Department of Homeland Security Daily Open Source Infrastructure Report

Friday, February 5, 2010

Complete DHS Daily Report for February 5, 2010

Daily Report

Top Stories

 The Augusta Chronicle reports that Richmond County, Georgia authorities are investigating the January 31 evening theft of 16 propane gas tanks from two Wrightsboro Road businesses. (See item 5)

5. February 3, Augusta Chronicle – (Georgia) Thefts of 16 propane tanks concern Augusta police. Richmond County authorities are investigating the January 31 evening theft of 16 propane gas tanks from two Wrightsboro Road businesses. “This is something out of the ordinary,” said a police sergeant. “We haven’t had a lot of thefts of these kinds of items.” Although the thieves might simply try to sell the tanks — which can be used for heating and cooking — for a profit, more sinister motives could include making drugs or using the canisters as explosive devices, he said. “Being that these things are highly explosive, we have to notify Homeland Security,” he said. The thefts occurred about an hour apart, according to Richmond County Sheriff’s incident reports. The first, at the Tip Top Food Mart on the 2400 block of Wrightsboro Road, happened about 9 p.m. January 31, while the second theft happened at the Walgreens on the 3200 block of Wrightsboro Road. Eight tanks were taken from each location, with a total value of $840. In both cases, the tanks were stored outside the businesses and the locks were pried open, the reports state. No arrests have been made, but he said he is “sure” the incidents are connected. Source:

 According to Reuters, seven people were exposed to a suspicious white powder in a U.S. federal building in downtown Manhattan on Wednesday. There was a mailing that was opened in the offices of the Social Security Administration that contained a white powder. (See item 25)

25. February 3, Reuters – (New York) Seven exposed to white powder NY federal building. Seven people were exposed to a suspicious white powder in a U.S. federal building in downtown Manhattan on Wednesday, authorities said. The offices of the Social Security Administration (SSA) on the 40th floor of the building — which houses several agencies including the Federal Bureau of Investigation and U.S. Citizenship and Immigration Services — were evacuated. “There was a mailing that was opened at 2:15 p.m. in the offices of the SSA,” said an FBI spokesman. “It contained a white powder that was contained and isolated and will be analyzed.” He said the results of the analysis would not be immediately known. The New York Fire Department spokesman said seven people were exposed to the white powder. Source:


Banking and Finance Sector

12. February 4, The Register – (International) Carbon trade phish scam disrupts exchanges. Phishing fraudsters have extended their net beyond harvesting e-banking credentials via a scam that resulted in the theft of 250,000 carbon permits worth over three million Euros. The outbreak of fraud resulted in the suspension of trading in several EU registries on February 2. The crooks are thought to have created fake emission registries, promoted via spam emails, before using identity details submitted on these sites to trade rights to blow off greenhouse gases on the legitimate sites. Six unnamed German firms were among the victims of the scam, a new form of corporate identity theft. Illegal transactions have also happened in the Czech Republic. German police have begun investigating the fraud. The EU Commission may also become involved, the BBC reports. Meanwhile the United Nations’ Framework on Climate Change (UNFCCC) is working with national registries to boost the security of registries and to help develop policies to frustrate similar attacks in future. Short-term measures reportedly include warning users and resetting passwords. “We have to be careful not to blow this out of proportion,” an EU environment spokeswoman told EUobserver. “This happens to banks, Visa, Mastercard about once or twice a month. And this is the same sort of thing.” Net security firm McAfee adds that a phishing attack targeting the Danish quota-market occurred on January 12, leading to its temporary suspension, prior to a much wider attack two weeks later around the turn of the month. Source:

13. February 4, – (International) Criminals exploiting flood of leaked personal data. Incidents of personal data being stolen and sold online have soared by 230 per cent since 2007, according to new figures from fraud database firm Lucid Intelligence. The company, which develops technology allowing users to check whether their data has been compromised and traded online, said in its annual report that, although the number of stolen credit cards being used online dropped slightly last year to 67,750, cyber criminals are shifting their attention to more sophisticated attacks. “Phished, stolen or negligently sold personal data has become the basis for creating false identities that can be used to set up bank accounts, credit cards and loans,” explained Lucid’s chief executive. “With such a potentially high value ‘end game’, criminals are becoming more patient and persistent. We see ‘card not necessary’ fraud as the major threat as we enter the next decade.” Lucid also uncovered over 4,100 web sites leaking personal information into the public domain which criminals then exploit, and 3,113 new bank accounts being offered by internet criminals for money laundering. Source:

14. February 4, Associated Press – (New Hampshire) Manchester police probe 3 bank heists in 3 days. Manchester police are investigating the city’s third bank robbery in as many days. Police say a man demanded money on January 3 from a TD Bank branch on South Main Street. The robbery came one day after a holdup at a Citizen’s Bank branch on Elm Street. In that earlier robbery, police say a man handed the teller a note saying he was a sick person who did not want to hurt anyone. He did not display a weapon. A Bank of New England branch on Elm Street was robbed on February 1. Source:

15. February 4, Associated Press – (Indiana; National) Identities of 27,000 Ceridian users at risk. A hacker attack on a Bloomington payroll processing company has put 27,000 people at financial risk. Ceridian, in a letter to affected customers, says the hacker attacked its Internet payroll system December 22 and December 23, potentially revealing Social Security numbers, birth dates and bank accounts of employees working at 1,900 companies nationwide. A Ceridian spokesman tells the Star Tribune the breach was reported to the FBI, but the affected customers were not notified until this week that their private information could be compromised. The spokesman says the company knows of no financial losses related to the hacker attack. It’s the second security breach at Ceridian in three years. In 2007, the theft of financial information involved a former employee. Source:

16. February 4, Washington Post – (National) Treasury offers loans to banks funding community development. The Treasury Department said February 3 that it will offer up to $1 billion in low-cost loans to banks that focus on funding development in lower-income communities, part of the administration’s new emphasis on helping smaller banks. The special program, which offers more favorable terms than those available to most banks, will benefit a group of institutions long embraced by Democratic politicians for working in areas where mainstream banks make few loans. Among the potential beneficiaries is ShoreBank, a pioneering force in the redevelopment of Chicago’s Southside that now is struggling with rising loan losses. The program also could benefit OneUnited Bank of Massachusetts, which got federal aid in fall 2008 with the help of a representative from Massachusetts but now could be allowed to pay a lower interest rate. Administration officials said it made sense to offer additional support in the areas hit hardest by the economic downturn. The government will offer loans to about 60 banks and 150 credit unions that are certified as community development financial institutions. The loans will carry an interest rate of 2 percent, less than the 5 percent paid by other banks. Treasury also will lower eligibility standards, allowing less healthy banks to qualify if they can raise matching funds from private investors. The money will come from the $700 billion allocated by Congress to rescue the financial industry. Unlike other recent administration proposals, it does not require congressional approval. Source:

17. February 4, Dow Jones Newswires – (National) US Treasury proposes better cooperation vs money laundering. The financial crimes enforcement division of the U.S. Treasury department plans to enhance information sharing with international and local law enforcement agencies on transactions potentially involved in money laundering, a Treasury official told Senators on February 4. In prepared remarks to a Senate committee hearing on how top African politicians had evaded anti-money laundering laws to bring hundreds of millions of dollars into the country, the director of the Treasury’s Financial Crimes Enforcement Network said the agency is pursuing a number of steps to beef up enforcement. Describing large-scale corruption by foreign officials as a threat to the U.S. and the foreign countries involved, he said FinCEN is proposing giving certain foreign law enforcement agencies, as well as state and local agencies in the U.S., the ability to obtain information on bank accounts in anti-money laundering investigations. The agency is also working with Congress on legislation to prevent the use of shell corporations in money laundering, he said, while citing the need to balance transparency with the need to maintain efficiency and access to financial services. Source:

18. February 4, Marketwatch – (National) B. of A. to pay $150 mln to settle SEC charges. The Securities and Exchange Commission on February 4 filed a motion seeking court approval for a proposed settlement with Bank of America over a bonus scandal at Merrill Lynch. Bank of America will pay $150 million and strengthen its corporate governance and disclosure practices to settle SEC charges that the bank failed to properly disclose employee bonuses and financial losses at Merrill Lynch before shareholders approved the merger of the companies in December 2008, the regulator said. Source:

19. February 3, Purdue Exponent – (Indiana) Skimming devices found on two local ATMs. Customers at two banks in the Lafayette area were hit last week by ATM skimming devices that steal account information. The Fifth Third Bank branch on State Road 26 detected the device and removed it on February 1, said a spokesman from the bank’s communication department. Customers affected by the scam were notified and any purchases made with the stolen information were refunded. Police were also notified. The spokesman said the bank was unaware of any more devices on its other ATMs in the area. An Old National Bank ATM was also affected. Source:

20. February 3, Reuters – (National) US Treasury to recover $170 bln after PNC repayment. The U.S. Treasury Department said on Wednesday it will have recovered $170 billion in financial rescue funds once PNC Financial Services Group Inc has repaid money loaned to it from the government’s bailout program. “Once Treasury receives PNC’s repayment, it will have recovered nearly 70 percent of taxpayer investments in the banking system,” the department said. PNC said on February 2 it would repay $7.6 billion in Troubled Asset Relief Program money to the government. This repayment means that of the $376 billion in total TARP funds that have been disbursed since 2008, only $203 billion will be outstanding, the department said. Source:

21. February 3, Galesburg Register-Mail – (Illinois) F and M Bank warns of scam. A local bank is warning residents of a scam targeting cell phone customers. According to the director of marketing and public relations at Farmers & Mechanics Bank, a fraudulent text message has been sent to numerous cell phone customers which reads “Farmers & Mechanics Alert. Call 210-688-1431.” Those who called the number were asked for their debit card PIN and the three digits on the back of their card. The director said this is a scam and clients should not give any information over the phone. “F&M Bank will never request personal, private information via texting or e-mail,” she said. “Please notify F&M Bank immediately if you have called this number or given out any of your information.” Source:

Information Technology

51. February 4, TechWorld – (International) Fake Firefox update spreads unwanted app. The successor program to the notorious Zango spyware Toolbar is being used to target users of Mozilla’s Firefox with fake browser updates, a security company has alleged. According to a warning put out by eSoft, the reprised Hotbar app, run as of May last year by a new entity called Pinball Corp, is being fed to users via a fake but convincing Firefox update page. The update page - which users would come to through a search engine for the latest updates - looks identical to the genuine page in everything bar the version it is claiming to offer (3.5 where the most recent is 3.6) and some misspellings. Windows users fooled into downloading and installing from the fake page will actually be getting a toolbar app that also hits the user with pop-up ads and a weather application in the system tray. According to eSoft, the software is actually being fed without the direct knowledge of its creators, Pinball, which will likely be paying a third party affiliate for every install. As with the distribution of the original Zango Toolbar, how that install gets on to a user’s PC is not their business. Source:

52. February 4, Washington Post – (National) Google to enlist NSA to help it ward off cyberattacks. The world’s largest Internet search company and the world’s most powerful electronic surveillance organization are teaming up in the name of cybersecurity. Under an agreement that is still being finalized, the National Security Agency would help Google analyze a major corporate espionage attack that the firm said originated in China and targeted its computer networks, according to cybersecurity experts familiar with the matter. The objective is to better defend Google — and its users — from future attack. Google and the NSA declined to comment on the partnership. But sources with knowledge of the arrangement, speaking on the condition of anonymity, said the alliance is being designed to allow the two organizations to share critical information without violating Google’s policies or laws that protect the privacy of Americans’ online communications. The sources said the deal does not mean the NSA will be viewing users’ searches or e-mail accounts or that Google will be sharing proprietary data. Source:

53. February 3, IDG News Service – (International) IE flaw gives hackers access to user files, Microsoft says. Microsoft warned on January 3 that a flaw in its Internet Explorer browser gives attackers access to files stored on a PC under certain conditions. “Our investigation so far has shown that if a user is using a version of Internet Explorer that is not running in Protected Mode an attacker may be able to access files with an already known filename and location,” Microsoft said in a security advisory. The vulnerability requires that an attacker knows the name of the file they want to access, it said. The disclosure is the latest security problem to affect IE. Last month, an undisclosed vulnerability in IE 6 was used in attacks that targeted more than 20 U.S. companies, including Google, which blamed China. The vulnerability has since been fixed by Microsoft. The IE vulnerability disclosed on Wednesday, which is caused by incorrectly rendering local files in the browser, affects several versions, including Internet Explorer 5.01 and IE 6 on Windows 2000; IE 6 on Windows 2000 Service Pack 4; and IE6, IE 7, and IE 8 on Windows XP and Windows Server 2003, Microsoft said. Source:

54. February 3, PC World – (International) Fake Microsoft Outlook update installs trojan. A malicious spam campaign caught by Panda Labs is using a fake Microsoft Update notice to trick victims into installing a Trojan. While well crafted, the attack still provides dead giveaways. The e-mail is spoofed to look as if it comes from Microsoft Support. With a realistic-looking subject and e-mail body that attempts to piggy-back on the constant (and correct) advice to keep your computer up-to-date with patches, it’s a great example of a social engineering attack. But despite the lack of any obvious typos or grammatical errors, the e-mail does contain some clear clues. First, neither Microsoft nor any other company sends patches or updates as e-mail attachments. In this case, Panda says unzipping and running the attached .exe would install the Bredolab.Y Trojan. And as an extra added bonus, it will also download a rogue antivirus program called SecurityTool. Source:
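The giveaway the article names (no vendor ships patches as e-mail attachments) is something a mail gateway can check mechanically. The following is an added example, not code from PC World or Panda Labs: a small Python heuristic that parses an RFC 822 message, and flags it when it uses update/patch language and carries an executable or archive attachment, or when the sender claims a vendor identity from a domain that is not the vendor's. The two sample messages, the keyword lists, the `example.invalid` and `microsoft-update.invalid` addresses and the placeholder KB number are all constructed for the example; note that `From:` is spoofable, so the attachment rule is the one worth trusting.

```python
import os
import email
from email import policy
from email.message import EmailMessage

# Attachment types a legitimate update notice never carries (constructed list).
EXECUTABLE_EXTENSIONS = {".exe", ".zip", ".scr", ".bat", ".com", ".pif", ".js", ".vbs"}
# Phrases typical of "install this update" lures (constructed list).
UPDATE_KEYWORDS = ("update", "patch", "security bulletin", "hotfix")
# Vendor names the lure impersonates, mapped to the vendor's real mail domain (constructed).
IMPERSONATED_VENDORS = {"microsoft": "@microsoft.com", "outlook": "@microsoft.com"}


def attachment_names(msg):
    """File names of all attachment parts of a parsed message."""
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def classify_update_mail(raw_bytes):
    """Return the reasons a message looks like a fake update lure (empty list = no hit)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    sender = (msg["from"] or "").lower()
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content().lower() if body_part else ""
    text = subject + " " + body

    reasons = []
    claims_update = any(k in text for k in UPDATE_KEYWORDS)

    # Rule 1 (robust): update language plus an executable/archive attachment.
    risky = [n for n in attachment_names(msg)
             if os.path.splitext(n.lower())[1] in EXECUTABLE_EXTENSIONS]
    if claims_update and risky:
        reasons.append(f"update lure with executable/archive attachment: {risky}")

    # Rule 2 (weaker, From: is spoofable): vendor name used from a non-vendor domain.
    for vendor, real_domain in IMPERSONATED_VENDORS.items():
        if vendor in sender and real_domain not in sender and claims_update:
            reasons.append(f"claims to be {vendor} but sender address is not {real_domain}")
            break
    return reasons


def build_sample(sender, subject, body, attachment=None):
    """Construct a test message; attachment is an optional (filename, bytes) pair."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "user@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, payload = attachment
        m.add_attachment(payload, maintype="application", subtype="octet-stream", filename=name)
    return m.as_bytes()


# Constructed lure in the shape the article describes: spoofed vendor sender,
# "update" wording, zipped executable attached (payload bytes are dummy).
SAMPLE_LURE = build_sample(
    "Microsoft Support <support@microsoft-update.invalid>",
    "Critical Outlook security update KB-PLACEHOLDER",
    "Install the attached update to keep your computer protected.",
    ("outlook_update.zip", b"PK\x03\x04dummy"),
)

# Constructed benign reminder: update wording, but no attachment and no vendor claim.
SAMPLE_LEGIT = build_sample(
    "IT Helpdesk <helpdesk@example.invalid>",
    "Patch Tuesday reminder",
    "Please run Windows Update from the Start menu this week. Nothing is attached.",
)

if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_LURE), ("legit", SAMPLE_LEGIT)):
        print(label, classify_update_mail(raw) or "clean")
```

Run it directly to see both samples classified; in a gateway you would feed `classify_update_mail` the raw message bytes and quarantine on any non-empty result.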

55. February 3, ComputerWorld – (International) Verisign fails to take action against malicious sites, researcher says. A security researcher is accusing Verisign Inc. of not acting fast enough to take down several dozen sites that he says are known to be spewing malware. The sites are all in the .com and .net domains and were registered by domain name registrars in Russia and Turkey, said the CEO of security consultancy Deteque and a former senior special agent with the U.S. Department of the Treasury. The sites first surfaced on February 1, and have been pushing out a new Russian exploit kit called JustExploit that takes advantage of Java bugs to infect computers, he said. The domain name registrars in Russia and Turkey, which registered the sites, have so far done nothing to deregister them though they have been notified about the problem by security researchers who monitor malicious activity on the Internet, he said. Verisign, which is the registry service that manages the .com and .net domains, has similarly been notified about the problem but also appears to have done nothing so far, the CEO said. More than 24 hours after Verisign was notified of the problem, the malicious domains are “live, resolving and still serving malware,” he said. Source:

56. February 3, Network World – (International) How Wi-Fi attackers are poisoning web browsers. Public Wi-Fi networks such as those in coffee shops and airports present a bigger security threat than ever to computer users because attackers can intercede over wireless to “poison” users’ browser caches in order to present fake Web pages or even steal data at a later time. That’s according to a security researcher who is the developer of the Kismet wireless network detector and intrusion-detection system, who spoke at the Black Hat conference. He said it’s simple for an attacker over an 802.11 wireless network to take control of a Web browser cache by hijacking a common JavaScript file, for example. Knowledge gained from researchers over the past year, he said, is showing that browser-cache poisoning over Wi-Fi can be kept in a persistent state unless the user knows how to effectively empty the cache. The few defenses the researcher suggested were continuously manually clearing the cache, or using private-browser mode. The researcher acknowledged he doesn’t know how widespread attacks based on poisoning the browser cache via 802.11 actually are. But the potential for trouble is so evident he said he’d advise corporate security professionals to try to “forbid users from taking laptops onto open networks,” though he admitted, “Your users may lynch you.” He said some vendors, including Verizon, are looking at solving this problem with a custom client that is tied to specific operating systems. Source:

57. February 3, Network World – (International) Black Hat: Zero-day hack of Oracle 11g database revealed. A well-known security researcher on February 2 showed how to subvert security in the Oracle 11g database by exploiting zero-day vulnerabilities that would let a savvy user gain full and complete control. A researcher at NGS Consulting demonstrated how a user can subvert security to elevate his privileges to take complete control over Oracle 11g and also showed how to bypass the Oracle Label Security used to set mandatory access controls over information depending on security level. At the same time, the researcher announced this was his final day at NGS, saying he was considering changing his focus to computer forensics. The security-industry veteran said ever since he heard the CEO of Oracle touting his database as being “unbreakable, I took umbrage at that.” The researcher’s latest reported discovery shows that due to the way Java has been implemented in Oracle 11g Release 2, there’s an overly permissive default grant that makes it possible for a low-privileged user to grant himself arbitrary permissions. In a demo of Oracle 11g Enterprise Edition, he showed how to execute commands that led to the user granting himself system privileges to have “complete control over the database.” He also showed how it’s possible to bypass Oracle Label Security used for managing mandatory access to information at different security levels. Source:

For another story, see item 50 below

50. February 3, DarkReading – (International) IBM ISS researcher exposes holes in Cisco’s internet surveillance architecture. An IBM ISS researcher on February 3 revealed major security holes in a little-known wiretapping architecture for IP networks created by Cisco Systems for law enforcement. The weaknesses could result in an attacker interfering with legal surveillance or performing some unauthorized surveillance of his own. The manager of X-Force Research at IBM ISS says he first discovered the Cisco Architecture for Lawful Intercept in IP Networks, which was published as an IETF RFC in 2004, four years ago. The document, also known as IETF RFC 3924, is based on the lawful intercept architecture used by the European Telecommunications Standards Institute, and is implemented in Cisco’s edge and switch routers — the 7600, 10000, 12000, and AS5000 series products. The manager says other vendors also have deployed the architecture within their network devices. He says an alleged criminal could discover that he was under law enforcement’s surveillance using the current architecture, allowing him to manipulate or corrupt the information collected or to use the surveillance information for nefarious purposes. Cisco had previously patched an SNMPv3 vulnerability in its router models used in the wiretapping architecture, but the manager says the architecture itself needs some repair, pointing out multiple weaknesses that could be exploited by attackers — which he says he handed over to Cisco in December 2008. Source:

Communications Sector

58. February 4, Asheville Citizen-Times – (North Carolina) Phone service out in Swain County. All phone service in Swain County stopped working on February 4 but was restored around 11:30 a.m. County and state Emergency Management officials said the 911 system, cell phone service and landline telephones were not operational. Local authorities are still investigating the cause for service disruption. Emergency response officials were stationed at all major intersections. Source:

59. February 3, The Register – (National) Fugitive VoIP hacker admits 10 million minute spree. A Miami hacker has admitted he pocketed more than $1m by selling millions of minutes of voice over IP calls and surreptitiously routing them through the networks of telecommunications companies. The hacker pleaded guilty to two felonies in connection with the hacking spree, which spanned the years 2004 through 2006, according to court documents. He was apprehended last year in Mexico after skipping out on a $100,000 bond secured by the mother of his then-girlfriend. He faces a maximum of 25 years in federal prison and fines of at least $500,000 at sentencing, which is scheduled for May 14. The hacker and a cohort were arrested in June 2006 and accused of carrying out an elaborate scheme that routed more than 10 million minutes of VoIP calls over the networks of a dozen or so telecommunications providers without their permission. They breached the networks by using brute-force attacks that deduced the security telephone prefixes needed to gain access. To disguise the source of the attacks, the pair rerouted them through the computers of third parties. From June 2005 to the following October, the cohort used a single AT&T broadband account to perform more than 6 million scans that looked for vulnerable machines, prosecutors said. Because the scheme piggybacked off the resources of others, virtually all the revenue was profit. Source:

60. February 3, Right Side News – (International) Wireless sensor test bed to provide guidelines for industrial systems. For many companies, installing wireless technology inside factories, power plants and nuclear facilities can be risky. Although wireless is cheaper than cable connections, the flow of information is not as reliable. That may not be a big deal when surfing the Net at home, but at a factory or power plant with automated control systems, even a five-second disruption could have serious consequences. A senior engineer at Idaho National Laboratory is devising and testing wireless sensor networks (WSN) to help ensure the transition to wireless is safer for power plants, factories and other facilities with automated control systems. He is using INL’s Center for Advanced Energy Studies to design a wireless sensor test bed where he can investigate vulnerabilities and weaknesses of these networks. CAES’ wireless system, along with its laboratories and office space, provides an environment that is similar to an industrial setting. WSN are designed to help measure and manage the operation of an industrial control system. They are composed of a number of sensors or nodes that monitor environmental conditions such as temperature, pressure and volume. The nodes relay readings, known as sensory data, to a central point that connects to the control system, which then makes decisions based on the information. Source:

61. February 3, KHBS/KHOG 40/29 Fort Smith/Fayetteville – (Oklahoma) Channel 40 transmitter off air. The channel 40 transmitter, which provides 40/29’s signal for the River Valley, is currently off the air. Station engineers are working to restore the broadcast signal as soon as possible. The problem is not just affecting over-the-air viewers. Those watching 40/29 on Direct TV and standard-definition Dish Network customers have also lost service. Source:

62. February 3, Augusta Chronicle – (Georgia) Martinez phone service disrupted. Telephone service currently is down for some AT&T customers in Martinez. “We recently experienced an equipment failure on Monday, leaving a small segment of our customers in Columbia County along Evans to Locks Road without telephone service,” said an AT&T spokeswoman in an e-mail sent this afternoon. Phone service has been restored to about two-thirds of AT&T customers in that area and the remaining customers should regain service today, the spokeswoman said. About 100 phone lines went down on February 1, but 70 have since been restored. Among the locations currently without phone service is Stevens Creek Elementary School. Source:

For more stories, see items 50 and 56 above within and at the end of the Information Technology Sector