Department of Homeland Security Daily Open Source Infrastructure Report

Monday, June 14, 2010

Daily Report

Top Stories

• Serious mechanical problems with Coast Guard aircraft and vessels delayed, cut short or aborted rescue efforts after the Deepwater Horizon drilling rig exploded in the Gulf of Mexico April 20, according to an investigation by the Center for Public Integrity, USA Today reports. (See item 40)

40. June 10, USA Today – (International) Mechanical problems hampered Coast Guard rescue after Gulf rig blast. Serious mechanical problems with Coast Guard aircraft and vessels delayed, cut short or aborted rescue efforts after the Deepwater Horizon drilling rig exploded in the Gulf of Mexico April 20, according to an investigation by the Center for Public Integrity. Logs show the Coast Guard “averaged one problem for every seven rescue sorties it operated during the first three days of the oil spill crisis in April,” the investigation found. In one instance, 38 minutes were lost trying to evacuate workers from the burning rig or rescue those who jumped into the water because the crew of a 25-year-old helicopter had to switch to another aircraft. Similar mechanical problems plagued rescue efforts after the Haiti earthquake in January. A Coast Guard official said the problems “were nothing that was not out of the ordinary.” Source:

• According to Bloomberg, South Korea said a government Web site was attacked June 9 from Internet addresses in China. The report comes amid concerns that North Korea is mounting cyber attacks in response to international pressure over the sinking of a South Korean warship in March. (See item 48 below in the Information Technology Sector)


Banking and Finance Sector

10. June 11, Reuters – (International) SEC eyes confluence of events as flash crash cause. U.S. regulators will most likely find that a confluence of events caused the unprecedented stock market “flash crash” in early May, the Securities and Exchange Commission (SEC) chairman said June 10. For a month, regulators have been trying to determine what caused the Dow Jones Industrial Average to plunge some 700 points in minutes May 6 before sharply rebounding. Earlier June 10, the SEC approved a mechanism to temporarily pause trading in single stocks when markets are plunging uncontrollably. The stock-specific circuit breakers, being adopted this month, will halt trading for five minutes in any S&P 500 share if it falls more than 10 percent in five minutes. The chairman said she was anxious to expand the stock-specific mechanism to other stocks and to a number of exchange-traded funds, which were hit harder than ordinary stocks in the brief market freefall. Source:

11. June 11, Greensboro News & Record – (North Carolina) Carolina Bank reports debit card phishing scheme. Carolina Bank in Greensboro, North Carolina sent an e-mail to customers June 10 warning them of a possible debit card “phishing” fraud scheme. Several customers and non-customers were contacted by telephone. Consumers heard a recorded message claiming to be from Carolina Bank saying their debit card had been or soon would be deactivated. Then the recording asked them to call a toll-free number where they were asked for their debit card number or PIN, according to the bank. Phishing is information technology slang for fraud schemes that attempt to gather sensitive information from consumers. E-mail is a typical vehicle for the scams. In this case, the president and CEO of the bank said the process seemed disorganized, especially because it targeted many people who are not even Carolina Bank customers. Source:

12. June 11, Great Falls Tribune – (Montana) Latvians to be deported for role in Davidson Companies extortion plot. Three men who aided an extortion plot on Davidson Companies will be deported after receiving their sentence June 10 in Helena, Montana. The three suspects, all of Latvia, previously pleaded guilty to a federal charge of receipt of extortion proceeds. A senior U.S. district judge sentenced the men to time served, as they have been in the custody of Dutch and U.S. officials since February 2008. Conspiracy and extortion charges against the men were dropped in accordance with a plea deal with prosecutors in the U.S. Attorney’s Office in Montana. The men were transferred to the custody of the Department of Homeland Security for deportation. Davidson’s computer system was hacked into some time between Dec. 20, 2007, and Jan. 11, 2008, by a man identified in court documents as “John Doe, aka [real name].” The hacker has not been arrested and remains at large. Thousands of customers’ personal and/or financial account information was accessed as part of the computer attack. The hacker demanded $80,000 from Davidson in exchange for revealing security vulnerabilities and destroying any confidential information he had obtained, court documents state. Source:

13. June 11, Bank Info Security – (New York) How to avoid hiring fraudsters. Recently, a CFO ran away with $600 million stolen from his employer, which sold computers in New York City. When the president of Corporate Resolutions Inc, a business-consulting firm, investigated this case, he found glaring disconnects: The CFO had lied about his experience and credentials in his resume, and he had listed three business references — one was dead; one did not exist; and when the last reference was called, he said, “Are you kidding me, I wouldn’t hire that guy for anything.” If the company “had only done their due diligence, they would not have hired him — it’s a shame,” said the president. This case exemplifies the risk of insider fraud, and it also serves as a cautionary tale: Be careful whom one hires. The leader for Ernst & Young’s information security practice for the Americas finds three common fraudulent behaviors specific to security professionals: misusing access to retrieve critical information and/or view restricted information like pornographic material; engaging with coworkers on a side online business and deleting logs and activities, and deliberately failing to monitor required systems; and overstating security credentials. According to a new report by the Association of Certified Fraud Examiners (ACFE), about 5 percent of organizational revenue is lost annually to organizational fraud, mostly employee theft. That translates into a potential total loss of about $3 trillion per year. Among the warning signs to look for when hiring security professionals: candidates who do not stay in a job over a year; someone who is not interested in benefits; one who does not provide accurate information on the current state of their certifications; a lack of business references; a person who is uncomfortable performing “hands-on” tests and exercises to demonstrate skill; someone listed and associated with underground hacker groups; and anyone experiencing financial problems. Source:

14. June 10, KXTV 10 Sacramento – (California) Sacramento, Folsom, Placer County detectives find credit card skimmers at gas stations. After an investigation led to the discovery of three identical credit card skimming machines inside gasoline pumps in Placer County, Sacramento and Folsom, California, authorities are now looking for the people who may have used the machines to collect personal identification information. A Placer County Sheriff’s Department spokeswoman said investigators found the scanning devices in pumps located far from the clerk’s location and close to the street. According to a detective, investigators believe there are at least four more machines operating at other gas stations. Over the last few days, Folsom police officers received numerous complaints about compromised credit cards used at a gas station where one of the machines was discovered. Source:

15. June 10, KPTV 12 Portland – (Oregon) ‘Beastie Boys Bandit’ sought in bank robberies. Oregon police said they are looking for a man they are calling the “Beastie Boys Bandit” after two recent bank robberies in east Portland. In June, a man wearing a wig, fake mustache, sunglasses and a dark suit with a white, button-up shirt robbed two U.S. Bank branches. The first robbery happened June 3 at the U.S. Bank at 1225 SE Cesar Chavez Blvd. The second robbery happened June 8 at the U.S. Bank at 1901 NE 42nd Ave. The man showed a demand note that either said he is armed or that there is a device inside the bank, according to the police bureau. Police gave the bank robber the Beastie Boys Bandit nickname based on the disguises worn by Beastie Boys band members in the 1990s music video “Sabotage.” Source:

16. June 10, Panama City News Herald – (Florida) Financial planner arrested in $6 million scam. A Florida financial planner has been arrested on charges he scammed almost 100 investors out of about $6 million. The 61-year-old suspect, of the Financial Planning Center of Panama City, was charged June 10 with grand theft after investigators served a search warrant at his office on Tyndall Parkway. The raid came after a three-month investigation into complaints from investors, according to the Bay County Sheriff’s Office. Parker police also were involved as officers seized computers and files. The complaints began in April after the suspect stopped paying investors in his “12 percent Savings Club,” according to a sheriff’s spokeswoman. Under the plan, the suspect told 92 investors their money was being invested in restaurant franchises. Investigators said bank records revealed the money instead was used to pay interest to other investors. According to the spokeswoman, the suspect admitted to investigators that he had made no legitimate investments in the club since about 2006. Source:

17. June 10, Associated Press – (Arkansas) Company reports potential breach of credit-card data at 2 Dixie Cafes in Arkansas. The company that owns Dixie Cafe restaurants said customers’ credit- and debit-card information may have been breached at two stores in Little Rock and Hot Springs. Dixie Restaurants of Little Rock said in a news release June 10 that the company was working with police to find out the origin of the data breach, and its extent. In the meantime, the company urged customers who had used a credit or debit card at either store during a period from February 1 to June 8 to alert card issuers and to report any unauthorized activity to police. The company said the two stores involved were at 10700 Rodney Parham Road in Little Rock and at 3623 Central Avenue in Hot Springs. The release said police are investigating, but initial findings show no wrongdoing by any member of the restaurants’ management or staff. Source:

Information Technology

41. June 11, The New New Internet – (International) World cup good for spammers. The World Cup begins June 11 and spammers have already joined the party, releasing spam messages that target individuals searching for World Cup information. Presently, the amount of World Cup-related spam is relatively small compared to total spam amounts but it has increased, according to F-Secure. “It’s still just a small percentage of spam overall (under 2 percent) but when comparing the first three days from the last six months, we see a doubling in volume and 74 times the number of hits on related keywords from January to June,” a researcher at F-Secure writes. “As the tournament continues from June to July 11th, we expect to see more related threats. A good example? SEO poisoning.” Source:

42. June 11, The Wall Street Journal – (National) FBI opens probe of iPad breach. The FBI has opened an investigation into a possible security breach of AT&T Inc.’s Web site that exposed the e-mail addresses of some owners of Apple Inc. iPad devices. The security hole highlights how corporations still have problems protecting private information. “The FBI is aware of these possible computer intrusions and has opened an investigation,” said an FBI spokeswoman. The FBI began the investigation June 10 but would not comment on what the bureau is looking at. “It’s very early in the investigation,” she added. The incident this week was embarrassing to both AT&T and Apple. AT&T declined to comment on the investigation. On June 9, the wireless carrier acknowledged that a flaw in its Web site made it possible for iPad users’ e-mail addresses to be revealed. AT&T said it fixed the security problem by June 8. Apple has not replied to requests for comment. Source:

43. June 11, – (International) Google posts Chrome security fixes. Google has issued a fresh round of security updates for its Chrome Web browser, addressing 11 vulnerabilities for the Windows, Mac OS X and Linux versions. Eight of the flaws in the Chrome 5.0.375.70 update are labeled as “high risk,” while the remaining three are listed as “medium” risk. The vulnerabilities range from memory corruption and cross-site scripting flaws to keystroke redirection risks. Two of the flaws are listed as discoveries which brought cash rewards. Google has a policy of paying bounties to researchers who directly report zero-day flaws in Chrome. The update comes just days after two of Google’s competitors in the browser market delivered fixes of their own. Source:

44. June 11, Bloomberg – (National) Senators tackle Internet security. The President could order emergency measures to combat cyber attacks under a measure introduced June 11 by three senators who said the Internet has unleashed a new breed of cyberterrorists. Under the bill, the President’s specific powers would be developed with companies and would not allow the government to take over private networks or give it more surveillance authority, the lawmakers said. “The Internet can also be a dangerous place with electronic pipelines that run directly into everything from our personal bank accounts to key infrastructure to government and industrial secrets,” a Connecticut Independent who heads the Senate Homeland Security and Governmental Affairs Committee said at a news conference. He is sponsoring the measure with the panel’s senior Republican, from Maine, and a committee member who is a Democrat from Delaware. “Our economic security, our national security, and our public safety are now all at risk as a result of new kinds of enemies, with new kinds of names like cyberwarriors, cyberspies, cyberterrorists, and cybercriminals,” the senator said. Source:

45. June 10, IDG News Service – (International) After attacks, Adobe fixes Flash bug. Less than a week after fielding reports that hackers were targeting a bug in its Flash Player software, Adobe Systems has rushed out a fix for the problem. Adobe’s new 10.1 Flash update, released June 10, fixed a bug that was first spotted via a small number of targeted attacks. According to Symantec, these Flash attacks are still not widespread, but users should update their Flash software as soon as possible. “We have been seeing a small but steady rise in detections of related malicious PDFs and we expect to continue to see these numbers increase over the coming hours and days,” the security vendor said in a statement. Criminals have been exploiting the flaw using malicious Flash swf files, which are typically opened by the Web browser’s Flash Player plug-in, or via PDFs that have maliciously encoded Flash components embedded inside them, Adobe said. Those malicious PDFs are typically opened by Reader or Acrobat, which include their own versions of Flash Player that have not yet been patched. That fix is due June 29. Source:

46. June 10, DarkReading – (International) Tool automates social engineering in man-in-the-middle attack. French researchers have developed an automated social engineering tool that uses a man-in-the-middle attack and strikes up online conversations with potential victims. The proof-of-concept (PoC) HoneyBot poses convincingly as a real human in Internet Relay Chats (IRC) and Instant Messaging (IM) sessions. It lets an attacker glean personal and other valuable information from victims via these chats, or lure them into clicking on malicious links. The researchers had plenty of success in their tests: They were able to get users to click onto malicious links sent via their chat messages 76 percent of the time. The researchers who created the PoC — all of Institut EURECOM in France — are also working on taking their creation a step further to automate social engineering attacks on social networks. The researchers originally wrote their HoneyBot PoC tool as a way to demonstrate large-scale automated social engineering attacks. While spammers typically send IM messages that attempt to lure users to click on their malicious links, these attacks are often fairly conspicuous and obvious to the would-be victim. Such an attack could occur via an online shopping Web site or bank site that contains an embedded chat window, the researchers said. An attacker then could set up a phishing site and wage a man-in-the-middle attack on the chat window. Source:

47. June 10, SCMagazine – (International) Microsoft confirms Help Center vulnerability. Microsoft June 10 confirmed the presence of a zero-day vulnerability affecting Windows XP and Server 2003. The software giant plans to issue an advisory to provide workaround guidance to impacted users. The vulnerability was discovered by a Google engineer who published exploit code in an advisory posted to the Full Disclosure mailing list. The flaw is present in the Windows Help and Support Center application and is caused by the improper sanitization of “hcp:// URIs,” which is a protocol handler used to access help documents through specific URLs. By persuading a user to click on a malicious link, an attacker could execute arbitrary code on a victim’s machine. Customers running Windows Vista, 7, Server 2008 and Server 2008 R2 are not susceptible to the vulnerability, said the director of the Microsoft Security Response Center, in a blog post. The bug added fuel to the fire surrounding the responsible disclosure debate. The Google researcher notified Microsoft June 5 but went public with the vulnerability five days later, before Microsoft was able to issue a fix to its large user base. Source:

48. June 10, Bloomberg – (International) South Korea says cyber attacks came from China sites. South Korea said a government Web site was attacked June 9 from Internet addresses in China. The report comes amid concerns that North Korea is mounting cyber attacks in response to international pressure over the sinking of a South Korean warship in March. The attacks took place between 8:20 p.m. and midnight, the Ministry of Public Administration and Security said in a statement posted on its Web site June 10. The ministry blocked access after spotting the intrusions, and a probe is being conducted with related government offices, it said. North Korea’s postal ministry was the source of similar cyber attacks last July that sought to cripple dozens of Web sites in South Korea and the U.S., the JoongAng Ilbo reported in October, citing the director of the South’s spy agency. Tensions have risen on the Korean peninsula since an international panel concluded May 20 that the North was behind a torpedo attack that sank the Cheonan warship, killing 46 of the South’s sailors. Source:

49. June 10, The Hill – (International) Judge rules against DHS on extended border laptop seizures. A federal judge has ruled the federal government may not seize and months later search a traveler’s laptop without a warrant, according to a blog post by CNet. A U.S. district judge in the Northern District of California ruled June 2 that Customs and Border Protection agents cannot indefinitely seize and search a traveler’s laptop without a warrant. The ruling came in response to the case of an American citizen whose laptop was seized upon his return from South Korea at San Francisco International Airport in January 2009. The issue of laptop searches at the border has been controversial; two years ago a group of privacy advocates warned the Senate Judiciary Committee about the policy’s detrimental impact on tourism and business travel. The Department of Homeland Security announced in August that it would continue to seize laptops without warrants, but established a 30-day time limit to conduct the searches. Source:

50. June 9, The New New Internet – (International) The link between porn and malware. With just a minimal amount of money invested, a single operator of a pornographic Web site can infect more than 20,000 computers with malware, according to a recent academic study presented at the Workshop on the Economics of Information Security (WEIS 2010). The researchers examined the online pornographic industry and traced significant amounts of malicious activity to porn Web sites. “Common belief suggests that adult Web sites tend to be more dangerous than other types of Web sites, considering well-known Web-security issues such as malware, or script-based attacks,” the researchers said. “Our results verify this assumption, and in addition, we show that many adult Web sites use aggressive marketing and advertisement methods that range from “shady” to outright malicious. They include techniques that clearly aim at misleading Web site visitors and deceiving business partners. For example, we discovered that a malicious operator could infect more than 20,000 with a minimal investment of about $160,” the researchers said. “We conclude that many participants of this industry have business models that are based on very questionable practices that could very well be abused for malicious activities and conducting cyber-crime. In fact, we found evidence that this kind of abuse is already happening in the wild.” After manually searching around 700 adult Web sites, the researchers developed an automatic tool to crawl through 269,566 URLs belonging to 35,083 porn sites. The researchers found that “free” pornographic Web sites were the most dangerous. Source:

For more stories, see items 12 & 13 above in the Banking and Finance Sector, and 51 below in the Communications Sector

Communications Sector

51. June 11, The Register – (International) World Cup streaming to choke corporate networks, doomsayers predict. Every World Cup soccer tournament and major sporting event since France 98, if not before, has come accompanied by dire predictions of networking doom. This time around, the EMEA vice president of marketing at security appliance firm Blue Coat was the prime source of an article, “FIFA World Cup: The World’s Biggest Ever DoS?” He predicted: “Networks will fail because of World Cup streaming. If it doesn’t happen, I’ll eat my replica shirt.” The vice president backed this bold prophecy up with a presentation at a security conference entitled “The World Cup – Someone’s Network is Going to Die.” There are at least a couple of problems with this prediction, according to some experts. Firstly, it has been made before many times and never panned out. Secondly, most of the games in South Africa, especially towards the end of the tournament, when interest can be expected to peak, start in the evening European time. By contrast, games in Japan eight years ago all kicked off in the morning European time. The 2010 World Cup will be the first in the history of the tournament where every game will be streamed online live. Along with possibly constrained WAN connectivity, organizations may face heightened security risks caused by users venturing to untrusted and unknown sites in search of video content not available from official broadcast streams, Ipswitch warns. Source:

52. June 10, Sioux City Journal – (Iowa) Hinton explosion causes cell tower disruption. Verizon Wireless is working on a temporary cell phone tower after an explosion June 9 destroyed a building next to an existing tower, a local fire official said. The Hinton fire chief said the explosion was reported about 8:30 p.m. in a small building at the base of a cell phone tower near Hinton. Although the blast didn’t damage the actual tower, he said it destroyed the building and required the tower be turned off. The temporary structure was expected to be in place on June 10 or early June 11. A leaking propane tank from a backup generator allowed gas to fill the small building, which blew up when a spark ignited the flammable gas. Source:

53. June 10, The Canadian Press – (International) Wireless signals may be jammed during G8/G20. Wireless companies said they have been warned their signals could be temporarily jammed later this month both in downtown Toronto during the G20 summit and during the G8 summit in Huntsville, Ontario. The technology is expected to be used to create a so-called moving bubble of electronic silence around motorcades. “No one will be informed of locations and times for security reasons,” one wireless industry source told The Canadian Press. The Integrated Security Unit, which is responsible for the two summits and whose members include the Royal Canadian Mounted Police (RCMP), Toronto police, Peel Regional police and the Canadian Armed Forces, would not comment on security plans. The G8 summit happens north of Toronto on June 25-26, and the G20 gathering follows in the city’s downtown on June 26-27. In order to jam the signals, the RCMP must apply for an exemption from the Radiocommunications Act, which generally forbids interfering with the airwaves. Source: