Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, April 8, 2010

Complete DHS Daily Report for April 8, 2010

Daily Report

Top Stories

According to Reuters, an oil pipeline operated by Chevron Pipe Line Co leaked at least 18,000 gallons of crude oil into the Delta National Wildlife Refuge near Venice, Louisiana, the U.S. Coast Guard said on Tuesday. (See item 3)

3. April 6, Reuters – (Louisiana) Pipeline leaks oil into Louisiana wildlife refuge. An oil pipeline operated by Chevron Pipe Line Co leaked at least 18,000 gallons of crude oil into the Delta National Wildlife Refuge in Louisiana, the U.S. Coast Guard said on Tuesday. No wildlife covered with, or affected by, oil had been found Tuesday afternoon, but the exact environmental impact remained undetermined, a spokesman for the Louisiana Department of Wildlife said. The leak, discovered by a contractor shortly after midnight, discharged into a canal 10 miles southeast of Venice, Louisiana, and investigative and cleanup teams were on scene, the Coast Guard said in a news release. A barge working for Exxon Mobil Corp was driving long pipes called “spuds” to anchor the barge in place, and one may have hit the pipeline operated by Chevron, a Coast Guard spokesman said. Chevron shut down the affected section of pipeline and started efforts to minimize environmental impact, said a news release issued by Chevron, the Coast Guard and the state of Louisiana. Coast Guard and state environmental investigators were assessing the impact and monitoring cleanup efforts from aircraft and boats, the release said. Source:

 The Towson Times reports that 200,000 customers in Baltimore County, Maryland were without water Wednesday after an overnight power outage caused by an underground fire knocked out a water pumping station near Towson Reservoir. (See item 32)

32. April 7, Towson Times – (Maryland) Central Baltimore County without water after overnight power outage. As many as 200,000 people in central Baltimore County could be without water for much of the day Wednesday. County officials, in a statement, said an overnight power outage caused by an underground fire has knocked out a water pumping station on Hillen Road near Towson Reservoir. The outage affects water service in the Towson, Timonium, and Cockeysville areas. The boundaries of the affected area are: Stevenson Lane on the south; Sparks to the north; Falls Road to the west; and Old Harford Road to the east. “Customers in this area would expect to be without water for at least part of the day, possibly into the evening,” a spokesman for the county’s Office of Homeland Security and Emergency Management Agency wrote in a released statement. “The impact on the water system is expected to increase after [morning] rush hour, as the remaining water in the tanks is depleted.” BGE is working to restore power to the pumping station on Hillen Road in Towson. That effort could take until late Wednesday afternoon, the statement said. She wrote that once that happens, water should be restored to residents within a few hours. The water outage has caused 17 schools to close. Towson University will remain closed until 5 p.m. The county Circuit Court has closed for the day. Baltimore County offices are expected to open “as usual and will remain open for as long as possible,” she wrote. The county has opened its emergency operations center and is providing updates on the outage on its Web site and on its Twitter account. Source:


Banking and Finance Sector

13. April 7, Associated Press – (Utah) Utah man, 21, arrested after bank prank. Police say a Utah man may have thought he was pulling a prank when he sprayed a smelly chemical into a plastic tube and sent it to the teller at a bank drive-through. Police arrested the 21-year-old on three misdemeanor charges. Police and a fire department hazardous materials team were called to the Mountain America Credit Union in Herriman on Tuesday after the teller opened the container and reported the chemical made her ill. Police say the man drove away, but was tracked down from personal information left with his bank deposit. As for the chemical, police say it was a common prank item and is not hazardous. Source:

14. April 7, Spokane Spokesman-Review – (Washington) Feds search offices. Agents of the FBI and IRS Tuesday searched the offices of Team Spirit America, the operating affiliate of a payday loan business that investors allege was a Ponzi scheme. An agent posted inside the door of the offices at 1801 W. Broadway Ave. in Spokane declined to comment on the activity, or whether a search warrant had been issued. Spokesmen for the IRS, FBI and U.S. Attorney’s Office also would not respond to questions. Team Spirit is managed by the founder of Little Loan Shoppe, which made short-term installment loans. Little Loan Shoppe, as LLS America LLC, filed bankruptcy in August. Although the Washington Department of Financial Institutions has filed civil charges against Little Loan Shoppe, the owner, and others, the April 6 activity was the first sign federal authorities might be investigating the operation. The state alleges the owner misled or improperly sold securities to investors who committed more than $29 million in U.S. dollars, and another $26 million in money from Canada, where the company was founded in 1997. The state is seeking a $150,000 fine from the owner, $30,000 from another suspect who helped find investors, and $60,000 in costs. The investors were promised returns on promissory notes of as much as 60 percent, made possible by high-interest, short-term loans. But payments stopped in March 2009. Source:

15. April 7, Florida Today – (Florida; Mississippi) Man wanted in 10 bank robberies nabbed on Merritt Island. A 30-year-old transient wanted in connection with 10 armed bank robberies committed in five Central Florida counties and also in Mississippi has been apprehended by a law enforcement task force after being spotted on Merritt Island. The suspect is being held in the Brevard County Detention Center, accused in a series of bank robberies in Brevard, Seminole, Volusia, Indian River and Orange counties as well as Mississippi. Charges include fraud, impersonation, false ID given to law enforcement officers, resisting arrest and obstruction. Officials from the Florida Department of Law Enforcement have a press conference on the suspect’s arrest on April at the Viera Government Center. The suspect will be remanded to the custody of U.S. Marshals. Authorities allege the suspect would enter each bank, indicate to the customer service representatives that he possessed a firearm, and demand that the tellers provide him with money. The suspect committed the robberies beginning February 15 and hit banks in Biloxi, Mississippi; Hattiesburg, Mississippi; Rockledge; Daytona Beach; Vero Beach; Sanford; Palm Bay; and Titusville. He is believed to have committed two robberies on April 6 in Orlando, authorities said. Source:

16. April 6, – (International) Javelin report: ATM attacks growing in sophistication. ATM attacks have shifted from basic skimming into attacks on ATM software and ATM networks, fraudulent mobile alerts, and account takeover via stolen information and call centers, according to a report released on April 6 by Javelin Strategy & Research. Traditional skimming is being replaced by more sophisticated attacks as criminals have become more organized and global, said an analyst at the Pleasanton, California-based research firm and author of the report. “Now what we’re seeing is use of malware inside the ATMs or somewhere along the ATM network that takes the same data and gives it to the criminals.” For example, there have been ATM attacks in which apparent maintenance crews opened up ATMs and installed malware on the machines, he said. Early last year, Diebold Inc. issued a security update for its Windows-based ATMs after criminals attacked a number of them in Russia and installed malware designed to steal sensitive data. In other cases, such as in the RBS WorldPay heist, criminals target the backend, where the ATM interfaces with other networks at a financial institution, the analyst said. “Someone can gain access through administrative privileges to encrypted PIN data, then use a laptop computer to reverse the encryption on the PINs,” he said. Source:

17. April 6, WNYW 5 New York – (New York) Credit card skimmer bust. Two restaurant workers are accused of using a credit-card skimmer to steal about $60,000 from customers. The New York Post reports that the pair were arrested on April 2. Citibank found that 38 of its accounts had been violated after people made purchases at East Japanese Restaurant on Third Avenue near East 26th Street. The two are charged with identity theft, grand larceny and criminal possession of forgery devices. Source:

18. April 6, Bloomberg – (New York) Three lawyers charged in $10 million mortgage fraud. Three lawyers were among 10 people named in an indictment that accuses the defendants of conspiring in a $10 million mortgage fraud, prosecutors in Brooklyn, New York said. A Brooklyn lawyer and nine others were charged in a scheme that ran between January 2005 and May 2007, prosecutors in the office of the Brooklyn U.S. attorney said. Two licensed real-estate brokers were also charged, according to the indictment unsealed today. The defendants falsified mortgage loan applications, appraisals, title reports and other documents to make straw buyers whom they recruited appear more creditworthy on their applications, prosecutors said. In some instances, the defendants were able to obtain multiple loans for the same property, defrauding banks and other lenders, prosecutors said in court papers. Source:

19. April 5, Newport Beach Daily Pilot – (California) FBI suspects ‘Questions’ bandits in Friday robbery. The April 2 take-over robbery of a Newport Beach bank may be the work of the “20 Questions Bandits,” a group of armed men who’ve robbed half a dozen other banks in Southern California since last year, FBI officials said on April 5. About 5:48 p.m. on April 2, two armed men in dark clothes and ski masks entered the Bank of America branch at 1016 Irvine Ave. They ordered everyone inside to get on the ground, hopped the teller counter and demanded money from some of the bank tellers, said a Newport Beach police lieutenant. After getting a hold of the cash the men left the bank and fled in a black Chevrolet Tahoe parked on the building’s east side, the lieutenant said. The Tahoe, which was reported stolen out of Culver City, was found nearby on Rutland Road. FBI officials said the robbery looks like the work of the 20 Questions Bandits, a group of up to four men who have robbed banks in Ventura, Oxnard, El Monte, Thousand Oaks and Westminster. The men were dubbed the 20 Questions Bandits because during their first heists they asked several questions, FBI officials said. In some of the instances, the men have assaulted bank employees and robbed bank customers of personal belongings authorities said. This is the seventh robbery linked to the group. Bank of America is offering a $50,000 reward for information leading to the robbers’ arrests. Source:

Information Technology

46. April 7, The Register – (International) Police cuff 70 eBay fraud suspects. Romanian police have arrested 70 suspected cybercrooks, thought to be members of three gangs which allegedly used compromised eBay accounts to run scams. The alleged fraudsters obtained login credentials using phishing scams before using these trusted profiles to tout auctions for non-existent luxury goods (luxury cars, Rolex watches and even a recreational aircraft). Buyers handed over the loot but never received any goods in return. The 800 victims of the scam are estimated to have suffered €800,000 in losses since 2006. Victims were located across Western Europe, Scandinavia, the US, Canada and New Zealand. Complaints from the victims led to a joint FBI and Romanian Directorate for Investigating Organized Crime and Terrorism (DIICOT) investigation culminating in the execution of 101 search warrants and multiple arrests across Romania on April 6. Source:

47. April 7, ComputerWorld – (International) Botnets ‘the Swiss Army knife of attack tools’. Hacker militias reach for the closest tool at hand — botnets already up and running, already reaping ill-gotten gains — when they mobilize to attack the information infrastructure of other countries, security experts say. “They just pick up what they use every day,” said the director of malware analysis at SecureWorks Inc. and a noted botnet researcher. “[Militias] don’t have much time to ramp up, just days, so it has to be something already in use.” Although militias may be at the bottom of the cyberwar food chain, that does not mean they have not caused chaos. Researchers believe that in 2008, Russian hackers marshaled a force of previously compromised computers — one or more botnets — to carry out distributed denial-of-service attacks (DDoS) that knocked offline many of the Web sites in the former Soviet republic of Georgia. At the time, military forces from Georgia and Russia were fighting over disputed territory. “Botnets are the Swiss Army knife of attack tools,” said the manager of research and development for Symantec Corp.’s security response team. “Hackers use them to relay spam, for phishing and to post Web-based attacks or malcode. They’re the engine that drives criminal activity on the Internet.” Source:

48. April 7, IDG News Services – (International) Facebook takes steps to deal with gift card scams. The latest Facebook con game is fake gift cards. In the past months, fan pages have popped up all over the social networking site, offering too-good-to-be-true gift cards. There’s the $500 Whole Foods card, the $10 Walmart offer, and the $1,000 Ikea gift card. The Ikea page put these gift card scams on the map last month, when it quickly racked up more than 70,000 fans before being snuffed. Facebook has also taken down Target and iTunes gift card scam pages in the past few months. Many of these pages have fake posts suggesting that the giveaway offer worked, but the sites typically lead to affiliate marketing Web sites that try to collect data and generate Web traffic for advertisers, according to a Facebook spokesman. Because anyone can set up a fan page for virtually anything — and many pages do contain legitimate gift-card offers — it’s a thorny problem for Facebook to solve. Right now, the company is playing the social networking version of whack-a-mole, with a team of engineers monitoring the problem and deleting groups, applications, and fan pages as quickly as it can find them. Source:

49. April 7, PC World – (International) Foxit’s updated PDF reader remains vulnerable to attack. Reacting to a demonstration that showed how attackers could force-feed malware to users without exploiting an actual vulnerability, Foxit Software patched its PDF viewer last week. But the Belgium-based researcher who showed how hackers could run executable code on a Windows PC from a malformed PDF said on April 7 that Foxit’s fix did not protect users from his attack tactics. The April 1 update to Foxit Reader, a popular alternative to Adobe Systems Inc.’s Reader, adds a warning that pops up when a PDF tries to launch an executable, a function that’s permitted by the PDF specification. The change makes Foxit Reader behave similarly to Adobe Reader, which already sports such a warning. “Foxit adds prompts to all pop-ups within PDFs,” said a spokeswoman for Foxit in an e-mail reply to questions on April 7. “For example, if there is a .txt or .exe file [that] is going to open within a PDF, the old version of Reader will launch the file by calling the associated program from your system, without any inquiry. [The update] will detect it and launch a prompt to ask you if you want to execute it or not.” Source:

50. April 7, IDG News Service – (International) Adobe considers changes to mitigate PDF attack. Adobe Systems is considering modifying its PDF applications to counter a way to run arbitrary code on Windows computers by embedding it in a malicious PDF file. Recently, a security researcher detailed a way to run executable code using a different launch command even though PDF applications from Adobe and Foxit do not allow embedded executables to directly run. The attack requires some social engineering. Adobe’s Reader and Acrobat products do display a warning that only trusted executables should be opened, but the security researcher showed how it was possible to modify part of the warning message in order to persuade a user to open the file. The company is considering modifications to the programs. Source:

51. April 6, The Register – (International) PDF security hole opens can of worms. The security perils of PDF files have been further highlighted by new research illustrating how a manipulated file might be used to infect other PDF files on a system. An application security researcher at NitroSecurity said the attack scenario he has discovered shows PDFs are “wormable”. Computer viruses are capable, by definition, of overwriting other files to spread. His research is chiefly notable for illustrating how a benign PDF file might become infected using features supported by PDF specification, not a software vulnerability as such, and without the use of external binaries or JavaScript. The “wormable PDF” research comes days after another security researcher showed how it was possible to both embed malicious executables in PDFs and manipulate pop-up dialog boxes to trick victims into running a malicious payload. Both Adobe and FoxIT are working on a fix against the security shortcomings in their respective PDF viewing packages illustrated by the research. Source:
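Items 49 and 50 turn on a feature the PDF specification allows: a Launch action that asks the reader to open an external file. The detector below is an added example for defenders, not code from Foxit, Adobe or the researchers; it scans the plain (uncompressed) object dictionaries of a PDF for Launch actions and an OpenAction trigger, normalising the spec’s `#xx` name escapes first so a name written as `/L#61unch` is not missed. The sample PDFs are constructed inline; the target file name `readme.txt` is a placeholder.

```python
"""Flag PDFs that declare a /Launch action. Scope: uncompressed object
dictionaries only (object streams would need inflating first)."""
import re

# PDF names may spell any character as #xx; decode before matching.
NAME_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A dictionary with at most one level of nesting, e.g. << /Win << ... >> >>.
# Hex strings <...> inside a dict are out of scope for this simple matcher.
DICT_RE = re.compile(rb"<<(?:[^<>]|<<[^<>]*>>)*>>")
LAUNCH_RE = re.compile(rb"/S\s*/Launch\b")
# Target given either as /F (name) or inside a /Win << /F (name) >> sub-dict.
TARGET_RE = re.compile(rb"/(?:F|Win)\s*(?:<<[^>]*?/F\s*)?\(([^)]*)\)")
OPENACTION_RE = re.compile(rb"/OpenAction\b")


def normalise_names(data: bytes) -> bytes:
    """Decode #xx escapes everywhere (applied file-wide; fine for a detector)."""
    return NAME_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def scan_pdf(data: bytes) -> dict:
    """Return counts and targets of Launch actions plus whether the document
    declares an OpenAction (something runs as soon as the file is opened)."""
    data = normalise_names(data)
    findings = {
        "is_pdf": data.lstrip().startswith(b"%PDF-"),
        "launch_actions": 0,
        "launch_targets": [],
        "auto_open": bool(OPENACTION_RE.search(data)),
    }
    for m in DICT_RE.finditer(data):
        obj = m.group(0)
        if LAUNCH_RE.search(obj):
            findings["launch_actions"] += 1
            t = TARGET_RE.search(obj)
            if t:
                findings["launch_targets"].append(t.group(1).decode("latin-1"))
    return findings


def verdict(findings: dict) -> str:
    """Triage label: any Launch action warrants manual review."""
    return "review" if findings["launch_actions"] else "clean"


# Constructed sample: catalog fires object 4 on open; object 4 is a Launch
# action whose name is obfuscated with a #61 ('a') escape.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /Type /Action /S /L#61unch /F (readme.txt) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Constructed benign sample with no actions at all.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")

if __name__ == "__main__":
    for label, blob in (("sample", SAMPLE_PDF), ("benign", BENIGN_PDF)):
        f = scan_pdf(blob)
        print(label, verdict(f), f)
```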

52. April 6, DarkReading – (International) Researcher details new class of cross-site scripting attack. A new type of cross-site scripting (XSS) attack that exploits commonly used network administration tools could be putting users’ data at risk, a researcher says. The lead security research engineer at nCircle on April 2 published a white paper outlining a new category of attack called “meta-information XSS” (miXSS), which works differently than other forms of the popular attack method — and could be difficult to detect. “Think about those network administration utilities that so many webmasters and SMB administrators rely on — tools that perform a whois lookup, resolve DNS records, or simply query the headers of a Web server,” the white paper states. “They’re taking the meta-information provided by various services and displaying it within the rendered Website. These Web-based services introduce a class of XSS that can’t be captured by the current categories.” He explains that there are three current types of XSS attacks: reflected, persistent, and DOM-based. miXSS has aspects of both reflected and persistent attacks, but does not fall into either category, the engineer explains. “It is valid user input provided to a service,” he says. “The service then utilizes the user-provided data to gather data and display it for the user. It is in this data that the cross-site scripting occurs.” Source:
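The miXSS pattern in item 52, as an added example that is not from the nCircle white paper: a lookup tool validates the hostname the user types, then copies the answer it gets back from a service into the page. The resolver is stubbed with constructed TXT records, and the script shows why validating the user’s input is not enough: the markup arrives in the service’s data, so the fix is to escape everything written into the page, whatever its origin.

```python
"""Meta-information XSS demo: valid user input, untrusted upstream data.
FAKE_TXT_RECORDS is constructed and stands in for a live DNS resolver."""
import html
import re

# Constructed answers. The second one shows a domain owner planting markup
# that a naive lookup tool will echo into its own page.
FAKE_TXT_RECORDS = {
    "example.com": ["v=spf1 -all"],
    "attacker.example": ["<script>alert(1)</script>"],
}

# Strict hostname syntax check on the *user's* input.
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def lookup_txt(hostname: str) -> list:
    """Stub resolver returning the constructed TXT records for hostname."""
    return FAKE_TXT_RECORDS.get(hostname.lower(), [])


def render_vulnerable(hostname: str) -> str:
    """Input is validated, but the service's answer is rendered raw.
    This is miXSS: the injection rides in the meta-information, not in
    anything the user of the tool typed."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError("invalid hostname")
    rows = "".join(f"<li>{rec}</li>" for rec in lookup_txt(hostname))
    return f"<h1>TXT records for {hostname}</h1><ul>{rows}</ul>"


def render_hardened(hostname: str) -> str:
    """Same tool; every value copied into HTML is escaped, including the
    upstream records, so the markup is shown as text instead of executed."""
    if not HOSTNAME_RE.match(hostname):
        raise ValueError("invalid hostname")
    rows = "".join(f"<li>{html.escape(rec)}</li>" for rec in lookup_txt(hostname))
    return f"<h1>TXT records for {html.escape(hostname)}</h1><ul>{rows}</ul>"


def contains_active_markup(page: str) -> bool:
    """Demo check: does the rendered page still carry a live <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        page = render("attacker.example")
        print(render.__name__, "-> active markup:", contains_active_markup(page))
```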

53. April 6, Help Net Security – (International) Generic and behavior-based threats increasing. Sunbelt Software announced the top 10 most prevalent malware threats for the month of March 2010. The list shows the continued prevalence of Trojan horse programs circulating on the Internet and the growing trend of generic and behavior-based detections in antivirus detections. Generic and behavior-based detections by the antivirus industry have improved thanks to the massive increase in new malcode, which number thousands per day. The top two detections for the month remained in the same positions as last month. Both Trojan.Win32.Generic!BT (31.07 percent) and Trojan-Spy.Win32.Zbot.gen (4.97 percent) maintained approximately the same pervasiveness in the overall malware tracked. The top 10 made up more than 50 percent of all detections for the month and the top two made up greater than 36 percent of all detections. Source:

54. April 6, The Register – (International) RSA says it fathered orphan credential in Firefox, Mac OS. Digital certificate authority RSA Security on Tuesday acknowledged it issued a root authentication credential shipped in the Mac operating system and Mozilla web browsers and email programs, ending four days of confusion about who controlled the ultra-sensitive document. The “RSA Security 1024 V3” certificate is a master credential that can be used to digitally validate the certificates of an unlimited number of websites and email servers. It’s one of several dozen “certificate authority certificates” that by default are shipped with Mac OS X and Mozilla’s Firefox browser and Thunderbird email client. It’s valid from 2001 to 2026. Before this article was first published, no one knew who issued or controlled the credential. Both RSA and competing certificate issuer VeriSign previously said it was not theirs. Further compounding the mystery, recent audits of certificate authority credentials made no reference to it, according to a bug report posted to Mozilla’s website for developers and a follow-up post on Google Groups. Although now solved, the case of the orphaned certificate casts doubt on the security of some of the web’s most important documents. Source:

Communications Sector

55. April 7, Television Broadcast – (District of Columbia) FCC evacuated for bomb threat. FCC headquarters was evacuated Wednesday morning due to a bomb threat, a source within the commission confirmed. Speculation regarding the threat emerged as events were canceled. Notification went out around 11:20 a.m. that a CLS round table had been canceled. Further speculation sped through various Twitter feeds, though nothing initially appeared on the FCC’s Web site nor its own Twitter page. The source within the Portals said some meetings were held on the grass before staff was dispatched. “Several buildings cascaded into the threat warning,” the source said. Details about the nature and timing of the threat were unavailable, though the source said staff was out for about two hours — the “longest ever,” and that bomb-sniffing dogs were dispatched. E-mail releases from the commission resumed mid-afternoon. Source:

56. April 6, IDG News Services – (National) Court rules against FCC’s Comcast Net neutrality decision. A U.S. appeals court has ruled that the U.S. Federal Communications Commission did not have the authority to order Comcast to stop throttling peer-to-peer traffic in the name of network management. The U.S. Court of Appeals for the District of Columbia Circuit, in an order on April 6, overturned the FCC’s August 2008 ruling forcing Comcast to abandon its network management efforts aimed at users of the BitTorrent P-to-P (peer-to-peer) service and other applications. The FCC lacked “any statutorily mandated responsibility” to enforce network neutrality rules, wrote a judge. Some Net neutrality advocates said the ruling raises broad questions about the FCC’s authority to take any actions not spelled out in law. Unless the FCC takes action to reclassify broadband service, the court’s decision calls into question FCC authority in many areas, including protecting broadband consumer privacy and redirecting money from the Universal Service Fund into broadband deployment, said the president of Public Knowledge, a digital rights group that complained to the FCC about Comcast’s traffic throttling. Source:

57. April 6, – (International) Major powers agree on datacenter energy metrics. Organizations from Europe, the US and Japan have reached an accord on the measurement of energy efficiency, giving data center operators a better understanding of how to improve efficiency at their own sites. The proposals were put forward at a meeting in February to discuss rising energy consumption at data centers. The meeting was attended by experts from the US Department of Energy, the US Environmental Protection Agency, the European Commission, Japan’s Ministry of Economy, Trade and Industry, Japan’s Green IT Promotion Council and The Green Grid. The organizations have recommended a number of standards, including The Green Grid’s Power Usage Effectiveness (PUE) as the base metric for energy efficiency. PUE is the measurement of total energy used divided by IT energy consumption. Also on the agenda was improved measurement capabilities to make it easier to measure power use down to the individual server level, for example. Source:

58. April 6, GPS World – (National) GPS satellite PRN09 AWOL. The GPS satellite PRN09/SVN39, a Block IIA satellite in orbit slot A1, has been silent since about 24 March, shortly after a planned delta-V maneuver. Apparently, the delta-V maneuver was accompanied by an attitude control system anomaly that has taken the satellite off line. Although the satellite is not currently transmitting its assigned pseudorandom noise codes, it is not known if the transmitters have been switched off (either automatically or on command) or if they are transmitting non-standard codes, which is a practice used to protect users from a malfunction in the satellite’s reference frequency system or other anomalies. It is unclear whether or not the satellite’s controllers at the Second Space Operations Squadron (2 SOPS) actually have the satellite under control. All a spokesperson from the 50th Space Wing, 2 SOPS’s parent command, would say is “We are currently working to restore PRN09/SVN39 back to operational status. 2 SOPS will release a NANU to notify users when the vehicle is returned to operational status or if we anticipate the outage continuing for a significant amount of time.” Source:

59. April 6, KHON 2 Honolulu – (Hawaii) Vandals leave hundreds in Waipahu with no phone or Internet service. 1,100 Hawaiian Telcom customers in Waipahu were cut off from telephone and internet service Sunday. “Sunday night we learned that two of our cables in the Waipahu area had been cut in several places,” said a Hawaiian Telcom spokesperson. The target was a pole on Waipahu Depot Street. No copper was taken. Hawaiian Telcom says the vandalism of their poles is uncommon. Crews have been working around the clock to get customers back online since Sunday. So far at least 500 customers have had their service restored, but the job could take a while. Some who have been re-connected to the Internet say they are still experiencing some problems. There is no timeline when service will be restored. Hawaiian Telcom says it has filed a police report. Source: