Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, July 20, 2010

Complete DHS Daily Report for July 20, 2010

Daily Report

Top Stories

• A man is in custody on charges of felony arson after allegedly driving a car bomb into a Lockport, Illinois bank July 16, according to CNN. The car exploded, but the suspect walked away and no other injuries were reported as the bank was closed and unoccupied. (See item 20 below in the Banking and Finance Sector)

• CNN reports that waters were receding July 18 as rescue crews conducted searches in the aftermath of flash flooding in eastern Kentucky that killed at least two people. The Pike County judge-executive confirmed the two fatalities, and estimated that 200 homes in the area were damaged or destroyed.

32. July 19, CNN – (Kentucky) At least 2 dead in Kentucky flooding. Waters were receding July 18 as rescue crews conducted searches in the aftermath of flash flooding in eastern Kentucky that killed at least two people, a top county official said. The Pike County judge-executive confirmed the two fatalities, and estimated that 200 homes in the area were damaged or destroyed. Earlier in the day, another Pike County official said that there were three fatalities. The county will send nine assessment teams July 19 to gauge damage so a report can be submitted to the Federal Emergency Management Agency for assistance. Several major roads and bridges in the area were damaged. Crews in Pike County worked throughout the night in boats to rescue people from homes after flash flooding in the area. About 5,000 people were affected, and there were a number of high-water rescues and several evacuations. As the water began to recede, the county faced another problem: one of the major water intake plants in the county was damaged and unusable. “It looks like about 4,000 customers will be without water for about a week, so we’re setting up distribution centers for folk to make sure they have drinking water,” an official said. Source:


Banking and Finance Sector

16. July 19, Connecticut Post – (National) Outage snarls processing of food stamps. System outages on July 15 and 16 may have crimped the shopping plans of some recipients of food stamps on the East Coast. The outages affected people in as many as 10 states that are served by J.P. Morgan, including Connecticut, New York and New Jersey, said a communications director for the Connecticut Department of Social Services. The outage is being blamed on a connectivity issue between J.P. Morgan, and one of its processors. There is a manual voucher process available to all retailers who participate in the Supplemental Nutrition Assistance Program (SNAP) that is being used until the system is back online. The back-up process requires a form to be completed by the retailer, a phone call to be made for an authorization number, and a signature from the client confirming the sale. Retailers would then clear the voucher within 15 days to receive payment. With this process, clients can have full access to their SNAP benefits. Source:

17. July 19, Consumer Affairs – (National) Consumers warned about scam. The millions of consumers who use Amazon to purchase everything from books to cookware have to be careful about a new phishing scheme. The Better Business Bureau (BBB) said it has received reports of e-mails, appearing to come from Amazon customer service, with the subject line “Thank you for your order.” The message carries the Amazon logo and looks legitimate in other ways, at least on the surface. The e-mail lists an order number, total price, and a link to view the order. Someone receiving the message who had not ordered anything might click the link to see what he has mistakenly been charged for. Someone who had actually ordered something from Amazon might click the link because the price and item description are wrong. Anyone who clicks on the link would be sent to a fake site where an attempt would be made to steal her personal information. Source:

18. July 19, Bank Info Security – (National) BP aftermath: Fear of fraud. Financial institutions in states along the Gulf of Mexico are taking action to prepare for the long-term financial impact of the BP oil spill — including fraud attempts against customers. One Alabama bank recently reported a phishing scheme that enticed customers to click fraudulent links, using BP relief and recovery funds as a guise. All Alabama Bankers Association (ABA) banks have been warned of this scheme, according to the ABA’s CEO. Banks also have been urged to keep a close watch for a new wave of counterfeit checks, though no reports have yet been made. In Florida, the state’s banking institutions are prepared to identify and fight the fraud attempts that typically prey upon disaster victims, said the senior vice president of service operations for Florida’s Suncoast Schools Federal Credit Union. This latest disaster began April 20, when the Deepwater Horizon drill rig exploded, killing 11 people, rupturing a pipeline and initiating the unprecedented oil leak into the gulf coast waters. Last week, both the Federal Deposit Insurance Corp. and the National Credit Union Administration released a joint statement encouraging institutions to consider steps to help borrowers affected by the spill. The agencies also formally categorized the spill as a disaster — one that would allow federal examiners to take unusual circumstances into consideration where supervisory response and safety are concerned. Source:

19. July 17, Bank Info Security – (National) 6 banks closed on July 16. Federal and state banking regulators closed six banks July 16, raising the total number of failed banks and credit unions to 106 so far in 2010. Assets of three of the failed banks were purchased by a single institution in Miami, Florida. The latest closings are: Woodlands Bank, Bluffton, South Carolina, was closed by the Office of Thrift Supervision (OTS), and the Federal Deposit Insurance Corporation (FDIC) was appointed receiver. The estimated cost to the FDIC’s Deposit Insurance Fund (DIF) will be $115 million. Metro Bank of Dade County, Miami, Florida; Turnberry Bank, Aventura, Florida; and First National Bank of the South, Spartanburg, South Carolina, were closed by federal and state banking agencies. The FDIC was appointed receiver for all three banks, and arranged for NAFH National Bank, Miami, Florida, to buy the deposits of the failed institutions. The estimated cost to the DIF for Metro Bank of Dade County will be $67.6 million; for Turnberry Bank, $34.4 million; and for First National Bank of the South, $74.9 million. Mainstreet Savings Bank, FSB, Hastings, Michigan, was closed by OTS, and the FDIC was appointed receiver. The Commercial Bank, Alma, Michigan, will buy the deposits of the failed bank. The estimated cost to the DIF will be $11.4 million. Olde Cypress Community Bank, Clewiston, Florida, was closed by the OTS, and the FDIC was appointed receiver. The estimated cost to the DIF will be $31.5 million. Source:

20. July 17, CNN – (Illinois) Police: Man drove car bomb into a bank. A man is in custody on charges of felony arson after allegedly driving a car bomb into a Lockport, Illinois bank July 16. The 48-year-old suspect, of Blue Island, Illinois, was arrested after witnesses at the scene identified him, the Lockport Police Department said. He drove his car into the front entrance of a PNC bank, police said. The car exploded as the suspect walked away, police said, adding that he used the same material found in fireworks. No injuries were reported because the bank was closed and unoccupied, authorities said. The suspect is being held on charges of felony arson and felony criminal damage to property with an incendiary device. His motive is unknown, according to police. Source:

21. July 16, Computerworld – (Colorado) Colorado warns of major corporate ID theft scam. Colorado’s secretary of state and other officials are warning the state’s 800,000 or so registered businesses to watch out for scammers who have been forging business identities to make fraudulent purchases from several big-box retailers in recent months. So far, at least 35 businesses in the state have had their corporate identities misused to open fraudulent credit accounts at retailers such as Home Depot, Lowe’s, Office Depot, Apple, and Dell. According to the Colorado Bureau of Investigation (CBI), the scammers have made at least $750,000 in fraudulent purchases from Home Depot alone after opening up lines of credit. Five people in California have been arrested in connection with the scam, said the CBI agent in charge of the fraud unit. It is unclear how many other businesses may have been affected. But the problem appears to be growing, with several more groups likely involved in similar scams, including one in Texas. The thefts were possible because of what appears to have been a wide-open business registration system at the Colorado secretary of state’s office. Colorado, like other states, requires companies to register. The details, which include the name of the registered agent, the full local address and other information, are a public record. In Colorado’s case, however, not only does the state allow anyone to view the record — it also allows just about anyone to alter or update it. The state site requires no username or password for access to a company’s registration information, which means that anyone with access to the site can make changes. The identity thieves used this hole to alter the contact and other registration information for several companies. According to the agent in charge, many of the companies targeted appear to have been smaller and medium-sized firms and, in some cases, defunct companies. Once the registration information was changed, the scammers then used the forged identity to make online applications for lines of credit with the retailers. Source:

22. July 16, Chattanooga Times Free Press – (Tennessee) Bomb threats force evacuations at Home Depot, Bank of America. Telephoned bomb threats July 16 forced the evacuation of two businesses near Northgate Mall in Chattanooga, Tennessee, a Chattanooga Police Department spokeswoman said. Both the Home Depot at 1944 Northpoint Blvd. and the Bank of America branch at 1945 Northpoint Blvd. were searched and no explosive devices found. Workers and customers returned to the buildings after about 45 minutes. Police are working to locate the caller or callers. Source:

Information Technology

51. July 19, Computerworld – (International) Windows ‘shortcut’ attack code goes public. A security researcher July 18 published a working exploit of a critical Windows vulnerability, making it more likely that attacks will spread. According to a security advisory issued July 16 by Microsoft, hackers can use a malicious shortcut file, identified by the “.lnk” extension, to automatically run their malware simply by getting a user to view the contents of a folder containing the shortcut. Malware can also automatically execute on some systems when a USB drive is plugged into the PC. All versions of Windows, including the just-released beta of Windows 7 Service Pack 1 (SP1), as well as the recently retired Windows XP SP2 and Windows 2000, contain the bug. On July 18, a researcher known as “Ivanlef0u” published proof-of-concept code to several locations on the Internet. Later that day, a Belgian researcher — who in late March revealed a serious design flaw in Adobe’s PDF document format — confirmed that Ivanlef0u’s code could be tweaked to create an effective attack. The Belgian researcher also announced that he’d tested Ivanlef0u’s exploit against a tool he had written a year ago, and said that the utility successfully blocked attacks launched from USB flash drives and CDs. Source:

52. July 19, The Register – (International) MS confirms Windows shortcut zero-day flaw. Microsoft has confirmed the presence of a zero-day vulnerability in Windows, following reports of sophisticated malware-based hacking attacks on industrial control systems that take advantage of the security flaw. Security shortcomings in Windows shortcut (.lnk) files are being exploited by the Stuxnet rootkit, an information-stealing threat that targets industrial and power plant control systems. The malware, which has been detected in the wild, executes automatically if an infected USB stick is accessed in Windows Explorer. The attack features rootkit components designed to hide the presence of the information-stealing payload on compromised systems. The digital certificate used to sign the rootkit components in the malware, which had been issued to the legitimate firm Realtek Semiconductor, was revoked by VeriSign last week following discovery of the attack. All versions of Windows — including Win XP SP2, widely used despite the discontinuation of further security updates earlier this month — are vulnerable. Disabling Windows AutoPlay and AutoRun — the normal defense against malware on USB sticks — has no effect. Source:

53. July 16, DarkReading – (International) Single Trojan accounted for more than 10 percent of malware infections in first half 2010. When something works, hackers keep doing it. And as a vehicle for delivering malware, Microsoft’s Autorun.INF utility is still working just fine, according to researchers at BitDefender. In a study issued last week, BitDefender reported that the top two malware offenders during the first six months of 2010 — Trojan.AutorunINF.Gen and Win32.Worm.Downadup.Gen — both exploit Autorun.INF. Trojan.AutorunINF.Gen alone accounted for 11 percent of all the malware infections detected by BitDefender in the first half, according to the report. “The autorun technique is massively used by worm writers as an alternate method of spreading their creations via mapped network drives or removable media,” BitDefender said. Initially designed to simplify the installation of applications located on removable media, the Windows Autorun feature has been used on a large scale as a means of automatically executing malware as soon as an infected USB drive or an external storage device has been plugged in, the report stated. Unlike legitimate autorun.inf files, those used by various malware are usually obfuscated, the researchers said. MBR worms made a comeback in early 2010, with upgraded viral mechanisms, BitDefender stated. Late January saw the emergence of Win32.Worm.Zimuse.A, a deadly combination of virus, rootkit, and worm. Regionally, China and Russia are the world’s top malware distributors, the report said. Source:
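Item 53 notes that the autorun.inf files dropped by malware are usually obfuscated, unlike legitimate ones. As an added illustration (not from the report or from BitDefender's detection logic), the following Python checker parses an autorun.inf tolerantly, the way Windows does, and flags the padding, hidden-folder launcher and prompt-spoofing tricks commonly seen in such files; both sample files are constructed, and the heuristics are this editor's own assumptions.

```python
import re

# Standard autorun.inf keys whose value names the program Windows launches when the
# volume is inserted or double-clicked. The heuristics below are assumptions, not
# BitDefender's signatures.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)$", re.I)
RISKY_EXT = (".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".dll")
HIDDEN_DIRS = ("recycler", "recycled", "$recycle.bin", "system volume information")
EXPLORER_PROMPT = "open folder to view files"

# Constructed sample files (not taken from the report). The second one uses binary
# padding, a launcher hidden in the recycle bin folder and an "action" label that
# imitates Explorer's own AutoPlay entry.
LEGIT = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe\r\nlabel=Product Installer\r\n"
SUSPECT = (b"\x07\x1b;zq\xfe\x9a" * 4 + b"\r\n[autorun]\r\n"
           b"oPeN=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe\r\n"
           b"shell\\open\\command=RECYCLER\\S-1-5-21-1482476501-1644491937-682003330-1013\\update.exe\r\n"
           b"action=Open folder to view files\r\n")


def parse_autorun(data: bytes) -> dict:
    """Tolerant parse: Windows only reads the [autorun] section, so malware pads the
    file with binary junk that trips up naive INI parsers. Returns the junk-byte
    count and the key/value pairs found in that section."""
    junk = sum(1 for b in data if b not in (9, 10, 13) and not 32 <= b < 127)
    keys, in_section = [], False
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            k, v = line.split("=", 1)
            keys.append((k.strip(), v.strip()))
    return {"junk_bytes": junk, "keys": keys}


def assess(data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing looked off."""
    info = parse_autorun(data)
    findings = []
    if info["junk_bytes"]:
        findings.append(f"{info['junk_bytes']} non-text bytes: likely obfuscation padding")
    launchers = [(k, v) for k, v in info["keys"] if LAUNCH_KEY.match(k)]
    if len(launchers) > 1:
        findings.append("multiple launch keys (open/shellexecute/shell\\verb\\command)")
    for k, v in launchers:
        if not (k.islower() or k.isupper() or k.istitle()):
            findings.append(f"key {k} uses mixed case, a common signature-evasion trick")
        target = v.lower().replace("/", "\\")
        if any(d in target for d in HIDDEN_DIRS):
            findings.append(f"{k} launches from a hidden system folder: {v}")
        if target.endswith(RISKY_EXT):
            findings.append(f"{k} launches an unusual executable type: {v}")
    for k, v in info["keys"]:
        if k.lower() == "action" and EXPLORER_PROMPT in v.lower():
            findings.append("action= mimics Explorer's own 'Open folder to view files' entry")
    return findings


if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("suspect", SUSPECT)):
        print(name, assess(sample) or ["clean"])
```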

54. July 16, ZD Net – (International) Windows token kidnapping returns to haunt Microsoft. Microsoft’s problems with Token Kidnapping on the Windows platform are not going away anytime soon. More than a year after Microsoft issued a patch to cover privilege escalation issues that could lead to complete system takeover, a security researcher plans to use the Black Hat conference spotlight to expose new design mistakes and security issues that can be exploited to elevate privileges on all Windows versions including the brand new Windows 2008 R2 and Windows 7. The founder and CEO of Argeniss, a security consultancy firm based in Argentina, first reported the token kidnapping hiccup to Microsoft in 2008, and after waiting in vain for a patch, he released the details during the Month of Kernel Bugs project. The flaw would eventually be exploited in active attacks, leading to a mad scramble at Redmond to come up with a fix, and to a subsequent disclosure flap that exposed Microsoft as the irresponsible party. This year, the researcher plans a new talk titled “Token Kidnapping’s Revenge” where he will discuss how attackers can even bypass certain Windows services protections. Source:

55. July 12, San Jose Mercury News – (International) Watch out for phone scam that offers tech support, leaves spam. A tricky phone solicitor posing as Microsoft tech support can turn one’s computer into a spam-sending zombie machine, and the victim might be charged for it. The scam is one of many fishy attempts to obtain personal information or hack computers, according to a spokeswoman for the consumer affairs unit at a San Jose, California-area district attorney’s office. A Santa Cruz man said he recently got the scammer’s call. The caller, possibly East Indian, said he was from Microsoft and that the man’s computer operating system had errors in it that he could help correct. The Santa Cruz man said he hung up because he had not called Microsoft for assistance and was not having trouble with his computer. The scam has surfaced across North America, in the United Kingdom and in Australia. The caller pretends to be tech support from a computer company, but the instructions he walks people through actually install new software that gives him remote access to the computer, so he can use it to send spam or access people’s personal information. Source:

Communications Sector

56. July 19, Engineering News – (International) Faulty Seacom cable to be fixed by end of week. Fiber-optic cable system operator Seacom expects its faulty undersea cable to be repaired at the end of this week, as the repair schedule remained on track. However, the company cautioned that a number of external factors including location, water depth, ocean currents and weather made the cable outage “very difficult” to repair. The SEACOM cable provides high capacity bandwidth to Southern Africa, East Africa, Europe, and South Asia. On July 5, Seacom reported that its service was down because a submarine repeater failure was experienced, resulting in service downtime between Mumbai, India and Mombasa, Kenya. The repeater is a large, complex unit, essentially a large box of optical electronics. Repeaters are required to regenerate the light signal at certain intervals along the cable to ensure the quality of the signal. There are 159 repeaters deployed along the Seacom cable. “These are enormously robust pieces of equipment designed for the harshest conditions,” said the Seacom South Africa general manager. “A failure is very unusual,” he noted. “It could be due to external forces such as rocks, landslides, which have caused the failure of this particular repeater.” Source:

57. July 17, Staunton News-Leader – (Virginia) Verizon cell service disrupted Friday. A cell phone outage caused Verizon Wireless customers to have problems placing or receiving calls early July 16. A company spokeswoman said Verizon identified and fixed the disruption in the early afternoon after the problems were reported. “It was a minor issue that was addressed immediately and service is back to normal,” she said. Earlier that day, customers who called the affected phones got messages saying the service was disconnected. Customers who tried to call out received a message saying they needed a credit card number to place a call. Source:

58. July 16, Wall Street Journal – (New York) Cablevision customers hit by email glitch. Cablevision Systems Corp. said its Internet-service subscribers had their e-mail service restored July 16 after an outage that lasted 24 hours or more for some customers. “The e-mail disruption has been resolved,” the Bethpage, New York, company said. “The issue was caused by a digital mail storage device malfunction.” Cablevision said the e-mail disruption affected a “minority” of its customers, who in some cases weren’t able to send or receive e-mails. “We apologize to our customers and thank them for their patience,” Cablevision said. As of March 31, there were more than 2.6 million customers for Cablevision’s Optimum Online high-speed Internet service. Cablevision said the problem was “extremely rare” and didn’t affect Internet access for its subscribers. Source:

59. July 15, Beirut Daily Star – (International) MP warns telecoms exposed to infiltration. The current state of the telecommunications sector in Lebanon exposes it to security infiltration, the head of the Media and Telecommunications Parliamentary committee said July 14. He explained that damage was sustained by the telecommunications sector when a former employee in the field provided Israeli intelligence with sensitive information enabling it to monitor the entire telecommunications network. The technician in the state-run Alfa telecommunications firm was arrested in June by Lebanese authorities on charges of providing the Israelis with crucial data. During the investigation, the detainee confessed that he had been collaborating with Israeli authorities since 1996. “There are responsibilities that should be shouldered by [telecom] firms, and a vital role for the state to play in protecting this sector by practical measures,” the head of the Media and Telecommunications Parliamentary committee said. The technician was charged July 13 with spying for Israel. Another Israeli spy was sentenced to death on the same day. Source: