Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, June 30, 2010

Complete DHS Daily Report for June 30, 2010

Daily Report

Top Stories

• The FBI has arrested 10 people for allegedly serving for years in the U.S. as secret agents of Russia’s intelligence service, the SVR, with the goal of penetrating U.S. government policymaking circles, the Associated Press reports. (See item 38)

38. June 28, Associated Press – (National) 10 alleged Russian secret agents arrested in U.S. The FBI has arrested 10 people for allegedly serving for years as secret agents of Russia’s intelligence service, the SVR, with the goal of penetrating U.S. government policymaking circles. According to court papers unsealed June 28, the FBI intercepted a message from SVR headquarters, Moscow Center, to two of the defendants describing their main mission as “to search and develop ties in policymaking circles in US.” Intercepted messages showed they were asked to learn about a broad swath of topics including nuclear weapons, U.S. arms control positions, Iran, White House rumors, CIA leadership turnover, the last presidential election, Congress, and the political parties. After a secret multi-year investigation, the Justice Department announced the arrests in a blockbuster spy case that could rival the capture of a famous Soviet spy in 1957 in New York. There was no clue in initial court papers how successful the agents had been, but they were alleged to have been long-term, deep-cover spies, some living as couples. These deep-cover agents are the hardest spies for the FBI to catch because they take civilian jobs with no visible connection to a foreign government; one was a reporter, editor and columnist at a New York Spanish-language newspaper. They are more elusive than spies who operate from government jobs inside Russian embassies and military missions. Source:

• Oil from the BP spill in the Gulf of Mexico washed ashore at one of the largest tourist beaches in Mississippi June 28, forcing tourists to pack their bags and evacuate the shore, according to Reuters. (See item 57)

57. June 28, Reuters – (Mississippi) Oil washes onto big Mississippi tourist beach. Oil from the BP spill in the Gulf of Mexico washed ashore at one of the largest tourist beaches in Mississippi June 28, forcing tourists to pack their bags and evacuate the shore. Sludgy brown oil, light sheen and tar balls arrived at a series of small towns June 27, the first time oil has hit Mississippi’s mainland. On June 28, the oil reached Biloxi, a major resort city famous for its casinos. One day after state and local officials complained vehemently about nonexistent cleanup efforts, busloads of workers in white plastic haz-mat suits showed up to scoop up the greasy tide and tar balls. In total, 700 boats were at work on the containment effort and the state was pressing for more resources, the Mississippi governor said in a statement. But residents disputed that figure. Rain and thunderstorms churned up the oil on beaches overnight, scattering it and making cleanup more difficult. But local officials said that despite the urgency of the task, they were struggling to mount a bigger effort because of problems in the chain of command. The state has closed additional areas to commercial and recreational fishing and it warned people to stay out of the water off all major tourist beaches. Source:


Banking and Finance Sector

12. June 29, The Washington Post – (International) European Union, U.S. to share banking data to fight terrorism. The European Union has reached an agreement with the United States that will allow European bank data to continue to be shared for counter-terrorism purposes, but only after liberal members of parliament secured stronger privacy guarantees. Under a five-year agreement signed June 28 by the European Council, the E.U.’s governing body, U.S. officials can request European financial data relevant to a specific terrorist investigation if they substantiate the need for the data. The European Parliament is expected to approve the deal by a comfortable margin when it votes on it next week, lawmakers said. The deal would take effect August 1. Privacy concerns had prompted the European Parliament in February to reject a proposal to extend the information-sharing. But in recent weeks, a bloc of Liberal Democrats pushed for concessions from the European Council and the United States. Source:

13. June 29, Charleston Post and Courier – (South Carolina) Robber leaves suspected bomb. A man walked into the Summerville, South Carolina BB&T at noon June 28, robbed it and threatened that he left a bomb, authorities said. Over the next 2 and 1/2 hours, members of the Summerville Police Department, state law enforcement division, FBI and the Charleston County Sheriff’s Office Bomb Squad rushed to 904 North Main Street. They evacuated the bank’s staff — all of whom were safe — to a car dealership next door. No bomb was found. But traffic was shut down for two blocks on either side of the bank, which included the portion of North Main Street just in front of his business. The robbery was just another in a string of 11 that occurred this month in the Lowcountry. Five occurred the week of June 21 through 25, and at least 22 robberies have occurred this year. While some arrests have been made, other suspects remain at large. Source:

14. June 29, Bank Info Security – (National) Red flags: No delay for credit unions. A new agreement to delay ID Theft Red Flags Rule-enforcement for physicians does not impact the current date for state-chartered credit unions. The Federal Trade Commission (FTC) June 25 signed a court-approved agreement to hold off on enforcing the Red Flags Rule for physicians until at least 90 days after an appellate court rules on a case involving enforcement of the rule for attorneys. But according to a FTC spokesperson, this agreement has no bearing on state-chartered credit unions or any other entities, which still face the December 31 enforcement date announced at the end of May. Under the Red Flags Rule, organizations that extend credit to their clients must develop and implement written, identity-theft prevention programs that help identify, detect and respond to patterns, practices or specific activities, known as “red flags,” that could indicate identity theft. Source:

15. June 28, Krebs on Security – (California) e-Banking bandits stole $465,000 from California escrow firm. A California escrow firm has been forced to take out a pricey loan to pay back $465,000 stolen when hackers hijacked the company’s online bank account earlier this year. In March, computer criminals broke into the network of Redondo Beach-based Village View Escrow Inc. and sent 26 consecutive wire transfers to 20 individuals around the world who had no legitimate business with the firm. The owner said her financial institution — Professional Business Bank of Pasadena, California — normally notified her by e-mail each time a new wire was sent out of the company’s escrow account. But the attackers apparently disabled that feature before initiating the fraudulent wires. The thieves also defeated another anti-fraud measure: a requirement that two employees sign off on any wire request. The owner said that a few days before the theft, she opened an e-mail informing her that a UPS package she had been sent was lost, and urging her to open the attached invoice. Nothing happened when she opened the attached file, so she forwarded it on to her assistant, who also tried to view it. The invoice was in fact a Trojan horse program that let the thieves break in, set up shop and plant a password-stealing virus on both the owner’s computer and the PC belonging to her assistant, the second person needed to approve transfers. Source:

16. June 28, Dow Jones Newswires – (Virgin Islands) SEC alleges purported fund manager ran $105 million Ponzi scheme. The Securities and Exchange Commission (SEC) June 28 announced fraud charges and an emergency asset freeze against a purported fund manager based in the U.S. Virgin Islands who allegedly perpetrated a $105 million Ponzi scheme against investors. The SEC alleges that the suspect, a resident of St. Thomas, used several entities and sales agents to misrepresent to investors that their money would be put in funds that, in turn, would be invested primarily in foreign currency. Investors were falsely told that the suspect’s funds had never lost money and historically produced profitable annual returns that one year reached over 180 percent, according to the SEC. The suspect instead used the funds raised from new investors to pay earlier investors, and misappropriated other funds to pay unrelated business expenses, the SEC said. He allegedly concealed the scheme by issuing phony documents to investors that led them to believe their investments were profiting. The SEC has obtained an emergency court order freezing the assets of the suspect and his companies. An investigation into the alleged fraud is ongoing. Source:

For another story, see item 44 below in the Information Technology Sector

Information Technology Sector

42. June 29, The Register – (International) Developers plug critical PNG graphic bug. Developers have plugged a critical hole in a Portable Network Graphics (PNG) reference library used by many browsers to render graphics files. The 1.2.44 and 1.4.3 updates to the libpng open source reference library address a bug that, left unfixed, created a mechanism for hackers to inject code onto vulnerable systems. Older versions of the PNG format library contained a buffer overflow-style flaw. The bug was discovered by developers at Mozilla. It is unclear which browsers shipped the vulnerable library files. Previous problems involving the rendering of PNG files have spawned drive-by download attacks. Source:

43. June 28, ComputerWorld – (International) Social networks leak your information, study says. A new study from Worcester Polytechnic Institute in Massachusetts shows that mobile social networks are giving data about users’ physical locations to tracking sites and other social networking services. Researchers reported that all 20 sites that were studied leaked some kind of private information to third-party tracking sites. The study looked at the practices of 13 mobile, online social networks, including Brightkite, Flickr, Foursquare, Gowalla and Urbanspoon. They also studied seven traditional, online social networks, such as Facebook, LinkedIn, MySpace and Twitter, which allow users to access their sites using mobile devices. The researchers found that in many cases, the data given out contained the user’s unique social networking identifier, which could allow third-party sites to connect the records they keep of users’ browsing behavior with their profiles on social networking sites. Mobile social networks track users’ geographic location by tapping into data on mobile devices. The study noted that only two social networks directly gave location information to the third-party tracking sites, but several use a third-party map service to show the user’s location. The study also reported that six different sites transmit a unique identifier to the user’s mobile phone, enabling third-party sites to continue to track a user’s location even as the phone is used for other applications. Source:

44. June 28, The Register – (National) Rancid IE6 ‘more secure’ than Chrome and Opera, US bank says. Microsoft’s creaking Internet Explorer 6 (IE 6) is more secure and popular than either Google’s Chrome or Opera, U.S. banking giant Chase has determined. The bank therefore decided its online banking services will continue to support the aging IE 6, but will drop support for Chrome and Opera. IE 6 is 9 years old, and even Microsoft is now desperately speaking out against the browser to get individuals and businesses to move on to IE 8. Microsoft’s Australian business unit recently equated using IE 6 to being as risky as drinking — or maybe eating — a carton of 9-year-old milk, as it lacks up-to-date cross-site scripting and anti-malware protection, among other defenses. Chase has said it will support later versions of Microsoft’s browser, such as IE 8, that offer greater protection. Also making the cut are Mozilla’s Firefox 2.0 and higher, and version 3.0 and higher of Apple’s Safari on the Mac, but not on the PC. Source:

45. June 28, DarkReading – (International) Comodo update on VeriSign’s security vulnerability. Comodo announced June 28 that it acknowledges VeriSign has made some recent fixes to security issues that Comodo had prompted; Comodo notified VeriSign, through an independent third party, of the problems it discovered. On June 23, Comodo provided VeriSign with a second disclosure document on the previously reported vulnerability. VeriSign’s response was to make further corrections with respect to the security issues reported to it. VeriSign acknowledged fixes to its certificate-management portal, including removing some features that were publicly accessible, ensuring that the portal is no longer discoverable through search engines such as Google, and ensuring that requests to revoke certificates are no longer available publicly. Source:

46. June 28, DarkReading – (International) The blurred line between business and personal online use. Half of business users worldwide employ their smartphones and other Web applications for both work and personal use, mixing data from the two worlds freely. And most have purchased at least one device on their own for use at work, according to a new report. IDC’s new “Consumerization of IT” report, which was commissioned by Unisys, demonstrates how IT organizations are not keeping up with the adoption of new technologies. The report — which was researched in two parts, with a survey of 2,820 telecommuters in 10 countries and a survey of 650 IT decisionmakers from around the world — found that consumer devices, such as smartphones, and social networking and similar applications are blurring the lines between business and personal technology usage. IDC found that while 73 percent of IT executives said their enterprise networks are “very secure,” more than 40 percent of employees said they use instant messaging and texting for business purposes, and nearly 25 percent use blogs and professional online communities for work. Workers said they use an average of four consumer devices and various third-party applications, including social networking sites, during the workday. While IDC said the number of workers using smartphones in their jobs will double through 2014, less than half of enterprises said they let workers access enterprise apps via their smartphones today. Source:

47. June 28, The New New Internet – (International) 33 South Korean poker scammers booked. Police in South Korea recently arrested 33 hackers who used a DDoS program to cheat online poker players out of 55 million won (South Korean money), roughly $45,265, during a six-month period, according to Korean English-language newspaper JoongAng Daily. The Cyber Terror Response Center in South Korea said the hackers, led by a 30-year-old and a 29-year-old, used a DDoS attack to infect 11,000 computers across the country. According to police, one offender bought the Netbot Attacker program from a Chinese hacker last year, then sold copies online to others. The hackers then broke into the administrative systems of the PC rooms and installed the virus in their computers to allow them to see the hands of poker opponents. Netbot Attacker is one of the programs that attacked Korea’s major Web sites in 2009, slowing down connection speeds throughout the country and disabling the major sites for nearly a week. Recent versions of the program update too fast for security programs to keep up with them, but attempts to control DDoS attacks have inflated the price of the program from 3 million won to 15 million won in the last year. Source:

48. June 28, Computer World – (National) Cisco access point gear could lead to Wi-Fi breach. Users of a popular Cisco Systems wireless access point may be setting themselves up for trouble if they leave a WPA wireless migration feature enabled, according to researchers at Core Security Technologies. The issue has to do with Cisco’s Aironet 1200 Series Access Point, which is used to power centrally managed wireless LANs. The Aironet 1200 can be set to a WPA (Wi-Fi Protected Access) migration mode, in which it provides wireless access for devices that use either the insecure WEP (Wired Equivalent Privacy) protocol or the more secure WPA standard. This gives companies a way to gradually move from WEP to WPA without immediately buying all-new, WPA-capable equipment. But while auditing the network of a customer who used the product, Core researchers discovered that even networks that had stopped using WEP devices could still be vulnerable, so long as the Aironet’s migration mode was enabled. Researchers were able to force the access point to issue WEP-broadcast packets, which they then used to crack the encryption key and gain access to the network. Source:
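The risk in item 48 is a configuration state (WEP ciphers still permitted on an access point that also serves WPA clients), so the practical defender's check is a configuration audit. The following script is an added example written for this digest; it is not code from Cisco, Core Security or Computer World. It scans a constructed, Cisco-Aironet-style configuration dump for cipher suites that mix WEP with WPA ciphers and for SSIDs where WPA key management is merely optional. The configuration syntax it matches (`encryption mode ciphers ...`, `authentication key-management wpa optional`) is an assumption approximating Aironet IOS and should be adapted to the exact output of the devices being audited.

```python
"""Audit access-point configuration text for WPA migration mode, i.e.
WEP ciphers still enabled alongside WPA. Added example for this digest;
not vendor code. The Cisco-Aironet-like syntax below is an ASSUMPTION:
adapt the regular expressions to the real 'show running-config' output
of the equipment you audit."""
import re

# Constructed sample configuration; not a dump from a real device.
SAMPLE_CONFIG = """\
dot11 ssid corp-migrate
   authentication open
   authentication key-management wpa optional
   wpa-psk ascii 7 PLACEHOLDER-KEY
!
dot11 ssid corp-wpa
   authentication open
   authentication key-management wpa
!
interface Dot11Radio0
   encryption mode ciphers tkip wep128
   ssid corp-migrate
!
interface Dot11Radio1
   encryption mode ciphers aes-ccm
   ssid corp-wpa
!
"""

WEP_CIPHERS = {"wep40", "wep128"}
WPA_CIPHERS = {"tkip", "aes-ccm"}


def parse_blocks(config_text):
    """Split the config into top-level blocks: a list of (header, [lines]).
    A line starting in column 0 opens a block; indented lines belong to it;
    a bare '!' (or blank line) closes the current block."""
    blocks = []
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None
            continue
        if not raw.startswith((" ", "\t")):
            current = (line, [])
            blocks.append(current)
        elif current is not None:
            current[1].append(line.strip())
    return blocks


def find_migration_mode(config_text):
    """Return a list of (block header, reason) findings.

    Flags any radio whose cipher suite contains a WEP cipher (mixed with WPA
    ciphers is exactly the 'migration mode' of item 48; WEP-only is worse),
    and any SSID whose WPA key management is optional, since that lets
    non-WPA clients associate."""
    findings = []
    for header, lines in parse_blocks(config_text):
        for line in lines:
            m = re.match(r"encryption(?: vlan \d+)? mode ciphers (.+)$", line)
            if m:
                ciphers = set(m.group(1).split())
                if ciphers & WEP_CIPHERS and ciphers & WPA_CIPHERS:
                    findings.append((header, "WEP cipher mixed with WPA cipher: "
                                     + " ".join(sorted(ciphers))))
                elif ciphers & WEP_CIPHERS:
                    findings.append((header, "WEP-only cipher suite"))
            if re.match(r"authentication key-management wpa optional$", line):
                findings.append((header, "WPA key management is optional "
                                 "(non-WPA clients may associate)"))
    return findings


if __name__ == "__main__":
    for header, reason in find_migration_mode(SAMPLE_CONFIG):
        print(f"{header}: {reason}")
```

Run against the constructed sample, the audit reports two findings: the radio whose cipher list mixes `tkip` with `wep128`, and the SSID that leaves WPA key management optional. The remediation the article implies is to remove the WEP cipher and the `optional` keyword once the last WEP-only client is retired, so that the access point never again emits WEP-encrypted frames.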

Communications Sector

49. June 29, Omaha World-Herald News Service – (Nebraska) 2 phone companies restoring service. Verizon wireless customers lost cell phone and landline service in Nebraska during an outage June 28 from about 8:30 a.m. until 12:15 p.m. Additional outages were reported in the afternoon. All wireless communication was affected — mobile to mobile, mobile to landline, landline to mobile, data usage, and 911 calls. The affected communities included Scottsbluff, Gering, Oshkosh, Bridgeport, Kimball, Harrisburg, Mitchell, Bayard, Potter, Broadwater and Lewellen. The network problem was resolved as of 12:13 p.m. but officials were unable to say exactly what caused the outage. In addition to the Verizon outage, many communities in the valley and in eastern Wyoming lost use of their CenturyLink landlines after a major fiber-optic phone line near Oshkosh, Nebraska was accidentally cut. The manager of market development for CenturyLink in Las Vegas said June 28 that crews were at the site of the damaged phone line, hand-digging to try to get to the affected line as quickly as possible. He said the company was unsure when service would be re-established to all customers in the area. Source:

50. June 28, Houston Chronicle – (Texas) KPFT’s radio broadcasts may resume today. Houston’s KPFT-FM (90.1) was knocked off the air all day June 28 after suspected copper thieves broke into the nonprofit, independent radio station’s transmission tower site, cutting a power drop line and peeling a junction box off the building’s wall. The station’s signal dropped off Houston radio dials hours before KPFT was to begin broadcasting gavel-to-gavel coverage of the U.S. Supreme Court nominee’s confirmation hearings. KPFT is one of five radio stations owned by the Pacifica Foundation Network, an alternative media source that emphasizes peace, social justice, racial equality and the arts. The Houston station’s transmitter was bombed twice in 1970, with the first incident blamed on the Ku Klux Klan, according to KPFT’s Web site. The second bombing shut down KPFT for more than three months. Source:

51. June 28, Contra Costa Times – (California) Some in Walnut Creek still without phone, Internet and cable. PG&E had restored power to most Walnut Creek, California homes by 4:30 p.m. June 28 after a pair of brief outages June 27 and 28 that also knocked out Astound Broadband cable for nearly 24 hours, according to a PG&E spokeswoman. A brief power outage at 6:30 p.m. June 27 affecting fewer than 400 residents resulted in an outage of cable television, phone and Internet service for Astound Broadband customers. The reason for the power outage is equipment failure, a PG&E spokeswoman said. It is unclear why Astound’s services were out much longer than the power outage. Source:

52. June 26, Rome News-Tribune – (Georgia) Wiring stolen from AT&T call center. Police in Cedartown, Georgia met with an employee of AT&T’s construction department to discuss the theft of wiring from telephone poles June 21. The employee said about 900 feet of copper wiring was stolen. During the incident, fiber optic wires and stand cable were also cut but left behind. The incident occurred along Davis Road in Cedartown, according to reports. The AT&T call center, 101 AT&T Drive, was shut down for an unknown amount of time, according to a Cedartown detective. A spokeswoman said the incident impacted the center for several hours, but calls coming in were able to be routed to other call centers. AT&T is offering a reward of as much as $3,000 for information that leads to an arrest and conviction of the individuals responsible. Source: