionid=PF5R5YO1TPNHDQE1GHPSKHWATMY32JVN?articleID=220700409

36. October 20, DarkReading – (International) Automotive industry hit hardest by spam: Panda. Panda Security, the Cloud Security Company, revealed on October 20 the results of its three-month-long study from July to September 2009 on the prevalence of spam across a range of industries. Investigating 11 sectors, including automotive, insurance, banking, tourism, construction, food and others, Panda analyzed the email traffic generated by 867 companies in 22 countries throughout the U.S. and Europe and found that the automotive industry is the top recipient of spam and email-borne malware. In total, more than 503 million messages were analyzed. The overall aim of the study was to compare the prevalence of spam and malware across different business sectors. Following automotive, the electronics sector and government institutions rounded out the top three recipients of spam and email-borne malware with ratios of 99.89, 99.78 and 99.60 percent, respectively. This ratio represents the percentage of spam or malicious messages in relation to all email received. Consequently, this means that just 0.11 percent of mail received by businesses in the motor industry is legitimate (similarly 0.22 percent in the electronics sector, and 0.40 percent in government institutions). Interestingly, the banking sector, predicted by many to be a prime target, featured near the bottom of the ranking with a ratio of 92.48 percent. The education and tourism sectors close the ranking with figures of 87.98 and 87.22 percent. Banker Trojans were responsible for approximately 70 percent of all malware detections. These were followed by adware/spyware at 22 percent, with the remainder accounted for by viruses, worms, etc. Source:

37. October 20, IDG News Service – (International) Hackers change tactics, Gumblar attacks surge again. Security researchers are seeing a resurgence of Gumblar, the name for a piece of malicious code that is spread by compromising legitimate but insecure Web sites. In May, thousands of Web sites were found to have been hacked to serve up an iframe, which is a way to bring content from one Web site into another. The iframe led to the “” domain. Gumblar would then try to exploit the user’s PC via software vulnerabilities in Adobe Systems products such as Flash or Reader and then deliver malicious code. Gumblar has also now changed its tactics. Rather than hosting the malicious payload on a remote server, the hackers are now putting that code on compromised Web sites, vendors IBM and ScanSafe say. It also appears Gumblar has been updated to use one of the more recent vulnerabilities in Adobe’s Reader and Acrobat programs, according to IBM’s Internet Security Systems Frequency X blog. The hackers know that it’s only a matter of time before a malicious domain is shut down by an ISP. The new tactic, however, “gives them a decentralized and redundant attack vector, spread across thousands of legitimate websites around the world,” IBM said. To help avoid detection, the bad code that is uploaded to the legitimate Web sites has been molded to match “existing file structures,” IBM said. It also has been scrambled or obfuscated to try to avoid detection. Source:

Communications Sector

38. October 21, Broadband DSL Reports – (National) Time Warner Cable security flaw exposes 65,000. A vulnerability in a Time Warner combination Wi-Fi router and cable modem could allow a hacker to remotely access the device’s administrative menu over the internet, according to a blogger. Time Warner Cable has confirmed the flaw, which impacts some 65,000 Time Warner Cable broadband users. According to the blogger, he discovered the vulnerability when trying to change the unit’s default encryption from WEP to WPA2, only to find the unit’s administration functions were disabled via JavaScript. The blogger simply disabled JavaScript in his browser: “The extra features that I now had access to included a little item called ‘Back Up Configuration File.’ When I clicked it, a text dump of the router’s configurations was saved to my desktop. Upon examination of this file, I found the admin login & password in plaintext. Another issue which was alarming was the fact that by default, the web admin is accessible from ANYWHERE on the internet. By running a simple port scan of Time Warner IP addresses, I easily found dozens of these routers, open to attack.” The blogger claims he got in touch with Time Warner Cable’s security department four weeks ago, but was told “we are aware of it but we cannot do anything about it.” Time Warner Cable says they are aware of the router vulnerability and are working quickly to resolve the issue. They also note that the unit, made by SMC, only comprises a small portion of their 14-million-customer base. Source:

39. October 20, Web Host Industry Review – (National) US data center demand outpaces supply by three times. The demand for data center space is outpacing the supply by three times in the United States, said the EVP and director of the National Data Center Practice at Grubb & Ellis in his presentation on October 20 at the DatacenterDynamics conference. This is a drastic turnaround from the lack of US high-tech real estate leasing activity seen in the first half of the year. The director says that 32 percent of the leased data center space is up for renewal between now and 2013, while colocation and wholesale data center prices are up by 15 percent. There is also stronger demand for smaller transactions, specifically for facilities with a capacity of 300 to 800 kW. Data center operators are increasingly using modular designs, with POD sizes from 9,000 to 10,000 square feet. Other data center trends include a market consisting mostly of social networking, virtualization platform providers and hosting providers. The director adds that organizations in the healthcare sector are also expected to increase their footprint as more organizations begin to digitize their medical records and the stimulus package funds continue to be distributed. Chicago is currently leading the rest of the country in colocation services, while latency is increasingly becoming an important factor for data center operators that target the financial sector. Source:

40. October 20, CNET – (International) Leaking crypto keys from mobile devices. Security researchers have discovered a way to steal cryptographic keys that are used to encrypt communications and authenticate users on mobile devices by measuring the amount of electricity consumed or the radio frequency emissions. The attack, known as differential power analysis (DPA), can be used to target an unsuspecting victim either by using special equipment that measures electromagnetic signals emitted by chips inside the device or by attaching a sensor to the device’s power supply, the vice president of technology at Cryptography Research said on October 20. An oscilloscope can then be used to capture the electrical signals or radio frequency emissions and the data can be analyzed so that the spikes and bumps correlate to specific activity around the cryptography, he said. “While the chip performs cryptography it is massaging the secret key around in various ways. This processing causes information about the key to leak through the power consumption itself,” said the vice president. Smartphones and PDAs have been found to leak data unless they have countermeasures in place to protect against it. Source: