Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, July 21, 2010

Complete DHS Daily Report for July 21, 2010

Daily Report

Top Stories

• As tests continue July 20 on BP’s ruptured oil well in the Gulf of Mexico, scientists are weighing a new option for permanently sealing it, CNN reports. The “static kill” would involve pumping mud into the well to force oil back into the reservoir below, officials from BP said July 19. (See item 1)

1. July 20, CNN – (Louisiana) Scientists weighing new option for shutting down oil well. As tests continue July 20 on BP’s ruptured oil well in the Gulf of Mexico, scientists are weighing a new option for permanently sealing it. The “static kill” would involve pumping mud into the well to force oil back into the reservoir below, officials from BP said July 19, noting that the option could succeed where other similar attempts have failed because pressure in the well is lower than expected. A geologist told CNN’s “American Morning” July 20 the relative simplicity of a static kill makes it an attractive option. A BP senior vice president said July 19 that the idea was still “very much in its infancy,” but that a decision could be made in several days. The former coast guard admiral, the federal government’s point man on the spill, said July 19 that there were no signs of significant problems with the ruptured well’s casing. But he said tests on the well would continue for another 24 hours as federal and company officials try to explain “anomalous” pressure readings and possible leaks. Source:

• According to Associated Press, the FBI has joined an investigation into the case of a convicted felon who opened fire on California Highway Patrol officers after a traffic stop. Authorities said the 45-year-old suspect was heavily armed and wearing a bulletproof vest when he shot at police July 18 on an Oakland freeway. (See item 24)

24. July 19, Associated Press – (California) FBI joins probe into suspected CA freeway shooter. The FBI has joined an investigation into the case of a convicted felon who opened fire on California Highway Patrol officers after a traffic stop. Authorities said the 45-year-old suspect was heavily armed and wearing a bulletproof vest when he shot at police July 18 on an Oakland freeway. He also was wounded in the shootout, but expected to survive. Authorities said the FBI joined the investigation to probe his background and behavior, as well as the contents of a diary authorities found in his car. The notebook was titled “California” and removed by a bomb squad robot. His mother told local media that her son was angry he could not find a job as a parolee and upset about Congress’ “left-wing agenda.” Source:


Banking and Finance Sector

15. July 20, Krebs on Security – (National) Skimmers siphoning card data at the pump. Thieves recently attached bank card skimmers to gas pumps at more than 30 service stations along several major highways in and around Denver, Colorado, the latest area to be hit by a scam that allows crooks to siphon credit and debit card account information from motorists filling up their tanks. Forced to re-issue an unusually high number of bank cards due to fraudulent charges on the accounts, a regional bank serving Colorado and surrounding states recently began searching for commonalities among the victimized accounts. The financial institution, which shared information with on the condition that it not be named, found that virtually all of the compromised cardholders had purchased gas from one of a string of filling stations along or not far from Interstate 25, a major North-South highway that runs through the heart of Denver. Several Valero stations along the I-25 corridor reached by phone acknowledged being visited over the past week by local police and U.S. Secret Service agents searching for skimmer devices. The stations declined to comment on the record, but said investigators left them with a bulletin stating that stations in the area had been targeted, and urging them to be on the lookout for suspicious activity around the pumps. Similar attacks on gas station pumps recently have hit other parts of the country. Police in Arizona also are dealing with a spike in reports about skimmers showing up at gas pumps, prompting the governor to urge the Arizona Department of Weights and Measures to increase its inspection efforts. Source:

16. July 20, Associated Press – (South Carolina) 2 plead guilty in SC bank fraud case. Two former bank officials in South Carolina have pleaded guilty to fraud charges. Multiple media outlets reported that the 58-year-old and 44-year-old suspects pleaded guilty to conspiracy to commit bank fraud in federal court in Florence July 19. The two admitted falsifying information on loan applications so Myrtle Beach banks would approve mortgages that wound up in foreclosure. The 58-year-old worked at J.P. Morgan Chase, the 44-year-old worked at a Bank of America. A U.S. district judge agreed to allow the suspects to remain free until they are sentenced in about two months. Each of them face up to 30 years in prison. They also face fines of up to $1 million each, and could be ordered to pay restitution. Source:

17. July 20, Associated Press – (New York) NYC bank robber says it with flowers, plants too. New York City’s bouquet bandit has a green thumb. Police said July 20 that a man wanted for robbing a Manhattan bank while armed with a bouquet of flowers has struck before — using a potted plant. On July 19, police released a security photo of a man holding fresh flowers that were neatly bundled in pink tissue paper and plastic. Hidden inside the arrangement was a note demanding $50 and $100 bills and a message for the teller, “Don’t be a hero.” On July 10, police said the same man robbed another Manhattan bank, pulling a threatening note from a leafy plant and handing it to a teller. He reached over the counter and grabbed the cash before he fled, leaving the plant behind. Source:

18. July 20, Oklahoman – (Oklahoma) Employee among 3 arrested in Shawnee bank robbery. Three men arrested over the weekend face federal bank robbery charges, as they are accused of robbing a Shawnee, Oklahoma bank July 8, according to the FBI. The three men were taken into custody July 16 and July 17, according to a news release from a special agent. All three men live in Pottawatomie County. Investigators searched homes in Shawnee and Tecumseh before the arrests. The special agent said one of the suspects was employed at the bank, but could not comment further. First United Bank was robbed July 8 by a masked robber who fled in a small black car with a driver. Source:

19. July 19, Associated Press – (Utah) Utah electric utility warning of credit card fraud. Rocky Mountain Power in Salt Lake City, Utah, said scam artists are tricking its customers to reveal their credit card accounts using fraudulent telephone calls claiming the customers are in default and at risk of losing power. Sometimes the perpetrators tell victims they forgot to sign a check. The callers are asking for credit card numbers to satisfy bills. Rocky Mountain Power said it does not operate that way and warns people not to give out any personal information. The utility said it is working with police to stop the fraud. Source:

20. July 19, UPI – (Maryland) Woman arrested in Baltimore bank robberies. Authorities said a woman who allegedly robbed seven Baltimore-area banks while using heavy makeup as a disguise was in custody July 19. The makeup worn by the suspect of Landsdown, Maryland, was reportedly melting off her face July 17 when she was taken into custody after becoming trapped in the vestibule of a Madison Bank branch in Baltimore. The FBI told the Baltimore Sun a quick-thinking teller pushed an alarm switch that slammed the two doors in front of the suspect and behind her as she allegedly tried to make her getaway. The Sun said the suspect was believed to have robbed six banks in July while wearing disguises that included a long black wig and a Muslim head covering. Source:

For more stories, see items 55 and 56 below in the Information Technology Sector

Information Technology

49. July 20, The Register – (International) Yellow alert over Windows shortcut flaw. Windows Shortcut’s zero-day attack code has gone public. The development increases the risk that the attack vector, already used by the highly sophisticated Stuxnet Trojan to attack Scada control systems, will be applied against a wider range of vulnerable systems. All versions of Windows are potentially vulnerable to the exploit, according to experts. Just viewing the contents of an infected USB stick is enough to get the attack, even on systems where Windows Autoplay is disabled. Maliciously crafted Windows shortcut (.lnk) files might also to be able to push malicious code through other attack routes such as Windows shares. The SANS Institute’s Internet Storm Centre has responded to the heightened threat by moving onto yellow alert status for the first time in years. “We believe wide-scale exploitation is only a matter of time,” wrote an ISC handler. “The proof-of-concept exploit is publicly available, and the issue is not easy to fix until Microsoft issues a patch. Furthermore, anti-virus tools’ ability to detect generic versions of the exploit have not been very effective so far.” Microsoft has acknowledged the problem — and published workarounds deigned to guard against attack — ahead of a possible patch. But many experts think Microsoft will be hard pressed to quickly develop a fix. The Siemens SIMATIC WinCC SCADA systems specially targeted by the Stuxnet Trojan use hard-coded admin username / password combinations that users are told not to change. Details of these passwords has been available on underground hacker forums for at least two years, Wired reports. Worse still, changing Siemens’ hard-coded password will crash vulnerable SCADA systems, IDG reports. Siemens is in the process of developing guidelines for customers on how to mitigate against the risk of possible attack. Source:

50. July 20, SC Magazine – (International) Blog platform closed down due to posting of terrorist material and bomb-making instructions. Web hosting company BurstNET Technologies has taken its blogging platform down after a link to terrorist material, including bomb-making instructions and an al-Qaeda “hit list” was posted to the site. In a statement regarding the termination of service to, BurstNET claimed that July 9, it received a notice of a critical nature from law enforcement officials and was asked to provide information regarding ownership of the server hosting It said: “Upon review, BurstNET determined that the posted material, in addition to potentially inciting dangerous activities, specifically violated the BurstNET acceptable use policy. “This policy strictly prohibits the posting of ‘terrorist propaganda, racist material, or bomb/weapon instructions.’ Due to this violation and the fact that the site had a history of previous abuse, BurstNET elected to immediately disable the system.” Source:

51. July 20, Sophos – (International) Yes, there’s malware. But don’t change your SCADA password, advises Siemens. If the malware (call Stuxnet for now) was programmed to know the default password used by the SCADA (Supervisory Control And Data Acquisition) systems which manage critical operations, a person might want to seriously consider changing those default passwords, right? As a sensible precaution, yes? Unfortunately, life is not that simple. Although Siemens SCADA systems are being targeted by the Stuxnet malware (which exploits a zero-day Microsoft vulnerability in the way that Windows handles .LNK shortcuts, allowing malicious code to run when icons are displayed), the company is telling customers that they should not change their default passwords. “We will be publishing customer guidance shortly, but it won’t include advice to change default settings as that could impact plant operations,” a Siemens spokesman told journalists. That’s in spite of the fact that the password used by Siemens Simatic WinCC SCADA software was leaked onto the net some years ago. Siemens is worried that if critical infrastructure customers change their Siemens WinCC SCADA password (to hinder the malware’s attempt to access their system) they will stop Stuxnet being able to steal information, but could at the same time throw their systems into chaos. Source:

52. July 20, IDG News Service – (International) Eset discovers second variation of Stuxnet worm. Researchers at Eset have discovered a second variant of the Stuxnet worm that uses a recently disclosed Windows vulnerability to attack Siemens industrial machines. The second variant, which Eset calls “jmidebs.sys,” can spread via USB drives, exploiting an unpatched flaw in Windows involving a malicious shortcut file with the “.lnk” extension. Like the original Stuxnet worm, the second variant is also signed with a certificate, used to verify the integrity of an application when installed. The certificate was bought from VeriSign by JMicron Technology Corp., a company based in Taiwan. The first Stuxnet worm’s certificate came from Realtek Semiconductor Corp., although VeriSign has now revoked it, said a Eset senior research fellow. Both companies are listed to have offices in the same place, the Hsinchu Science Park in Taiwan. “We rarely see such professional operations,” the senior researcher wrote. “They either stole the certificates from at least two companies or purchased them from someone who stole them. At this point, it isn’t clear whether the attackers are changing their certificate because the first one was exposed or if they are using different certificates in different attacks, but this shows that they have significant resources.” Although Eset analysts are still studying the second variant, it is closely related to Stuxnet, the fellow said. The code for the second variant was compiled July 14. Source:

53. July 20, Cnet News – (International) Adobe Reader to block attacks with sandbox tech. Adobe Reader will soon have an additional layer of protection against the many attacks that target the popular PDF viewer. Adobe Systems is borrowing a page from Microsoft’s and Google’s playbook by turning to sandboxing technology designed to isolate code from other parts of the computer. Adobe is adding a “Protected Mode” to the next release of Adobe Reader for Windows due out some time this year, said the director of product security and privacy at Adobe. The feature will be enabled by default and included in Adobe Reader browser plug-ins for all the major browsers. The company has no plans to add the feature to the version of its PDF (Portable Document Format) viewer for the Macintosh at this time because the vast majority of Adobe Reader downloads and exploits are on Windows, a spokeswoman said. The sandbox mechanism will confine PDF processing, such as JavaScript execution, 3D rendering, and image parsing, to a confined area and prevent applications from installing or deleting files, modifying system information, or accessing processes. While Adobe Reader can communicate directly with the operating system, applications running in the program cannot. If malicious code sneaks onto a computer by successfully exploiting a hole in Adobe reader, its impact will be limited because it will be contained within the sandbox. Source:

54. July 19, The New New Internet – (International) Argentinean government sites used in Black Hat SEO campaigns. Numerous Argentinian government Web sites were recently compromised by hackers and used in black hat search engine optimization (SEO) campaigns, according to Sunbelt Software. Security researchers said 12 government pages were involved in the spamming campaign, with some of them distributing malware as well. Also called spamdexing, black hat SEO is a technique used by cyber crooks to unethically raise search rankings. Researchers said the SEO campaign used keywords related to prescription drugs and enhancement pills to increase visibility of malicious Web sites. A security expert said, “What’s more scary than the spam itself, is that these sites are hacked and nobody is noticing it or taking any action to clean them up.” He added many of the sites have been accessed through SQL injections and vulnerabilities with poorly coded custom applications. Source:

55. July 19, DarkReading – (International) Reports: Turkish hackers have stolen personal data of more than 100,000 Israelis. Turkish hackers have posted two large files that could expose the personal data of more than 100,000 Israeli citizens, according to news reports. Israeli observers fear the data thefts may be a concerted effort by Turkish hackers to target Israeli nationals. The two countries have been in conflict since Israeli forces intercepted a Gaza-bound aid flotilla May 31. On July 18, an Israeli blogger said in his blog on We-CMS that he had found an Excel spreadsheet with more than 32,000 e-mail addresses and passwords published on a Turkish forum. The items were obtained through numerous hackings since the Gaza flotilla incident, he said, including Israeli accounts on Facebook, Gmail, and Messenger. Also July 18, Web site reported that another file is circulating on the Internet that contains the e-mail addresses of an additional 70,000 Israeli Web users. One of the sources of the data, Israel’s Pizza Hut, confirmed it has been hacked. The company said July 17 that e-mail addresses and passwords of 26,476 customers who ordered pizza from the company’s Web site in early June had been stolen. Pizza Hut officials said credit-card data is not stored on the Web site. The Israeli classified ad site called Homeless also conceded that its site has been hacked. No personal details were disclosed in the hack, according to the site, although “partial” user data may have been revealed. “I also mean PayPal,” the blogger said. “From what I’ve been able to learn on the forum, the hackers penetrated PayPal accounts of Israelis, and their bank accounts, and also obtained credit card details.” Source:

56. July 19, Kapersky Lab Security News Service – (International) Attackers moving to social networks for command and control. Bot herders and the crimeware gangs behind banker Trojans have had much success the last few years using bullet-proof hosting providers as their main base of operations. New research from RSA shows that the gangs behind some Trojans that are such a huge problem in some countries, especially Brazil and other South American nations, are moving quietly and quickly to using social networks as the command-and-control mechanisms for their malware. The company’s anti-fraud researchers recently stumbled upon one such attack in progress and watched as it unfolded. The attack is as simple as it is effective. It begins with the crimeware gang setting up one or more fake profiles on a given social network (RSA is not naming the network). The attacker then posts a specific set of encrypted commands. When a new machine is infected with the banker Trojan, the malware checks the profile for new commands. The specific command begins with a string of random characters that serves as an authentication mechanism, letting the Trojan know it’s found the right commands. The rest of the encrypted string is hard-coded instructions telling the Trojan what to do next, whether to look for other machines on the network, search for saved data or log keystrokes when the user visits an online banking site. These types of attacks are increasing. There have been botnets controlled via Twitter for at least one year, and researchers found a number of example of Facebook profiles set up specifically for malicious activity. Source:

57. July 19, Network World – (International) Black Hat talk to reveal analysis of hacker fingerprints. Looking deeper within malware yields fingerprints of the hackers who write the code, and that could result in signatures that have a longer lifetime than current intrusion-detection schemes, Black Hat 2010 attendees will be told July 28 and 29. Analysis of the binaries of malware executables also reveals characteristics about the intent of the attack code that could make for more efficient and effective data defenses, said the CEO of HBGary, whose briefing “Malware Attribution: Tracking Cyber Spies and Digital Criminals” is scheduled for the Las Vegas conference. The CEO said this analysis uncovers tool marks — signs of the environments in which the code was written — that can help identify code written by a common person or group based on what combination of tools they use. For example, his research looked under the covers of one malware executable whose fingerprint included use of Back Orifice 2000, Ultra VNC remote desktop support software, and code from a 2002 Microsoft programming guide. Each program was slightly modified, but the information available amounted to a good fingerprint. The malware was a remote access tool (RAT), and RAT generators such as Poison Ivy could have created unique RAT code for each use, but that is not the route this attacker chose. Identifying this RAT in other instances of malware can link groups of malicious code to a common author or team. The CEO found these fingerprints last a long time. Once written, the binaries themselves are altered only infrequently, so employing these fingerprints as malware signatures will be more useful for longer periods. Source:

Communications Sector

58. July 20, KCCI 8 Des Moines – (Iowa) Flash flooding knocks out 911 service. The Wayne County Sheriff’s office in Iowa said early July 20 that 911 service has been knocked out to some cities due to flash flooding. Hummeston and a few other cities are without 911 service and long distance phone service. Some phone lines were washed out. It is not known yet how long the outage is expected to last. Residents affected can use their cell phones to call 911. Source:

59. July 19, WCSC 5 Charleston – (South Carolina) AT&T outage leaves some Charleston businesses without service. Many Lowcountry AT&T customers in SouthCarolina were without service July 19 after a line was dug up during a construction project. Officials with the state’s Department of Transportation (DOT) said the cut happened July 18 at the corner of Rivers and Helm avenues. According to the DOT, theline was cut in 16 places. More than 1,300 customers in Charleston and surrounding areas were affected by the outage, which impacted Internet and phone service. Businesses along Remount Road and the North Charleston police department were included in the outage. The outage included the National Weather Service (NWS) bureau in North Charleston. As a result, the NWS cannot send out weather alerts via theNational Oceanic and Atmospheric Administration (NOAA) weather radio service for Charleston, Green Pond, Savannah and Metter. In a statement, AT&T said they expected to begin restoring power to the company’s customer’s the afternoon of July 19. Source:

60. July 19, Pttsburgh Business Times – (Pennsylvania; Maryland; New Jersey) Verizon fiber optic line cut affects Pennsylvania business customers. Verizon business customers in Pennsylvania, New Jersey, and Maryland experienced service disruptions July 19 after a fiber optic line was cut in Hagerstown, Maryland, a spokesman confirmed. Initially, Verizon said the outage of Internet and phone service affected about 215 customers in Maryland, Pennsylvania and New Jersey, and included the largest business customers, but that number was later revised to about 1,000 affected customers. The 1,000-foot cable was damaged around 3 a.m. by a tree falling on an aerial fiber line near railroad tracks. When a train passed through, the cable was snagged and damaged. By 11:30 a.m., the problem had been repaired, but the spokesman noted it could take time for all customers’ systems to “reset and restore.” Source:

61. July 19, WJAR 10 Providence – (Rhode Island) Portsmouth police phones back online. Portsmouth, Rhode Island police said business lines are up and running again. Phones went down at about noon July 19 after a lightning strike to one of the towers in town. 911 service remained available during the outage. Police reported minimal confusion during the two- to three-hour outage. Source: