Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, February 23, 2010

Complete DHS Daily Report for February 23, 2010

Daily Report

Top Stories

 DarkReading reports that attacks against the power grid are likely to rise and intensify during the next 12 months as smart grid research and pilot projects advance, according to utility security experts and a recently published report that analyzes threats to critical infrastructure. (See item 3)

3. February 19, DarkReading – (International) Spike in power grid attacks likely in next 12 months. There is a ‘window of opportunity for malicious intent’ as energy firms roll out smart-grid pilot programs. Attacks against the power grid are likely to rise and intensify during the next 12 months as smart grid research and pilot projects advance, according to utility security experts and a recently published report that analyzes threats to critical infrastructure. The so-called Project Grey Goose Report on Critical Infrastructure points to state and/or non-state sponsored hackers from the Russian Federation of Independent States, Turkey, and China as the main threats for targeting and hacking into energy providers and other critical infrastructure networks. The principal investigator for Project Grey Goose and founder and CEO of GreyLogic says he and other researchers working on the report initially focused on answering the question of whether there have been any successful cyberattacks on the utilities. “Some companies say there’s never been a successful attack against the grid, but that’s not true,” he says. “There have been at least 120 instances” of successful attacks, some of which are documented in the report and date back to 2001. Several utility security experts agree that utility security administrators will have their hands full during the next year, as the transition from isolated, closed energy-generation and transmission networks to IP-based and wireless ones begins to take shape in the form of pilot smart grid projects. The Grey Goose report calls out Russia, Turkish hackers, and China as the top threats to the power grid. “I perceive Russia as the most serious threat [of the three] and China last,” says the report’s principal investigator. That is because hackers from China are more likely to hack for espionage purposes than to disrupt the grid, he says. Source:

 According to Agence France-Presse, 18 people were injured when a United Airlines passenger plane carrying 245 people hit turbulence over Alaska en route from Washington to Tokyo, Japanese police said Saturday. (See item 25)

25. February 20, Agence France-Presse – (Alaska) 18 hurt as plane hit by turbulence: Japan police. Eighteen people were injured, with one breaking a leg, when a passenger plane hit turbulence en route from Washington to Tokyo, Japanese police said Saturday. The United Airlines Boeing 747-400 was carrying 245 passengers and crew when it hit turbulence over Alaska, seven hours from Tokyo’s Narita airport, a police officer at the airport said. Police initially said more than 20 people were hurt, but later revised that figure down to 18, including at least one person who suffered a broken leg. Footage broadcast by NHK showed rescuers carrying some of those injured from the plane. It reported three people were hospitalized. Source:


Banking and Finance Sector

14. February 22, St. Augustine News – (Florida) Beware of possible counterfeit cashiers checks. The director of the division of Supervision and Consumer Protection of FDIC’s Cyber-Fraud and Financial Crimes Section alerted St. Augustine local news reporters and St. Johns County businesses to the appearance of counterfeit cashier’s checks, which may be circulated in the area. Urban Trust Bank, Orlando, Florida, has contacted the Federal Deposit Insurance Corporation to report that counterfeit cashier’s checks bearing the institution’s name are in circulation. The counterfeit items display the routing number 263184815, which is assigned to Urban Trust Bank. A security feature statement is embedded between two padlock icons along the bottom border. The word “Remitter (s)” appears above the indemnity notice in the lower-left corner. The words “CASHIER’S CHECK” are displayed near the top center. A restrictive feature statement appears above two “AUTHORIZED SIGNATURE” lines. Be aware that the appearance of counterfeit items can be modified and that additional variations may be presented. Source:
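The alert above makes a point worth checking mechanically: the counterfeits carry 263184815, the routing number genuinely assigned to Urban Trust Bank, so a format check on the number cannot tell a counterfeit from a real item. The following added example (not part of the DHS report or the FDIC alert) implements the standard ABA routing-number checksum and pairs it with a lookup against numbers named in fraud alerts; the alert list is an assumed, locally maintained set seeded with the value from this item.

```python
"""Added example, not from the DHS report: ABA routing-number checksum plus alert lookup.

The checksum only confirms that a nine-digit number is well formed. Because the
counterfeits described above use the bank's real routing number, they pass it too,
so the lookup against alerted numbers is the part that actually flags the item.
"""

# Weights the ABA scheme applies to the nine digits; the weighted sum must be a multiple of 10.
ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def aba_checksum_ok(routing: str) -> bool:
    """True if `routing` is nine digits whose weighted sum is divisible by 10."""
    if len(routing) != 9 or not routing.isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(routing, ABA_WEIGHTS))
    return total % 10 == 0


# Assumed local list of routing numbers named in counterfeit alerts; the single
# value here is taken from the alert text above.
ALERTED_ROUTING_NUMBERS = frozenset({"263184815"})


def routing_checks(routing: str, alerted: frozenset = ALERTED_ROUTING_NUMBERS) -> dict:
    """Combine the format check with the alert lookup.

    A well-formed number that is also named in an alert needs manual verification
    with the issuing bank; the checksum alone says nothing about authenticity.
    """
    return {
        "well_formed": aba_checksum_ok(routing),
        "named_in_alert": routing in alerted,
    }


if __name__ == "__main__":
    for r in ("263184815", "263184816", "12345"):
        print(r, routing_checks(r))
```

Running the block shows the alerted number passing the checksum and a one-digit variation failing it, which is exactly why the alert tells businesses to look at the printed security features rather than trust the routing number.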

15. February 20, Bank Info Security – (National) Four banks closed on Feb. 19. Four banks were closed by state and federal regulators on February 19. The largest of the failed institutions was La Jolla Bank, a Pasadena, California-based bank with $3.6 billion in assets. There have now been 21 failed banks and credit unions so far in 2010. Marco Community Bank, Marco Island, Florida, was closed by the Florida Office of Financial Regulation, which appointed the Federal Deposit Insurance Corporation (FDIC) as receiver. As of December 31, 2009, Marco Community Bank had approximately $119.6 million in total assets and $117.1 million in total deposits. The La Coste National Bank, La Coste, Texas, was closed by the Office of the Comptroller of the Currency, which appointed the FDIC as receiver. As of December 31, 2009, the La Coste National Bank had approximately $53.9 million in total assets and $49.3 million in total deposits. George Washington Savings Bank, Orland Park, Illinois, was closed by the Illinois Department of Financial Professional Regulation - Division of Banking, which appointed the FDIC as receiver. As of December 31, 2009, George Washington Savings Bank had approximately $412.8 million in total assets and $397.0 million in total deposits. La Jolla Bank, FSB, La Jolla, California, was closed by the Office of Thrift Supervision, which appointed the FDIC as receiver. As of December 31, 2009, La Jolla Bank, FSB had approximately $3.6 billion in total assets and $2.8 billion in total deposits. The FDIC estimates that the cost to the Deposit Insurance Fund for the closing of the four banks will be $1.065 billion. Source:

16. February 20, Branson Tri-Lakes News – (Missouri) Bomb suspect being held. A 35-year-old Florida man is being held in Branson in connection with a bomb that was located, and later detonated by a professional bomb squad, at Branson Landing. The suspect and a 34-year-old woman from Missouri were arrested on February 18 in relation to the bomb that was discovered near an ATM. The woman, whose name has not been made public, was released on February 19, police said. The suspect was in the Branson Jail on drug charges and out-of-state warrants, but charges related to the bomb were expected after press time. The bomb may have been part of an attempt to break into the ATM. The couple was allegedly seen at the ATM along the Landing’s promenade about 12:30 a.m. Thursday by a security guard. Following a brief conversation with the guard, the couple left, police said. Shortly after, the guard found a backpack near the ATM, looked inside, and noticed the homemade bomb and other tools, including a screwdriver. The Springfield Fire Department Bomb Squad was called in and, using a robot, moved the backpack to the south parking lot and detonated it. A portion of Branson Landing Boulevard and the parking garage were closed for several hours in the morning. The Landing was open throughout February 18; however, several guests of the Hilton Promenade were relocated to other rooms during the night. According to the assistant general manager of the hotel, 12 rooms of guests had to be relocated to other areas of the hotel, and one man even asked to be moved to another hotel across the street. By 8 a.m. on February 18, everyone was back in their assigned guest rooms. Source:

17. February 20, KTSM 9 El Paso – (Arizona; Texas) “Boomerang” bandit targets Arizona banks. The “boomerang” bandit now has a new name — the “chameleon” bandit — after Arizona FBI agents say he allegedly robbed five other banks in Tucson. “The unknown male enters the bank, approaches the teller counter and presents a demand note,” reads a news release from the Phoenix FBI office. “In the last two robberies the unknown male threatened he had a gun via the demand note. The unknown male received an undisclosed amount of money before exiting the bank.” The man targeted the 1st Federal Bank in El Paso on January 12. “Upon reviewing surveillance video, FBI agents determined that the subject had walked around the parking lot for some time, and had entered the bank prior to the robbery,” said agents with Crime Stoppers El Paso. This is where he got the name “boomerang” bandit from FBI agents in El Paso. The first robbery was December 30 at a Wells Fargo Bank in Tucson, with the most recent on February 10 at First Credit Union in Tucson. Source:

18. February 19, KIRO 7 Seattle – (Washington) ‘F-bomb bandit’ wanted for series of bank robberies. Police are looking for a female bank robber who they are calling the ‘f-bomb bandit’ because of the ‘salty language’ she uses in her robbery notes, said the Seattle division of the FBI. The woman is suspected of four in-store bank robberies: on January 11 at the Bank of America at 4800 NE 4th St. in Renton; on February 2 at the Chase Bank at 4201 SW Morgan St. in Seattle; on February 4 at the Bank of America at 20830 108th Ave. SE in Kent; and on February 16 at the Wells Fargo at 17230 140th Ave. SE in Renton. Source:

19. February 19, Reuters – (International) US Treasury backs listing threats to financial system. The U.S. Treasury Department on February 19 said it endorsed a report from the international body fighting money laundering that blacklisted Iran, Angola, North Korea, Ecuador and Ethiopia for posing risks to the international financial system. “The U.S. Treasury Department welcomes the Financial Action Task Force (FATF) report statements this week identifying countries with strategic deficiencies in the area of anti-money laundering and combating the financing of terrorism,” the Treasury said. The task force said on February 18 that Pakistan, Turkmenistan and Sao Tome and Principe were jurisdictions that also continue to have deficiencies in their systems for countering money laundering and terror financing that need to be addressed. The task force said other countries should “advise their financial institutions to give special attention to business relationships and transactions with Iran” and with Iranian institutions to head off any “financing of terrorism risks emanating from Iran.” The task force is an intergovernmental organization, based in Paris and set up in 1989 under the auspices of the Group of Seven nations specifically to find ways to thwart terror groups from using the global banking system to launder money. Source:

Information Technology

53. February 22, The Register – (International) Twitter phish pwned profiles push penis pills. Twitter users were hit by potent phishing attacks recently that have already led to spam runs from compromised accounts. Miscreants posted messages disguised as humorous updates on the Twitter micro-blogging service as part of an ongoing attack that started on February 20. The messages included links to a counterfeit Twitter login page hosted in China, located under the domain The micro-blogging site warned of the attack on February 21. It advised anyone that had fallen for the ruse to change their passwords quickly, before hackers had a chance to alter login credentials to hijack compromised accounts. The domain prospective marks are directed towards is actually designed to harvest Twitter login details for later misuse in spam and identity theft-based attacks. In other social networking insecurity developments, many Facebook users are getting hoodwinked into joining a bogus group in order to enjoy supposed benefits of a non-existent Gold account. The scam started as a prank on the notorious 4chan image board back in 2007, but has now taken on a life of its own. Scammers are using the supposed benefits of the fictitious group to hoodwink users into taking part in a survey that involves subscribing to text messaging services in order to get the results. Source:

54. February 22, SC Magazine – (International) A rise in cyber attacks by one third saw 100 per cent of enterprises experience cyber losses in 2009. Under half of organizations rate security as their top issue, while three quarters experienced cyber attacks in the last 12 months. According to Symantec’s 2010 State of Enterprise Security study, 75 percent of enterprises experienced cyber attacks in the last 12 months and 36 percent rated the attacks somewhat/highly effective. Also, there was a 29 percent rise in reported attacks in the last 12 months. It also found that 100 percent of enterprises surveyed experienced cyber losses in 2009, with theft of intellectual property, customer credit card information or other financial information and customer personally identifiable information the most prevalent. Also in the survey, on average, IT assigns 120 members of staff to security and IT compliance, while nearly all the enterprises surveyed (94 percent) forecasted changes to security in 2010, with almost half (48 percent) expecting major changes. Source:

55. February 22, The Register – (International) Argentinians invade Falkland Islands website. Argentinian hackers on February 21 raised their national flag over the Falkland Islands’ Penguin News - a temporary occupation in which they laid out their case for sovereignty over the South Atlantic paradise island group. The invaders’ bullet-point list of claims - backed by a rousing audio recording of the March of the Malvinas - suggested the islands are Argentinian because “they were inherited from Spain and its Viceroyalty of Rio de la Plata” and “because Argentina is the closest country.” Penguin News, meanwhile, had by early February 22 reclaimed the website and was gamely battling on, despite the risk of sinking under an excess of bandwidth. Source:

56. February 22, Network World – (International) Botnets’ long half-life extends malware’s threat. Information gathered about a newly discovered botnet called Kneber indicates that multiple infections by different malware on the same host could work together as a sophisticated mechanism to give all the malware a better survival rate. The sheer size of the Kneber botnet — 74,000 compromised computers in 2,400 different companies — attracted most of the attention when Kneber was revealed last week. But how it interacts with other malware networks suggests a symbiotic relationship that ultimately makes each botnet more resistant to being dismantled, says the senior consultant in the research department at NetWitness who discovered Kneber. Kneber was built using a well-established toolkit for aggregating botnets called ZeuS that has been around for years. Kneber is an example of just one botnet built with the toolkit, but because the consultant captured 75GB of log data from the command-and-control server, he was able to examine detailed characteristics of the computers ZeuS took over. What he found is that more than half the 74,000 compromised computers — bots — within Kneber were also found infected with other malware that uses a different command-and-control structure. If one of the criminal networks were disabled, the other could be used to build it up again. In this case, more than half the machines that made up the botnet were infected with both ZeuS, which steals user data, and Waledac, a spamming malware that uses peer-to-peer mechanisms to spread more infections, he says. He can’t conclude for sure that they’re working together in this case, but the presence of both introduces an interesting possibility: If the ZeuS command-and-control infrastructure is cut down, the owner of the ZeuS botnet could go to the person running the Waledac botnet and pay for it to push a ZeuS upgrade that brings the ZeuS bots back online reporting to a new server, he says. Source:
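The resilience mechanism described above has a direct defensive consequence: if a host carries both families, cleaning only one of them leaves the other as a path to bring the first back. The following added example (not from the Network World article or from NetWitness) correlates per-host malware alerts to find such co-infected hosts so they can be remediated in a single pass, and computes the share of infected hosts affected, the figure the article gives as “more than half”. The alert line format and host names are constructed for the example.

```python
"""Added example, not from the article: correlate malware alerts per host.

Hosts seen with two or more distinct families are flagged for combined
remediation, since removing one family while leaving the other in place
leaves a channel through which the first can be reinstalled.
"""
import re
from collections import defaultdict

# Constructed sample alerts (timestamp, host, detected family); one line is deliberately malformed.
SAMPLE_ALERTS = """\
2010-02-18T09:12:44Z host=ws-0142 family=ZeuS
2010-02-18T09:13:01Z host=ws-0142 family=Waledac
2010-02-18T10:02:19Z host=ws-0207 family=ZeuS
2010-02-18T11:40:55Z host=ws-0311 family=Waledac
2010-02-19T08:00:03Z host=ws-0142 family=ZeuS
2010-02-19T08:15:30Z host=ws-0377 family=ZeuS
2010-02-19T08:15:31Z host=ws-0377 family=Waledac
malformed line that should be ignored
"""

# Assumed alert format for this example; adapt the pattern to the real AV/IDS export.
ALERT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) family=(?P<family>\S+)$")


def families_by_host(alert_text: str) -> dict:
    """Map each host to the set of malware families seen on it; unparseable lines are skipped."""
    seen = defaultdict(set)
    for line in alert_text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:
            seen[m["host"]].add(m["family"])
    return dict(seen)


def coinfected_hosts(alert_text: str) -> dict:
    """Hosts carrying two or more distinct families, with the families sorted for stable output."""
    return {h: sorted(f) for h, f in families_by_host(alert_text).items() if len(f) > 1}


def coinfection_ratio(alert_text: str) -> float:
    """Share of infected hosts that carry more than one family (0.0 when there are no hosts)."""
    by_host = families_by_host(alert_text)
    if not by_host:
        return 0.0
    return len(coinfected_hosts(alert_text)) / len(by_host)


if __name__ == "__main__":
    for host, fams in coinfected_hosts(SAMPLE_ALERTS).items():
        print(f"{host}: {', '.join(fams)} -> remediate all families in one pass")
    print(f"co-infection ratio: {coinfection_ratio(SAMPLE_ALERTS):.2f}")
```

On the constructed data two of four infected hosts carry both families, so a ticket-per-family workflow would reopen half of its tickets; grouping by host before assigning remediation avoids that.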

57. February 21, Financial Times – (International) US experts close in on Google hackers. US analysts believe they have identified the Chinese author of the critical programming code used in the alleged state-sponsored hacking attacks on Google and other western companies, making it far harder for the Chinese government to deny involvement. Their discovery came after another team of investigators tracked the launch of the spyware to computers inside two educational institutions in China, one of them with close ties to the military. A freelance security consultant in his 30s wrote the part of the program that used a previously unknown security hole in the Internet Explorer web browser to break into computers and insert the spyware, a researcher working for the US government told the Financial Times. Chinese officials had special access to the work of the author, who posted pieces of the program to a hacking forum and described it as something he was “working on”. The developments will add to the furor over the hacking campaign, revealed last month when Google said its systems had been compromised. Source:

58. February 21, PC World – (International) Cybercriminals exploit Haiti tragedy with malware. There was no let-up in spamming and phishing activities last month even as the entire world watched with sympathy the tragedy in Haiti. To add to the sorrow behind the devastating earthquake on January 12, cybercriminals took advantage of the tragedy to launch spamming and phishing attacks. “Both scam and phishing categories doubled in terms of the percentage of all spam in January 2010 compared to December 2009,” reported Symantec in its State of the Spam and Phishing Report of February 2010. Similar to other trends in the past, 24 to 48 hours after the earthquake hit, cyber criminals launched their attacks. So-called 419 spams inviting people to donate proliferated to lure Internet users to donate to bogus entities. Some even went to the extent of pretending to be legitimate organizations, such as UNICEF, Symantec reported. Malware was also introduced into videos pretending to be footage of the earthquake. Source:

59. February 20, IDG News Services – (International) Chinese schools deny role in Google hack. Two schools in China where computers were reportedly linked to cyberattacks on Google and other companies have denied involvement in the hack, Chinese state media said on February 21. Investigators say they have traced the attacks back to computers at Shanghai Jiaotong University, which is one of China’s top universities, and Lanxiang Vocational School in eastern Shandong province, The New York Times reported recently. That may not mean the attacks were launched from those computers since their IP (Internet Protocol) addresses could have been used by attackers elsewhere seeking to hide their location. A spokesperson said the Shanghai university was “shocked and indignant to hear these baseless allegations” and denied any link to students or teachers at the school, the state-run Xinhua news agency said. A representative of the vocational school said investigation of its staff found no trace that the attacks originated there, Xinhua said. The representative also denied any ties between the school and China’s military. Source:

60. February 19, Homeland Security NewsWire – (National) Gartner: only 6 percent of companies survive longer than two years after losing data. Technology moves at a fast pace. Still, while the offerings have changed frequently and often, the underlying issues that new technology addresses have been around since the advent of marketplaces. Marnoble Computer, founded in 1990, says it is finding new sales opportunities by addressing an age-old need — protection against mishaps and catastrophes. Providing comprehensive backup and disaster recovery (BDR) transcends all businesses, though companies in the healthcare, legal, and manufacturing industries are well represented among the company’s roster of clients. With anywhere from five to 250 users, Marnoble’s small- and medium-size business (SMB) clients realize that business continuity planning (BCP) is a necessity. According to a study by research firm Gartner Group, 43 percent of companies were immediately put out of business by a “major loss” of computer records, and another 51 percent permanently closed their doors within two years — leaving a mere six percent “survival” rate. Source:

61. February 19, Reuters – (International) Computer jargon baffles users, hinders security. Computer jargon, a “tick box” culture and unimaginative advertising are discouraging Internet users from learning how to protect themselves online. Faced with such gobbledegook, many of the world’s nearly 2 billion Internet users conclude that security is for “experts” and fail to take responsibility for the security of their own patch of cyberspace — a potentially costly mistake. That was the message from cyber experts who met this week to work out how to protect computer users from the growing problem of online theft, fraud, vandalism, abuse and espionage. One problem is that computer “geeks” use jargon to cloak their work in scholarly mystique, resulting in a lack of clarity in everything from instruction manuals and systems design to professional training, the experts said. The industry has made progress in educating users, but a huge and urgent task lies ahead in view of the growing criminal threat and the imminent arrival of billions more Internet users. Source:

Communications Sector

62. February 20, – (National) FCC outlines US broadband overhaul plans. The US Federal Communications Commission (FCC) has released new information on its planned broadband internet overhaul. The FCC said that it will focus on government, infrastructure and educational projects, in an attempt to shore up a number of areas in need of increased web access and bandwidth. Among the projects being considered are a nationwide emergency broadband and alert network, the installation of smart energy grids and new citizen feedback programs. Other projects include grant programs for small businesses, expanded access and improved web speeds for schools, and an overhaul of online education and tutoring initiatives. The proposals are part of the $6 billion broadband infrastructure plan introduced by the U.S. President’s administration. Source: