Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, June 3, 2010

Complete DHS Daily Report for June 3, 2010

Daily Report

Top Stories

• Network World reports that cyber attacks, pandemics and electromagnetic disturbances are the three top “high impact” risks to the U.S. and Canadian power-generation grids, according to a report from the North American Electric Reliability Corp. (NERC). (See item 2)

2. June 2, Network World – (National) Cyberattacks seen as top threat to zap U.S. power grid. Cyber attacks, pandemics and electromagnetic disturbances are the three top “high impact” risks to the U.S. and Canadian power-generation grids, according to a report from the North American Electric Reliability Corp. (NERC). “The specific concern with respect to these threats is the targeting of multiple key nodes in the system, if damaged, destroyed or interrupted in a coordinated fashion, could bring the system outside the protection provided by traditional planning and operating criteria,” states the report, “High-Impact, Low-Frequency Risk to the North American Bulk Power System.” The contents of the 118-page report are largely the result of closed-door discussions held since November by NERC (which plays a key role in setting security standards for the U.S. power grid), power providers and U.S. government officials. Source:

• The New New Internet stated that phishers are exploring new ways to recruit cyber criminals by casting their nets onto social networking sites, creating special Facebook groups for their work-at-home scams, according to Kaspersky Lab. (See item 16 below in the Banking and Finance Sector)


Banking and Finance Sector

14. June 2, Courthouse News Service – (National) Credit union demands $42 million, claims Fannie Mae bought ‘stolen’ mortgages. Fannie Mae refuses to return $42 million worth of “stolen” mortgages to Suffolk Federal Credit Union, the credit union claims in Federal Court. The credit union, which says its members are “predominantly blue collar workers from Suffolk County, New York ... including firefighters, police officers, emergency medical technicians, social services workers, and other low to middle income employees,” claims Fannie Mae had its head in the sand when it bought the stolen mortgages, and now refuses to return them. Suffolk claims U.S. Mortgage Corp. and its CEO, along with another U.S. Mortgage employee, serviced its mortgage loans, but “signed loan transfer documents that falsely identified themselves as executives of Suffolk.” Suffolk claims the CEO then sold the loans to Fannie Mae, which never checked his authority to execute such documents on behalf of the credit union. “Fannie Mae ignored obvious signs of falsified financial statements, payment irregularities, commingling of funds, and dangerously speculative securities trading, all of which pointed to a situation ripe for fraud,” Suffolk claims. Even after the CEO pleaded guilty to stealing the mortgages, Suffolk says, Fannie Mae refused to return them, claiming it bought the loans fair and square in good faith. But the credit union insists that the law states, “purchasers of negotiable instruments who stick their heads in the sand cannot claim ownership of stolen property.” Source:

15. June 2, KMTR 16 Eugene – (Oregon) Scam Alert: fake “Umpqua Bank” phone calls demand personal info. Scammers are targeting Umpqua Bank account holders with a new phone scam, starting with hundreds of residents in Douglas County, Oregon. The Douglas County Sheriff’s Office says hundreds of residents began receiving the calls over the Memorial Day weekend, starting on Saturday, May 29, 2010. The calls claim to be from “Umpqua Bank.” An automated message says the customer’s debit or credit card has been deactivated and asks the customer to press one, then enter personal information. The Douglas County Sheriff’s Office and Umpqua Bank say the calls are a scam. Scammers in this most recent phone fraud case ask for debit and credit card numbers, as well as Social Security card numbers and other information. Source:

16. June 1, The New New Internet – (International) Facebook used to find money mules. Phishers are exploring new ways to recruit cyber criminals by casting their nets onto social networking sites, creating special Facebook groups for their work-at-home scams, according to Kaspersky Lab. Far from a novel idea, phishers have been using social networks for years to find new recruits. Now, the scammers have created Facebook groups specifically dedicated to the work-at-home scams that often serve as recruitment schemes for money mules. One such group has almost 225,000 members on Facebook, according to Kaspersky researchers. The criminals promise high earnings for minimal effort: $6,000 per month for only 18 hours of work per week. Job responsibilities often involve accepting deposits and wire transfers of thousands of dollars a day, then transferring the money to other accounts designated by the phishing gang. Although money mules can make fast cash relatively easily, they are usually the ones most likely to be discovered, arrested and prosecuted. Sometimes the money mules do not know what the end result of their activities is; all they know is that they are transferring money from one account to another. Source:

17. June 1, Bank Info Security – (Maine) ACH fraud sparks another suit. In another round of bank vs. customer, a Maine business has sued its bank, alleging that the institution failed to prevent fraudulent ACH transactions totaling more than $500,000. Patco, a Sanford, Maine-based construction company, had its corporate bank account raided over a six-day period last May by cyber thieves who were able to move over $588,000 to dozens of money mules throughout the country. The business was able to recover only $230,000 of the stolen funds and has sued its bank, Ocean Bank of Portsmouth, New Hampshire, for failing to detect and prevent the bogus transfers. “I told them ‘We don’t want to sue you; can you at least make up part of the loss?’” says the co-owner of the business. But he describes the bank’s response as “This is your problem. It wasn’t our firewall that was penetrated.” This is but the latest example of banks and business customers battling over responsibility for losses resulting from ACH fraud, or corporate account takeover. Most recently, PlainsCapital Bank and Hillary Machinery of Texas settled their lawsuits over a similar dispute. Source:

18. May 31, CNN – (New York) Financial adviser to celebrities charged in $30 million Ponzi scheme. A financial adviser to celebrities was arrested on Thursday on charges he carried out a $30 million Ponzi scheme on some of his clients, according to the U.S. attorney’s office. The 66-year-old suspect was charged with money laundering, investment adviser fraud and wire fraud. He was ordered held without bail until a June 10 pretrial hearing despite a vigorous appeal to the federal Magistrate Court by both Starr and his attorney. The suspect’s attorney argued that his client was terrified when federal agents came to arrest him early on May 27, portraying the suspect as a family man who had strong New York ties and did not pose a flight risk. But prosecutors painted a different picture, telling the court that the suspect attempted to evade arrest by hiding from federal agents. According to the complaint, the suspect defrauded a wealthy jeweler and his wife of nearly $14 million in either bogus or high-risk investments. Almost all of that $14 million remains unaccounted for. The complaint says the suspect used nearly $6 million of a nearly 100-year-old heiress’ money, without authorization, to buy a $7.5 million condominium for himself. Source:

Information Technology

48. June 2, – (International) Symantec warns of hike in World Cup spam. Symantec has joined the chorus of voices warning users to brace for a surge in spam centered around the upcoming World Cup in South Africa. Unsolicited email using the tournament as a lure has risen by around 27 percent in the past month, according to new statistics posted on the security firm’s Net Threats 2010 site. Internet users were warned to expect a range of spam, including offers of counterfeit tickets, malware embedded in fake highlights videos and bogus FIFA product offers. Trend Micro observed similar trends last month, warning users of 419-style spam runs using the tournament as bait. Source:

49. June 2, SC Magazine – (International) Jewish Chronicle confirms that it was hit by a denial-of-service attack on Monday following Gaza flotilla incident. The Jewish Chronicle was hit by a massive denial-of-service (DoS) attack on May 31. Following the Gaza flotilla incident, a column in the Spectator claimed that the website of the paper was down following ‘a massive denial-of-service, apparently to shut down its balanced coverage of the Ashdod flotilla incident’. Speaking to SC Magazine, the managing editor of the Jewish Chronicle confirmed that this did occur and happens often. He said: “We are a target and it is part of our security policy that we understand people want to stop the Jewish voice. It was probably an attempt to silence us on a controversial subject.” He further explained that the website does not get much traffic on a Saturday, but on a Sunday it gets traffic from the Jewish community and a much wider readership. Burton said: “It is a PR disaster for Israel, but we are not a mouthpiece for the Israeli government as we are critical of them, and our editor has said that there are two sides to it.” Source:

50. June 2, Help Net Security – (International) IT pros are hacking their own enterprises to keep intruders out. A survey of IT security professionals has found that 83 percent consider commercial applications, the ones bought off the shelf, to be riddled with code flaws and vulnerabilities. Fortify Software found that 56 percent believe these flaws could allow hackers to exploit the software. As a result, security professionals are investing heavily in penetration and code testing, combined with application scanning, to try to build security into the software. Half of the IT security professionals also admitted to hacking, with 73 percent of these respondents doing so to test the strength of their own network’s defenses, 13 percent for fun or out of curiosity, and 3 percent targeting their efforts at the competition. Compiled at Infosecurity Europe, the survey also found that, amongst the 300 IT security professionals interviewed (the majority from companies employing 1,000 plus employees), 31 percent admitted to being victims of hacking. More interestingly, with 29 percent replying ‘don’t know’, this figure could be substantially higher. The majority of respondents cited the application layer as the hackers’ main target. Source:

51. June 1, Marketing Vox – (International) Digital device, data explosion meets IP address shortage. The landscape for marketers charting digital strategies one or two years ahead could well be dramatically different than it is now: characterized by an explosion of new data generated from mobile devices — and possibly by a logjam created by a lack of IP addresses. According to IDC, there are currently more than 10 billion non-PC devices that connect to the Internet, and that number is expected to grow to almost 20 billion by 2014. In fact, the growth will be so great that within 18 months — possibly as soon as September 2011 — it is estimated that the number of new devices able to connect to the Internet will be limited by a lack of available IP addresses. In short, the world is running out. “The internet as we know it will no longer be able to grow,” the chief scientist at RIPE NCC, the organization that issues IP addresses in Europe, told CNN. “That doesn’t mean it will cease to function, but entry could be limited to new devices.” At the same time there are signs that content, especially user-generated content, is about to enter a period where data will grow faster than the parameters established by Moore’s law for improvements in hardware. Source:

52. June 1, Help Net Security – (International) Critical iPhone security issue leaves your contents exposed. Most iPhone users are confident that using a passcode to secure their devices means that even if the devices are lost or stolen, their data will be protected from prying eyes. Unfortunately for them, an information security professional has recently discovered that the passcode protection can be bypassed by simply connecting the iPhone 3GS in question to a computer running Ubuntu 10.04. According to him, the iPhone can be tricked into allowing access to photos, videos, music, voice recordings, the Google safe browsing database, game contents, and more, by switching it off, connecting it to the computer, then switching the iPhone back on. He claims to have obtained read-and-write access on 4 different non-jailbroken, passcode-protected iPhone 3GS devices running different iPhone OS versions. He says the vulnerability is definitely not an Ubuntu vulnerability, but a flaw in the way the iPhone implements authentication when connected to a computer. Apple has been notified of the flaw and has reproduced it, but has yet to push out a fix or to say when one will be made available. Source:

53. June 1, The Register – (International) Windows Mobile Trojan frags gamers. Scammers have hidden a nasty surprise for users who downloaded doctored copies of a Windows Mobile game. Hackers adapted a demo version of 3D Anti-Terrorist Action to include a Trojan that makes premium-rate calls costing around US$6 a minute on the sly. Doctored copies of the Counter-Strike-alike game are designed to call premium-rate phone numbers in the Antarctic, the Dominican Republic and Somalia, leaving users none the wiser until they receive whopper mobile phone bills. The Terdial-A Windows CE Trojan was first identified in March but has recently made its way onto several sites hosting Windows Mobile apps, prompting a fresh warning from a gaming site, which adds that even legitimate versions of the application lack engaging gameplay. The net security firm Sophos believes a Russian-language speaker wrote the malware behind the attack. Source:

54. June 1, DarkReading – (International) Botnets target websites with ‘posers’. Botnets increasingly are creating phony online accounts on legitimate websites and online communities in order to steal information from enterprises. This alternative form of targeted attack by botnets has become popular as botnet tools have made bots easier to purchase and exploit. A botnet expert and distinguished professor of computer science at Georgia Tech says bots are showing up “en masse” to customer-facing websites — posing as people. “We are seeing tens of thousands of false registrations getting through existing defense-in-depth to get accounts on websites,” says the professor, who is also a member of the board of directors at Pramana and a co-founder of Damballa, both security firms that specialize in botnet mitigation. And these bots can walk off with data from those sites, either for competitive purposes or for selling the stolen information on the black market, according to new data from Pramana, a startup that spun off from Georgia Tech. “Instead of humans, bots are showing up en masse” on auction, social networking, and various other websites that require registration for participation or comments or webmail, he says. “If job listings are your valuable content, what if your competitors set bots to screen-scrape and take your content out the door? This screen-scraping is costing a lot of money and becoming way more prevalent.” Botnet operators are poking holes in CAPTCHA defenses. Pramana, which uses what it calls “HumanPresent” technology that looks at online activity in real time in order to catch fraud before it occurs, saw 60 percent of bots crashing through CAPTCHAs and other defenses at one Fortune 100 client’s website. Source:

55. June 1, – (International) WikiLeaks was launched with documents intercepted from Tor. WikiLeaks, the controversial whistleblowing site that exposes secrets of governments and corporations, bootstrapped itself with a cache of documents obtained through an internet eavesdropping operation by one of its activists, according to a new profile of the organization’s founder. The activist siphoned more than a million documents as they traveled across the internet through Tor, also known as “The Onion Router,” a sophisticated privacy tool that lets users navigate and send documents through the internet anonymously. The siphoned documents, supposedly stolen by Chinese hackers or spies who were using the Tor network to transmit the data, were the basis for the WikiLeaks founder’s assertion in 2006 that his organization had already “received over one million documents from 13 countries” before his site was launched, according to the article in The New Yorker. Only a small portion of those intercepted documents were ever posted on WikiLeaks, but the new report is the first indication that some of the data and documents on WikiLeaks did not come from sources who intended for the documents to be seen or posted. It also explains an enduring mystery of WikiLeaks’ launch: how the organization was able to amass a collection of secret documents before its website was open for business. Source:

56. May 28, DarkReading – (International) Researchers uncover bot sales network. Researchers at PandaLabs said yesterday they have uncovered a network that sells bots targeting social networks and Webmail systems. The publicly available site contains an extensive catalog of programs aimed at social networks and Webmail services, including Twitter, Facebook, Hi5, MySpace, MyYearBook, YouTube, Tuenti, Friendster, Gmail, and Yahoo, PandaLabs says. Each entry explains the reason why the bot has been created and describes activities that the bots can perform, such as creating multiple accounts simultaneously on social networks; identity theft; stealing friends, followers or contacts; and automatic sending of messages. “All bots work in a conventional manner,” the page says. “They gather friend IDs/names and send friend requests, messages, [and] comments automatically. We are still investigating, but this is another example of the lucrative business that malware represents for cybercriminals,” says the technical director of PandaLabs. “The catalog of bots for sale describes some of the many activities they can be used for. Some of them are more ‘innocent,’ such as creating accounts, and others are more insidious and specifically focused on fraud — including theft of identities, photographs, etc.” Source:

Communications Sector

57. June 1, IDG News Service – (National) Android rootkit is just a phone call away. Hoping to understand what a new generation of mobile malware could resemble, security researchers will demonstrate a malicious “rootkit” program they’ve written for Google’s Android phone next month at the Defcon hacking conference in Las Vegas. Once it is installed on the Android phone, the rootkit can be activated via a phone call or SMS (short message service) message, giving attackers a stealthy and hard-to-detect tool for siphoning data from the phone or misdirecting the user. “You call the phone, the phone doesn’t ring, and when the phone realizes that it’s being called by an attacker’s phone number, it sends him back a shell [program],” said a security consultant with Chicago’s Trustwave, the company that did the research. Rootkits are stealthy programs designed to cover up their tracks on the operating system in order to evade detection. They have been around on Windows and Unix for years, but lately security researchers have been experimenting with them on mobile platforms. Source:

58. May 31, Hindu Business Line – (International) US to work with India on National Broadband Plan. The US has said that it would collaborate with India in evolving a National Broadband Plan. “We have initiated talks through the ICT joint working group last week in New Delhi. We have fixed a time-bound schedule to discuss things. The two sides will soon identify points of contact for one-to-one interactions,” the US Coordinator for International Communication and Information Policy said. “The ICT working group, which used to meet periodically, could not meet because of elections here and in the US. We have revived it last week and hope to follow it up six months later in December. These meetings would be held twice a year,” he told Business Line. The group comprised top Government executives and representatives from businesses. “The Government set aside $7 billion, announced as part of the stimulus package, for creating awareness about the benefits of broadband usage, and the US Congress asked the Federal Communication Commission (FCC) to work for a national broadband plan. It came out with hundreds of recommendations.” Source: