Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, July 29, 2010

Complete DHS Daily Report for July 29, 2010

Daily Report

Top Stories

• A report to Wisconsin environmental officials said more than 2 billion gallons of untreated sewage and stormwater were dumped into Lake Michigan and Milwaukee area rivers during the recent storms, according to The Associated Press. (See item 37)

37. July 28, Associated Press – (Wisconsin; Michigan) 2 billion gallons of sewage dumped in Wis. storm. A report to Wisconsin environmental officials said more than 2 billion gallons of untreated sewage and stormwater were dumped into Lake Michigan and Milwaukee area rivers during the recent storms. The Milwaukee Metropolitan Sewerage District’s report to the state department of natural resources said that the amount is more than four times the capacity of its deep tunnel storage system. The release into area waterways still wasn’t enough to prevent sewers from backing up into thousands of homes, in addition to property damage caused by above ground flooding. The Journal Sentinel reports area sewage treatment plants handled more than 3.2 million gallons of wastewater from the July 22 storm. Source:

• CNN reports that Kern County, California was under a state of emergency July 28 as a result of spreading wildfires that have destroyed 25 homes, caused more than 2,300 people to evacuate and burned 15,000 acres. (See item 62)

62. July 28, CNN – (California) Wildfires spark state of emergency in California county. Kern County, California was under a state of emergency July 28 as a result of spreading wildfires that have destroyed 25 homes, caused more than 2,300 people to evacuate and burned 15,000 acres. The afternoon of July 27, firefighters were called to a new wildfire southeast of Tehachapi. Later that night the fire had grown, threatening 150 structures, authorities reported. Fire crews battled through the night with aircraft, fire engines, and bulldozers. Crews worked throughout the night protecting homes and trying to contain the blaze. An evacuation center was set up at the old junior high school nearby for evacuees and their pets. Animal control was taking large animals, authorities said. In addition, more than 1,000 firefighters continued to battle a blaze July 28 in California’s Sequoia National Forest, north of Tehachapi. As of July 27, that fire had spread across roughly 6,000 acres, a U.S. Bureau of Land Management spokeswoman said. The bureau is working with the U.S. Forest Service and the Kern County Fire Department to fight the blaze. Kern County is approximately 130 miles north of Los Angeles. Source:


Banking and Finance Sector

20. July 28, The Register – (International) Russian gang uses botnets to automate check counterfeiting. The director of malware research for Atlanta-based SecureWorks has uncovered a sophisticated check-counterfeiting ring that uses compromised computers to steal and print millions of dollars’ worth of bogus invoices, and then recruits money mules to cash them. The highly automated scheme starts by infiltrating online check archiving and verification services that store huge numbers of previously cashed checks. It then scrapes online job sites for e-mail addresses of people looking for work and sends personalized messages offering jobs performing financial transactions for an international company. The scammers then use stolen credit-card data to ship near-exact replicas of checks to those who respond. The director was able to track the operation by infecting a lab computer and observing its interactions with command-and-control channels. A database file the criminals carelessly exposed showed 3,285 checks had been printed since June of 2009 and 2,884 job seekers had responded to the employment offer. Assuming each check was written in amounts of $2,800, a threshold sum that brings increased scrutiny to transactions, the director estimates the checks were valued at about $9 million. Source:

21. July 28, – (National) Most breaches caused by crime gangs. Organized crime was responsible for 85 percent of all stolen data in 2009. And stolen credentials were the most common way to gain unauthorized access into organizations. These are among the headlines of the 2010 Verizon Data Breach Investigations Report, just released by Verizon Business. Conducted for the first time in collaboration with the U.S. Secret Service, this year’s report takes a broader look at the types and causes of data breaches. The latest report finds 2009’s breaches of electronic records involved more insider threats, greater use of social engineering, and the persistent, troubling trend of organized crime involvement. Of the 143 million records breached in 2009, 85 percent of them were attributed to financial service incidents. Data breaches caused by insiders add up to 48 percent of all breaches investigated — an increase of 26 percent over 2008. Conversely, breaches caused by external sources were down slightly to 70 percent, dropping from 2008’s 79 percent. The CEO of ID Experts, a data breach response provider, said the latest report mirrors his own group’s finding — particularly an increase in “hybrid attacks” where external organized cybercriminals work with insiders to implement an effective breach. Source:

22. July 27, KRCG 13 Columbia – (Missouri) Phishing scam targets River Region Credit Union. River Region Credit Union in Jefferson City, Missouri is the target of a cell-phone phishing scam. The calls started July 27. “We started to receive phone calls from area residents, reporting that they have been receiving phone calls, asking for card information,” River Region Credit Union’s president said. The recorded message tells the person that their River Region debit card has been deactivated. Then, it asks the person to enter in their card number. The phishing scam called AT&T Wireless customers. An AT&T representative did not say how the scammers got the phone numbers, but said that they were investigating. River Region said the scammers did not get the phone numbers from them. The credit union said customers’ information has not been breached unless someone entered in their card number when they got the call. All banks have said they will never ask for personal information over the phone. Source:

23. July 27, Gainesville Sun – (Florida) Area credit card skimmers may be part of statewide theft ring. Law enforcement officials said a dozen credit-card skimming devices have been found this month at Gainesville, Florida area gas stations along with other devices found at St. Johns and Flagler County stations, in what appears to be a statewide theft ring. Some stolen card numbers are being used to buy Walmart cards in Miami, investigators have said. Gainesville police said at least 25 people in Gainesville have been victims. Officials said someone using a universal key, which fits almost any gas pump in the country, is opening the pump faces and within a few minutes installing the device, which is undetectable to someone slipping their credit or debit card into the machine on the outside. The device consists of a skimmer attached to the pump’s card reader, a small hard drive to store the credit card numbers and a Bluetooth wireless device that can be accessed remotely to retrieve the data. Investigators downloaded data from one device found earlier this month in Gainesville and found it had stored 500 card numbers. Source:

Information Technology

51. July 28, SC Magazine – (International) Twitter and Google are riddled with malicious links. Almost three quarters of Twitter’s 100 million accounts are unused or responsible for delivering malicious links. The 2010 mid-year security report from Barracuda Labs analyzed more than 25 million Twitter accounts, both legitimate and malicious, and found that true Twitter users (a user that has at least 10 followers, follows at least 10 people, and has tweeted at least 10 times) tweet more often, and that as casual users become more active, malicious activity increases. Only 28.87 percent of Twitter users are “true Twitter users,” and the Twitter crime rate — the percentage of accounts created per month that were eventually suspended for malicious or suspicious activity, or otherwise misused — for the first half of 2010 was 1.67 percent. Of the four most popular online services examined (Google, Bing, Twitter, and Yahoo), Google distributed the most malicious links, with 69 percent of its results poisoned when searches on popular trending topics were performed. The analysis reviewed more than 25,000 trending topics and nearly 5.5 million search results. Source:

52. July 28, Computerworld – (International) Google patches Chrome, sidesteps Windows kernel bug. On July 26, Google patched five vulnerabilities in Chrome by issuing a new “stable” build of the browser. The update to Chrome 5.0.375.125 fixed three flaws rated “high,” Google’s second-most-serious threat rating, as well as one pegged “medium” and another labeled “low” in Google’s four-step scoring system. Danish vulnerability tracker Secunia judged the cumulative update as “highly critical” using its own ranking. As per Google’s usual practice, technical details of the vulnerabilities were hidden from public view to prevent attackers from leveraging the information before most users have upgraded. According to a blog post by a member of the Chrome team, Google also added what he called “workarounds” to Chrome for a pair of critical vulnerabilities not in the browser’s code, but in external components or software. He did not provide any additional information on the workarounds other than to point a finger at the Windows kernel and “glibc,” or the GNU C Library, a collection of C programming language files and routines that’s a critical component of most Linux operating system kernels. Source:

53. July 28, IDG News Services – (International) Three arrested in connection with Mariposa botnet. Slovenian police have arrested three men in connection with the massive Mariposa botnet that was disabled late last year. A 23-year-old man was arrested in Maribor, Slovenia, about 10 days ago. He has been released but is expected to be charged with computer-related crimes. The U.S. FBI confirmed the arrest July 28. Two others were also arrested. Millions of computers worldwide were infected with the Mariposa botnet code, which allowed hackers to siphon information from those machines and launch denial-of-service attacks against others. The FBI director said in March that Mariposa had infected the computers of Fortune 1000 companies and major banks. Mariposa’s authors changed the botnet’s code as frequently as every 48 hours in order to go undetected by security software. Source:

54. July 28, Help Net Security – (International) Critical ToolTalk Database Server Parser vulnerability discovered. Check Point announced that its IPS Research team has recently discovered a critical vulnerability in a function of the ToolTalk Database Server Parser that can enable a remote attacker to potentially inject and execute arbitrary code on the affected system. The vulnerability is in the RPC-based ToolTalk database server that creates and manages database files, and it affects all system users with IBM AIX Version 6.1.3 and lower, Sun Solaris 10 Sparc/x86 and lower, as well as HP HP-UX 11.0 and lower. The vulnerability was discovered and responsibly disclosed to vendors by the IPS Research team. Check Point recommends applying the latest vendor patches and getting immediate protection by applying the latest IPS update. Source:

55. July 28, Help Net Security – (International) Critical vulnerability in Apple QuickTime. A highly critical vulnerability affects the latest version of Apple QuickTime Player for Windows. “The vulnerability is caused due to a boundary error in QuickTimeStreaming.qtx when constructing a string to write to a debug log file,” said a Secunia researcher. “This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into viewing a specially crafted web page that references a SMIL file containing an overly long URL.” If the flaw is successfully exploited, arbitrary code can be executed by the attacker, and the system can be compromised. So far, the vulnerability is confirmed to affect only the latest version of the software (7.6.6) for Windows, which was released March 30. Source:

Communications Sector

56. July 28, Honolulu Star-Advertiser – (Hawaii) Severed deep-sea cable disrupts service. At about 1:10 a.m. July 27, Oceanic Time Warner Cable in Hawaii started seeing disruptions. It was later discovered that part of a fiber-optic cable was severed about 30 miles off Kihei, Maui. The damaged cable is 3,000 feet under the sea, and 400,000 customers were affected. Most, if not all, Internet service was restored by the afternoon. TV service on Maui and the Big Island was the last to be restored because of the cut’s proximity to both islands. Oceanic Time Warner is among 144 Maui firms that rent bandwidth from that section of the cable. When the cable was cut, Internet protocol traffic no longer had a known route back to the mainland. Oceanic crews had to reroute connections through alternate cables connecting the islands. Oahu and Kauai services were restored by 8 a.m. July 27. Maui and Big Island services were restored by the afternoon. It was not immediately known how the cable was cut. Initial indications seem to point to the possibility that water may have seeped into the cable. Source:

57. July 27, Philadelphia Inquirer – (Pennsylvania) WHYY-FM off air during morning rush. Maintenance work on an antenna apparently knocked WHYY-FM in Pennsylvania off the air July 27 for about three hours longer than planned. Radio listeners were unable to listen to the BBC’s “World Update” or NPR’s “Morning Edition” on 90.9 early July 27. In a note on its Web site, the station advised that it might be off the air between 11:30 p.m. July 26 and 5 a.m. July 27 for maintenance work at the Roxborough antenna farm. Broadcasting resumed on the FM dial at 8 a.m. WHYY continued broadcasting online during the signal outage. Source:

58. July 27, NextGov – (National) FCC plan to support emergency communications relies on unproven technology. A proposal to auction 10 megahertz of broadband spectrum to commercial organizations, rather than dedicating the spectrum exclusively for public safety communications, relies on unproven technology to provide first responders priority access, a Homeland Security Department official told Congress July 27. The Federal Communications Commission’s (FCC) National Broadband Plan, released in March, includes a proposal to auction the 10 megahertz of spectrum known as D-Block to commercial interests, providing public safety organizations priority access in emergency events with next-generation wireless broadband technologies that — while unproven — promise to increase the capacity and speed of mobile telephone networks. “The technology being recommended by the FCC provides great opportunity,” said the assistant secretary of the Office of Cybersecurity and Communications at DHS during testimony before the House Subcommittee on Emergency Communications, Preparedness and Response. “It’s not absolutely clear what [this technology] is capable of.” Homeland Security would support FCC’s plan for the auction if the technical and legal frameworks were properly evaluated, and the technology’s capacity and capability were understood to meet public safety requirements, he added. Many public safety organizations oppose the proposal to auction the D-Block spectrum to commercial interests, instead supporting a bill that would dedicate the spectrum to public safety. Source: