Department of Homeland Security Daily Open Source Infrastructure Report

Friday, July 23, 2010

Complete DHS Daily Report for July 23, 2010

Daily Report

Top Stories

• Five states sued the federal government and Chicago’s water authority July 19 seeking emergency action to block Asian carp from entering the Great Lakes, according to Reuters. Environmentalists said the invasive fish could devastate salmon and native fish, while regional officials fear the voracious species could destroy the region’s $7-billion fishery industry.

34. July 19, Reuters – (National) Five states file suit to block Asian carp. Michigan, Wisconsin, Minnesota, Pennsylvania, and Ohio sued the federal government and Chicago’s water authority July 19 seeking emergency action to block Asian carp from entering the Great Lakes. The action followed three previous attempts at court action, all of which were rejected by the U.S. Supreme Court. The suit, filed in federal court in Chicago, seeks a court order to force the U.S. Army Corps of Engineers to use nets or other barriers to block carp on the Little Calumet River, which connects to Lake Michigan. The states also want to close Chicago shipping locks temporarily, and to order a study of whether the Great Lakes can be separated from the Mississippi River to block carp. Environmentalists said the invasive fish could devastate salmon and native fish if they are allowed to take hold in the Great Lakes, while regional officials fear the voracious species could destroy the Great Lakes’ $7 billion fishery industry. Last month, a 20-pound Asian carp was fished out of a waterway close to the Great Lakes in Lake Calumet, beyond a pair of electric barriers designed to keep the fish out. Asian carp, which have proliferated in the Mississippi River basin, can grow to 100 pounds, and boaters report frequent collisions and injuries from fish jumping from the water. Source:

• Computerworld reports that hundreds of people in the information security, military and intelligence fields shared personal information and documents with a fictitious Navy cyberthreat analyst named “Robin Sage” created by a security researcher to illustrate the risks of social networking. See item 41 in the Information Technology Sector below.

Banking and Finance Sector

18. July 22, Computerworld – (Georgia) Corporate ID theft hits Georgia businesses. Just days after Colorado officials warned businesses about scammers who are forging corporate identities to commit financial fraud, an official in Georgia said the same thing has been happening there. As in Colorado, scammers took advantage of a loosely protected online-registration system at the secretary of state’s office to alter and use business registration data to open fraudulent lines of credit and merchant accounts. The Duluth Police Department has so far prosecuted two such cases, in which the loss to banks and financial institutions has been more than $6 million, said a detective with the department’s criminal investigations division. Both cases involved individuals associated with the music industry, and both include numerous conspirators, though only the main players have been targeted, the detective said. One of the cases is currently under federal indictment and involves the owner of a music-production business who is believed to have orchestrated more than $5 million in fraudulent transactions, affecting several financial institutions including American Express and SunTrust Bank. In all, the individual and his group of more than 100 people are believed to have misused the identities of about 3,900 individuals and businesses. The other case involves a 90s-era singer who recently served a year in prison on identity-theft charges. He is believed to have stolen and used the identities of 149 individuals and about 200 companies to make fraudulent transactions totaling more than $1.2 million. Source:

19. July 22, Chicago Tribune – (Illinois) Gunman makes terror threat, robs downtown office. According to police, a gunman threatened to detonate a car bomb and claimed links to al-Qaida while robbing an American Express office on the Magnificent Mile in Chicago July 21. A man approached an employee in the American Express travel service office at 605 N. Michigan Ave., at first trying to buy euros and then showing her a gun in his waistband as he demanded money, said the Near North District captain. The man told the woman he was a member of al-Qaida, pointed to a vehicle across the street, and claimed there was a bomb in the car and that he could detonate it with his cell phone. The man, described as 6 feet tall, 200 pounds and possibly of Middle Eastern descent, went on to instruct all the office employees that they had three minutes to hand over all the money they had. Police believed the robber made off with 15,000 euros in addition to other currency. He fled the scene on foot, heading south on St. Clair Street, according to the police captain. No one was hurt. When police arrived, the vehicle carrying the alleged bomb was gone. The man had spent several hours in the office July 20, employees told police. He had tried to obtain euros but was unable to because the office did not have a sufficient amount, the spokesman said. The man told the employees that they had better have plenty of euros on hand when he returned. Source:

20. July 21, BBC – (National) Obama signs sweeping U.S. financial reform into law. The U.S. President signed into law July 21 the biggest overhaul of American financial regulation in decades. The President said the law will ensure “that everyone follows the same set of rules, so that firms compete on price and quality, not tricks and traps”. The law is a major victory for the President and the Democrats, who passed it with little Republican support after months of political wrangling. The law tightens mortgage and consumer-lending rules, improves disclosure for student borrowers and average investors, and establishes a new consumer protection agency, among other provisions. Almost every Congressional Republican opposed the bill, saying its new regulations would prove burdensome to businesses trying to create jobs. Several provisions are intended to eliminate government bailouts by dealing with an issue known as “too big to fail”, where a financial firm cannot be allowed to collapse because of the wider damage it would do. There are provisions to enable regulators to shut down a failing large firm in an orderly manner, and others intended to curtail such firms’ size in the first place. Source:

21. July 21, Associated Press – (New York) NY ex-bank computer tech gets prison in $1M scam. A computer technician who used a three-month job at a New York bank as a launching pad for almost a decade of theft from charities has been sentenced to 5 to 15 years in prison. The suspect told a judge July 21 he felt “shame, guilt and remorse” for his scheme. He admitted last month to stealing 2,000 bank employees’ identities in 2001. He used their IDs for years to siphon about $1 million from charities that released banking information to ease donations. He transferred money from the charities’ accounts to accounts he’d opened under stolen identities. The suspect pleaded guilty to charges including grand larceny. The 27-year-old Nigerian immigrant will be deported after serving his sentence. The sentencing range reflects possible credit for good behavior. Source:

22. July 21, WHIO 7 Dayton – (Ohio) Local bank hit by phishing scam. Officials at Security National bank in Springfield, Ohio discovered July 21 the bank was the victim of an e-mail phishing scam. E-mails purporting to be from the bank were sent to customers and non-customers, offering a $50 deposit to a checking account in return for taking a survey. Respondents were asked to give credit card numbers and 3-digit identification codes, which the scammers could then use for fraudulent credit card activity. Security’s senior vice-president of retail banking said the e-mails were not issued by Security, and the bank would never ask for that kind of information over the Internet. The bank was alerted by several customers who were suspicious of the e-mail. It was not possible for the bank to reach all recipients since there is no way to locate everyone who received the message. Security is working to find out as much information as possible about the scammers and has reported the issue to the FBI. Source:

23. July 20, Associated Press – (International) Italy makes arrests in anti-hackers probe. Italian police say they have arrested 12 people and broken up a ring of hackers that allegedly used cloned credit cards for purchases and scams online. Police said July 20 the suspects were arrested in Rome and other cities. Another seven people were in custody but not behind bars. Police said it is one of the largest such operations in Italy, and includes another 23 suspects arrested in May. The suspects are accused of working with criminal groups in Russia and Ukraine. According to police, the suspects would buy cloned cards and codes on encrypted chats and would then use the cards to buy luxury goods and high-tech products, which they would sell on the black market. They lured customers through fake Internet sites, some offering vacation homes. Source:

Information Technology

48. July 22, SC Magazine – (International) Spam with shortened URLs accounts for 18 percent of all spam sent. One Web site visit is generated for every 74,000 spam e-mails containing a shortened URL link. According to the Symantec MessageLabs Intelligence Report for July, the most frequently visited shortened links from spam received more than 63,000 Web site visits. A MessageLabs Intelligence senior analyst at Symantec Hosted Services told SC Magazine that spammers are generally getting a click-through rate of a tenth of one percent. Elsewhere, the report revealed a significant increase in the percentage of spam containing shortened hyperlinks over the last year. Spam containing shortened hyperlinks hit a one-day peak of 18 percent, or 23.4 billion spam e-mails, on April 30. This doubled last year’s peak levels, when spam with shortened hyperlinks accounted for 9.3 percent of spam, with a one-day peak of more than 10 billion spam e-mails July 28, 2009. Further analysis of spam containing shortened URLs revealed that the Storm botnet, which returned to the threat landscape in May this year, is responsible for the greatest volume of botnet spam containing short hyperlinks, accounting for 11.8 percent of all spam containing shortened hyperlinks. A large proportion of short URL spam in this quarter also originates from other sources, including unidentified botnets. Source:

49. July 22, The New New Internet – (International) Botnet malware writers arrested in Slovenia. Slovenian police have arrested four suspects amid allegations that the four developed the Mariposa botnet malware. The arrests come on the heels of a joint investigation between Slovenian police and the FBI. Earlier this year, three suspects were arrested in Spain and were charged with distributing the malware. According to STA, a Slovenian news agency, the four suspects are thought to have developed the malware used by the Spaniards. Investigators said the Mariposa botnet may have infected up to 12.7 million PCs around the globe. During the arrests in Spain, police found the banking information of around 800,000 people. Source:

50. July 22, Help Net Security – (International) 1.2 million infected by Eleonore exploits toolkit. AVG’s Web security research team has discovered a network of 1.2 million malware-infected computers controlled by cybercriminals who were using the Eleonore exploit toolkit, commercial attack software enabling cybercriminals to infect and monitor compromised PCs. The two-month-long study by AVG Research reviewed 165 Eleonore toolkits in use by cybercriminals and concluded that those using the Eleonore exploit toolkit were experiencing a 10 percent success rate in infecting the more than 12 million users visiting their compromised Web pages. All 165 domains, which the cybercriminals had compromised, experienced high volumes of traffic. The research was built using AVG LinkScanner product data, identifying URLs that the product blocked when it identified a threat. Source:

51. July 21, Computerworld – (International) Microsoft warns of Windows shortcut drive-by attacks. Microsoft said July 21 that hackers could exploit the unpatched Windows shortcut vulnerability using drive-by download attacks that would trigger an infection when people simply surf to a malicious Web site. A noted vulnerability researcher confirmed July 21 that such attacks are possible. In the revised security advisory published July 20, Microsoft acknowledged the new attack vector. “An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location,” the company said. “When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked.” That language was a change from earlier statements by Microsoft, which had said that attackers could hijack Windows PCs by setting up a remote network share, a much more complicated task than building a malware-spreading Web site. In the earlier advisory, Microsoft also said that “the malicious binary may be invoked”; the most recent warning instead said “the malicious binary will be invoked” [emphasis added in both cases]. Source:

52. July 21, IDG News Services – (International) Update: Dell warns of malware on server motherboards. Dell is warning customers that “a small number” of its server motherboards may contain malicious software. “The potential issue involves a small number of PowerEdge server motherboards sent out through service dispatches that may contain malware,” according to a post on a Dell support forum. “This malware code has been detected on the embedded server management firmware.” The malware issue affects a limited number of replacement motherboards in four servers, the PowerEdge R310, PowerEdge R410, PowerEdge R510 and PowerEdge T410 models, the vice president and general manager of server platforms at Dell wrote in an e-mail. Source:

53. July 21, Sophos – (International) Malicious shortcuts: now documents and webpages are risky too. There is more bad news for those troubled by the Microsoft zero-day vulnerability that allows a Windows shortcut link, known as an .LNK file, to run malicious code whenever Windows displays its icon. The shortcut exploit is well known to be capable of spreading via USB sticks, network shares and remote WebDAV shares. But the latest version of Microsoft’s security advisory on the subject also warns that a malicious shortcut file can be embedded on a Web site (meaning users who visit the page via Internet Explorer could be infected) or hidden inside documents. It has also become apparent that .PIF files, as well as .LNK files, can be exploited through the vulnerability. Source:

54. July 21, The Register – (International) 38 states grill Google on three-year Wi-Fi slurp. A coalition of 38 U.S. states has called on Google to explain in detail how Wi-Fi-sniffing software that surreptitiously collected data over wireless networks was included in its fleet of Street View cars. “We are asking Google to identify specific individuals responsible for the snooping code and how Google was unaware that this code allowed the Street View cars to collect data broadcast over Wi-Fi networks,” the attorney general of Connecticut said in a statement issued July 21. “Information we are awaiting includes how the spy software was included in Google’s Street View network and specific locations where unauthorized data collection occurred.” The attorney general of Connecticut said 38 states and the District of Columbia have formally joined the probe into the Street View sniffing debacle, which collected snippets of traffic traveling over open Wi-Fi networks in more than 30 countries over a three-year period. In addition to Connecticut, Florida, Illinois, Kentucky, Massachusetts, Missouri, and Texas are on the coalition’s executive committee. The investigation aims to determine whether any laws were broken and whether legislation is needed to prevent similar episodes in the future. Source:

55. July 21, IDG News Service – (International) New ‘Kraken’ GSM-cracking software is released. On July 16, an open-source group released software that cracks the A5/1 encryption algorithm used by some GSM networks. Called Kraken, the software uses new, efficient encryption-cracking tables that allow it to break A5/1 encryption much faster than before. This is a key step toward eavesdropping on mobile phone conversations over GSM (Global System for Mobile Communications) networks. Since GSM networks are the backbone of 3G, they also provide attackers with an avenue into the new generation of handsets. As the software becomes more polished, it will make GSM call eavesdropping practical. “Our attack is so easy to carry out, and the cost of attack is lowered so significantly, that there is now a real danger of widespread intercepting of calls,” a developer with the A5/1 Security Project said. The developer and his co-developers haven’t put together all the components someone would need to listen in on a call — that would be illegal in some countries. Someone must still develop the radio-listening equipment needed to gain access to the GSM signal, but that type of technology is within reach. He said this could be done using an inexpensive mobile phone and a modified version of open-source software called OsmocomBB. Hackers could also use a more expensive Universal Software Radio Peripheral (USRP) device in conjunction with another program, called Airprobe. Source:

Communications Sector

56. July 22, Wilmington Star-News – (North Carolina; Georgia) AT&T phone service restored. AT&T said phone service has been restored to eastern North Carolina after many customers had trouble making or receiving calls July 21. A spokeswoman said in a statement early July 22 that the problem was an equipment issue that has been fixed. The company also responded July 21 to service outages in the Raleigh area and Atlanta, a spokesman said. Problems in the Atlanta area were fixed July 21. The Raleigh outages were connected to those in eastern North Carolina and have also been resolved. Source:

57. July 22, Virginia Gazette – (Virginia) Verizon outage cuts calls, Internet. Perhaps thousands of households and businesses were left without Verizon phone and Internet service July 20 when a utility contractor severed a main fiber optic line near Kingsmill, Virginia. Officials were especially concerned for 911 emergency calls. Customers began complaining around 1:30 p.m., according to a James City spokesman. The outage affected Verizon customers in all of Williamsburg, James City, and upper York. Cox customers seemed immune. Many people switched to using their cell phones, but those networks quickly jammed from traffic, the spokesman said. With neither phone nor Internet, James City officials scrambled to reroute 911 calls to the York-Williamsburg-Poquoson Dispatch Center, off Goodwin Neck Road in Yorktown. All three localities urged people to use their cell phones only for emergencies. Many local businesses were forced to turn customers away when they were unable to run credit and debit cards. Verizon said that there was an apparent fiber optic cable cut two and a half miles from Williamsburg. That was narrowed down to the Kingsmill area shortly after, and crews were on the scene working to restore at least temporary service, a Verizon spokesman said. Source:

58. July 21, KCRA 3 Sacramento – (California) Landlines out in part of Colusa County. Residents in the Stoneyford area of Colusa County, California are likely to be without landline phone service until July 24, the sheriff’s department said. The unscheduled outage happened late July 21. The sheriff’s department said people should use their cell phones to reach emergency services. The cause of the outage was not immediately known. Source:

59. July 21, WRAL 5 Raleigh – (North Carolina; Georgia; Tennessee) AT&T, Time Warner outages reported. AT&T customers began experiencing problems making and receiving phone calls at about 7 a.m. July 21 in North Carolina, Georgia, and Tennessee, a spokeswoman said. Crews were working to fix the problem, she said, but she could not provide specific information about the nature of the problem or where crews were trying to make repairs. AT&T did not have an estimate of when service would be restored. AT&T wireless customers in Raleigh, Carthage, Sanford, Goldsboro, Fayetteville, Wilson, and Durham, North Carolina said that they have been unable to make calls and receive voice-mail messages. It is unclear how many customers were affected. Meanwhile, some Time Warner Cable digital cable customers were unable to see some channels. A spokeswoman said a software problem caused some channels to go dark. Most customers had service restored by mid-afternoon, and the rest had service by 9:45 p.m., a spokesman said. There was no estimate of the number of customers affected. Source:

60. July 21, IDG News Service – (National) Rockefeller to push spectrum auction incentive bill. A U.S. Senator will introduce legislation allowing the Federal Communications Commission (FCC) to share auction proceeds with spectrum holders that voluntarily give up unused bandwidth, and will give police and fire departments additional spectrum for a nationwide wireless broadband network. The West Virginia Democrat and chairman of the Senate Commerce, Science and Transportation Committee, said July 21 he will introduce the Public Safety Spectrum and Wireless Innovation Act in coming days. The bill would allow the FCC to conduct incentive auctions and share the proceeds with current spectrum holders such as television stations, as outlined in the agency’s national broadband plan released in March, he said. The bill would also give emergency response agencies an additional 10MHz of spectrum for a nationwide wireless network. The 10MHz would likely come from the so-called D block in the 700MHz band of spectrum, which the FCC failed to sell in auctions that ended in March 2008. The FCC had hoped to sell the D block for a combined commercial and public-safety network, but the agency failed to receive the minimum bid it asked for. The FCC Chairman has called for the agency to re-auction the D block spectrum, but senior agency officials said July 21 they supported the proposed bill. Source: