Department of Homeland Security Daily Open Source Infrastructure Report

Monday, March 15, 2010

Complete DHS Daily Report for March 15, 2010

Daily Report

Top Stories

 An American charged in Yemen with being a member of Al Qaeda had worked at nuclear power plants in the U.S., a spokesman for a group of plants in New Jersey said on March 11. (See item 8)

8. March 12, – (International) Al Qaeda suspect worked at U.S. nuclear plants. An American charged in Yemen with being a member of Al Qaeda had worked at nuclear power plants in the U.S., a spokesman for a group of plants in New Jersey said Thursday. But a state official said the man did not breach security there. The 26-year-old natural-born U.S. citizen was arrested in Yemen earlier this month and is accused of killing a guard in an attempt to break out of a hospital. The FBI, the State Department, and other authorities said they were trying to gather information about the suspect. But the allegations appeared to illustrate a phenomenon U.S. intelligence officials have warned about: American Muslims becoming radicalized and joining terrorist movements overseas. The suspect was identified by Yemeni officials as a Somali-American. The suspect moved to Yemen about two years ago, supposedly to learn Arabic and study Islam, a former neighbor said. Before that, the suspect worked for several contractors at three nuclear power plants in New Jersey from 2002 to 2008, a PSE&G Nuclear spokesman said. The suspect carried supplies and did maintenance work at the plants on Artificial Island in Lower Alloways Creek, and worked at other plants in the region as well. Source:,2933,589022,00.html

 Just weeks after dealing with record-setting snowfall, residents in Pennsylvania, Ohio, and New Jersey are preparing for the possibility of flooding on March 11. A large portion of Pennsylvania and all of New Jersey is under a flood watch. Parts of Ohio, along the Ohio River, are under a watch, too, with the threat of heavy rain combining with melting snowpack. (See item 48)

48. March 11, Associated Press – (Pennsylvania; New Jersey; Ohio) Pa., NJ, Ohio residents prep for possible flooding. Just weeks after dealing with record-setting snowfall, residents in Pennsylvania, Ohio, and New Jersey are preparing for the possibility of flooding. A large portion of Pennsylvania and all of New Jersey is under a flood watch. Parts of Ohio, along the Ohio River, are under a watch, too, with the threat of heavy rain combining with melting snowpack. A forecast of warm weather and several days of rain will cause deep snow in the mountains to melt, according to the National Weather Service. Flooding in Pittsburgh could begin Friday night, and the Ohio River in the city is expected to crest about two feet above flood stage on Sunday afternoon, according to the NWS. Emergency management officials in the Pittsburgh region had warned of the possibility of major flooding as record-breaking amounts of snow began to thaw. February was the snowiest month in Pittsburgh-area history. The Allegheny County Emergency Services chief said last week that “the rivers are going to flood. It’s just a question of where.” The Pittsburgh mayor declared a state of emergency on Wednesday. The declaration will help the city more easily control resources, if needed. The Army Corps of Engineers’ Pittsburgh district said it has 107,000 sandbags and 650 linear feet of temporary flood wall available. The Corps has also drawn down its 16 reservoirs in the Ohio River Basin in preparation. Source:


Banking and Finance Sector

17. March 12, SC Magazine – (International) Employee of HSBC steals information of 24,000 customers. HSBC has been hit by an insider threat, with reports that information on 24,000 HSBC customers with Swiss accounts has been stolen. HSBC has said that a former IT employee of HSBC’s Swiss subsidiary Private Bank (Suisse) SA, identified by French authorities as Herve Falciani, obtained the information between late 2006 and early 2007. The accounts, held by individuals worldwide, were all opened before October 2006 and some 9,000 have since been closed, according to the Associated Press. The bank said it has contacted the affected customers and does not believe the data has allowed or will allow any unauthorized person to access the affected accounts. The stolen information only affects accounts in Switzerland, with the exception of its former subsidiary HSBC Guyerzeller Bank. Source:

18. March 12, eSecurity Planet – (Ohio) Cyber attack dents body shop. A recent cyber attack on an auto body shop resulted in the theft of more than $200,000. “The latest victim is Clarke Collision Center, an auto body shop in Hudson, Ohio,” writes the researcher Brian Krebs of Krebs on Security. “According to [the] owner of Kintz Tech, a local security consulting company that responded to the incident, on Feb. 23 an employee of the victim firm noticed something strange when she went to log in to the company’s online bank accounts: The site said the bank’s system was down for maintenance.” “The page she was sent to even included a 1-800 number supposedly for the bank’s customer service line,” the researcher writes. “[The owner] said the woman called that number, but quickly found that it was not in service. When the employee looked up the real customer service number for the bank and called to complain about the suspicious activity, she learned that there had just been a large number of wires and money transfers out of the company’s accounts to individuals in the United States and overseas, [the owner] said.” Source:

19. March 11, Coastal Monmouth Bureau – (New Jersey) Robber threatened to use grenade at Manasquan bank. Police are asking for the public’s help in locating an armed man who threatened to blow up a bank branch earlier today and made off with an undisclosed amount of money, putting one area school into lockdown and forcing two others to take emergency precautions, authorities said. The robber, who spoke with a southern accent, is described as an overweight white man between 50 and 60 years old and about 5 feet 7 inches tall. The man entered the Two River Community Bank at 240 Parker Ave., near Route 71, around 2:20 p.m., the Monmouth County assistant prosecutor said. He brandished what appeared to be a small-caliber revolver. He also showed two other items which appeared to be hand grenades, one of which was around his neck, the assistant prosecutor said. The man told the teller that one of the items was hooked up to a timer and would blow up in a number of minutes if he was not given all the money in the bank, the assistant prosecutor said. The man was given an undisclosed amount of money. The incident caused the lockdown of the nearby Sea Girt elementary school. Manasquan Elementary School, while not on lockdown, did retain pupils until they could be picked up by parents. Manasquan High School canceled all ongoing after-school activities and also held children until parents arrived. Source:

20. March 11, Reuters – (New York) U.S. regulators seize small New York bank. Regulators on March 11 seized a small New York bank, bringing the number of U.S. bank failures this year to 27. The Federal Deposit Insurance Corp said LibertyPointe Bank, of New York City, was closed by state regulators. Valley National Bank, of Wayne, N.J., is assuming all of LibertyPointe’s deposits. LibertyPointe had three branches and $209.7 million in total assets. The FDIC did not give a reason why it failed. It said the closure is expected to cost the FDIC’s insurance fund $24.8 million. Source:

Information Technology

39. March 12, The Register – (International) SSD tools crack passwords 100 times faster. Password-cracking tools optimised to work with SSDs have achieved speeds up to 100 times quicker than previously possible. After optimising its rainbow tables of password hashes to make use of SSDs, Swiss security firm Objectif Securite was able to crack 14-character WinXP passwords with special characters in just 5.3 seconds. An Objectif Securite spokesman told Heise Security that the result was 100 times faster than possible with their old 8GB rainbow tables for XP hashes. The exercise illustrated that the speed of hard discs, rather than processor speed, was the main bottleneck in password cracking based on password hash lookups. Objectif’s test rig featured an ageing Athlon 64 X2 4400+ with an SSD and optimised tables containing 80GB of password hashes. The system supports a brute-force attack of 300 billion passwords per second, and is claimed to be 500 times faster than a password cracker from Russian firm Elcomsoft that takes advantage of the number-crunching prowess of a graphics GPU from NVIDIA. Source:
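Item 39 describes cracking by lookup in precomputed tables of unsalted password hashes, where storage speed rather than CPU is the bottleneck. The following is an added example, not code from the article or from Objectif Securite, showing from a defender's view why such a table works against unsalted digests and why it fails once each password is salted and stretched; the sample passwords, the salt, and the SHA-256/PBKDF2 choices are constructed assumptions, not the XP hash format the article tested.

```python
import hashlib

# Constructed sample "dictionary" standing in for the far larger keyspace a
# rainbow table covers; the passwords and salt below are hypothetical values.
SAMPLE_PASSWORDS = ["password", "letmein", "Spring2010!", "hunter2"]
CONSTRUCTED_SALT = b"constructed-16-byte-salt"


def unsalted_hash(password: str) -> str:
    """Unsalted digest (the property the article's XP hashes share): two
    users with the same password get the same digest, so a table computed
    once serves every account ever hashed this way."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_lookup_table(passwords) -> dict:
    """Precompute digest -> password. The expensive hashing happens once;
    each later crack is a pure lookup, which is why storage speed (SSD)
    rather than CPU speed becomes the bottleneck the article describes."""
    return {unsalted_hash(p): p for p in passwords}


def crack(table: dict, digest: str):
    """Recover a password from its digest by lookup; None if not in table."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256). The salt
    makes every user's digest different even for identical passwords, so a
    precomputed table would have to be rebuilt per salt; the iteration count
    moves the cost back onto the CPU for every single guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations).hex()


def table_hits_salted(table: dict, password: str, salt: bytes) -> bool:
    """Does the unsalted lookup table recover a salted digest? It should
    never, even when the password itself is in the table."""
    return crack(table, salted_hash(password, salt)) is not None


def demo() -> dict:
    """Run both cases and return the outcomes for inspection."""
    table = build_lookup_table(SAMPLE_PASSWORDS)
    return {
        "unsalted_cracked": crack(table, unsalted_hash("letmein")),
        "salted_cracked": table_hits_salted(table, "letmein", CONSTRUCTED_SALT),
    }
```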

40. March 12, SC Magazine – (International) Anti-virus is becoming obsolete, as full content scanning is needed on web pages. Basic whitelisting and scanning of websites is not enough as web pages become more content driven. Speaking at a reseller event this week, the director of product marketing for web and data security at Websense said that there was a ‘need to classify content, as there may be some inappropriate or compromised content’ on existing websites. He pointed to iGoogle as an example, as it ‘is a mash up of content, and some of it may not be appropriate’. He claimed that while anti-virus is great for leveraging threats and it does have a use, it is not good at detecting exploits. He said: “The days of traditional URL filtering are dead, we care about where users go and they all use the top 500 websites. We care about enforcing capable policy security and the content on pages is dynamic.” Source:

41. March 12, Domain Name Wire – (International) ICANN board drops bomb on registrars hoping to launch new TLDs. ICANN’s board resolved on March 12 that there will be “strict separation of entities offering registry services and those acting as registrars. No co-ownership will be allowed.” However, the board left the possibility open for compromise, stating that if the Generic Names Supporting Organization (GNSO) comes up with a compromise, it will consider it. This is bad news for companies such as Demand Media, which owns registrar eNom and hoped to apply for new top level domain names. It’s good news for incumbent registries VeriSign, Neustar, and Afilias. The issue of registry/registrar separation has been a hot topic since the start of discussions on new top level domain names. The separation of the .com registry from the registrar business opened the door to massive registrar competition. Without it, it’s fair to wonder if behemoths such as Go Daddy, eNom, and Tucows would be around today. But proponents of allowing integration — including some of these very same registrars that benefited from separation the first time around — argue that was a different time with a different set of circumstances. Source:

42. March 11, The Register – (International) Koobface gang refresh botnet to beat takedown. Command and control servers associated with the infamous Koobface worm have gone through a complete refresh over the last fortnight. Russian net security firm Kaspersky Lab reckons the change-up might be aimed at making takedown efforts by cybercrime fighters more difficult. Koobface spreads via messages on social networking sites such as Facebook and Twitter. The worm and compromised legitimate websites act as proxies for its main command and control servers. Infected machines are contaminated with other forms of malware, in particular scareware (rogue anti-virus), one of the easiest and most profitable ways for cybercrooks to make money. Over the last two weeks, researchers at Kaspersky have seen Koobface C&C servers shut down or cleaned an average of three times per day. The number of control nodes dropped steadily from 107 on February 25, to as low as 71 on March 8, before doubling to 142 just two days later on March 10. These control systems are important because they orchestrate the operation of the infected zombie drones. In the course of this process the percentage of Koobface C&C servers hosted in the US increased from 48 percent to 52 percent. Source:

43. March 11, Network World – (International) ZeuS botnet code keeps getting better, for criminals. New capabilities are strengthening the ZeuS botnet, which criminals use to steal financial credentials and execute unauthorized transactions in online banking, automated clearing house (ACH) networks and payroll systems. The latest version of this cybercrime toolkit, which starts at about $3,000, offers a $10,000 module that can let attackers completely take control of a compromised PC. Zeus v.1.3.4.x (code changes are always underway by the author and owner, who is believed to be one individual in Eastern Europe) has integrated a powerful remote-control function into the botnet so that the attacker can now “take complete control of the person’s PC,” says the director of threat intelligence at SecureWorks, which released an in-depth report on ZeuS this week. This new ZeuS feature, which was picked up from an older public-domain project from AT&T Bell Labs known as “Virtual Network Computing,” gives ZeuS the kind of remote-control capability that might be found in a legitimate product like GoToMyPC, the director says. SecureWorks calls this a “total presence proxy,” and it is so useful to criminals that this one VNC module for ZeuS alone costs $10,000. Source:

44. March 11, The Register – (International) One-third of orphaned Zeus botnets find way home. The takedown of 100 servers used to control Zeus-related botnets may be a short-lived victory, security researchers said after discovering that about a third of the orphaned channels were able to regain connectivity in less than 48 hours. The resurrection of at least 30 command and control channels came after their internet service provider found a new upstream provider to supply connectivity to the outside world, autonomous system records showed on March 11. As a result, some of the rogue customers who used the Troyak ISP to herd huge numbers of infected PCs were able to once again connect to the compromised machines and issue commands. “The problem is that as soon as the C&Cs are reachable from the internet again, the cybercriminals can regain the control of their botnet and can safely move the stolen data away from those AS’s to a safer place or to a backup server,” a researcher connected to the Zeus Tracker service told The Register. One example of a severed server that was able to reconnect was this one. In all, about 100 of the 249 C&C servers Zeus Tracker monitored lost connectivity. Since then, 30 have been able to reconnect. The researcher, who asked not to be identified by name, said he expected more of the malicious servers will reconnect over time. Source:

45. March 11, ComputerWorld – (International) ICANN president criticized for remarks on DNS security. The country code subgroup of the Internet Corporation for Assigned Names and Numbers has criticized the ICANN President and CEO for “inflammatory” comments that the domain name system is not as secure as it used to be. While speaking at the Government Advisory Committee meeting on March 9, the CEO said more concerted efforts are needed to protect the DNS because it is under more attacks, is fragile and vulnerable, and “can stop any time.” In the session with the GAC and board members, the CEO addressed DNS abuse cases by some unspecified countries and promised to write to GAC members for more information and advice on DNS in their countries. The chairman of the Country Code Name Supporting Organization (ccNSO) council took issue with the statement to the GAC, terming it “inflammatory” and capable of rolling back the gains made by ccTLD managers and government officials in relation to DNS security. Source:

Communications Sector

46. March 11, Computer World – (National) FCC launches broadband test site for consumers. The U.S. Federal Communications Commission (FCC) has added tools to the Web site to help users measure their broadband speeds or report that they do not have broadband available. The FCC announced on March 11 that it has added new features called the Consumer Broadband Test and the Broadband Dead Zone Report to the Web site. The Consumer Broadband Test measures broadband quality indicators such as speed and latency and reports that information to consumers and the FCC. A mobile version of the app, the first mobile app released by the FCC, is also available through the Apple and Android app stores. The Consumer Broadband Test uses two popular broadband testing tools: the Ookla Speed Test and the Network Diagnostic Tool, running on the Measurement Lab (M-Lab) platform. The FCC plans to offer additional broadband testing tools in the future, the agency said in a press release. Source: