Department of Homeland Security Daily Open Source Infrastructure Report

Monday, March 29, 2010

Complete DHS Daily Report for March 29, 2010

Daily Report

Top Stories


 The Oregonian reports that police in Molalla, Oregon are looking for burglars who broke into the city’s water-treatment plant and stole the system’s computer. The city administrator said the computer, later found destroyed, contained all the programming that kept the water-treatment plant working on autopilot.

30. March 25, Oregonian – (Oregon) Burglars steal, destroy Molalla water system computer. Police in Molalla, Oregon, are looking for burglars who broke into the city’s water-treatment plant and stole the system’s computer. The city administrator said theft of the computer is a federal crime and has been reported to the U.S. Department of Homeland Security. He said the computer, later found destroyed, contained all the programming that kept the water-treatment plant working on autopilot. Water quality is unaffected, he said. The only difference is the plant is running in manual-control mode and must be monitored in-person. “And frankly, we can shut off the plant at night because we keep our reservoirs topped off. We have enough water stored that we’d be good for days.” He said he hired a security consultant to “harden” both the water-treatment plant and the sewage-treatment plant against future break-in attempts. On Saturday, an assistant plant operator was on standby duty when an intruder alarm alerted him to the break-in. When he arrived at the plant, he found the plant’s front door open and the computer gone. City staff members immediately began searching Internet sites such as Craigslist and eBay to see whether anyone had put the computer up for sale. The next day, however, the computer and monitor were discovered in the backwash pond at the plant site. The computer and monitor are destroyed. Atkins estimated cash value loss at “less than $1,000.” Computer experts are trying to recover the programming from the hard drive. Police said the burglar gained access to the plant by driving around a fenced and gated area through an adjacent tree farm. Source:

 According to IDG News Service, a networking error has caused computers in Chile and the United States to come under the control of the Great Firewall of China, redirecting Facebook, Twitter, and YouTube users to Chinese servers. (See item 46 below in the Information Technology Sector)

Banking and Finance Sector

9. March 26, Wall Street Journal – (National) More than a dozen banks suspected co-conspirators in Muni case. More than a dozen banks and investment firms are suspected co-conspirators in a criminal probe by the Justice Department’s Antitrust Division into alleged bid rigging and price fixing in the municipal derivatives market, according to a court filing. The list of banks was inadvertently filed earlier this week in U.S. District Court in Manhattan as part of a request for a bill of particulars in a criminal case against three former executives of CDR Financial Products Inc., a California municipal-bond broker. The executives, including CDR’s founder, were indicted in October on conspiracy and fraud charges. They have denied wrongdoing. In a letter on March 26, the lawyers asked the U.S. District Judge who is hearing the criminal case to strike the inadvertent filing. The banks and investment firms include units of J.P. Morgan Chase & Co., UBS AG, Citigroup Inc., Wells Fargo & Co., Bank of America Corp., General Electric Co. and Societe Generale. None of the alleged co-conspirators have been accused of criminal wrongdoing. Source:

10. March 25, SCMagazine – (National) Hacker Albert Gonzalez receives 20 years in prison. A notorious credit card hacker received, on March 25, the largest-ever U.S. prison sentence for a hacker. The 28 year old, of Miami, Florida, was sentenced to 20 years in prison for leading a group of cybercriminals that stole tens of millions of credit and debit card numbers from TJX and several other retailers. He pleaded guilty in September to multiple federal charges of conspiracy, computer fraud, access device fraud and identity theft for hacking into TJX (the owner of T.J. Maxx), BJ’s Wholesale Club, OfficeMax, Boston Market, Barnes & Noble and Sports Authority. He was facing up to 25 years in prison for these charges. He also pleaded guilty last year in two other pending hacking cases for which he is scheduled to be sentenced on March 26. He faces up to 20 years in prison for his role in hacking into the network of the Dave & Buster’s restaurant chain and stealing credit and debit card numbers from at least 11 locations. As part of a third pending case, he faces between 17 and 25 years in prison for hacking into the payment card networks of Heartland, 7-Eleven and the Hannaford Bros. supermarket chain to steal more than 130 million credit and debit card numbers. Under his plea deal, the sentences will run concurrently. Source:

11. March 25, Reuters – (National) Dave & Buster’s settles credit card security charges. The entertainment and restaurant chain Dave & Buster’s Holdings Inc has settled charges that it failed to adequately secure the credit and debit card information of its customers, the Federal Trade Commission said on March 25. The company, which has 53 restaurants, was hacked in mid-2007 by an intruder who installed unauthorized software and intercepted data sent from the restaurants to credit card processing companies, the FTC said. About 130,000 credit and debit cards were affected, with affected banks paying out “several hundred thousand dollars in fraudulent charges,” the FTC said in its complaint. “After learning of the breach, respondent (Dave & Buster’s) took steps to prevent further unauthorized access and to notify law enforcement and the credit card companies of affected consumers,” the complaint said. The settlement requires Dave & Buster’s to put in place a comprehensive security program. Source:

12. March 25, SC Magazine – (International) FSA investigation leads to insider trading arrests, as Oracle claims that IT systems can increase the levels of protection. Employees of three major financial firms have been arrested on suspicion of running an insider-dealing scheme. According to BBC News, the investigation is a joint operation between the Financial Services Authority and the Serious Organised Crime Agency (SOCA). It reported that Deutsche Bank, BNP Paribas and the hedge fund Moore Capital are now known to have employees caught up in the investigation. The vice president of marketing at Oracle’s Financial Services global business unit claimed that this incident shows a need for IT security solutions suited to the financial sector. Source:

13. March 25, Fort Morgan Times – (National) Nationwide scam linked to Eben Ezer bank account. Within the last several weeks, administrators at Eben Ezer Lutheran Care Center in Brush, Colorado have received dozens of calls from people who have received counterfeit checks linked to an Eben Ezer bank account as part of a nationwide scam. Those who received the fake checks for up to $29,000 were told that they won a sweepstakes, and that the checks were reimbursements for the taxes they were to pay on a larger sum of prize money that would be sent later. “All the paperwork that’s coming with it doesn’t say anything about Eben Ezer,” said the facility chief finance officer. The people who received the phony checks were directed to send the tax payments directly to a bogus “personal receiving agent” to process the funds. Presumably, this would allow the scammers to pocket the real cash before the fake checks are rejected by Eben Ezer’s bank, the Bank of Colorado in Brush. The phony checks have been sent to individuals in several states, including Texas, Ohio, Minnesota and Florida. Source:

14. March 25, Courthouse News Service – (Ohio) Bank abetted $15M Ponzi, investors say. Huntington National Bank aided and abetted a $15 million Ponzi scheme run by a felon who had already pleaded guilty to bank fraud, according to a complaint in Cuyahoga County Court, Cleveland. Seventeen investors say the bank put a hold on the suspect’s accounts after finding out he had just been released from prison for bank fraud, then inexplicably released the money to him. The suspect promised about 250 investors 10 percent annual returns on Serengeti Diamonds USA and Lomas de la Barra Development, according to the complaint. The investors say the suspect used his daughter, a teller, to open two bank accounts in 1998 that were “facially deficient.” The only defendant in this complaint is the Huntington National Bank. The plaintiffs say the bank refused the suspect’s requests to send money from his accounts offshore, in January 1999, but relented and went ahead with it after the suspect threatened it. The investors say the bank did it although it already knew the suspect was a felon. Source:

15. March 25, Bloomberg – (National) U.S. Treasury said to have plan for Citigroup shares. The U.S. Treasury intends to unload its 27 percent stake in bailed-out bank Citigroup Inc. using a preset trading plan that will lock the government into a schedule for selling its shares, people with direct knowledge of the matter said. The program, which may be announced next month, is similar to those used by executives to protect themselves against accusations of insider trading, said the people, who asked not to be identified because the process isn’t final. The Treasury would be able to issue instructions on how many shares to sell, when to sell them and at what price while eliminating concern that the sales are based on non-public information. A sale of the Treasury’s shares, which could be completed this year, would bring Citigroup a step closer to exiting the government’s Troubled Asset Relief Program. The firm had to get a $45 billion infusion of taxpayer money in late 2008 as withering confidence in the bank almost triggered a deposit run. Source:

16. March 24, Reno Gazette Journal – (National) Utah police arrest suspected ATM skimmers; may be related to Reno-Sparks cases. A Utah police department has arrested two men on charges they illegally attached devices to gas station pumps to collect card data and personal identification numbers from unsuspecting customers there. Authorities are trying to determine if the two men arrested in Richfield, Utah, are connected to ATM card skimming in Reno and Sparks in January and February. Local authorities received more than 100 complaints. Arrested on March 19 by the Richfield Police Department were a 55 year old of Burbank, California, and a 27 year old of Van Nuys, California. They were booked into the Sevier County jail in central Utah on $250,000 bail on 16 felony counts related to the alleged attempted ATM card skimming. A Reno Police Department lieutenant said there was a similar arrest in Benicia, California, about three weeks ago, and the ATM skimming thefts in Reno stopped after that arrest. “I’m pretty certain that it was related to the one in this area,” an investigator said of the Benicia case. “According to the information, it was the whole west coast group so I’m assuming it’s the whole group involved.” Source:

Information Technology

46. March 25, IDG News Service – (International) China’s Great Firewall spreads overseas. A networking error has caused computers in Chile and the U.S. to come under the control of the Great Firewall of China, redirecting Facebook, Twitter, and YouTube users to Chinese servers. Security experts are not sure exactly how this happened, but it appears that at least one ISP recently began fetching high-level DNS (Domain Name System) information from an anycast instance of a root DNS server located in China. That instance, operated by the Swedish service provider Netnod, returned DNS information intended for Chinese users, effectively spreading China’s network censorship overseas. China tightly controls access to a number of Web sites, using technology known colloquially as the Great Firewall of China. The issue was reported on March 24 by a DNS admin with NIC Chile, who found that an unnamed local ISP reported that DNS queries for sites such as, and — all of which have been blocked in China — were being redirected to bogus addresses. It is unclear how widespread the problem is. Source:
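The failure mode in this item, a root-server query routed to an instance in a censoring network and answered with a bogus address, is something a resolver operator can check for in two ways: ask the same question of several resolvers and look for an answer set that shares nothing with the others, and ask the root server itself which anycast instance is answering. The following is an added example written for this report, not code from Netnod, NIC Chile or the ISP involved. It implements just enough of the DNS wire format (RFC 1035, including name compression) to build queries, parse A and TXT answers, and flag a resolver whose answers are disjoint from its peers. The replies in demo() are constructed with RFC 5737 documentation addresses, so the demo runs offline; only live_lookup() sends packets, and the demo does not call it.

```python
"""Spot divergent (possibly injected) DNS answers and identify anycast instances.
Added example, not code from Netnod, NIC Chile or the ISP in the report. Sample
replies use RFC 5737 documentation addresses; only live_lookup() sends packets."""
import socket
import struct

A, TXT = 1, 16  # record types
IN, CH = 1, 3   # classes; CH carries the hostname.bind identity probe


def build_query(name, qtype=A, qclass=IN, txid=0x1234):
    """One-question query with the RD (recursion desired) bit set."""
    qname = b"".join(bytes([len(x)]) + x.encode() for x in name.strip(".").split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, qclass)


def _read_name(msg, off):
    """Decode a name at `off`, following RFC 1035 compression pointers; return
    (name, offset just past the name at its original position)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer into an earlier name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(msg[off:off + length].decode())
        off += length


def parse_records(msg):
    """(txid, [(name, rtype, rdata)]) for the answer section; A rdata is rendered
    as a dotted quad, TXT as its first character-string, anything else raw."""
    txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, records = 12, []
    for _ in range(qd):  # skip the question section
        off = _read_name(msg, off)[1] + 4
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata, off = msg[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == A and rdlen == 4:
            rdata = socket.inet_ntoa(rdata)
        elif rtype == TXT and rdlen:
            rdata = rdata[1:1 + rdata[0]].decode("ascii", "replace")
        records.append((name, rtype, rdata))
    return txid, records


def build_response(txid, name, ips, ttl=60):
    """Fabricate a reply the way servers do: each answer's owner name is the
    compression pointer 0xC00C back to the question name."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(ips), 0, 0)
    answers = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", A, IN, ttl, 4)
                       + socket.inet_aton(ip) for ip in ips)
    return header + build_query(name, txid=txid)[12:] + answers


def a_records(msg):
    return [r for _, t, r in parse_records(msg)[1] if t == A]


def divergent_resolvers(answers):
    """answers: {label: [ipv4, ...]} for one name asked of several resolvers.
    Flag a resolver whose address set shares nothing with every peer. CDNs
    legitimately vary answers, so overlap with any peer counts as agreement;
    a fully disjoint set is what an injected or censored reply looks like."""
    flagged = []
    for label, ips in answers.items():
        peers = set().union(*(set(v) for k, v in answers.items() if k != label))
        if ips and peers and not (set(ips) & peers):
            flagged.append(label)
    return flagged


def live_lookup(server, name, qtype=A, qclass=IN, timeout=2.0):
    """One UDP query, parsed. live_lookup(root_ip, "hostname.bind", TXT, CH)
    returns the identity string of the anycast instance that answered."""
    query = build_query(name, qtype, qclass)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data = s.recvfrom(4096)[0]
    txid, records = parse_records(data)
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("reply transaction id does not match our query")
    return records


def demo():
    """Two resolvers agree on constructed answers; a third returns an
    unrelated address, as a path through a censoring instance would."""
    name = "blocked.example"
    replies = {
        "resolver-A": build_response(0x1234, name, ["192.0.2.10"]),
        "resolver-B": build_response(0x1234, name, ["192.0.2.10", "192.0.2.11"]),
        "resolver-C": build_response(0x1234, name, ["203.0.113.99"]),
    }
    answers = {k: a_records(v) for k, v in replies.items()}
    return answers, divergent_resolvers(answers)


if __name__ == "__main__":
    print(demo())
```

Most root-server operators answer the CHAOS-class TXT query for hostname.bind (some use id.server) with the name of the instance that handled the query, so a resolver operator who suspects routing into the wrong instance can confirm it directly rather than inferring it from bad answers. Disjointness rather than mere difference is the trigger in divergent_resolvers because CDN-fronted sites routinely hand different resolvers different addresses; a reply that overlaps with no peer at all is the pattern this incident produced.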

47. March 25, The Register – (International) Hackers hit where they live. The countries of hackers originating malware-laced spam runs have been exposed by new research, which confirms they are often located thousands of miles away from the compromised systems they use to send out junk mail. A third of targeted malware attacks sent so far in March came from the United States (36.6 percent), based on mail server location. However, once the sender’s actual location is analyzed, more targeted attacks actually began in China (28.2 percent) and Romania (21.1 percent) than in the US (13.8 percent), according to the March 2010 edition of the monthly MessageLabs security report. A MessageLabs Intelligence senior analyst explained the discrepancy: “A large proportion of targeted attacks are sent from legitimate webmail accounts which are located in the US and therefore, the IP address of the sending mail server is not a useful indicator of the true origin of the attack. Analysis of the sender’s IP address, rather than the IP address of the email server, reveals the true source of these targeted attacks.” Source:

48. March 25, Help Net Security – (International) Rogue toolbars phish for Facebook credentials. Two rogue toolbars have been spotted in the wild by Sunbelt researchers. At first glance, they look legitimate enough. Purportedly enabling the user to cheat at popular Zynga games on Facebook, they contain various links and other features usual for this kind of tool. Upon closer inspection, the toolbar is revealed to be a tool used to steal login credentials. If the user clicks on the “Facebook” button in the top left corner, he is taken to a Facebook look-alike phishing page. The domain on which the phishing page is hosted is constantly changing because in time every domain gets reported, detected and blocked by the browsers. The problem is that the toolbars, when they are not pointing towards the phishing page, point to the real Facebook URL, and the switch can happen at any time. It is best to distrust “cheating” toolbars altogether, and to access Facebook and other networks and services by typing in the URL yourself or following your own bookmark. Source:

49. March 25, IDG News Service – (International) New malware overwrites software updaters. For the first time, security researchers have spotted a type of malicious software that overwrites the update functions of other applications, which could pose additional long-term risks for users. The malware, which infects Windows computers, masks itself as an updater for Adobe Systems’ products and other software such as Java, wrote an analyst with Bach Khoa Internetwork Security (BKIS), a Vietnamese security company, on its blog. BKIS showed screen shots of a variant of the malware that imitates Adobe Reader version 9 and overwrites AdobeUpdater.exe, which regularly checks in with Adobe to see if a new version of the software is available. Users can inadvertently install malware on their computers if they open malicious e-mail attachments or visit Web sites that target specific software vulnerabilities. Adobe’s products are among the most targeted by hackers because of their wide installation base. Source:

50. March 25, – (International) China implicated in flood of email-borne attacks. China is the number-one source of email-borne targeted attacks of the sort Google and at least 30 other companies are believed to have suffered, according to the latest monthly MessageLabs Intelligence report from Symantec Hosted Services. The firm analyzed the email headers of suspect messages intercepted last month to identify the true IP address of the senders, and found that around 28 percent of targeted attacks originated in China. The emails described by Symantec Hosted Services are targeted in low numbers at key figures in an organisation, and contain legitimate-looking but malicious attachments. They are similar to those understood to have been used by Chinese hackers to infiltrate Google’s systems. The findings chime with what many commentators have been saying about the Google hacks, in that they represent just the tip of the iceberg with respect to global attacks of this kind. “These targeted attacks are very low in number, individually targeted and the attackers have done their reconnaissance beforehand,” explained a Symantec Hosted Services senior analyst. Source:
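Items 47 and 50 rest on the same technique: geolocating the mail server that delivered a message says little when the message was submitted through a webmail account, because that address belongs to the provider, while the Received: chain (and, with many webmail providers, an X-Originating-IP header) records the client that actually submitted it. The following is an added example written for this report, not MessageLabs or Symantec code. It walks the Received: chain from the earliest hop and separates the delivering server’s address from the originating client’s. The message is constructed with RFC 5737 documentation addresses, and its header layout (a webmail submission relayed through an internal host and then an internet-facing MTA) is an assumption for illustration; geolocating the resulting address is a separate step not shown here.

```python
"""Find the originating client IP of a message, not just the delivering MTA.
Added example, not MessageLabs/Symantec code. The sample message is constructed
with RFC 5737 documentation addresses; no real server or sender is represented."""
import email
import ipaddress
import re

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

# Hops inside these networks are the provider's own plumbing, not the sender.
# A hand-written list rather than ipaddress.is_private, because is_private also
# covers the RFC 5737 documentation ranges used in the constructed sample.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def external_ips(text):
    """Syntactically valid IPv4 literals in `text` that are not internal."""
    found = []
    for literal in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:          # e.g. "999.1.1.1" matches the regex but is not an address
            continue
        if not any(ip in net for net in INTERNAL):
            found.append(str(ip))
    return found


def trace_origin(raw):
    """Walk Received: headers (newest first, as written into the message).
    mail_server is the first external address, i.e. what the receiving MX saw
    and what naive geolocation reports; origin is the earliest external
    address in the chain, which for webmail submissions is the client that
    logged in. X-Originating-IP, when present, overrides the Received: guess."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        # Only the "from ..." clause names the previous hop; "by ..." is the
        # host writing the header, and its own address must not be counted.
        from_clause = re.split(r"\bby\b", str(hdr), maxsplit=1)[0]
        ips = external_ips(from_clause)
        hops.append(ips[0] if ips else None)
    external = [ip for ip in hops if ip]
    result = {"hops": hops, "mail_server": None, "origin": None, "origin_source": None}
    if external:
        result.update(mail_server=external[0], origin=external[-1], origin_source="Received")
    xo = msg.get("X-Originating-IP")
    if xo:
        ips = external_ips(str(xo))
        if ips:
            result.update(origin=ips[0], origin_source="X-Originating-IP")
    return result


# Constructed sample: a webmail submission from 203.0.113.45, relayed through the
# provider's internal host 10.0.0.5, then delivered by 198.51.100.7 to the target's MX.
SAMPLE = """\
Received: from mail.example.test (mail.example.test [198.51.100.7]) by mx.target.test with ESMTP id 4f2a; Thu, 25 Mar 2010 10:02:11 +0000
Received: from webmail.example.test ([10.0.0.5]) by mail.example.test with ESMTP; Thu, 25 Mar 2010 10:02:09 +0000
Received: from [203.0.113.45] by webmail.example.test with HTTP; Thu, 25 Mar 2010 10:02:08 +0000
From: "Accounts" <accounts@example.test>
To: cfo@target.test
Subject: Q1 figures (see attached)

See attached spreadsheet.
"""

if __name__ == "__main__":
    print(trace_origin(SAMPLE))
```

Only the Received: headers written by your own MX and by hosts you trust are reliable; everything below them arrived with the message, and a sender can prepend forged hops. In practice, walk inward from your own MX, take the first external address as the delivering server, and treat the earliest hop as the origin only when the intervening headers come from a provider whose header format you recognise.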

51. March 24, Reuters – (International) Inside a global cybercrime ring. Innovative Marketing Ukraine, or IMU, was at the center of a complex underground corporate empire with operations stretching from Eastern Europe to Bahrain; from India and Singapore to the United States. A researcher with anti-virus software maker McAfee Inc who spent months studying the company’s operations estimates that the business generated revenue of about $180 million in 2008, selling programs in at least two dozen countries. “They turned compromised machines into cash,” said the researcher. The company built its wealth pioneering scareware — programs that pretend to scan a computer for viruses, and then tell the user that their machine is infected. The goal is to persuade the victim to voluntarily hand over their credit card information, paying $50 to $80 to “clean” their PC. Groups like Innovative Marketing build the viruses and collect the money but leave the work of distributing their merchandise to outside hackers. Once infected, the machines become virtually impossible to operate. The scareware also removes legitimate anti-virus software from vendors including Symantec Corp, McAfee and Trend Micro Inc, leaving PCs vulnerable to other attacks. When victims pay the fee, the virus appears to vanish, but in some cases the machine is then infiltrated by other malicious programs. Hackers often sell the victim’s credit card credentials to the highest bidder. In a rare victory in the battle against cybercrime, the company closed down last year after the U.S. Federal Trade Commission filed a lawsuit seeking its disbandment in U.S. federal court. Source:

Communications Sector

52. March 25, South Oregon World – (Oregon) Cut fiber-optic line disrupts businesses. Bank customers lined up outside Wells Fargo in Coos Bay on March 24, as tellers hand wrote transactions one by one inside the guarded doors. Elsewhere, shop workers processed credit cards manually, and people dialed phone numbers only to hear automated recordings. Phone and Internet service was cut off along the coast for much of the day, after a construction crew working on a bridge six miles east of Myrtle Point struck a fiber optic cable. Communication lines were not restored until after 5 p.m., causing some businesses, including ACS in North Bend, to send employees home early. The crew knocked out the Verizon cable at 9:50 a.m., but the company did not locate the damage until around 1 p.m. Some users, such as emergency responders, were able to get service through a backup network. Service was affected in coastal communities all the way from Reedsport to Port Orford and possibly farther. Source:

53. March 25, ComputerWorld – (National) Public safety fee on wireless users a challenge for industry. The FCC’s proposed monthly public safety fee of up to $1 on every broadband user in the U.S. poses a political challenge for the private wireless industry. On one hand, the industry would like to see the FCC auction off radio spectrum in what is called the D block for private uses; the spectrum could then be shared with emergency groups, as the FCC has proposed in the National Broadband Plan. On the other hand, the wireless industry hates the idea of adding more user fees, with one industry-backed group,, noting that the average wireless consumer already pays 16 percent in taxes and fees — and the average wireless household pays $350 a year in wireless taxes. In a separate document not on the site, the group put the total of taxes and fees on the average wireless consumer at nearly $600 a year. The public safety fee, which would be used to support a $16 billion emergency wireless network, was proposed by the FCC in its National Broadband Plan. In that plan, it is described only as a “nominal” fee, although a spokesman recently said it would probably be less than $1 a month. Other officials this week pegged the fee at closer to 50 cents, although the matter is still under discussion and Congress must grant the FCC permission to impose the fee. Source:

54. March 25, WOFL 35 Orlando – (Florida) Widespread cable outages reported. Bright House Networks customers throughout Central Florida reported cable outages on March 25. Beginning around 10:30 p.m., cable customers around metropolitan Orlando experienced intermittent outages and frozen images on their television sets. The technical glitch appeared to be corrected by 11 p.m. It is still unclear exactly how many customers were affected. Some reported that certain channels were displaying properly while others remained frozen. Subscribers of high definition and select digital tier channels reported that most were displaying while standard cable tier channels were not. This is very similar to what Bright House Networks customers experienced on October 2 of last year, when the outage lasted approximately one hour. There were no reports of telephone or Internet outages on March 25. Source:

For more stories, see item 46 above in Information Technology