Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, April 14, 2010

Complete DHS Daily Report for April 14, 2010

Daily Report

Top Stories

 The Washington Post reports that a riot of roughly 8000 people broke out in a neighborhood near James Madison University’s campus in Harrisonburg, Virginia. Property was destroyed, three dozen people were injured, and at lest 17 people were arrested.

36. April 13, Washington Post – (Virginia) Crowded off-campus party degenerates into ‘war zone’. The bottle caps, broken glass and empty plastic cups littering a neighborhood near James Madison University’s campus in Harrisonburg, Virginia, suggested that the events of Saturday afternoon were nothing more than a kegger gone bad. But those who witnessed the party-turned-riot recalled chaos so out of character for this Shenandoah Valley town that by Monday afternoon, it still had the power to amaze. “When you are setting off tear gas and people still aren’t leaving, you know it’s bad,” recalled a police official with the Harrisonburg Police Department. “It was really bad.” Each semester, James Madison students organize a huge block party, in one of the popular neighborhoods near campus, that typically attracts about 2,000 people. But when more than 8,000 people showed up to “Springfest” at a row of townhouses at the Forest Hill Manor development, the event quickly escalated, the police official and witnesses said. Rocks, beer bottles, and cans flew, hitting and injuring dozens of people and shattering car and house windows, according to police, witnesses and video of the events. Dumpsters were set ablaze. The response eventually involved about 200 police officers from several different agencies, many outfitted in riot gear and fighting back with canisters of tear gas, rounds of pepper spray, and foam projectiles. A Medevac helicopter arrived to take a casualty to a trauma center, and about three dozen others went to the local hospital. By the time it was over, Harrisonburg police said they had arrested at least 17 people and were studying uploaded YouTube videos for more suspects. Other law enforcement agencies made arrests, but the total numbers are still being tallied. Source:

 The Federal Times reports that federal agencies remain vulnerable to cyber attacks and security breaches because they have failed to take required steps to secure Internet connections and computer systems, the Government Accountability Office said in two reports issued on April 12. See item 48 below in the Information Technology Sector.


Banking and Finance Sector

14. April 12, Seattle Times – (California) Ex-employees turn to cyber crime after layoffs. When a slumping economy and historically high unemployment rates dropped the ax on the country’s workforce and left the survivors wondering if — or when — they’d be next, law enforcers and security experts braced themselves for what they considered would be an almost inevitable rise in data breaches and high-tech crimes. Based on new data, it appears they may have been right. National unemployment rates peaked in October at 10.1 percent and remained at 9.7 percent during the first two months of the year. Local law enforcement officials said the inability to find gainful employment has been a recurrent motivation behind new cases of identity theft and software piracy that drop on their desks almost daily. In one recent case under investigation, a detective sergeant said, an unemployed San Mateo, California woman in her 20s was detained with a large number of re-encoded credit cards in her possession. She said she was using them to buy food. And a Fremont, California man who had been recently laid off was arrested in February for selling pirated copies of a $2,500 Adobe design program for $150 on Craigslist. According to cybersecurity researchers, corporations across all industries have been dealing with a steadily growing number of internal data breaches since the financial meltdown. Source:

15. April 12, Gaithersburg Gazette – (Maryland) Mortgage broker charged in $2.8M fraud. A Bethesda, Maryland man is due in federal district court on Friday to answer charges that he ripped off lenders, his own relatives and others for more than $2.8 million in a mortgage-fraud scheme. The 41-year-old suspect faces up to two decades in prison if convicted, according to a statement from federal prosecutors. He has been indicted on charges of mail fraud, aggravated identity theft and bankruptcy fraud, in connection with the scheme, according to court records. The suspect, who was the resident agent for First Investment Choice Corp. of Bethesda, was a mortgage originator and/or broker with a company that operated in Laurel. The indictment alleges that from April 2006 through last August, the suspect, with the assistance of an appraiser and others, ran a scam through a series of bogus, real-estate transactions. The indictment further alleges that five of the properties went into foreclosure after the suspect failed to make the promised loan payments. He received loans worth $2,829,971 as a result of the scheme. Source:

16. April 12, Tacoma News (Washington) – (Montana) Brokerage fined $375,000 in data-breach case; alleged hackers arrested and extradited from Eastern Europe. Anyone with a brokerage account with D.A. Davidson is likely to already have heard about the breach in security and what the company has done to secure a remedy. As a penalty, the Financial Industry Regulatory Authority announced this morning that it has fined the Montana-based financial services firm $375,000 for failing to protect confidential, client information. The company’s computer data were invaded, and confidential information downloaded, in 2008. The accused hackers, Latvian natives, then attempted to blackmail the firm. The company immediately reported the incident and assisted the Secret Service in identifying “four members of an international group suspected of participating in the hacking attack of the firm. Three of those individuals have been extradited from Eastern Europe, arrested and are facing charges in federal court in Montana,” according to a FINRA release. To date, no clients have suffered any instance of identity theft related to the incident. Source:

17. April 12, WBEN 930 Buffalo – (New York) Cheektowaga business park evacuated after armed man makes bomb threat. A distraught elderly man was taken by police from a Union Road bank in a Cheektowaga, New York business park, Monday morning, after employees say he showed a gun in his waistband. The man now faces charges. A police captain said the man “was kinda confused, made some comments about people chasing him and trying to get him. In doing so, indicated to the personnel at the bank he wanted to take out his money from the bank. While doing so, he told them he had a gun.” As authorities escorted the man with a small revolver out of the KeyBank branch on Union near Como, the man told them that he had a bomb in his car. The bank, the nearby AppleTree Business Park, and a nearby apartment complex where the man lived were all evacuated as a precaution. “We set up a perimeter and called for Erie County Sheriff’s bomb squad and the NFTA bomb sniffing dog,” said the police captain. He said authorities had not found anything as of yet. The man will face charges of falsely reporting an incident and menacing. He has been arraigned and bail is pending a forensic examination at Erie County Medical Center. Source:

18. April 9, Reuters – (South Carolina) Regulators seize small South Carolina bank. A small South Carolina bank failed on April 9, bringing the 2010 tally to 42 so far, as regulators continue to clean up the wreckage from the banking industry meltdown. The Federal Deposit Insurance Corp. said Beach First National Bank, of Myrtle Beach, South Carolina, was seized by regulators. Bank of North Carolina is assuming all of the failed institution’s deposits. First National had about $585.1 million in total assets. By comparison, Washington Mutual, the largest U.S. bank to fail in the recent crisis, had $307 billion in assets. Source:

19. April 8, KSAZ 10 Phoenix – (Arizona) Police: Bank robber threatened tellers with explosives. A 72-year-old man has been arrested after police say he robbed a Compass Bank located inside an Albertson’s supermarket in Prescott, Arizona. Prescott Police said that the suspect entered the bank, showed tellers a handgun and claimed he had put explosives in the store on April 8. He robbed two tellers of an undisclosed amount of cash, as well as some personal money, according to police. The suspect was taken into custody immediately after he exited the bank. The store was evacuated and searched for explosives but nothing was found. Source:

Information Technology

43. April 13, ComputerWorld – (International) Microsoft to patch unhackable Windows 7 bug later today. On April 13, Microsoft will play it safe by patching a Windows 7 bug that it says cannot be exploited. Of the 11 security bulletins that will be released in a few hours, Bulletin 7 will address one or more vulnerabilities in Windows 2000, Windows XP and Windows Server 2003. But Microsoft will also offer the same update to users running Windows Vista, Windows 7 and Windows Server 2008, even though the company maintained last week that they were impervious to attack. “Windows 7 users will be offered Bulletin 7 as a defense-in-depth update even though the [advanced notification] states that the issue does not affect Windows 7,” said a group manager with the Microsoft Security Response Center, in one of several e-mails replying to questions. “This means that the vulnerable code is in the software, but due to the improved protections built into Windows 7, there are no known vectors to reach it.” In other words, the vulnerability is there — in Vista, Windows 7 and Server 2008 — but Microsoft doesn’t know how it could be exploited. Source:

44. April 13, The Register – (International) Third of XP security suites flunk tests. A third of 60 anti-malware products for Windows XP failed to make the grade in independent security tests. Twenty out of 60 security products tested by independent security-certification body Virus Bulletin flunked its rigourous VB100 certification, mainly because of false-positive problems. False alarms in scanning benign files from major providers including Adobe, Microsoft, Google and Sun tripped up many of the products under test. Failure to detect complex polymorphic viruses also acted as a stumbling block during Virus Bulletin’s largest ever test of anti-malware products to date. Win XP security products from Microsoft, Frisk, Norman and Fortinet were among those who failed to make the grade. Source:

45. April 13, Tech Herald – (International) WordPress-driven sites compromised due to permission settings. The discussion surrounding the mass compromise of sites running WordPress continued this past weekend. After some research on various blogs, the common link discovered in the attacks wasn’t plug-in related or a ZeroDay vulnerability, it was a permissions issue. The sites were compromised by altering the site url value in the wp_options table of targeted sites. Once this value was altered by the attacker, an Iframe was injected into the rendered page, which would then redirect visitors to a malicious domain where Malware, Rogue anti-Virus, and various client side exploits were delivered. This attack was different than normal in that the malicious destinations used by the Iframe served up Malware in the BUZUS family. BUZUS is traditionally spread using instant messaging programs according to researchers from TrendMicro. BUZUS is a Trojan virus that has been used in the past to launch denial-of-service attacks. In addition to instant messaging, BUZUS has also been known to spread over P2P networks by mimicking the names of popular games and movies. Source:

46. April 13, ZDNet – (International) hit by targeted XSS attack, passwords compromised. Combining a cross-site scripting (XSS) vulnerability with a TinyURL redirect, hackers successfully broke into the infrastructure for the open-source Apache Foundation in what is being described as a “direct, targeted attack.” The hackers hit the server hosting the software that uses to track issues and requests and stole passwords from all users. The software was hosted on, a machine running Ubuntu Linux 8.04 LTS, the group said. The passwords were encrypted on the compromised servers (SHA-512 hash) but Apache said the risk to simple passwords based on dictionary words “is quite high” and urged users to immediately rotate their passwords. “In addition, if you logged into the Apache JIRA instance between April 6th and April 9th, you should consider the password as compromised, because the attackers changed the login form to log them,” Apache said. Source:

47. April 12, The Register – (International) Freetard-targeting Trojan seeks to scam scaredycats. A sneaky new, Trojan virus attempts to extort money from BitTorrent users under the guise of a fictitious, copyright-infringement lawsuit. Malicious pop-up messages generated by the malware, which is being spread via fake files offered up for download through BitTorrent, seeks to bully victims into agreeing to pay $400 for a “pre-trial settlement” to avoid possible prosecution over alleged copyright-piracy violations. Both the Antipiracy foundation scanners that supposedly identified pirated content on the PCs of targeted individuals and ICPP Foundation “law firm” are fakes. Infected users receive warnings every time they reboot their system, warns net security firm F-Secure. The scammers have sought to lend credibility to the ruse by setting up an official-looking but bogus website at, which was taken offline on April 12. Source:

48. April 12, FederalTimes – (National) GAO: Federal computers still not defended against cyber threats. Federal agencies remain vulnerable to cyber attacks and security breaches because they’ve failed to take required steps to secure Internet connections and computer systems, the Government Accountability Office said in two reports issued today. No agency has taken all of the actions required to secure their Web networks under the Trusted Internet Connections and Einstein programs, GAO said in the report, “Information Security: Concerted Effort Needed to Consolidate and Secure Internet Connections at Federal Agencies.” GAO largely faulted the Office of Management and Budget and the Homeland Security Department for the delays, saying they provided “inconsistent communication” to agencies for how to secure their Web connections. GAO also reviewed efforts to roll out the Federal Desktop Core Configuration initiative, which was launched by OMB and the National Institute of Standards and Technology in 2007 and is supposed to provide a baseline level of security for government-owned desktop and laptop computers. No agency has deployed all of the configuration settings on all of their workstations as required under the initiative, GAO said in the report, “Information Security: Agencies Need to Implement Federal Desktop Core Configuration Requirements.” Source:

49. April 12, DarkReading – (International) Many DLP users still leaking data, survey says. Data leak prevention (DLP) tools might give enterprises a start on data-loss issues, but they do not always solve the whole problem, a new study suggested. A survey by security vendor DeviceLock indicated that many DLP users are still leaking data, according to a news report. Thirty-eight percent of respondents have not deployed any DLP technology — or even device control, according to the study. Among small and midsize businesses, that figure rises to more than 50 percent, DeviceLock said. Even among the enterprises that have deployed DLP, there are leaks in the implementations, according to the survey. Nearly half (48 percent) of respondents said they aren’t yet monitoring synchronization between smartphones and the corporate network. Only 26 percent said they have the ability to control content printed from corporate computers. More than three-fourths (77 percent) of respondents said they monitor employees’ Webmail and social networking applications — such as Facebook and Twitter — to prevent data leakage, regardless of whether corporate or private accounts are used. Only 8 percent of respondents believe that privacy concerns are an obstacle for enforcing such controls. Source:

Communications Sector

50. April 13, Carroll County News – (Arkansas) FCC halts construction of Planer Hill cell tower. The Federal Communications Commission (FCC) has moved to stop a cell tower from going up on Planer Hill until an investigation is completed into how Smith Communications LLC got its permits from the city of Eureka Springs, Arkansas and the FCC. “On Friday we issued a temporary stop work order on the tower as we look into the matter,” said the chief of staff for the FCC Wireless Communications Bureau, Washington D.C. in a April 13 phone call to the Lovely County Citizen. “That is all we have to say about it at this point.” The concrete foundation for the controversial Smith Communications LLC cell tower on Planer Hill was poured on April 2. The project manager of Smith Communications LLC, Fayetteville, said in a phone interview on April 2 that they expected to erect the cell tower in three days this week, weather permitting. But cell-tower protesters apparently found fertile ground with the FCC. A local group called CACTUS (Citizens Against Cell Towers Utilizing Smith) has been raising questions about how Smith obtained permits that allowed construction of the tower located in the Eureka Springs Historic District. Source: