Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, April 21, 2010

Complete DHS Daily Report for April 21, 2010

Daily Report

Top Stories

 According to Bloomberg, a former trader for Societe Generale in New York was charged Monday with stealing the company’s computer code for high-frequency trading. The suspect is accused of making copies in June 2009 of one part of the code he had been given access to and another part that he had not. (See item 14 below in the Banking and Finance Sector)

 The Billings Gazette reports that a weekend break-in at the Malta, Montana water storage area resulted in the city’s water supply being placed under DEQ control and a water restriction. The FBI has been notified. (See item 30)

30. April 19, Billings Gazette – (Montana) Malta residents waiting on word about their water. After a security breach at the municipal water supply this past weekend, Malta, Montana officials have advised residents, businesses and institutions not to use city water because of possible contamination. While authorities suspect that drunken teenagers are responsible for the breach, they are not sure when the water supply will be deemed safe to drink, said a spokeswoman for the Montana Department of Environmental Quality (DEQ). The trouble started Sunday when a breach of the fence surrounding the Hi-Line city’s two tanks — one contains 400,000 gallons of water, the other 176,000 gallons — was discovered. In her initial report, an official said she was informed that the fence had been cut, but law enforcement did not confirm that. A Phillips County undersheriff said a ladder propped up against the fence showed where the intruder or intruders went over. He said evidence was collected at the scene, but “there is no physical evidence they put anything in the tanks.” There was no visible damage, and there are no suspects. The DEQ spokeswoman said preliminary test results may be available as soon as April 19, but final results are at least a week away. The DEQ is testing the water for chemical, biological, and radiological contamination, while the Phillips County Sheriff’s Office investigates the trespass. The FBI has also been notified. Schools were closed Monday and will remain closed Tuesday. Phillips County Hospital and Family Health Clinic hauled water from Havre and from out-of-town wells. Some restaurants closed, and local stores had a run on bottled water. The hospital administrator said the facility was functioning with safe water on hand and water hauled in from outside the city. Source:


Banking and Finance Sector

10. April 20, Bloomberg – (International) 500-Euro bill lifts crime risk, Bank of Italy says. Mafia money launderers, terrorists and tax dodgers may be accumulating 500-euro bills because they’re easy to hide and transport, the Bank of Italy said in a report. “The wide diffusion of the 500-euro bill is a motive of possible concern in terms of fighting both money laundering and terrorism financing,” the June 2009 report prepared by the central bank’s financial intelligence unit said. “Cash is the ideal tool for illegal payment and movement of funds” and “the high-value banknote simplifies the logistical management of large sums of money,” according to the study. The report might boost arguments by law-enforcement officials to do away with the 500-euro ($673) note, the second most-valuable bill among the world’s most-traded currencies. The Frankfurt-based European Central Bank reviewed the denominations of its banknotes in 2005, and has no plans to change the structure of its currency, an ECB spokesman said. The Bank of Italy report may foreshadow a split within the ECB on the merits of keeping the 500-euro note at the next review. The dangers tied to the use of the 500-euro bill may “merit attention by monetary authorities and the institutions fighting money laundering and terrorism,” the report said. In 2000, the Bank of Canada withdrew its 1,000-dollar ($981) bill “as part of the fight against money laundering and organized crime,” according to its Web site. Source:

11. April 19, KTVZ 21 Bend – (Oregon) Telephoned bomb threat shuts bank in La Pine. The U.S. Bank branch in La Pine, Oregon was shut down Monday afternoon after a telephoned bomb threat, but a search turned up nothing, authorities said. After getting the suspicious call around 2:30 p.m., bank staff decided to evacuate the building on Huntington Road and contact police, a Deschutes County sheriff’s lieutenant said. He said the man who called was very specific about where a bomb was in the building, and what it looked like. Authorities declined to reveal many details due to the ongoing investigation. Deputies encircled the bank with crime-scene tape as a search took place for just over an hour, eventually prompting the bank to close for the day. Source:

12. April 19, Federal Bureau of Investigation – (Illinois) Two men indicted in alleged $56-million bank fraud. Two men who purported to purchase and develop two Loop residential buildings in Chicago are facing federal fraud charges in connection with financial transactions that allegedly caused the former CIB Bank in west suburban Hillside to lose approximately $56 million. The defendants allegedly operated various businesses, including a real-estate investment venture, a construction company, a land trust and holding companies. They defaulted on bank loans relating to projects they purportedly undertook at 6 North Michigan Ave. and 59 East Van Buren St. Both men allegedly used at least $3.6 million in loan proceeds for their own benefit, including to purchase real estate, to buy a vehicle and jewelry for one of the suspects, and to fund the same suspect’s investment account. Neither defendant has any connection to the current ownership or development of the two Loop properties. Both suspects were charged with two counts of bank fraud and three counts of making false statements in bank-loan documents in a federal grand jury indictment that was returned under seal in December 2009. Source:

13. April 19, The Register – (International) Feds bust website that catered to identity thieves. Federal prosecutors have brought felony charges against an Eastern European man for running a Web site that allegedly helped thousands of criminals exploit stolen financial information. In an indictment unsealed April 19, prosecutors in Manhattan charged the suspect with creating and running the Web site. The online business supplied identity thieves with English- and German-speaking individuals to call financial institutions and pose as authorized account holders. They would then confirm fraudulent withdrawals, transfers, and other transactions. The site, which brazenly advertised its services on other Web sites, assisted more than 2,000 identity thieves in carrying out more than 5,000 cases of fraud, prosecutors alleged. The Web site was founded in June 2007 and remained in operation until earlier this month. The service was designed to counteract security measures put in place by financial institutions to prevent account fraud. In exchange for a fee, the Web site took online orders that allowed identity thieves to enter instructions about the fraudulent transaction to be conducted over the phone. The Web site would then assign the job to an individual who spoke the appropriate language. Source:

14. April 19, Bloomberg – (International) Ex-Societe Generale trader accused of stealing code. A former trader for Societe Generale in New York was charged by the U.S. with stealing the company’s computer code for high-frequency trading. Charged with one count of theft of trade secrets, the 26-year-old suspect is accused of making copies in June 2009 of one part of the code he had been given access to and another part that he had not. He was arrested April 19, according to federal prosecutors in New York. In August and September 2009, he also printed portions of the code from a Microsoft Word file he created, they said. “Over the past several years, the financial institution has spent millions of dollars to develop and maintain a computer system that allows the financial institution to engage in sophisticated, high-speed trading on various securities markets,” according to the criminal complaint. The suspect was hired by Societe Generale in March 2007 to work as a quantitative analyst in the high-frequency trading group, according to the complaint. He was promoted to trader last April and resigned in November, prosecutors said. Before resigning, he deleted a computer folder on his personal network drive that contained the code, they said. Source:

15. April 16, Federal Bureau of Investigation – (National) Australian man charged with laundering half-billion dollars in Internet-gambling proceeds. An Australian national was arrested in Las Vegas on April 16 on charges he assisted illegal Internet-gambling companies by processing approximately $500 million in transactions between U.S. gamblers and Internet-gambling Web sites and disguising the transactions to the banks so that they would appear unrelated to gambling. In early 2008, the suspect began processing gambling transactions in the United States through the Automated Clearing House (ACH) system, which allows money to be electronically transferred from a gambler’s U.S. checking account to an Internet-gambling company simply by the gambler going to the Internet-gambling company’s Web site and entering his bank-account information. The suspect and his co-conspirators processed more than $543 million in ACH transactions between February 2008 and March 2009, the overwhelming majority of which were on behalf of Internet-gambling companies. The suspect then arranged for the funds received from gamblers to be wired offshore for the benefit of the gambling companies. The suspect also invested approximately $27 million from these ACH transactions into an online “payday loan” company that offered consumers high-interest, short-term loans that typically carried an annualized interest rate of more than 500 percent. The suspect and his co-conspirators induced U.S. banks to provide ACH services to Internet-gambling companies by disguising the transactions so that they would not appear to be gambling related. Source:

Information Technology

46. April 20, – (International) Symantec logs 100 percent rise in new malware. More than 240 million new malicious programs were discovered last year, with cyber criminals increasingly focusing on Web-based and targeted attacks, according to the latest annual Symantec Internet Security Threat Report. The findings for 2009 showed a 100 percent year-on-year increase in new malware, and a Symantec solutions architect said that one new botnet-infected computer is detected worldwide every 4.6 seconds. The architect warned that malicious activity is taking root especially in developing countries, where less-experienced users are coming online without investing in security tools to protect Internet-connected devices. These countries have also become a source of malicious activity, she added, because many do not have the legislation in place to crack down on cyber crime. Web-based attacks continue to be the most common form of attack, and browser vulnerabilities are increasingly being targeted, the architect explained. The report also highlighted the growing problem of sophisticated attacks targeting specific enterprises, often with the aim of stealing intellectual property rather than customer credit card or bank account details. Source:

47. April 20, The Register – (International) Pinhead Mac Trojan sticks it to fanbois. Miscreants have created a new strain of Trojan horse malware that establishes a backdoor on compromised Macs. HellRTS-D (AKA Pinhead-B) disguises itself as the iPhoto photo application. The Trojan is a new variant of a strain of malware first reported in 2004, reports Mac security specialist firm Intego. Developed using RealBasic, the Trojan is designed to set up its own server on compromised systems, and from there send e-mail or contact a remote server. HellRTS-D has been spotted on various online forums but is not thought to be spreading, so the threat posed by the malware is currently low. Anti-virus firms including Intego and Sophos have already added detection for the Trojan in updates to their Mac-security software products. Source:

48. April 19, New York Times – (International) Cyberattack on Google said to hit password system. Ever since Google disclosed in January that Internet intruders had stolen information from its computers, the exact nature and extent of the theft has been a closely guarded company secret. But a person with direct knowledge of the investigation now said that the losses included one of Google’s crown jewels, a password system that controls access by millions of users worldwide to almost all of the company’s Web services, including e-mail and business applications. The program, code named Gaia for the Greek goddess of the earth, was attacked in a lightning raid taking less than two days last December, the person said. Described publicly only once at a technical conference four years ago, the software is intended to enable users and employees to sign in with their password just once to operate a range of services. The intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said. Source:

49. April 19, DarkReading – (International) Politically motivated attacks could force enterprises to reshape defenses. An emerging wave of politically motivated cyberattacks is reaching critical mass and threatens to redefine the way enterprises build their defenses, according to an April 20 report. Compiled by a well-known botnet researcher of Damballa, the study offers a comprehensive look at the recent trend toward politically motivated cyberprotests, sometimes called hacktivism. While such organized, mass attacks on specific targets are best known for being carried out against rival governments (think Estonia or Georgia) and large companies (think Project Aurora), the new report showed “cyberprotests” can be carried out against any organization, and for myriad reasons. “These types of attacks focus on all types of topics, and they can be executed by thousands of users or even just a few,” the researcher observed. The report offered numerous examples of hacktivism in recent years, including the defacement of hundreds of Dutch Web sites in August 2008 by Islamic protesters over the release of the film Fitna, and last summer’s distributed denial-of-service (DDoS) attacks on Iranian government sites by supporters of defeated presidential candidates who claimed voting irregularities. Source:

50. April 19, Computerworld – (International) Network Solutions sites hacked again. A week after Web-hosting company Network Solutions LLC dealt with a large-scale infection of WordPress-driven blogs, the company acknowledged that other sites it hosts have been compromised. “We have received reports that Network Solutions customers are seeing malicious code added to their Web sites, and we are really sorry for this experience,” said a company spokesman in an April 18 blog post. “At this time, since anything we say in public may help the perpetrators, we are unable to provide details.” On April 19, another Network Solutions spokesperson declined to get more specific or answer questions, including queries about what moves the company was making to stop the infection, and how many sites had been affected. “At this time, we believe this is affecting a subset of our hosting customers,” said Network Solutions’ director of corporate communications. “For now, it’s difficult to make a conclusive statement or provide more details publicly.” On April 18, Sucuri Security Labs said that at least 50 sites hosted by Network Solutions had been hacked and that malicious JavaScript injected into those sites was redirecting unsuspecting users to a Ukrainian attack server. The same server was involved in the earlier attacks against Network Solutions-hosted blogs. Source:

51. April 19, ZDNet – (International) Researchers hack into Palm WebOS with text messages. Security researchers at the Intrepidus Group have hacked into Palm’s new WebOS platform, using nothing more than text messages to load potentially malicious Web pages or turn off the device’s radio. Hackers at the security consulting firm found that the WebOS SMS client did not properly perform input/output validation on SMS messages sent to the handset, researchers explained in a blog post. This led to a rudimentary HTML-injection bug. Coupled with the fact that HTML injection leads directly to injecting code into a WebOS application, the attacks made possible were quite dangerous (especially considering they could all be delivered over an SMS message), experts indicated. The researchers were able to send a number of text messages to a device running WebOS to perform HTML-injection attacks that opened a Web site when the user simply read a text message, or turned off the handset’s radio. Source:

52. April 19, DarkReading – (International) Researcher demonstrates how to counterattack against a targeted attack. Targeted attacks might be tough to prevent, but what if you could fight back against the attacker once he has infiltrated your network? A researcher has come up with a proof-of-concept (PoC) that does just that by finding vulnerabilities in the attacker’s malware and using it against him. Last week at Black Hat Europe, a security consultant demonstrated how it is possible to wage a counterattack in a targeted attack: His PoC was based on some fuzzing and reverse-engineering he conducted against malware used in an infected PDF that was sent to a pharmaceutical company. The consultant found a buffer overflow bug in the malicious toolkit, which was the Poison Ivy tool, and then built an exploit for it. “I [had been] asking myself, in theory, what if you wanted to counterattack — provided that it’s possible,” he said. “You can [actually] hack the hackers and counterattack” as demonstrated by the PoC, he said. But the consultant said that such an attack in reality would be illegal for a victim company to execute. Instead, the goal of his research is to show there are techniques for fighting back once a targeted attack is already under way, he said. “This is for the purpose of research,” he said, noting, however, that some special government agencies may be able to, or already are, deploying such techniques. Source:

53. April 16, H Security – (International) Tool allows cracking of Microsoft Office encryption in minutes. An implementation flaw allows attackers to bypass the encryption mechanism used for Microsoft Office documents. Although this is not news, having been made public in 2005, no (officially acknowledged) attack or tool for exploiting the vulnerability has existed until now. Experts said this probably explains why Microsoft has never fixed the problem with an update for older versions of Office. In a presentation at the recent Black Hat security conference, a French crypto expert emphasised that the situation has now changed. He said his tool can decrypt a document within a few minutes. The expert said he began working on the statistical analysis of the RC4 algorithm used in Office back in 1994. Talking to Heise Security, the expert explained why he has only now published his results: “I was employed by the French military at the time. Everything I did was classified. Now I am free to speak about it.” The crypto expert’s analysis of RC4-encoded data took advantage of the fact that many implementations of the algorithm are flawed. For RC4 to produce reliable encryption, no key can ever be used more than once. For example, the main reason why the WEP (Wired Equivalent Privacy) encryption used in wireless LANs was cracked so thoroughly was that there weren’t enough initialisation vectors (IV) to provide sufficient key variations. Frequently, packets appeared that had been encoded via identical combinations of the same IV and an already static password. Source:
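The key-reuse weakness the item above describes is easy to see in code. The following is an added example, not part of the DHS report or of any cited article or tool: a minimal RC4 implementation shows that two messages encrypted under the same key leak the XOR of their plaintexts (a known header then exposes the other message), and a per-message key derived from a unique nonce removes that leak. The master key, nonces, messages and the SHA-256 derivation are constructed for illustration.

```python
import hashlib

# Added example (not code from the report or any article it cites): why a
# stream cipher such as RC4, or a one-time pad, must never reuse a key.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Produce `length` keystream bytes with RC4 (key scheduling + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt (or decrypt: the operation is symmetric) by XOR with keystream."""
    return xor_bytes(plaintext, rc4_keystream(key, len(plaintext)))

def keystream_reuse_leak(key: bytes, m1: bytes, m2: bytes) -> bytes:
    """Encrypt two messages under the SAME key and return what anyone holding
    both ciphertexts learns without the key: c1 XOR c2 == m1 XOR m2."""
    c1 = rc4_encrypt(key, m1)
    c2 = rc4_encrypt(key, m2)
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])

def recover_with_crib(leak: bytes, known_m1: bytes) -> bytes:
    """Given m1 XOR m2 and one plaintext (e.g. a fixed document header),
    the other plaintext follows directly. This is the real-world impact."""
    return xor_bytes(leak, known_m1[:len(leak)])

def per_message_key(master_key: bytes, nonce: bytes) -> bytes:
    """Mitigation (constructed scheme): derive a fresh cipher key for every
    message from a unique nonce, so no two messages share a keystream. WEP
    failed here because its 24-bit IV space was far too small to stay unique."""
    return hashlib.sha256(nonce + master_key).digest()

def with_unique_keys(master_key: bytes, nonce1: bytes, m1: bytes,
                     nonce2: bytes, m2: bytes) -> bytes:
    """Same observation as keystream_reuse_leak, but with per-message keys;
    the XOR of the ciphertexts no longer equals m1 XOR m2."""
    c1 = rc4_encrypt(per_message_key(master_key, nonce1), m1)
    c2 = rc4_encrypt(per_message_key(master_key, nonce2), m2)
    n = min(len(c1), len(c2))
    return xor_bytes(c1[:n], c2[:n])
```

RC4 itself is obsolete; the per-message key derivation only illustrates the uniqueness requirement, and a modern deployment would use an authenticated cipher with a nonce instead.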

Communications Sector

54. April 20, Lassen County Times – (California) Rodent causes communication breakdown. A rodent chewed through a Frontier Communications line in Lassen County, California on April 15, causing a phone, digital subscriber line, and high-speed Internet outage for roughly 17,000 customers in Susanville, Chester, and Alturas. “We dispatched multiple crews to the area where the line was cut, and we’ll have crews working on preventative measures as well,” said a Frontier Communications spokesman. He said crews would be installing pole guards to keep similar incidents from happening in the future. Source:

55. April 19, Defense Systems – (National) Satellite system won’t see space anytime soon. Delays plaguing the Navy’s Mobile User Objective Satellite program have yet to end, with one DOD official confirming the initial launch has been pushed back yet again to late 2011. “Hopefully, in the next two years we will be able to replace the [current ultra-high frequency satellite] constellation,” a Navy captain and deputy commander, Space Field Activity, Space and Naval Systems Command, said April 15 at the AFCEA Naval IT Day in Vienna, Virginia. “We’re focusing on launching in late ‘11, with on-orbit capability in 2012.” With MUOS years behind schedule, the Navy is looking to the commercial sector to bridge the gap between the expiration of the current ultra-high frequency follow-on satellites and the yet-to-be-launched MUOS satellites. Naval officials are also asking Congress to consider yielding some government-only UHF bandwidth to commercial operators to help ease the transition. The existing satellites provide critical capabilities for all four military branches, including communications, navigation and geo-location used for precision weapons. But they are aging and obsolete, and narrow-band capabilities will degrade below the required level of availability by January 2011 if no interim measures are taken, according to the Government Accountability Office. The degraded narrow-band communications could result in outages on the ground that would slice into the operations of soldiers, sailors, Marines and airmen around the world. Source:

56. April 19, Computer Weekly – (International) Toshiba Research Europe announces breakthrough in ultra-secure computing. Ultra-secure encryption of sensitive data sent by banks, hospitals and government organizations could be a reality within three to five years, said Toshiba Research Europe. A breakthrough by the organization’s Cambridge Lab has cleared the way for the development of communications systems using one-time pad encryption. The encryption method is considered to be perfect because it uses extremely long encryption keys only once and therefore cannot be cracked using cryptanalysis. “Not even quantum computers will be able to crack these keys because they are not based on computational complexity like classic cryptography,” said the assistant managing director at the Cambridge Lab. Use of this method has been limited to date because of a technical inability to sustain the data-transmission speeds it requires for quantum key distribution. But the Cambridge Lab said it has overcome these barriers by finding a way of sustaining a low error rate and extremely fast transmission speeds indefinitely. Source: