Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, May 11, 2010

Complete DHS Daily Report for May 11, 2010

Daily Report

Top Stories

According to the Associated Press, radioactive water that leaked from Oyster Creek Nuclear Generating Station in Lacey Township, New Jersey has now reached a major underground aquifer that supplies drinking water to much of southern New Jersey, the state’s environmental chief said on May 7. (See item 47)

47. May 8, Associated Press – (New Jersey) Tainted nuke plant water reaches major NJ aquifer. Radioactive water that leaked from the nation’s oldest nuclear power plant has now reached a major underground aquifer that supplies drinking water to much of southern New Jersey, the state’s environmental chief said May 7. The New Jersey State Department of Environmental Protection has ordered the Oyster Creek Nuclear Generating Station in Lacey Township to halt the spread of contaminated water underground, even as it said there was no imminent threat to drinking-water supplies. The department launched a new investigation May 7 into the April 2009 spill and said the actions of plant owner Exelon Corp. have not been sufficient to contain water contaminated with tritium. The tritium leaked from underground pipes at the plant April 9, 2009, and has been slowly spreading underground at 1 to 3 feet per day. At the current rate, it would be 14 or 15 years before the tainted water reaches the nearest private or commercial drinking water wells about two miles away. But the mere fact that the radioactive water — at concentrations 50 times higher than those allowed by law — has reached southern New Jersey’s main source of drinking water calls for urgent action, the chief said. He ordered the Chicago-based company to install new monitoring wells to better measure the extent of the contamination, and to come up with a plan to keep the tainted water from ever reaching a well. Should the plant fail to stem the spread of the contaminated water, the state will do it and bill the company for three times the cost as a penalty, the environmental department said. Source:

The Associated Press reports that a 17-year-old with a grudge against his former Long Island, New York high school planned with his girlfriend to buy shotguns, enter his old school, and indiscriminately shoot down students and teachers, days before his ex-classmates were scheduled to graduate, police said on May 7. The two teenagers set a June 10 date for the planned attack on Connetquot High School in Bohemia. (See item 53)

53. May 8, Associated Press – (New York) 2 NY teens arrested in plot to attack high school. A 17-year-old with a grudge against his former Long Island, New York high school planned with his girlfriend to buy shotguns, enter his old school and indiscriminately shoot down students and teachers, days before his ex-classmates were scheduled to graduate, police said May 7. The two teenagers extensively researched bomb making, attempted to buy a shotgun and set a June 10 date for the planned attack on Connetquot High School in Bohemia, a Suffolk County police sergeant said. Evidence from the 16-year-old girl’s computer and cell phone showed they had searched bomb-making and explosives Web sites, and exchanged text messages in which they discussed plans to buy firearms and kill people, police said. Both were arrested and charged as adults with conspiracy. The boy pleaded not guilty at his arraignment May 7, while his girlfriend entered a not-guilty plea last week. Each could face up to a year in jail if convicted. Source:


Banking and Finance Sector

20. May 9, KEZI 9 Eugene – (National) ATM users on alert after skimming cases along West Coast. An unidentified suspect is wanted by authorities in three different states, including Oregon. Police said he is stealing bank card numbers and PINs using an ATM skimming device. He then produces cloned bank cards and pilfers accounts. A surveillance photo taken at a Vancouver, Washington, bank shows a white male, around 30 to 40 years old. Police said he has short brown hair, a mustache and a goatee. They said he’s about 5’9” to 6 feet tall and has a stocky build. Vancouver is one area the suspect allegedly hit the hardest. Police said they are still looking for him. The case extends to California, Nevada, Idaho and Washington, with incidents occurring from August 2009 to April 2010. Source:

21. May 9, Philadelphia Inquirer – (Pennsylvania) Grays Ferry man is sought in 4 Center City bank heists. Federal agents continued their hunt May 8 for a serial Center City bank robber whose latest of four heists occurred just before lunchtime May 7 in Philadelphia, Pennsylvania’s business district. The FBI released a photo and description of the 31-year-old suspect, saying he was linked to the Susquehanna Bank holdup at 1635 Market St. around 11:35 a.m. May 7 and three other downtown bank robberies since April. The FBI said the suspect had been captured on videotape inside the Susquehanna Bank and had “presented a threatening note to a teller.” The robber fled on foot with an unknown amount of cash, the FBI said. Authorities believe the suspect is also linked to the robberies of Republic First Bank at 1601 Market St. Monday, the TruMark Financial Credit Union branch at 1811 JFK Blvd. April 26, and PNC Bank at 230 S. Broad St. April 21. Source:

22. May 8, Bank Info Security – (National) Four banks fail May 7. State and federal regulators closed four banks Friday, May 7. These closings raise to 75 the number of failed institutions so far in 2010. The Bank of Bonifay, Bonifay, Florida, was closed by the Florida Office of Financial Regulation, which appointed the Federal Deposit Insurance Corporation (FDIC) as receiver. The First Federal Bank of Florida, Lake City, FL will assume all of the deposits of the failed bank. The failed bank had $242.9 million in total assets. The estimated cost to the Depositors Insurance Fund (DIF) will be $78.7 million. Access Bank, Champlin, MN, was closed by the Minnesota Department of Commerce, which appointed the FDIC as receiver. The bank’s assets were sold to PrinsBank, Prinsburg, MN. Access Bank had $32 million in assets. The estimated cost to the DIF will be $5.5 million. Towne Bank of Arizona, Mesa, AZ, was closed by the Arizona Department of Financial Institutions, which appointed the FDIC as receiver. Commerce Bank of Arizona, Tucson, AZ will assume all of the deposits of the failed bank. The Towne Bank of Arizona branch will become a branch of Commerce Bank of Arizona. Towne Bank of Arizona had $120.2 million in total assets. The FDIC estimates that the cost to the DIF will be $41.8 million. 1st Pacific Bank of California, San Diego, California, was closed by the California Department of Financial Institutions, which appointed the FDIC as receiver. The six branches of 1st Pacific Bank of California will reopen as branches of City National Bank. 1st Pacific Bank of California had $335.8 million in assets. The estimated cost to the DIF will be $87.7 million. Source:

23. May 8, Krebs on Security – (International) Visa warns of fraud attack from criminal group. Visa is warning financial institutions that it has received reliable intelligence that an organized criminal group plans to attempt to move large amounts of fraudulent payments through a merchant account in Eastern Europe, possibly as soon as this weekend. In an alert sent to banks, card issuers and processors this week, Visa said it “has received intelligence from a third-party entity indicating that a criminal group has plans to execute ‘a large batch settlement-fraud scheme.’” The alert states that the criminals claimed to have access to account numbers and the ability to submit a large batch-settlement upload to occur over a weekend. Visa does not have any information as to when the fraudulent settlement activity may occur. The criminals claim to have access to a merchant account placed with a bank in Eastern Europe. Upon receipt of this notification from the third party, Visa immediately implemented monitoring of large-settlement activity for banks located in Eastern Europe. To date, Visa has not seen abnormal or large-settlement activity. Visa is continuing to monitor and will alert any affected Visa clients of abnormal activity, if necessary. Visa said institutions should start monitoring for large or unusual settlement activity, conduct monitoring daily, especially over weekends and long holidays, and review settlement and charge-back activity for high-risk merchants and agents. Source:
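The monitoring Visa recommends above (daily review of settlement totals, with extra attention over weekends) can be approximated with a per-merchant baseline check. The script below is an added illustration, not code from Visa or Krebs on Security; the merchant identifiers, settlement amounts and thresholds are constructed. A batch is flagged when it is far outside the merchant's own history, when it is moderately outside that history on a weekend, or when the merchant has no history at all (a freshly placed merchant account is exactly what the alert describes).

```python
from datetime import date
from statistics import mean, pstdev

# Constructed sample: recent daily settlement totals (USD) for one merchant id.
# Not real data; any real deployment would load this from the processor's records.
HISTORY = {
    "merchant-A": [12_000, 11_500, 13_200, 12_800, 11_900,
                   12_400, 13_000, 12_100, 11_700, 12_600],
}


def settlement_alerts(history, new_batches, z_weekday=4.0, z_weekend=2.0):
    """Flag settlement batches that look unusual against each merchant's baseline.

    new_batches: iterable of (merchant_id, batch_date, amount_usd).
    Returns a list of (merchant_id, batch_date, amount_usd, reason) tuples.
    The weekend threshold is deliberately lower: the alert text singles out
    weekends and long holidays as the window the fraud is expected to use.
    """
    alerts = []
    for merchant, day, amount in new_batches:
        base = history.get(merchant)
        if not base:
            alerts.append((merchant, day, amount, "no baseline for merchant"))
            continue
        mu, sigma = mean(base), pstdev(base)
        if sigma == 0:
            z = 0.0 if amount == mu else float("inf")
        else:
            z = (amount - mu) / sigma
        weekend = day.weekday() >= 5          # Saturday == 5, Sunday == 6
        limit = z_weekend if weekend else z_weekday
        if z >= limit:
            prefix = "weekend batch " if weekend else ""
            alerts.append((merchant, day, amount, f"{prefix}{z:.1f} sd above baseline"))
    return alerts


if __name__ == "__main__":
    # May 8, 2010 was a Saturday; the same amount on a Wednesday is not flagged.
    for a in settlement_alerts(HISTORY, [("merchant-A", date(2010, 5, 5), 13_500),
                                         ("merchant-A", date(2010, 5, 8), 13_500),
                                         ("merchant-Z", date(2010, 5, 8), 500)]):
        print(a)
```

The z-score baseline is a deliberately simple stand-in; a processor would normally add charge-back ratios and merchant-category context, which the alert also asks institutions to review.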

24. May 8, Contra Costa Times – (California) Improper disposal of hundreds of loan applications raises security concerns. The financial and personal details of about 300 property-loan applicants were compromised when confidential documents were mistakenly tossed into an outdoor waste bin. The paperwork, belonging to FHG Finance, a home-loan business at 548 Contra Costa Blvd. in Pleasant Hill, California was discarded recently by a cleaning crew hired to clear out a portion of the building where FHG is based, an official at the business said. The documents, which contained bank account and Social Security numbers, were found by employees at a neighboring store, who alerted FHG. The company secured the trash bin with a padlock until the documents could be shredded. The vice president of FHG described it as a close call. Source:

25. May 8, Roanoke Times – (Virginia) National Bank again targeted in scam. The National Bank of Blacksburg, Virginia has been the target again of a scam that attempts to obtain confidential account information from residents. Bank officials said May 7, that residents are reporting receiving scam phone calls requesting confidential debit card and bank account information. The fraudulent automated calls say they are from the National Bank of Blacksburg, which is a subsidiary of National Bankshares Inc. The National Bankshares’ chairman, president, and CEO said in a news release that the bank’s computer system has not been compromised and the bank is not the source of any information, including phone numbers. Officials said the calls appear to be a continuation of a large-scale phishing attack on the bank in mid-April when fraudulent e-mails, phone calls and text messages using the bank’s name, logo and Web site were sent to some Southwest Virginia residents. Source:

26. May 7, Sarasota Herald-Tribune – (Florida) Bomb used as weapon in Bradenton bank robbery. The Manatee County Sheriff’s bomb squad is examining a device left inside a Bradenton, Florida bank during a robbery May 7. A man put the pipe-bomb type device on the counter of a Wachovia bank in the 3700 block of Manatee Avenue West and demanded money about 2:40 p.m. He fled with an undisclosed amount of money, leaving the device on the counter, said a sheriff’s spokesman. Bomb squad deputies are using a robot to check out the device. The bank has been evacuated. The man is described as white, in his 30s, about 5-foot-9 with dark hair and a scruffy beard. He was wearing a black shirt, sunglasses and a black baseball cap. Source:

27. May 7, Associated Press – (Georgia) 3 accused in massive bank fraud. Federal prosecutors said two former executives of Integrity Bank of Alpharetta, Georgia, and a Florida developer are charged with fraud in connection with $80 million in loans made before the bank collapsed two years ago. A U.S. attorney said May 7, the 50-year-old developer of Coral Gables, Florida, used some of the loan money to buy a private island. She said the 40-year-old and 42-year-old executives dumped their Integrity stock before the failed loans came to light. The indictment alleges that with the assistance of individuals within the bank, the developer paid interest on existing loans with money from other loans, and kept borrowing to pay interest. Source:

28. May 6, U.S. Government Accountability Office – (National) Financial crisis highlights need to improve oversight of leverage at financial institutions. In 2009, the U.S. Government Accountability Office (GAO) conducted a study on the role of leverage in the recent financial crisis and federal oversight of leverage, as mandated by the Emergency Economic Stabilization Act. This testimony presents the results of that study, and discusses (1) how leveraging and deleveraging by financial institutions may have contributed to the crisis; (2) how federal financial regulators limit the buildup of leverage; and (3) the limitations the crisis has revealed in regulatory approaches used to restrict leverage and regulatory proposals to address them. The crisis has revealed limitations in regulatory approaches used to restrict leverage. First, regulatory capital measures did not always fully capture certain risks, which resulted in some institutions not holding capital commensurate with their risks and facing capital shortfalls when the crisis began. Federal regulators have called for reforms, including through international efforts to revise the Basel II capital framework. The planned U.S. implementation of Basel II would increase reliance on risk models for determining capital needs for certain large institutions. The crisis underscored concerns about the use of such models for determining capital adequacy, but regulators have not assessed whether proposed Basel II reforms will address these concerns. Such an assessment is critical to ensure that changes to the regulatory framework address the limitations the crisis has revealed. Second, regulators face challenges in counteracting cyclical leverage trends and are working on reform proposals. Finally, the crisis has revealed that with multiple regulators responsible for individual markets or institutions, none has clear responsibility to assess the potential effects of the buildup of system-wide leverage or the collective effect of institutions’ deleveraging activities. Source:

29. May 5, WIS 10 Columbia – (South Carolina) ATM skimmers, which can steal info in seconds, becoming more popular. Investigators said a person can get cleaned out in seconds when they unknowingly slip a debit card through a crook’s skimming device. It’s a new crime, and now the Secret Service and the South Carolina State Law Enforcement Division say card skimming cases are up, five times higher, so far this year. “This is actually a skimming device that was recovered from one of the local area grocery stores, here in Columbia,” said a Secret Service agent as he showed a device agents found about a month ago. The skimmer came from an ATM outside the Harbison Publix. A crook put it on the machine, and stole electronic data from dozens of debit cards. The Secret Service spent 12 hours waiting for the crook to come back for the skimmer, but the crook never showed before agents took the device as evidence. Luckily, agents took the skimmer off the ATM before the bad guys could download the information and create a new batch of victims. Source:

Information Technology

57. May 10, Help Net Security – (International) Highly critical vulnerability in Safari for Windows. A vulnerability has been discovered in Apple Safari 4.0.5 for Windows, which can be exploited to compromise a system. The vulnerability is caused due to an error in the handling of parent windows and can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user e.g. visits a specially crafted Web page and closes opened pop-up windows. Source:

58. May 10, TG Daily – (International) Hackers target WordPress in large-scale attack. Hackers have reportedly targeted a number of Web sites powered by the popular WordPress platform. The attacks have affected sites hosted by various providers, including DreamHost, GoDaddy, Bluehost and Media Temple. In addition, other PHP-based management systems - such as Zen Cart eCommerce - have also been targeted in the ongoing cyber offensive. “The hacked Web pages appear to have been infected with scripts, which not only install malware on users’ systems, but also prevent browsers like Firefox and Google Chrome, which use Google’s Safe Browsing API, from issuing an alert when users try to access the page,” reported H Open. “When Google’s search bot encounters such a specially crafted page, the page responds by simply returning harmless code. This camouflage strategy takes advantage of the browser switch normally used by developers to return browser-specific code to suit functional variations in different browsers, such as Internet Explorer and Firefox.” Source:

59. May 10, The Register – (International) Dodgy Facebook pages used to power ‘spam a friend’ joke scam. Dubious Facebook pages host rogue JavaScript code that creates a means for miscreants to spam people on a user’s friends list, security researchers warn. A security researcher at Sunbelt Software, who goes by the online name Paperghost, explains that the ruse relies on duping prospective marks into completing surveys. Users who complete these studies would inadvertently grant access to their friends list by following instructions on misleading dialogue boxes. Baits being used in the ruse offer supposed access to the “world’s funniest joke,” among other ruses. Users are taken through a series of steps that results in them copying and then pasting JavaScript code into their address bar. Once this happens a “suggest this to your friends” dialogue box will automatically appear briefly on users’ screens before it is replaced by a captcha prompt. Users who follow through will post a spam-link on the news feed of anybody who happens to be their friend. This “spamvertised” link, in turn, promotes a fake Internet survey aimed at flogging “expensive ringtones, and fake iPod offers,” as explained in a blog post. A depressing total of over 600,000 links to four pages containing the malicious JavaScript reveals that numerous users have been exposed, if not already taken in, by the scam. Source:

60. May 7, eWeek – (International) Worms attack Skype, Yahoo Messenger. Security researchers have reported a new wave of attacks targeting users of Yahoo Messenger and Skype. BKIS (Bach Khoa Internetwork Security) researchers said May 7 that the attack comes via messages such as, “Does my new hairstyle look good? bad? perfect?” and “My printer is about to be thrown through a window if this pic won’t come out right. You see anything wrong with it?” The messages contain malicious links. “The users are more easily tricked into clicking the link by these messages, because users tend to think that ‘their friend(s)’ are asking for [advice],” said the BKIS blog post. “Moreover, the URL shows a .jpg file to users, reinforcing the users’ thought of an image file.” BKIS’ discovery follows the appearance of another worm targeting Yahoo Messenger that was reported recently. “The page at the end of the link is basic and does not employ any exploits in order to install the worm, it relies solely on social engineering to trick victims into believing they are opening a picture from a friend, while in fact they run the worm,” explained a Symantec researcher May 2. Once executed, “the worm copies itself to %WinDir%\infocard.exe, then it adds itself to the Windows Firewall List, blocks the Windows Updates service and sets the following registry value so that it runs whenever the system boots: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Firewall Administrating" = "%WinDir%\infocard.exe",” the researcher wrote. With that done, the worm then blasts itself out to everyone on the victim’s Yahoo Messenger contact list, and it may also download and execute other malicious files. Source:
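The persistence value quoted by the Symantec researcher has two traits a responder can check for across a fleet: the binary sits directly in the Windows directory rather than in a subfolder, and the value name borrows security vocabulary ("Firewall ...") that has nothing to do with the binary's own name. The script below is an added example, not Symantec's or BKIS's tooling; it parses text in the layout that `reg query` prints for the Run key and applies those two heuristics. The sample output is constructed: it reproduces the value from the article next to two benign, made-up entries so the distinction is visible.

```python
import ntpath
import re

# Constructed 'reg query HKLM\...\Run' output. The third entry reproduces the
# value described in the article; the first two are invented benign entries.
SAMPLE_REG_QUERY = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    ExampleTray    REG_SZ    C:\\Program Files\\Example\\tray.exe
    SysTrayDemo    REG_EXPAND_SZ    %windir%\\system32\\systraydemo.exe
    Firewall Administrating    REG_SZ    %WinDir%\\infocard.exe
"""

# Words that malware commonly borrows for a value name to look legitimate.
SECURITY_WORDS = ("firewall", "antivirus", "security", "update", "defender")


def parse_reg_query(text):
    """Return (value_name, type, data) tuples from reg query output.

    reg query separates the three columns with four spaces, which is why the
    split is on runs of four spaces rather than on any whitespace (value names
    such as 'Firewall Administrating' contain single spaces).
    """
    entries = []
    for line in text.splitlines():
        if not line.startswith("    "):        # key header lines are not indented
            continue
        parts = re.split(r"\s{4}", line.strip())
        if len(parts) == 3:
            entries.append(tuple(parts))
    return entries


def expand_windir(path):
    """Normalise %WinDir% / %SystemRoot% to a fixed root so paths compare."""
    return re.sub(r"%(windir|systemroot)%", r"C:\\Windows", path, flags=re.IGNORECASE)


def findings_for(entry):
    """Heuristic reasons an autorun entry deserves a look (empty list if none)."""
    name, _type, data = entry
    exe = expand_windir(data.strip('"'))
    reasons = []
    if ntpath.dirname(exe).lower() == r"c:\windows":
        reasons.append("binary placed directly in the Windows root, not a subfolder")
    lname, lexe = name.lower(), ntpath.basename(exe).lower()
    if any(w in lname for w in SECURITY_WORDS) and not any(w in lexe for w in SECURITY_WORDS):
        reasons.append("security-themed value name unrelated to the binary name")
    return reasons


def audit_run_key(text):
    """Map value name -> reasons for every entry that triggers a heuristic."""
    result = {}
    for entry in parse_reg_query(text):
        reasons = findings_for(entry)
        if reasons:
            result[entry[0]] = reasons
    return result


if __name__ == "__main__":
    for name, reasons in audit_run_key(SAMPLE_REG_QUERY).items():
        print(name, "->", "; ".join(reasons))
```

Both heuristics are hints, not verdicts: a vendor may legitimately use a security-themed name, so a hit should lead to hashing the binary and checking its signature rather than to automatic removal.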

61. May 7, Kaspersky Lab Security News Service – (International) Main PHP-Nuke site compromised. Researchers at Websense found that the main site for the PHP-Nuke content-management system software, , has been compromised and is serving malicious iFrame exploits to visitors. The attack uses the common iFrame-redirection technique to hijack users’ browsers and send them off to a malicious site. The code on that site is highly obfuscated and contains exploits for three separate vulnerabilities, two in Internet Explorer and one in Adobe Reader. The first attack tries to exploit a four-year-old flaw in Internet Explorer. If that part of the attack works, it downloads a Trojan onto the victim’s machine. The malware then tries to connect to several Web sites, the researchers said. The second attack uses a Java exploit, which ends up with the same infection routine as the first one. The third exploit is a PDF exploit — this actually merges three exploits targeting Adobe Reader. First the JavaScript in the HTML page checks if Adobe Reader is exploitable by checking its version number. Source:
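Items 58 and 61 describe two signs a site owner can check for when auditing their own pages: an injected iframe that is hidden from the visitor (item 61), and content that differs depending on whether the requester looks like Google's crawler or a browser (item 58). The script below is an added example, not from Websense, H Open or the PHP-Nuke project; it extracts iframes and script sources from HTML with the standard library parser, reports iframes that are visually hidden, and diffs the resources served to a crawler against those served to a browser. The two HTML documents are constructed, and the `malicious.example` host is a placeholder, not a real indicator.

```python
from html.parser import HTMLParser

# Constructed sample pages. BOT_HTML is what a page would return to a crawler
# user-agent; BROWSER_HTML is the same page as seen by a normal browser.
BOT_HTML = """<html><body>
<script src="/assets/site.js"></script>
<iframe src="https://video.example/embed" width="480" height="270"></iframe>
<p>Welcome to the site.</p>
</body></html>"""

BROWSER_HTML = """<html><body>
<script src="/assets/site.js"></script>
<iframe src="https://video.example/embed" width="480" height="270"></iframe>
<p>Welcome to the site.</p>
<iframe src="http://malicious.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script src="http://malicious.example/js/dl.js"></script>
</body></html>"""


class _Collector(HTMLParser):
    """Collects iframe attribute dicts and external script sources."""

    def __init__(self):
        super().__init__()
        self.iframes, self.scripts = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script" and a.get("src"):
            self.scripts.append(a["src"])


def collect(html):
    c = _Collector()
    c.feed(html)
    return c


def _px(value):
    """Parse '1' or '1px' to an int; None when absent or non-numeric."""
    try:
        return int(str(value).lower().replace("px", "").strip())
    except ValueError:
        return None


def hidden_iframes(html):
    """src of iframes that a visitor cannot see: 1-2 px boxes or CSS-hidden."""
    out = []
    for a in collect(html).iframes:
        style = (a.get("style") or "").replace(" ", "").lower()
        w, h = _px(a.get("width")), _px(a.get("height"))
        tiny = (w is not None and w <= 2) or (h is not None and h <= 2)
        if tiny or "display:none" in style or "visibility:hidden" in style:
            out.append(a.get("src"))
    return out


def cloaking_delta(bot_html, browser_html):
    """Resources served to the browser but withheld from the crawler.

    A non-empty result is the cloaking signature from item 58: the page looks
    clean to the crawler that feeds Safe Browsing, yet loads extra code for users.
    """
    b, u = collect(bot_html), collect(browser_html)
    bot_set = {f.get("src") for f in b.iframes} | set(b.scripts)
    user_set = {f.get("src") for f in u.iframes} | set(u.scripts)
    return sorted(x for x in user_set - bot_set if x)


if __name__ == "__main__":
    print("hidden iframes:", hidden_iframes(BROWSER_HTML))
    print("served only to browsers:", cloaking_delta(BOT_HTML, BROWSER_HTML))
```

In practice the two fetches would be made with a crawler user-agent and a browser user-agent from a host the site does not recognise, since the injected code may also key on the visitor's IP or cookies.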

62. May 7, The Register – (International) New attack bypasses virtually all AV protection. Researchers say they have devised a way to bypass protections built into dozens of the most popular desktop anti-virus products, including those offered by McAfee, Trend Micro, AVG, and BitDefender. The method, developed by software security researchers at , works by exploiting the driver hooks the anti-virus programs bury deep inside the Windows operating system. In essence, it works by sending them a sample of benign code that passes their security checks and then, before it’s executed, swaps it out with a malicious payload. The exploit has to be timed just right so the benign code is not switched too soon or too late. But for systems running on multicore processors, matousec’s “argument-switch” attack is fairly reliable because one thread is often unable to keep track of other simultaneously running threads. As a result, the vast majority of malware protection offered for Windows PCs can be tricked into allowing malicious code that under normal conditions would be blocked. All that is required is that the AV software use SSDT, or System Service Descriptor Table, hooks to modify parts of the OS kernel. Source:

63. May 7, – (International) Botnets exploit Linux owners’ ignorance. A lack of knowledge and awareness about how to use Linux mail servers could be contributing to the disproportionately large number of Linux machines being exploited to send spam, according to new Symantec Hosted Services research. The firm’s latest monthly MessageLabs Intelligence Report found that Linux-based computers are five times more likely to send spam than Windows PCs. A malware data analyst at Symantec Hosted Services explained in a blog post May 6 that he decided to dig deeper into the potential causes. “On investigating the originating IPs of a random selection of spam from Linux, I found that in most cases it came from a machine running an open-source mail transfer agent, such as Postfix or Sendmail, that had been left open,” he said. “This suggests that one reason there is so much spam from Linux could be that many companies that have implemented their own mail servers, and are using open-source software to keep costs down, have not realized that leaving port 25 open to the Internet also leaves them open to abuse.” Source:
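The "left open" condition the analyst describes is an open relay: port 25 has to be reachable for a mail server to receive mail at all, so what matters is whether the MTA relays mail for arbitrary destinations from arbitrary clients. For Postfix that comes down to two settings in `main.cf`: `mynetworks` (which clients are trusted) and the `smtpd_recipient_restrictions` / `smtpd_relay_restrictions` list, which must reach `reject_unauth_destination` before any unconditional permit. The script below is an added example, not Symantec's or the Postfix project's code; it parses a `main.cf` fragment (including Postfix's indented continuation lines) and reports those two misconfigurations. Both configuration samples are constructed; the defaulted restriction list assumed for an absent parameter is the one older Postfix releases document (`permit_mynetworks, reject_unauth_destination`).

```python
import re
from ipaddress import ip_network

# Constructed example of a server left open to relay for anyone.
SAMPLE_MAIN_CF_OPEN = """
# anything goes
inet_interfaces = all
mynetworks = 0.0.0.0/0
smtpd_recipient_restrictions = permit
"""

# Constructed example of the usual safe shape: trusted nets and SASL users may
# relay; everyone else may only deliver to domains this server accepts mail for.
SAMPLE_MAIN_CF_SAFE = """
inet_interfaces = all
mynetworks = 127.0.0.0/8, 192.0.2.0/24
smtpd_recipient_restrictions =
    permit_mynetworks,
    permit_sasl_authenticated,
    reject_unauth_destination
"""

DEFAULT_RESTRICTIONS = "permit_mynetworks, reject_unauth_destination"


def parse_main_cf(text):
    """Return a {parameter: value} dict; indented lines continue the previous value."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key:                  # Postfix continuation line
            params[key] += " " + raw.strip()
        elif "=" in raw:
            k, _, v = raw.partition("=")
            key = k.strip()
            params[key] = v.strip()
    return params


def _split_list(value):
    return [x for x in re.split(r"[,\s]+", value) if x]


def open_relay_findings(params):
    """Describe settings that let arbitrary Internet clients relay through this host."""
    findings = []
    for net in _split_list(params.get("mynetworks", "")):
        try:
            if ip_network(net, strict=False).prefixlen == 0:
                findings.append(f"mynetworks contains {net}: every client counts as trusted")
        except ValueError:
            pass   # hostnames and table lookups are not evaluated here
    # Newer Postfix evaluates smtpd_relay_restrictions first; fall back to the
    # recipient list, then to the documented default when neither is set.
    which = "smtpd_relay_restrictions" if "smtpd_relay_restrictions" in params else "smtpd_recipient_restrictions"
    rules = _split_list(params.get(which) or DEFAULT_RESTRICTIONS)
    stop = next((i for i, r in enumerate(rules)
                 if r in ("reject_unauth_destination", "defer_unauth_destination")), None)
    if stop is None:
        findings.append(f"{which} never rejects unauthorised relay destinations")
    elif "permit" in rules[:stop]:
        findings.append(f"{which} has an unconditional permit before reject_unauth_destination")
    return findings


if __name__ == "__main__":
    for label, cfg in (("open", SAMPLE_MAIN_CF_OPEN), ("safe", SAMPLE_MAIN_CF_SAFE)):
        print(label, open_relay_findings(parse_main_cf(cfg)) or ["no relay findings"])
```

The check reads the file only; confirming the behaviour means sending a test message from an outside address to a domain the server does not host and verifying it is rejected, which is what the public open-relay testers do.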

Communications Sector

Nothing to report
