Department of Homeland Security Daily Open Source Infrastructure Report

Friday, March 25, 2010

Complete DHS Daily Report for March 25, 2010

Daily Report

Top Stories


 According to Reuters, Saudi Arabia said on Wednesday it had arrested 113 al Qaeda militants including suicide bombers who had been planning attacks on energy facilities in the world’s top oil exporter. (See item 2)

2. March 24, Reuters – (International) Riyadh says arrests militants planning oil attacks. Saudi Arabia said on Wednesday it had arrested 113 al Qaeda militants including suicide bombers who had been planning attacks on energy facilities in the world’s top oil exporter. The interior ministry said its sweep, among the biggest in several years, netted 58 suspected Saudi militants and 52 from Yemen. The militants, who were also from Bangladesh, Eritrea, and Somalia, were backed by al Qaeda in Yemen, it added in a statement, without giving the dates of the arrests. A counter-terrorism expert at Janusian security consultants in London said the arrests showed the Saudi oil sector remained a priority target for al Qaeda. Saudi security was making it difficult for militants to operate in the kingdom but counter-terrorist activity was having little impact on al Qaeda’s regional arm, al Qaeda in the Arabian Peninsula (AQAP), in Yemen, he said. AQAP “represents a consistent, if not growing threat to the oil sector and Western interests in the region,” he said. The 113 militants were organized into three cells, including two planning suicide attacks on oil and security facilities in Saudi Arabia’s oil-producing Eastern Province, home to the world’s biggest oil refinery. U.S. allied-Saudi Arabia and Western countries fear al Qaeda is exploiting instability in impoverished Yemen to launch attacks in the region and beyond. Source:

 The Associated Press reports that investigators are trying to determine what led to an estimated 200 pounds of sulfur trioxide leaking at the BASF plant near the northeast Missouri town of Palmyra on Monday. The chemical plant and neighboring industries were evacuated, and a seven-mile stretch of the Mississippi River was closed. (See item 5)

5. March 24, Associated Press – (Missouri) Release of sulfur trioxide at northeast Missouri plant leads to inquiry. Investigators are trying to determine what led to an estimated 200 pounds of the acid rain-producing gas sulfur trioxide leaking at the BASF plant near the northeast Missouri town of Palmyra. The release happened the morning of March 22. No one was hurt but the plant and neighboring industries were evacuated and a seven-mile stretch of the Mississippi River was closed. The plant makes chemicals for the agricultural industry. Plant manager told the Hannibal Courier-Post that the leak was likely from a mechanical failure. State investigators planned to test for environmental damage and look at whether regulatory action was needed. Source:,0,7171402.story

Banking and Finance Sector

10. March 24, Patriot Ledger – (Massachusetts) 3 South Shore banks robbed hours apart Tuesday. In the most brazen of three South Shore, Massachusetts, daylight bank robberies on March 23, a man threatened to detonate explosives taped to his chest and then left a trail of money as he fled, Rockland police said. The robberies were reported within about four hours and 16 miles of each other. The first occurred about noon in Stoughton at the South Shore Savings Bank branch at 1538 Turnpike St. Police said a white man who appeared to be in his late 20s passed a note to a teller demanding cash. He escaped on foot. The robber wore a white hooded sweatshirt and white baseball cap. Police said he was armed but they declined to reveal the kind of weapon he had. In Rockland at about 3:30 p.m., employees at South Coastal Bank, 279 Union St. told investigators a 6-foot-tall white man in a gray hooded sweatshirt threatened to detonate an explosive if his demands for money were not met. A Rockland police search dog team tracked the robber a short distance to Blanchard Street where he may have fled in a small gray vehicle, police said. Half an hour later, a Rockland Trust branch in Hanover was robbed, a Rockland police dispatcher said. Hanover police said a man in his 20s wearing a light-colored sweatshirt robbed the branch on Columbia Road about 4:30 p.m. and made off with an undetermined amount of cash. The robber did not show a weapon. Source:

11. March 24, WRIC 8 Richmond – (Virginia) Security breach in some Union First National bank accounts. Some Union First Market Bank customers are upset after learning their private account information is accessible to other customers. Bank administrators say when online bill-pay accounts were transferred from First Market Bank to Union First Market Bank over the weekend, a bad file containing information of around 1000 customers was sent. That data is now accessible to some other customers. Union First Market Bank says it’s working to fix the problem. The CEO says the bank will offer credit checks and identity theft protection to customers impacted by the problem. Administrators hope to be back online with all information secure by March 24. Source:

12. March 24, Middletown Times Herald Record – (New York) Card-skimmer suspect still at large, cops say. Village of Goshen investigators are still trying to find a woman who installed a skimming device and hidden camera on an ATM at the West Main Street branch of Bank of America in December. She returned late at night on December 12 and 13 to remove the devices after numerous customers used the machine. Bank customers began reporting unauthorized withdrawals from their accounts made between February 25 and March 2 at ATMs in New York City and Chicago. At least 37 Bank of America customers, the majority of them Goshen residents, had more than $25,000 in all stolen from their accounts. Goshen’s village police chief said law enforcement agencies believe the woman is part of a two-person team hitting ATMs all over for almost a year. And the number of local banks targeted by the ring might be much larger than previously known. Source:

13. March 23, Courthouse News Service – (National) Class claims Ameriprise presided over Ponzi. Securities America, a subsidiary of Ameriprise Financial, ran a $700 million Ponzi scheme in promissory notes, investors say in a federal class action. The class claims Securities America ignored repeated warnings from its advisers to disclose the truth, and claimed that providing risk information to its own brokers and investors would “be a bad thing.” The lead plaintiff filed on behalf of all Securities America investors who bought notes from any of three Medical Capital Corps. or “Med Cap” special purpose corporations from 2004-2008. The lead plaintiff say the Med Cap notes they bought for $768,000 are now worthless. Under the control of Minneapolis-based Ameriprise Financial, and its wholly owned subsidiary Securities America Financial Corp., Securities America acted as a statutory underwriter to sell $697 million of securities issued by Tustin, California, medical receivables company Med Cap, according to the complaint. The class claims that Med Cap was a $2 billion Ponzi scheme, the subject of a 2009 SEC civil action and a Massachusetts enforcement

action. Source:

14. March 23, TechWorld – (National) Russia arrests WorldPay hackers after FBI plea. Three men accused of being involved an audacious attack on US ATM machines in 2008 have been arrested by the feared Russian Security Service (FSB) in an event that is being interpreted as marking a sea change in Russian policy towards cybercrime. The Financial Times reports that the FSB arrested the alleged Russian mastermind of the attack and two alleged accomplices all believed by the FBI to be involved in the high-profile $9 million (£6 million) raid on a US-based ATM system run by RBS WorldPay, a subsidiary of the Royal Bank of Scotland. The attack is said to have allowed the attackers to use cloned payroll cards to steal the money from 2,100 cash machines across the US in a 12-hour period in November 2008 after the gang cracked the encryption used to protect cards from tampering. The immediate fate of the men is unclear but the most likely course of action for the authorities is that they will be tried in Russia. If found guilty, the lack of an extradition treaty between the US and Russia means none will face jail time in the US. Source:

15. March 23, Southern Oregon Mail Tribune – (Oregon) Police suspect ‘Grandpa Bandit’ in Medford heist. An older man has robbed six Oregon banks in the past half-year. The reward for the “Grandpa Bandit” — suspected of robbing a Medford bank on March 18 — has now hit $15,000. Bank of America is offering a reward of up to $10,000, and the Oregon Financial Institutions Security Task Force is offering a reward of up to $5,000, for information leading to the arrest and conviction of the serial bank robber. Suspected in five other robberies in Salem, Sherwood, West Linn, and Hillsboro, the unknown man is believed to have robbed the Bank of America branch at 790 Stevens St. in Medford on March 18. Five of the six banks he has robbed are Bank of America branches. Although he did not show a weapon in the Medford robbery, he has threatened tellers in previous robberies. In one instance, investigators believe that he threatened to kill a teller as he showed her a weapon in his waistband. Source:

16. March 22, Krebs on Security – (National) Organized crooks hit NJ town, Ark. utility. An Arkansas public water utility and a New Jersey town are the latest victims of an organized cyber crime gang that is stealing tens of millions of dollars from small to mid-sized organizations via online bank theft. On March 18, officials in Egg Harbor Township, New Jersey, acknowledged that a sizable amount of money was taken in an “outside intrusion into a municipal banking account,” suggesting in public statements that computer criminals were responsible. On March 22, details began to emerge that implicate the work of the same gang that Krebs on Security has been tracking for close to a year now. The mayor confirmed that the thieves took close to $100,000 from town coffers, sending the money in sub-$10,000 chunks to individuals around the country who had no prior businesses with Egg Harbor. The town is working with local authorities and the FBI. In a separate incident on March 4, organized crooks stole roughly $130,000 from North Garland County Regional Water District, a public, nonprofit utility in Hot Springs, Arkansas. Again, thieves somehow broke into the utility’s online bank account and set up unauthorized transfers to more than a dozen individuals around the country that were not affiliated with the district. Source:

Information Technology

41. March 24, IDG News Service – (International) Security companies warn of uptick in new IE attack. Criminals are stepping up their attacks leveraging an unpatched flaw in Microsoft’s Internet Explorer browser, using it to install fake antivirus products and malicious back doors on victim’s computers. Microsoft first warned of the bug on March 9, saying that it had been used in “targeted attacks.” But now, according to researchers, the exploits are much more widespread. By late last week, security vendor AVG was getting reports of 30,000 attacks per day, according to AVG’s chief research officer. “It’s not a massive attack, but it’s an unpatched exploit being used aggressively,” he said on March 23 in an instant message interview. It appears that two separate cybergangs have begun using the exploit — the first uses it to install fake antivirus software on victim’s computers; the second group is installing a variant of the Sinowal Trojan, he said. Most of the attacks are being hosted on Web sites that appear to be specifically set up to host the attack code, rather than hacked sites. Source:

42. March 24, Help Net Security – (International) Brazil tops global spam rankings. Brazil, India, Vietnam, USA and Russia head the ranking of countries from which most spam was sent during the first two months of the year, according to a study by Panda Security. Brazil has topped the global spam ranking for January and February. The spam messages themselves are used primarily either to distribute threats or sell illicit products, and the main lure used as part of the social engineering techniques employed is the promise of videos or photos of Brazilian girls. With respect to the cities from which spam was being sent, Seoul was first in the list, followed by Hanoi, New Delhi, Bogota, Sao Paulo and Bangkok. Source:

43. March 23, Associated Press – (Arkansas) Man arrested, accused of making HP threat. Authorities say a 27-year-old man has been arrested after he purportedly threatened to shoot fellow employees at the new Hewlett-Packard facility in Conway, Arkansas. He told authorities that he was only kidding when he made the comment Friday. A police report released this week says witnesses told authorities that he said he was going to bring two guns to the facility and “shoot some people.” He faces three counts of first-degree terroristic threatening. A Circuit Judge also issued a no-contact order including all HP employees and facilities. Hewlett-Packard opened its technical service center in December and employs more than 600 workers. Source:

44. March 23, SC Magazine – (International) Comments made on deleting data, as organizations struggle to securely and compliantly remove files. Deleting data should be done efficiently as a failure could lead to a data breach or worse. In a recent blog a SecureWorks solutions architect claimed that many organisations are struggling to delete data in a way that is both secure and compliant. He said: “Some ways to do this include using software to overwrite the data, using a degaussing tool to electronically damage the drives, and physically destroying them. Make sure you keep in mind that whatever method you use, the goal is risk mitigation rather than risk elimination. You’re trying to mitigate the most risk for the least money.” Commenting, the CTO at SecureWorks said that as people are not deleting data efficiently ‘if you want to collect information then buy cheap drives off eBay’. The CTO said: “There are better ways to delete data, a file system is like books and a database is a table of contents and when you a delete file on this it does not delete the file, it removes it from the table of contents. If you keep looking you will find the file. We would help a client set up a process to delete data.” Source:

45. March 23, PC World – (International) Firefox fix heads off font attack. Mozilla pushed out an ahead-of-schedule fix for its Firefox browser to close a critical security hole that became public before the patch was available. The flaw in the Web Open Font Format (WOFF) could potentially allow a malicious Web page to run any command, such as downloading malware, on a victim PC. It was made public by a security researcher in February prior to Mozilla being informed, prompting a debate about the responsible disclosure of security flaws. The critical flaw only affects Firefox 3.6, as earlier browser versions don’t support WOFF. According to Mozilla’s 3.6.2 release notes, the update also fixes additional security and stability bugs. Opera users should likewise update their browser to fix a vulnerability involving the program’s handling of HTTP Content-Length headers. Yesterday’s patch squashes a number of other bugs as well; see the Opera 10.51 changelog for full details. Source:

46. March 23, The Register – (International) Your health, tax, and search data siphoned. Google, Yahoo, Microsoft’s Bing, and other leading websites are leaking medical histories, family income, search queries, and massive amounts of other sensitive data that can be intercepted even when encrypted, computer scientists revealed in a new research paper. Researchers from Indiana University and Microsoft itself were able to infer the sensitive data by analyzing the distinct size and other attributes of each exchange between a user and the website she was interacting with. Using man-in-the-middle attacks, they could glean the information even when transactions were encrypted using the Secure Sockets Layer, or SSL, protocol or the WPA, or Wi-fi Protected Access protocol. The paper showed how they were able to deduce the doctor and medical condition of a person who had entered the information into a site operated by “one of the most reputable companies of online services,” which runs exclusively over an HTTPS channel. In the case of medical conditions, the details were leaked through the site’s auto-suggestion feature, which updates potential entries in response to each keystroke. Source:

47. March 23, IDG News Service – (International) Google Apps sync tool for Outlook hit by bug. A bug in Google Apps’ Sync for Microsoft Outlook that has apparently existed for months is causing some e-mail messages to remain in Gmail servers and not be downloaded into Outlook, causing end users to overlook messages or see them late. End users in organizations hit by the bug are having to check the Gmail Web interface periodically to make sure they are not missing any e-mail messages in their Outlook PC client. Google acknowledged the bug on March 12 and promised a fix for early last week, but was unable to deliver it. The latest plan is to push out a solution by March 24. “After we fix the server side problem, we will release an automatic update that will resynchronize your mailbox to help ensure that any mail that wasn’t downloaded gets downloaded,” wrote a Google representative identified as an advisor in the Google Apps discussion forum on March 12. Source:

Communications Sector

48. March 24, Washington Post – (International) Telecom companies seek to make Haiti a mobile nation. The earthquake that devastated Haiti also destroyed the nation’s feeble network for phones and Internet service. Except for cellphones, the population was largely cut off from communication. But out of the rubble, one U.S. wireless industry pioneer sees opportunity. The founder of Voice Stream and former chief executive of T-Mobile USA wants the Haitian government to forget about rebuilding its copper wire communications network. Instead, he thinks Haiti should go mobile. In a keynote speech prepared for delivery at the wireless industry’s CTIA trade show on March 24 in Las Vegas, the chief executive called for the Haitian government to create an all-wireless nation with more robust networks for the population of nearly 10 million and to build an economy centered on mobile technology. The chief executive is asking Haiti to release more spectrum for commercial carriers to get more people to text and use their phones for commerce, banking and other daily needs. He pledged that his company, Trilogy, would commit up to $100 million to expand its network there. Source:

49. March 23, IDG News Service – (National) AT&T execs: U.S. must work hard to retain mobile lead. AT&T executives described the U.S. mobile market as a world leader but warned that without continued hard work that position is in jeopardy, while speaking at the CTIA conference in Las Vegas on March 23. Their comments might seem ironic to iPhone users, many of whom complain about AT&T’s poor network performance. But the growth figures that the executives shared perhaps explain why the operator has had a hard time keeping up with demand. Over the past three years, wireless data volume in the U.S. grew more than 3,000 percent, said the president and CEO of AT&T. During that time, volume at AT&T grew 5,000 percent, he said. The U.S. has 117 million 3G subscribers, or 18 percent of the world’s 3G subscribers, he said. The country with the next most subscribers is Japan, with 101 million 3G users, he said. Since the U.S. only has 7 percent of the world’s total wireless subscribers, that’s remarkable, said the president and CEO of AT&T Mobility. But the current success is no guarantee of success in the future, he said. He fears a time when demand outstrips the ability of networks to support users. Source:

50. March 23, SC Magazine – (International) Claims made that the Digital Economy Bill will cause the end of public WiFi, as Open Rights Group plans demonstration tomorrow. In the United Kingdom, proposals to hold WiFi providers liable for actions by those connecting to networks could be the death knell for public access. The regulatory affairs spokesman at CMA claimed that it was ‘becoming obvious that one of the [Digital Economy] Bill’s provisions seems certain to inflict serious damage to the availability of public WiFi access points and thus to an important part of our broadband infrastructure’. Proposals in the bill make it possible for the provider of WiFi access to be classed as an ISP rather than as a subscriber and therefore subject to the same liabilities as BT or TalkTalk. CMA also believes that the bill will impose a significant financial and administrative burden on the smaller operators of wireless services, namely the need to invest in specialist software and/or the need to track clients to computer ports, and to retain client identity details. Source: