Department of Homeland Security Daily Open Source Infrastructure Report

Friday, February 26, 2010


Top Stories

 The Washington Post reported that the Washington Metro’s decision to mix different types of signaling equipment against strong warnings from the manufacturer could have caused the June 22 Red Line crash that killed nine people, a senior company engineer testified before a federal panel on February 24. (See item 17)

17. February 25, Washington Post – (District of Columbia) Parts manufacturer says it warned Metro about mixing signaling equipment. Metro’s decision to mix different types of signaling equipment against strong warnings from the manufacturer could have caused the June 22 Red Line crash that killed nine people, a senior company engineer testified before a federal panel on Wednesday. The site safety officer of Alstom Signaling said at a National Transportation and Safety Board hearing that the combination of other manufacturers’ components with Alstom equipment just five days before the crash was at the heart of the failure of the train detection system. The previously undisclosed analysis by Alstom offers a new clue into what could have led to the Red Line crash. “ALSTOM believes that the use of third-party components presents … not only a customer quality issue, but also constitutes a serious and increasing risk to overall signaling system safety,” Alstom said in a Sept. 7, 2004, letter that the safety officer said was distributed to all of its customers, including Metro and its then-assistant chief engineer, who retired February 1. In addition, the safety officer said an Alstom employee gave a Metro engineer an oral warning about the risks of mixing different manufacturers’ equipment during discussions over a bulletin issued on the topic in October 2006. Source:

 IDG News Service reports that on February 24 Microsoft, with the help of a U.S. federal judge, struck a blow against one of the Internet’s worst sources of spam: the notorious Waledac botnet. Microsoft said it had been granted a court order that will cut off 277 .com domains associated with the botnet. (See item 45 in the Information Technology Sector below)


Banking and Finance Sector

12. February 25, Miami Herald – (Florida) Mortgage fraud task force comes to Miami. The Financial Fraud Enforcement Task Force kicked off the first of its mortgage-fraud summits on February 24 in the epicenter of the nation’s mortgage-fraud crisis and pledged to begin finding solutions. The interagency task force — established last November by the U.S. President to combat financial crime — is a team of federal, state and local law enforcement agencies, financial regulators, and inspectors general dedicated to curbing mortgage fraud, predatory lending, and other financial crimes. There are 23 task forces and 67 mortgage-fraud working groups throughout the country. According to Fannie Mae, Florida ranked No. 1 in loan-origination fraud in 2008 and 2009. South Florida is ranked first in the nation for the number of residents named in mortgage fraud-related suspicious activity reports, called SARs, filed by financial institutions, according to the U.S. Financial Crimes Enforcement Network. Source:

13. February 24, The Register – (Massachusetts) 3 Bulgarians charged in 44-day ATM hacking spree. Three Bulgarian men were charged on February 24 with defrauding banks of more than $137,000 in a scheme that attached electronic skimming devices to numerous automatic teller machines in Massachusetts. In the 44-day hacking spree, the men planted skimmers on ATMs maintained by Bank of America and Citizens Bank and secretly recorded information stored on the magnetic strips of cards as they were being used. The men also allegedly used concealed cameras to record the corresponding personal identification numbers. The men compromised “numerous” ATMs throughout eastern Massachusetts and stole more than $120,000, according to a press release issued by federal prosecutors in Boston. Court documents filed in the case said proceeds from the alleged crime were $137,724. The three were each charged with using counterfeit ATM cards, bank fraud, and aggravated identity theft. Two of the suspects were also charged with possession of device-making equipment. Source:

14. February 24, DarkReading – (National) FTC issues report of 2009 top consumer complaints. The Federal Trade Commission released a report on February 24 listing top complaints consumers filed with the agency in 2009. It shows that while identity theft remains the top complaint category, identity theft complaints declined 5 percentage points from 2008. The FTC is releasing a new animated video showing how people can file a complaint, and offers examples of what complaints the FTC handles. The report breaks out complaint data on a state-by-state basis and also contains data about the 50 metropolitan areas reporting the highest per capita incidence of fraud and other complaints. In addition, the 50 metropolitan areas reporting the highest incidence of identity theft are noted. Source:

15. February 24, Storefront Backtalk – (Alabama) Secret Service investigating debit-only breach of an Alabama Dairy Queen. For the mysterious data breach crime folder, the U.S. Secret Service is investigating a series of payment card thefts—originating at an Alabama Dairy Queen—that has only been impacting debit cards. The Hanceville, Georgia, police department’s captain is quoted in a local newspaper saying: “At that location, somebody has apparently tapped into the Internet server and hacked into the debit card system, and they’re printing out the customers’ debit card numbers and using them all over California and Georgia.” This is a disturbing trend, as retailers see debit card approaches as a way to try and reduce interchange costs. It’s even more frightening when factoring in that debit cards are more likely to suffer a processing glitch—as Best Buy and Macy’s discovered last year—than credit cards and that consumers impacted by a debit card data breach are far more exposed than they would have been had they used a credit card. Source:

16. February 23, Federal Bureau of Investigation – (Illinois) FBI searches for ‘ESPN Bandit’. The special agent-in-charge of the Chicago office of the Federal Bureau of Investigation (FBI) is asking for the public’s help in identifying the individual who is believed responsible for the armed robbery of at least four Chicago area banks and the attempted robbery of a fifth, dating to December of last year. The most recent theft occurred on February 22, when a Fifth Third Bank branch in Chicago was robbed of an undisclosed amount of money. As he has done in prior thefts, the robber entered the bank and approached a teller. He then handed her a manila-colored envelope which contained a typewritten demand note. The note claimed that the robber was armed and threatened the teller with harm if his demands were not met. After obtaining money from the teller, the robber fled the bank on foot, disappearing into the passing crowd. Prior to the February 22 robbery, the “ESPN Bandit” last struck on January 13 of this year, when he robbed two banks and attempted the robbery of a third. The fourth theft this individual is suspected of committing is the December 10, 2009 robbery of the TCF Bank branch in Melrose Park, Illinois. Source:

Information Technology

44. February 25, SC Magazine – (International) Microsoft operating system vulnerability claims refuted. Claims of a major vulnerability in the Microsoft Windows operating system have been refuted. The head of PCI at ProCheckUp Labs claimed that the findings by 2X Software, revealed exclusively by SC Magazine on February 24, were a ‘little sensationalist’. On February 24, 2X Software said that with a simple piece of code, an operating system from Windows 7/Server 2008 versions to Windows 2000/Server 2003 could be crashed with malicious applications installed. However, the head of PCI refuted this, saying that the claims indicate that code needs to be run locally for the vulnerability to be exploited, so an attacker cannot just send some malicious traffic to a Microsoft server and crash it. Source:

45. February 25, IDG News Service – (International) Court order helps Microsoft tear down Waledac botnet. With the help of a U.S. federal judge, Microsoft has struck a blow against one of the Internet’s worst sources of spam: the notorious Waledac botnet. Microsoft said on February 24 that it had been granted a court order that will cut off 277 .com domains associated with the botnet. This will effectively knock the brains of Waledac off the Internet, by removing the command-and-control servers that criminals use to send commands to hundreds of thousands of infected machines. Thought to be used by Eastern European spammers, Waledac has been a major source of computer infections and spam over the past year. Microsoft believes the botnet can send over 1.5 billion spam messages daily. In a lawsuit against the unknown spammers behind Waledac, filed Monday with the U.S. District Court of Eastern Virginia, Microsoft argues that Verisign, which manages the .com domain, is a choke-point for the botnet. The court has apparently ordered Verisign to remove the botnet’s command-and-control domains from the Internet. Source:

46. February 25, The Register – (International) Microsoft’s wiretap guide goes online, security site goes offline. The long-established privacy and cryptology website Cryptome was pulled offline on February 24 after Microsoft launched a legal offensive over its publication of Redmond’s guide to internet wiretapping. Microsoft’s Global Criminal Compliance Handbook, a 22-page booklet designed solely for police and intelligence services, provides an overview of Microsoft’s online services, what information it collects on users and how long it keeps it. The guide also explains how to serve warrants and how to make sense of the records it stores to understand, for example, when and to whom a Hotmail user sent an email. Redmond’s lawyers used the Digital Millennium Copyright Act (DMCA) in an attempt to force Cryptome to pull the guide, a request it refused, before going to hosting provider Network Solutions. The firm not only complied with this order but went one step further by placing a lock on the domain to keep the site down. Cryptome, which began way back in 1996 and serves as an outlet for whistleblowers, previously got into hot water for publishing Microsoft’s point-and-click “computer forensics for cops” COFFEE tool back in November. Source:

47. February 25, SC Magazine – (International) Phishing campaigns step up with hits on Twitter and Fotolog this week. Warnings have been issued about a worm that spreads through the photo sharing website Fotolog. The worm, detected as FTLog.A by PandaLabs, spreads through the photo-blogging site by inserting a comment in the targeted user’s page prompting them to click a link, supposedly pointing to a video. If the user clicks the link, the system will ask for permission to download the worm, which is disguised as a DivX video codec. Once installed, FTLog.A redirects the browser to a site with explicit content and a web page that asks users for their data in order to claim a (false) prize. If the user clicks ‘Get Free Access’, a setup.exe file is downloaded which, once run, installs the Media Pass plug-in. This also changes the browser home page and injects code into the browser to display pop-up ads, disrupting the user’s browsing experience. Source:

48. February 24, – (International) Malware levels remain steady in 2009. A new report from security firm Kaspersky Lab suggests that there has been little growth in the number of new malware samples over the past year. The company reported that roughly 15 million new malware samples were found during 2009, a rate of about 30,000 a day which is “virtually the same” as the 2008 level. While the growth of new threats leveled off, Kaspersky said that the malware that did emerge was more sophisticated and widespread. The company noted that nine pieces of malware were able to infect more than a million systems in 2009, while sophisticated programs such as polymorphic worms became more common. Kaspersky also reported that web-based fraud schemes, such as fake anti-virus software, boomed in 2009 and netted some $150m (£97m) in profits. Much of the focus this year is expected to shift from PC-based malware to attacks on web services and new devices. Source:

49. February 24, MIS Asia – (International) Cyber attacks frequent on Asia Pacific enterprises. Three quarters of Asia Pacific enterprises — and two thirds of businesses in Singapore — have experienced cyber attacks in the past 12 months, according to new global research. The 2010 Symantec State of Enterprise Security Study, released today, found that 38 percent of Asia Pacific enterprises, and 67 percent in Singapore, rank cyber risk as their top concern, more than natural disasters, terrorism, and traditional crime combined. Initiatives that IT executives rated as most problematic from a security standpoint include infrastructure-as-a-service, platform-as-a-service, server virtualisation, endpoint virtualisation, and software-as-a-service. The study involved surveys of 2,100 enterprise CIOs, CISOs and IT managers from 27 countries in January this year, including 850 respondents from the Asia Pacific and 100 from Singapore. Source:

50. February 24, ComputerWorld – (International) Baidu: Registrar ‘incredibly’ changed our e-mail for hacker. A hacker who took down top Chinese search engine Baidu last month broke into its account with a U.S. domain name registrar by pretending to be from Baidu in an online chat with the registrar’s tech help, according to a lawsuit filed by Baidu. Support staff at the registrar then refused to aid Baidu when first contacted about the attack, which redirected users to a Web page that declared, “This site has been hacked by the Iranian Cyber Army,” the Baidu complaint alleges. The complaint was filed last month in U.S. District Court for the Southern District of New York, but the court only recently released an unredacted copy of the complaint. The complaint says Baidu’s service was disrupted for five hours by the hack and seeks millions of dollars allegedly lost in revenue and other costs. Source:

51. January 22, U.S. Government Accountability Office – (International) Border security: Better usage of electronic passport security features could improve fraud detection. The Department of State has developed a comprehensive set of controls to govern the operation and management of a system to generate and write a security feature called a digital signature on the chip of each e-passport it issues. When verified, digital signatures can help provide reasonable assurance that data placed on the chip by State have not been altered or forged. However, DHS does not have the capability to fully verify the digital signatures because it has not deployed e-passport readers to all of its ports of entry and it has not implemented the system functionality necessary to perform the verification. Because the value of security features depends not only on their solid design, but also on an inspection process that uses them, the additional security against forgery and counterfeiting that could be provided by the inclusion of computer chips on e-passports issued by the United States and foreign countries, including those participating in the visa waiver program, is not fully realized. Protections designed into the U.S. e-passport computer chip limit the risks of malicious code being resident on the chip, a necessary precondition for a malicious code attack to occur from the chip against computer systems that read them. GPO and State have taken additional actions to decrease the likelihood that malicious code could be introduced onto the chip. Source:

Communications Sector

52. February 24, Mobiledia – (National) FCC wants TV airwaves for wireless broadband. Federal regulators are hoping to get more wireless spectrum for advanced mobile services by offering to pay television broadcasters — including NBC, CBS, Fox and ABC — to give up their rights to airwaves worth an estimated $50 billion. As part of a proposal, called the “National Broadband Plan,” existing spectrum holders would be paid to give up their licenses for government auctions, in addition to receiving a portion of the airwave proceeds raised by selling the rights to wireless carriers. The plan would free up 500 megahertz of airwaves, more than doubling the existing spectrum available for wireless carriers, who have demanded more space as their customers increasingly watch videos, check email and update Facebook on high-end smartphones. “The highly valuable spectrum currently allocated for broadcast television is not being used efficiently — indeed, much is not being used at all,” said the Federal Communications Commission’s chairman. Source: