Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, January 26, 2010

Complete DHS Daily Report for January 26, 2010

Daily Report

Top Stories

 The Spokane Spokesman-Review reports that Latah County, Idaho Sheriff Deputies have arrested two juveniles in connection with at least 20 reports of vehicles being hit with gunfire along Highway 8. (See item 25)

25. January 22, Spokane Spokesman-Review – (Idaho) Teens jailed in sniper shootings. Latah County Sheriff Deputies have arrested two juveniles in connection with at least 20 reports of vehicles being hit with gunfire along Highway 8 near Forks Road, just east of Helmer, Idaho. The shootings closed a portion of Highway 8 from milepost 29 to milepost 34, between Bovill and Deary, Friday afternoon. Police fielded multiple calls from people saying they had been shot at while driving in the area. Latah County Deputies and Idaho State Police set up a perimeter around the shooting scene and began to look for the suspects. Deputies found the spot where the teens had been shooting from and later arrested two juvenile boys. Source:

 According to the Washington Post, three large car bombs rocked well-known Baghdad hotels on Monday, killing at least 36 people. (See item 56)

56. January 25, Washington Post – (International) At least 36 dead as car bombs rock Baghdad hotels. Three large car bombs rocked well-known Baghdad hotels on Monday, killing at least 36 people and ending a 1-1/2-month lull in coordinated assaults on the Iraqi capital as the country heads into a March election. Police said at least 71 people were wounded in the separate suicide car bombings, which went off within minutes of one another. Some of the casualties were police. Health ministry data showed a lower figure for the death toll. The first blast occurred near an entrance of the Ishtar Sheraton hotel, a Baghdad landmark on the eastern side of the Tigris River. The shock wave blew open doors, shattered windows, and sent thick dust swirling into the Reuters offices nearby. Towering concrete blastwalls protecting the hotel along the Abu Nawas riverside boulevard fell like dominoes. The blast took place across from a park frequented by families and picnickers. The building has not been a regular hotel for years and largely houses company offices and some media organizations, but some adventurous international tour groups began using it last year. Police said another blast went off just outside the al-Hamra hotel, which has been a hub for many Western journalists since 2003. One Western reporter said the hotel had sustained heavy damage. The Washington Post said three of its Iraqi employees were wounded. The blast at the Hamra, like that at the Sheraton, ripped a giant crater in the pavement. A final bomb appeared to have blown up near the Babylon hotel, which is used by Iraqi travelers and sometimes for government meetings. A Baghdad security spokesman put the death toll at seven killed with 51 wounded, citing health ministry data. Source:


Banking and Finance Sector

14. January 23, Reuters – (International) Europeans, Asians held in $10 billion bank scam: report. Abu Dhabi police have arrested seven men for plotting to defraud the UAE central bank of 7.2 billion euros ($10.17 billion) using false documents, the state news agency WAM said on January 23. It said the suspects, three Europeans and four Asians, had presented forged documents from a commercial bank in Europe purporting that the central bank of the United Arab Emirates owed the funds representing the family investments of the gang’s leader. The suspects also had a power of attorney from their leader authorizing the withdrawals, the agency said. The arrests were made in coordination with the central bank’s anti-money laundering unit, a spokesman said, adding that the suspects had denied the charges of forging documents and attempted fraud. Source:

15. January 23, Bank Info Security – (National) Five banks closed on Jan. 22. Five banks were closed by state and federal regulators on January 22. The largest of the failed institutions was Charter Bank, a $1.2 billion bank based in Santa Fe, New Mexico. These latest closings now raise to 10 the total number of failed institutions so far in 2010. The banks closed were Premier American Bank in Miami, Florida, Bank of Leeton in Leeton, Missouri, Charter Bank in Santa Fe, New Mexico, Evergreen Bank in Seattle, Washington, and Columbia River Bank in The Dalles, Oregon. The FDIC estimates that the total cost to the Deposit Insurance Fund (DIF) for the five bank failures will be $531.7 million. Source:

16. January 22, Oklahoman – (Oklahoma) No bomb found at Edmond bank after arrest. A man who went into an Oklahoma Fidelity Bank branch in Edmond this morning was bluffing when he used what he called a “detonator” to rob the bank, police said. A 52-year-old transient from Texas was arrested within 15 minutes of the 9:30 a.m. robbery near Second Street and Bryant Avenue, a Edmond police spokeswoman said. His name has not been released. Based on the man’s threat, Edmond police evacuated the bank and swept the building for any suspicious devices. Shortly after 11 a.m., a bomb technician wearing heavy armor exited the building and flashed a thumbs-up gesture, which gave the-go ahead for detectives and FBI agents to go in and conduct their investigation. The spokeswoman said she did not know what the device actually was that was used to rob the bank, but she said bank employees described it as some sort of cylinder wrapped in aluminum foil and then wrapped in a napkin. Source:

17. January 21, Federal Bureau of Investigation – (New York; Nevada) Bronx man pleads guilty in Manhattan Federal Court to bank robberies in New York and Las Vegas. A bank robber pleaded guilty on January 21 in Manhattan federal court to robbing banks in New York and Las Vegas. Beginning in March 2009, the defendant robbed six banks in New York City and Las Vegas, where the defendant was apprehended on June 17, 2009. After robbing four banks in New York, he traveled to Las Vegas, where he robbed two additional banks before being caught by local police. He robbed a Citibank, a Sovereign Bank, a Chase Bank, and a Capital One Bank in Manhattan; and a Nevada State Bank and a Citibank in Las Vegas. During the robbery of the Capital One Bank in Manhattan, the defendant placed a written note on a bank teller’s counter which read: “Give me all the money, don’t give me no ink, don’t pull the button.” When the teller handed over some of the cash from the drawer, the defendant demanded more, saying, “You have 15 seconds to give me all you have or else I’m going to start shooting everyone in here.” Source:

18. January 21, U.S. Government Accountability Office – (National) Improvements needed in National Flood Insurance program’s financial controls and oversight. Due to the federal government’s role as guarantor, floods impose an enormous potential financial burden on the federal government. Consequently, decision makers at the Department of Homeland Security (DHS), the Federal Emergency Management Agency (FEMA), and the Congress need accurate and timely financial information to assess the effectiveness of the National Flood Insurance Program (NFIP). This report assesses whether controls in place during the 2005 to 2007 time frame were effective in providing accountability and reliable financial reporting for NFIP transactions; whether effective oversight structures were in place during this time frame to monitor NFIP financial activity; and whether recent and planned actions to improve controls are likely to address identified financial control weaknesses. Weaknesses in internal controls impaired FEMA’s ability to maintain effective transaction-level accountability. These weaknesses limited FEMA’s ability to assure accurate NFIP financial data during the 3-year period from fiscal year 2005 through 2007, which included the financial activity related to the 2005 Gulf Coast hurricanes. Second, incomplete BSA- level premium data files (lacking key information such as insureds’ names and addresses) prevented an assessment of the reliability of reported NFIP premium amounts. Lastly, FEMA’s financial reporting process uses summary data that is overly reliant on error-prone manual data entry. GAO made seven recommendations to FEMA to improve NFIP financial management controls and oversight. They include modifying the financial reporting process to reduce the risk of errors and improving procedures to strengthen oversight. Source:

19. January 21, Federal Burea of Investigation – (Florida) Florida man pleads guilty in stock scheme that swindled millions from investors. A Florida man pleaded guilty Thursday to his role in a $20 million stock fraud and money laundering scheme, admitting that he cost public investors over $1 million in losses, a U.S. attorney announced. The 61 year old defendant, of Sarasota, Florida, pleaded guilty before a U.S. district judge to a one-count Information that charges conspiracy to commit securities fraud, wire fraud, and money laundering. At his plea hearing, the defendant admitted that beginning in May 2002 and continuing through October 2005, he operated a sophisticated scheme, involving more than five co-conspirators, which used deceptive and manipulative practices in connection with the fraudulent issuance, purchase, and re-sale of shares of stock of Skylynx Communications, Inc. to defraud more than 50 victims. The company’s stock was publicly traded on the Over the Counter Electronic Bulletin Board System (OTC Bulletin Board). The defendant admitted that he and his co-conspirators acquired ownership and control of a substantial number of Skylynx stock shares, without disclosing this ownership and control to the public. He further admitted that he and his co-conspirators paid undisclosed cash, free-trading Skylynx stock, and restricted Skylynx stock to securities brokers for purchasing Skylynx in their retail customers’ accounts. For example, the defendant admitted that in July 2003, he caused 100,000 shares of Skylynx stock to be issued to a conspirator nominee as a kickback for the conspirator’s role in manipulating the market for Skylynx stock. Source:

Information Technology

45. January 25, IDG News Service – (International) Chinese human rights sites hit by DDoS attack. Five Web sites run by Chinese human rights activists were attacked by hackers over the weekend, as a separate row continued between Google and China over political cyberattacks. The Web site of Chinese Human Rights Defenders, an advocacy group, was hit by a distributed denial of service (DDoS) attack that lasted 16 hours starting January 23, the group said in an e-mailed statement on January 25. A DDoS attack involves the attacker ordering a legion of compromised computers all to visit a certain Web site at once, overwhelming its server with requests for communication and leaving the site inaccessible to normal visitors. The group said it could not confirm the origin of the attackers but called the Chinese government the most likely suspect. The latest hacking attack also targeted another Chinese rights group named Civil Rights and Livelihood Watch; two news sites run by Chinese activists, Canyu and New Century News; and the Independent Chinese Pen Center, which posts essays by dissident writers, according to the e-mailed statement. Public records show the Web sites all share two neighboring IP (Internet Protocol) addresses, suggesting the sites were all affected by the DDoS attack. The bandwidth consumed by the attack hit 2GB per second at its peak, the statement said, citing the Internet service provider for the Web sites. The targeted IP addresses belong to The Planet, a server hosting provider based in Texas. No one at The Planet was immediately available to comment. Source:

46. January 25, CNET News – (International) Survey: Data breaches from malicious attacks doubled last year. Data breaches at U.S. companies attributed to malicious attacks and botnets doubled from 2008 to 2009 and cost substantially more than breaches caused by human negligence or system glitches, according to a new Ponemon survey to be released on January 25. The incidence of malicious attacks rose from 12 percent in 2008 to 24 percent last year, according to the 2009 Annual Study: U.S. Cost of a Data Breach survey conducted by the Ponemon Institute and sponsored by PGP Corp. The cost per compromised record involving a criminal act averaged $215, about 40 percent higher than breaches from negligence and 30 percent higher than those from glitches, the survey found. For the first time, companies reported in the survey that data-stealing malware caused their breaches. The average organizational cost of a data breach increased nearly 2 percent to $6.75 million in 2009, while the average cost per compromised record per breach rose only $2 to $204. The most expensive breach in the survey was nearly $31 million and the least expensive was $750,000. Meanwhile, 42 percent of all cases reported in the survey involved mistakes made at third parties, such as outsourcers, and 36 percent of the cases involved lost or stolen laptops or other mobile devices. Source:

47. January 25, The Register – (International) Slovak biker spat linked to rare destructive worm. A rare example of a destructive computer worm has been spotted on the web. Zimuse-A and its variant, Zimuse-B, overwrite MBR (Master Boot Record) files on infected drives with their own data, either 40 days or 20 days respectively after infection. This malicious behaviour corrupts records and makes data recovery difficult if not impossible, anti-virus firm Eset reports. Eset cites circumstantial evidence suggesting the worm was originally created as a prank, targeting bikers in central Slovakian region of Liptov. One of the worm’s infection routines attempts to trick users into clicking a pop-up box that informs them of supposed problems with the

site. Whether the worm was original created to hit users of that group or not, it has now spread far and wide. Eset said it has detected hundreds of incidents of infection since the malware started spreading. After first cropping up in Slovakia, the malware has spread to the US, Thailand and Spain. The worm is distinct from most of the malware currently in circulation, much of which either attempts to drop a backdoor on compromised systems, turn them into botnet clients, or both. Source:

48. January 25, The Register – (International) Whirlpool allows old stains to linger on site. Domestic appliance manufacturer Whirlpool has come under fire for failing to clean up a malware infection on one of its sites, months after it was notified of a problem by UK anti-virus firm Sophos. Sophos tried for months to clean-up its website, without success, before going public on the problem on Friday. The kitchen utensil selling site remains infected with the Badsrc-C (AKA Asprox) strain of malware five months after a Sophos customer reported a problem, which the security firm forwarded to the white goods firm. The malicious script points towards nowhere at present, so there is not an immediate risk. The problem is that this may change at any time, hence the need for remedial action that Whirlpool seems reluctant to take. The Asprox strain of malware still lingering on’s website has been linked to phishing spam. SQL injection attacks on vulnerable website have been a preferred method for spreading malware. Source:

49. January 25, SC Magazine – (International) New spam campaigns see sustained levels in the New Year. Spammers have launched new campaigns in January to sustain the high levels of spam experienced towards the end of 2009. According to the January 2010 MessageLabs Intelligence Report, spam related to the New Year accounted for 7.7 percent of all spam on a single day. More than 50 percent of New Year related spam was sent by the Grum and Cutwail botnets combined. Since the New Year passed, it claimed that spammers are now moving away from the New Year themes and are expected to next latch onto Valentine’s Day-related spam topics. It also said that spammers and phishers have also been quick to take advantage of the tragedy that struck Haiti to generate advanced-fee fraud scams. With 83.4 percent of spam originating from botnets at the end of 2009, MessageLabs Intelligence calculated that the remainder of spam, 0.9 per cent – the equivalent of 900 million spam emails, originated from free web mail accounts. More than 79 percent of web mail spam came from three well-known free web mail service providers. Source:

50. January 25, Network World – (International) Data breach costs top $200 per customer record. The cost of a data breach increased last year to $204 per compromised customer record, according to the Ponemon Institute’s annual study. The average total cost of a data breach rose from $6.65 million in 2008 to $6.75 million in 2009. Ponemon Institute based its estimates on data from 45 companies that publicly acknowledged a breach of sensitive customer data last year and were willing to discuss it. Breach costs increased just $2 per compromised customer record, as compared to 2008 costs. However in the five years that Ponemon Institute has conducted its study, costs have increased from $138 per compromised customer record. In tallying the cost of a data breach, Ponemon Institute looks at several factors including: the cost of lost business because of an incident; legal fees; disclosure expenses related to customer contact and public response; consulting help; and remediation expenses such as technology and training. Overall, 42 percent of all cases in the Ponemon data-breach study involved third-party mistakes and flubs. In addition, more than 82 percent of the cases in the Ponemon study were organizations that had more than one data breach in 2009 involving the loss or theft of more than 1,000 records containing personal information. At about 40 percent of the companies that participated in the study, the chief information security officer (CISO) was in charge of managing the response related to the data breach. Source:

51. January 22, ComputerWorld – (International) China hacks used as lure for more targeted attacks. Malicious hackers have begun using the recent cyberattacks against Google and more than 30 other companies as lures for launching even more targeted attacks, security firm F-Secure said in a blog post on January 22. The company reported spoofed e-mails purporting to contain details on the alleged Chinese attacks that contain a PDF attachment. When opened, it installs and runs the Acrobat.exe backdoor on the user’s machine. A screen shot posted on F-Secure’s Web site showed an e-mail designed to look like it came from George Washington University. The e-mail, with the subject header ‘Chinese cyberattack,’ offered the target a review of an article on the recent attacks that the purported author had just written for the Far Eastern Economic Review. When the attached PDF is opened in Acrobat Reader, it exploits a known vulnerability in the function of the reader to install a back door on the user’s system, F-Secure said. The flaw was patched by Adobe recently. Source:

52. January 22, IDG News Service – (International) RealPlayer fix addresses 11 security bugs. The U.S. Computer Emergency Readiness Team advised RealPlayer users on January 22 to apply a new security update for the media-playing software. The update, issued recently, fixes 11 vulnerabilities in RealPlayer, and were issued for Windows, Mac and Linux versions of the product. Although CERT thinks the patch is important, RealNetworks said in its advisory that it has received “no reports of any machines actually being compromised as a result of the now-remedied vulnerabilities.” Although RealPlayer has lost market share recently to rivals such as Windows Media Player and iTunes, it is still widely used and has been exploited in past cyberattacks. Source:

Communications Sector

53. January 25, Associated Press – (North Carolina; South Carolina) SC TV station loses transmitter briefly in storm. Severe weather apparently knocked out a transmitter for an NBC-TV affiliate in South Carolina for more than two hours, affecting viewers in two states. WYFF-TV in Greenville said the transmitter on top of Ceasar’s Head Mountain in Greenville County was knocked out at about 5:45 p.m. on January 24. Engineers were able to restore service shortly after 8 p.m. Viewers in western North Carolina and the South Carolina Upstate were affected, depending on how they receive the station’s signal. Source:

54. January 24, KSFY 13 Souix Falls – (South Dakota) National weather service transmitters down. The National Weather Service in Sioux Falls say they have at least two weather transmitters or towers down because of the storm. One problem is with the tower which serves South Central South Dakota. The other is in the Huron area in Wessington. The thick fog froze to the metal and then wind did the rest of the damage that will cut off information to people who need it. “The primary impact is they won’t be receiving weather info and that’s a problem. They cover 40-50 miles it is unclear if it is just a tower or a just a transmitter,” said a spokesman for the National Weather Service. Officials say they will try to get to the issues on January 23 to see how much damage has been done. Source:

55. January 21, Associated Press – (International) Warming could open Arctic to data cable. Global warming has melted so much Arctic ice that a telecommunication group is moving forward with a project that was unthinkable just a few years ago: laying underwater fiber optic cable between Tokyo and London by way of the Northwest Passage. The proposed system would nearly cut in half the time it takes to send messages from the United Kingdom to Asia, said the CEO of Kodiak-Kenai Cable Co. The route is the shortest underwater path between Tokyo and London. The quicker transmission time is important in the financial world where milliseconds can count in executing profitable trades and transactions. “Speed is the crux,” the CEO said. “You’re cutting the delay from 140 milliseconds to 88 milliseconds.” Source: