Department of Homeland Security Daily Open Source Infrastructure Report

Friday, March 19, 2010

Complete DHS Daily Report for March 19, 2010

Daily Report

Top Stories

 The Associated Press reports that Virginia Tech is urging calm as e-mails and Internet postings originating in Italy threaten another attack on campus. Though police do not believe the threats are credible, classes were held Thursday with additional security on campus. (See item 37)

37. March 18, Associated Press – (Virginia) Online postings warn of another Va. Tech attack. Virginia Tech is urging calm as e-mails and Internet postings originating in Italy threaten another attack on campus. Though police do not believe the threats are credible, the school president said in an e-mail to faculty and students Wednesday that classes will be held Thursday with additional security on campus. Authorities investigated similar threats earlier this month and in October and believe the new posts are from the same person. Virginia Tech was the scene of the worst mass shooting in modern U.S. history in April 2007. Virginia State Police and the FBI are assisting in the investigation. Source:

 According to Reuters, hackers have flooded the Internet with virus-tainted spam that targets Facebook’s estimated 400 million users in an effort to steal banking passwords and gather other sensitive information. (See item 48 below in the Information Technology Sector)

Banking and Finance Sector

12. March 18, Morristown Daily Record – (New York) FBI seeks gentlemen bank robbers in NY. A polite bank robber who says “thank you” as he holds tellers at gunpoint is part of at least a two-man crew who have robbed six Westchester banks since January, federal agents say. The men are picking up their pace, robbing two banks since March 13 and frustrating law enforcement officers who have set up roadblocks to try and catch them. Westchester appears to be their primary target — with the exception of the March 15 robbery of a TD Bank in Mahopac — but investigators said they believe they have robbed banks before this recent spree. The robber has demonstrated calm under pressure and is likely an experienced stickup artist. The result has been one of the biggest Westchester bank robbery sprees in decades. It has led state Crime Stoppers to offer a $2,500 reward for information leading to an arrest, and the FBI’s Westchester County Violent Crimes Task Force to coordinate several police agencies in the investigation. Investigators said they believe there are at least two men involved in the seven heists. Source:

13. March 18, The Register – (International) Madoff geeks charged for writing book-cooking code. A federal grand jury has indicted two computer programmers on fraud and conspiracy charges for developing programs used by a renowned Ponzi artist to cook the books in his billion-dollar Ponzi scheme. The two suspects knowingly created the programs that removed or altered key data contained in reports submitted to regulators in the United States and Europe, according to the indictment filed on March 17 in U.S. District Court in Manhattan. Among other things, their code contained algorithms to randomly generate times for purported orders that in fact were never made. The reports were generated on “House 17,” an IBM AS/400 server kept on the 17th floor of the Ponzi artist’s offices that had no link to the outside world, prosecutors allege. To ensure the reports appeared genuine, the server pulled partial information from a separate AS/400 that was linked to the Depository Trust Company and other third parties. The document goes on to claim that the programmers knew their programs were being used to falsify information being provided to the Securities and Exchange Commission and the European Accounting Firm, and sought to profit from their expertise. Source:

14. March 18, Help Net Security – (International) Barclays under strong phishing shower. A highly productive phishing scam, with more than 180 messages sent in three minutes, hits a large share of Barclays’ online customers. Many customers are unsure what to do now that their bank has been acquired in the wake of the lending crisis. Do not click the links in e-mails supposedly sent by the bank. Barclays’ members will be amazed to find in their inboxes an apparently legitimate message which requires them to check their account details by following a link allegedly directing them to the financial institution’s Web site. The provided link redirects the gullible users towards a fake Barclays Web site, which employs several PHP scripts for pilfering the sensitive data they fill in. And the phisher gets greedier: after completing the name and membership number, Barclays users are taken to a page where they are supposed to provide very sensitive information, such as their five-digit passcode. In this final step, a request for an apparently trivial piece of information slips in: the first two letters of their memorable word. Considering that this detail serves as a password recovery hint for online banking accounts, this last move should make the alarm bell ring quite loudly. Source:
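
The item above turns on one habit: a link whose visible text names the bank while its real target is somewhere else. The following Python is an added example written for this report, not code from Help Net Security or from Barclays; it assumes the bank's real domain is barclays.co.uk and runs over a constructed e-mail body, not the actual phishing message. It collects every anchor, compares the domain shown to the reader with the domain the href actually goes to, and separately flags links that use the bank's name on a host the bank does not own.

```python
# Added example: flag links in an e-mail body whose visible text names one
# domain while the href points somewhere else, plus links that use the bank's
# name on an untrusted host.  The HTML below is a constructed sample.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAIN = "barclays.co.uk"   # assumption: the bank's real domain

SAMPLE_EMAIL_HTML = """
<p>Dear member, please verify your account details:</p>
<a href="http://barclays-secure-check.example/login.php">https://www.barclays.co.uk/verify</a>
<a href="https://www.barclays.co.uk/help">Help centre</a>
<a href="http://203.0.113.7/barclays/verify.php">Click here</a>
"""

class LinkCollector(HTMLParser):
    """Collects (href, visible_text) pairs from anchor tags."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host_of(url):
    """Lowercased hostname of a URL (scheme added if missing), or ''."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()

def is_trusted(host):
    """True only for the trusted domain itself or one of its subdomains."""
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def analyse_links(html):
    """Return a list of (href, reason) for links that look like phishing."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        # Only treat the visible text as a URL when it looks like one.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and text_host != href_host:
            findings.append((href, "visible text names %s but link goes to %s"
                             % (text_host, href_host)))
        elif not is_trusted(href_host) and "barclays" in (href_host + href.lower()):
            findings.append((href, "bank name used on untrusted host %s" % href_host))
    return findings

if __name__ == "__main__":
    for href, reason in analyse_links(SAMPLE_EMAIL_HTML):
        print(href, "->", reason)
```

The second rule is deliberately narrow: a link to the genuine domain with ordinary anchor text ("Help centre") passes, so the check does not flood a mail gateway with alerts on the bank's own mailings.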

15. March 18, SC Magazine – (International) Authentication and transaction sectors boosted with new solutions. The banking and payment industries have been bolstered this week with new options in authentication and transaction checking. FireID launched the FireID Authentication platform for banks this week, which provides transaction verification, authentication for mobile and online banking, and internal VPN access for bank use. It explained that the platform eliminates the need for hardware tokens by generating secure one-time passwords (OTP) on users’ mobile phones, with no network connectivity required, to provide strong security for sensitive financial transactions. Ethoca360 Signals — a free fraud detection service targeted at preventing chargebacks and card not present (CNP) fraud — has also been launched by Ethoca. The company claimed that this checks transactions in real-time against the Global Fraud Alliance (GFA) repository and identifies matches and patterns that indicate either fraud risk or a probable good order through intuitive color-coded “warning signals.” Source:

16. March 18, Tallahassee Democrat – (Florida) Robber uses bomb threat to hold up bank. A man robbed Farmers and Merchants bank on the 4200 block of West Tennessee Street, according to a spokesperson for the Tallahassee Police Department. The man entered the bank and claimed to have a bomb. He left with an undisclosed amount of cash. The package he claimed to be a bomb was left at the scene. The Hazardous Devices Team is currently on scene investigating the package. No one was injured during the robbery. Source:

17. March 18, Washington Post – (National) Small banks lag in repaying Treasury for bailout funds. The Treasury Department invested in large and small banks during the financial crisis. So far, the big bets are paying off better than the smaller ones. While the largest banks have borne the brunt of criticism for their role in triggering the crisis, they were among the quickest to give back their federal bailout funds. Sales of the warrants that these firms were required to hand over to the federal government as a condition of the aid also proved lucrative for the Treasury. But hundreds of community banks have yet to return their bailouts. More than 10 percent of the 700 banks that got federal bailouts and are still holding the money even failed to pay the government a quarterly dividend in February. The list of 82 delinquent banks is significantly longer than the 55 banks that failed to make payments in November, according to an analysis by a finance professor at the University of Louisiana at Lafayette. The professor calculated that the missed payments totaled $78.1 million in February and that banks now have missed a total of $205 million in dividend payments to the government. Many of the community banks still holding aid from the Troubled Assets Relief Program are struggling with losses on real estate development loans. Source:

18. March 18, – (National) Blackstone considers $1bn fund for failed banks. Blackstone Group, the largest private equity firm in the industry, has initiated talks over raising a $1bn fund to buy up failed banks, according to reports. The firm is talking to a former president of Bluebonnet Savings Bank about the proposal. Regulators are said to have seized around 160 lenders since the start of 2009, with the FDIC’s list of “problem” banks standing at just over 700 with more than $400bn in assets. In May last year, Blackstone and Carlyle invested $900m in BankUnited after winning an auction for the troubled Florida lender. Investors, which also included funds managed by Centerbridge Partners and WL Ross & Co, bought BankUnited’s operations, deposits, and assets from its receiver, the Federal Deposit Insurance Corporation (FDIC). The struggling bank had assets of around $13bn. Source:

19. March 17, Dallas Business Journal – (Texas) 40 indicted in alleged North Texas mortgage scheme. A Florida man and 39 other defendants who are accused of conspiring with him have been named in a 16-count indictment filed in the U.S. Attorney’s Office of the Eastern District of Texas. The U.S. Attorney’s Office alleges that a 41-year-old suspect, of Windemere, Florida, solicited real estate agents, property finders, mortgage brokers, title company attorneys, property appraisers and straw buyers to run a scheme in which lending institutions were defrauded by approving mortgage loans on properties that had fraudulently inflated values. At least a dozen of the defendants live in North Texas, and all allegedly were recruited by the suspect to take part in the scheme. The charges vary, but include conspiracy to commit mail and wire fraud, wire fraud, and money laundering. According to the U.S. Attorney’s Office, the man operated the scheme through Florida-based businesses TKI Group Inc. and JAB Consulting. Source:

Information Technology

44. March 18, SC Magazine – (International) One in four children has attempted hacking with one fifth believing that they could generate an income from the activity. A survey has found that one in four schoolchildren have attempted some level of hacking. Despite 78 percent agreeing that it is wrong, a quarter have tried to surreptitiously use a victim’s password, with almost half saying that they were doing it ‘for fun’. However, 21 percent aimed to cause disruption and 20 percent thought they could generate an income from the activity. Five percent said that they would consider it as a career move. Of those who had tried hacking, a quarter had targeted Facebook accounts, 18 percent went for a friend’s email, seven percent for online shopping sites, six percent for their parents’ email and five percent breached the school website. A bold three percent had honed their skills enough to aim much higher, with corporate websites under their belts. Source:

45. March 18, The New New Internet – (National) MIT keeps system online during cyber attack. Previously, when a system was under cyber attack, the only solution to mitigate the threat was to take the server offline. However, there may now be another option. MIT researchers have developed a system that allows servers and computers to continue to operate even while under cyber attack. The research, predominantly funded by the U.S. Defense Department’s Defense Advanced Research Projects Agency (DARPA), has stood up to outside testing. DARPA hired outside security experts to attempt to bring down the system. According to an electrical engineering and computer science professor who led the project, the system exceeded DARPA’s performance criteria in each test. During normal operations, the system developed by the MIT team monitors any programs running on computers connected to the Internet. This allows the system to determine each computer’s normal behavior range. When an attack occurs, the system does not allow the computers to operate outside of the previously determined range. “The idea is that you’ve got hundreds of machines out there,” the professor says. “We’re saying, ‘Okay, fine, you can take out six or 10 of my 200 machines.’” But, he adds, “by observing what happens with the executions of those six or 10 machines, we’ll be able to deploy patches out to protect the rest of the machines.” An associate professor of computer science at Columbia University finds the MIT approach to be novel. However, he feels that most web developers might be reluctant to implement the new technology in the near future. Source:
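
The item describes the approach only in outline: learn each program's normal behavior range on a fleet, then treat the few machines that leave that range as the early warning for the rest. The Python below is an added illustration of that outline written for this report; it is not the MIT system, and the metric, the margin and the sample numbers are constructed. It learns a per-program envelope from clean observations, flags live observations outside it, and lists the still-healthy hosts running the same program, which is where a preventive fix would be sent first.

```python
# Added example (not MIT's system): learn each program's normal range of a
# behavioural metric during clean operation, flag hosts that leave it, and
# name the hosts that should be protected before they are hit.
from collections import defaultdict

# Constructed training data: (host, program, metric) seen during normal
# operation; the metric could be e.g. outbound connections per minute.
TRAINING = [
    ("web01", "httpd", 40), ("web02", "httpd", 55), ("web03", "httpd", 48),
    ("web01", "sshd", 2), ("web02", "sshd", 1), ("web03", "sshd", 3),
]

# Constructed live observations, including two hosts misbehaving.
LIVE = [
    ("web01", "httpd", 50),
    ("web02", "httpd", 900),   # far outside the learned range
    ("web03", "sshd", 2),
    ("web04", "sshd", 40),     # new host, but the program's range still applies
]

def learn_ranges(samples, margin=0.25):
    """Per-program (low, high) envelope from clean samples, widened by a
    margin so ordinary variation does not trip the check."""
    values = defaultdict(list)
    for _host, program, metric in samples:
        values[program].append(metric)
    ranges = {}
    for program, vals in values.items():
        lo, hi = min(vals), max(vals)
        span = max(hi - lo, 1)          # avoid a zero-width envelope
        ranges[program] = (max(0, lo - margin * span), hi + margin * span)
    return ranges

def check(observations, ranges):
    """Return the observations that fall outside their program's envelope."""
    anomalies = []
    for host, program, metric in observations:
        if program not in ranges:
            anomalies.append((host, program, metric, "no baseline"))
            continue
        lo, hi = ranges[program]
        if not lo <= metric <= hi:
            anomalies.append((host, program, metric,
                              "outside %.1f-%.1f" % (lo, hi)))
    return anomalies

def hosts_to_protect(observations, anomalies):
    """Hosts still in range that run a program seen misbehaving elsewhere:
    the 'rest of the machines' a fix would be pushed to preventively."""
    bad_programs = {program for _h, program, _m, _r in anomalies}
    bad_hosts = {host for host, _p, _m, _r in anomalies}
    return sorted({host for host, program, _m in observations
                   if program in bad_programs and host not in bad_hosts})

if __name__ == "__main__":
    ranges = learn_ranges(TRAINING)
    found = check(LIVE, ranges)
    for host, program, metric, reason in found:
        print("anomaly:", host, program, metric, reason)
    print("protect next:", hosts_to_protect(LIVE, found))
```

The weak point of any range-based scheme is the training set: if the baseline is learned while a compromised program is already running, its abnormal behaviour becomes part of "normal", so the clean window has to be established and kept separately from live data.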

46. March 17, Wired – (Texas) Hacker disables more than 100 cars remotely. More than 100 drivers in Austin, Texas found their cars disabled or the horns honking out of control, after an intruder ran amok in a web-based vehicle-immobilization system normally used to get the attention of consumers delinquent in their auto payments. Police with Austin’s High Tech Crime Unit on March 17 arrested a 20-year-old who was a former Texas Auto Center employee who was laid off last month, and allegedly sought revenge by bricking the cars sold from the dealership’s four Austin-area lots. The dealership used a system called Webtech Plus as an alternative to repossessing vehicles that haven’t been paid for. Operated by Cleveland-based Pay Technologies, the system lets car dealers install a small black box under vehicle dashboards that responds to commands issued through a central website, and relayed over a wireless pager network. The dealer can disable a car’s ignition system, or trigger the horn to begin honking, as a reminder that a payment is due. The system will not stop a running vehicle. Texas Auto Center began fielding complaints from baffled customers the last week in February, many of whom wound up missing work, calling tow trucks or disconnecting their batteries to stop the honking. The troubles stopped five days later, when Texas Auto Center reset the Webtech Plus passwords for all its employee accounts, says the manager of Texas Auto Center. Then police obtained access logs from Pay Technologies, and traced the saboteur’s IP address to the suspect’s AT&T internet service, according to a police affidavit filed in the case. Source:
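
Two defensive facts carry the item above: the disruption stopped once the dealership reset every employee's Webtech Plus password, and the suspect was identified from the service's access logs by source IP address. The Python below is an added example written for this report, not Pay Technologies' or the dealership's code, and the log format and the names in it are constructed. It reviews an access log for three things an administrator would want to catch before customers start calling: commands issued by an account whose owner has already left, an account suddenly operating from an address it never used before, and which source addresses are behind the bulk of the commands.

```python
# Added example: review a vehicle-immobilization service's access log for
# commands from accounts that should have been disabled and for accounts
# appearing from new source addresses.  Log lines and the format are
# constructed for illustration, not the real service's log format.
from collections import defaultdict
from datetime import date

# Constructed: accounts and the date each left the dealership (None = active).
EMPLOYEES = {
    "jsmith": None,
    "mlopez": date(2010, 2, 12),   # laid off; account should have been disabled
}

# Constructed log: timestamp, account, source IP, command, vehicle id.
ACCESS_LOG = """\
2010-02-20T09:15:02 jsmith 198.51.100.10 DISABLE_IGNITION VIN-0001
2010-02-24T23:41:17 mlopez 203.0.113.45 HONK VIN-0002
2010-02-24T23:42:05 mlopez 203.0.113.45 DISABLE_IGNITION VIN-0003
2010-02-25T08:03:44 jsmith 198.51.100.10 HONK VIN-0004
2010-02-25T02:10:09 jsmith 203.0.113.45 DISABLE_IGNITION VIN-0005
"""

def parse_log(text):
    """Split lines into dicts, sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, account, ip, command, vehicle = parts
        events.append({"when": date.fromisoformat(ts[:10]), "time": ts,
                       "account": account, "ip": ip,
                       "command": command, "vehicle": vehicle})
    events.sort(key=lambda e: e["time"])   # ISO timestamps sort as text
    return events

def find_post_termination_use(events, employees):
    """Commands issued by an account after its owner's termination date."""
    return [e for e in events
            if employees.get(e["account"]) is not None
            and e["when"] > employees[e["account"]]]

def find_new_source_addresses(events):
    """First use of a source IP by an account that previously used only other
    addresses (an account's very first event is not flagged)."""
    seen = defaultdict(set)
    flagged = []
    for e in events:
        known = seen[e["account"]]
        if known and e["ip"] not in known:
            flagged.append(e)
        known.add(e["ip"])
    return flagged

def summarize_by_ip(events):
    """Commands per source address: the starting point for tracing an actor,
    which is how the logs were used in the case above."""
    counts = defaultdict(int)
    for e in events:
        counts[e["ip"]] += 1
    return dict(counts)

if __name__ == "__main__":
    events = parse_log(ACCESS_LOG)
    for e in find_post_termination_use(events, EMPLOYEES):
        print("post-termination use:", e["time"], e["account"], e["command"], e["vehicle"])
    for e in find_new_source_addresses(events):
        print("new source address:", e["time"], e["account"], e["ip"])
    print("commands per IP:", summarize_by_ip(events))
```

The first check is the one that would have prevented the incident rather than explained it afterwards: an offboarding step that disables the account on the day of departure removes the need to reset every employee's password later. The shared-address finding (the active account jsmith issuing a command from the same address as the departed account) is the kind of overlap that turns a log review into an attribution.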

47. March 17, IDG News Service – (International) Nvidia warns of graphics drivers with overheating risk. Nvidia on March 17 asked customers to remove drivers that caused its GeForce graphics cards to overheat, which ultimately crashed some PCs. Nvidia acknowledged on its support site that customers had problems with the 196.75 package of GeForce drivers. Nvidia is asking customers to remove the faulty driver package and upgrade to the latest package, which is 197.13. “Nvidia is aware that some customers have reported fan speed issues after installing 196.75 drivers from Nvidia’s website. Nvidia has removed these drivers and asked its partners to also remove the drivers,” Nvidia wrote on another support site. As an alternative, customers could roll back to the older versions of graphics drivers, Nvidia said. “In almost every case reverting back to our 196.21 driver immediately resolved their issues,” Nvidia wrote. Source:

48. March 17, Reuters – (International) New password-stealing virus targets Facebook users. Hackers have flooded the Internet with virus-tainted spam that targets Facebook’s estimated 400 million users in an effort to steal banking passwords and gather other sensitive information. The emails tell recipients that the passwords on their Facebook accounts have been reset, urging them to click on an attachment to obtain new login credentials, according to anti-virus software maker McAfee Inc. If the attachment is opened, it downloads several types of malicious software, including a program that steals passwords, McAfee said on March 17. Hackers have long targeted Facebook users, sending them tainted messages via the social networking company’s own internal email system. With this new attack, they are using regular Internet email to spread their malicious software. McAfee estimates that hackers have sent out tens of millions of spam messages across Europe, the United States and Asia since the campaign began on March 16. Source:

49. March 17, The Register – (International) Vodafone Spain supplies pre-Mariposa’d smartphone (again). Vodafone Spain has again supplied an HTC Magic smartphone that came pre-infected with the Mariposa botnet client and other malware crud. The second incident, involving an Android-based phone supplied to a researcher at S21Sec, comes a week after the mobile phone giant supplied the same type of infection on the identical model of phone to a worker at Spanish anti-virus firm Panda Security. The S21Sec pre-pwned smartphone kerfuffle undermines Vodafone’s assurances at the time of the Panda flap that the incident was “isolated and local”. Both smartphones were ordered at around the same time towards the beginning of March. The Register spoke to Vodafone on March 17, making it aware of the second HTC Magic/Mariposa infection in Iberia. Vodafone stuck by its original line that the problem was “isolated and local” but added that it hadn’t experienced the problem outside of Spain. A spokesman added that its investigation is continuing. The S21Sec worker detected the malware after he plugged the phone into his PC and scanned it with a copy of AVG’s scanner. Aware of Panda’s previous work, he forwarded an infected microSD drive to a researcher at PandaLabs, who carried out an analysis. Source:

50. March 17, IDG News Service – (International) Law enforcement push for stricter domain name rules. Law enforcement officials in the U.K. and U.S. are pushing the Internet Corporation for Assigned Names and Numbers to put in place measures that would help reduce abuse of the domain name system. Now it is “ridiculously easy” to register a domain name under false details, said the senior manager and head of e-crime operations for the U.K.’s Serious Organised Crime Agency (SOCA). Domain names can be used for all kinds of criminal activity, ranging from phishing to trademark abuse to facilitating botnets. Law enforcement often runs into difficulty when investigating those domains, as criminals use false details and stolen credit cards. The FBI and SOCA have submitted a set of recommendations to ICANN for how it could strengthen Registration Accreditation Agreements (RAA). The agreement is a set of terms and conditions that a registrar — an entity that can accept domain name registrations — would be subject to in order to run their business. ICANN’s RAA applies to registrars for generic top-level domains (gTLD), such as “.com.” The ideas from the FBI and SOCA have not been publicly revealed but include stronger verification of registrants’ name, address, phone number and e-mail address, and stronger checks on how they pay for a domain name, the manager said. Source:

51. March 17, – (International) Sophos warns of Facebook fakers. Security experts are warning of yet another scam to hit Facebook, pointing out that the site is full of fake Fan Pages which could open users up to another avenue of attack. A Sophos senior technology consultant, himself the victim of a fake fan page, urged Facebook to tighten up its rules on the creation of such sites, as their existence threatens the security of other users. “Innocent people — friends, acquaintances, and anyone who might follow my blog — are joining the fan page in the belief that they are somehow following me. They have no way of telling that I didn’t create this fan page,” said the consultant in a blog posting. Although the social networking site has rules in place to deal with unauthorized fan pages, and actually should be prohibiting the creation of unofficial ones, the fake profile has not been removed, despite calls from the real thing for its removal. Source:

52. March 16, PC World – (International) Attack samples show targeted sophistication. If anyone would like to know what a targeted e-mail attack looks like, take a look at samples posted today by antivirus maker F-Secure. The screen shots, pulled from malware analysis blog contagio, clearly show a greater attention to detail and grammar than the usual clumsy attack e-mails that stand out like a sore thumb. The first two samples in F-Secure’s post lack any clear clues, while the third has some capitalization errors but no laughable grammatical mistakes. These types of polished attacks are typically sent to high-value targets, and are comparatively uncommon. For instance, last January Google said it was hit by targeted attacks. But while the contagio samples do not immediately stand out, they do share a common thread: all have a .pdf attachment. F-Secure warned last year that .pdf files have become the attack of choice for targeted attacks, and these samples support that warning. Source:
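
Items 48 and 52 describe two lures that a mail gateway sees as structurally different: a mass "your password has been reset, open the attachment" message carrying an executable, and a well-written targeted message whose only tell is a .pdf from outside the organisation. The Python below is an added example written for this report, not McAfee's, F-Secure's or any vendor's detection logic; the sample messages are constructed in code, and the recipient's own domain (example.org) and the scoring weights are assumptions. It scores a message on the reset-pretext wording, the attachment type, and whether the sender is external, so that the two cases above score differently from a routine internal PDF.

```python
# Added example serving items 48 and 52: score a mail message for a
# credential-reset lure, an executable attachment, and a document attachment
# from an external sender.  Messages and weights are constructed.
from email.message import EmailMessage
from email import policy

RISKY_EXTENSIONS = {".exe", ".scr", ".zip", ".js", ".vbs", ".bat"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".xls"}
LURE_PHRASES = ("password has been reset", "password reset", "new login")
INTERNAL_DOMAIN = "example.org"   # assumption: the recipient organisation's domain

def build_sample(subject, sender, body, filename, payload):
    """Construct a sample message with one attachment (test data only)."""
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = subject
    msg["From"] = sender
    msg["To"] = "user@" + INTERNAL_DOMAIN
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg

def triage(msg):
    """Return (score, reasons); a higher score means more suspicious."""
    reasons = []
    score = 0
    sender = str(msg["From"] or "").lower()
    external = not sender.endswith("@" + INTERNAL_DOMAIN)
    body = msg.get_body(("plain",))
    text = (str(msg["Subject"] or "") + " " +
            (body.get_content() if body is not None else "")).lower()
    lure = any(p in text for p in LURE_PHRASES)
    if lure:
        score += 2
        reasons.append("credential-reset lure in subject or body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            score += 3
            reasons.append("executable-type attachment %s" % name)
        elif ext in DOCUMENT_EXTENSIONS and external:
            score += 1
            reasons.append("document attachment %s from external sender" % name)
    if lure and external:
        score += 1
        reasons.append("reset notice did not come from the internal domain")
    return score, reasons

# Constructed samples modelled on the two items above and on routine mail.
FACEBOOK_LURE = build_sample(
    "Facebook password reset confirmation",
    "service@facebook-mail.example",
    "Your password has been reset. Open the attachment for your new login details.",
    "new_password.zip", b"constructed-bytes")

TARGETED_PDF = build_sample(
    "Agenda for Thursday's budget review",
    "colleague@partner.example",
    "Attached is the agenda we discussed. Please review before the meeting.",
    "agenda.pdf", b"%PDF-1.4 constructed")

BENIGN = build_sample(
    "Lunch", "alice@example.org", "Lunch at noon?",
    "menu.pdf", b"%PDF-1.4 constructed")

if __name__ == "__main__":
    for label, sample in (("facebook lure", FACEBOOK_LURE),
                          ("targeted pdf", TARGETED_PDF), ("benign", BENIGN)):
        print(label, triage(sample))
```

The targeted sample scores low by design: nothing in its wording is wrong, which is exactly the point of item 52. A single "external PDF" point is not grounds to block the message, but it is grounds to open the attachment in a sandbox or a viewer with scripting disabled rather than on the recipient's workstation.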

Communications Sector

53. March 17, ComputerWorld – (National) Broadband plan gives FCC wider cybersecurity role. The National Broadband Plan released by the Federal Communications Commission (FCC) recently contains several recommendations that are designed to boost the preparedness of communications networks to deal with cyberthreats. The plan gives the FCC a greatly enhanced role in developing and promoting cybersecurity measures and calls for closer cooperation between the FCC and the U.S. Department of Homeland Security on security matters. The 360-page broadband plan is a blueprint for modernizing the country’s aging communications networks and for delivering broadband services to a majority of U.S. homes over the next decade. It contains six long-term policy goals and other recommendations for ensuring the availability of affordable 100Mbit/sec. service to 100 million U.S. homes, and 1Gbit/sec. service to institutions such as hospitals and schools, by 2020. While a vast majority of the recommendations deal with building out the communications infrastructure, several touch on cybersecurity and communications networks’ ability to survive a cyberattack. Source: