Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, March 9, 2010

Complete DHS Daily Report for March 9, 2010

Daily Report

Top Stories

Reuters reports that health experts watching for signs of a malaria outbreak have noticed several cases of the mosquito-borne disease among people traveling back from Haiti. So far, 11 laboratory-confirmed cases of malaria have been reported among emergency responders and those traveling in the United States from Haiti, the U.S. Centers for Disease Control and Prevention said on March 4. (See item 39)

39. March 4, Reuters – (International) Travelers from Haiti bringing malaria to U.S. Health experts watching for signs of a malaria outbreak have noticed several cases of the mosquito-borne disease among people traveling back from Haiti, where an earthquake in January killed as many as 300,000 people. So far, 11 laboratory-confirmed cases of malaria have been reported among emergency responders and those traveling in the United States from Haiti, the U.S. Centers for Disease Control and Prevention said on Thursday. Haiti already had a problem with malaria, which is spread by mosquitoes that will have more places to breed in the cities and towns wrecked by the giant quake. Each year, Haiti reports about 30,000 confirmed cases of malaria to the Pan American Health Organization, but the CDC estimates as many as 200,000 may occur each year. Three cases the CDC cited occurred among Haitian residents traveling to the United States and one case involved a U.S. resident who was visiting Haiti. All are expected to recover fully. Source:

According to the Associated Press, an airman in training at Sheppard Air Force Base in Texas was in military custody Monday after toting a shotgun outside a dormitory. A spokesman for the base said no shots were fired and nobody was hurt during the incident Sunday night. (See item 40)

40. March 8, Associated Press – (Texas) Airman with shotgun disarmed at Sheppard AFB. An airman in training at Sheppard Air Force Base was in military custody Monday after toting a shotgun outside a dormitory. A spokesman for the base said no shots were fired and nobody was hurt during the incident Sunday night. Base security forces received a call shortly after 9 p.m. about a man with a weapon outside a barracks that houses male and female personnel, he said. The spokesman said security confronted the airman and he dropped the shotgun. The spokesman declined to release the airman’s identity or say why he armed himself. However, he said investigators determined that there was no overall threat to base security, and the airman was to receive “psychological counseling and help.” The base was shut down shortly after the incident, but the spokesman said it reopened shortly before midnight and there was no impact on the training. The base is home to the 82nd Training Wing and the 80th Flying Training Wing. Source:


Banking and Finance Sector

14. March 8, Bank Info Security – (National) Bank failures: 5 institutions closed. Five banking institutions - four banks and one credit union - were closed by state and federal regulators on March 5. These latest closings raise to 30 the number of failed banking institutions so far in 2010. Sun American Bank, Boca Raton, Florida, was closed by the Florida Office of Financial Regulation, which appointed the Federal Deposit Insurance Corporation (FDIC) as receiver. The FDIC estimates that the cost to the Deposit Insurance Fund (DIF) will be $103.8 million. The National Credit Union Administration (NCUA) liquidated Lawrence County School Employees Federal Credit Union (Lawrence FCU) of New Castle, Pennsylvania, and accepted New Castle, Pennsylvania, based First Choice Federal. Bank of Illinois, Normal, Illinois, was closed by the Illinois Department of Financial Professional Regulation - Division of Banking, which appointed the FDIC as receiver. To protect the depositors, the FDIC entered into a purchase and assumption agreement with Heartland Bank and Trust Company, Bloomington, Illinois, to assume all of the deposits of Bank of Illinois. The FDIC estimates that the cost to the Deposit Insurance Fund (DIF) will be $53.7 million. Waterfield Bank, Germantown, Maryland, was closed by the Office of Thrift Supervision, which appointed the FDIC as receiver. The FDIC estimates that the cost to its Deposit Insurance Fund will be $51.0 million. Finally, the FDIC approved the payout of the insured deposits of Centennial Bank, Ogden, Utah. The bank was closed by the Utah Department of Financial Institutions, which appointed the FDIC as receiver. The FDIC estimates the cost of the failure to its Deposit Insurance Fund to be approximately $96.3 million. Source:

15. March 6, Detroit News – (Texas) Police arrest man who allegedly threatened to fly plane into bank. A detention hearing is set for a Utica man arrested on March 3 after he allegedly threatened to fly an airplane into a Chase Bank building in Houston. “Chase Bank employees were frightened by this threat since several weeks ago, a plane had been flown into an Internal Revenue Service building in Austin, Texas,” an FBI special agent said in an affidavit that was attached to documents charging the suspect with making an interstate threat. The suspect, 40, a real estate appraiser also known by another alias, refused for nearly two hours to come to the front door when federal agents visited his home on March 5. He allegedly made the phone threat on March 4, the affidavit said. The suspect, who appeared in U.S. District Court in Detroit late on March 5 and was ordered held for a detention hearing on March 8, was reportedly upset about a real estate appraisal Chase Bank had conducted and told the operator at the bank’s Houston call center he was “ready to fly an airplane into your building.” Source:

16. March 5, IDG News Service – (California) Westin hotel in LA reports possible data breach. People who stayed at the Westin Bonaventure Hotel & Suites in Los Angeles in 2009 and used their credit or debit card to eat there should keep a close eye on their bank statements. Hotel officials disclosed on March 5 that the hotel’s four restaurants, along with its valet parking operation, may have been hacked at some time between April and December, disclosing names, credit card numbers and expiration dates printed on customers’ debit and credit cards. The Westin Bonaventure is in Los Angeles’ downtown financial district, near the Los Angeles Convention Center and the Staples Center. The system that stores hotel guest information wasn’t affected, the Westin said. It offered few other details, including whether any credit card data had been misused, and a spokesman for the company’s public relations firm didn’t immediately return a call on March 5. Hotel computers have emerged as a major target for hackers of late. Recently, Wyndham Hotels & Resorts disclosed that 37 of its hotels had been hacked in late 2009 — the third such breach affecting Wyndham over the past year. Source:

17. March 5, Oklahoman – (Oklahoma) Oklahoma bomb hoaxes used by 4 bank robbers. Within the past two months, bomb threats have been used during four bank robberies. Local and federal officials have varied opinions on whether this constitutes a trend. Here’s a recap of the crimes: On Jan. 22, a homeless man from Texas went into an Oklahoma Fidelity Bank branch in Edmond and flashed a cylinder wrapped in aluminum foil and a napkin, which he called a “detonator,” and robbed the bank. He was caught within minutes and the money was recovered. Three weeks later, a man carrying a pistol and a device he claimed was a bomb robbed a First Fidelity branch in Moore. A third bomb threat happened on February 22 in Tulsa when a robber entered a Food Pyramid, walked to the in-store bank and handed a teller a note stating that the robber had a bomb. The most recent bomb hoax robbery was about a week ago in Boise City, when a man walked into First State Bank and handed a note to the teller. He then placed a device on the counter of the bank and said there was a bomb at a local school. In each case, bomb technicians became part of the bank robbery investigations. In Boise City, technicians had to sweep the school and check the device left at the bank. Source:

18. March 5, Denver Post – (Colorado) FBI on watch for Limping Latex Bandit. Local FBI detectives are looking for a limping man suspected of multiple bank robberies in the Denver metro area. The latest robbery happened Friday afternoon at the Key Bank at 185 Crown Crest Boulevard in Parker. The man, caught on surveillance cameras, appears to be limping and wearing latex gloves, earning him the name “Limping Latex Bandit.” He is described as a white man between the ages of 40 and 50, about 5 feet, 6 inches tall and weighing about 200 pounds. He is suspected of being connected to four other robberies since November 2009. Source:

Information Technology

50. March 8, The Register – (International) Botnet takedowns ‘don’t hurt crooks enough’. The recent takedowns of the Mariposa and Waledac botnets were victories for the good guys, but security experts warn that although cybercrooks suffered a bloody nose, they collectively retain the upper hand in their ongoing conflict with law enforcement and its security industry allies. “We have had significant victories against several botnets in the past but that hasn’t stopped the growth in malware or the growth in spam or in information theft,” said a security consultant at Trend Micro. “So, while we continue to win significant battles, winning the war will need closer cooperation between governments [and] law enforcement agencies on an ongoing basis rather than on an operational basis.” The consultant thinks that white hats remain outgunned by cybercrooks. He called for harmonisation of e-crime laws, to get rid of safe havens, and closer international cooperation in fighting internet crime. He added that ISPs have a vital role to play in curbing the botnet scourge. Source:

51. March 7, Computerworld – (International) Energizer Bunny’s software infects PCs. The Energizer Bunny infects PCs with backdoor malware, the Department of Homeland Security’s US-CERT said on March 5. According to researchers at US-CERT (United States Computer Emergency Readiness Team), software that accompanies the Energizer DUO USB battery charger contains a Trojan horse that gives hackers total access to a Windows PC. The Energizer DUO, a USB-powered nickel-metal hydride battery recharger, has been discontinued, said Energizer Holdings, which late on March 5 confirmed that the software contains malicious code. The company has not said how the Trojan made its way into the software, however. “Energizer is currently working with both CERT and U.S. government officials to understand how the code was inserted in the software,” Energizer said in a statement. Energizer’s DUO was sold in the U.S., Latin America, Europe and Asia starting in 2007. Source:

52. March 6, Techworld – (International) Wave of ransom malware hits internet. Criminals reused an attack from 2008 to hit the Internet with a huge wave of ransomware in recent weeks, a security company has reported. In the space of only two days, February 8 and 9, the HTML/Goldun.AXT campaign detected by Fortinet accounted for more than half the total malware detected for February, which gives some indication of its unusual scale. The attack itself takes the form of a spam e-mail with an attachment which, if clicked, automatically downloads a rogue antivirus product called Security Tool. It is also being distributed using manipulated search engine optimisation (SEO) on Google and other providers. What’s new is that old-style scareware has turned into a default ransom-oriented approach. The former assumes that users won’t know they are being scammed, while the latter assumes they will but won’t know what to do about it. The technique is slowly becoming more common, but what is also different is the size of this attack, one of the largest ever seen by Fortinet for a single malware campaign. Source:

53. March 6, – (International) Phishing reaches record high in January. January marked a record high for phishing attacks, seeing a 21 percent increase over the month before, according to the latest figures from security vendor RSA. The firm’s monthly Online Fraud Report (PDF) showed that recorded phishing attacks reached 18,820, more than double the figure a year ago. Fast-flux attacks, in which phishing and malware delivery sites are hidden behind a constantly changing network of compromised host PCs, accounted for 24 percent of phishing incidents in January, up four percent on December. Standard phishing attacks, meanwhile, showed a 12 percent increase compared with December. The number of attacked brands climbed by just two percent compared to December, but 35 new organizations suffered their first attack in January, more than triple the number reported in December. Source:

54. March 5, DarkReading – (International) Smartphone weather app builds a mobile botnet. A pair of researchers has amassed nearly 8,000 iPhones and Android smartphones in an experimental mobile botnet that demonstrates the ease of spreading potentially malicious applications on these devices. The security researchers with TippingPoint’s Digital Vaccine Group demonstrated how their seemingly innocuous weather app — called WeatherFist — gathers information on the users who downloaded it, including their GPS coordinates and phone numbers. The researchers wrote the app, which links to the Weather Underground Website and provides local and other weather forecast information to its users, and submitted it to app clearinghouses that offer apps for Androids and jailbroken iPhones. So why the WeatherFist experiment? The researchers say it’s to prove how such an app could steal or modify a user’s contacts, read his files, and access his Facebook and Twitter accounts, as well as email and passwords. Source:

55. March 5, The Register – (International) Opera says bug probably can’t commandeer machines. A security vulnerability identified in Opera can be exploited to crash users’ browsers, but probably can’t lead to the remote execution of malware, a company spokesman said. The buffer overflow bug was disclosed by Vupen Security on March 4, and the report has since been picked up by others, including Secunia and SANS. The advisories have said the vulnerability is critical because it can be exploited to remotely execute malicious code on end user machines. Vupen officials didn’t respond to emails seeking details. But Opera isn’t so sure. “We believe that the bug primarily causes a crash, and that exploiting the vulnerability to execute code is extremely difficult, if not impossible,” a spokesman told The Register. He went on to say that users should be sure to enable a security feature known as DEP, or data execution prevention. Source:

56. March 5, SC Magazine – (International) Microsoft will cover eight ‘important’ vulnerabilities on Patch Tuesday, as it gives dates for the end of support for Windows 2000 and Vista RTM. Microsoft is to address eight vulnerabilities on its monthly Patch Tuesday, with no critical flaws expected to be addressed. The vulnerabilities are in Windows and Microsoft Office and are remote code execution problems. The senior security communications manager at Microsoft recommended that customers review the advance notification web page and prepare to deploy these bulletins as soon as possible. He said: “To provide additional guidance for deployment prioritization, customers should note that both bulletins will address issues that would require a user to open a specially crafted file. There are no network based attack vectors.” Source:

Communications Sector

57. March 8, – (International) ITU launches satellite interface standard for mobiles. The International Telecommunication Union has released a new standard which it claims will boost mobile services in the areas of roaming and compatibility. The standard will be added to the IMT-2000 (3G) satellite interface to improve common mobile tasks such as international roaming, high-speed data transfers and compatibility. “Recommendation ITU-R M.1850 identifies satellite radio interface specifications for IMT-2000 systems which, by means of one or more radio links, provide access to a wide range of telecommunication services,” the organization said. The ITU added that the update would support the main IMT-2000 standard, and there would be no negative impact on existing specifications. The ITU secretary-general welcomed the new standards, explaining that they would increase broadband access for remote areas or those not covered by conventional wired connections. The secretary-general said that they would not have been possible without the input of government and industry experts. Source:

58. March 5, Network World – (National) Data centers tackling cyber terrorism, slowly. The data center is receiving more public scrutiny than ever before, with IT managers facing a range of challenges from making systems run more efficiently to protecting computers from cyber terrorism, says the AFCOM chief executive. The 30-year-old organization for data center managers is holding its twice-yearly Data Center World show from March 7-11 in Nashville, Tennessee, where IT folks will learn about the most pressing issues facing data centers today and share their own experiences. Cyber terrorism is one of the topics the chief executive is looking forward to examining further. AFCOM’s recent survey of more than 400 data center pros found that only one-third have included cyber terrorism in disaster recovery plans, only one-quarter have addressed cyber terrorism in policies and procedures manuals, and only one-fifth provide cyber terrorism employee training. These low numbers were recorded despite the fact that 61 percent of data center managers said they recognize cyber terrorism as a threat they need to address. Source: