Department of Homeland Security Daily Open Source Infrastructure Report

Friday, June 25, 2010

Complete DHS Daily Report for June 25, 2010

Daily Report

Top Stories

• According to the New York Post, Port Authority of New York and New Jersey police who staff the agency’s bridges and tunnels must be on alert for a fuel-filled tanker meant to start a series of explosions designed to decimate first responders. But one Port Authority official said, “It’s a totally unsubstantiated threat.” (See item 24)

24. June 24, New York Post – (New York; New Jersey) Port Authority cops on lookout for terror attack. Port Authority of New York and New Jersey police who staff the agency’s bridges and tunnels were read harrowing details of a terrorist threat June 23 advising them to be on the lookout for a fuel-filled tanker meant to explode prior to a secondary blast designed to decimate any first responders. The chilling warning was read at roll call for four police commands - cops assigned to the Holland and Lincoln Tunnel; the George Washington Bridge; and also the Staten Island command, which incorporates the Bayonne and Goethals Bridge and the Outerbridge Crossing, a source said. The alleged threat claims “all crossings” would be in jeopardy and is “being treated as credible, that some type of tanker will explode causing us to respond ... At some point during the response, a second explosion [will occur] causing injury to all first responders to this incident.” No date or time was given for the potential terrorist strike, but a Port Authority police source indicated a fuel tanker from Canada may be involved. The New York Police Commissioner insisted he was unaware of any specific terrorist threat that had been received by the department targeting the area’s bridges or tunnels, and a Port Authority official said, “It’s a totally unsubstantiated threat,” and suggested the threat was mentioned to “[rally] the troops to be vigilant.” Source:

• Kansas City infoZine News reports that the governor of Missouri activated the Missouri National Guard to provide emergency assistance to residents of northwest Missouri communities that could be affected by continued flooding along the Missouri River. (See item 62)

62. June 24, Kansas City infoZine News – (Missouri) Missouri activates National Guard because of flooding in northwest Missouri. The governor activated the Missouri National Guard to provide emergency assistance to residents of northwest Missouri communities that could be affected by continued flooding along the Missouri River. The governor’s action was taken in response to notification from the U.S. Army Corps of Engineers late Wednesday that it would release more water from the upper Missouri River at the Gavins Point reservoir over the next four days. The Corps said it would increase the release of water from 15,000 cubic feet per second to 20,000 cubic feet per second Wednesday, and incrementally increase releases between Wednesday and Saturday until a target release rate of 35,000 cubic feet per second is achieved. “I have activated the National Guard to provide help whenever and wherever it is needed to fight the flood waters, protect residents of flood-stricken communities, and assist local officials and emergency responders,” he said. Source:


Banking and Finance Sector

15. June 24, Associated Press – (International) Woman arrested on explosives charge ahead of G-20. The common-law wife of a man charged with possession of explosives in what police are calling a Group of 20 summit-related arrest has also been charged in the investigation. A police spokeswoman said June 24 that the 37-year-old suspect has been charged with possession of an explosive device and possession of a weapon. The suspect’s partner, a computer-security expert, was charged June 23 with several offenses, including possession of explosives, dangerous weapons and intimidating a justice system participant. An Internet activist and contributor to the Canadian Broadcasting Corp. said the computer expert told a May meeting of activists and professors that he planned to monitor police chatter about the Group of Twenty Finance Ministers and Central Bank Governors (G-20) summit and post it on Twitter. He also said he would buy items online to attract police attention. The police spokeswoman said she could not say what the explosives are but said there is no risk to public safety. Police have declined to release more details, but police said the investigation is part of the ongoing effort to ensure a safe and secure G-20 Summit in Toronto. The G-20 groups the leaders from 19 leading rich and developing nations, and the European Union. Source:

16. June 24, CIO – (National) Credit card data breaches cost big bucks. Javelin Strategy & Research estimates that credit and debit card issuers spent $252.7 million in 2009 replacing more than 70 million cards compromised by data breaches. In 2009, an estimated 39 million debit cards and 33.3 million credit cards were reissued due to data breaches, for a total of 72.2 million. An estimated 20 percent of those affected by the breaches had more than one card replaced. Javelin’s survey shows that 26 percent, or roughly one in four, U.S. consumers received a data-breach notification last year from a company or agency holding their personal data, including credit and debit card or checking account information. Of the people notified (which is required by law in most states), 11.5 percent were victims of identity fraud, compared with only 2.4 percent of those who were not notified. The report surmises that data breaches lead to fraud. Digital Transactions explains, “Data breaches are one obvious pathway to fraud, but a breach alone doesn’t mean an affected consumer will become an identity-fraud victim. Banks often give free credit-report monitoring services to customers whose data may have been compromised.” The flaw here is that credit monitoring only makes the consumer aware of new-account fraud, in which a Social Security number is used to open a new account. Credit monitoring has nothing to do with credit card fraud in which an existing account is compromised. “There’s a disconnect,” Javelin tells Digital Transactions News. Consumers “should pay attention to your credit reports after you’re notified, because you’re more vulnerable.” Source:

17. June 24, Associated Press – (International) Al Qaeda front says it bombed Iraq bank; 18 die. An al Qaeda front group claimed responsibility June 23 for bombing a state-run investment bank, gloating over its ease in penetrating security in an attack that killed at least 18 people. The June 20 attack on the Trade Bank of Iraq was meant to expose the weakness of the country’s stalled government, according to a statement posted on the Web site of the Islamic State of Iraq. The statement called the bank a “stronghold of evil” because it was established to attract foreign investment. The group, which is allied with al Qaeda, taunted the government for its inability to keep the peace. The same group claimed responsibility for the recent strike on the Central Bank of Iraq, the nation’s treasury, in which at least 26 died in a commando-style assault by bombers and shooters. Source:

18. June 24, The Register – (International) Scotland Yard cuffs teens for role in cybercrime forum. Two teenagers have been arrested for their alleged involvement in the world’s largest English-language cybercrime forum. The pair were detained by appointment in central London Wednesday by the Police Central e-Crime Unit (PCeU), a national unit based at Scotland Yard. An 8-month investigation into the forum, which hasn’t been named, found it had almost 8,000 members who traded malware, cybercrime tutorials and stolen banking information. The cybercrime tools for sale included the ZeuS Trojan and data stolen from machines it has already infected. Detectives have so far recovered 65,000 credit card numbers from the forum. The two males, aged 17 and 18, were arrested on suspicion of encouraging or assisting crime, unauthorized access under the Computer Misuse Act, and conspiracy to commit fraud. They have been bailed pending further investigations. Source:

19. June 24, MarketWatch – (National) Smaller banks get break on capital standards. Smaller banks won a concession from congressional lawmakers Thursday about how much capital they’ll need, as larger banks worried that they’ll have to pay for the failure of mortgage giants Fannie Mae and Freddie Mac. House and Senate lawmakers negotiating the final details of a massive bank regulatory overhaul bill agreed to a compromise on capital levels for smaller banks, while they advanced a series of proposals that would impose additional fees on big banks. The leaders of the conference committee hoped to wrap up work June 24. Big issues are still unresolved, including whether taxpayer-insured banks should be able to trade derivatives, and whether they should be able to trade on their own account. In the morning session, lawmakers from the House agreed with a Senate proposal that would allow smaller banks to continue to count existing trust-preferred securities, a form of hybrid debt capital, toward their capital standards. Larger banks would have five years to phase out this kind of capital, potentially forcing them to raise more capital from common equity. Meanwhile, a proposal that would force big banks to pay hundreds of billions of dollars to wind down Fannie and Freddie is likely to be defeated, a banking analyst told MarketWatch. Source:

20. June 23, Associated Press – (Georgia) Decatur man arrested with 98 fake credit cards. Authorities have arrested a 21-year-old Decatur, Georgia man they say had a cache of phony documents, including 98 fake credit cards. Henry County police got a tip that the suspect was going to use a fake credit card at a Kroger June 16. A police spokesman said authorities arrested him after he allegedly used a homemade American Express credit card to buy a $400 gift card. Police said they later recovered a counterfeit driver’s license, three fake driver’s licenses and some counterfeit money, some of it in a bag in his car. Source:

21. June 23, Carlton County Pine Journal – (Minnesota) Woodlands National Bank targeted in ‘phishing’ scam. Woodlands National Bank, with a branch office in Cloquet, Minnesota, has been taking a lot of heat lately — through no fault of its own. The bank has been the brunt of an elaborate e-mail, phone and text message fraud that has provoked literally hundreds of phone calls weekly, according to a local branch manager. The Woodlands National Bank name and logo have been used without the company’s consent or knowledge in “phishing” schemes aimed at acquiring sensitive information from unsuspecting consumers. The branch manager said that the perpetrators used a variety of methods to randomly contact people residing in the customer area of the bank’s various branch offices. In most cases, the message informs the recipient that their account has been temporarily suspended, and requests proprietary information in order to bring it back on line. In the most recent telephone scam, a recorded message asks for recipients to input their debit card numbers in order to reactivate their accounts. She added that Woodlands National Bank does not send any sort of “alert messages” via e-mail, phone or text messages and never initiates a request for sensitive information through those means. Source:

22. June 18, Trend Micro – (International) Belgian pump and dump botnet. According to a report in Belgian newspaper De Tijd, malware has been used to compromise the online portfolios of Belgian investors. The botnet was then used to influence stock prices, making the criminals more than 100,000 euros. The investigation remained secret until June 18. The federal prosecutor and the computer crimes unit of the national police in Belgium were looking into events that took place in 2007. Between April and May 2007, criminals infected the PCs of customers of the banks Dexia, KBC and Argenta with a bot (the exact nature of the bot is unspecified) which stole the usernames and passwords for online share-trading platforms. The article goes on to detail what appears to be a highly targeted, custom-written attack that was able to automate stock trades across the botnet. With a push of a button, the botmaster instructs all the computers to buy or sell the same shares at the same time. The criminals behind the enterprise went on to profit from the sharp changes in stock price of the penny stocks that were being manipulated by buying and selling their own shares at exactly the right moments in classic pump-and-dump tactics. Source:

Information Technology

46. June 24, – (International) Asprox botnet causing serious concern. Security researchers are warning of a rapidly growing number of Web sites infected by the Asprox spam botnet. Asprox is capable of launching SQL-injection attacks, and has more than doubled its appearance on application service provider (ASP) sites from 5,000 to 11,000 overnight, according to M86 Security. The firm has tagged the botnet with a ‘high severity’ badge, meaning that it is particularly serious. An M86 security-threat analyst said in a blog post that Asprox had previously been used only to send spam, but that it is now responsible for SQL injections and the “mass infection” of Web sites. “This week our suspicions were confirmed when we came across another version of Asprox, which started to launch spam and SQL-injection attacks,” he said. Once in place, the bots attempt to contact three domains with a .ru address. The analyst said these are Asprox control servers that return spam templates, target e-mail addresses and malware updates, and list ASP sites to target. The botnet also downloads an encrypted XML file that offers information such as Google search terms for finding more targets. Source:

47. June 23, Krebs on Security – (International) Exploiting the exploiters. Many computer users understand the concept of security flaws in common desktop software such as media players and instant message clients, but they often are surprised to learn that the very software tools attackers use to break into networks and computers typically are riddled with their own hidden security holes. Bugs that reside in attack software sold to criminals are extremely valuable to law enforcement officials and “white hat” hackers, who can leverage these weaknesses to spy on the attackers or interfere with their day-to-day operations. Recently, French security researchers announced they had discovered a slew of vulnerabilities in several widely used “exploit packs,” stealthy tool kits designed to be stitched into hacked and malicious sites. The kits — sold in the underground for hundreds of dollars and marketed under brands such as Crimepack, Eleonore, and iPack — probe the visitor’s browser for known security vulnerabilities, and then use the first one found as a vehicle to quietly install malicious software. The founder of Paris-based TEHTRI Security released security advisories broadly outlining more than a dozen remotely exploitable flaws in exploit packs. According to TEHTRI, some of the bugs would allow attackers to view internal data stored by those kits, while others could let an attacker seize control over sites retrofitted with one of these exploit packs. The founder of TEHTRI said he is reluctant to release more information about the vulnerabilities until July, when he is slated to discuss the findings at a conference. But in an interview with KrebsOnSecurity, he said that in the days since his advisory was published, some in the security community have come out against the idea of sharing the exploit-pack-vulnerability information more broadly. Source:

48. June 23, The New New Internet – (National) Twitter accounts hacked. More than 1,000 Twitter accounts have been compromised by hackers, according to F-Secure researchers. The hacked accounts are subsequently used to tweet “Hacked By Turkish Hackers.” The researchers are currently unclear how the hacking attack is spreading. However, it appears that significant numbers of compromised accounts are owned by Israelis. One researcher suggests, “Perhaps there’s a Twitter phishing run in Hebrew underway?” Twitter has seen a variety of phishing attacks, as cyber criminals look to exploit the latest trends in user behavior. Source:

49. June 22, CNET News – (International) Report says be aware of what your Android app does. About 20 percent of the 48,000 apps in the Android marketplace allow a third-party application access to sensitive or private information, according to a report released June 22. And some of the apps were found to have the ability to do things like make calls and send text messages without requiring interaction from the mobile user. For instance, 5 percent of the apps can place calls to any number and 2 percent can allow an app to send unknown SMS messages to premium numbers that incur expensive charges, security firm SMobile Systems concluded in its Android market-threat report. SMobile said that while not all apps are malicious, there is the potential for abuse. Users should know what the apps they downloaded are doing because they have expressly granted the apps permission to do those activities when they downloaded them. In addition, the Android architecture limits the apps to the permissions granted so any damage from a potentially malicious app would be very limited, according to Google. The report found that dozens of apps have the same type of access to sensitive information as known spyware does, including access to the content of e-mails and text messages, phone-call information, and device location, said the chief technology officer at SMobile Systems. Source:
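The SMobile report above turns on one point: an Android app can only place calls, send SMS or read location because the user granted it those permissions at install time, so the manifest is the first thing a defender should read. The following is an added illustration, not code from the report or from SMobile Systems: a small Go program that parses an AndroidManifest.xml and flags requested permissions that match the capabilities the report describes. The manifest text is constructed for the example; the permission names are standard Android permissions, and the descriptions attached to them are this example's own wording.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"sort"
)

// Constructed sample manifest (not from any real app) that mixes harmless
// permissions with the sensitive ones the report calls out.
const sampleManifest = `<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
</manifest>`

// usesPermission maps a <uses-permission android:name="..."/> element; the
// struct tag carries the android namespace URL so the prefixed attribute matches.
type usesPermission struct {
	Name string `xml:"http://schemas.android.com/apk/res/android name,attr"`
}

type manifest struct {
	Package     string           `xml:"package,attr"`
	Permissions []usesPermission `xml:"uses-permission"`
}

// sensitivePermissions lists the capabilities the report warns about
// (calls, SMS, message content, location, phone identity) keyed by the
// standard Android permission that grants each one.
var sensitivePermissions = map[string]string{
	"android.permission.CALL_PHONE":           "place phone calls without user interaction",
	"android.permission.SEND_SMS":             "send SMS, including to premium-rate numbers",
	"android.permission.READ_SMS":             "read text messages",
	"android.permission.READ_CONTACTS":        "read the contact list",
	"android.permission.ACCESS_FINE_LOCATION": "track precise device location",
	"android.permission.READ_PHONE_STATE":     "read phone identity and call state",
}

// AuditManifest parses manifest XML and returns the package name together
// with the sorted list of requested permissions found on the sensitive list.
func AuditManifest(xmlText string) (string, []string, error) {
	var m manifest
	if err := xml.Unmarshal([]byte(xmlText), &m); err != nil {
		return "", nil, err
	}
	var flagged []string
	for _, p := range m.Permissions {
		if _, ok := sensitivePermissions[p.Name]; ok {
			flagged = append(flagged, p.Name)
		}
	}
	sort.Strings(flagged)
	return m.Package, flagged, nil
}

func main() {
	pkg, flagged, err := AuditManifest(sampleManifest)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s requests %d sensitive permissions:\n", pkg, len(flagged))
	for _, name := range flagged {
		fmt.Printf("  %-42s %s\n", name, sensitivePermissions[name])
	}
}
```

A flashlight app asking for CALL_PHONE and SEND_SMS is exactly the mismatch between stated purpose and granted capability that the report says users should notice; the same check can be run over a batch of decoded manifests before apps are approved for a managed fleet.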

Communications Sector

50. June 24, WBRZ 2 Baton Rouge – (Louisiana) Crews knock out Sprint. Crews installing equipment for Sprint June 23 in Baton Rouge, Louisiana accidentally knocked out phone and text transmissions in the area for much of the day. A company spokeswoman said the outage was expected to be repaired by the evening of June 23. Source:

51. June 23, Government Computer News – (International) Another domain adopts added DNS security. The Public Interest Registry, which operates the .org generic top-level domain, announced June 23 that it has completed deployment of Domain Name System Security Extensions, which provide an additional level of security to the DNS. The full deployment tops off a two-year deployment and testing period of DNSSEC in 18 live “friends and family” domains within .org. “What happened today was enabling potentially all of the .org domain owners to begin signing their zones,” using DNSSEC, said the Public Interest Registry chief executive officer. “We have at least three registrars that are operationally capable of serving customers who want to sign their zones.” Those registrars, who sell and register domain names within .org, are Names Beyond, DynDNS and GoDaddy, the world’s largest registrar. The DNS maps domain names to IP addresses and underlies nearly all Internet activities. DNSSEC lets responses to DNS queries be digitally signed so they can be authenticated with public cryptographic keys, making them harder to spoof or manipulate. This can help to combat attacks such as pharming, cache poisoning, and DNS redirection that are used to commit fraud and identity theft and to distribute malware. Both sides of an exchange must be using DNSSEC in order for it to work. Source:
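The item above describes the DNSSEC mechanism in one sentence: the zone owner signs its records, and a resolver that holds the zone's public key can reject any answer whose signature does not verify. The following added Go example, which is not code from the article or from the Public Interest Registry, illustrates that split with ed25519 over a simplified record set. It is a stand-in, not the DNSSEC wire format: real DNSSEC uses RRSIG and DNSKEY records with a canonical form defined in RFC 4034, and the record names and addresses here are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// Record is a simplified resource record: owner name, type and value.
type Record struct {
	Name, Type, Value string
}

// canonical renders an RRset identically for signer and validator: lowercased
// owner names, one record per line, sorted. This stands in for the canonical
// wire form that RRSIG signatures in real DNSSEC are computed over.
func canonical(rrset []Record) []byte {
	lines := make([]string, 0, len(rrset))
	for _, r := range rrset {
		lines = append(lines, strings.ToLower(r.Name)+"\t"+r.Type+"\t"+r.Value)
	}
	sort.Strings(lines)
	return []byte(strings.Join(lines, "\n"))
}

// SignRRset plays the zone owner: the returned signature is the stand-in for
// the RRSIG record published next to the RRset.
func SignRRset(priv ed25519.PrivateKey, rrset []Record) []byte {
	return ed25519.Sign(priv, canonical(rrset))
}

// ValidateRRset plays the validating resolver: it accepts an answer only when
// the signature verifies under the zone key it already trusts (the DNSKEY role).
func ValidateRRset(zoneKey ed25519.PublicKey, rrset []Record, sig []byte) error {
	if !ed25519.Verify(zoneKey, canonical(rrset), sig) {
		return errors.New("signature does not cover this RRset: answer rejected")
	}
	return nil
}

// Demo signs a constructed A record and then checks three answers a resolver
// might receive: the genuine one, a forged address with the genuine signature
// (what a poisoned cache would hand back), and the forged address signed by a
// key the resolver does not trust. It returns whether each one validated.
func Demo() (genuineOK, forgedOK, wrongKeyOK bool, err error) {
	zonePub, zonePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	genuine := []Record{{"www.example.org.", "A", "192.0.2.10"}}
	sig := SignRRset(zonePriv, genuine)

	// Constructed spoofed answer pointing the name at a different address.
	forged := []Record{{"www.example.org.", "A", "198.51.100.66"}}

	// A signer whose key is not the trusted zone key.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return false, false, false, err
	}
	otherSig := SignRRset(otherPriv, forged)

	genuineOK = ValidateRRset(zonePub, genuine, sig) == nil
	forgedOK = ValidateRRset(zonePub, forged, sig) == nil
	wrongKeyOK = ValidateRRset(zonePub, forged, otherSig) == nil
	return genuineOK, forgedOK, wrongKeyOK, nil
}

func main() {
	g, f, w, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine answer accepted: %v\n", g)
	fmt.Printf("forged answer accepted:  %v\n", f)
	fmt.Printf("untrusted-key answer accepted: %v\n", w)
}
```

The third case is why the article's closing sentence matters: a resolver that does not validate, or that has no trusted key for the zone, has no way to tell the untrusted-key answer from the genuine one, so signing the zone protects only clients whose resolvers check the signatures.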

52. June 23, KTVZ 21 Bend Oregon – (Oregon) Outage update: Signals should be back June 24. KTVZ’s chief engineer continues to work on microwave relay failure issues that have knocked signals off the air and also on cable systems other than BendBroadband. It is expected that backup equipment will be in place and signals restored by midday June 24. The problem arose when the chief engineer tried to resolve an issue by rebooting the microwave relay system that sends signals from the station on O.B. Riley Road to the transmitter atop Awbrey Butte. He then tried to switch to a backup system that failed. Source: