Department of Homeland Security Daily Open Source Infrastructure Report

Monday, July 19, 2010

Top Stories

• The Newark Star-Ledger reported that a 400-gallon container filled with sulfuric acid exploded inside a Newark, New Jersey processing plant July 15, seriously injuring a nearby employee who was splashed with dangerous chemicals. (See item 8)

8. July 15, Newark Star-Ledger – (New Jersey) Sulfuric acid explodes in Newark plant, injures employee. A 400-gallon container filled with sulfuric acid exploded inside a Newark, New Jersey processing plant July 15, seriously injuring a nearby employee who was splashed with dangerous chemicals. Authorities are still trying to determine what caused the explosion, which forced 60 firefighters and state Department of Environmental Protection (DEP) officials to respond to the bio-diesel fuel processing plant on Passaic Street around 3:40 p.m., according to the Newark fire chief. The victim suffered third-degree burns to 18 percent of his body and was taken to Saint Barnabas Medical Center’s burn unit in Livingston with non-life threatening injuries. The man was apparently connecting hoses to a tanker truck filled with methanol when the acid container burst behind him. The facility mixes acids and other chemicals to make bio-diesel fuels. Firefighters and DEP representatives spent nearly 2 and 1/2 hours trying to decontaminate the building. The Newark fire chief said 100 to 200 gallons of acid spilled and flooded the structure, and haz-mat teams weren’t able to fully neutralize the acid in the area until 6:10 p.m. Source:

• Thousands of laptops have been stolen from the Tampa, Florida office of a private contractor for the U.S. military’s Special Operations Command, according to The Associated Press. Surveillance cameras caught up to seven people loading the computers into two trucks for nine hours. (See item 14)

14. July 13, Associated Press – (Florida) Thousands of laptops stolen during nine-hour heist. Thousands of laptops have been stolen from the Tampa, Florida office of a private contractor for the U.S. military’s Special Operations Command. Surveillance cameras caught up to seven people loading the computers into two trucks for nine hours. U.S. Special Operations Command coordinates the activities of elite units from the Army, Navy, Air Force and Marines. A spokeswoman said July 13 that none of the stolen laptops contained military information or software. The Virginia-based company iGov was awarded a $450-million contract earlier this year to supply mobile-technology services linking special operations troops worldwide. A company executive said iGov is cooperating with authorities and the March 6 break-in at its Tampa facility remains under investigation. Source:


Banking and Finance Sector

15. July 16, Help Net Security – (International) Bank of America phishing scam. ScanSafe reports a new phishing scam impersonating the Bank of America Web site, in which the link provided for signing in to online banking points to a Web site belonging to a barbecue establishment in California, which in turn automatically redirects users to a phishing page hosted on another legitimate, but compromised, site belonging to a Canadian band. The use of compromised sites for redirecting and hosting phishing pages is a technique successfully used by many scammers, since it allows the e-mails to bypass reputation filters and community-based trust reporting. Experts note that the scams are easily detected — if one knows what to look for. Positioning the cursor on the link reveals that the domain it points to is not the official domain of the bank. And if one follows the link, the URL in the address bar will tell you the same. Source:
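The check the article describes (hover over the link, compare the domain it points to with the bank's own domain) can be automated for a whole message. This is an added example, not code from the ScanSafe report; the e-mail body, the placeholder hosts and the bank domain passed in are constructed, and the last-two-labels domain approximation stands in for a proper Public Suffix List lookup.

```python
"""Flag links in an HTML e-mail whose real destination is not the domain
the message claims to belong to (constructed sample, not the report's code)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message: one link to an unrelated (possibly compromised)
# site, one lookalike that shows the bank's URL as text, one genuine link.
SAMPLE_EMAIL = """<p>Dear customer, please <a href="http://bbq-restaurant.example/signin">
sign in to Online Banking</a> to verify your account.</p>
<p>Visit <a href="https://bankofamerica.com.attacker.example/login">www.bankofamerica.com</a></p>
<p>Help: <a href="https://www.bankofamerica.com/help">Help center</a></p>"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = " ".join("".join(self._text).split())  # normalise whitespace
            self.links.append((self._href, text))
            self._href = None


def registrable_domain(host: str) -> str:
    """Approximation: last two labels. A real deployment should use the
    Public Suffix List so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(html: str, claimed_domain: str):
    """Return (href, host, reason) for each http(s) link that leaves the
    claimed domain. A prefix such as 'bankofamerica.com.attacker.example'
    is caught because only the registrable domain is compared."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for href, text in parser.links:
        parts = urlsplit(href)
        if parts.scheme not in ("http", "https"):
            continue  # mailto: and relative links are out of scope here
        host = parts.hostname or ""
        if registrable_domain(host) == claimed_domain.lower():
            continue
        reason = "points off-domain"
        if claimed_domain.lower() in text.lower():
            # Visible text imitating the bank's URL is the classic phishing tell.
            reason = "displayed text shows bank URL but link goes elsewhere"
        findings.append((href, host, reason))
    return findings


if __name__ == "__main__":
    for href, host, reason in suspicious_links(SAMPLE_EMAIL, "bankofamerica.com"):
        print(f"{reason}: {href} (host {host})")
```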

16. July 16, WFXT 25 Boston – (National) ‘Burly Bandit’ arrested for string of bank robberies. The man the FBI has dubbed the Burly Bandit has been officially charged in one of the 10 holdups along the East Coast, and investigators say more charges could be coming. The arrest may be a major break in the investigations into 11 bank robberies in five New England states. The suspect is a Greyhound bus driver from Lowell, Massachusetts. On July 13, a bank robber hit the Bangor Savings Bank in Orono, Maine. He was arrested July 14. From April to July, 10 banks in Massachusetts, Connecticut, New Hampshire, and Rhode Island were hit, all of them by the same, heavy-set bank robber. The FBI had not yet connected the suspect to all 11 robberies. Source:

17. July 15, United States Department of Justice – (International) Swiss lawyer indicted for helping to hide Swiss bank accounts and monies returned to U.S. clients. The Justice Department announced July 15 that a federal grand jury in Alexandria, Virginia, returned an indictment charging an attorney practicing in Zurich, Switzerland, with conspiring to defraud the United States, and structuring the importation of currency into the U.S. If convicted, he faces a maximum sentence of 25 years in prison, and a maximum fine of $1.25 million. According to court documents, in 199, a Sterling, Virginia doctor inherited an undeclared bank account from his mother at the Zurich branch of one of the world’s largest international banks. The bank is headquartered in England and also has offices in Zurich, Geneva and Virginia. The account was held in the name of a sham Liechtenstein trust. In 1999, the doctor met with the suspect, who managed the account in Zurich. The suspect instructed the doctor not to keep any records relating to the account, and to send coded letters if he wished to meet. According to court documents, in September 2009, the doctor was informed that the international bank was closing his undeclared Swiss account, and that he had until the end of the year to travel to Switzerland to withdraw all funds. The doctor made two trips to Zurich in October and November 2009 and met with the suspect and a Swiss banker at the private wealth office of the international bank. The suspect and the banker refused to wire the money, as it would leave a trail. Instead, they provided him with $235,000 in U.S. currency. According to court documents, with the assistance of the suspect, the doctor mailed 26 packages containing over $200,000 to the U.S. to himself and another person. Source:

18. July 15, The Waterland Blog – (Washington) Normandy Park police warn residents about credit card scam. The Normandy Park, Washington Police Department July 15 received information on a new credit card scam where names and addresses are used to issue fake credit cards believed to be designed to defraud PayPal. Cards are issued with the correct name and address of the card holder, though the Social Security numbers do not match the name on the card being issued. Several Normandy Park residents have reported receiving Visa or MasterCard credit cards from USAA Federal Savings Bank in the mail. The card comes with a very real-looking account statement showing an Internet deposit of $25 to the card. It sounds like a good deal, but the $25 is debited from the card before the card actually reaches the victim’s mailbox. The residents involved have not lost any money, but their names will appear on a paper trail when PayPal discovers its loss. USAA Federal Savings Bank, a legitimate financial institution, is aware of the fake cards and is currently working with the FBI to resolve the problem. Source:

19. July 15, KSAZ 10 Phoenix – (Arizona) Alert: ATM skimmers found in Scottsdale. Scottsdale police are warning ATM and bank card users about skimmers that have been found on two ATMs near Scottsdale and Shea, Arizona — and there could be more. Officials said the technology was so good that it was hard to tell a card-number skimmer was attached. The skimmer reads the card’s number from the magnetic stripe. On July 14, a customer noticed that the Bank of America ATM he regularly uses looked different. He reported it, and the bank found a skimmer attached. That same day, at another Bank of America, an ATM technician found an identical skimmer. Police said that if the green lights surrounding the ATM card slot are dim or not working, that is one way to spot a skimmer. But not all ATMs have lights. Police advise users to check their bank account balances every day. Also, when using any ATM, one should inspect the front for an unusual or non-standard appearance. Scratches, marks, adhesive or tape residue could be indicators of tampering. Source:

20. July 15, Huntington Herald-Dispatch – (West Virginia) Area credit union warns members against fraud. A West Virginia credit union with branches in Huntington, Buffalo, Teays Valley, St. Albans, Charleston and Beckley, wants its members to know about a fraudulent scam that has been circulating via telephone calls, texts and e-mails. Officials with Star USA Federal Credit Union say the scam is called “phishing.” Phishers hijack brand names of banks, e-retailers and credit card companies and use them to convince customers to respond by providing personal financial data. “It is important customers realize that legitimate financial institutions and plastic card processors will never request this information,” states a release from the credit union. “It is extremely important that consumers do not release personal information over the telephone or through any electronic means.” One of the e-mails alerts a credit union member that they have a new private message, and are asked to click on a link to resolve the problem or reply. Credit union officials said other fraudulent e-mails may make an urgent appeal to provoke immediate action by stating the account could be closed without verification of personal data. Source:

Information Technology

46. July 16, The Register – (International) Windows shortcut flaw underpins power plant Trojan. Hackers have developed malware that spreads via USB sticks using a previously unknown security weakness involving Windows’ handling of shortcut files. Malware targeting the security weakness in the handling of ‘.lnk’ shortcut files has been spotted in the wild by Belarus-based security firm VirusBlokAda. The malware uses rootkit-style functionality to mask its presence on infected systems. These rootkit drivers come digitally signed by legitimate software developer Realtek Semiconductor, a further mark of the sophistication of the attack. In an advisory, VirusBlokAda said it has seen numerous incidents of the Trojan spy payloads dropped by the malware since adding detection for the malign code in June. Even fully patched Windows 7 systems are vulnerable to attack in cases where a user views files on an infected USB drive using Windows Explorer, a security blogger reports. Instead of using Windows AutoPlay, the malware takes advantage of security weaknesses involving shortcut files. Malicious shortcuts on the USB drive are reportedly capable of auto-executing if users open an infected storage device in Windows Explorer. Normally, users would have to click on the link for anything to happen. An independent researcher has uncovered evidence that the malware is targeting SCADA control systems, used to control industrial machinery in power plants and factories, and specifically Siemens WinCC SCADA systems. “Looks like this malware was made for espionage,” the independent researcher wrote. Source:

47. July 16, – (International) IBM prepares new weapon against IT threats. IBM has unveiled a security appliance that it claims will help firms create and adopt an IT infrastructure that is “secure by design.” The company said the continually evolving threat landscape makes it vital that enterprises build security in at the beginning to stay ahead of attacks. Research by IBM’s X-Force Data and Analysis team found that the average IT infrastructure is attacked as many as 60,000 times per day. The attacks target vulnerabilities and can lead to the loss of confidential information. The IBM Security Network Intrusion Prevention System (IPS) is a hardware appliance pre-loaded with security software and backed by research and information from IBM Security Solutions. Companies can unify their security resources, according to IBM, and manage a range of typical network tasks. For example, automated patch technology can sense and block threats as they come in, the firm said. Unifying security on such a platform will let enterprises better manage their network security, client-side applications, data security, web applications and in-house applications, IBM said. Source:

48. July 16, Tech Herald – (International) Criminals pushing rogue anti-virus disguised as scanned documents. E-mail messages claiming to be scanned documents are the latest attempt by criminals to push rogue anti-virus malware to the masses. The messages, which claim to come from a Xerox WorkCentre Pro, come with a Zip file that will immediately infect the system if accessed. The Tech Herald noticed the malicious e-mail this morning while checking a drop account for messages. The attachment is a typical Zip file, and the message itself attempts to pass itself off as a scanned document from a Xerox multi-function printer. Firms with a Xerox WorkCentre Pro should be able to determine the message is fake, experts said. The WorkCentre Pro can scan documents to e-mail or FTP accounts if configured to do so, but the most common scanning format is PDF, followed by TIFF and XPS. A WorkCentre Pro will never send a Zip file as an attachment. It appears that while the malicious messages are going to as many people as possible, the criminals behind the campaign are looking to single out users who use Xerox products in-house for scanning and printing. If downloaded and extracted, the file inside the Zip attachment is clearly an executable. On the Tech Herald’s test system, once the file was accessed, Microsoft’s Security Essentials flagged it immediately. The malware itself has a low detection rate. Source:

49. July 15, IDG News Service – (International) Researchers: Password crack could affect millions. A well-known cryptographic attack could be used by hackers to log into Web applications used by millions, according to two security experts who plan to discuss the issue at an upcoming security conference. They said they have discovered a basic security flaw that affects dozens of open-source software libraries — including those used by software that implements the OAuth and OpenID standards — that are used to check passwords and user names when people log into Web sites. OAuth and OpenID authentication are accepted by popular Web sites such as Twitter and Digg. They found that some versions of these log-in systems are vulnerable to a “timing attack.” Cryptographers have known about timing attacks for 25 years, but they are generally thought to be very hard to pull off over a network. The researchers aim to show that is not the case. The attacks are thought to be so difficult because they require very precise measurements. They crack passwords by measuring the time it takes for a computer to respond to a log-in request. On some systems, a computer will check password characters one at a time, and kick back a “login failed” message as soon as it spots a bad character in the password. This means a computer returns a completely bad log-in attempt a tiny bit faster than a login where the first character in the password is correct. By trying to log in again and again, cycling through characters and measuring the time it takes for the computer to respond, hackers can ultimately figure out the correct passwords. This all sounds very theoretical, but timing attacks can actually succeed in the real world. Three years ago, one was used to hack Microsoft’s Xbox 360 gaming system, and people who build smart cards have added timing-attack protection for years. Source:
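The leak described above comes from a comparison that stops at the first wrong character, so the work done (and hence the response time) grows with the length of the correctly guessed prefix. This added example, not code from the researchers or the affected libraries, instruments both an early-exit compare and a constant-time compare to count the characters each examines; the secret and the guesses are constructed, and `verify_token` shows the standard-library call a login path should actually use.

```python
"""Why an early-exit password compare leaks, and the constant-time fix.
Instead of measuring noisy wall-clock time, each compare reports how many
characters it examined: that count is exactly what response timing exposes."""
import hmac

SECRET = "s3cretP@ss"  # constructed sample secret (10 characters)


def naive_compare(guess: str, secret: str) -> tuple:
    """Character-by-character compare that returns at the first mismatch.
    Returns (matched, characters_examined). The examined count is one
    larger than the number of leading characters the guess got right."""
    if len(guess) != len(secret):
        return False, 0
    examined = 0
    for g, s in zip(guess, secret):
        examined += 1
        if g != s:
            return False, examined
    return True, examined


def constant_time_compare(guess: str, secret: str) -> tuple:
    """Examines every position of the secret regardless of where the first
    mismatch is, so the work does not depend on the guess. A length mismatch
    is folded into the result instead of short-circuiting. Instrumented for
    illustration only; production code should call hmac.compare_digest."""
    s = secret.encode()
    # Pad or truncate the guess to the secret's length so the loop bound
    # depends only on the secret, never on the attacker-controlled input.
    g = guess.encode()[: len(s)].ljust(len(s), b"\0")
    diff = len(guess.encode()) ^ len(s)
    examined = 0
    for i in range(len(s)):
        examined += 1
        diff |= g[i] ^ s[i]  # accumulate, never branch on a mismatch
    return diff == 0, examined


def verify_token(presented: str, expected: str) -> bool:
    """What a login or token check should call: the standard library's
    constant-time comparison on byte strings."""
    return hmac.compare_digest(presented.encode(), expected.encode())


def work_profile(compare, guesses, secret=SECRET):
    """Map each guess to the number of characters the compare examined."""
    return {guess: compare(guess, secret)[1] for guess in guesses}


if __name__ == "__main__":
    # Constructed guesses sharing 0, 1 and 3 leading characters with SECRET.
    probes = ["xxxxxxxxxx", "sxxxxxxxxx", "s3cxxxxxxx"]
    print("early-exit   :", work_profile(naive_compare, probes))      # 1, 2, 4
    print("constant-time:", work_profile(constant_time_compare, probes))  # 10, 10, 10
```

The early-exit counts step up with each correct leading character, which is the signal the article says attackers recover by timing repeated login attempts; the constant-time counts are flat.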

50. July 15, The New New Internet – (International) Spammers use ‘disposable’ domains to prevent shutdowns. Spammers and botnet operators are now using disposable domains for their activities to evade security technologies. According to research by security firm M86 Security Labs, spammers are buying dozens of domains at a time and moving from one to another as often as several times per day to avoid getting shut down. For years, spammers bought domains in bulk and used them for redirections to other sites, and for locations to set up quick e-commerce sites. Anti-spam services and e-mail filters usually use static lists of known malicious domains, or ones known to be used by spammers. According to Kaspersky, that initial approach worked well in the fight against spam; lately, however, spammers have begun using more devious and effective tactics. The new M86 research looked at 60 days worth of data from M86 customers and found that more than 70 percent of the domains used by spammers are active for one day or less. Source:

51. July 15, IDG News Service – (National) Some experts question efforts to identify cyberattackers. Efforts by the U.S. government to better identify cyberattackers will likely lead to violations of Internet users’ privacy and anonymity, and technological means to attribute the source of the attacks may be inaccurate, privacy and cybersecurity experts said July 15. Witnesses at a U.S. House of Representatives subcommittee hearing disagreed about whether the government should explore new ways to attribute the sources of cyberattacks. Several cybersecurity experts have called for new attribution efforts, including trusted identification systems, but an international affairs fellow for the Council on Foreign Relations said oppressive governments would use new identification technologies to track their political enemies. Proposals to label IP (Internet Protocol) packets with unique identifiers “would be far more useful for authoritarian regimes to monitor and control Internet use by their citizens than it would be in combating cyberwarfare, crime and nuisance behavior,” the international affairs fellow told the House Science and Technology Subcommittee on Technology and Innovation. For massive attacks, attribution of the attackers may not be difficult, because only a few nations have that capability, while low-level attacks do not rise to the level of national emergencies. “In a lot of cases, we don’t lack attribution, we lack response options,” he added. “We don’t know what we should do when we discover that the Chinese have hacked into Google.” Source:

52. July 13, Forbes – (International) “Millions” of home routers vulnerable to web hack. A researcher with Maryland-based security consultancy Seismic plans to release a software tool at a conference later this month that he says could be used on about half of the existing models of home routers, including most Linksys, Dell, and Verizon Fios or DSL versions. Users who connect to the Internet through those devices and are tricked into visiting a page that an attacker has set up with the researcher’s exploit could have their router hijacked and used to steal information or redirect the user’s browsing. The researcher’s attack is a variation on a technique known as “DNS rebinding,” a trick that’s been discussed for close to 15 years. The hack exploits an element of the Domain Name System, or DNS, the Internet’s method of converting Web page names into IP address numbers. Modern browsers have safeguards that prevent sites from accessing any information that’s not at their registered IP address. But a site can have multiple IP addresses, a flexibility in the system designed to let sites balance traffic among multiple servers or provide backup options. The researcher’s trick is to create a site that lists a visitor’s own IP address as one of those options. When a visitor comes to his booby-trapped site, a script runs that switches to its alternate IP address — in reality the user’s own IP address — and accesses the visitor’s home network, potentially hijacking their browser and gaining access to their router settings. Source:
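Two defences sit naturally against the rebinding technique just described: a resolver can refuse public names that resolve into private address space (the idea behind dnsmasq's `--stop-dns-rebind` option), and the device's own web interface can reject requests whose HTTP Host header is not its own address, since a rebound request still carries the attacker's hostname. This is an added example, not the researcher's tool or any router vendor's code; the DNS answers, local zone names and device addresses are constructed.

```python
"""Resolver-side and server-side checks against DNS rebinding (constructed)."""
import ipaddress

# Address space a public hostname should never legitimately resolve into.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",      # loopback, link-local, "this host"
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 loopback, ULA, link-local
)]


def is_internal(addr: str) -> bool:
    """True if addr lies in internal space. IPv4-mapped IPv6 addresses
    (::ffff:192.168.1.1) are unwrapped so they cannot slip past the check."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in INTERNAL_NETS)


def filter_rebinding_answers(qname: str, answers, local_zones=("lan", "home.arpa")):
    """Resolver-side filter. Returns (kept, dropped). Names under a locally
    served zone may point at internal hosts; any other name answering with
    an internal address is treated as a rebinding attempt and dropped."""
    name = qname.rstrip(".").lower()
    local = any(name == z or name.endswith("." + z) for z in local_zones)
    kept, dropped = [], []
    for addr in answers:
        if not local and is_internal(addr):
            dropped.append(addr)
        else:
            kept.append(addr)
    return kept, dropped


def host_header_allowed(host_header: str,
                        device_addresses=("192.168.1.1",),
                        device_names=("router.lan",)) -> bool:
    """Server-side check for a LAN device's admin interface: accept only
    requests addressed to the device itself. A rebound browser request
    carries the attacker's hostname in Host and is refused."""
    if not host_header:
        return False
    host = host_header.strip().lower()
    if host.startswith("["):            # bracketed IPv6 literal, maybe with port
        host = host[1:host.find("]")]
    else:
        host = host.split(":")[0]       # strip an optional port
    host = host.rstrip(".")
    return host in device_addresses or host in device_names


if __name__ == "__main__":
    # Constructed answer set: a public address plus the victim's own router.
    print(filter_rebinding_answers("attacker.example.", ["198.41.0.4", "192.168.1.1"]))
    print(host_header_allowed("attacker.example"), host_header_allowed("192.168.1.1:8080"))
```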

Communications Sector

53. July 16, – (International) Chile becomes first net neutrality nation. Chile has become the first nation to officially put net neutrality principles into law. In a vote by the Chilean legislature, the new law won a near unanimous vote, according to local media. The new law forces Internet Service Providers (ISPs) to “ensure access to all types of content, services or applications available on the network and offer a service that does not distinguish content, applications or services, based on the source of it or their property.” The legislation also requires ISPs to provide parental controls that block objectionable content, as well as require written consent before payment for online services, and ensure that ISPs have proper security measures in place. The amount of support for the bill was surprising, but Chile is looking to expand its technological infrastructure. Around half of the population uses the Internet on a regular basis, and broadband speeds in metropolitan centers are around 2Mbit/s. Net neutrality campaigners in other countries will be using this case as a legislative example of how net neutrality could work on a state level. Source:

54. July 15, Eugene Register-Guard – (Oregon) Phone service restored to Creswell area. About 5,000 CenturyLink customers in the Creswell and Glide, Oregon areas went without local telephone service for much of July 15. The day-long outage began about 8:30 a.m., when a construction crew member working on a project to build a new Interstate 5 bridge over the Willamette River in the Eugene-Springfield area accidentally drilled through a fiber-optic line owned by Qwest Communications, a company spokesman said. Telephone service was restored by 6:30 p.m. Source:

55. July 15, KSNT 27 Topeka – (Kansas) Phone service restored in NW Shawnee County. Citizens were unable to make 911 calls to the Shawnee County Sheriff’s office in areas near Silver Lake and Rossville, Kansas for several hours, July 15. According to the Shawnee County Sheriff’s Office, phone service was restored at approximately 1:30 p.m. The outage was reported at about 9:45 a.m. Source:

56. July 15, FierceWireless – (National) FCC proposal would free satellite spectrum for mobile broadband. The Federal Communications Commission (FCC) voted 5-0 to consider a proposal to ease restrictions on satellite spectrum, a move that could free 90 MHz of spectrum for mobile broadband use. Specifically, the FCC issued a Notice of Inquiry seeking comment on its proposal to change the rules for how satellite companies are allowed to use their mobile satellite services spectrum. The companies could, for example, lease the spectrum for mobile broadband services. In addition, the agency proposed allowing satellite firms to give up their MSS spectrum in exchange for part of the proceeds gleaned from the auction of that spectrum. In response to the FCC actions, the CTIA wireless association advocacy group said it commends the agency for taking the first step. “The adoption of today’s NPRM advances the effort to make the spectrum promises of the National Broadband Plan a reality. CTIA looks forward to continuing to work with the commission to find ways to bring this underutilized, and at times unutilized, spectrum quickly to market.” Source: