Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, January 5, 2010

Complete DHS Daily Report for January 5, 2010

Daily Report

Top Stories

 The New York Times reports that a gunman opened fire Monday morning in the lobby of the Lloyd D. George Federal Courthouse in downtown Las Vegas, killing a court security officer and wounding a deputy United States marshal before he was shot in the head and killed nearby. (See item 41)

41. January 4, New York Times – (Nevada) 2 dead in shootout at Las Vegas federal building. A gunman in a black trench coat opened fire Monday morning in the lobby of the Federal Courthouse in downtown Las Vegas, killing a court security officer and wounding a deputy United States marshal before fleeing. He was then shot in the head and killed nearby. “The suspect was in the lobby, but he never made it past the security checkpoint,” said a spokeswoman for the Las Vegas police. The building, the Lloyd D. George Federal Courthouse, is a huge structure that houses federal courts as well as other agencies, including the offices of two Senators. Both Senators were in Nevada, their offices said, but not in the building. The gunman entered the building shortly after it opened at 8 a.m. and began firing in the lobby. An Associated Press reporter within sight of the building counted 20 shots over several minutes, although it was not clear how many were fired by the gunman and how many by responding law enforcement officials. Two hours after the shooting, the complex was still being evacuated floor by floor, with groups of about 20 people being escorted several blocks away while surrounded by several officers toting large rifles. The courthouse was blocked off for at least a five-block perimeter. Federal officials confirmed that the security officer had died. There was no immediate word on the identity of the suspect, or whether the shooting was a random act of violence, a vendetta or something else. There was also no initial indication that terrorism was involved. Source:

 According to United Press International, members of the Hemet-San Jacinto Valley Anti-Gang Task Force in southern California found their building had been rigged to explode December 31. A Hemet police lieutenant told the Los Angeles Times it is “an educated guess” that gang members are responsible. (See item 46)

46. December 31, United Press International – (California) Calif. police building rigged to explode. Police officers and other members of a gang task force in Southern California found their building had been rigged to explode Thursday, authorities said. At the headquarters of the Hemet-San Jacinto Valley Anti-Gang Task Force, a gas line had been rerouted through the office, said a Hemet police lieutenant. Given the amount of gas that had accumulated, a spark could have ignited the building, he told KABC-TV, Los Angeles. “It could have easily leveled that building — that’s about a 1,700-square-foot building — and killed anyone inside,” he said. “It was planned to blow up the building and anyone in it. We’re not really sure why it didn’t.” Authorities evacuated the building and shut down the gas as investigators examined the office. A Hemet police lieutenant told the Los Angeles Times it is “an educated guess” that gang members are responsible. The gang task force, formed five years ago, includes members of the Hemet Police Department, the Riverside County Sheriff’s Department, the county probation office, the state parole office and the district attorney’s office. Source:


Banking and Finance Sector

17. January 1, West Volusia News Journal – (Florida) Man uses ‘bomb’ to rob Bunnell bank. An unidentified man put a strange cylinder on the counter at a Bank of America and told the teller it was a bomb, quietly demanding money on December 31. The man fled the bank branch on E. Moody Blvd. just after 11:30 a.m. with an undisclosed amount of cash — and left the package behind. The teller raised the alarm and customers and bank employees were informed of what had happened. Local law enforcement officers shut down the streets around the bank for several hours on December 31 while the St. Johns County Sheriff’s Office bomb squad checked out the pipe-like package that was covered in electrical tape. A nearby business was also evacuated and no one was allowed within 500 feet of the bank — including stranded customers and workers whose cars were in the bank parking lot. Just before 3 p.m., the bomb squad “neutralized” the package inside the building by blowing it up in a protective container, the Bunnell police chief said. Source:

18. December 31, USA Today – (National) Cybercrooks stalk small businesses that bank online. A rising swarm of cyber-robberies targeting small firms, local governments, school districts, churches, and non-profits has prompted an extraordinary warning. The American Bankers Association and the FBI are advising small and mid-size businesses that conduct financial transactions over the Internet to dedicate a separate PC used exclusively for online banking. The reason: Cybergangs have inundated the Internet with “banking Trojans” — malicious programs that enable them to surreptitiously access and manipulate online accounts. A dedicated PC that is never used for e-mail or Web browsing is much less likely to encounter a banking Trojan. And the bad guys are stepping up ways to get them onto PCs at small organizations. They then use the Trojans to manipulate two distinctive, decades-old banking technologies: Automated Clearing House (ACH) transfers and wire transfers. ACH and wire transfers remain at the financial nerve center of most businesses. ACH transfers typically take two days to complete and are widely used to deposit salaries, pay suppliers and receive payments from customers. Wire transfers usually come into play to move larger sums in near-real time. Internet-enabled ACH and wire transfer fraud have become so acute that the FBI, which is usually reticent to discuss bank losses or even acknowledge ongoing cases, has gone public about the scale of the attacks to bring attention to the problem. The FBI, the Federal Deposit Insurance Corp. and the Federal Reserve have all issued warnings in the past two months. Source:

19. December 31, Richmond Palladium-Item – (Indiana) Debit card scam: Hagerstown, Greens Fork already affected. A telephone debit card scam is impacting Hagerstown and Greens Fork, Indiana, and may continue to spread east, bank executives say. The vice president of member services for Perfect Circle Credit Union said the scam is currently hitting 489 and 886 prefixes. Customers of PCCU and West End Bank are being fraudulently asked via automated phone calls from 1-800-245-9655 to enter their debit card numbers or risk having them canceled. The real risk is that by responding to the scam, unsuspecting customers can expose themselves to unwanted charges on their accounts and also myriad potential credit issues. Source:

20. December 30, Investment News – (International) Security breach reported by Internet trading site Users of the do-it-yourself trading site received an “urgent” e-mail at a few minutes past noon on December 30 notifying them that the company’s computer database had been breached by a hacker and that all users should log in to change their passwords immediately. That e-mail, from the founder of Collective2 LLC, stated that the information accessed by the hacker included names, e-mail addresses, passwords and credit card information. In addition, the e-mail went on to state: “We have contacted federal and state law enforcement authorities, who we hope will track down and prosecute the person responsible. More important: we have changed our database security, locked down our servers and altered our website in order to prevent similar attacks. We are also notifying the three credit bureaus — Equifax, Experian and TransUnion — of the breach.” Launched in 2003, provides its 25,000 subscribers with algorithm-based, computer-generated trading systems. A trading system is a set of formulas and rules that generate buy and sell recommendations based on price, volume, or other data. acts as an online repository for more than 9,000 automated trading systems developed by mathematicians and traders from around the world. Trading volume at the site rose to $17.5 billion during the third quarter. That compares with about $1.2 billion in the similar period a year ago. Source:

21. December 29, Help Net Security – (International) Phishers prefer Paypal, Visa, eBay and Amex. Compared to the first half of 2009, the amount of phishing messages has remained relatively unchanged, although phishers have switched their focus to institutions that could bring them the most profit in the shortest timeframe. This is one of the results of BitDefender’s malware and spam survey. Primary targets are PayPal, Visa and eBay, followed by HSBC, American Express, and Abbey Bank. Ally Bank and Bank of America rank last with a little over one percent of the total amount of phishing messages. These messages mostly target English-speaking computer users who are using the services of at least one of the institutions previously mentioned. BitDefender Labs found that most web 2.0 phishing attempts in the first half of 2009 relied on social engineering schemes and speculated user naivety. The Twitter Porn Name scam is a good example. Users were invited to reveal their first pet name, as well as the first street on which they lived. These names are usually employed as backup/security questions. An e-crook possessing a person’s username along with these “clues” can easily retrieve a password that he or she can later employ to access the account and send spam, access transactions, or use the account in whatever way necessary to make a profit, including demanding a ransom for release of the hijacked account. Source:

Information Technology

48. January 4, – (International) Symantec issues South Africa cyber crime warning. The next major global cyber security hub could be South Africa, as the country struggles to cope with the twin effects of rising broadband penetration and the World Cup tournament this summer, warned security giant Symantec. The firm said that South Africa risks creating a “perfect storm” for cyber criminals because of significant broadband infrastructure upgrades within the country, including links to two new undersea fiber-optic cables. Improved broadband connectivity is often the key factor leading to increased botnet activity in a region. Symantec also warned that the World Cup is already generating large amounts of related spam, and other online crime such as government web site defacements. “Over the years Symantec has seen a surge in malicious activity in countries introducing faster, cheaper and more accessible broadband,” said the regional director for Africa at Symantec. “Our research has also shown that events such as the Olympic Games and the Soccer World Cup trigger online fraud, fake web sites, phishing and spam attacks, and hacking.” Source:

49. January 2, eWeek – (International) Researcher uncovers Twitter, Google calendar security vulnerabilities. A security researcher has uncovered vulnerabilities in Twitter and Google Calendar that could put users at risk. In a proof of concept, a researcher demonstrated cross-site scripting (XSS) vulnerabilities in Google Calendar and Twitter that he said could be used to steal cookies and session IDs. He also uncovered an HTML injection issue affecting Google Calendar as well that he said could be used to redirect a victim to an attack site any time the user viewed his or her Google Calendar agenda events. The researcher sent the code to eWEEK, which in turn contacted Twitter and Google about the vulnerabilities. Twitter issued a fix for the issue December 30, and Google told eWEEK December 31 it would examine the input validation process for the Google Calendar field to help address the situation. “We do not believe this report contains evidence of substantial security issues,” a spokesperson for Google told eWEEK. “Trying to trick someone into copying unfamiliar, suspicious code into a Google Calendar text field is neither a likely attack vector nor one that we are seeing being exploited. ... Nonetheless, we will check the input validation mechanisms in Google Calendar text fields to help prevent any abuse of this capability before an event is sanitized.” According to the researcher, a penetration testing expert with Avnet Information Security Consulting in Israel, the cross-site scripting vulnerability can be exploited if a victim adds malicious code to his quick add post calendar. Source:
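Added example (not from the eWEEK article and not Twitter's or Google's code): a minimal Python illustration of the defect class the researcher describes and of the output-side control that complements the input validation Google said it would examine. A calendar event title is rendered into HTML twice, once by plain string concatenation and once with contextual output encoding, and a small tag collector then reports which elements and event-handler attributes survive in each rendering. The event title, the `render_event_*` functions, the `TagCollector` class and the marker payload are all constructed for this demonstration; the payload is an inert marker, not a working exploit.

```python
import html
from html.parser import HTMLParser

# Constructed sample: text a user might paste into a calendar's free-text field.
# "alert(1)" is the conventional harmless marker used to show that script would run.
SAMPLE_TITLE = 'Dentist <img src=x onerror="alert(1)"> 3pm'


def render_event_unsafe(title):
    """Vulnerable form: user-controlled text is concatenated straight into markup,
    so any tag or attribute in the title becomes part of the page's DOM."""
    return f"<li class='event'>{title}</li>"


def render_event_safe(title):
    """Hardened form: HTML-encode the text for the element-content context.
    The browser displays the characters literally instead of parsing them."""
    return f"<li class='event'>{html.escape(title, quote=True)}</li>"


class TagCollector(HTMLParser):
    """Collects start tags and any on* event-handler attributes a fragment contains."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers += [name for name, _ in attrs if name.startswith("on")]

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def injected_elements(fragment):
    """Return the elements and event handlers an HTML parser actually sees in the fragment.
    Only the template's own <li> should appear when rendering is done correctly."""
    parser = TagCollector()
    parser.feed(fragment)
    parser.close()
    return {"tags": parser.tags, "event_handlers": parser.handlers}


if __name__ == "__main__":
    for label, render in (("unsafe", render_event_unsafe), ("safe", render_event_safe)):
        fragment = render(SAMPLE_TITLE)
        print(f"{label}: {fragment}")
        print(f"  parsed as: {injected_elements(fragment)}")
```

Run as-is, the unsafe rendering parses into an extra `img` element carrying an `onerror` handler, while the encoded rendering parses into nothing but the template's own `li`. Encoding on output does not replace validating input on the way in, but it is the control that holds even when a stored value came from a path the validator never saw.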

50. December 30, – (International) Phishing attacks soar in December. Phishing attacks soared in December as cyber criminals looked to capitalise on the higher number of online shoppers in the run up to Christmas, according to new research from managed security firm Network Box released on December 30. The firm’s analysis of web-based threats in December 2009 shows that just over 57 percent of all threats were phishing attacks, compared to 28.3 percent in November. “The run up to Christmas is traditionally a time for hackers to strike the vulnerable. A higher proportion of shopping is done online, with more money spent than at any other time of year,” warned a Network Box internet security analyst. “Christmas offers rich pickings for phishers. This is likely to continue through the sales in January, and we urge online bargain hunters to be vigilant.” The firm also found that the greatest source of viruses and spam during the same time period was Brazil, which accounted for 20.9 percent of all viruses and 9.1 percent of all spam in December. This is up from 14 percent and eight percent respectively in November. Network Box also warned that India is playing an increasingly significant role in the world’s threat landscape, with 6.8 percent of all spam coming from the sub-continent, up from 4.2 percent in November; and 4.1 percent of viruses — the same as in November. Source:

For more stories, see items 52 and 56 below in the Communications Sector

Communications Sector

51. January 3, McDowell News – (North Carolina) Can you hear me now? City’s phone system back in service. The problems with the city of Marion’s new telephone system seem to be solved. The city’s administrative offices, Public Works Department, and the Marion Fire Department all recently experienced phone outages. The city switched its phone service from Verizon to Charter in an attempt to save money. The city manager said the new system is expected to save the city several thousand dollars a year. The changeover happened before Christmas at around the same time as the big snowstorm. But the city soon faced problems with the new phone system. Calls could not get through to City Hall, the Fire Department and other offices. The lines were constantly giving a busy signal. “It’s certainly an annoyance for the public,” said the city manager. Charter has worked to correct the problem. On January 3, the city manager said the phones at City Hall and the Fire Department are back in service. Source:

52. January 2, Techworld – (International) UK mobile operator O2: iPhone apps are hurting our network. The US mobile phone company AT&T has had trouble keeping its network up to speed given the huge bandwidth requirements of the popular iPhone. They are not the only mobile carrier having issues. In the UK, O2 has been having problems with the huge amount of data being schlepped around the network by iPhones. The CEO of O2 told the Financial Times that performance of the O2 network had been disappointing since this summer and that the company was trying to cope with the increasing number of mobile apps running on devices such as the iPhone. TUAW reported a multi-day data outage that affected O2 users just a few weeks ago. Most of the issues have been confined to London, so the company is installing 200 additional base stations to support the increased levels of traffic. The CEO also noted that the company is working with Apple, RIM, and other handset manufacturers to learn more about which applications are causing the heavy demands on the O2 network. O2 has been working with Nokia Siemens Networks to modify the network infrastructure to better handle the combination of voice and data traffic. While trying to iron out these issues, it appears that O2’s parent company, Telefonica, is making moves that could place further demands on the network. Telefonica purchased mobile VoIP company Jajah to add to O2’s portfolio of services, and VoIP services are notorious devourers of bandwidth. Source:

53. January 1, Pittsburg Morning Sun – (Missouri) Fire reported at KSN/KODE studio. An electrical fire at the KODE/KSN studio in Joplin, Missouri, has disrupted programming for ABC, according to a statement on the station’s Web site. KSN’s evening broadcast also may be delayed because of the fire, the Web site reported. “Empire Electric is working right now to restore electricity to the building,” according to the statement. “We are very sorry for this inconvenience.” An electrical transformer outside the TV studio caught fire around 2:30 p.m on January 1. The small fire caused the station to lose power for nearly four hours. The Joplin Fire Department and crews from Empire Electric responded to the station. Source:

54. January 1, Times of the Internet – (National) AT&T down: Network service outages. A number of reports indicate that AT&T is suffering from network outages that are affecting users. 3G cell phone users in Norwalk, Connecticut, Keller, Texas, Ville Platte, Louisiana, Los Angeles, California, and Orange County, California, have all mentioned service outages when attempting to use their phones. There have also been reports of SMS outages due primarily to heavy load, although it appears that issue may now be cleared up. Source:

55. December 30, Data Center Knowledge – (International) Technician injured in Peer 1 power outage. Colocation provider Peer 1 said a technician was seriously injured during an incident on December 30 that knocked out power at its data center on Front Street in Toronto. The company said the injuries “appear to be non-life threatening.” The service technician from Eaton Corp. was injured during scheduled maintenance on the uninterruptible power supply (UPS) system in Peer 1’s fourth-floor data center at 151 Front, the largest carrier hotel and data center hub in the Toronto market. The technician was replacing a failed fan in a UPS unit. “During the maintenance at approximately 8:46PM EST there was a visible arc flash [no confirmed cause yet] from the UPS causing 2nd and 3rd degree burns to the Eaton service technician and witnessed by our data center manager who also went to the hospital to have his eyes checked for retinal burns,” said the vice president of Facilities and Data Center Operations for Peer 1, in an e-mail update. “The Eaton service tech was transferred to another hospital with a burn unit and was in serious/critical condition and our data center manager was treated and released.” All staff were cleared from the fourth floor suite while the fire and police investigated, but were cleared to return and power was restored about three hours after the incident. Peer 1 said it had additional staff on hand to provide support for customer site restoration. Source:

56. December 30, Times Online – (International) Domain name extension ‘could boost cyber-crime’. The introduction of internet addresses in non-Roman scripts could offer fresh opportunities to cyber-criminals, experts have warned. In 2010, the Internet Corporation for Assigned Names and Numbers (Icann) will for the first time accept internet domain names in non-Roman scripts. The domain name is the part of a web address that precedes the “dot”, such as timesonline. The new internationalized domain names will open up the internet as never before to users whose native language does not use the Roman alphabet. But Roman-reading users face a possible deluge of phishing and e-mail scams. “With Cyrillic, Korean, Arabic, Chinese, Korean, and Japanese scripts now possible, this threatens to be like a hydra,” an intellectual property lawyer with the law firm Arnold & Porter told The Times. “You cut off one head and another grows in its place.” The problem for Western users is that the internet addresses of many well-known companies, such as Apple, Yahoo, Google and PayPal, can also be rendered to look identical in Cyrillic scripts, such as Russian. To a Roman-reading eye, an e-mail containing a link to any one of these sites might appear genuine, while to a Russian-reading eye, “paypal”, for example, reads as “raural”. An e-mail link could thus lead to a clone site constructed by unscrupulous thieves, who could then use it to harvest personal and financial details, or to steal cash. Source:
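Added example (not part of the Times article): a Python check of the kind a mail gateway or URL filter can run on link hostnames to flag the lookalike addresses the article describes. It decodes any punycode (`xn--`) labels back to Unicode, reports labels that mix Latin with another script, and builds an ASCII "skeleton" by mapping a small hand-picked subset of Cyrillic letters to the Latin letters they resemble, so a hostname that would read as a familiar brand to a Roman-reading eye is flagged whether it mixes scripts or is written entirely in Cyrillic lookalikes. The confusable table is an assumption (a few entries, not the full Unicode confusables data), `analyze_host` and its helpers are constructed for this example, and the sample hostnames are made up.

```python
import unicodedata

# Constructed subset of Unicode's confusables data: Cyrillic letters whose glyphs are
# visually identical or near-identical to ASCII letters in common fonts. Not exhaustive.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
}


def script_of(ch):
    """Rough script name taken from the first word of the Unicode character name,
    e.g. 'LATIN' or 'CYRILLIC'. Good enough for a mixed-script heuristic."""
    try:
        return unicodedata.name(ch).split(" ")[0]
    except ValueError:
        return "UNKNOWN"


def to_unicode_label(label):
    """Decode an A-label (xn--...) to its Unicode form; other labels pass through."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    return label


def to_ascii_label(label):
    """IDNA-encode a label to its punycode A-label; returns the input if encoding fails."""
    try:
        return label.encode("idna").decode("ascii")
    except UnicodeError:
        return label


def analyze_host(host):
    """Return the Unicode and punycode forms of a hostname, an ASCII skeleton built
    from the confusable table, and the findings that make it suspicious."""
    host = host.strip().rstrip(".").lower()
    unicode_labels = [to_unicode_label(label) for label in host.split(".")]
    skeleton_labels = []
    findings = []
    for label in unicode_labels:
        scripts = {script_of(c) for c in label if c.isalpha()}
        skeleton = "".join(CYRILLIC_TO_LATIN.get(c, c) for c in label)
        skeleton_labels.append(skeleton)
        if len(scripts) > 1:
            # Latin mixed with another script inside one label is rarely legitimate.
            findings.append(f"mixed scripts in label '{label}': {sorted(scripts)}")
        if skeleton != label and skeleton.isascii():
            # Every non-ASCII letter maps to an ASCII lookalike: a whole-label spoof.
            findings.append(f"label '{label}' is a lookalike of ASCII '{skeleton}'")
    return {
        "unicode": ".".join(unicode_labels),
        "punycode": ".".join(to_ascii_label(label) for label in unicode_labels),
        "skeleton": ".".join(skeleton_labels),
        "suspicious": bool(findings),
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed samples: a genuine ASCII name, the same name with a Cyrillic 'a',
    # and an all-Cyrillic label that reads as "coco" to a Roman-reading eye.
    for sample in ("paypal.com", "p\u0430ypal.com", "\u0441\u043e\u0441\u043e.com"):
        result = analyze_host(sample)
        print(f"{sample!r} -> {result['punycode']}  suspicious={result['suspicious']}")
        for finding in result["findings"]:
            print("   ", finding)
```

Showing users the punycode form (as several browsers now do for mixed-script names) and comparing the skeleton against a list of protected brand names are the two usual follow-ups; the skeleton comparison is what turns this from a heuristic into a match against the specific names an organization cares about.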