Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, April 29, 2010

Complete DHS Daily Report for April 29, 2010

Daily Report

Top Stories

 The Federal Way Mirror reports that a suspicious object found at the Rainier View Elementary School playground in Washington on Monday turned out to be a six-inch pipe bomb, according to a King County sheriff's spokesman. The school was put into lockdown. (See item 45)

45. April 26, Federal Way Mirror – (Washington) Pipe bomb found at Rainier View Elementary in Federal Way. A suspicious object found at the Rainier View Elementary School playground in Washington Monday turned out to be a six-inch pipe bomb, according to a King County sheriff's spokesman. The pipe bomb was found during morning recess. The school was put into lockdown at 10:20 a.m. and the lockdown was lifted at 12:22 p.m. The King County Sheriff's Department was called to the school at 3015 S. 368th St. in unincorporated King County. The bomb squad came in and picked up the bomb. Students and staff were all safe. Shortly after the all clear was given Monday at Rainier View, a bomb threat was reported at Todd Beamer High School at 35999 16th Ave. S. The school was evacuated. Police inspected the school and found nothing suspicious. Staff and students were able to return to the school at 1:30 p.m. Federal Way Police are continuing to investigate the threat, which came from a phone call. Source:

 According to the Associated Press, police arrested two men and a woman suspected of planning to bomb an IBM Corp. research facility near Zurich, Swiss media reported on Monday. The arrests occurred on April 15. (See item 51 below in the Information Technology Sector)


Banking and Finance Sector

13. April 28, Daily Bruin – (California) Duffel bag prompts examination by Los Angeles Police Department bomb squad. A duffel bag left in the parking structure of Chase Bank in Westwood, California April 27 was deemed nonexplosive by the Los Angeles Police Department (LAPD) bomb squad at 2 p.m. The bomb squad arrived at Chase Bank at 1:30 p.m. to examine the bag, which was thought to be suspicious, an LAPD sergeant said. A note on the outside of the bag read "Keep away confidential," according to police. The bag belonged to a homeless person and contained clothes and other miscellaneous items, the sergeant said. While police were investigating, several Westwood intersections were blocked off, and foot traffic around the bank was redirected. Source:

14. April 28, Patriot Ledger – (Massachusetts) Four charged with credit-card fraud at South Shore Plaza. Police arrested four New York City residents on credit-card fraud charges at South Shore Plaza in Braintree, Massachusetts. They were charged with credit-card fraud, forgery of a credit card, and conspiracy. A Braintree deputy police chief said a detective and an officer were checking the parking lot near Lord & Taylor April 26 when they saw two men acting suspiciously in a Toyota RAV4. The officers allegedly saw the rear seat passenger "tearing stickers off a gold-colored Visa credit card," the deputy police chief said. In all, the officers saw more than 20 credit cards on the passenger's lap and on the seat, police said. They searched the passenger and found $1,630 in cash, the deputy police chief said. The two suspects in the vehicle were taken to the mall's police substation for further questioning. On the way, the deputy police chief said, officers saw another man duck between two parked cars. He was also taken in for questioning. The final suspect was picked up when she returned to the vehicle with a laptop computer purchased from the Apple Store, the deputy police chief said. The officers found that the account numbers on the credit cards had not been issued by the card company and were either stolen or fraudulent, he said. Officers recovered 16 fraudulent credit cards and 25 others that had not been programmed with account information. Also recovered were $2,200 in cash and two laptop computers believed to have been purchased with the fraudulent cards from Apple stores at the mall and in Dedham. Source:

15. April 27, ComputerWorld – (International) Man gets 81 months, $2.5-Million fine for stock scheme. An Indian national was sentenced Monday to 81 months in prison for hacking into online brokerage accounts and using those accounts to manipulate stock prices for personal gain. The 36-year-old suspect of Chennai, India, was also ordered to pay close to $2.5 million in restitution to the more than 90 people and seven brokerage firms that were victims of his illegal capers. In February, the suspect pleaded guilty in federal court in Omaha, Nebraska, to one count each of conspiracy to commit wire fraud, securities fraud, computer fraud and aggravated identity theft. He was arrested in Hong Kong and extradited to the U.S. last June. He had initially pleaded not guilty to the charges, but changed his mind earlier this year. One of his accomplices had in June 2008 pleaded guilty on the same charge and was sentenced to a two-year term. However, that suspect was deported to India last year before completing his prison term. A third conspirator, who has been indicted on 23 criminal counts including computer fraud and aggravated identity theft, remains at large. Court documents said the Indian man and his accomplices ran a hack, pump and dump scheme in which they would buy large volumes of thinly traded stocks and then sell those stocks after artificially inflating their price. Between February 2006 and December 2006, the suspect and his cohorts, all of whom operated out of Chennai and Thailand, hacked their way into numerous brokerage accounts at investment companies including Omaha-based T.D. Ameritrade, E*Trade, Schwab, and Fidelity. The documents do not describe how the three gained access to customer accounts at these firms. However, all three appear to have somehow gained access to the full names, addresses, Social Security Numbers and other personal details of their victims. Source:

16. April 27, WPEC 12 West Palm Beach – (Florida) Police looking for high tech ATM scammers. Police are looking for some high-tech ATM scammers in Palm Beach Gardens, Florida. In a new scam, suspects are placing high-tech devices on ATMs to swipe both card data and personal identification numbers at the same time. Transactions process normally, but the card data and PINs are captured and saved. Often the devices are indiscernible from real ATM parts. Once the information is captured, the scammers can make fake ATM cards with the information and access the victims' bank accounts. Incidents like this have been happening nationally, and Palm Beach Gardens police have recorded three incidents. The most recent took place at the Bank of America at 5560 PGA Blvd where a customer discovered a skimming device had been installed over the ATM's card slot. The customer tugged at the device and it came off; the customer then took the device and contacted police. Immediately after the customer left with the device, two men were captured on the ATM's security camera removing a video camera from the ATM's overhang. They were gone by the time police arrived. Authorities said that it is unusual to actually recover a skimming device. The one recovered in this incident has been sent for forensic analysis. Source:

17. April 27, SCMagazine – (National) U.S. businesses face skimming-fraud increase. U.S. banks are grappling with a recent increase in skimming attacks, which are being carried out by Eastern European gangs aiming to steal consumer bank account numbers and Personal Identification Numbers, according to a Gartner analyst. These types of attacks are not new, but the scale and the organization behind them is, the Gartner vice president said April 27. Over the past six months, fraudsters increasingly have been mounting well-organized and systematic attacks that involve placing skimming devices on not just ATM machines — the most commonly targeted device — but also point-of-sale systems and gas-pump card readers. The analyst said she heard about the increase in skimming at a recent fraud conference attended by officials from numerous financial-services firms. Source:

18. April 27, North Platte Bulletin – (Nebraska; National) Nebraskaland Bank pounces on 'phishing' scam. Nebraskaland National Bank took quick action April 27 to stop a "phishing" e-mail that apparently went out across the country. This phishing e-mail was sent at 7:55 a.m. notifying readers of "a new security message" at the bank. The readers were asked to click on a link. At that link, they were asked to enter a password and other information, such as their name, address and Personal Identification Number. Bank officials immediately began contacting Internet-security companies such as Norton and McAfee, as well as Internet search engines. In less than two hours the phony Web site was blocked with red warnings, and IT-security providers automatically advised their clients not to enter. Apparently, the e-mail was part of a widespread effort to collect passwords and bank account numbers. "We received calls from all over the nation," a bank spokesman said, "including a gentleman from Austin, Texas who said he got a similar e-mail from nine other banks. He didn't have an account at any of them." Source:

19. April 27, WCTV 11 Tallahassee – (National) There is lots of mortgage fraud in Florida and Georgia. An annual report by the Lexis Nexis Mortgage Asset Research Institute has Florida ranked at the top in mortgage fraud for 2009, while Georgia came in 8th. Fraud includes lying on a mortgage application, but this year much of the fraud stemmed from inaccurate appraisals. A Valdosta State University economics professor said he was surprised to see so many cases as a result of appraisals. "Appraisers can give you numbers that may not be reflective of what's truly going on in the economy," he said. "Certainly one issue is just the sheer volume of foreclosure issues. Florida and Georgia both have lots of foreclosures, and that makes it difficult to find three comparable homes for an accurate appraisal." The report said mortgage fraud and misrepresentation increased 7 percent from 2008 to 2009. Source:

20. April 27, WPBF 25 West Palm Beach – (Florida) Man wearing raincoat robs bank, claims he has bomb. A man wearing a raincoat left a Pompano Beach, Florida bank with a bag full of cash Monday morning after claiming he had a bomb, the Broward Sheriff's Office said. The robbery occurred at the Wachovia at 3885 N. Federal Highway about 9 a.m. Detectives said the man entered the bank, approached the teller, placed a black bag on the counter and told her it was a bomb. He then instructed the teller to fill a bag with money and threatened to detonate the bomb if she did not follow his instructions. The man then ran out of the bank. Surveillance video shows the man wearing a raincoat with the hood over his head and dark sunglasses to hide his face. Source:

21. April 27, Forbes – (National) Inside the brains of a professional bank-hacking team. Following the cyberspying breaches at Google, Adobe, Yahoo!, Intel, Juniper and others, there has been much discussion and dissection of targeted attacks. But rarely is an individual operation laid out in step-by-step detail. And rarer still is an account told from the hacker's perspective. But just such an account has been provided by the individual who runs Netragard, a cybersecurity consultancy that, among other services, performs penetration tests on clients to expose their security vulnerabilities. In a blog post April 26, the consultant laid out a recent hacking operation that his SNOsoft research team was hired to perform on a bank client. Though he does not name the target, he describes step by step the social engineering involved in sussing out the bank's defenses, including staging a fake job interview with unwitting employees of the company. The technical strategy for breaching the bank's defenses — a targeted, booby-trapped PDF attachment — is not a surprise. But the detailed description of the preparation for that exploit is a rare window into the hacking process. Source:

Information Technology

47. April 28, The Register – (International) Hackers crack Ubisoft always-online DRM controls. Hackers have overcome Ubisoft's controversial DRM system that relied on constant connection to the Internet for games to function. A crack for Ubisoft's anti-piracy system published by a group called Skid Row allows gamers to circumvent the controls for games such as Assassin's Creed II. A message from the group on a gamers' forum sets out the group's agenda: allowing legitimate copies of PC games to be played without an Internet connection, rather than facilitating piracy. Skid Row sarcastically thanks Ubisoft for posing an interesting intellectual challenge. A security researcher at Sunbelt Software and long-time gamer told The Register that Ubisoft's controls were fundamentally misconceived. "In general, it seems DRM restrictions in gaming are becoming more intrusive and creating problems for genuine customers, rather than the pirates who happily bypass these measures every time," he said. "PC gaming should be about portability — what use are games you can't play at the airport or on a train if you can't get online?" Source:

48. April 28, DarkReading – (International) Costs of data breaches much higher in U.S. than in other countries, study says. A data breach in the United States could cost enterprises twice as much as the same breach costs companies in other countries with less stringent disclosure and notification laws, according to a study published April 28. The study, conducted by the Ponemon Institute and sponsored by security vendor PGP, is an extension of the companies' previous cost-of-breach research that examined regional differences in the costs inflicted by compromises of enterprise data. In a nutshell, the study finds breaches are much more expensive in countries that have stringent regulations than in countries that do not. "The overarching conclusion from this study is the staggering impact that regulation has on escalating the cost of a data breach," said the chairman and founder of The Ponemon Institute. "The U.S. figures are testament to this, and it is clear that as breach-notification laws are introduced across the rest of the world, other countries will follow the same pattern, and costs will rise." The study examined breach costs in five countries: the United States, the United Kingdom, Germany, France, and Australia. In the U.S., where 46 states have introduced laws forcing organizations to publicly disclose the details of breach incidents, the cost per lost record was 43 percent higher than the global average. In Germany, where equivalent laws were passed July 2009, costs were second highest — 25 percent above the world-wide average. In Australia, France, and the U.K., where data-breach notification laws have not yet been introduced, costs were all below the average. Source:

49. April 28, IDG News Service – (International) New Storm worm may not last long. A new variant of the Storm worm has emerged, but it does not appear to be as well-designed as its older relative, according to computer-security researchers. The Storm worm first appeared in early 2007 and spread quickly, making it one of the most prolific and widespread worms ever. Once it infected people's computers, the worm sent millions upon millions of spam messages. The Shadowserver Foundation, which tracks botnets, first received a sample of the new version of the worm April 13, said a researcher via instant message. The worm was then reverse-engineered by the Honeypot Project, which studies Internet threats. The new worm was found to be based on the old code, but some of the elements that made Storm difficult to disrupt were gone, according to a blog post from the organization. The new Storm does not communicate using a peer-to-peer system, a decentralized way to have computers infected with the code communicate with each other and receive new spam instructions. That may be because researchers have effectively disrupted peer-to-peer botnets, the researcher said. The new Storm communicates via HTTP traffic, but it is programmed to receive instructions from one IP (Internet Protocol) address hosted by a server in the Netherlands. The ISP hosting that server has been contacted, the researcher said. Since the worm receives instructions from just one IP address, the new Storm may not last that long. Source:

50. April 27, KUSA 9 Denver – (International) New twist on old scam defrauds Facebook users. A new phishing fraud is a frenzy on Facebook. Thousands of folks have fallen victim to an old scam with a new twist. The Colorado attorney general wants to change Facebook liability rules. "This is the very first time I have seen it but I am not surprised," the CEO of Vertical IT Solutions in Tampa, Florida said. The CEO was an intended target himself. He got an e-mail from what he thought was Facebook. It asked him to "reset his password" by clicking on an attachment. But being an Internet-security expert, he knew better. "No organization can send you an e-mail requesting you to change your password. No organization does that," he said. He said that this policy was put in place after the Bank of America phishing scam that hit thousands of Americans last year. That scam was a more direct route to get to people's personal information, like passwords, account information and ultimately money. This Facebook scam is a more roundabout route but still effective, since most people tend to use the same password for everything. "Spoofing Facebook and having them capture that confidential information, I mean, it is ingenious," the CEO said. Source:

51. April 26, Associated Press – (International) Swiss police foil bomb attack against IBM. Police have arrested two men and a woman suspected of planning to bomb an IBM Corp. research facility near Zurich, Swiss media reported Monday. Prosecutors said two Italians and a Swiss national suspected of planning a bomb attack against an international company had been arrested, but declined to confirm the target. They said the arrests occurred April 15 near Rueschlikon about 6 miles (10 kilometers) south of Zurich. Police discovered "explosive and further items in their car" as well as a note "indicating a planned attack on the branch of an international company," said a spokeswoman for the federal prosecutors office. All of those arrested remain in detention, she said. The SonntagsBlick newspaper reported the suspects intended to attack a nanotechnology research facility that IBM Corp. is building in Rueschlikon. Source:

For more stories, see items 55 and 57 below in the Communications Sector

Communications Sector

52. April 28, Associated Press – (International) Copper theft cuts phone service to hundreds in Alberta. Telus says phone service to hundreds of customers was cut after thieves swiped about 500 meters of copper cable in Alberta, Canada. Land-line and Internet service to around 460 Telus customers living in the Big Lake area in northwest Edmonton was cut off around 6 a.m. April 26 and restored later that afternoon. A spokesman for the phone company said the outage was caused by the theft of about 500 meters of copper cable. He said the cable normally would have been buried, but construction was underway in the area and it had been temporarily dug up and was above ground. The spokesman said the thieves put people's lives at risk because they no longer had access to 911. Source:

53. April 28, Gulf News – (International) Faulty submarine Internet cable still not fixed. The faulty Internet cable Sea-We-Me, which has caused Web traffic disruptions since April 14 not only in the UAE, but in the entire Middle East, large parts of Africa and Southern Asia, is still not fixed. The cable, which stretches from South East Asia to Europe via the Indian sub-continent and Middle East, was initially scheduled to undergo repairs April 24. But the cable consortium said that the work would take longer than expected, mainly due to bad weather conditions in the Mediterranean Sea. One of the affected Internet service providers, Seacom in South Africa, said in a statement April 28 that the Sea-We-Me consortium "has indicated that the repair window may be extended to Friday, April 30." The cause of the damage is still unclear. There is speculation that a ship anchor might have caused the outage, which has been located on a cable segment between Alexandria and Sicily. Source:

54. April 28, Southeast Texas Record – (Texas) Phone company claims utility provider caused damage to circuits. Southwestern Bell Telephone Co. (SWBT) has filed suit against Texas-New Mexico Power Co. over $30,000 in damages to its communications system. SWBT alleges that on May 14, 2008, TNMPC erected a utility pole near Highway 3 and Century Boulevard in Texas City and struck a conduit and cable that were buried in the area. The original complaint was filed April 26 in Galveston County Court No. 3. TNMPC is accused of negligence and trespassing. SWBT claims it lost the use of four DS3 trunk and toll circuits and five DS1 exchange circuits while repairing the problem caused by the power company. "The plaintiff has suffered actual, incidental and consequential damages, including costs to replace, repair and/or restore that portion of its telecommunications system damaged by the defendant and the value of replacement lines or circuits for the time they could not be used," the suit states. Source:

55. April 28, Help Net Security – (International) Poisoned search results: Our daily reality. The biggest threat to search engines is not their competitors, but poisoned search results. Since search engines have largely become the starting point for our daily surfing, the risk of landing on a compromised site serving malware has increased. Scammers' link architectures have evolved, and they now include even fake search engines — perfect copies of the real ones, but with all links pointing to compromised sites. A paper that Google presented April 27 at the Workshop on Large-Scale Exploits and Emergent Threats in San Jose, California contains results of the company's research into the fake AV phenomenon. Among the things the researchers reviewed is how their search engine is abused in order to drive users towards malware-serving Web sites set up by fake AV peddlers. Basically, poisoned search engine results have become a primary vector of infection, and it should not come as a surprise that Google's large market share, its breadth and speed of indexing have made it the target of choice. Source:

56. April 27, IDG News Service – (National) Broadcasting group defends its spectrum turf. Television broadcasters are willing to talk about sharing their unused spectrum with broadband providers, but they should not be forced to give up spectrum or be taxed for the spectrum they have, said the head of a broadcasting trade group. The National Association of Broadcasters (NAB) supports the goal of the U.S. Federal Communications Commission to bring broadband to all U.S. residents, but policymakers should recognize that TV broadcasting, with its one-to-many communication model, is a more efficient use of spectrum than broadband, the NAB president and CEO said. "Broadband is one to one, and it is spectrum hogging," he told members of the U.S. Senate Small Business and Entrepreneurship Committee April 27. Mobile broadband providers could solve much of their concern about a coming spectrum shortage by investing more money and putting up more towers, the NAB president, who is a former U.S. Senator, said. While much of the hearing focused on the broadband needs of small businesses, the NAB president devoted much of his testimony to concerns that his group has about a national broadband plan the FCC released in March. The plan says the FCC should encourage broadcasters to give up unused spectrum in return for a share of the money when the spectrum is sold at auction as part of an effort to free up 500MHz of spectrum for mobile broadband uses in the next 10 years. Source:

57. April 27, – (International) InfoSec 2010: Europe to mandate reporting of serious breaches. Organizations could soon be forced to report all serious data breaches to the Information Commissioner's Office (ICO), as part of an upcoming review of a European Union directive on the reporting of data losses. The ICO deputy commissioner said April 27 at Infosec 2010 that elements of the Privacy and Electronic Communications directive on breach notifications, which will soon force telcos and Internet Service Providers (ISPs) to report data breaches, are likely to be extended. "Within 18 months it is likely that ISPs and telecoms companies will have to abide by this rule, and before too long this same law will apply more generally," he said. "However, it would still only be for serious breaches of data, and firms would need to understand what represented a serious breach to ensure that the ICO, and individuals affected, were not bombarded with irrelevant notifications on all losses." The deputy commissioner also revealed the latest figures on data breaches reported to the ICO. Since November 2007, there were 962 public and private sector breaches. The largest source of breaches was the National Health Service. Source: