Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, November 5, 2009

Complete DHS Daily Report for November 5, 2009

Daily Report

Top Stories

 Occupational Health and Safety reported on November 3 that the California Nurses Association/National Nurses Organizing Committee and the Catholic Healthcare West hospital chain have reached a settlement that organizers say sets a national benchmark for protecting workers as well as patients and for containing the spread of pandemics such as H1N1. (See item 36)

36. November 3, Occupational Health and Safety – (California; Nevada) Nurses, hospital reach ‘historic agreement’ on pandemic protection. In what is being hailed as an “historic agreement,” the California Nurses Association/National Nurses Organizing Committee (CNA/NNOC) and the Catholic Healthcare West hospital chain have reached a settlement that organizers say sets a national benchmark for protecting workers as well as patients and containing the spread of pandemics such as H1N1. The settlement, which averted a strike that had been set for October 30, covers 13,000 registered nurses in 32 CHW facilities in California and Nevada. Under the agreement, the hospital chain will ensure safe staffing standards, reduce the assignment of RNs to areas outside their clinical expertise or orientation, and drop management’s proposed reduction in nurses’ health care coverage. Importantly to CNA/NNOC, the agreement also creates a new system-wide emergency task force, made up of CNA/NNOC RNs and hospital representatives, to be convened following the declaration of a pandemic emergency. The task force set up by the settlement will monitor system-wide preparedness and set uniform standards on full implementation of federal, state, and local guidelines, availability of on-site protective safety equipment, communication and training policies for all hospital personnel, and other needed steps, such as consideration of off-site emergency triage and treatment. Source:

 According to the Associated Press, an Army Special Forces soldier has been arrested following the discovery of about 100 pounds of explosives outside his Tennessee home. Federal and military officials searched his home on November 2 after a pair of hunters found the C-4 plastic explosive in a field by the house. (See item 41)

41. November 2, Associated Press – (Kentucky; Tennessee) Soldier arrested on explosives charge. An Army Special Forces soldier has been arrested following the discovery of about 100 pounds of explosives outside his Tennessee home. Federal and military officials searched his home early Monday morning after a pair of hunters found the C-4 plastic explosive in a field by the house outside Clarksville. The house is near Fort Campbell, a sprawling Army post on the Tennessee-Kentucky border where the soldier is based. A spokeswoman for Army Special Forces at Fort Campbell, said the soldier, who was not identified, is currently being held in the county jail. The spokeswoman said the search was conducted by agents from the Bureau of Alcohol, Tobacco, Firearms and Explosives, the FBI and U.S. Army criminal investigators. A spokesman for the Montgomery County sheriff, said the explosives found late Sunday evening appeared to be military ordnance. Another Fort Campbell soldier was arrested in October and charged with selling four stolen hand grenades and a stolen anti-tank rocket to an undercover officer in Tennessee. Source:


Banking and Finance Sector

17. November 4, New York Times – (New York) S.E.C. taps hedge fund counsel to lead unit. Amid continuing reports of insider trading and Ponzi schemes linked to hedge funds, the Securities and Exchange Commission said Tuesday it had named a hedge fund general counsel to lead its New York examinations group. The general counsel, who assumes the post in January, will head a staff of approximately 100 accountants and examiners responsible for the inspections of investment advisers and hedge funds in the New York region, the S.E.C. said. Source:

18. November 4, Insurance and Financial Advisor – (California) Organizer of $64 million California Ponzi scheme gets 25 years in jail. A California man who orchestrated a $64 million Ponzi scheme promising huge returns to investors through a bond-trading program and a life insurance pool to aid local churches will spend the next 300 months in a federal prison. The 41-year-old man, formerly of Westlake Village, California, was sentenced following a two-day hearing in U.S. District Court in Los Angeles. He pleaded guilty last year to 19 felony counts, including conspiracy, wire fraud and money laundering. The convicted schemer, originally indicted in 2006, must also pay $44 million in restitution, according to the U.S. Attorney’s Office for the Central District of California. The judge said the man’s 25-year prison term was warranted because of the danger he poses to the community, his unwillingness to accept responsibility for the fraud scheme and the deterrent effect the lengthy prison term would have on others. Source:

19. November 3, CNET – (National) Corporate bank accounts targeted in online fraud. Criminals have tried to steal an estimated $100 million from corporate bank accounts using targeted malware and money mules, the FBI said on Tuesday. “Within the last several months, the FBI has seen a significant increase in fraud involving the exploitation of valid online banking credentials belonging to small and medium businesses, municipal governments, and school districts,” the agency said in a statement. The FBI is seeing, on average, several new victim complaints and cases every week, according to a report prepared by the Internet Crime Complaint Center and linked to in the FBI release. A reporter for The Washington Post’s Security Fix blog said last week that the FBI puts losses from online fraud involving malware and money mules at around $40 million. He is keeping a running list of businesses that have been victims of online theft and detailing the attacks. Criminals are shifting their focus to stealing online banking credentials from businesses instead of consumers because there is more money in corporate bank accounts to plunder, according to the chief technical officer of browser security vendor Trusteer. Source:

20. November 3, The Examiner – (New Jersey) New Jersey criminal corruption sting largest in history. An FBI informant turned witness for the federal government in the largest criminal corruption sting in New Jersey’s history emerged recently from the federal witness protection program long enough to plead guilty to a $50 million bank fraud. The 37-year-old man pleaded guilty in federal court in Newark to one count each of money laundering and bank fraud, charges that can put him in prison for up to 11 years. In an appearance of less than 30 minutes before a U.S. District Judge in Newark, he entered pleas to separate counts of bank fraud and money laundering in connection with two bogus checks totaling more than $50 million that he tried to deposit at PNC Bank. “I am guilty your honor,” he declared, firmly and without hesitation. Later in Monmouth County, the scene was repeated before a Superior Court Judge in Freehold, where he pled to similar state charges. Source:

21. November 3, Associated Press – (Florida) More than 100 arrested for mortgage fraud, feds say. A federal prosecutor says a crackdown on organized mortgage fraud this year has yielded 105 arrests from Jacksonville to Fort Myers. The U.S. attorney for Florida’s middle district announced the results of the nine-month investigation at news conferences Tuesday in Fort Myers and Tampa. He said the fraudulent loans totaled more than $400 million and involved more than 700 properties. Defendants include mortgage brokers, Realtors, lenders, sellers and buyers. He called the problem an “epidemic.” Florida’s middle district includes a swath that extends from Jacksonville to Fort Myers and includes the Orlando and Tampa areas. Source:,2933,571516,00.html

Information Technology

43. November 4, The Register – (International) Newfangled cookie attack steals/poisons website creds. A security researcher has discovered a weakness in a core browser protocol that compromises the security of Google, Facebook, and other websites by allowing an attacker to tamper with the cookies they set. The weakness stems from RFC 2965, which dictates that browsers must allow a subdomain to set and read cookies for its parent domain. The specification also states that if a cookie for a subdomain does not already exist, the browser should use the cookie belonging to the parent instead. The arrangement makes it possible for attackers to steal or even alter the cookies that websites use to authenticate their users. Attackers would first have to identify an XSS, or cross-site scripting, bug in some part of the site they are targeting, but because virtually any subdomain will suffice, the scenario is not unrealistic, two web security experts said. “Most websites actually will store session IDs in a cookie and that’s actually how they keep track of users throughout the use of their website,” said a senior researcher for Foreground Security who first documented the flaw at last month’s Toorcon hacker conference. “Using the same techniques to attack those cookies, I can really damage sessions and cause some problems.” The researcher’s paper goes on to demonstrate how he used the technique to bypass a feature Google recently implemented to beef up security on Gmail and other properties. By exploiting a minor XSS vulnerability in one of Google’s subdomains, he was able to falsify the contents of his global Google cookie. Google has since fixed the XSS hole in that subdomain. Source:
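The subdomain-to-parent cookie scoping the item describes, modelled as an added example (this is not the researcher’s code, nor anything from Google or Facebook): a minimal cookie jar that follows the domain and path matching rules of RFC 6265, the successor to RFC 2965 that keeps the same parent-domain behaviour; a session cookie “tossed” from a compromised sibling subdomain; the Cookie header a naive server would receive, with the attacker’s narrowly path-scoped cookie listed first; and the __Host- prefix, a later mitigation from the RFC 6265bis draft, which the jar refuses when the cookie is not host-only. All hostnames and cookie names are made up.

```python
"""Cookie-tossing model: what a browser's cookie jar accepts from a subdomain
and what order it sends cookies back in. Added example; domain/path rules follow
RFC 6265 section 5, the __Host- prefix rule follows the RFC 6265bis draft."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    domain: str       # lower-case, no leading dot
    host_only: bool   # True when Set-Cookie carried no Domain attribute
    path: str
    secure: bool = False


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 s5.1.3: host is the domain or a subdomain of it."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def path_match(req_path: str, cookie_path: str) -> bool:
    """RFC 6265 s5.1.4: prefix match on a path-segment boundary."""
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False


class CookieJar:
    def __init__(self):
        self.cookies = []

    def set_cookie(self, request_host: str, header: str) -> bool:
        """Store a Set-Cookie header received from request_host. Returns False
        when the jar refuses it (Domain outside the request host, or a
        __Host- cookie that is not host-only, Secure and Path=/)."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
        domain = attrs.get("domain", "").lstrip(".").lower()
        host_only = not domain
        if host_only:
            domain = request_host.lower()
        elif not domain_match(request_host, domain):
            return False                   # cannot set cookies for an unrelated domain
        path = attrs.get("path") or "/"
        secure = "secure" in attrs
        if name.startswith("__Host-") and not (host_only and secure and path == "/"):
            return False                   # the prefix rule blocks the toss
        # a cookie with the same (name, domain, path) is replaced, others coexist
        self.cookies = [c for c in self.cookies
                        if (c.name, c.domain, c.path) != (name, domain, path)]
        self.cookies.append(Cookie(name, value, domain, host_only, path, secure))
        return True

    def cookie_header(self, host: str, req_path: str, secure: bool = True):
        """Cookies sent to host/req_path in RFC 6265 s5.4 order: longer paths
        first, so a deeper-scoped attacker cookie precedes the real one."""
        out = []
        for c in self.cookies:
            if c.host_only and host.lower() != c.domain:
                continue
            if not c.host_only and not domain_match(host, c.domain):
                continue
            if not path_match(req_path, c.path) or (c.secure and not secure):
                continue
            out.append(c)
        out.sort(key=lambda c: -len(c.path))
        return [(c.name, c.value) for c in out]


def first_cookie_value(pairs, name):
    """What a naive server framework does: take the first occurrence of a name."""
    return next((v for n, v in pairs if n == name), None)


def has_duplicate_names(pairs) -> bool:
    """Server-side check: duplicate names in one Cookie header signal tossing."""
    names = [n for n, _ in pairs]
    return len(names) != len(set(names))


def demo():
    jar = CookieJar()
    # legitimate login on the main host: host-only session cookie
    jar.set_cookie("www.example.com", "session=legit; Path=/; Secure")
    # attacker script running via an XSS on a sibling subdomain tosses a cookie
    # with the same name, scoped to the parent domain and a deeper path
    tossed = jar.set_cookie("vuln.example.com",
                            "session=attacker; Domain=example.com; Path=/account; Secure")
    sent = jar.cookie_header("www.example.com", "/account/settings")
    # hardened variant: a __Host- cookie cannot be tossed from a subdomain
    hardened = jar.set_cookie("vuln.example.com",
                              "__Host-session=attacker; Domain=example.com; Path=/; Secure")
    return {"tossed_accepted": tossed, "sent": sent,
            "server_sees": first_cookie_value(sent, "session"),
            "duplicate": has_duplicate_names(sent),
            "host_prefix_accepted": hardened}


if __name__ == "__main__":
    print(demo())
```

The server cannot tell from the Cookie header which subdomain set each value, which is why the defence has to be either the prefix rule on the client side or a server that rejects a request carrying two cookies of the same name instead of silently taking the first.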

44. November 4, IBTimes – (International) Illegal file-sharing growth has led to spurt in cyber crimes: McAfee. Attempts to bring internet pirates to justice have only resulted in growth of cyber crimes, internet and network security services provider McAfee Inc. has warned. In August, when Swedish authorities tried to shut down The Pirate Bay, a torrent site that provided links to sites hosting unauthorised, copyrighted content, it only prompted Pirate Bay users to look for a new place to download the copyrighted material, and several Pirate Bay-like sites were launched as a result. “Once it was temporarily shut down, those people still wanted the torrents so they went elsewhere, and that meant lots of other sites popped up to take advantage – we saw a 300 percent increase in sites hosting and distributing movies and software,” PC Pro quoted a McAfee security analyst as saying. “This was a true ‘cloud computing’ effort,” McAfee said in its Threats Report for the third quarter. “The masses stepped up to make this database of torrents available to others. The Pirate Bay example shows how difficult it is to ‘stop’ data once it is on the web,” the report said. “A website can be shut down, but anyone who has accessed the content may still be able to redistribute it.” Though the news that state authorities are fighting a losing battle against internet piracy may be welcomed by torrent users, the surge in such users has also helped cyber criminals to increase their attacks on unsuspecting victims, McAfee warned.
With the increase in torrent sites, cyber criminals are also putting up look-alike malware-infested sites on the internet “to trick users looking to download copyrighted material into downloading malicious programmes.” “Many of these (malicious) sites sprang up to scam users of The Pirate Bay who were looking for a new place to download copyrighted material,” McAfee said, adding that the number of such sites will increase during the fall and the Oscar season. McAfee has also noticed that cyber criminals have become smarter and are “getting increasingly effective at utilizing SEO techniques to drive traffic to these bad sites.” Source:

45. November 3, DarkReading – (International) Researchers create hypervisor-based tool for blocking rootkits. Researchers at North Carolina State University and Microsoft Research have come up with a way to combat rootkits by using the machine’s own hardware-based memory protection: the so-called HookSafe tool basically protects the operating system kernel from rootkits. Rootkits are the most difficult of malware to detect and remove: they often evade detection by anti-malware software, and even if they are discovered, they can still be difficult to completely eradicate. A rootkit typically hijacks “hooks” in the operating system — basically the control data in the kernel used to augment or extend the features of an OS — in order to hide out in the OS. This in turn lets the rootkit intercept and manipulate the system’s data, remain invisible to the user and anti-malware tools, and to install other malware aimed at stealing data from the system. The researchers have devised a way to move the potentially tens of thousands of hooks in the kernel to a centralized location so they are easier to monitor and more difficult to abuse. Their HookSafe prototype is a hypervisor-based system that is able to protect nearly 6,000 different kernel hooks and has successfully stopped nine different rootkits. HookSafe runs in Ubuntu Linux 8.04 and leverages hardware-based memory protection in the system to stop rootkits from hijacking kernel hooks. The main tradeoff of the tool thus far is a slight performance hit, about a 6 percent slowdown in system performance. Source:

46. November 3, – (International) Symantec uncovers new type of Facebook Trojan. A command and control server is used by a botnet - a cluster of malware-infected PCs which communicate across the internet - as a means of controlling the botnet swarm. Communications are usually relayed between the infected PCs and the server through internet relay chat channels. The Facebook-enabled trojan is called Whitewell and is being spread via email using infected documents (PDF or MS Office format) that contain exploits for known vulnerabilities. According to a security analyst with the Symantec Security Response operation, the trojan works by contacting the mobile version of Facebook and using its Notes section. In the analyst’s blog, he said that, by analyzing the trojan’s code, Symantec’s researchers have concluded that the malware performs one of four different actions, depending on the titles of the notes it finds. “The real command and data processing is done through the remote URL that was received from the notes, and this URL may point anywhere”, said the analyst in his blog. “However... one could (also) use a Facebook account as a C&C server and this trojan is able to successfully parse the Facebook HTML data, retrieve the wanted data from it, and also post new data to it.” Infosecurity notes that, while this is not the first time a social networking site has been used to assist in the control of malware and a botnet - a Twitter botnet, for example, was spotted back in August - it is the first time that a trojan infection has been structured to allow Facebook itself to act as a command and control server. Source:

47. November 3, Computerworld – (National) Put cybersecurity chief in DHS not the White House, Senator says. Five months after the U.S. President announced the need for a White House-appointed coordinator to oversee national cybersecurity affairs, the debate continues in Washington over whether such a coordinator would be more effective outside the White House. The Ranking Member of the Senate Homeland Security and Governmental Affairs Committee raised the issue most recently. Delivering a speech on cybersecurity issues at George Washington University on November 2, the senator rejected the idea of a White House-led cybersecurity effort and insisted the leadership would have to come from the U.S. Department of Homeland Security (DHS). “Effectively managing government cybersecurity is going to require more than a few staff crammed into a cubicle in the depths of the White House,” the senator said in her speech. She said that while the National Security Agency and other intelligence agencies have the needed cybersecurity resources, “privacy and civil liberties” issues preclude them from taking leadership. As a result, any effort to secure civilian government and critical infrastructure against cyber threats needs to be led by the DHS, the senator said. Only the DHS has the ability to provide the aggressive oversight and continuous real-time security monitoring and analysis that is needed, she said. Source:

48. November 3, The Register – (International) Bug in latest Linux gives untrusted users root access. A software developer has uncovered a bug in most versions of Linux that could allow untrusted local users to gain complete control over the open-source operating system. The null pointer dereference flaw was only fixed in the upcoming 2.6.32 release candidate of the Linux kernel, leaving virtually all production versions in use at the moment vulnerable. Attacks can be prevented by the common mmap_min_addr protection, which stops unprivileged processes from mapping memory at the low addresses a null pointer dereference lands on, but the Red Hat Enterprise Linux (RHEL) distribution does not properly implement that protection, a developer at grsecurity who discovered the bug in mid-October told The Register. Many administrators are also forced to disable the feature so their systems can run developer tools or applications such as Wine. On October 22, the developer wrote a proof-of-concept attack for the local root exploit. Over the past few months, he has emerged as an outspoken critic of security practices followed by the team responsible for the Linux kernel. In July, the developer published a separate Linux exploit that drew considerable notice because it worked even when fully patched versions were running security enhancements. It targeted a separate null pointer dereference bug that could be exploited when the OS was running SELinux, or Security-Enhanced Linux. The developer at the time criticized Linux’s principal developer for failing to take responsibility for the critical issue, citing online comments. He has also taken the Linux kernel developers to task for failing to fully disclose the extent of security bugs when they are patched. The latest bug is mitigated by default on most Linux distributions, thanks to their correct implementation of mmap_min_addr. But because RHEL relaxes that protection to stay compatible with a larger body of applications, that distribution is vulnerable to attack even when the OS shows the feature is enabled, he said.
“They’re putting their users at risk,” he said. “They’re basically the only distribution that’s still vulnerable to this class of attack.” A Red Hat spokeswoman said patches for versions 4 and 5 of RHEL and MRG are available, and an update for RHEL 3 is in testing and should be released soon. He added that many other Linux users are also vulnerable because they run older versions or are forced to turn off the feature to run certain types of applications. Source:
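A practitioner’s check for the enabling condition the item describes, written as an added example (it is not the grsecurity developer’s proof of concept, which exploits a specific kernel bug; this exploits nothing and only tests whether the null page can be mapped). It reads the advertised vm.mmap_min_addr and, because the item says RHEL could show the protection as enabled while still being exploitable, cross-checks it by actually attempting an anonymous MAP_FIXED mapping at address 0 through ctypes. The flag values are the Linux x86/x86-64/arm ones, the verdict labels are this example’s own, and on a non-Linux host the check reports “not-linux”.

```python
"""Can an unprivileged process map the page at address 0? That is what turns a
kernel NULL pointer dereference into a local root exploit. Added example; the
sysctl value is cross-checked by attempting the mapping, since the advertised
setting and the enforced one can differ (the RHEL case in the item)."""
import ctypes
import ctypes.util
import mmap
import os

MMAP_MIN_ADDR = "/proc/sys/vm/mmap_min_addr"
PROT_READ, PROT_WRITE = 0x1, 0x2
MAP_FIXED = 0x10                              # assumption: Linux x86/x86-64/arm value
MAP_PRIVATE = mmap.MAP_PRIVATE
MAP_ANONYMOUS = getattr(mmap, "MAP_ANONYMOUS", 0x20)
MAP_FAILED = ctypes.c_void_p(-1).value        # (void *)-1 as an unsigned integer


def read_mmap_min_addr():
    """Advertised lower bound for user mappings, or None when the sysctl is absent."""
    try:
        with open(MMAP_MIN_ADDR) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def null_page_mappable() -> bool:
    """Attempt a one-page anonymous MAP_FIXED mapping at address 0.
    True means the kernel allowed it, i.e. the protection is not effective."""
    if not os.path.exists(MMAP_MIN_ADDR):     # only meaningful on Linux
        return False
    libc = ctypes.CDLL(ctypes.util.find_library("c"), use_errno=True)
    libc.mmap.restype = ctypes.c_void_p
    libc.mmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t, ctypes.c_int,
                          ctypes.c_int, ctypes.c_int, ctypes.c_long]
    libc.munmap.argtypes = [ctypes.c_void_p, ctypes.c_size_t]
    page = os.sysconf("SC_PAGE_SIZE")
    raw = libc.mmap(0, page, PROT_READ | PROT_WRITE,
                    MAP_PRIVATE | MAP_FIXED | MAP_ANONYMOUS, -1, 0)
    if raw == MAP_FAILED:
        return False                          # EPERM under a working mmap_min_addr
    addr = 0 if raw is None else raw          # ctypes returns None for a NULL pointer
    libc.munmap(addr, page)                   # release the page straight away
    return addr == 0


def verdict(min_addr, mappable) -> str:
    """Combine the advertised setting with the observed behaviour."""
    if mappable:
        return "vulnerable-despite-sysctl" if min_addr else "vulnerable"
    if min_addr is None:
        return "not-linux"
    if min_addr == 0:
        return "check-manually"   # bound is 0 yet the mapping was refused; another LSM may have stepped in
    return "protected"


if __name__ == "__main__":
    m = read_mmap_min_addr()
    mappable = null_page_mappable()
    print(f"vm.mmap_min_addr={m} null_page_mappable={mappable} -> {verdict(m, mappable)}")
```

Run it as the unprivileged user whose exposure you care about, not as root: a process with CAP_SYS_RAWIO is allowed below the bound anyway, so a root run says nothing about the local-user case the item is about.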

Communications Sector

49. November 4, The Register – (International) Whitehall plans ‘White Noise’ phone network collapse. The British government will simulate a shutdown of the national phone network next week in an exercise involving hundreds of government and industry players. The exercise, codenamed “White Noise,” is designed to simulate a catastrophic nationwide communications failure and will take place over Wednesday 11 November and Thursday 12 November. It will be the first time the U.K. has conducted such a large-scale exercise, the head of communications security in the Department for Business told a Lords committee on November 4. White Noise will simulate a total national collapse of the traditional Public Switched Telephone Network; there will be no impact on those not involved in the exercise. Such a scenario could be caused by a cyber or physical attack, or by a natural disaster. Officials will monitor the government’s ability to respond in a coordinated way, including keeping Parliament and the public informed. Data and mobile communications will remain intact throughout the exercise. Source:

50. November 4, Money Times – (National) T-Mobile hit with second outage in two months. In yet another outage, T-Mobile service was inaccessible Tuesday, leaving nearly 1.7 million of its users without access to calls or data on their cell phones. The carrier, which had still been working to restore data for its Sidekick users, has now run into another failure. Immediately after the outage, the carrier posted a statement saying, “T-Mobile customers may be experiencing service disruptions impacting voice and data. Our rapid response teams have been mobilized to restore service as quickly as possible. We will provide updates as more information is available.” The outage lasted nearly eight hours, and the company apologized for the inconvenience after it restored service. It updated its statement, saying, “T-Mobile confirms it has fully restored voice and text/picture messaging services for customers affected by intermittent service disruptions on Tuesday.” The company further stated that its focus had been to restore full service and that it would now investigate what led to the incident. Source:

Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, November 4, 2009

Complete DHS Daily Report for November 4, 2009

Daily Report

Top Stories

 Reuters reports that an outbreak of food-borne illness, linked to dangerous bacteria in ground beef, sickened 28 people and may have caused two deaths in the U.S. Northeast, health officials said on November 2. (See item 24)

24. November 2, Reuters – (National) Two U.S. deaths may be linked to bad beef. An outbreak of food-borne illness, linked to dangerous bacteria in ground beef, sickened 28 people and may have caused two deaths in the U.S. Northeast, health officials said on Monday. The U.S. Centers for Disease Control and Prevention (CDC) said all but three of the illnesses were in the Northeast and 18 were in the six New England states. A common strain of E. coli bacteria was involved so tests were under way to see if all of the reported cases have the same cause. State officials said a death in New Hampshire was linked to the ground beef that is being recalled by Fairbank Farms of Ashville, New York. The New York State Health Department said a death in the Albany area from E. coli O157:H7 bacteria was being investigated to see if it is linked. Fairbank Farms announced the recall on Saturday of 545,699 lbs (248,450 kg) of fresh ground beef products. The Agriculture Department, which oversees meat safety, said an investigation led it to conclude “there is an association between the fresh ground beef products and illnesses in Connecticut, Maine and Massachusetts.” USDA worked with state and federal officials in examining a cluster of E. coli O157:H7 illnesses. Source:

 The Los Angeles Times reports that lethal waste is seeping from mountain burial sites and moving toward aquifers, springs and streams that provide water to 250,000 residents of northern New Mexico. The Los Alamos National Laboratory seemed an ideal place to store a bomb factory’s deadly debris, but the heavily fractured mountains have not contained the waste, some of which has trickled down hundreds of feet to the edge of the Rio Grande, one of the most important water sources in the Southwest. (See item 28)

28. November 1, Los Angeles Times – (New Mexico) Toxic waste trickles toward New Mexico’s water sources. Lethal waste is seeping from mountain burial sites and moving toward aquifers, springs and streams that provide water to 250,000 residents of northern New Mexico. Isolated on a high plateau, the Los Alamos National Laboratory seemed an ideal place to store a bomb factory’s deadly debris. But the heavily fractured mountains have not contained the waste, some of which has trickled down hundreds of feet to the edge of the Rio Grande, one of the most important water sources in the Southwest. So far, the level of contamination in the Rio Grande has not been high enough to raise health concerns. But the monitoring of runoff in canyons that drain into the river has found unsafe concentrations of organic compounds such as perchlorate, an ingredient in rocket propellant, and various radioactive byproducts of nuclear fission. Laboratory officials insist that the waste does not jeopardize people’s health because even when storm water rushing down a canyon stirs up highly contaminated sediment, it is soon diluted or trapped in canyon bottoms, where it can be excavated and hauled away. Much surface contamination, however, becomes embedded in sediment or moves down into groundwater. That subterranean migration poses the greatest long-term danger to drinking-water wells and ultimately the Rio Grande. Adding to the uncertainty, a draft report released last summer by the Centers for Disease Control and Prevention said that the lab may have substantially underreported the extent of plutonium and tritium released into the environment since the 1940s. More recently, the state Environment Department reported finding DEHP, an organic compound used in plastics and explosives, at 12 times the safe exposure level in an aquifer that supplies drinking water to Los Alamos and the nearby community of White Rock. The U.S. Environmental Protection Agency classifies DEHP as a probable human carcinogen also capable of harming reproductive systems. Source:,0,6423820.story


Banking and Finance Sector

13. November 3, Washington Post – (International) British plan breakup of bailed-out banks. The British government is moving to break up parts of major financial institutions bailed out by taxpayers, with a restructuring plan expected to be unveiled as soon as November 3. The move highlights a growing divide across the Atlantic over how to deal with the massive banks partially nationalized during the height of the financial crisis. The British government — spurred on by European regulators — is set to force the Royal Bank of Scotland, Lloyds Banking Group and Northern Rock to sell off parts of their operations. The Europeans are calling for more and smaller banks to increase competition and eliminate the threat posed by banks so large that they must be rescued by taxpayers, no matter how they conducted their business, in order to avoid damaging the global financial system. The move to downsize some of Britain’s largest banks comes as U.S. politicians are debating whether American banks should also be required to shrink. The U.S. President’s administration has maintained that large banks should be preserved because they play an important role in the economy and that taxpayers instead should be protected by creating a new system for liquidating large banks that run into problems. But Britain’s decision already is being cited by a growing chorus of experts, including prominent bankers and economists, who want the United States to pursue a similar approach. The changes would amount to a massive restructuring of the British financial system, among the hardest hit by the global crisis, that could result in what the government has described as the creation of three new commercial banks. The Royal Bank of Scotland — now 70 percent owned by British taxpayers — announced November 2 that regulators were demanding that it sell off more of its businesses than originally expected.
According to British media reports, RBS would be told to sell off more than 300 retail branches in the United Kingdom, as well as several insurance businesses. The sell-offs would pave the way for tens of billions of dollars more in previously announced cash injections from the government.


14. November 3, Bank Info Security – (National) Six more banks, credit unions hit in phone scam. Banking customers in two additional states have been hit by the telephone-based fraud scheme that already has struck institutions in several other states. Customers of several banks and at least one credit union in southeastern Wisconsin, as well as one credit union in Hawaii, report receiving automated phone messages that appear to be coming from their institution, telling them their debit card has been compromised. It then prompts the customer to enter their card information. Hawaii Central Credit Union in Honolulu, HI reports that its customers received the automated messages asking for account information last week. Citizens Bank of Mukwonago, Park Bank in Milwaukee, Burlington’s First Banking Center, Maritime Savings Bank and Educators Credit Union are among Wisconsin financial institutions that have reported such calls since October 24, says the security officer for Citizens Bank of Mukwonago. Source:

15. November 2, The Register – (International) US gov warns banks on money mules. The government agency that insures U.S. banks has warned its members to be on the lookout for an increase in money mules used to launder money that has been electronically stolen from deposit accounts. In a memo issued recently, the Federal Deposit Insurance Corporation told member banks the mules can often be spotted by common characteristics. The tell-tale signs include: someone with a newly opened account who receives unusually large numbers of electronic transfers; account holders who receive electronic transfers and shortly afterward originate outgoing wire transfers or cash withdrawals that are 8 to 10 percent less (accounting for the mule’s commission); and foreign exchange students with a J-1 visa and a fraudulent passport who open a student account that has a high volume of incoming and outgoing electronic transfers. “Money mule activity is essentially electronic money laundering,” the memo stated. “Strong customer identification, customer due diligence, and high-risk account monitoring procedures are essential for detecting suspicious activity, including money mule accounts.” Over the past few years, cybercrooks, many located in Eastern Europe, have increasingly relied on mules located in the U.S. to receive stolen funds and then funnel the money overseas before the fraud is detected. According to Security Fix, such scams have plundered at least $40m from small- to mid-sized businesses. Source:
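Item 19 in the November 5 report above and this item describe the two ends of the same fraud chain: stolen business banking credentials, then mules who forward the money. The FDIC’s tell-tale signs translate directly into account-monitoring rules, and the following added example (not the FDIC’s code or any institution’s) screens a constructed ledger for the three patterns the memo lists. The thresholds are this example’s assumptions (a 90-day “new account” window, three inflows, a 3-day forwarding window, and 8 to 12 percent kept back to allow rounding around the memo’s 8 to 10), and because a forged passport is not visible in transaction data, the J-1 rule keys only on visa type and transfer volume.

```python
"""Screen account activity for the money-mule indicators listed in the FDIC memo.
Added example; ledger, account metadata and thresholds are constructed for
illustration and are not from the memo or any institution."""
from __future__ import annotations
from collections import defaultdict
from datetime import date

# Thresholds: assumptions for this example, not figures from the memo.
NEW_ACCOUNT_DAYS = 90            # "newly opened account"
INFLOW_COUNT_THRESHOLD = 3       # "unusually large numbers of electronic transfers"
FORWARD_WINDOW_DAYS = 3          # "shortly afterward"
KEPT_BACK_RANGE = (0.08, 0.12)   # memo: 8 to 10 percent less; widened for rounding
STUDENT_VOLUME_THRESHOLD = 4     # in + out electronic transfers on a J-1 student account

IN_KINDS = {"ach_in"}                               # incoming electronic transfer
OUT_KINDS = {"ach_out", "wire_out", "cash_out"}     # outgoing ACH, wire or cash withdrawal

# Constructed account metadata (passport validity is not visible in a ledger,
# so the memo's "fraudulent passport" element cannot be checked here).
ACCOUNTS = {
    "ACC-1": {"opened": date(2009, 10, 20), "visa": None, "type": "checking"},
    "ACC-2": {"opened": date(2005, 3, 1), "visa": None, "type": "checking"},
    "ACC-3": {"opened": date(2009, 9, 5), "visa": "J-1", "type": "student"},
}

# Constructed ledger rows: (account, date, kind, amount)
LEDGER = [
    ("ACC-1", date(2009, 10, 27), "ach_in", 9800.00),
    ("ACC-1", date(2009, 10, 28), "wire_out", 8918.00),  # 9% kept back, next day
    ("ACC-1", date(2009, 10, 29), "ach_in", 7400.00),
    ("ACC-1", date(2009, 10, 29), "cash_out", 6734.00),  # 9% kept back, same day
    ("ACC-1", date(2009, 11, 2), "ach_in", 5100.00),
    ("ACC-1", date(2009, 11, 3), "wire_out", 4590.00),   # 10% kept back
    ("ACC-2", date(2009, 10, 27), "ach_in", 2500.00),    # ordinary payroll deposit
    ("ACC-2", date(2009, 10, 30), "cash_out", 300.00),
    ("ACC-2", date(2009, 11, 10), "ach_in", 2500.00),
    ("ACC-3", date(2009, 10, 1), "ach_in", 3000.00),
    ("ACC-3", date(2009, 10, 2), "ach_out", 2700.00),
    ("ACC-3", date(2009, 10, 15), "ach_in", 4000.00),
    ("ACC-3", date(2009, 10, 16), "ach_out", 3600.00),
    ("ACC-3", date(2009, 10, 20), "ach_in", 1200.00),
]


def is_forwarded(inflow, outflow) -> bool:
    """True when outflow follows inflow within the window and keeps back
    roughly a mule's commission (the memo's '8 to 10 percent less')."""
    _, d_in, kind_in, amt_in = inflow
    _, d_out, kind_out, amt_out = outflow
    if kind_in not in IN_KINDS or kind_out not in OUT_KINDS:
        return False
    if not 0 <= (d_out - d_in).days <= FORWARD_WINDOW_DAYS:
        return False
    kept_back = 1 - amt_out / amt_in
    return KEPT_BACK_RANGE[0] <= kept_back <= KEPT_BACK_RANGE[1]


def screen(ledger, accounts) -> dict[str, list[str]]:
    """Map each flagged account to the memo indicators it matched."""
    by_account = defaultdict(list)
    for row in ledger:
        by_account[row[0]].append(row)
    findings = {}
    for acct, rows in by_account.items():
        rows.sort(key=lambda r: r[1])
        meta = accounts[acct]
        inflows = [r for r in rows if r[2] in IN_KINDS]
        outflows = [r for r in rows if r[2] in OUT_KINDS]
        reasons = []
        # 1. newly opened account receiving many electronic transfers
        age = (rows[0][1] - meta["opened"]).days
        if age <= NEW_ACCOUNT_DAYS and len(inflows) >= INFLOW_COUNT_THRESHOLD:
            reasons.append(f"new account ({age} days old) with {len(inflows)} incoming transfers")
        # 2. inflows forwarded out shortly afterwards, minus the commission
        forwarded = [(i, o) for i in inflows for o in outflows if is_forwarded(i, o)]
        if forwarded:
            reasons.append(f"{len(forwarded)} inflow(s) forwarded within {FORWARD_WINDOW_DAYS} days minus 8-12%")
        # 3. J-1 student account with heavy two-way electronic traffic
        e_out = [r for r in outflows if r[2] == "ach_out"]
        if (meta["visa"] == "J-1" and meta["type"] == "student"
                and len(inflows) + len(e_out) >= STUDENT_VOLUME_THRESHOLD):
            reasons.append("J-1 student account with high-volume electronic transfers in and out")
        if reasons:
            findings[acct] = reasons
    return findings


if __name__ == "__main__":
    for acct, reasons in screen(LEDGER, ACCOUNTS).items():
        print(acct, "->", "; ".join(reasons))
```

The forwarding rule is the one with real signal: a payroll account also receives regular electronic deposits, but it does not wire out nine-tenths of each one within days, which is why ACC-2 in the sample is left alone while ACC-1 and ACC-3 are flagged.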

16. November 2, LA Daily News – (California) Westlake Village man to be sentenced for $65 million life insurance scam. A Westlake Village man could get as much as 27 years behind bars when he is sentenced on Monday in Los Angeles federal court for bilking about 70 wealthy investors out of $65 million in a life insurance scam targeting South Los Angeles church parishioners. He pleaded guilty one year ago to conspiracy, six counts of mail fraud, four counts of wire fraud and eight counts of money laundering in U.S. District Court in downtown Los Angeles during jury selection in his trial. He and a co-defendant, both 41, claimed that the investors’ money would be invested in bond trading programs or used to buy pools of existing life insurance policies owned by African-American church members in Watts and Compton, prosecutors said. The two men told investors they would buy the policies for a small percentage of what they were worth, and that when the policyholders died, they would get a $240,000-per-policy windfall, which they would distribute to the investors, according to the criminal fraud complaint. Of the approximately $65 million raised from investors for those purposes, only $4.7 million was used to make life insurance premium payments, and no bonds were purchased for investors’ benefit, the complaint states. Source:

17. November 2, Marketwatch – (National) Treasury expects to borrow $276 bln this quarter. The U.S. government is expected to borrow $276 billion in the final three months of the year, the Treasury Department said on November 2. The borrowing estimate is $209 billion less than estimated in August. The drop in borrowing is due to the Treasury reducing its investment in a special Federal Reserve facility that supported the central bank’s innovative credit-easing policy, the agency said. For the January-March quarter, Treasury said it expects to borrow $478 billion. In the three months ending September, the government borrowed $393 billion. The Treasury will announce on November 4 the sizes and terms of its quarterly refunding auction. Source:

For more stories, see item 33 below:

33. November 2, WNEM 5 Saginaw – (Michigan) State officials warn of benefit debit card scam. Michigan’s Unemployment Insurance Agency (UIA) is warning those with state unemployment insurance debit cards that scammers are using cell phone text messages in an attempt to steal their unemployment benefits. According to a news release, UIA received two calls from individuals receiving unemployment benefits stating they had received text messages telling them to verify their UI debit card personal identification number by contacting the text sender. Officials at UIA said it is not their policy to contact anyone by text or by e-mail about their unemployment claim or PIN. The fake text messages advised individuals they need to reset their UI debit card PIN. One person was told to send a return text with his PIN included, while the other was instructed to call the phone number listed in the text message. When a victim calls the telephone number, a recorded voice asks the caller for the UI debit card number and PIN. With that information, the scammer can access and remove funds from the card account. JPMorgan Chase administers the MI UI Debit Card program for the state of Michigan. UIA said similar scam attempts are starting to surface in New York, Rhode Island and Missouri. Source:

Information Technology

38. November 3, Network World – (International) Hackers exploit Google Wave’s popularity. Hackers are exploiting web users that were too late in signing up for Google Wave, says Symantec. According to the security firm, web users worldwide are being encouraged to download an application that claims to offer access to Google Wave - a new invite-only online tool for real-time communication and collaboration. However, the application is in fact malware, which allows hackers to potentially steal sensitive personal data from your PC. A security analyst for Symantec said: “Cybercriminals have used Google Wave for the bait precisely because of its current popularity. Furthermore, using a trusted brand like this increases the chance of success for the attacker. Unfortunately, this technique is something fraudsters use all the time and internet users should be wary - if something appears too good to be true, then it usually is.” The security firm urged web users to be careful when clicking on links, only download software from a reputable source and ensure your security software is up-to-date. Source:

39. November 2, CNET – (International) New Trojan encrypts files but leaves no ransom note. Symantec is warning about a new Trojan horse that encrypts files on compromised computers but offers no ransom note like other software designed to hold data hostage for a fee. Instead, a Web search for terms related to the Trojan horse leads to a company offering a way to remove the malware. The company offering the product used to charge for it but now offers it for free. Trojan.Ramvicrype uses the RC4 algorithm to encrypt files on systems running Windows 98, 95, XP, Windows Me, Vista, NT, Windows Server 2003 and Windows 2000, according to Symantec’s Web site. Computers with files that have the .vicrypt extension are infected, a Symantec researcher wrote in a blog post recently. A Web search for “vicrypt help” brings up a news release for a company called Exquisys Software Technology Ltd in Mauritius offering a product called Antivicrypt that will “repair and restore” files that are “damaged.” Symantec reports that the company charges for the product. Exquisys could not be reached for comment on November 2, which happens to be a national holiday in that country. Meanwhile, Symantec is offering a free tool to decrypt the encrypted files. However, there is a chance that an affected computer will not have access to the Internet to search for any tools, free or otherwise. If a file in the Windows system folder has recently been opened, all the files in the system folder will be encrypted and the user may be unable to access the Internet, Symantec said. When the Trojan is executed it searches for files in MyDocuments, Desktop and Application Data\Identities and renames them with a .vicrypt extension. Then it looks for links in the Recent folder and renames all the files in the folders that are pointed to by links there and encrypts the head section of each file. Source:

40. November 2, SC Magazine – (International) German rail firm handed ‘record’ fine for data breaches. Deutsche Bahn has been fined more than 1 million euros to cover a number of serious breaches of data protection legislation dating back over the past ten years. The Berlin Data Protection Commissioner revealed that Deutsche Bahn were to be fined exactly 1,123,503.50 euros, which according to the Berlin Data Protection agency, is the ‘highest penalty that a German Data Protection Inspectorate has established’. The activity for which Deutsche Bahn is being fined relates to the mass screening of employee data including names, addresses, telephone numbers and bank details against those of suppliers. This screening was carried out on at least three separate occasions in 1998, 2002/3 and 2005/6, supposedly to detect fraudulent activity and employee-fronted Scheinfirmen or shell companies. It has been claimed that Deutsche Bahn also enlisted the services of a detective agency to assist in this screening activity. The Information Commissioner’s press release states that personal and banking information was illegally retained for ‘years’ even after suspicions had been allayed. The head of Deutsche Bahn, Hartmut Mehdorn, was forced to resign after it became apparent that 173,000 of Deutsche Bahn’s 220,000 employees had been screened this way. Deutsche Bahn has since set up a new department for data protection. A senior security adviser at Trend Micro claimed that Deutsche Bahn’s heavy-handed tactics and the size of the resultant fine amply illustrate the need for enterprises to involve employees, works councils and unions from the outset, both when defining data protection policies and also when conducting sensitive investigations. Source:

41. November 2, ComputerWorld – (International) Microsoft links malware rates to pirated Windows. Microsoft on November 2 said computers in countries with high rates of software piracy are more likely to be infected by malicious code because users are leery of applying security patches. “There is a direct correlation between piracy and the malware infection rate,” said the principal group program manager for the Microsoft Malware Protection Center. He was touting the newest edition of his company’s biannual security intelligence report. According to the manager the link between PC infection rates — the percentage of computers that have been cleaned by the updated monthly Malicious Software Removal Tool, or MSRT — and piracy is due to the hesitancy of users in countries where counterfeit copies abound to use Windows Update, the service that pushes patches to PCs. China’s piracy rate is more than four times that of the U.S., according to Microsoft’s report, published on November 2, but the use of Windows Update in China is significantly below that in the U.S. Brazil and France also have a higher piracy rate, and lower Windows Update usage, than the U.S., Microsoft maintained. But the company’s own data does not always support the manager’s contention that piracy, and the hesitancy to use Windows Update, leads to more infected PCs. China, for example, boasted a malware infection rate — as defined by the number of computers cleaned for each 1,000 executions of the MSRT — of just 6.7, significantly lower than the global average of 8.7 or the U.S.’s rate of 8.2 per thousand. France’s infection rate of 7.9 in the first half of 2009 was also under the worldwide average. Of the three countries Microsoft called out as examples of nations whose users are reluctant to run Windows Update because of high piracy rates, only Brazil fit the manager’s argument: Brazil’s infection rate was 25.4, nearly three times the global average. By Microsoft’s tally, Serbia and Montenegro had the highest infection rate in the world, with 97.2 PCs out of every 1,000, nearly 10%, plagued by malware. Turkey was No. 2, with 32.3, while Brazil, Spain and South Korea were third through fifth, with infection rates of 25.4, 21.6 and 21.3, respectively. Source:

42. November 2, DarkReading – (International) New Trojan kills the Zeus Trojan. First there were hijacked search results, now there are hijacked links: a newly discovered Trojan redirects victims to search engine sites in order to cash in on the clicks. The so-called Opachki Trojan doesn’t do the usual search-result hijacking typically deployed by the bad guys to make money, but instead attempts to hijack all links on a page the infected user is viewing. When the user clicks on a link, the Trojan redirects him to an affiliate-based search engine site that lists multiple links. “This is the first one I’ve seen that tries to replace with arbitrary links rather than hijacking search results,” says a researcher with SecureWorks’ Counter Threat Unit. “This one goes to the page and takes all the links and makes them look like searches so the [victim] sees a search result rather than the page they thought they were going to.” Opachki basically provides the bad guys another way to make money from affiliate search engines that pay people to drive traffic to them, he says. Each time the victim clicks on one of the links at the redirected search engine site, the Opachki author gets paid a small sum of money, he says. “So to make it look somewhat legit, they have real people clicking on things so that it makes it look like that person is searching.” And interestingly, the Trojan does one good deed: if the victim’s machine is also infected by the nasty Zeus banking malware, it kills it. “Why is it deleting Zeus? [Opachki] is hooking into the browser similarly to what Zeus does. Maybe there’s some sort of conflict where they both don’t work on the same machine,” the researcher says. “I’m not sure what they’re thinking” by knocking out Zeus, he says. Opachki infections come via drive-by browser exploits, and the Trojan can do its dirty work even if the user doesn’t have administrative privileges on the machine, according to Stewart’s report on the Trojan. Source:

Communications Sector

43. November 3, The Register – (International) Hacker charged in $1m cable ISP customer cloning scheme. Federal prosecutors have charged a California man with earning $1m over a six-year period by illegally selling products that allowed customers to get high-speed internet service for free. A 26-year-old San Diego man sold software and hardware that were designed to fool Charter Communications and other internet service providers into believing the gear belonged to paying customers, the prosecutors allege. The man and his employees also offered technical support in publicly available chat forums at, the website belonging to their modem-hacking business. The hack worked by spoofing the media access control address that acts as an electronic serial number for each modem. By replacing the unique address with one known to belong to a paying subscriber, the man’s customers were able to obtain internet service for free. Over time, his company offered additional services. One allowed users to increase their bandwidth while another made it possible to detect the MAC addresses of legitimate paying ISP subscribers. From 2003 to earlier this year, TCNISO, as the man’s company was called, generated revenue of more than $1m, according to documents filed in U.S. District Court in Boston. In addition to allowing customers to obtain internet service without paying for it, TCNISO allowed users to surf anonymously. Among those taking advantage of that benefit was a juvenile hacker who went by the moniker Dshocker. Last year, he admitted to carrying out crippling denial-of-service attacks on online rivals and placing hoax emergency phone calls that prompted them to receive visits by heavily armed police teams. The Massachusetts youth was sentenced to 11 months detention. Source:

44. November 3, Data Center Knowledge – (Texas) Power Outage Affects Rackspace Cloud. Rackspace reports that parts of its Dallas data center lost power early today during testing of power distribution units (PDUs) during scheduled maintenance. This resulted in downtime for sites hosted on SliceHost and The Rackspace Cloud, including the leading tech blog TechCrunch, which ensured that the outage was widely noted on blogs and Twitter. The Dallas data center has experienced power problems before, including outages on June 29 and July 7 that prompted the Rackspace CEO to issue an apology to customers and provide a detailed explanation of the outage and the operations of the Dallas/Fort Worth facility. This morning’s problems started at about 12:30 a.m. central time. “We were testing phase rotation on a Power Distribution Unit (PDU) when a short occurred and caused us to lose the PDUs behind this Cluster,” Rackspace reported on its blog. “All power has been restored and devices are being brought back online. The PDUs were down for a total of about 5 minutes. We have aborted the maintenance for the remainder of the evening and will reschedule this for another date.” Although the PDUs were offline for only 5 minutes, many customer sites were unavailable for a longer window. Most sites returned to service by 2 a.m., while several cloud servers continued to experience problems until after 5 a.m., according to a timeline on the Cloud Servers status blog. The Rackspace DFW data center in Grapevine, Texas is the company’s largest facility, with 144,000 square feet of space. The facility in Grapevine figured into a 2007 power outage that interrupted service for many prominent web sites. In that incident, a vehicle struck a power transformer, and public safety officials turned off both the facility’s power feeds during their emergency rescue operations. Source: