Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, May 25, 2010

Complete DHS Daily Report for May 25, 2010

Daily Report

Top Stories

 According to The Associated Press, Vermont Yankee officials said that while cleaning up after a leak of radioactive tritium at the nuclear power plant, they found another, more potent radioactive isotope in soil near where the leak occurred. Strontium-90 is a byproduct of nuclear fission that has been linked to cancer and leukemia. (See item 10)

10. May 21, Associated Press – (Vermont) Strontium-90 found in soil at Vermont nuke plant. Vermont Yankee officials said that while cleaning up after a leak of radioactive tritium at the nuclear power plant, they found another, more potent radioactive isotope in soil near where the leak occurred. Strontium-90 is a byproduct of nuclear fission that has been linked to cancer and leukemia. A Vermont Yankee spokesman said Friday that the substance has not been found in any groundwater and plant officials believe they have removed all the soil containing it. He said they believe it poses no threat to public safety or health. Source:

 San Antonio Express-News reports that U.S. Department of Agriculture fever-tick inspectors have become the latest set of American workers pulled from northern Mexico amid ongoing drug cartel violence, a move some Texas ranchers fear will reintroduce a pest that nearly wiped out U.S. cattle a century ago. (See item 34)

34. May 22, San Antonio Express-News – (National) Ranchers now fear return of fever ticks. U.S. Department of Agriculture (USDA) fever-tick inspectors have become the latest set of American workers pulled from northern Mexico amid ongoing drug cartel violence, a move some Texas ranchers fear will reintroduce a pest that nearly wiped out U.S. cattle a century ago. Citing safety concerns, the department’s Animal & Plant Health Inspection Service March 29 suspended its cattle inspections in Reynosa and Nuevo Laredo, Mexico. The agency last week diverted Reynosa inspections to nearby Pharr, Texas and this week opened a second U.S. facility in Laredo. A USDA spokeswoman said the agency is taking precautions to minimize the risk of a reinfestation. The non-native fever ticks transmit a blood parasite that causes bovine babesiosis, otherwise known as “Texas fever” or “cattle fever.” The disease in the early 1900s spread through herds and wiped out nearly 90 percent of the cattle in some areas, helping end the era of cattle drives to the north. In 2006, the USDA marked the 100-year anniversary of its successful Cattle Fever Tick Eradication Program, which by 1943 had eliminated the ticks in the United States except for a narrow quarantine zone along the border. The ticks in 2007 turned up beyond the quarantine zone, prompting a cry for more federal resources. There’s growing concern about deer and other animals, such as non-native nilgai kept as exotic game for hunters, spreading the tick as they jump fences between ranches. A large part of the program has been done in Mexico, where the USDA has had 43 employees at 11 Mexican cattle inspection ports examining about a million head a year. About 38,000 of these come through Laredo, another 39,000 through Pharr. While the Laredo facility is outside the quarantine zone, a USDA spokeswoman said precautions were being taken to ensure ticks don’t drop onto U.S. soil. Mexican agriculture inspectors are doing visual inspections before the cattle cross, she said, which makes for a “double inspection.” Trucks are sealed by Mexican authorities and not unsealed until they get to the inspection facilities in Texas. Source:


Banking and Finance Sector

15. May 24, Washington Post – (National) District food servers charged in theft of patrons’ credit card numbers. Three servers at the Cheesecake Factory restaurant on Wisconsin Avenue in Washington D.C. allegedly stole credit card numbers from patrons as part of a scheme that racked up more than $117,000 in fraudulent charges between 2008 and last year, authorities said. Investigators with the U.S. Secret Service allege the servers were working for a larger fraud ring and were using electronic devices to “skim” the credit card numbers of customers they served at the restaurant. The devices were handed off to others, and the stolen numbers were used to make fake credit cards and later used to buy gift cards and merchandise in the Washington area, according to court records in U.S. District Court in Alexandria. Federal officials became aware of the scheme in April 2009, when Citibank investigators reported numerous fraudulent charges on cards that had been used at the Cheesecake Factory at 5345 Wisconsin Ave. in Friendship Heights, just south of the Maryland line. Because servers at the restaurant have to swipe a server card unique to them before processing a credit card, investigators were able to narrow the transactions to three servers, according to court documents. Secret Service agents interviewed two servers, identified in court documents only by their initials because they are cooperating with the investigation. The servers said they were recruited by another server at the restaurant. The recruiter allegedly provided the servers with “skimmers” to capture the credit card numbers and would then hand off the devices to two men, known only as “Slim” and “G.” Source:

16. May 23, KXII 12 Sherman – (Texas) Text scam targets Chase bank customers. Over the weekend, messages requesting Chase customer’s bank information were sent via text. The message informed customers to call an 800 number, and then type in their account numbers because their funds may have been tampered with. One Chase customer shared the message with KXII 12 saying he was skeptical, and called his bank to confirm if the message was true. Chase representatives said they will never ask for personal information via text. Source:

17. May 23, KKTV 11 – (Colorado) Phone scam asking for credit card number targets region. A phone scam is making its way throughout the region, asking customers for their credit card numbers in order to protect against future fraud. The scam works by trying to make an individual think they are already a victim of fraud. The caller tells the potential victim that someone has made fraudulent charges on the victim’s card, and in order to stop it, they need the credit card number. Aventa, which was formerly Colorado Springs Credit Union, is sometimes referenced in these scam calls, and a company representative said it has already started receiving calls from concerned customers. Aventa’s representative said customers should never give out personal and account information; if one’s financial institution needs it, they probably already have it. Source:

18. May 23, Associated Press – (Oregon) Man arrested in Eugene accused as ‘Grandpa Bandit’. A man arrested in Eugene, Oregion in connection with a bank robbery has been indicted by a federal grand jury on charges that he robbed seven Oregon banks in a spree attributed to the “Grandpa Bandit.” Eugene Police arrested the 60-year-old Drain resident after $939 was taken from an Umpqua Bank branch in Eugene. This week, the suspect was indicted by a federal grand jury in connection with seven robberies. An affidavit filed in U.S. District Court by an FBI agent said the suspect told police he was responsible for several bank robberies. The reason he gave Eugene Police for robbing the Eugene Bank was “stupidity.” Source:

19. May 22, Bank Info Security – (Minnesota) 1 bank closed on May 21. State and federal regulators closed one bank May 21. This closing raises to 81 the number of failed institutions so far in 2010. Pinehurst Bank in St. Paul, Minnesota was closed by the Minnesota Department of Commerce, which appointed the Federal Deposit Insurance Corporation as receiver. Coulee Bank, La Crosse, Wisconsin, will buy all of the deposits of Pinehurst Bank. The sole branch of Pinehurst Bank will reopen as a branch of Coulee Bank. Pinehurst Bank had approximately $61.2 million in total assets. The estimated cost to the Deposit Insurance Fund (DIF) will be $6 million Source:

20. May 22, Kentucky Post – (Ohio) Bank robber takes money, leaves fake bomb. Police said a man walked into a PNC bank branch in Sharonville, Ohio, placed a suspicious device on the counter, and demanded money from the tellers. It happened around 6:05 p.m., just as the bank was closing. The PNC branch is located on Reading Road near I-275. The first Sharonville officer on the scene followed procedure by evacuating the bank and nearby businesses. He set up a 250-yard perimeter, and called in the Hamilton County Bomb Squad. Bomb technicians suited up in protective gear before entering the bank, and X-ray imaged the suspicious device. The X-rays revealed the device was not a threat. Source:

21. May 22, KRQE 13 Albuquerque – (New Mexico) Bank evacuated for bomb threat. A bomb threat sent Bank of America employees scattering May 22 in Rio Rancho, New Mexico. Dozens of employees of a Bank of America were evacuated after someone made a “non-specific” bomb threat around 12:45 p.m. As the workers waited outside, police went through the building looking for anything suspicious. Police said it could be hard to pinpoint exactly where the call came from. Nothing was found. Source:

22. May 21, Computerworld – (National) Walmart to support smartcard payments. Retail giant Walmart Stores Inc. is reportedly planning on making all its payment terminals in the U.S. compliant with a smartcard-based credit card technology that is widely used around the world but is not common in the U.S. Walmart’s plans were disclosed at a smartcard conference being held this week, and were first reported by Storefront Backtalk. Storefront Backtalk quoted Walmart’s director of payment services as saying the retailer was working on making all payment terminals in its domestic stores chip-and-PIN-capable. The director was reported as having said that signature-based credit-card transactions had become a “waste of time” for Walmart. Such a move by Walmart would have widespread ripple effects. As the largest retailer in the world, a Walmart decision to support chip-and-PIN could finally nudge card issuers, payment processors and other merchants to adopt the technology. Source:

23. May 21, DarkReading – (International) ID theft victims spending less in cleanup aftermath. Nearly one-third of all identity theft victims say they are unable to completely clear up damaged credit or criminal records in the aftermath of their identities being abused. But the good news is they are spending much less time and money cleaning up the fraud perpetrated against them in their names, according to a newly released report. The Identity Theft Resource Center (ITRC)’s “Identity Theft: The Aftermath 2009” report found that ID theft victims spent about $527 dollars out of pocket for an existing account compromised by an attacker, down from $741 in 2008. They also spent less time repairing the damage from a compromised account — an average of 68 hours versus 76 hours in 2008. It takes more time to clean up a newly opened financial account or a case involving criminal or governmental issues — 141 hours last year, which was an improvement over ‘08, when it took an average of 265 hours. The ITRC report (PDF) surveyed 183 victims nationwide. Nearly 24 percent say they believed they knew their identity thief, who was either a relative, friend, roommate, ex-spouse, or ex-significant other. And 10 percent say their cases were traced to an employee at a business who had their identity information. Source:

Information Technology

45. May 24, – (International) Botnets for hire at £5.99 per hour. Authentication firm VeriSign has warned that botnets could become more widespread and dangerous as the services become easier to find and cheaper to hire. VeriSign’s iDefence arm said that criminals are advertising botnet services on online forums for just £5.99 an hour, which could be used to launch hacking attacks. The company warned that this cheap and wide availability means that businesses are increasingly at risk of sophisticated attacks from the lowliest of sources. VeriSign studied 25 botnet herders across three forums, and found that the average cost of a 24-hour rental is just under £45, and includes a range of attack vectors including ICMP, SYN, UDP, HTTP and HTTPS. The firm said that it had seen many forums using traditional types of marketing to promote their wares, including banner advertising, in a sign of how sophisticated such businesses had become. VeriSign added that one forum even offered prices for taking down sites that were already prepared to defend against such attacks. Source:

46. May 24, SC Magazine – (International) Google introduces SSL encrypted search engine, as Hotmail moves to protect users further. Google has added full SSL encryption to its search services to allow users to have a secure https connection when searching The page is accessed by specifically entering in the address bar. A Google software engineer claimed that by adding SSL encryption to products including Gmail to Google Docs, the session-wide encryption was “a significant privacy advantage over systems that only encrypt login pages and credit card information.” Google also clarified that the release is in beta to cover only the core Google Web search product, and not on Image Search and Maps. Since SSL connections require additional time to set up the encryption between the browser and the remote Web server, a user experience with search over SSL may be slightly slower than a regular Google search experience. Google also claimed that it will still maintain search data “to improve your search quality and to provide better service.” Source:

47. May 24, – (International) Facebook users suffer second ‘sexy’ malware attack. Security experts have called on Facebook to set up an early warning system on its network to notify users of any threats and when they occur, after yet another malware attack hit the site over the weekend. The attack is the second in successive Saturdays to use a “sexy video” to lure the recipient into clicking on a fake FLV Player upgrade message, which then downloads adware onto the PC. Both files arrive as a thumbnail video in messages posted to users’ walls. Last week’s included the message: “This is without doubt the sexiest video ever!: P :P :P.,” while the new scam refers to “distracting beach babes.” Facebook is aware of the problem and is “actively removing both the wall posts and the malicious applications,” wrote a Websense senior research manager in a blog post. Source:

48. May 24, Computerworld – (International) Microsoft smacks patch-blocking rootkit second time. For the second month in a row, Microsoft has tried to eradicate a mutating rootkit that has blocked some Windows users from installing security updates. According to the Microsoft Malware Prevention Center (MMPC), this month’s Malicious Software Removal Tool (MSRT) has scrubbed the Alureon rootkit from over 360,000 Windows PCs since its May 11 release. That represented 18.2 percent of all MSRT detections for the month, more than double the 8.3 percent the rootkit accounted for in April. The free MSRT is updated each month as part of Microsoft’s monthly Patch Tuesday, and pushed to users via the same Windows Update mechanism used to serve up security fixes. April’s edition of MSRT, which was released April 13, also included Alureon sniffing skills. Last month, MSRT removed the rootkit from more than 260,000 Windows systems. Although the Alureon rootkit is no malware newcomer — antivirus company Symantec identified it in October 2008 — it first made news last February when Microsoft confirmed that the rootkit caused infected PCs to crash when users applied a patch the company issued that month. Source:

49. May 23, PC World Р(International) Bugnets could spy on you via mobile devices. Imagine an individual sitting in a caf̩ discussing the details of a business proposal with a potential client. Neither the individual nor the client has a laptop; they are just two people having a conversation. But unbeknownst to either, someone half a world away is listening to every word they say. Later, as the individual leaves, they receive a text message referring to the proposal and demanding money in exchange for silence. Recent research from two universities suggests that such a remote-

eavesdropping scenario may soon be possible. According to two George Mason University researchers, cell phones make excellent surveillance devices for remote snoops. In a paper, both discuss a “modernized mic hijacker” that an attacker could control over what they call a “roving bugnet.” The eavesdropper would use a piece of malware called a “bugbot” to listen in on in-person interactions via a nearby smartphone or laptop. Such attacks would be more likely to target specific people (a wayward spouse, say) than to play a role in widespread attacks on the general public. Source:

50. May 21, The Register – (International) Flaw lets hackers delete Facebook friends. The Facebook security gaffes keep coming, with the latest being a bug that allows hackers to delete all of a users’ site friends without permission, according to IDG News. The flaw was reported May 26 by a college student, but some 48 hours later it could still be exploited to delete an IDG reporter’s Facebook friends. The student has written proof-of-concept code that uses publicly available data from Facebook to systematically delete all of a user’s friends. “A malicious hacker could combine an exploit for this bug with spam or even a self-copying worm code to wreak havoc on the social network,” IDG said. The CSRF, or cross-site request forgery, bug that makes all this possible is the same one reported earlier last week that exposed user birthdays and other sensitive data even when they were designated as private. Facebook representatives had said company engineers had closed the hole, but that pronouncement was premature. The flaw could still be exploited to control the site’s “like” feature, a button users click to endorse ads and other types of content. Source:

51. May 21, DarkReading – (International) New threat for wireless networks: Typhoid adware. There is a potential threat lurking in your Internet cafe, say University of Calgary computer science researchers: Typhoid adware. Typhoid adware works in similar fashion to Typhoid Mary, the first identified healthy carrier of typhoid fever who spread the disease to dozens of people in the New York area in the early 1900s. “We’re looking at a different variant of adware — Typhoid adware — which we have not seen out there yet, but we believe could be a threat soon,” said an associate professor who co-authored a research paper with a assistant professor and two students. Typhoid adware could be spread via a wireless Internet cafe or other area where users share a nonencrypted wireless connection. Typically, adware authors install their software on as many machines as possible. But Typhoid adware hijacks the wireless access point and convinces other laptops to communicate with it instead. Then the Typhoid adware automatically inserts advertisements in videos and Web pages on hijacked computers, the researchers said. Meanwhile, the carrier sips her latte in peace — she sees no advertisements and doesn’t know she is infected, just like symptomless Typhoid Mary. Source:

52. May 21, The New New Internet – (International) Swedish online network cyber attacked. IDG, a Swedish online network with more than 25 technology-, IT- and business-related Web sites, suffered a cyber attack May 19, according to ComputerSweden. All sites belonging to the network crashed as result of a botnet targeting the whole network, as well as the internal one. The first signs of the cyber attack emerged around 10 p.m. After hours of intense work, the sites were back up the following day. An IP-address originating in Taiwan was identified as a possible culprit for the attack. With that information handy, technicians were able to block traffic and reboot the systems. Even IDG’s own Internet connection was compromised by the attackers, but the problem was solved thanks to alternative connections, including 3G modems. Source:

53. May 21, The New New Internet – (International) Iranian cyber army second largest in the world, claims Iranian commander. After hacking Twitter and various Iranian Web sites and engaging in a cyber war with China, the Iranian Cyber Army is said to be looking at the Revolutionary Guards for direction, according to a senior Revolutionary Guards Corps commander. Fars news agency reports that the commander of the Ali Ebn-e Abi Taleb Guards in Qom, said May 20 that the Revolutionary Guards has been successful in establishing a cyber army and “today the cyber army of the Revolutionary Guards is the second largest cyber army in the world.” The commander also claimed the objective of the Iranian Cyber Army is “to prevent the destruction of Iran’s cultural and social system” and added the “cyber army of the Revolutionary Guards is a force to reckon with in this arena.” The Iranian Cyber Army has not been officially claimed by any group. Last year, Defense Tech, a U.S. military and security organization announced that the Iranian Cyber Army belongs to the Revolutionary Guards of Iran. Source:

Communications Sector

54. May 24, PC Advisor UK – (International) US begins $8 billion upgrade of GPS satellites. The U.S. is upgrading its 24 Global Positioning System (GPS) satellites in a bid to improve the accuracy of the technology and prevent outages. As part of the $8 billion upgrade, 18 new satellites are being built by Boeing’s Space and Intelligence Systems, while Lockheed Martin has been commissioned to build a further 12 satellites. Each of the existing 24 satellites will be replaced, the first of which was launched this weekend, while the remaining six that have been manufactured will be kept as spares. “We know that the world relies on GPS,” the upgrade’s chief engineer told the Los Angeles Times. It is thought the new satellites will mean a location can be pinpointed to “within an arm’s length, compared with a margin of error of 20 feet or more today.” The upgrade is expected to take 10 years to complete and will be handled by engineers at the Los Angeles Air Force Base in El Segundo. Source:

55. May 22, The Day – (Connecticut) State regulators: AT&T should pay for slow repairs. Telecommunications giant AT&T should pay $1.12 million for its slow repair service, Connecticut regulators said May 21 in a decision cheered by consumer advocates and union leaders. “AT&T Connecticut has consistently and repeatedly failed to meet the requirement that 90 percent of all service repairs ... be cleared within 24 hours,” the state Department of Public Utility Control (DPUC) said in its decision. AT&T said it would contest the civil penalty, which looked back to the phone company’s record of service since 2001. The fines, officially proposed against AT&T subsidiary Southern New England Telephone, amount to $10,000 per month since the requirement for quick phone repair has been in effect. “The DPUC’s notice of violation sends a strong message to AT&T that the customer service regulations are going to be enforced,” said a statement from the office of consumer counsel approving of the decision. Source: