Department of Homeland Security Daily Open Source Infrastructure Report

Friday, April 30, 2010

Complete DHS Daily Report for April 30, 2010

Daily Report

Top Stories

The American Forces Press Service reports that a massive oil slick in the Gulf of Mexico that is headed toward U.S. shores is receiving “top-level attention” within the Defense Department as officials evaluate what capabilities it may have to support the response mission, the Pentagon Press Secretary said on Thursday. According to Reuters, fishermen and tourism businesses in the northeast Gulf of Mexico are dreading the possibility that the spill could wreck their livelihoods if it reaches shore. (See items 2 and 35)

2. April 29, American Forces Press Service – (National) Pentagon prepares for possible oil spill response. A massive oil slick in the Gulf of Mexico that is headed toward U.S. shores is receiving “top-level attention” within the Defense Department as officials evaluate what capabilities it may have to support the response mission, the Pentagon Press Secretary said on Thursday. The Defense Secretary and the Chairman of the Joint Chiefs of Staff, as well as officials at U.S. Northern Command, the Joint Staff, and the Navy, are working in close collaboration with the White House and the Department of Homeland Security to determine what assets are required. In the meantime, planners at Northcom are planning for a variety of possible missions. Military resources could be used to tow and place containment booms, tow skimmers, provide aerial delivery of dispersant chemicals, or map the oil spill, reported a Northcom spokesman. In the event that the spill reaches shore, military assets could be needed to support beach clean-up, provide incident support bases, or provide other consequence management missions. A defense coordinating officer and defense coordinating element from Northcom’s Region 6 are deploying to support the federal on-scene commander, and their counterparts in Region 4 have been told to prepare to deploy. Meanwhile, the Navy is providing boom and mooring systems, oil skimmer systems, and self-propelled MARCO Class V skimmer systems in direct support to the Coast Guard. That support is being provided under an existing pollution clean-up and salvage agreement between the two services. Source:

35. April 29, Reuters – (National) Oil spill fans fears of fishery, tourism damage. Fishermen and tourism businesses in the northeast U.S. Gulf of Mexico are dreading the nightmare possibility that a huge oil spill could wreck their livelihoods if it reaches shore. The threat could not come at a worse time as the oyster season ends and shrimp season is set to begin. The slick threatens the eastern shores of Louisiana and could also affect coastal waters in Mississippi, Alabama, and northwest Florida. The Southern Shrimp Alliance told the National Marine Fisheries Service in Washington this week it could help with prevention and clean-up. “They are willing to pull booms if they have to,” said a spokeswoman for the non-profit trade alliance. “The timing of this could be horrible.” U.S. landings of shrimp were valued at $442 million in 2008, up 2 percent from the previous year, according to the National Marine Fisheries Service. The industry fears a southerly wind could keep oil off the coast but push the shrimp into the slick, she said. The slick could also hit the tourism sector that is vital to Gulf Coast economies. In Alabama, coastal residents and businesses were “frantic” about the possible impact if the slick was blown east, said the director of the Dauphin Island Sea Lab, a state marine research facility. Tourists spent $2.3 billion on Alabama’s beaches in 2008, supporting 41,000 workers, according to the Alabama Gulf Coast Convention and Visitors Bureau. But Alabama’s beaches would be easier to clean than salt marshes and oyster reefs. The lab director said the state’s oyster fisheries are in “immediate jeopardy.” Source:

The Washington Times reports that U.S. Northern Command in Colorado withdrew from major participation in the National Level Exercise that tests its response with the Department of Homeland Security and local governments to a nuclear attack. Some officials say that what is now planned for this month will be a waste of time. (See item 57)

57. April 27, Washington Times – (National) Military cancels nuclear attack test. The U.S. military has canceled a major field exercise that tests its response to a nuclear attack, angering some officials who say that what is now planned for this month will be a waste of time. U.S. Northern Command in Colorado withdrew from major participation in the National Level Exercise (NLE), a large-scale drill that tests whether the military and the Department of Homeland Security can work with local governments to respond to an attack or natural disaster. The exercise was canceled recently, after the planned site for a post-nuclear-attack response — Las Vegas — pulled out in November, fearing a negative impact on its struggling business environment. A government official involved in NLE planning said a new site could not be found. The official also said the Northern Command’s exercise plans for “cooping” — continuity of operations, during which commanders go to off-site locations — also had been scratched. “All I know is it’s been turned into garbage,” said the official, who asked not to be identified because of the sensitivity of the information. The NLE, which is supposed to be a series of hands-on exercises to test the system in the event terrorists use a nuclear device, has become instead a “tabletop exercise at best,” the official said. The field exercise in Las Vegas was to simulate terrorists detonating an improvised nuclear device assembled with smuggled weapons-grade uranium. Created after the September 11th attacks, the NLE is the country’s largest exercise of its kind — combining activities among the military, Department of Homeland Security, and local governments to test their joint, emergency response capabilities. Source:

Banking and Finance Sector

21. April 29, Foster’s Daily Democrat – (New Hampshire) State warns consumers about loan scam. The New Hampshire attorney general and the banking commissioner wish to warn consumers about Laconia Loan Services, an Internet loan scam, which purports to offer loans that require individuals to pay a large fee upfront. The attorney general’s office and the New Hampshire Banking Commission, as well as the Laconia Police Department, have received complaints about Laconia Loan Services (LLS) from consumers who, thinking they are going to be receiving a loan, have wired large amounts of money through Western Union to addresses in Spain given to them by LLS. After wiring the funds, LLS has failed to provide the loans. LLS is an Internet loan company which uses a Laconia, New Hampshire address on its paperwork. It is not located at this address. LLS is in no way affiliated with Laconia Savings Bank. The attorney general’s office and the banking commission arranged to have LLS’ toll-free telephone number shut down, but the business had already obtained another number. LLS’ Web site has also been closed down. Consumers are urged not to do business with LLS or any other Internet loan business without first contacting the attorney general’s office or the banking commission. Source:

22. April 29, Wichita Eagle – (National) FDIC: Hacker attacks are risk for businesses. A federal bank regulator is concerned about cybercriminals targeting small and midsize businesses. The Federal Deposit Insurance Corporation said such attacks are on the rise. It plans to begin addressing the problem at a symposium next month in Washington, D.C. “Our analysis of Financial Crimes Enforcement Network’s Suspicious Activity Reports indicates that bank losses related to computer intrusion or wire transfer have increased as of last fall,” said the director of the FDIC’s division of supervision and consumer protection. “We must do everything we can to keep electronic payments of all types safe.” The FDIC said the fraud has “resulted in losses in the millions, and frayed business relationships and litigation affecting both banks and businesses.” The specific issue is what the FDIC calls “corporate account takeover schemes.” Those involve criminals gaining access to a business’s online banking account by way of a stolen user name and password or through hacking, another FDIC spokesman said. The criminals then make fraudulent electronic funds transfers. “This is happening all across the country,” he said. Source:

23. April 28, U.S. Government Accountability Office – (National) Better communication could enhance the support FinCEN provides to law enforcement. Better communication could enhance the support the Financial Crimes Enforcement Network (FinCEN) provides to law enforcement, the Government Accountability Office (GAO) has found. It detailed steps that could be taken to improve anti-money-laundering efforts in a study issued April 28. The GAO noted that in December 2009, it found that the majority of 25 Law Enforcement Agencies (LEA) surveyed found FinCEN support useful in their efforts to investigate and prosecute financial crimes. But the GAO also found that FinCEN could enhance its support by better informing LEAs about its services and products and actively soliciting their input. GAO recommended that FinCEN establish a process for soliciting input regarding the development of its analytic products. FinCEN agreed with the recommendation and in April 2010 outlined a number of steps it plans to take to better assess law-enforcement needs, including ongoing efforts to solicit input from LEAs. GAO recommended that FinCEN develop a mechanism to collect sensitive information regarding regulatory changes from LEAs. In April 2010, FinCEN reported that it developed an approach for collecting sensitive information without making the comments publicly available. Source:

24. April 28, WBRC 6 Birmingham – (Alabama) Former bank employee indicted for fraud, theft. A federal grand jury on April 28 indicted a former Regions Bank (Alabama) employee on fraud and identity theft charges. A U.S. attorney, in a statement to FOX6 News, said the 33-year-old suspect, of Birmingham, Alabama, was indicted on 11 counts of mail fraud, bank fraud, and aggravated identity theft. In June 2008, the suspect applied for a Capital One credit card in the name of a Regions Bank customer who did business at the branch where the suspect worked. The suspect received the credit card through the mail, used it for more than a year, and sometimes made payments on the card bill with money he took from the same customer’s Regions Bank accounts. The indictment also charges that, from October 2008 to September 2009, the suspect made unauthorized cash withdrawals from accounts of three Regions customers, including the one in whose name he had obtained the Capital One credit card. Between June 2009 and September 2009, the suspect also made unauthorized electronic withdrawals from accounts of two of these Regions customers, causing the money to be transferred to a PayPal account he controlled, the indictment says. The U.S. attorney said this prosecution is connected to the U.S. President’s Financial Fraud Enforcement Task Force. Source:

25. April 28, Chicago Tribune – (Illinois) Serial robber suspected in suburban bank heists. A man who robbed an Arlington Heights bank today is suspected in at least four other Chicago-area bank heists this month, authorities said. At approximately 4:10 p.m., the man walked into the Village Bank and Trust at 311 S. Arlington Heights Road and demanded money, although he did not display a weapon. He left the bank on foot, eastbound into a residential neighborhood, Arlington Heights police said. Police searched the area with officers and dogs but did not find him. The FBI believes the same man is responsible for four other bank robberies and an attempted robbery in the last month, a spokesman said. According to information the FBI posted on the Web site, the same robber hit the TCF Bank at 950 W. Meacham in Schaumburg April 5, the Harris Bank at 1680 W. Algonquin Road in Hoffman Estates April 12, the Harris Bank at 10 Huntington Lane in Wheeling April 16, and the Harris Bank at 1 S. Arlington Heights Road in Elk Grove Village April 21. According to the FBI, witnesses in the first heist described the robber as a white man in his early 20s, about 5-foot-10 and 185 pounds, brown hair, and wearing blue jeans, a gray sweatshirt and dark sunglasses. Source:

26. April 28, – (International) Barclays security chief: assume all networks are compromised. IT security professionals should operate under the assumption that their networks are compromised, and look at ways to ensure that the system works regardless, according to the head of information risk management at Barclays. He argued during a panel debate at Infosecurity Europe April 28 that it is wrong for security chiefs to try to create a “bubble of safety” in their systems, because that is a false hope given the numerous threats and flaws. He clashed with his fellow panelists, both heads of information security at large multinationals, arguing that users do not benefit from feeling that they are being “watched” and should not be treated like children. It is the information security professional’s responsibility to educate users so that they can make the right decisions, according to the Barclays executive. “I believe that it is not all the user’s fault. Users generally make informed and sensible decisions, and our goal is to educate and inform them,” he said. Source:

27. April 28, U.S. Government Accountability Office – (National) FinCEN needs to develop its form-revision process for suspicious-activity reports. The Financial Crimes Enforcement Network (FinCEN) must further develop its form-revision process for suspicious-activity reports to better enforce the Bank Secrecy Act (BSA), according to a new Government Accountability Office (GAO) report. Issued April 28, the study found that from 2000 through 2008, total Suspicious Activity Report (SAR) filings by depository institutions increased from about 163,000 to 732,000 per year. Representatives from federal regulators, law enforcement, and depository institutions with whom the GAO spoke attributed the increase mainly to two factors. First, automated monitoring systems can flag multiple indicators of suspicious activities and identify significantly more unusual activity than manual monitoring. Second, several public enforcement actions against a few depository institutions prompted other institutions to look more closely at client and account activities. Other factors include institutions’ greater awareness of and training on BSA requirements after September 11, 2001, and more regulator guidance for BSA examinations. FinCEN and law-enforcement agencies have taken actions to improve the quality of SAR filings and educate filers about their usefulness. Since 2000, FinCEN has issued written products with the purpose of making SAR filings more useful to law enforcement. FinCEN and federal law-enforcement agency representatives regularly participate in outreach on BSA/anti-money laundering, including events focused on SARs. Law-enforcement agency representatives said they also establish relationships with depository institutions to communicate with staff about crafting useful SAR narratives. According to FinCEN officials, the agency is taking additional steps toward obtaining greater collaboration with law-enforcement agency representatives, prosecutors, multi-agency law-enforcement teams, and others to determine the contents of the form, but it is too soon to determine the effectiveness of the process. Source:

Information Technology

59. April 29, – (International) Russia dominating automated-malware kit market. Russia is dominating the market for automated malware creation kits that are sold online to phishers and data thieves. A new report from M86 Security, entitled “Web Exploits: There’s an App for That,” found that the majority of new malware-creation kits, such as Adpack and Fragus, are being sold in Russia. The company had seen a big increase in the size and complexity of such kits, and said that more than a dozen had launched in the past six months. “People can launch attacks without even knowing a line of code, and the infrastructure now exists to pay the attacker per exploit achieved,” said the vice president of technology strategy at M86 Security. “With an attack kit, there is literally ‘an app for that’ and it is driving the explosive growth in Internet-borne threats such as spam and zero-day attacks with new kits popping up every day.” Software to automatically generate malware has been around for some years, but has now evolved into a complex business. Some kits just offer code generation, while others sell full-service packages that update the creation engine to keep ahead of security companies. The report also found a thriving trade in third-party payments, where attackers receive a commission based on the amount of third-party malware installed on a victim’s system. Source:

60. April 29, Help Net Security – (International) India now the primary producer of viruses. India has pushed Korea into second place and taken over the mantle of the world’s largest producer of Internet viruses, according to analysis of Internet threats in April by Network Box. India now accounts for just under 10 percent of the world’s viruses, ahead of Korea at 8.24 percent and the U.S. at 6.7 percent. India is also becoming a more dominant force in spam production and intrusions: 7.4 percent of the world’s spam now originates from India, and the country is responsible for 8.6 percent of intrusions. This trails the U.S., which still produces more spam than any other country (11.9 percent). It was revealed earlier in the month that computer networks in India had been compromised by Chinese hackers, who used social networking sites to compromise computers in India and also attacked the India High Commission in the UK. Source:

61. April 29, Computerworld – (International) PDF exploits explode, continue climb in 2010. Exploits of Adobe’s PDF format jumped dramatically last year, and continue to climb during 2010, a McAfee security researcher said April 28. Microsoft, meanwhile, recently said that more than 46 percent of the browser-based exploits during the second half of 2009 were aimed at vulnerabilities in Adobe’s free Reader PDF viewer. According to a security strategist with McAfee Labs, the percentage of exploitative malware targeting PDF vulnerabilities has skyrocketed. In 2007 and 2008, only 2 percent of all malware that included a vulnerability exploit leveraged an Adobe Reader or Acrobat bug. The number jumped to 17 percent in 2009, and to 28 percent during the first quarter of 2010. “In the last three years, attackers have found PDF vulnerabilities more and more useful, for a couple of reasons,” the security strategist said. “First of all, it is increasingly difficult for them to find new vulnerabilities with the operating system and within browsers that they can exploit across the different versions of Windows. And second, Reader is one of the most widely deployed applications that allows files to be accessed or opened within the browser.” Source:

62. April 29, Wall Street Journal – (International) Beijing to impose encryption disclosure rules. China is set to implement new rules that would require makers of certain electronic equipment to disclose key encryption information to be eligible for government procurement sales, creating a possible showdown with foreign companies that are unlikely to comply. Beginning May 1, makers of six categories of technology products, including smart cards, firewall technology, and Internet routers, will have to disclose encryption codes to authorities for certification to participate in bidding for government purchases. Such encryption information is closely guarded by companies, and industry officials say foreign companies that fall under the new rules are unlikely to comply, which could mean they are cut off from government contracts for those products. The product categories covered by the encryption rules account for tens of millions, or possibly hundreds of millions, of dollars a year in government sales, industry officials estimate. That’s a small fraction of the many tens of billions a year China’s government spends on procurement. Still, the dispute is the latest illustration of recent tension between Chinese authorities and foreign businesses over a range of regulatory policies. Source:

63. April 28, Computerworld – (International) Major malware campaign abuses unfixed PDF flaw. Several security companies today warned of a major malware campaign that tries to dupe users into opening rigged PDFs that exploit an unpatched design flaw in the PDF format. Users who open the attack PDFs are infected with a variant of a Windows worm known as “Auraax” or “Emold,” researchers said. The malicious messages masquerade as mail from company system administrators and come with the subject heading of “setting for your mailbox are changed,” said a research engineer in CA Inc.’s security group. A PDF attachment purportedly contains instructions on how to reset e-mail settings. “SMTP and POP3 servers for ... mailbox are changed. Please carefully read the attached instructions before updating settings,” the message states. In reality, the PDFs contain embedded malware and use the format’s /Launch function to execute that malware on Windows PCs running the newest versions of Adobe Systems Inc.’s Acrobat application or its free Adobe Reader, as well as other PDF viewers, such as Foxit Reader. Source:
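The campaign in item 63 works because a PDF’s /OpenAction can point at a /Launch action, so the viewer is asked to run a file the moment the document is opened, with no exploit of a memory-corruption bug involved. A mail gateway or triage analyst can flag such files before they reach a user. The scanner below is an added example for this report, not code from Computerworld, CA, or Adobe; the PDF it scans is a constructed fixture (the file name `sample.exe` and the object layout are made up), and the thresholds in `risk()` are assumptions. It handles two evasions a plain `grep` for “/Launch” misses: PDF names may be written with `#xx` escapes (so `/L#61unch` is the same name as `/Launch`), and the action dictionary may sit inside a FlateDecode-compressed object stream.

```python
import re
import zlib

# PDF name tokens may encode any character as #xx (PDF 32000-1:2008, 7.3.5),
# so "/Launch" can legitimately be spelled "/L#61unch". Normalise before matching.
NAME_TOKEN = re.compile(rb"/([^\s/\[\]<>(){}%]*)")
STREAM = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

# Names worth flagging. Launch plus OpenAction is the "runs on open" pattern
# described in the campaign above; the other two are common companions.
INDICATORS = (b"/Launch", b"/OpenAction", b"/JavaScript", b"/EmbeddedFile")


def _decode_name(raw: bytes) -> bytes:
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), raw)


def normalise_names(data: bytes) -> bytes:
    """Rewrite every #xx-escaped name token into its literal spelling."""
    return NAME_TOKEN.sub(lambda m: b"/" + _decode_name(m.group(1)), data)


def inflate_streams(data: bytes) -> bytes:
    """Append the inflated body of every zlib/FlateDecode stream, so names hidden
    in compressed object streams are seen by the same scan. Other filters
    (LZW, ASCIIHex, ...) are not handled here and would need their own decoders."""
    extra = []
    for m in STREAM.finditer(data):
        try:
            extra.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed, or corrupt: leave it
    return data + b"\n" + b"\n".join(extra)


def scan_pdf(data: bytes) -> dict:
    """Return {name: occurrence count} for each indicator found as a whole token."""
    text = normalise_names(inflate_streams(data))
    hits = {}
    for token in INDICATORS:
        # whole-token match: /Launch but not /LaunchSomething
        n = len(re.findall(re.escape(token) + rb"(?![^\s/\[\]<>(){}%])", text))
        if n:
            hits[token.decode()] = n
    return hits


def risk(hits: dict) -> str:
    """Assumed triage policy: auto-triggered Launch is high, any active content medium."""
    if "/Launch" in hits and "/OpenAction" in hits:
        return "high"
    if "/Launch" in hits or "/JavaScript" in hits:
        return "medium"
    return "low"


def build_sample(obfuscate: bool = False, compress: bool = False) -> bytes:
    """Constructed fixture: a minimal PDF whose OpenAction is a Launch action.
    obfuscate spells the name /L#61unch; compress hides the action object in a
    FlateDecode object stream. Not a real document from the campaign."""
    launch = b"/L#61unch" if obfuscate else b"/Launch"
    action = b"<< /Type /Action /S " + launch + b" /F (sample.exe) >>"
    if compress:
        body = zlib.compress(b"3 0 " + action)
        obj = (b"4 0 obj << /Type /ObjStm /N 1 /First 4 /Filter /FlateDecode /Length "
               + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n")
    else:
        obj = b"3 0 obj " + action + b" endobj\n"
    return (b"%PDF-1.4\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            + obj + b"trailer << /Root 1 0 R >>\n%%EOF\n")


# Constructed benign fixture: same skeleton, no actions at all.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
              b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    for label, pdf in (("plain", build_sample()),
                       ("obfuscated+compressed", build_sample(True, True)),
                       ("benign", BENIGN_PDF)):
        found = scan_pdf(pdf)
        print(f"{label:22s} risk={risk(found):6s} {found}")
```

On a real gateway this sits in front of the attachment policy: a `high` result is quarantined, `medium` goes to a sandbox or analyst, and the counts are logged so that a sudden run of `/Launch`-bearing mail with a “mailbox settings” subject, as in this campaign, is visible as a trend rather than one ticket.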

64. April 28, IDG News Service – (Texas) Texas man set to admit building botnet-for-hire. A Mesquite, Texas man is set to plead guilty to training his 22,000-PC botnet on a local Internet Service Provider — just to show off its firepower to a potential customer. The suspect will plead guilty to charges that he and another man built a custom botnet, called Nettick, which they then tried to sell to cybercriminals at the rate of $0.15 per infected computer, according to court documents. On August 14, 2006, the pair allegedly used part of Nettick to attack a computer hosted by The Planet. Apparently, that was just a test, to show that the botnet was for real. “After the test, the bot purchaser agreed to buy the source code and the entire botnet for approximately $3,000,” prosecutors said in the indictment against the two men. The first suspect will plead guilty Thursday in federal court in Dallas, according to his attorney. The second suspect has pleaded innocent in the case and is set to go to trial May 17. Both men face a maximum of five years in prison and a $250,000 fine on one count of conspiring to cause damage to a protected computer and to commit fraud. Source:

65. April 28, The Register – (International) Online anonymity fueled ‘Web War’ on Estonia. The attacks that paralyzed Estonian Internet traffic for three days in 2007 were fueled by online anonymity and a phenomenon known as contagion, according to a report by three academicians. The paper, titled “Storming the Servers: A Social Psychological Analysis of the First Internet War,” is among the first to study the social and psychological forces that contributed to the massive DDoS, or distributed denial of service, attacks on Estonia. They are likely to play out in future online conflicts, the authors warn. Chief among the contributors was the anonymity of online interactions, which the authors said created a disregard for established social mores. “Participants in the attacks both transmitted instructions on how to participate and took part in the DDoS attacks themselves from the privacy of their offices, Internet cafes, and homes,” the paper explains. “One of the many ways in which communication via the Internet differs from face-to-face communication is the relative anonymity afforded by the communication mode.” Anyone who has ever participated in an online discussion knows that the potential runs high for flaming and other highly aggressive behavior. The paper speculates that the relative anonymity that comes with online interaction may be to blame because it decreases the effect of an individual’s internal standards of conduct. The resulting lack of accountability may have spurred on people who were already angry at Estonia. Source:

66. April 28, Government Computer News – (International) Microsoft reissues Windows 2000 Server security fix. On April 28, Microsoft released an updated critical fix for Windows Media Services on Windows 2000 Server. The revamped bulletin, MS10-025, addresses a “privately disclosed” bug that could enable remote code execution attacks. The bulletin was reissued less than a week after Microsoft pulled the initial fix from its April monthly security-patch rollout. Microsoft explained at that time that the fix did not “address the underlying issue effectively.” The company added that it was not aware of active attacks seeking to exploit the vulnerability. Some security experts believe that Microsoft recently received private, third-party reports that the patch did not correctly address the vulnerability and therefore pulled it for a reconfiguration last week. For its part, Microsoft said that the new update remedies the remote code execution vulnerability, which stems from a stack overflow in Windows Media Services. Windows Media Services is an optional component of Windows 2000 Server that supports streaming media applications. Source:

Communications Sector

67. April 29, – (International) Damaged submarine cable now fixed, says Etisalat. Frustrated Internet users in the UAE may finally be able to get back to watching video clips on YouTube and uploading pictures to Facebook, following the April 29 announcement that the damaged submarine cable largely responsible for connecting the country to the rest of the world has been fixed. The Sea-Me-We 4 cable has been out of action for two weeks, and although UAE Internet providers Etisalat and Du say bandwidth has not been affected because traffic has been re-routed, users have complained of dramatically reduced speeds. Earlier April 29, a spokesman for Etisalat told CommsMEA: “[The repair work] has been completed and now all operators are re-routing their traffic. This will take some time, but by tonight it should be back to normal.” Repair work to fix the affected section of the cable was scheduled to start April 17, but it was pushed back to April 24 due to bad weather in the Mediterranean Sea before finally beginning April 25. Source: