Department of Homeland Security Daily Open Source Infrastructure Report

Friday, January 8, 2010

Complete DHS Daily Report for January 8, 2010

Daily Report

Top Stories

 NBC News and the Associated Press report that three people are dead and five have been wounded after a man armed with an assault rifle and a handgun opened fire Thursday at Swiss-based ABB Group’s plant in St. Louis. The company manufactures transformers at the site. (See item 7)

7. January 7, NBC News and Associated Press – (Missouri) 3 dead after rampage at St. Louis plant. Three people are dead and five have been wounded after a man armed with an assault rifle and a handgun opened fire at a St. Louis manufacturing plant. The police captain confirmed the number. Citing two unidentified sources, NBC station KSDK reported that the suspect had been “found and removed from the building.” The gunman is believed to have shot himself, according to the report. The police captain said the suspected shooter, of Webster Groves, Missouri, is an employee of the plant. KMOX radio said he had worked for the company for 23 years. The rampage began around 6:30 a.m. during a shift change at Swiss-based ABB Group’s plant in St. Louis, and 40 to 50 people were likely in the plant at the time. As shots began to ring out, employees scurried to find safety. “Many of them sought safety on the roof, in boilers and broom closets,” the police captain said. A two-mile perimeter was established around the plant and Interstate 70 was shut down. The St. Louis Fire Department set up a staging area near the plant with six ambulances on standby. The Post-Dispatch reported that the suspect was a plaintiff in a class-action federal lawsuit against ABB and its pension review committee over financial losses. Police had been told the shooter was carrying an ammunition belt. Swiss-based ABB Group makes power transmission and industrial automation equipment. The company manufactures transformers at the St. Louis site, according to its Web site. Source:

 According to the Los Angeles Times, another envelope containing a suspicious substance was discovered at the University of California, Irvine on Wednesday, the fifth such letter found on campus this week. (See item 21)

21. January 6, Los Angeles Times – (California) Fifth letter containing suspicious substance found at UC Irvine. Another envelope containing a suspicious substance was discovered at UC Irvine on January 6, the fifth such letter found on campus this week. In the latest case, an assistant to an associate professor of arts felt something granular in an envelope she was about to open and notified authorities. Like all the suspicious envelopes discovered since Monday at UC Irvine, it had an Idaho postmark. Campus officials said they have taken steps to scrutinize incoming mail and sent out warnings to not open unexpected letters from Idaho. Tests on the substances in the previous letters, which included the message “black death,” found them to be harmless. Nevertheless, today’s incident was handled like the others — by an Orange County Fire Authority hazardous materials team. All five letters were sent to faculty members in a variety of departments. Aside from that, a pattern as to who is being targeted has yet to emerge, said a university spokeswoman. “At first the only pattern was that they were all women,” she said. “This latest one” — sent to a male associate professor of arts — “breaks that pattern.” Source:


Banking and Finance Sector

10. January 7, DarkReading – (National) Industry group plans cyber attack simulation. A financial services industry group is planning to simulate a series of cyber attacks to test how well banks, payment processors and retailers deal with online threats. The Financial Services Information Sharing and Analysis Center (FS-ISAC), a group formed in response to a 1998 Presidential security directive, on January 5 invited financial institutions, retailers, card processors, and businesses of all sizes to participate in its Cyber Attack against Payment Processes (CAPP) Exercise. “FS-ISAC in conjunction with a variety of industry partners is testing their members’ emergency response, notification, and communication procedures in response to a number of different types of cyber attacks against payment processes,” the group’s Web site says. “The three-day exercise will simulate a different attack scenario each day. Detailed result collection is kept confidential.” The CAPP event is scheduled for February 9 through 11, 2010. Participants will be expected to activate their incident response procedures in accordance with the scenario presented and to complete an anonymous survey to evaluate their organization’s response. “When cyber security threats occur, swift and well-planned reactions can mean the difference between business continuity and business catastrophe,” said FS-ISAC’s president and CEO in a statement. “This is especially true with cyber attacks against payment processes. FS-ISAC is eager to provide payment systems participants with this unique opportunity to test their readiness to respond to major cyber attack incidents.” The number of such incidents has been rising. Source:

11. January 6, MetroWest Daily News – (Massachusetts) Framingham man charged in $29m Ponzi scheme. A Framingham, Massachusetts man’s Ponzi scheme bilked its victims — numbering around 130 and largely from that same area — out of more than $29 million over 20 years, federal prosecutors said on January 5. The 76-year-old suspect was arrested in Mississippi on January 5 and was charged in a criminal complaint with mail fraud, said the U.S. Attorney’s office. The suspect will be arraigned in Massachusetts at a later, unknown date, said a spokeswoman with the U.S. attorney’s office in Boston. An FBI special agent said the suspect conducted business under the name Northeast Sales from an office in an upstairs bedroom at his Ford Lane home in Framingham. The scheme ensnared about 130 investors whose total payout, including principal amounts invested and compounded interest, exceeds $29 million, the criminal complaint says. Source:

12. January 6, Dalton Daily Citizen – (Georgia) Secret Service advises consumers on skimming fraud. Skimming has been described as one of the most significant problems facing the credit card industry, as it can happen anywhere a credit card is accepted. According to special agents of the U.S. Secret Service’s Atlanta Field Office, the best way for consumers to protect themselves from skimming is by paying attention to the details of credit card usage. “Fraudulent transactions frequently occur within 24 to 48 hours of a compromise, but most cardholders are not aware that they have been victimized until they receive statements showing the fraudulent charges,” said the Special Agent in Charge of the Atlanta Field Office. “That’s why one important step every individual can take is to regularly review your credit card statements online.” When a credit card is skimmed, data on the card, including the account number, is electronically transmitted or stored. The credit card information can then be encoded onto a lost, stolen, or counterfeit credit card and used anywhere in the world. Source:

13. January 5, – (National) FTC cracks down on fraudulent credit card pitches. Consumers are frequently advised to be on the lookout for credit card schemes — and one of the most common red flags in this area comes in the form of unsolicited phone pitches. With that in mind, the Federal Trade Commission (FTC) has announced an ongoing crackdown on scam artists who use robocalls to pitch phony credit card interest rate reduction plans to financially desperate consumers. “During these difficult economic times, the last thing anyone needs is to be bombarded by robocalls pitching worthless interest-rate reduction programs. The lawsuits announced today are not the first, nor will they be the last, that the agency brings to protect consumers from intrusive, illegal, and deceptive telemarketing robocalls,” said the FTC chairman. Specifically, the FTC reported that it filed lawsuits against three outfits that pitched phony interest rate reduction plans for up-front costs as high as $1,495. The agency noted that it had stopped a similar scheme last year in which people were duped into signing up for phony auto warranties by scam artists using robocalls. Typically, one sign of a financial scam is a requirement for consumers to pay a substantial up-front fee, which can be difficult, if not impossible, to recover when a refund is sought. In this particular case, the scammers were also violating the federal Do Not Call law, which is aimed at protecting people from unwanted telemarketing calls and similar nuisances. Source:

Information Technology

43. January 7, Computerworld – (International) Large-scale attacks exploit unpatched PDF bug. A week before Adobe is scheduled to patch a critical vulnerability in its popular PDF software, hackers are actively exploiting the bug with both targeted and large-scale attacks, a security researcher said January 7. The SANS Institute’s Internet Storm Center (ISC) reported on January 4 that it had received samples of a new rigged PDF document that hijacked PCs using a bug Adobe acknowledged December 14. Later last month, Adobe said it would not patch the bug until January 12. In his write-up of the sample, an ISC analyst called the attack PDF “sophisticated” and its use of egg-hunt shellcode “sneaky.” “Egg-hunt shellcode” is a term for a multi-stage payload used when the hacker can’t determine where in a process’s address space the code will end up. A security intelligence manager at Symantec confirmed that the malicious PDF exploited the Adobe Reader and Acrobat vulnerability, but unlike the ISC analyst, said it wasn’t out of the ordinary. “It’s not particularly novel or sophisticated,” the security intelligence manager said. Source:

44. January 7, SC Magazine – (International) Deployment of mobile security software is on the agenda for more than half of companies this year. More than half of companies are planning to deploy mobile anti-virus products and services this year. According to the second part of the Mobile Security 2009 Survey by Goode Intelligence, 54 percent of the organizations surveyed plan to deploy mobile anti-virus products and services, with 33 percent planning to deploy mobile anti-virus products and services by March 2010. The remaining 67 percent plan to deploy by September 2010. The survey reveals that while nearly 71 percent of organizations currently feel that the threat from mobile phone viruses is low, this number drops significantly for the perceived threat by 2011, with only 21 percent believing the risk to be low and 29 percent forecasting that the risk will be high or very high. This rise in awareness and plans for deployment has been welcomed by Acumin Consulting, who co-produced the report. The marketing manager said that it was “reassuring to see that mSecurity is being taken seriously and becoming more of a priority for the IT and security functions.” Source:

45. January 7, The Register – (International) Easily spoofed traffic can crash routers, Juniper warns. Juniper Networks is warning customers of a critical flaw in its gateway routers that allows attackers to crash the devices by sending them small amounts of easily-spoofed traffic. In an advisory sent on January 6, the networking company said a variety of devices could be forced to reboot by sending them internet packets with maliciously formed TCP options. The flaw affects versions 3 through 10 of Junos, the operating system that powers devices at ISPs, backbones, and other large networks. Software releases built on or after January 28, 2009 have already fixed the issue. “The Junos kernel will crash (i.e. core) when a specifically crafted TCP option is received on a listening TCP port,” the bulletin, which was issued by Juniper’s technical assistance center, stated. “The packet cannot be filtered with Junos’s firewall filter. A router receiving this specific TCP packet will crash and reboot.” There are “no totally effective workarounds,” the bulletin added. It is unclear how many Juniper systems remain vulnerable or exactly when customers began installing patches. But the wording of the bulletin was enough to make some security watchers pay close heed, particularly since the Junos ACL, or access control list, was powerless to prevent the attacks. Source:

46. January 6, Computerworld – (National) FTC to examine cloud privacy concerns. In a development likely to be closely watched by Google Inc., Microsoft Corp. and other vendors, the Federal Trade Commission (FTC) is examining potential threats to consumer privacy and data security posed by cloud computing services. The agency will hold a roundtable session on January 28, and another later this year, to gather information from industry stakeholders and to study ways of protecting consumer privacy in cloud environments. The FTC plan was also detailed in a letter sent last month to the Federal Communications Commission. The letter was filed in response to a request for comment on a national broadband plan that is being drawn up by the FCC. In its letter, the FTC said it wants to be sure the FCC pays attention to technologies such as cloud computing and identity management in drawing up its plans. The letter, signed by the director of the FTC’s Bureau of Consumer Protection, highlighted some of the cost benefits of cloud computing services but also expressed concerns about the associated risks. The letter, dated December 9, was dug up by The Hill blog, which reported the story recently. “The ability of cloud computing services to collect and centrally store increasing amounts of consumer data, combined with the ease with which such centrally stored data may be shared with others, create a risk that larger amounts of data may be used by entities in ways not originally intended or understood by consumers,” the director warned. Source:

47. January 6, The Register – (International) Hacker pierces hardware firewalls with web page. On January 5, a hacker demonstrated a way to identify a browser’s geographical location by exploiting weaknesses in many WiFi routers. Now, the same hacker is back with a simple method to penetrate hardware firewalls using little more than some JavaScript embedded in a webpage. By luring victims to a malicious link, the attacker can access virtually any service on their machine, even when it’s behind certain routers that automatically block it to the outside world. The method has been tested on a Belkin N1 Vision Wireless router, and the hacker says he suspects other devices are also vulnerable. “What this means is I can penetrate their firewall/router and connect to the port that I specified, even though the firewall should never forward that port,” the hacker told The Register. “This defeats that security by visiting a simple web page. No authentication, XSS, user input, etc. is required.” The hacker’s proof-of-concept page forces the visitor to submit a hidden form on port 6667, the standard port for Internet relay chat. Using a hidden value, the form surreptitiously coerces the victim to establish a DCC, or direct client-to-client, connection. Vulnerable routers will then automatically forward DCC traffic to the victim’s internal system, and using what’s known as NAT traversal an attacker can access any port that’s open on the local system. For the hack to work, the visitor must have an application such as a file transfer protocol (FTP) or session initiation protocol (SIP) service running on his machine. The hack does not guarantee an attacker will be able to compromise that service, but it does give the attacker the ability to probe it in the hope of finding a weak password or a vulnerability that will expose data or system resources. Source:

Communications Sector

48. January 7, Associated Press – (Rhode Island) Glitch in some RI Verizon internet services. Verizon says it is working to fix a glitch that has left some Rhode Island customers without Internet or video-on-demand services. Company officials said on January 7 they believe a router problem caused the outage. Verizon was unsure how many customers have been affected. Fiber optic television and telephone service are operating normally. Source: