Department of Homeland Security Daily Open Source Infrastructure Report

Friday, July 2, 2010

Complete DHS Daily Report for July 2, 2010

Daily Report

Top Stories

• According to CNN, Gulf state health and fisheries officials and leaders from several federal agencies will collaborate to set safety levels for seafood coming out of the Gulf of Mexico, the U.S. Vice President said June 29. (See item 27)

27. June 29, CNN – (National) Vice president announces Gulf food safety plan. Gulf state health and fisheries officials and leaders from several federal agencies will collaborate to set safety levels for seafood coming out of the Gulf of Mexico, the U.S. Vice President said June 29. “We want one single standard so you don’t have to worry about where you fish, when you can fish,” the Vice President said. “Bottom line is, we want to get fishermen back out on the water as soon as possible after the oil has been removed.” The plan will be devised and carried out in collaboration with the Food and Drug Administration (FDA) and the National Oceanic and Atmospheric Administration (NOAA), he said. Representatives from NOAA, the FDA and the Environmental Protection Agency met the week of June 21 in New Orleans with state health officers and state fisheries directors from Alabama, Florida, Louisiana, Mississippi and Texas to fine-tune the plan for sampling state and federal waters, and for deciding when to reopen them. Source:

• Nearly a month after a Google engineer released details of a new Windows XP flaw, criminals have dramatically ramped up online attacks that leverage the bug, IDG News Service reports. Microsoft reported Wednesday that it has now logged more than 10,000 attacks. (See item 43 below in the Information Technology Sector)


Banking and Finance Sector

12. July 1, Help Net Security – (International) New financial malware targeting bank customers. Bank customers are being targeted by criminals using regional specific malware that flies under the radar of most antivirus technology to steal online banking credentials and commit fraud. Detection rates for regional malware are between zero and 20 percent, suggesting that the majority of these attacks go undetected. Two pieces of regional malware targeted at U.K. banks have been detected by Trusteer; Silon.var2, which resides on one in every 500 computers in the U.K. compared to one in 20,000 in the U.S., and Agent.DBJP, detected on 1 in 5,000 computers in the U.K. compared to 1 in 60,000 in the U.S. In addition, Trusteer has discovered two UK-specific Zeus botnets. Although Zeus is the most well-known piece of financial malware, these botnets only consist of U.K.-based computers and only target U.K.-based banks. Hence the variants are less likely to be detected by antivirus solutions. To help avoid detection and maximize return on effort, criminals use U.K.-centric spam lists and compromised Web sites based in the U.K. to spread the malware that targets bank customers. Source:

13. July 1, – (Texas) MoCity man pleads guilty in multi-million dollar mortgage fraud scheme. A Missouri City, Texas resident has pleaded guilty to committing wire fraud arising from a $10-million mortgage-fraud scheme, a United States district attorney has announced. The 46-year-old suspect was indicted in June 2009 along with others for perpetrating a scheme to defraud lenders of mortgage loans by making fraudulent claims on mortgage loan applications and having some borrowers make false representations of a Social Security number on those same applications. On June 30, he pleaded guilty and admitted his role in the multi-million dollar fraud scheme before a U.S. district judge who has set sentencing for September 27. The suspect’s role was two-fold – that of a recruiter of borrowers with good credit on behalf of Phantom Marketing, and that of a loan processor at Capri Mortgage and United National Mortgage. The suspect, and an associate who pleaded guilty to these same charges June 29, devised a scheme to purchase multiple residential properties in the greater Houston area through fraudulent mortgage loans. Through their association with several companies – including Capri Mortgage Services, United National Mortgage and Phantom Marketing – the two were able to obtain more than $10 million in fraudulent loans between June 2003 and July 2006. Source:

14. June 30, Network World – (International) Heartland ramps up first end-to-end encryption. Heartland Payment Systems, the victim last year of a massive data breach, vowed to develop new security gear based on end-to-end encryption to prevent such a breach from occurring again. That’s now taking shape, but slowly. “We have a long way to go,” acknowledges Heartland’s CEO, pointing out that the so-called E3 payment terminals intended for small-to-mid-size customers, are but the first step, “with more advanced technologies coming in the summer” intended for use between Heartland’s network and much larger merchants that would require more back-end integration into processing systems. “We’re not ready to help all of them yet,” he acknowledged. There is no end-to-end encryption requirement for debit- and credit-card processing, although the Payment Card Industry (PCI) Security Standards Council, which sets technical standards used by payment processors and merchants, is expected to weigh in on that topic in its upcoming PCI standard this October. Source:

15. June 30, Worcester Telegram & Gazette – (Massachusetts) ‘Very aggressive’ bank robber worries investigators. Brazen, aggressive and armed - all three descriptions of a bank robber are never a good mix in law enforcement officials’ eyes. All three are being used to describe the suspect who robbed the Central One Federal Credit Union in Auburn, Massachusetts June 28. Officials think he could be the same man who hit banks in Worcester and two others in Auburn. The man who robbed the Central One Federal Credit Union on Southbridge Street shortly after 8 a.m. June 28 carried a handgun, pointed it at two employees and threatened their lives. He stole cash and ordered the two people onto the floor before fleeing and disappearing into nearby woods. Authorities reviewing the man’s aggressive style found similarities with other bank robberies from this year, last year and 2007. In three cases, the suspect claimed to have an explosive device. Source:

16. June 30, Folsom Telegraph – (California) Pizza-tossing brothers charged with credit-card fraud. Folsom, California police arrested two brothers for allegedly being part of a credit-card skimming ring. An officer of the Folsom Police Department said a 29-year-old suspect and his brother were arrested after their Rancho Cordova residence and their family-owned Folsom Family Pizza were searched by police Thursday. “Both searches turned up fake credit cards,” the officer said. “The brothers were arrested on charges of alleged unauthorized use of credit cards and identity theft.” The arrests stem from a multi-jurisdictional investigation that started earlier this month after police had discovered credit-card skimming devices placed at Folsom, Auburn and Sacramento gas stations. A similar device was found in Rocklin earlier this year. The officer said investigators believe that the brothers might be part of a larger ring of credit-card skimmers and identity thieves working in the area. Source:

Information Technology

41. July 1, The Register – (International) Animated CAPTCHA tech aims to fox spambots. Replacing text puzzles featuring distorted letters with videos as a roadblock against the automated creation of Web accounts can reduce user frustration while offering improved security, according to a Canadian start-up. CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) have been used for some years to prevent automated sign-ups to Web-mail accounts. Users typically have to identify distorted letters depicted in an image. Over the years, miscreants have devised techniques to break the process in order to create ready-to-spam accounts from reputable providers that are far less likely to be automatically blocked. The sign-up for new accounts is automated, but solving the CAPTCHA puzzles themselves is tasked to the human cogs in 21st century sweatshops, often based in India, where workers are paid as little as $4 per day to defeat security checks. Canadian firm NuCaptcha aims to rewrite the rules of account-validation checks with a new video-based CAPTCHA system. Users are asked to identify moving text on a video background. The firm also offers a voiceover audio option for the partially sighted or color-blind. The technology is designed to work on a range of computing devices including hardware that does not support Flash, such as iPads, ReadWrite Web reports. Source:

42. July 1, SC Magazine – (International) Security commentators claim that Adobe should disable JavaScript in Adobe Reader. Adobe has been praised for its more frequent patching, but requests have been made for it to disable JavaScript by default in Adobe Reader. The Sophos principal virus researcher praised Adobe, claiming that it was “obvious” that Adobe was doing more to address vulnerabilities found in its product, especially since it rolled out patches two weeks ahead of schedule recently. However, he claimed that Adobe should disable JavaScript by default in its Reader software, because the main vulnerability that was patched affected Adobe Flash, and the main vehicle for delivering malicious payloads was PDF files. He said: “A booby-trapped PDF file would contain a Flash animation which would trigger the vulnerability, JavaScript code which would be used to create memory layout to allow the exploit to successfully launch shellcode and ultimately, an encrypted executable payload which would deliver the final functionality.” He also commented that the high number of patched vulnerabilities indicates that it may be a good time for Adobe to go through a security push to overhaul its approach to building security into its products. The request was echoed by the director of malware intelligence at ESET. The director said: “Adobe, when I disable JavaScript, stop silently re-enabling it when you update (yes, I realize that this is because it’s restoring defaults, so it’s practically the same point: the point is that a sane update takes customizations into account).” Source:

43. June 30, IDG News Service – (International) Microsoft: 10,000 PCs hit with new Windows XP zero-day attack. Nearly a month after a Google engineer released details of a new Windows XP flaw, criminals have dramatically ramped up online attacks that leverage the bug. Microsoft reported Wednesday that it has now logged more than 10,000 attacks. “At first, we only saw legitimate researchers testing innocuous proof-of-concepts. Then, early on June 15, the first real public exploits emerged,” Microsoft said in a blog posting. “Those initial exploits were targeted and fairly limited. In the past week, however, attacks have picked up.” The attacks, which are being launched from malicious Web pages, are concentrated in the U.S., Russia, Portugal, Germany and Brazil, Microsoft said. PCs based in Russia and Portugal, in particular, are seeing a very high concentration of these attacks, Microsoft said. Security vendor Symantec said these attacks peaked recently. “Symantec has seen increased activity around this vulnerability. The increased activity started around June 21 and peaked around June 26 and 27,” a company spokesman said June 30. Attacks have leveled out since then, he added. Criminals are using the attack code to download different malicious programs, including viruses, Trojans and software called Obitel, which simply downloads more malware, Microsoft said. Source:

44. June 30, The New New Internet – (International) Spammers’ favorite topic now: FIFA World Cup. In its June 2010 MessageLabs Intelligence Report, Symantec highlighted how the amount of spam related to the keywords of soccer and football since March 2010 has reached 25 percent of overall spam as the World Cup international soccer tournament continues. Holidays such as St. Valentine’s Day, Thanksgiving, Halloween and Christmas are occasions that receive a great deal of attention from spammers. Newsworthy events, including celebrity deaths and natural disasters as well as major sporting activities, are also popular themes, and the FIFA World Cup is no exception, the report noted. While spammers often re-send the same spam e-mails, they include the latest news headlines either in the subject line or somewhere in the body to catch the attention of the recipient and increase the likelihood of the message being opened. Taking advantage of the FIFA event, spammers are using soccer-themed keywords to hawk pharmaceutical products or counterfeit watches and jewelry with subject lines such as “20-hour wait in World Cup ticket line” and “Inter Milan win Italian Cup.” The body of the e-mail will often contain poorly worded sentences crafted to lure the recipient to click on the embedded links. Source:
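The report's observation that spammers re-send the same message body under rotating, newsworthy subject lines suggests a detection approach the item does not spell out: fingerprint the body with the per-send variation (links, numbers, punctuation) stripped, so that a campaign clusters together no matter which headline is in the subject. The following is an added example, not code from the MessageLabs report or any Symantec tool; the sample messages, the trending-term list and the lure-term list are constructed for illustration.

```python
"""Cluster re-sent spam by normalized body fingerprint, ignoring the rotating subject."""
import hashlib
import re
from collections import defaultdict

# Constructed sample mailbox: one pharmacy pitch sent three times under
# different topical subjects, plus one legitimate message.
SAMPLE_MESSAGES = [
    {"subject": "20-hour wait in World Cup ticket line",
     "body": "Dear friend, you can buy the best pills at 80% discount!! Visit http://example.invalid/a1 now"},
    {"subject": "Inter Milan win Italian Cup",
     "body": "Dear friend, you can buy the best pills at 75% discount!! Visit http://example.invalid/z9 now"},
    {"subject": "Re: meeting notes",
     "body": "Hi, attaching the notes from today's meeting. Let me know if I missed anything. Thanks, Sam"},
    {"subject": "Goal! Watch highlights",
     "body": "Dear friend, you can buy the best pills at 80% discount!! Visit http://example.invalid/qq now"},
]

# Assumed term lists; in practice these would be fed from current headlines
# and from the product categories the campaign is known to push.
TRENDING_TERMS = {"world cup", "soccer", "football", "fifa", "inter milan", "italian cup", "goal"}
LURE_TERMS = {"pills", "pharmacy", "replica", "watches", "discount"}

URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
NUM_RE = re.compile(r"\d+")
NONWORD_RE = re.compile(r"[^a-z\s]")


def normalize_body(body: str) -> str:
    """Remove the parts a sender rotates per message: links, numbers, punctuation, spacing."""
    text = body.lower()
    text = URL_RE.sub(" ", text)
    text = NUM_RE.sub(" ", text)
    text = NONWORD_RE.sub(" ", text)
    return " ".join(text.split())


def body_fingerprint(body: str) -> str:
    """Short stable hash of the normalized body; equal for re-sent copies."""
    return hashlib.sha256(normalize_body(body).encode()).hexdigest()[:16]


def subject_is_topical(subject: str) -> bool:
    """True when the subject borrows a current headline keyword."""
    s = subject.lower()
    return any(term in s for term in TRENDING_TERMS)


def body_has_lure(body: str) -> bool:
    """True when the body pushes a known spam product category and carries a link."""
    s = body.lower()
    return any(term in s for term in LURE_TERMS) and URL_RE.search(body) is not None


def flag_campaigns(messages, min_size: int = 2):
    """Group messages by body fingerprint and summarize groups of min_size or more."""
    groups = defaultdict(list)
    for i, m in enumerate(messages):
        groups[body_fingerprint(m["body"])].append(i)
    campaigns = []
    for fp, idx in groups.items():
        if len(idx) < min_size:
            continue
        subjects = [messages[i]["subject"] for i in idx]
        campaigns.append({
            "fingerprint": fp,
            "count": len(idx),
            "topical_subjects": sum(subject_is_topical(s) for s in subjects),
            "lure": body_has_lure(messages[idx[0]]["body"]),
        })
    return campaigns


if __name__ == "__main__":
    for c in flag_campaigns(SAMPLE_MESSAGES):
        print(c)
```

The body fingerprint is deliberately coarse: stripping URLs and digits absorbs the per-recipient tracking paths and the changing discount figures, while the subject line is left out of the hash entirely because that is the field the sender is varying on purpose. The topical-subject and lure checks are then used to rank the resulting clusters, not to decide membership.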

45. June 30, DarkReading – (International) Sasfis botnet active this month, report shows. Fortinet June 30 announced its June 2010 Threat Landscape report showed that new variations of the Sasfis botnet have entered the malware Top 10 list. Sasfis, which has been competing with the Pushdo botnet in terms of sheer volume, was very active this month. “We observed Sasfis loading a spambot component, which was heavily used to send out binary copies of itself in an aggressive seeding campaign,” said Fortinet’s project manager for cyber security and threat research. “The Sasfis socially engineered e-mails typically had two themes; one looked like a fake UPS invoice attachment, and the other was disguised as a fees statement,” he said. “Much like the Pushdo and Bredolab botnets, Sasfis is a loader and the spambot agent is just one of multiple components downloaded.” Source:

46. June 29, – (International) White hat uses Foursquare privacy hole to capture 875K check-ins. A coder who recently built a service called Avoidr that helps users avoid social network “friends” they do not really like, figured out that Foursquare had a privacy leak because of how it published user check-ins on web pages for each location. On pages like the one for San Francisco’s Ferry Building, Foursquare shows a random grid of 50 pictures of users who most recently checked in at that location — no matter what their privacy settings. When a new check-in occurs, the site includes that person’s photo somewhere in the grid. So the coder built a custom scraper that loaded the Foursquare Web page for each location in San Francisco, looked for the differences and logged the changes. Even though he was using an old computer running through the slow but anonymous Tor network, he estimates he logged about 70 percent of all check-ins in San Francisco over the last three weeks. That amounts to 875,000 check-ins. The coder reported the privacy breach to Foursquare June 20 — and the company admitted the bug existed. They asked for a week or so to fix the bug, and now, according to an e-mail sent to the coder, the company is modifying its privacy settings to let users opt out of being listed on locations’ Web pages. The site previously allowed users to opt out of being listed in the “Who’s here now” function, but until June 29, that button did not apply to listing “Who’s checked in there.” Source:
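The lesson in this item is that randomizing a public view does not protect users whose privacy setting is ignored at render time: because the newest check-in is always placed in the grid, any two snapshots reveal it. The model below is an added example, not Foursquare's code; the data model, the 50-photo grid rule and the `hide_history` opt-out flag are assumptions drawn from the article's description. It renders the grid both with the flag ignored (the leak) and with the flag enforced before sampling (the fix), and checks what a snapshot comparison learns in each case.

```python
"""Model of a recent-check-in grid: privacy enforced at the data layer vs. ignored."""
import random
from dataclasses import dataclass

GRID_SIZE = 50  # assumed grid size, from the article's "grid of 50 pictures"


@dataclass(frozen=True)
class CheckIn:
    user: str
    ts: int
    hide_history: bool  # assumed opt-out flag for "Who's checked in here"


def render_grid(checkins, honor_optout: bool, seed: int = 0) -> set:
    """Return the set of users whose photos appear on the location page.

    Assumed behaviour: the most recent check-in is always shown, padded with a
    random sample of earlier ones. With honor_optout=False the opt-out flag is
    not consulted, which is the leak; with True it is applied before sampling.
    """
    visible = [c for c in checkins if not honor_optout or not c.hide_history]
    if not visible:
        return set()
    visible.sort(key=lambda c: c.ts)
    newest, older = visible[-1], visible[:-1]
    rng = random.Random(seed)
    sample = rng.sample(older, min(GRID_SIZE - 1, len(older)))
    return {c.user for c in sample} | {newest.user}


def new_faces(before: set, after: set) -> set:
    """Users present in the later snapshot but not the earlier one."""
    return after - before


def observer_learns_private_checkin(honor_optout: bool) -> bool:
    """Snapshot the grid, add a check-in by an opted-out user, snapshot again.

    Returns True if the opted-out user is exposed by comparing the snapshots.
    The check-in history is constructed: 200 public users, then one private one.
    """
    history = [CheckIn(f"user{i}", ts=i, hide_history=False) for i in range(200)]
    before = render_grid(history, honor_optout, seed=1)
    history.append(CheckIn("private_person", ts=500, hide_history=True))
    after = render_grid(history, honor_optout, seed=2)
    return "private_person" in new_faces(before, after)


if __name__ == "__main__":
    print("flag ignored, private user exposed:", observer_learns_private_checkin(False))
    print("flag enforced, private user exposed:", observer_learns_private_checkin(True))
```

The random padding adds noise to every comparison, but noise is not protection: the one photo that is guaranteed to be present is exactly the one that carries information. The fix is to filter on the user's setting before the grid is built, so an opted-out check-in never reaches the page in the first place, rather than hiding a button in one part of the UI while another view still lists the data.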

Communications Sector

47. July 1, WIES Radio – (Alabama) Copper thieves steal cable from TDS ... again. For the fourth time this year, copper thieves in rural Alabama have risked their lives to steal copper cables from TDS Telecom facilities, causing phone and Internet outages for many people and businesses from Cedar Bluff to Gaylesville. Early July 1, more than 400 residents woke to no phone or Internet service as a result of the vandalism and theft of a 400-pair copper cable. Local cellular service was also impacted as cell sites connect to TDS lines to connect mobile and landline phone calls across the nation and locally. TDS technical response team members immediately began work to replace the cable in an effort to restore services to the area as quickly as possible, but the damage was significant. TDS is asking people to report suspicious activity near utility poles, telephone cabinets and other utility-owned areas. The Cherokee County Sheriff’s Department tip line is 256-927-9999. Source:

48. June 30, Milwaukee Journal Sentinel – (Wisconsin) Cable service restored, Time Warner says. After a two-hour disruption, service to Time Warner Cable customers in southeast Wisconsin was restored at 7:30 a.m., the company said June 30. Customers in the region lost service around 5:15 or 5:30 a.m., according to a Time Warner spokeswoman. She said the service disruption began during routine maintenance overnight. The cause of the disruption and the number of customers affected are not yet known. Source:

49. June 30, Walla Walla Union-Bulletin – (Washington) Fiber-optic cable break severs communications in Walla Walla area. A broken fiber-optic cable interrupted service early June 29 to Qwest business customers and residential lines served by other providers in the state of Washington. According to a Qwest spokesman, the break occurred when a construction crew replacing road signs on U.S. Highway 12 west of Walla Walla severed the fiber-optic line running between Walla Walla and Pasco. The break interrupted service primarily to Qwest business customers. Residential lines served by other providers who use the line were also affected. The spokesman said he did not immediately know the exact number of customers who had their service cut. Qwest crews were able to repair the damage by about noon and restore service. Walla Walla County 911 services were not disrupted by the break. Source:

50. June 28, KTSM 9 El Paso – (Texas) Power mostly restored in downtown; channel 9 without power for nearly 5 hours. A power outage in downtown El Paso, Texas knocked NewsChannel 9 off the air for more than 4 hours June 28. A burned-out cable caused the outage just after 4 p.m. About four blocks around Mesa and Yandell and NewsChannel 9 were left completely without power until around 8:20 p.m. June 28. As a result the station was unable to broadcast its 5 p.m. or 6 p.m. newscasts. About 450 customers were affected. As of 11 p.m. June 28, not all power had been restored. Source: