Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, June 23, 2010

Daily Report

Top Stories

• According to the Pittsburgh Post-Gazette, a former employee at Massey Energy’s Upper Big Branch coal mine in Montcoal, West Virginia has told federal investigators that miners short-circuited detectors intended to shut off electrical equipment when levels of explosive methane rose inside the mine. The statement was given to investigators looking into the massive April 5 explosion that killed 29 men. (See item 5)

5. June 20, Pittsburgh Post-Gazette – (West Virginia) Miner cites tampering with sensors. A former employee at Massey Energy’s Upper Big Branch coal mine has told federal investigators that miners there short-circuited detectors intended to shut off electrical equipment when levels of explosive methane rose inside the mine. The statement was given to investigators in the wake of the massive April 5 explosion that ripped through the mine in Montcoal, West Virginia, killing 29 men in the nation’s worst underground coal disaster in 40 years. Preliminary findings suggest the blast began as an explosion of methane, possibly triggering secondary explosions of coal dust. Information about the statement was provided by three sources working with the probe. According to the sources, the miner — who worked at Upper Big Branch until the day of the disaster — told FBI agents and other federal investigators that he had seen wire “bridges” used to bypass alarms. Underground mine equipment, such as the conveyor belts that carry mined coal and the continuous mining machines used to dig it, is outfitted with sensors designed to automatically shut off current to the machines when methane or carbon monoxide levels rise. According to people familiar with the witness’ statement, on one or more occasions someone hooked a length of wire between the terminals, bypassing those detectors. Source:

• Citing a study in Joseph Farah’s G2 Bulletin, WorldNet Daily reported that the Chinese may have been able to develop computer algorithms that will penetrate military computers at the secret level, according to alerts about a “Spear Phishing attack” issued recently to users of a military system. In one case, users at the secret, or collateral, level told of a false report of an outbreak of war in Asia. (See item 51)

51. June 21, WorldNet Daily – (International) Chinese breaking into classified network. The Chinese may have been able to develop computer algorithms that will penetrate military computers at the secret level, according to alerts about a “Spear Phishing attack” issued recently to users of a military system, said a report in Joseph Farah’s G2 Bulletin. In one case, users of military computers at the secret, or collateral, level told of a false report of an outbreak of war in Asia beaming across military networks. “So, it appears they’re into our systems at least at the collateral level,” one military computer user said of the Chinese. He said such access is “relatively hard to get into.” In earlier cases, Trojans and viruses also have been introduced that halted the use of flash drives on Defense Department computers. While it remains unclear whether the Chinese have developed algorithms that would allow penetration of systems that are Top Secret or beyond, it cannot be ruled out, since the Chinese have developed supercomputers capable of developing encryption and decrypting codes. Most U.S. troops in the field use classified information at the collateral level. Collateral information includes reporting on combat arms and tactical operations. If that is the case, then the enemy could be given access to codes capable of decrypting collateral traffic and could, in effect, be reading intelligence that may be going to U.S. war fighters in Afghanistan and Iraq. Source:

Banking and Finance Sector

18. June 22, DarkReading – (National) PCI standards stretched to three-year cycle. Merchants have gained breathing room for complying with PCI: The PCI Standards Council June 22 announced its standards cycle will move from a two- to three-year cycle. The extra year between new versions of the PCI DSS, PA-DSS, and PCI DTS standards came in response to complaints from merchants and others in the secure-payment industry that the current schedule of releasing new requirements every two years was too tight. “We’re looking at a phased, orderly introduction of new standards. This gives the stakeholders more time to get familiar with them and implement them,” said the general manager of the PCI Security Standards Council. The council also shifted the date the standards take effect from its current fall time frame to after the holiday season. “Merchants go into a lockdown period in late September, and their systems basically stay static from there. They are heads down for Black Friday,” the general manager said. So the latest PCI standards won’t go into effect until the first of the year. Source:

19. June 22, The Washington Post – (International) Lawmakers reach deal to limit card ‘swipe fees’. House leaders have reached an agreement with their Senate counterparts on an amendment to financial overhaul legislation that would limit the fees credit and debit card issuers can charge retailers, a Democratic Senator from Illinois said June 21. The Senator’s “swipe fee” amendment was included in the Senate version of the bill but not in the House version. Under the compromise, government-issued prepaid cards and reloadable prepaid cards would be exempt. The agreement “preserves key protections for the grocers, retailers and country store owners most affected by out-of-control swipe fees, while addressing legitimate concerns of the industry,” a Democratic representative from Vermont wrote in an e-mail. The Senate amendment, approved in May on a 64-33 vote, would have regulated the fees associated with debit or prepaid-card purchases. Retailers have said that the fees, which run about 1 or 2 percent, can erase their profit on small transactions. However, state and local governments that use debit or prepaid cards to distribute unemployment and child support benefits have lobbied against the measure, saying that letting merchants avoid paying swipe fees could translate into higher costs for crucial social programs. The compromise version of the amendment seeks to address those concerns by exempting federal, state and local government debit and prepaid cards from new swipe-fee rules. Congressional aides said the changes could save the federal government $40 million per year. Source:

20. June 22, Washington Examiner – (Maryland) P.G. bank bandit strikes again. A Maryland bank robber who poses as a customer, waits in line and then slips a note to a teller demanding cash has struck again. The man has robbed at least four Prince George’s County banks since March, police said. He most recently hit an M&T Bank on the 6900 block of Laurel Drive in Bowie June 12, authorities said. He ran out of the bank and then darted down the street on foot, just as he has in the three other robberies. He first cropped up March 12, robbing a SunTrust Bank at 24 Watkins Park Drive in Upper Marlboro. On April 19, he robbed a BB&T Bank on the 10500 block of Campus Way South in Upper Marlboro and then struck again May 21 at the M&T Bank on the 1000 block of Shoppers Way, also in Upper Marlboro. Police described the suspect as a black male in his late 30s. He is about 5-foot-9 and weighs about 210 pounds. Source:

21. June 22, HedgeCo.Net – (New York) Alleged mobster charged in Staten Island hedge-fund fraud. Nine more people have been charged in connection with the Gryphon Holdings Inc. case, in which federal prosecutors allege a $20 million hedge-fund scam occurred, according to Staten Island Live (SIlive). Among the nine charged yesterday is an alleged Gambino crime family associate, SIlive reported. All the defendants were Gryphon sales representatives and purportedly known by other names. The defendants were each charged with wire fraud and securities fraud conspiracy, securities fraud, and investment adviser fraud conspiracy. In April 2010, the SEC charged the self-proclaimed “Wolves of Wall Street” with operating an Internet-based scam that misled investors into paying fees for phony stock tips and investment advice from fictional trading experts. There are now 14 defendants, including the hedge-fund founder. The team is charged with fraud: pretending to run a $1.4 billion hedge fund, using fake names while claiming millions of dollars in trading riches, and claiming top-notch educational backgrounds and prominent Wall Street experience. Gryphon frequently posted investment tips on the Internet, the SEC alleges, using at least 40 different monikers such as “Wolves of Wall Street,” “Wall Street’s Most Wanted,” “Pure Profit,” and “Mafia Trader.” In reality, Gryphon’s financial publications served only as a vehicle to attract unsuspecting investors. According to the SEC’s complaint, Gryphon obtained more than $17.5 million from its operations over the past three years. Source:

22. June 21, DarkReading – (National) Small and midsize businesses getting serious about security, study says. Once viewed as easy marks by hackers and cybercriminals, small and midsize businesses (SMBs) are fighting back, states a study published June 21. According to a report conducted by Applied Research and published by Symantec, SMBs’ attitudes about security and data integrity have changed significantly over the past year, resulting in higher prioritization of security issues and more technology spending. “Last year when we conducted this survey, a lot of SMBs were very confident in their security posture, but they weren’t always clear on the threat,” said Symantec’s senior product marketing manager. “This year they realize they have gaps, and they are getting more serious — in fact, they rated data loss and cyberattacks as top risks, even above natural disasters.” In the study of 2,500 executives with responsibility for IT security — half from companies of fewer than 100 employees and half from companies in the 100-to-499 employee range — the researchers found new concerns about the risk of data loss. The respondents ranked data loss and cyberattacks as top business risks, ahead of traditional criminal activity, natural disasters, and terrorism. SMBs are now spending an average of $51,000 per year — and two-thirds of IT staff time — working on information protection, including computer security, backup, recovery, and archiving, as well as disaster preparedness. Loss of critical business information threatens SMBs, Symantec said. Seventy-four percent of the respondents said they are somewhat or extremely concerned about losing electronic information. Source:

23. June 21, New York Times – (New York) SEC cites asset firm in a fraud. Beginning a new stage in the government’s investigations of the mortgage industry, the Securities and Exchange Commission (SEC) June 21 accused a New York firm that managed complex mortgage securities of defrauding investors and misleading American International Group, the government-controlled company that insured some of the firm’s deals. Two of the four mortgage deals in the SEC complaint were bought by the New York Federal Reserve in 2008, in its bailout of AIG. Goldman Sachs and UBS, which were not named in the complaint, received payouts from the Fed for those deals. The case involves a new type of target for the SEC, which has been tracing the mortgage pipeline to try to uncover wrongdoing. The commission has filed cases against mortgage companies that originated loans, like Countrywide Financial, and this spring it filed a case against Goldman Sachs over a mortgage bond the bank had created. This latest case examines the last party in that chain, a firm that managed complex deals known as collateralized debt obligations (CDOs) after they were created by banks. The firm, ICP Asset Management, used the four CDOs, which were sold under the name Triaxx, like a piggy bank to enrich itself by diverting millions of dollars from investors, the commission said in the complaint. The complaint was filed in the Southern District of New York. Source:

24. June 21, Shreveport Times – (Texas) Four arrested in credit card scam. Four people are in jail for manufacturing credit cards using stolen information, said the Caddo, Louisiana sheriff. Credit card numbers were stolen from customers who used their cards at a local fast-food restaurant in June. An employee of the restaurant sold those numbers to three Texas men who turned them into new credit cards, the sheriff said. The employee was arrested at the restaurant June 18 by members of the Caddo-Shreveport Financial Crimes Task Force. A subsequent raid at the Quail Creek Apartments led to the three male suspects, who were in possession of hundreds of credit card numbers and credit-card-making equipment, the sheriff said. Detectives located a box full of Visa gift cards, a laptop that was open and running and displaying several hundred credit card numbers, a magnetic card reader/writer used to add information to the magnetic strip on the back of a credit card, and an imprinter used to stamp a name or number on the front of a credit card. They also seized $5,000 in cash and an early-model Mercedes. The victims’ credit card bills were used to track down where the suspects had made fraudulent purchases using the illegal cards. The suspects were seen on store video using the cards at area discount and home/garden stores. They used the fake cards to buy legitimate gift cards. Source:

Information Technology

55. June 22, Help Net Security – (International) Flaw in VPN systems nullifies its promise of privacy. A security flaw in virtual private network (VPN) systems - caused by the combination of IPv6 and PPTP-based VPN services - can be exploited so that a user’s IP address, MAC address and computer name can be identified. The existence of the flaw was made public at the Telecomix Cyphernetics Assembly in Sweden, home country of the Pirate Bay and the Pirate Party (both of which offer VPN services). It has also been suggested that Swedish anti-piracy investigators are already aware of it and are using it to gather data on “anonymous” sharers. Most users might also not be aware that they can be targeted with this approach, since they do not know that their computers use IPv6 (for example, those that have Windows 7 installed). The flaw can be closed by the simple action of switching back to IPv4, or by choosing an alternative to PPTP - such as OpenVPN. “It’s more secure than PPTP, and more stable too, though it doesn’t work on mobile devices natively, and isn’t quite as easy to set up on a computer, especially older machines,” said a writer for Wired. “OpenVPN also has the advantage that it’s often not blocked in countries where PPTP systems are blocked.” Source:

56. June 22, The H Security – (International) Malware: certified trustworthy. According to anti-virus vendor F-Secure, the number of digitally signed malware samples for Windows is increasing - and more and more scareware programs also include a valid digital signature. Virus authors use this method to overcome various hurdles on Windows systems, and to suppress alerts such as those triggered when a program attempts to install an ActiveX control in Internet Explorer, or before installing a driver. F-Secure’s list of potentially undesirable programs contains almost 400,000 digitally signed samples. In terms of malware, the list still includes almost 24,000 samples. Authenticode is used for signing and checking software under Windows and is meant to verify the origin of software. Users tend to trust digitally signed software. Software without a digital signature triggers a dialogue that explicitly asks the user for confirmation before proceeding with the installation. In the 64-bit versions of Windows 7 and Vista, installing an unsigned driver isn’t possible at all, even if a user were to wave it through. F-Secure says that virus authors successfully use various tricks to obtain valid digital signatures or certificates for their programs. The most reliable method is to trick a Certificate Authority into issuing a code-signing certificate. It seems that this has become just as easy as obtaining a valid SSL server certificate – a valid e-mail address is sufficient. Internet fraudsters and criminals also use services such as Digital River, which sign software for their customers. Source:

57. June 22, The Register – (International) Opera stomps on ‘extremely severe’ security holes. Opera has unleashed a minor point upgrade for the Windows and Mac versions of its Web browser - so minor it didn’t merit a press release. But the 10.54 release fixes five security holes, four of which Opera won’t fully disclose, but which are rated “extremely severe,” “highly severe,” “moderately severe” and… “less severe.” In addition, the Mac version receives fixes for a number of stability and UI issues, including the annoying “not releasing a mouse click when making selection from drop-down” problem, pop-ups grabbing the focus, and a speeded-up MacBook trackpad. Opera said what it calls “premature shutdowns” invoked by closing a window, loading system frameworks, and other causes have been fixed. Source:

58. June 22, DarkReading – (International) Researcher ‘fingerprints’ the bad guys behind the malware. Malware writers actually leave behind a telling trail of clues that can help identify their native tongue, their geographic location, their ties to other attacks — and, in some cases, lead law enforcement to their true identities. A researcher at Black Hat USA next month plans to give away a homemade tool that helps organizations glean this type of intelligence about the actual attacker behind the malware. The founder and CEO of HBGary has spent several months studying malware from the infamous Operation Aurora attack that hit Google, Adobe, Intel, and others, as well as from GhostNet; in both cases, he discovered key characteristics about the attackers themselves. The CEO said the key is to gather and correlate all of the characteristic “markers” in the malware that can, in turn, be traced to a specific malware writer. While anti-malware firms focus on the malware and malware kits and give them names, he said that model is all wrong. “That whole model is completely broken,” the CEO said. “Instead of tracking kits, we need to start tracking the attacker as a threat group. I want to take the fight back to the attacker.” Among his findings on GhostNet, an attack used to spy on Chinese dissidents, for example, was a common compression method for the video stream that was unique to those attacks. And in Operation Aurora, he found Chinese-language ties, registry keys, IP addresses, suspicious run-time behavior, and other anomalies that tied Aurora to the developer. Source:

59. June 22, SC Magazine – (International) Is the Mariposa botnet still functioning three months after it was shut down and its owners were arrested? Claims have been made that the Mariposa botnet is still alive, and that some of its command-and-control (CnC) centers are still active and spreading. According to a researcher at the FireEye malware intelligence lab, some Mariposa CnCs are still active and spreading. He pointed to a Mariposa sample communicating with its CnC, which had received a command to spread through a USB device. He said: “It seems that either Spanish police have not been able to apprehend the entire Mariposa gang or the botnet CnC has some sort of auto-pilot mode. All this brings home a very important lesson in shutting down major botnets. Even if the bot masters are arrested, you still have to shut down the CnC. Unless that is done, the infrastructure is still there, it still lives, and it can continue to spread and cause harm.” He raised several questions, including: Who is currently operating this botnet, if it is still alive? Has the botnet been taken over by some rival gang? Are the original bot masters pulling the strings while in police custody? Or is the botnet simply operating on auto-pilot? Source:

60. June 22, Computerworld – (International) Most firms face security ‘red alert’ as XP SP2’s retirement looms. Three out of four companies will soon face more security risks because they continue to run the soon-to-be-retired Windows XP Service Pack 2 (SP2), said a report published June 22. Toronto-based technology systems and services provider Softchoice Corp. said that 77 percent of the organizations it surveyed are running Windows XP SP2 on 10 percent or more of their PCs. Nearly 46 percent of the 280,000 business computers Softchoice analyzed rely on the aged operating system. “This is a red alert,” said Softchoice’s services development manager. “This isn’t something you can safely ignore.” He was referring to the impending end-of-support deadline that Microsoft Corp. has set for Windows XP SP2, a service pack that debuted in the fall of 2004. After July 13, Microsoft will stop issuing security updates for SP2, a move that has users scrambling to update to Windows XP SP3, which will be supported until April 2014. “Windows XP SP2 is deployed in 100 [percent] of the companies [surveyed] to some extent,” said the manager. “But that doesn’t tell the whole story. On average, 36 [percent] of the PCs in every organization run SP2.” Softchoice obtained its data from customers of its IT assessment services, which include asset, hardware life cycle and licensing management. It analyzed PCs in 117 U.S. and Canadian organizations in education and the financial, health care and manufacturing industries. The firm weighted the number of XP SP2 systems in each polled organization to arrive at the average usage mark of 36 percent. Source:

61. June 21, PC World – (International) What is your Facebook data worth? The gargantuan amount of high-quality user data on Facebook is causing everyone — from marketers to hackers — to salivate like dogs gazing at a steak. They all want a piece of Facebook users. Thanks to Facebook’s Open Graph API (which simplifies the development of third-party applications that interoperate with the social-networking site) and social plug-ins (which essentially splash Facebook’s “Like” button all over the Internet), people who are interested in one’s data are getting a chance at a much choicer cut of it. Additionally, Facebook’s Instant Personalization Pilot Program, which the social network introduced this spring, was the wake-up call for many users who had been ignoring the concerns of privacy watchdogs. In response, Facebook updated its privacy settings in late May, to some praise and confusion. Facebook has unrestricted access to everything one does relating to its site, and its growing collection of profile data, preferences, and connections is prompting some experts to estimate the value of the site beyond the GDP of some countries. For instance, a Mashable article reported that SharesPost, a marketplace for shares in privately owned companies, suggested an $11.5-billion value for Facebook, versus a $1.4-billion value for Twitter and a $1.3-billion value for LinkedIn. A quick look through the Web site Openbook, which allows users to search for embarrassing Facebook status updates that anyone can view, shows the volume of people whose accounts are set to broadcast status updates to everyone. Some Facebook status updates reveal far too much. For instance, a search for “cocaine” or “drunk” in Openbook’s search field yields status updates such as “Cocaine is a man’s best friend” and “I’m so drunk right now I need to go to bed.” Are these updates just jokes? Are they statements taken out of context? They could be either. But slapped next to a name, gender, and profile picture (information that Facebook requires to be public), they create an impression. Source:

For another story, see item 64 below in the Communications Sector

Communications Sector

62. June 22, InformationWeek – (National) FCC meets with broadband providers over regulation. Phone and cable company representatives have been meeting with the Federal Communications Commission (FCC) to discuss giving the government authority over high-speed Internet lines. The FCC is seeking comment from broadband providers, including AT&T and Verizon Communications, and Internet companies, such as Google and Skype, to see if they can find common ground over the FCC’s power to regulate broadband Internet companies. Talks were held June 21 with the chief of staff for the FCC chairman. A similar meeting was held June 18, a day after the FCC voted to gather public comments on whether the agency should reclassify broadband regulation under existing stricter, older phone-network regulations. Phone and cable companies have urged Congress to update the Communications Act so that the FCC doesn’t resort to using the decades-old rules for broadband lines. Source:

63. June 22, West Kentucky Star – (Kentucky) Marshall County 911 phone lines are working again. Marshall County dispatch has informed The West Kentucky Star that the fiber-optic lines that were broken have been repaired, and 911 service for Calvert City and Benton in Kentucky is fully functional again. Customers who had land-based telephone lines with Windstream Communications were affected from the afternoon of June 21 until early June 22. In case of emergency, they had to dial Marshall County dispatch directly, or call 911 from their cellular phones. Source:

64. June 22, The Register – (International) Cyber cops want stronger domain rules. International police have called for stricter rules on domain-name registration, to help them track down online crooks, warning the industry that if it does not self-regulate, governments could legislate. The changes being discussed would place more onerous requirements on Internet Corporation for Assigned Names and Numbers (ICANN)-accredited domain-name registrars, and would likely lead to an increase in the price of domains. In Brussels, Belgium at the 38th public meeting of ICANN, police from four agencies said that registrars need to crack down on criminals registering domains with phoney contact info. Law enforcement has long argued that weaknesses in the domain-name industry allow criminals such as fraudsters and child abusers to remain anonymous and evade the law. An agent for the UK Serious Organised Crime Agency said: “We believe that the industry needs mandatory minimum standards, because otherwise the good practices that some registries and registrars have, only displace criminals to those with less strict regimes and less strict audits.” Among over a dozen proposals put forward by law enforcement is a provision that would require registrars to collect the IP address and HTTP headers of users at the time of registration. Registrars would also have to validate billing and contact information, use CAPTCHAs to verify that domains are not being registered by bots, and maintain a list of fraudulent user IP addresses. An agent from the FBI said that law enforcement agencies from a dozen or more countries back the changes, which come as part of a broader overhaul of ICANN’s Registrar Accreditation Agreement. Source:

65. June 21, IDG News Service – (National) AT&T, Verizon join Wi-Fi roaming group. AT&T and Verizon Wireless, the two largest U.S. mobile operators, have joined an organization that ensures roaming among mobile operators’ Wi-Fi networks. The group, called the Wireless Broadband Alliance (WBA), also announced June 21 that South Korean mobile operator KT, Cisco Systems, U.S. cable operator Comcast, and wireless software vendor Devicescape Software have recently joined. The WBA provides for sharing of log-in credentials among operators of Wi-Fi networks so that subscribers can log into another WBA member’s network using the same username and password as they do with their primary carrier. Service providers that join WBA commit to participating in this program over time, though the interoperability may not be available immediately, said the CEO of Devicescape. AT&T and Verizon were not immediately able to confirm what they will be doing with the WBA. Also June 22, the WBA said it is set to release the WISPr 2.0 specification, which will allow Wi-Fi network operators to go beyond the single-log-in capability and remove the need for entering any username and password for roaming. Source:

66. June 21, Erie Times News – (Pennsylvania) Verizon warns of scammers ‘phishing’ for account information. The manager of media relations at Verizon Communications Inc. said Erie, Pennsylvania residents should be on the lookout for suspicious people posing as Verizon employees. Lately, there have been e-mails going around that ask for updated information. This scam is known as phishing. These e-mails will generally tell customers that their account will be interrupted if they do not update their account information. The claims are not true, and account information should not be provided. Source: