Department of Homeland Security Daily Open Source Infrastructure Report

Monday, August 9, 2010

Top Stories

• The Dallas Morning News reports that postal inspectors and FBI agents are investigating six envelopes with white powder received August 5 by Dallas, Texas-area religious institutions, businesses, and Love Field. (See item 29)

29. August 6, Dallas Morning News – (Texas) Postal inspectors investigate mailing of white powder to Dallas-area businesses, churches. Postal inspectors and FBI agents are investigating six envelopes with white powder received August 5 by Dallas, Texas-area religious institutions, businesses and Love Field. A U.S. postal inspector said it was too early to determine whether the incidents were connected. Early tests determined that the substances were not hazardous. However, the envelopes were being sent to a laboratory for follow-up testing, which will take several days. After that they will be sent to postal inspectors for further investigation. St. Joseph Catholic Church and First Baptist Church of Richardson and a mosque in Richardson received the envelopes. Businesses in Irving and Grand Prairie also got envelopes, as did Love Field in Dallas. Source:

• Valley Meat Company, a Modesto, California establishment, is recalling approximately one million pounds of frozen ground beef patties and bulk ground beef products that may be contaminated with E. coli, the U.S. Food Safety and Inspection Service announced August 6. The products were distributed in California, Texas, Oregon, Arizona, and internationally. (See item 31)

31. August 6, U.S. Food Safety and Inspection Service – (National) California firm recalls frozen ground beef products due to possible E. coli contamination. Valley Meat Company, a Modesto, California establishment, is recalling approximately one million pounds of frozen ground beef patties and bulk ground beef products that may be contaminated with E. coli O157:H7, the U.S. Department of Agriculture’s Food Safety and Inspection Service (FSIS) announced August 6. FSIS became aware of the problem on July 15 when the agency was notified by the California Department of Public Health (CDPH) of a small E. coli O157:H7 cluster of illnesses with a rare strain as determined by PFGE subtyping. A total of six patients with illness onset dates between April 8 and June 18, 2010 were reported at that time. After further review, CDPH added another patient from February to the case count, bringing the count to seven. The products subject to recall bear the establishment number “EST. 8268” inside the USDA mark of inspection as well as a production code of 27509 through 01210. These products were produced between the dates of October 2, 2009 through January 12, 2010 and were distributed to retail outlets and institutional foodservice providers in California, Texas, Oregon, Arizona, and internationally. Source:


Banking and Finance Sector

17. August 6, Glendale News Press – (California) Officials investigate ATM tampering at La Crescenta bank. Los Angeles County, California, sheriff’s detectives are investigating a potential security breach at a Chase bank where a credit card skimmer was found on an ATM. Detectives are waiting to receive evidence, including surveillance tapes and a list of potential victims, from the Chase bank in La Crescenta to determine the scope of the July 24 incident. Detectives do not know whether any accounts were breached because they need those details from the bank. A resident who was going to use the bank about 6 p.m. July 24 noticed that a credit card skimmer had been placed on the ATM and called the sheriff’s station. Detectives were trying to determine whether the device was placed on the ATM the day before or the day it was discovered. Since the breach, no similar incidents have been reported to the sheriff’s station. Card skimmers on ATMs have become a common problem throughout the nation, said an executive director of the nonprofit Identity Theft Resource Center. Source:,0,6745237.story

18. August 6, KTVI 2 St. Louis – (Missouri) Another car, more cash found in ATM Solutions heist. There are new developments in the August 2 armored car heist. Just before midnight August 6, FBI agents found the car they had been looking for, and they found even more cash in the trunk. The car was towed from a storage facility near 270 and Lilac in North County and taken to the crime lab. Agents and St. Louis, Missouri police were also back at a home on Page Avenue August 5, where they had arrested a suspect August 4 and found $1.5 million in the trunk of his car. He is believed to be one of four men who stole millions from ATM Solutions. Source:,0,6307697.story

19. August 6, Insurance and Financial Advisor – (National) Pa., other securities regulators seeing fraud scheme ‘mutations’. Securities regulators in Pennsylvania and other states are warning investors to keep an eye out for “mutations of old schemes and themes” as con artists seek to profit from new federal financial reform legislation. Pennsylvania’s securities regulators joined with securities department leaders in other states, as part of the North American Securities Administrators Association, to issue their annual list of “Top 10 Investor Traps,” which are:
• Sale of exchange-traded funds to parties who are least able to withstand the risks involved.
• Bogus foreign exchange trading schemes masquerading as bona fide investments.
• Gold and precious metals deals that trap investors with high redemption costs or, worse, where investments are not backed by precious metal holdings.
• Green schemes where scammers exploit headlines, claiming secret processes to clean up the Gulf of Mexico oil spill or produce endless “clean” energy.
• Life settlement investments sold by unlicensed and unscrupulous operators who claim to be buying up beneficiary rights to life insurance policies which, in turn, are promised to yield substantial returns.
• Oil and gas schemes that play off current interest in Pennsylvania’s natural gas fields in the state’s Marcellus Shale formation.
• Affinity fraud, which abuses an investor’s membership or association with an identifiable group to create trust in questionable or shaky investments.
• Undisclosed conflicts of interest on the part of brokers or salespeople, which can result in individuals being steered to investments that do not represent their best interests.
• Private or special deals, which, while legal, can be more easily abused by salespeople because they are not subject to the same review as general securities offerings.
• “Off the books” deals that might be offered by salespeople separate and apart from a brokerage’s regular offerings; these may or may not be legal, but they definitely do not come with the oversight and support of a regular brokerage house.
Source:

20. August 5, IDG News Services – (National) Hackers find a new target in payroll processing. Criminals recently hacked into a desktop computer belonging to Regeneron Pharmaceuticals and tried to steal money by redirecting funds using Regeneron’s account on the company’s third-party payroll system, operated by Ceridian. The attack did not work, but it shows that criminals, who have been making millions of dollars by hacking into computers and initiating fraudulent bank transfers, may have found a new target. In some bank fraud cases, the scammers will add dozens of new payees to a company’s payroll and try to pay them off immediately. With the Regeneron hack, the hacker found nine employees who were receiving direct deposit payments and tried to redirect their payments to fraudulent accounts. “Regeneron immediately informed the nine affected employees and cancelled the fraudulent direct deposit accounts before any payroll funds were diverted,” said the vice president of human resources with Regeneron. “It appeared they didn’t know enough about what they were doing.” This type of payroll system attack may actually be more widespread than most people realize. Investigators know that hackers are somehow corrupting payroll files, used by banks to process employee payments. Companies like Ceridian prepare these files for their customers, so breaking into accounts operated by third-party payroll processors could be one way that this fraud is done. Source:

Information Technology

53. August 6, Virus Bulletin – (International) Firefox 4 crack spreads trojan. In a new malware campaign, users are told they can download a free crack of the Firefox 4 browser, only to find themselves infected with trojans. The lure of “free” has made many a user browse the more dodgy parts of the Internet, where crooks are eagerly waiting to infect their computers with malware. Cracked versions of commercial software more often than not contain malware and in many cases not even the real software itself. Users should be wary that cracked software is likely to contain unwanted extras. What makes this case interesting is that Firefox 4, the new version of the popular browser which was released as a beta last month, is available for free from Mozilla’s Web site; downloading a crack is thus totally pointless. It is not surprising that it is dangerous too, and researchers at Sunbelt found at least five different pieces of malware in the download. Source:

54. August 6, IDG News Service – (International) Zeus malware used pilfered digital certificate. Researchers at Trend Micro have found that a widespread piece of malware used a digital certificate from a competing security company’s product in an attempt to look legitimate. The malware is Zeus, a bot that is used to steal all kinds of data from computers and has proved to be a tricky application for security companies to detect. The version of Zeus detected by Trend Micro had a digital certificate belonging to Kaspersky’s Zbot product, which is designed to remove Zeus. The certificate, which is verified during a software installation to ensure a program is what it purports to be, had expired, however. Also, the malware’s hash value, a unique numerical identifier based on the source code for applications, was incorrect, as it had been derived from the Kaspersky tool, according to a blog post written by Trend Micro. Trend said it informed Kaspersky of the certificate issue. Experts at the security company Trusteer said security software suites are often able to detect only about 10 percent of the active Zeus variants circulating. Source:

55. August 6, – (International) Elcomsoft offers iPhone password cracker. A Russian company is offering a tool that it claims can crack the encrypted contents of an iPhone. Elcomsoft’s iPhone Password Breaker is pitched at forensic investigators, and can dig into the handset’s operating system and recover previously unavailable content, according to the firm. The content includes passwords for email accounts, Web sites, and third-party software, and can provide “valuable court evidence to investigators and forensic authorities”, Elcomsoft claimed. The password cracker works across a range of Apple devices running iOS4 or iPhone OS, including the iPad and iPod touch. Elcomsoft said that the Password Breaker uses dictionary attacks that work “near instantly” thanks to ATI and Nvidia video acceleration hardware. Source:

56. August 5, Computerworld – (International) Microsoft slates record-setting monster Patch Tuesday next week. Microsoft said today that it will deliver a record 14 security updates August 10 to patch a record-tying 34 vulnerabilities in Windows, Internet Explorer (IE), Office, and Silverlight. But people still running Windows XP Service Pack 2 (SP2) will receive only a few of those fixes. “Call it Massive Patch Tuesday,” said the CTO of security risk and compliance provider Qualys. “It’s a huge update, and more importantly, everybody’s involved.” Eight of the 14 updates were tagged with Microsoft’s “critical” label. The remaining six were marked “important,” the second-highest rating. The 14 updates are a record, beating the count from both February 2010 and October 2009 by one. Source:

57. August 5, Computerworld – (International) Adobe confirms PDF zero-day, plans rush patch. Adobe announced it would release a rush, or “out-of-band,” security update for the latest Reader zero-day during the week of August 16-20. Adobe issued its quarterly security updates for Reader and Acrobat August 3, and has previously shipped emergency fixes on that same day of the week. If the company continues the practice, it would most likely deliver the out-of-band patch on August 17. Adobe hinted that the out-of-band update will include fixes for numerous other vulnerabilities. The company also said it would still ship its next regularly scheduled quarterly update on October 12. The push to come up with a fix for the latest Reader zero-day will not affect work on the next major upgrade to the program, Adobe said. Reader 10, which should ship for Windows before the end of the year, is to include “sandboxing” technology to isolate malicious PDF documents. Source:

58. August 5, The Register – (International) Virus writer charged with destroying property. Japanese police have arrested a suspected virus writer over allegations that he created and distributed an old-school virus that destroyed data. The 27-year-old from Osaka allegedly created the “ika-tako” (squid-octopus) virus. The malware program, which targeted users of file-sharing networks, searched out and destroyed data files obtained from those networks and replaced them with a supposedly humorous icon of an octopus. The malware was created in July 2009 and subsequently seeded onto file-sharing networks, claiming an estimated 50,000 victims in the process. He told police he wanted to test his programming skills as well as punish file sharers, the Japan Times reports. The paper adds that he is believed to be the first person charged with destroying property by using a computer virus. Source:

Communications Sector

59. August 5, – (International) Employee misuse taking up a quarter of bandwidth. Symantec subsidiary MessageLabs said that, in some cases, companies are losing up to a quarter of available bandwidth because of employees’ personal use. The senior malware analyst at Symantec Hosted Services said in a blog post that the World Cup in particular highlighted the risk of a bandwidth crunch from increased use of streaming media. The company’s Web Security Service filtering tool recorded an 8.3 per cent jump in policy-based blocks on streaming media over the course of the tournament. Streaming requests peaked 23 June, when staff logged in to view the England v Slovenia and USA v Algeria matches during working hours. He estimated that a worker viewing a 90-minute football match through streaming HD video will pull as much as 2.1GB through an internet pipeline, resulting in a slowdown in network traffic and bandwidth ‘brown-outs’. “Part of the problem is that the internet is designed to continue operating even if links are busy or damaged; indeed that’s the whole point of it,” he said. “This means that you probably don’t notice if your emails take longer to deliver, web pages take longer to load and internet phone and video conferences are lower quality.” Source: