Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, March 4, 2010

Complete DHS Daily Report for March 4, 2010

Daily Report

Top Stories

 reports that 540 students at Phoenix Multicultural School on Detroit’s southwest side were evacuated Wednesday morning after a “Drano bomb” detonated inside the building. (See item 36)

36. March 3, – (Michigan) Drano bomb goes off in Detroit school. Students at Phoenix Multicultural School on Detroit’s southwest side were evacuated Wednesday morning after a “Drano bomb” detonated inside the building, said authorities. The explosive device, made of household cleaning chemicals, went off in the hallway of the building at about 8:30 a.m., sending fumes into the air, said a school official. School officials said no students were injured because they were all inside classrooms. “The device itself could have caused a lot of damage if there were a lot of children around when the device actually went off. Those types of bombs are very, very unstable”, said a police inspector with the DPD Bomb squad. Police said the 540 students at the K-8 school were immediately evacuated, and many were forced out into the cold without their coats. The students were bused to Roberto Clemente School in Detroit, which is located at 1551 Beard Street. Parents are asked to pick them up there at the end of the day. School is expected to resume at Phoenix Multicultural Thursday. A 14-year-old student is in police custody. Homeland security agents were at the scene with bomb-sniffing dogs, and have given the all clear. An investigation into how the student brought the device into the building is under way. Source:

 According to Reuters, Spanish police have arrested three men accused of masterminding one of the biggest computer crimes to date — infecting more than 13 million PCs with a virus that stole credit card numbers and other data. The men were suspected of running the Mariposa botnet, Spain’s Civil Guard said on Tuesday. (See item 47 in the Information Technology Sector below)


Banking and Finance Sector

14. March 3, Bank Info Security – (Colorado) Heartland breach: Colorado bank reports new fraud. A Colorado bank has come forward to reveal that as many as 5,000 of its customers were at risk because of new fraudulent transactions tied to the Heartland Payment Systems data breach. First National Bank of Durango, a $399 million institution, went public with the news on March 1, after several customers reported that their debit cards had fraudulent transactions on them. Additional staff was added by the bank to handle the front-end calls from customers. The bank’s senior vice president says the first customers to come forward late last week reported strange charges on their bills. As First National bankers met to discuss the situation, they heard from several more customers and their credit card processor that several debit cards had been compromised. Fewer than 20 customers had reported fraudulent charges by March 1. First National says it has received a list of up to 5,000 card numbers, or one fourth of the debit cards it has issued, that may be compromised. No fraud amounts on the compromised cards were revealed. Source:

15. March 3, – (International) RSA panel: No easy solution for Zeus Trojan, banking malware. The Zeus Trojan, a sneaky, ever-changing piece of malware, comes in many variants and is constantly finding ways to evade detection, said the vice president of online security and enrollment at Bank of America. “The complexity of the Trojan is what makes it so scary,” he said during a panel discussion on banking malware on March 2 at the RSA Conference. New solutions to fight the threat can quickly become outdated, he added. Bank of America does a lot of threat scoring; last year, phishing was the top threat facing its customers. But this year, in the wake of Zeus, “The customer endpoint has become the number one threat,” he said. Cybercriminals have been using the Zeus Trojan to steal online banking credentials, and researchers say the highly customizable and easily obtainable malware kit has proven particularly successful. Small and midsize businesses have been especially hard hit by online banking fraud triggered by password-stealing malware. Source:,289142,sid185_gci1407907,00.html

16. March 3, Free Internet Press – (International) Innovative bank scam: Criminals steal account numbers using one-cent transfers. Criminals in Germany are exploiting a loophole in the banking system to get hold of customers’ account details: they transfer one cent to random account numbers, and if the transfer goes through they know they have found a live account they can draw on. According to German authorities, the criminals attempt to transfer 1 euro cent to several accounts at a particular bank, using account numbers they have generated at random. If the bank rejects the payment, the account number does not exist; if the transfer succeeds, the crooks know they have stumbled upon a genuine account number. The bank’s accept-or-reject response works as an oracle, much as e-mail spammers compile mailing lists by generating random addresses and checking which of them accept messages. Armed with the account number, the crooks then start transferring sums of money out of that account, disguised as payments for supposed purchases or services. Often they merely inform their own bank that they have the right to withdraw money from the account by direct debit, a pull-based procedure commonly used by utility companies, government institutions and associations. German banks generally do not check very closely that the recipient actually holds a direct-debit mandate. Instead, the onus is on bank customers to spot illicit withdrawals from their account; in cases of fraud, account holders have 13 months to cancel a transaction. Source:
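The probing pattern described above is easy to spot on the originating or receiving bank’s side, because it leaves a distinctive trail: one originator sending many tiny transfers to many distinct, mostly non-existent accounts in a short window. The following detection routine is an added example written for this report, not code from the article or from any bank; the log format, the account numbers and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an outgoing-transfer log. Hypothetical format:
# time,originator_account,destination_account,amount_cents,status
# DE11PROBE0001 is the probing originator; the other two are benign
# (one normal shop, one legitimate micro-deposit sender with few targets).
SAMPLE_TRANSFERS = """\
2010-03-02T09:00:01,DE11PROBE0001,DE91RAND000001,1,REJECTED
2010-03-02T09:00:04,DE11PROBE0001,DE91RAND000002,1,REJECTED
2010-03-02T09:00:07,DE11PROBE0001,DE91RAND000003,1,ACCEPTED
2010-03-02T09:00:09,DE11PROBE0001,DE91RAND000004,1,REJECTED
2010-03-02T09:00:12,DE11PROBE0001,DE91RAND000005,1,REJECTED
2010-03-02T09:00:15,DE11PROBE0001,DE91RAND000006,1,ACCEPTED
2010-03-02T09:00:18,DE11PROBE0001,DE91RAND000007,1,REJECTED
2010-03-02T09:00:21,DE11PROBE0001,DE91RAND000008,1,REJECTED
2010-03-02T09:05:00,DE22SHOP00001,DE33SUPPLIER01,125000,ACCEPTED
2010-03-02T09:06:00,DE22SHOP00001,DE44SUPPLIER02,89900,ACCEPTED
2010-03-02T10:00:00,DE55PAYMENT001,DE66CUSTOMER01,1,ACCEPTED
2010-03-02T11:30:00,DE55PAYMENT001,DE66CUSTOMER02,1,ACCEPTED
"""


def parse_transfers(text):
    """Parse the CSV-style log into dicts with a real datetime and int amount."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, amount, status = line.split(",")
        records.append({
            "time": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "amount": int(amount),
            "status": status,
        })
    return records


def find_probing_originators(records, window=timedelta(hours=1),
                             max_amount_cents=1, min_targets=5):
    """Flag originators that send many micro-transfers to distinct accounts.

    For each originator, slide a time window over its micro-transfers
    (amount <= max_amount_cents) and alert when the window covers at
    least min_targets distinct destinations. The alert records how many
    probes were rejected (non-existent accounts) and which destinations
    were accepted, i.e. the live accounts the fraudster has now learned.
    """
    by_src = defaultdict(list)
    for r in records:
        if r["amount"] <= max_amount_cents:
            by_src[r["src"]].append(r)

    alerts = {}
    for src, txns in by_src.items():
        txns.sort(key=lambda r: r["time"])
        start = 0
        for end in range(len(txns)):
            # Advance the window start until it fits inside `window`.
            while txns[end]["time"] - txns[start]["time"] > window:
                start += 1
            span = txns[start:end + 1]
            targets = {r["dst"] for r in span}
            if len(targets) < min_targets:
                continue
            rejected = sum(1 for r in span if r["status"] == "REJECTED")
            live = sorted({r["dst"] for r in span if r["status"] == "ACCEPTED"})
            previous = alerts.get(src)
            # Keep the widest window seen for this originator.
            if previous is None or len(targets) > previous["targets"]:
                alerts[src] = {"targets": len(targets),
                               "rejected": rejected,
                               "live_accounts": live}
    return alerts


if __name__ == "__main__":
    for src, info in find_probing_originators(parse_transfers(SAMPLE_TRANSFERS)).items():
        print(src, info)
```

The accepted destinations in an alert are the accounts the bank would want to watch for follow-on direct-debit pulls; the legitimate micro-deposit sender is not flagged because it reaches only two accounts in the window.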

17. March 3, Washington Post – (National) Senators propose consumer-protection regulator within Fed. Some lawmakers who set out to improve financial regulation by stripping the Fed of its powers are moving toward the grudging conclusion that the Fed should hold even more power. The central bank was responsible for the health of the nation’s largest banks and the safety of American borrowers. Its failures in both roles have been well documented. Even so, key lawmakers on the Senate banking committee are seeking bipartisan support for a plan to house a new consumer-protection regulator inside the Fed. Separate efforts to strip the Fed of its responsibility for overseeing large banks have lost momentum. Adding authority to the Fed has emerged as the only viable option, congressional aides said. Democrats wanted a free-standing consumer-protection agency. Republicans were willing only to tuck a new regulator inside another agency. Democrats suggested the Treasury Department. Republicans said no. The Fed, whose leaders had largely abandoned efforts to retain a role in consumer protection, was left as the last candidate. Source:

18. March 2, SC Magazine – (International) Banks encouraged to implement decent multi-factor authentication to securely offer online banking. Properly implemented multi-factor authentication is needed to address the problems of online banking. In a blog posting on the threatpost website, a senior anti-virus researcher in Kaspersky Lab’s global research and analysis team claimed that banking Trojans reached a form of maximum sophistication in 2007. This specific subset of banker Trojans was, and still is, extremely sophisticated and exploits bank-specific weaknesses in the implementation of two-factor authentication. He said that a lot of banks do not employ two-factor authentication, and when they do, it is a very weak form of it. He said, “In short: online banking requires multi-factor authentication. The authentication code needs to be received or generated on a device, which is not connected to the device that is doing the transaction. Ideally, not only the transaction authorisation code is generated dynamically but also the password for logging onto the banking site. One thing to keep in mind here is that the cryptographic response algorithm needs to be different for logging on and approving transactions.” A refinement the researcher suggested is to make the receiving bank account number part of the authentication process, either by sending the number along with the SMS or by using it as an additional challenge when a token is used, so that a code approves one specific transfer rather than any transfer. Source:
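The two properties the researcher asks for, a different algorithm for logon and for transaction approval and a transaction code that is bound to the beneficiary account, can be shown in a few lines. The sketch below is an added example for this report, not the researcher’s or any bank’s code; the token secret, the IBANs, the counter and the HOTP-style truncation are constructed assumptions. It demonstrates that a code generated for one beneficiary is rejected when a man-in-the-browser swaps the beneficiary, and that a logon code cannot be replayed as a transaction approval.

```python
import hashlib
import hmac
import struct

# Constructed per-customer token secret for this example (not a real key).
# In a real deployment it exists only inside the offline token and the
# bank's HSM, never on the PC that submits the transaction.
TOKEN_SECRET = bytes.fromhex(
    "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0")


def _truncated_code(secret, message, digits=8):
    """HMAC-SHA256 over `message`, reduced to a short numeric code.

    Dynamic truncation in the style of HOTP (RFC 4226): the low nibble of
    the MAC picks an offset, 31 bits are read there, and the result is
    taken modulo 10^digits.
    """
    mac = hmac.new(secret, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def login_code(secret, counter):
    """One-time code for logging on.

    The b"login|" label domain-separates this from transaction codes, so
    the two response algorithms differ even though they share a key.
    """
    return _truncated_code(secret, b"login|" + struct.pack(">Q", counter))


def transaction_code(secret, counter, beneficiary, amount_cents):
    """Transaction authorisation code bound to beneficiary and amount.

    The token computes this from the beneficiary number the customer
    confirms on the token's own display (or receives by SMS), so the
    code is worthless for any other destination or amount.
    """
    message = (b"txn|" + struct.pack(">Q", counter) + b"|"
               + beneficiary.encode("ascii") + b"|"
               + struct.pack(">Q", amount_cents))
    return _truncated_code(secret, message)


def bank_verifies_transaction(secret, counter, beneficiary, amount_cents, presented):
    """Bank side: recompute the code over the transaction actually received."""
    expected = transaction_code(secret, counter, beneficiary, amount_cents)
    return hmac.compare_digest(expected, presented)


def demo():
    """Customer approves 150.00 EUR to ORIGINAL; malware rewrites it to ATTACKER."""
    counter = 42
    original = "DE89370400440532013000"   # constructed example IBAN
    attacker = "DE02120300000000202051"   # constructed example IBAN
    code = transaction_code(TOKEN_SECRET, counter, original, 15000)

    honest = bank_verifies_transaction(TOKEN_SECRET, counter, original, 15000, code)
    swapped = bank_verifies_transaction(TOKEN_SECRET, counter, attacker, 15000, code)
    inflated = bank_verifies_transaction(TOKEN_SECRET, counter, original, 150000, code)
    replayed_login = bank_verifies_transaction(
        TOKEN_SECRET, counter, original, 15000, login_code(TOKEN_SECRET, counter))
    return honest, swapped, inflated, replayed_login


if __name__ == "__main__":
    print("honest, beneficiary swapped, amount inflated, login code replayed:", demo())
```

The binding only helps if the customer actually checks the beneficiary shown on the second channel against the one they meant to pay; a token that merely signs a counter, as many early one-time-password devices did, gives a man-in-the-browser a valid code for whatever transaction it submits.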

19. March 2, NACS Online – (California) California police nab two alleged in skimming scam. Police announced the arrest of two men who they maintain ran an ID theft ring that used gas pumps to wipe out bank accounts, KGO-TV reports. The suspects targeted at least 20 Bay Area cities, and police say that they are responsible for at least 400 identity thefts, all originating at gas stations. Martinez police said that the men used skimming devices to access people’s bank accounts. A 7-Eleven clerk performing routine maintenance discovered the devices inside one of his store’s pumps and notified police. Detectives installed a decoy device and apprehended the suspects when they came to retrieve it. Police estimated that skimming operations net $20,000 a day each. The PCI SSC Skimming Prevention paper can be downloaded online. Source:

For another story, see item 47 in the Information Technology Sector below

Information Technology

47. March 3, Reuters – (International) Spain busts global botnet masterminds. Spanish police have arrested three men accused of masterminding one of the biggest computer crimes to date — infecting more than 13 million PCs with a virus that stole credit card numbers and other data. The men were suspected of running the Mariposa botnet, named after the Spanish word for butterfly, Spain’s Civil Guard said on March 2. A press conference to give more details is scheduled for March 3. Mariposa had infected machines in 190 countries in homes, government agencies, schools, more than half of the world’s 1,000 largest companies and at least 40 big financial institutions, according to two Internet security firms that helped Spanish officials crack the ring. The security firms — Defense Intelligence Inc. of Canada and Panda Security S.L. of Spain — did not say how much money the hackers had stolen from their victims before the ring was shut down on December 23. Security experts said the cost of removing the malicious program from 13 million machines could run into tens of millions of dollars. Mariposa was programmed to secretly take control of infected machines, recruiting them as “slaves” in an army known as a “botnet.” It would steal login credentials and record every keystroke on an infected computer and send the data to a “command and control center,” where the ringleaders stored it. Source:

48. March 2, Christian Science Monitor – (National) White House declassifies parts of US cybersecurity plan. On March 2 the cybersecurity czar pulled back the curtain, at least a bit, on the previous U.S. Presidential Administration’s secretive plan to defend the nation’s computer networks. At the RSA Conference, a security industry event, in San Francisco on March 2, the czar announced that the current Presidential Administration was partially declassifying the 2008 Comprehensive National Cybersecurity Initiative (CNCI) in the name of transparency. The declassified portion of the CNCI includes descriptions of its 12 broad initiatives, but few details. According to the Wired Threat Level blog, “the most controversial part of the declassified plan is a discussion of a need for the government to define its role in protecting private critical infrastructure networks” such as telecoms, the electric grid, Internet providers, and banking networks. The document largely focuses on efforts to secure the federal government’s vast computer networks with the use of its Einstein system to detect unauthorized attempts to access government computers. Source:

49. March 2, The Register – (International) Microsoft wants to put infected PCs in rubber room. A top Microsoft executive is floating the idea of creating mandatory quarantines for computers with malware infections that pose a risk to internet users. The informal proposal, made on March 2 by Microsoft’s vice president of trustworthy computing was short on specifics, such as who would be responsible for monitoring and isolating malware-riddled machines. But he laid out his case for keeping them away from the general populace, comparing such a move to laws that have gone into effect over the past 20 years banning cigarette smoking in public. The vice president is the latest to champion the idea that infected PC users should be put in their own rubber room, so the malware, spam, and other attacks they generate can’t harm others. The logistics of such a plan remain woefully unformed. While many say ISPs should monitor subscribers for infections, there’s considerable disagreement about how providers should carry out and pay for such a system. Source:

50. March 2, ComputerWorld – (International) Microsoft again pushes patch linked to Windows blue screens. Microsoft on March 2 said it had restarted distribution of a security update that had crippled some Windows PCs last month with reboot problems and Blue Screen of Death error screens. The update, dubbed MS10-015, originally shipped on February 9, but was pulled from Windows Updates’ automatic update two days later after complaints flooded Microsoft’s support forum from users whose machines refused to restart after they had installed the patch. The affected PCs shuddered to a stop at the blue screen which indicates a serious software error and crash in Windows. Within a week, Microsoft announced that only PCs infected with the “Alureon” rootkit were incapacitated by MS10-015. It denied that there was any flaw in the security update itself. Users who have already installed MS10-015 without problems do not have to reinstall it, Microsoft said. Source:

51. March 2, Help Net Security – (International) 6 in 10 malicious URLs bypass AV scanners and URL filtering. M86 Security released a new report revealing its Security Labs research results on the primary attack vectors on the Web and how the common approaches used to fend off these attacks stand up in today’s dynamic threat landscape. The report, titled “Closing the Vulnerability Window in Today’s Web Environment,” discloses both quantitative research on the percentage of Web threats correctly identified by URL filtering (3%) and anti-virus scanning (39%) over the course of last month and three real-life studies of specific attacks that are increasing in frequency: dynamic obfuscated code, hacking of legitimate Websites, and zero-day vulnerabilities. In February 2010, Security Labs collected and tested more than 30,000 live malicious URL samples against the typical tools of third-party URL lists and anti-virus scanners. The analysis found that in the best case scenario, 6 in 10 malicious URLs pass unnoticed through anti-virus scanners and URL filtering, even when these two approaches are used together. The test also looked at the growth rate of the signatures behind anti-virus scanners, such as a widely used malware collection, and found that despite the dramatic increase in signatures, organizations and end-users are less protected because of the evasive methods cyber criminals use as well as the real-time dynamic nature and sophistication of today’s Web-based attacks. Source:

52. March 2, The Register – (International) Zombie tactics threaten to poison honeypots. Innovations in botnet technology threaten the usefulness of honeypots, one of the main ways to study how bot herders control networks of zombie PCs. Computer scientists at the University of Central Florida warn that bot herders can now avoid honeypots - unprotected computers outfitted with monitoring software - set up by security firms. Ethical concerns mean that security firms do not allow their infrastructure to be used in sending spam or running attacks against victims. Because a honeypot will refuse to carry out such instructions, a bot herder can program the command and control servers to watch which bots comply and to disable or simply ignore the machines that do not, thus depriving security firms of vital intelligence on how zombie botnets operate in the real world. The scientists are working on techniques to make stealthier honeypot traps to trick bot herders. Preliminary findings from the Florida team’s research were published in a recent edition of the International Journal of Information and Computer Security. Source:

Communications Sector

53. March 3, Washington Post – (National) FCC Chairman Genachowski confident in authority over broadband, despite critics. Internet service providers are stepping up their campaign to prevent the Federal Communications Commission from regulating them like telephone companies and questioning the limits of the agency’s power over the Internet. The commission chairman said in an interview on March 2 at The Washington Post that he’s confident of the agency’s authority, and that his focus is on moving ahead with the administration’s campaign to bring high-speed Internet to all American homes. The FCC will present a national broadband plan to Congress in two weeks. The chairman said he plans to recommend unleashing 500 megahertz of spectrum for the next generation of smartphones, tablet computers and other portable devices that connect people wirelessly to the Web. But he wouldn’t answer whether the FCC is considering a move, urged by some public interest groups, to reclassify broadband service providers — the companies that provide access to the Web — so they more clearly fall under the agency’s jurisdiction. Source:

54. March 3, DarkReading – (International) Ponemon study: Voice calls may be at risk. A survey released today by the Ponemon Institute suggests that large and medium businesses are putting themselves at risk of cell phone voice call interception. According to a survey of seventy-five companies and 107 senior executives in the United States, it costs U.S. corporations on average $1.3 million each time a corporate secret is revealed to unauthorized parties. Eighteen percent of respondents estimate such losses occur weekly or more frequently; 61 percent say such leaks occur at least monthly. Ninety percent of companies say such leaks occur at least once a year. Sixty-seven percent of IT practitioners surveyed lack confidence that the proprietary and confidential information conveyed during cell phone conversations is adequately secured in their organizations. Eighty percent believe that their organizations would not discover the wrongful interception of a cell phone conversation that revealed valuable corporate secrets. Only 14 percent of organizations have deployed technological solutions for personnel travelling to high-risk locations. Eighty-three percent of companies are not even training employees about the risks of using cell phones in high-risk areas, Ponemon says. Source:

55. March 3, Wall Street Journal – (National) Verizon Wireless fixes network outage. Some Verizon Wireless customers in the eastern half of the U.S. were temporarily left without access to data services such as mobile Web and email early on March 3. The network outage, which was resolved by 8:15 a.m. Eastern Time, affected customers “east of the Mississippi,” according to a spokesman. He cited “bad switch software” which resulted in a deterioration of service and lower wireless speeds. Not everyone in the area was affected, the spokesman said. Data access in New York, for instance, continued to work on March 3. Source:

56. March 2, Homeland Security NewsWire – (National) FCC’s new public safety proposal receives mixed response. Ever since the 9/11 terrorist attacks, the United States has been trying to create a national, interoperable network for public safety. The plan encountered many hurdles, not least when the D Block of the 700 MHz band, earmarked for a public/private safety initiative, failed to reach its reserve price at auction in 2008. Now, the Federal Communications Commission (FCC) chief has announced new plans to relaunch the effort, putting up to $16 billion and more spectrum behind the proposals. Rethink Wireless writes that some public safety groups are disappointed that the plan does not go further, while the wireless carrier community remains undecided on the plan. The FCC plans to re-auction the D Block, and will call on Congress to allocate $12 billion to $16 billion in funding over ten years to help build the network. The FCC also wants safety agencies to have access to the whole 700 MHz band, not only to the D Block. Verizon Wireless will soon start building its LTE network in the band, and AT&T has plans to do the same from 2011. Another major existing 700 MHz user is Qualcomm, for its MediaFLO mobile TV system. Source:

57. March 2, – (New Jersey) Fire official: Welder hurt in explosion in Carteret. A welder was sent to the hospital after a small explosion on Federal Boulevard in Carteret late Tuesday morning, according to a fire official. The fire captain said a worker was welding at a construction site at the Verizon Wireless data center on Federal Boulevard at 11:31 a.m. on March 2 when a blast made the doors of his nearby truck fly off and hit him. The captain said he did not know what the welder was working on, but said that the blast did not cause a fire. “Something touched off an explosion,’’ he said. “I wouldn’t say it was a big explosion, but it was enough to basically blow the compartment doors off of his truck, and the compartment door struck him.’’ Authorities are investigating the cause of the blast. Source: