Department of Homeland Security Daily Open Source Infrastrucuture Report

Monday, March 8, 2010

Complete DHS Daily Report for March 8, 2010

Daily Report

Top Stories

 The Washington Post reports that a California man who calmly opened fire on two police officers at an entrance to the Pentagon Thursday appears to have acted alone and was not connected to any terrorist plot, the Pentagon police chief said. The Associated Press reports that the Pentagon Metro station reopened a day after the incident. (See items 18 and 40)

18. March 5, Associated Press – (Virginia) Pentagon Metro station reopens after shooting. The Pentagon Metro station has reopened, a day after a gunman was killed in a shootout with police officers. The north entrance to the station reopened shortly after noon Friday. The station had been closed while the FBI investigated Thursday’s shooting. Metro says the southern entrance remains closed. Bus service has also started again from the lower level of the Pentagon Transit Center, while the FBI continues to work along the upper level. Source:

40. March 5, Washington Post – (Virginia) Suspected gunman in Pentagon shooting acted alone, officials say. The California man who calmly opened fire on two police officers at an entrance to the Pentagon Thursday appears to have acted alone and was not connected to any terrorist plot, the Pentagon police chief said. The shooter, identified as a 36-year-old, was dressed in a business suit and carried two semiautomatic weapons and “many magazines” of ammunition, the police chief said. “He walked very directly to the officers and engaged,” the police chief said. Two officers were superficially wounded, one in the shoulder and one in the thigh. Both were treated at George Washington University Hospital in Northwest Washington and released. They and a third officer returned fire at the suspect, critically wounding him in the head, said the chief of the Pentagon Force Protection Agency. The suspect died at George Washington University Hospital. Federal law enforcement sources identified the guns allegedly used by the suspect as a Sturm 9mm and a Taurus 9mm. Investigators are tracing the origins of the weapons and checking to see whether the suspect had permits for them. Source:

 According to the Associated Press, students carried out raucous rallies on college campuses nationwide March 4 in protests against deep education cuts that turned violent as demonstrators threw punches and ice chunks in Wisconsin and blocked university gates and smashed car windows in California. Protesting students also shut down the I-880 freeway in Oakland. (See items 21 and 41)

21. March 4, Associated Press – (California) Protesting students shut down Oakland freeway. A major San Francisco Bay area freeway has been shut down in both directions by college students protesting budget cuts at California campuses. About 150 people who were part of a much larger group demonstrating in downtown Oakland clambered onto the I-880 freeway at the beginning of the evening rush hour March 4. Aerial footage shot by television station KTVU showed people with banners spread out across the road, forming a barrier to lines of cars that stood stopped some distance away. KTVU says Oakland police are calling for more officers. The freeway closure came at the end of a day of protests and rallies at college campuses nationwide to draw attention to rising tuition and class cuts. Source:

41. March 5, Associated Press – (National) Rowdy protesters target funding cuts at US campuses. Students carried out raucous rallies on college campuses nationwide Thursday in protests against deep education cuts that turned violent as demonstrators threw punches and ice chunks in Wisconsin and blocked university gates and smashed car windows in California. At least 15 protesters were detained by University of Wisconsin-Milwaukee police after as many as 150 students gathered at the student union then moved to an administrative building to deliver petitions to the school chancellor. A University spokesman said campus police allowed one person inside, But when she emerged, she encouraged everyone to rush the building, he said. The violence began when police tried to turn them away. No serious injuries were reported. The school was among dozens of nationwide campuses hit with marches, strikes, teach-ins and walkouts in what was being billed as the March 4th National Day of Action for Public Education. In Northern California, rowdy protesters blocked major gates at two universities and smashed the windows of a car. Protesters at the University of California, Santa Cruz surrounded the car while its uninjured driver was inside. Earlier, demonstrators blocked campus gates. The University provost said there were reports of protesters carrying clubs and knives, but a Santa Cruz police captain could not confirm those reports. No arrests had been made. At the University of Texas at Austin, about 100 students and staff rallied on campus to protest a 5.4 percent hike in tuition and fees approved by regents a day earlier. Protesters complained the quality of education was taking a backseat to the university’s bottom line. Source:


Banking and Finance Sector

9. March 5, The Register – (International) Argos buries unencrypted credit card data in email receipts. Catalogue firm Argos has been criticized for an email security breach that exposed customers’ credit card details and CCV security numbers. The exposure came to light after an Argos customer who checked his order confirmation email found that his credit card number and security code was buried in the HTML source of the message. The slip-up meant that any miscreants who intercepted email confirmation messages from Argos would be able to harvest plastic card payment details - if they spotted where the numbers were stashed. The breach was discovered by a UK Argos customer and first reported by PC Pro. The customer’s card details were recently fraudulently misused, but this incident has not been linked to the Argos email slip-up. It’s unclear how long the exposure problem lasted, or how many Argos customers were affected. In a statement, Argos said it had already corrected the fault and was working with privacy watchdogs at the Information Commissioner’s Office in dealing with the fallout from the breach. Source:

10. March 5, Fort Wayne Journal Gazette – (Indiana; Michigan) Police tie suspect to 12 bank heists. Police in Valparaiso, Indiana have arrested a man suspected of robbing a dozen banks, including one in Warsaw recently. When authorities questioned a 35-year-old suspect, they said he admitted to the Warsaw robbery and 11 others in northern Indiana and southwest Michigan. These included banks in Plymouth, Hebron, Rensselaer and Chesterton, police said. The FBI believes the suspect could be responsible for two robberies in Valparaiso and one in Paw Paw, Michigan. The suspect was being held at the Porter County Jail pending federal bank robbery charges. Source:

11. March 5, NBC 4 Columbus – (Ohio) FBI: ‘Suburban Bank Robber’ robs 4th bank. A serial bank-robbery suspect local authorities call the “Suburban Bank Robber” robbed a fourth bank on March 4, according to the FBI. At about 3:52 p.m. on March 4, the suspect entered the Whitehall Credit Union at 5025 E. Main St. in Columbus, walked up to a teller and told the employee he was robbing the bank. The suspect wanted the teller to put money into a plastic bag that he placed on the counter. Although no weapon was observed, the teller complied and placed money into the bag. The suspect got into a blue-colored vehicle, possibly a small Chevrolet or Kia, and fled westbound on East Main Street. Law enforcement believes the credit union was the fourth bank the suspect has robbed since January 29, 2010 when he hit a Key Bank in Reynoldsburg. Since that time, he has robbed banks in Worthington and Upper Arlington, police said. Source:

12. March 4, SC Magazine – (International) Merchants seemingly on a mission to fail compliance tests as a quarter admit that they do not know if they will meet the September deadline. A third of merchants do not understand the requirements of PCI DSS (Payment Card Industry Data Security Standard) compliance and only 11 percent are certified as compliant. A survey conducted by Redshift Research on behalf of Tripwire found that a third of respondents do not know if they will be PCI compliant by the September 2010 deadline, while 18 percent said that they did not know if they would be compliant by the 2010 deadlines that have been set by Visa and MasterCard. Despite the majority of respondents saying they were confident about achieving PCI compliance, the research survey found that 32 percent are currently responding to weaknesses that were identified in their PCI DSS pre-audit; 27 percent of companies will put off becoming PCI compliant for as long as possible; 14 percent have completed a PCI DSS pre-audit but not undertaken any further action; and 14 percent are not compliant and are not in the process of becoming so. In addition, 39 percent of respondents believe that credit card security should be the problem of the credit card companies. Source:

13. March 4, Wall Street Journal – (National) Clash over ‘Too Big to Fail’. There is no U.S. government guarantee to protect the largest financial firms, a Treasury Department official said, as a congressional watchdog criticized the $45 billion in government aid provided to Citigroup Inc. The individual who oversees the Treasury’s $700 billion financial-rescue plan, disagreed with members of a congressional oversight panel that some financial firms benefit from the assumption that the government would step in to prevent their failure. The head of the Congressional Oversight Panel said that financial markets assume there is a government guarantee of large banks, but a Treasury official disagreed. The CEO of Citigroup said his bank is ‘well-capitalized.’ The chair of the five-member Congressional Oversight Panel said it was clear that financial markets do assume the guarantee exists, pointing to a recent ratings-company report that specifically noted the government’s role in backing Citigroup. Panel members locked horns with the individual who oversees the Treasury’s $700 billion financial-rescue plan over his reluctance to answer some questions, primarily regarding the health of Citigroup when the government injected capital into the bank in late 2008. Source:

14. March 4, DarkReading – (International) New BlackEnergy trojan targeting Russian, Ukrainian banks. Russian hackers have written a more sophisticated version of the infamous BlackEnergy Trojan associated with the 2008 cyberattacks against Georgia that now targets Russian and Ukrainian online banking customers. A security researcher with SecureWorks says Russian hackers are using the Trojan spread via the BlackEnergy botnet to hit Russian and Ukrainian banks with a two-pronged attack that steals their customers’ online banking credentials and then wages a distributed denial-of-service (DDoS) attack on the banks as a cover: “They may be emptying the bank accounts while the banks are busy cleaning up from the DDoS,” he says. Dubbed by the researcher as “BlackEnergy 2,” this new version of the Trojan is a full rewrite of the code that features a modular architecture that supports plug-ins that can be written without access to its source code. It currently comes with three different DDoS plug-ins, as well as one for spamming and two for online banking fraud, according to the researcher. Source:

Information Technology

53. March 4, PC World – (International) Microsoft plans to patch 8 Windows, Office bugs next week. Microsoft on March 4 announced it will ship two security updates on March 9 to patch eight vulnerabilities in Windows and Office. In its monthly advance notification, Microsoft spelled out next week’s two-update Patch Tuesday, a far cry from February’s massive roll-out of 13 security bulletins that fixed 26 flaws. The downturn was not unexpected. “This is indicative of the on and off cycle that Microsoft uses,” said the director of security operations at nCircle Network Security. “Last month was more OS related, this month they’re patching some applications.” Both bulletins will be pegged as “important,” Microsoft’s second-highest severity rating in its four-step scoring system. The vulnerabilities in those two updates, however, allow attackers to insert malicious code onto unpatched PCs, a fact that at first glance may seem contrary to Microsoft’s less-than-critical ranking. Neither of the bulletins match up with the outstanding security advisories that Microsoft has issued but not yet patched, including one harking back to November 2009. Newer advisories, such as one last month about a bug in Internet Explorer and another issued on March 1 about a flaw in VBScript, are also not on the patch list for next week, the director said. The VBScript bug, which can be exploited via Internet Explorer, prompted Microsoft to issue an unusual warning: Don’t press the F1 key. Source:

54. March 4, Network World – (International) Chinese attacks like the one against Google are on pace to double this year. Recent Internet attacks from China against Google and other U.S. companies will more than double this year if the pace during the first two months continues, a security expert says. This type of attack has been increasing over the past two years, with F-Secure spotting 1,968 such examples in 2008, 2,195 in 2009 and 895 so far this year, said the chief research officer for F-Secure, who during RSA Conference held a private briefing on the attacks. Unlike other malware attacks, these are fashioned for specific targets and are used only once. “In these cases, you are the only organizations in the world to get hit and no one else, and the attacker has done his homework,” the researcher said. Source:

55. March 4, – (International) RSA 2010: Researchers dissect ZeuS botnet blueprint. A little knowledge and a few thousand dollars is all it takes to build a fully functional botnet, according to security experts. Cisco researchers told delegates at the 2010 RSA conference in San Francisco that a botnet running the infamous ZeuS malware could be built for $2,500 (£1,660). ZeuS is primarily a data-gathering and botnet control tool, but has become particularly loathed in the security community because it directly injects content into pages and intercepts credentials before they are sent to legitimate sites. Making matters worse, the monetary and technical thresholds for running Zeus are particularly low. The researchers said that a current version of Zeus can be had for roughly $700 (£460), while older versions can be obtained for free. A criminal could then obtain an exploit tool to install the malware for roughly $800 (£530), while a server will cost around $300 (£200) and an additional $700 to hire and maintain affiliates to drive traffic to the attack sites. Source:

56. March 4, The Register – (International) Severe’ OpenSSL vuln busts public key crypto. Computer scientists say they’ve discovered a “severe vulnerability” in the world’s most widely used software encryption package that allows them to retrieve a machine’s secret cryptographic key. The bug in the OpenSSL cryptographic library is significant because the open-source package is used to protect sensitive data in countless applications and operating systems throughout the world. Although the attack technique is difficult to carry out, it could eventually be applied to a wide variety of devices, particularly media players and smartphones with anti-copying mechanisms. The scientists, from the University of Michigan’s electrical engineering and computer science departments, said the bug is easily fixed by applying cryptographic “salt” to an underlying error-checking algorithm. The additional randomization would make the attack unfeasible. An OpenSSL official, who asked that his name not be published, said engineers are in the process of pushing out a patch and stressed the attack is difficult to carry out in real-world settings. Source:

57. March 4, PC World – (National) FBI director: Hackers have corrupted valuable data. Hackers breaking into businesses and government agencies with targeted attacks have not only stolen intellectual property, in some cases they have corrupted data too, the head of the U.S. Federal Bureau of Investigation said on March 4. The United States has been under assault from these targeted spear-phishing attacks for years, but they received mainstream attention in January, when Google admitted that it had been hit and threatened to pull its business out of China — the presumed source of the attack — as a result. The FBI Director called these attacks a threat to the nation’s security on March 4, speaking at the RSA Conference in San Francisco. “Just one breach is all they need in order to open the floodgates,” he said, speaking about the hackers behind these intrusions. “We have seen not only a loss of data, but also a corruption of that data.” The director did not say exactly what he meant by corruption of data, but security experts worry that if attackers are able to alter source code, they might put back-doors or logic bombs in the software they gain access to. Source:

58. March 4, DarkReading – (International) Tool automates targeted attacks on social network users. A researcher on March 4 released a free tool that impersonates a Twitter user’s account in order to execute automated targeted attacks on the person’s followers. A security researcher with Core Security Labs, says the group wrote the tool as a way to demonstrate and test for how social networks can be used for spear phishing. The initial version executes attacks on Twitter, but the researcher says it can be extended to work against Facebook and other social networks. The tool is based on Core’s Exomind, an experimental Python-based framework written to test social network, search engines, and instant messaging attacks. The researcher says the goal is to provide organizations with a tool for social networking security training, penetration testing, or just to show how these attacks could work. Source:

For more stories, see item 14 above in the Banking and Finance Sector

Communications Sector

59. March 5, Middletown Times Herald Record – (New York) TV-signal glitch for Time Warner caused by fire. For the past two weeks, there’s been something fishy going on with Time Warner Cable’s signal in the Hudson Valley. In place of PBS’ usual programming, such as “Great Performances” and “Charlie Rose,” Channel 13 has aired children’s cartoons. There’s excess letterboxing — dark panels — surrounding the pictures on a few channels, and some shows on ABC look like they’re being viewed through a fun-house mirror. The problems were caused by a fire in a Manhattan manhole, according to a Time Warner Cable spokeswoman. The fire damaged some fiber-optic cable, forcing the company to switch to over-the-air signals. The PBS station and a few others should be returned to normal soon. Source:

60. March 4, ComputerWorld – (International) Agency awards $255M in new broadband funds. The U.S. Rural Utilities Service (RUS) today announced $254.6 million in funding for 22 broadband deployment projects in 18 states across the U.S. as it works to wrap up a first round of broadband funding made available in a huge economic stimulus package passed by Congress early last year. The RUS has now awarded more than $895 million of about $2.5 billion it has available under the American Recovery and Reinvestment Act. On March 2, RUS and the U.S. National Telecommunications and Information Administration (NTIA) announced they were extending the deadline to apply for a second round of funding from March 15 to later in the month. The new broadband projects will help rural areas attract new businesses, educational opportunities and jobs, said the secretary of the U.S. Department of Agriculture, the parent agency of the RUS. Source:

61. March 4, ComputerWorld – (International) Definition of ‘broadband’ still a secret in U.S. plan. The National Broadband Plan is due to reach Congress in two weeks, but there is still some mystery about how the plan will define the term “broadband.” The plan’s chief author said in an interview on March 3 that it will set specific minimum speeds that Internet service providers will have to deliver in order to qualify for funds from the Federal Communication Commission’s Universal Service Fund. But he revealed few details because the plan is undergoing more refinements before it is sent to Congress on March 17. Asked how the plan actually defines broadband, the chief author was noncommittal and indicated the answer was somewhat controversial. However, he noted that the FCC Chairman’s call for getting Internet service speeds of 100Mbit/sec. to 100 million U.S homes as one indication of what broadband goals for the nation should be. Source: