Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, August 12, 2010

Complete DHS Daily Report for August 12, 2010

Daily Report

Top Stories

• WJW 8 Cleveland reports that a fire at United Initiators in Elyria, Ohio nearly forced some evacuations August 10. Elyria’s fire chief says the warm weather may have triggered the fire in one of four skimming pools outside the chemical plant. (See item 6)

6. August 10, WJW 8 Cleveland – (Ohio) Heat blamed for Elyria chemical plant fire. A fire at United Initiators, a chemical plant in Elyria, Ohio, nearly forced some evacuations the afternoon of August 10. Employees at the organic peroxide production facility work with the chemicals and other ingredients that are used to manufacture plastics. Elyria’s fire chief says the warm weather may have triggered the fire in one of four skimming pools outside of the Garden Street plant. The pools hold chemicals and send excess water to the city treatment facility but investigators say nothing leaked into the sewer system. “We had the wastewater department out here, and they tested all the city sewer lines and there were no kinds of contaminants that got into the sewer systems or anything like that,” the fire chief said. At one point, 31 firefighters responded at the scene but no one was injured. The plant employs 59 people and was operational later that evening. Source: http://www.fox8.com/news/wjw-elyria-chemical-plant-fire-txt,0,5185732.story

• The Atlanta Journal-Constitution reports that three north Georgia soldiers accused of throwing military explosives August 8 at a crowd gathered in a Dawsonville grocery store parking lot face numerous charges, including domestic terrorism. Army investigators are standing by to help the Dawson County, Georgia Sheriff investigate the case against the soldiers. (See item 33)

33. August 10, Atlanta Journal-Constitution – (Georgia) Soldiers accused of throwing explosives at crowd could face military charges, too. Three north Georgia soldiers accused of throwing military explosives at a crowd gathered in a Dawsonville grocery store parking lot face numerous criminal charges, including domestic terrorism, possession of an explosive device, 16 counts of aggravated assault, and two counts of first-degree cruelty to children. They were based at Camp Frank D. Merrill near Dahlonega. Army investigators are standing by to help the Dawson County Sheriff investigate the case against the soldiers, said an Army spokesman from Fort Benning. The enlisted men allegedly tossed two weapon simulators at the crowd. The devices contain no shrapnel, yet they are incendiary and pack an explosive punch that could cause injury, according to military experts. A Dawson County Sheriff’s lieutenant told the AJC that 911 operators received a call August 8 around 1:30 a.m. about two pipe bombs tossed from a Cadillac with three occupants at a Dawsonville parking lot. The Cadillac fled up Georgia 400, and deputies who heard the explosions caught up to it. The deputies found a dozen undetonated devices that had been thrown from the car. Police have not released a motive in the case, but the executive officer at Camp Merrill said, “Alcohol was involved.” Source: http://www.ajc.com/news/soldiers-accused-of-throwing-589283.html

Details

Banking and Finance Sector

18. August 11, The Register – (International) Zeus botnet raid on UK bank accounts under the spotlight. More details have emerged of how security researchers tracked down a Zeus-based botnet that raided more than $1m from 3,000 compromised UK online banking accounts. The vice president of technical strategy for M86 Security said hackers began the assault by loading compromised third-party sites with a battery of exploits designed to infect visiting PCs with variants of the Zeus banking Trojan. Phase one of the attack used the Eleonore Exploit Kit and the Phoenix Exploit Kit to load Zeus onto compromised machines through a battery of browser and application-based vulnerabilities and drive-by download attacks. The main attack revolved around the use of version 3 of Zeus to steal money from online bank accounts. The use of a different strain of Zeus means the M86 researchers are sure the attack is unrelated to an otherwise similar attack involving 100,000 compromised UK bank accounts that was the subject of an alert by transaction security firm Trusteer the week of August 2. After noticing a pattern of possible attack, M86 researchers deliberately infected a machine in order to identify a command-and-control server associated with the botnet, which was hosted in Moldova. They then used exploits to break into the poorly secured system, where they found logs recording the activity of compromised bank accounts. The researchers also found that the exploit pack used to seed the attack had claimed a much larger number of victims — as many as 300,000 machines. The vast majority were Windows boxes, but 4,000 Mac machines were also hit. The logs also revealed that 3,000 online banking accounts had been victimized between July 5 and August 4. Source: http://www.theregister.co.uk/2010/08/11/zeus_cyberscam_analysis/


19. August 11, KSLA 12 Shreveport – (Texas) Texarkana debit card scam. Texarkana, Texas, police are warning citizens about a debit card scam. The police department has been flooded with calls from people who say they received an automated phone call telling them their bank account had been compromised. During the call, citizens are asked to give personal information. Texarkana, Texas, police warn that this is a scam. Source: http://www.ksla.com/Global/story.asp?S=12960862


20. August 10, Arizona Republic – (Arizona) Mesa bank hit again by ‘Overtime Bandit’. A Valley robber dubbed the “Overtime Bandit” struck a Mesa bank for the second time in less than three months August 9, marking his fourth robbery. The robber, given the name because he strikes on weekends and at the end of work hours, has also stolen from two banks in Chandler, according to a statement from the FBI. He enters the bank, demands money and flees with help from an accomplice. Desert Schools Federal Credit Union, which has been robbed twice by the man, is offering up to $10,000 for information leading to his conviction. Source: http://www.azcentral.com/news/articles/2010/08/10/20100810mesa-overtime-bandit-abrk.html


21. August 10, KMGH 7 Denver – (Colorado) Waitress charged in ‘Skimming’ case. A waitress in Greeley is accused of swiping customers’ credit cards through a hand-held device that recorded the information. The 22-year-old suspect has been charged with possession of identity theft tools, a felony, according to the Weld County District Attorney’s Office. Prosecutors said that according to police reports, the owners of Ambrosia Asian Restaurant videotaped her swiping customer credit cards through a hand-held device. Source: http://www.thedenverchannel.com/news/24578308/detail.html


22. August 10, NBC Chicago – (Illinois) Bank robbery ends with suicide, bomb squad. An attempted bank robbery ended August 10 with a bomb disposal scene and a suicide on the West Side of Chicago. The armed thief attempted to hold up a teller at a Bank of America branch at 2545 West Devon Avenue at around 9:00 a.m. After receiving an undisclosed amount of money the thief fled, said an FBI spokeswoman in a statement. He got into a taxi cab that was waiting for him outside the bank. A police officer followed the cab westbound and pulled it over at Western north of Catalpa. As the officer approached the vehicle, the man allegedly fatally shot himself. Afterward, bomb squad agents dressed in full protective gear investigated a briefcase that the man left at the scene. Using a robotic assistant, agents detonated the briefcase as a precautionary measure, but no bomb was found inside. Source: http://www.nbcchicago.com/news/local-beat/Bank-Robber-Commits-Suicide-Leaves-Fake-Bomb-Behind-100361264.html


23. August 10, KCCI 8 Des Moines – (Iowa) FBI: Robber strikes 2 Iowa banks. Federal agents are hunting a bank robber who struck twice in Iowa August 9. The FBI said the robber hit banks in Ottumwa and Mount Pleasant. Agents said the first robbery happened at 9:43 a.m. at the Community First Credit Union in Ottumwa and the second happened at 1:55 p.m. at the Wayland State Bank in Mount Pleasant. Investigators said the man presented a note in both cases indicating he had a gun. The robber is described as being in his mid-20s, standing 5 feet 6 inches tall with a small build. Source: http://www.kcci.com/r/24572083/detail.html


Information Technology


51. August 11, SC Magazine – (International) Vulnerabilities in the Palm Pre and Android smartphones detailed that can see credentials stolen and conversations intercepted. Major vulnerabilities in the Palm Pre and Android smartphones have been detected that could allow data to be stolen. Research by MWR Labs has revealed a major flaw in the Palm Pre that would allow conversations to be intercepted, while a flaw in the Android operating system from version 2.0 onwards exists in the browser and allows login credentials and cookies to be harvested. A spokesperson demonstrated that sending a vCard to the Palm Pre allows an attacker to compromise the phone and intercept all audio close to the phone. They said that this is a completely focused attack that targets a specific user. The director at MWR Labs told SC Magazine that this represents industrial espionage and that if this were done over a carrier network it would be breaking the law. The Android flaw involves a login page that can be intercepted over a publicly shared wireless network. The spokesperson said that because the phone is configured to save passwords, any user who connects to a rogue Wi-Fi access point can have their credentials stolen. Source: http://www.scmagazineuk.com/vulnerabilities-in-the-palm-pre-and-android-smartphones-detailed-that-can-see-credentials-stolen-and-conversations-intercepted/article/176735/


52. August 11, Global Voices Advocacy – (International) China: ISP level Gmail phishing. Recently, there have been many reports from Chinese internet users saying that when they try to access their Gmail accounts, they are redirected to a URL, hxxp://124.117.227.201/web/gmail/, and asked to re-enter their password. On August 11, NTDTV.com disclosed that the URL is a phishing page for stealing users’ passwords. It is believed that local ISPs are involved in the phishing activities. The phishing website looks exactly like Gmail, but the server is in Urumqi. Moreover, some China Unicom users said that even when they had already logged in to their Gmail account, the ISP would ask them to “re-enter” their password. The page source shows that it is a phishing activity. The NTDTV.com report suggested that users check the login history of their Gmail account and change their password. In addition, they should check their filter settings to see whether any of their emails are being redirected to another email account. The report also said that the ISP-level phishing is intended to create a sense of insecurity among Gmail users in order to get them to stop using Google’s service. Source: http://advocacy.globalvoicesonline.org/2010/08/11/china-isp-level-gmail-phishing/


53. August 10, V3.co.uk – (International) Browser hijackers raking in millions. Criminal networks are making gangs millions of pounds a year through browser hijacker Trojans that redirect users to sponsored advertising, according to research from security vendor Trend Micro. In a blog post, the vendor explained that a criminal gang could generate several million pounds a year in profits with a network of around 150,000 bots just by hijacking search results. These botnets need constant feeding, as computers may get removed from them. In order to make up for these losses, Trend said that herders are “constantly infecting” new systems - tens of thousands of machines every day, in fact. In the case of one botnet, more than two million computers have been infected this year, and this is likely to double by the winter. The botnet criminal is a patient one, according to Trend, which said that, rather than make a quick buck, they prefer to wait until the botnet is fully formed and is able to harvest the most cash from victims. Typically, bot networks are made up of more than 100 servers spread across the world. Their bosses are cash rich and able to quickly scale up and take advantage of any criminal activities that come their way. Because of this, Trend said, the “collateral damage that their activities cause is huge”. Source: http://www.v3.co.uk/v3/news/2267936/trend-micro-warns-browser


54. August 10, IDG News Service – (International) Security researcher warns on UAE BlackBerry replacements. An offer of free smartphones may be a ruse for users in the United Arab Emirates to receive a handset loaded with spyware, a security researcher has warned, saying people who trade in their BlackBerry for a new smartphone should do a spyware check. The main mobile operator in the U.A.E. the week of August 2 offered some BlackBerry users a free replacement smartphone due to a government order to suspend BlackBerry data services. Etisalat was told by government regulators to suspend BlackBerry e-mail, Web browsing, instant messaging and social networking from October 11 until the services meet regulations. Although a deal with BlackBerry maker Research in Motion could forestall such an action, the mobile operator offered free replacement smartphones for BlackBerry devices. “Given the U.A.E.’s past actions, I would advise all recipients of the free phones to do a full wipe on them prior to using them,” said the director of security at Hermis Consultancy in Jakarta, Indonesia. He suggested that anyone receiving a new smartphone as part of Etisalat’s offer should try out spyware detection and clearing software from SMobile Systems, which makes security software for most major systems, including Android, BlackBerry, iPhone, Microsoft and Symbian. Source: http://www.computerworld.com/s/article/9180481/Security_researcher_warns_on_UAE_BlackBerry_replacements?taxonomyId=17


55. August 9, BBC – (International) Smartphone security put on test. BBC News has shown how straightforward it is to create a malicious application for a smartphone. Over a few weeks, the BBC put together a crude game for a smartphone that also spied on the owner of the handset. The application was built using standard parts from the software toolkits that developers use to create programs for handsets. This makes malicious applications hard to spot, say experts, because useful programs will use the same functions. While the vast majority of malicious programs are designed to attack Windows PCs, there is evidence that some hi-tech criminals are starting to turn their attention to smartphones. Booby-trapped applications for smartphones have been found online and in recent weeks Apple and Google have removed applications from their online stores over fears that they were malicious. The co-founder and technology head at security firm Veracode, which helped the BBC with its project, said smartphones were now at the point the PC was in 1999. At that time malicious programs were a nuisance. A decade on and they are big business, he said, with gangs of criminals churning out malware that tries to steal saleable information. Source: http://www.bbc.co.uk/news/technology-10912376


Communications Sector

56. August 11, IDG News Service – (International) Indian government to meet operators over the BlackBerry. Indian government officials plan to meet August 12 with mobile operators to discuss access to BlackBerry data, according to informed sources. A Home Ministry spokesman confirmed that the home secretary would be meeting with operators, but said he did not know whether a ban or shutdown of Research in Motion’s (RIM) BlackBerry service is being considered. Analysts say the meeting will be an opportunity for the Indian government to press service providers to give security agencies the right to intercept communications, including BlackBerry services, under certain circumstances according to licensing rules. RIM’s India spokesman said he was not aware of the meeting or whether his company’s executives had been invited to attend. India and RIM have clashed over the BlackBerry before. In 2008, India demanded the right to intercept BlackBerry communications. Indian security agencies wanted to monitor BlackBerry communications, as they believed terrorists were increasingly using mobile and online technologies to plan their attacks. RIM’s BlackBerry service has come under scrutiny from a number of countries, including Saudi Arabia, which threatened to discontinue the service the week of August 2. The kingdom said August 10 that it was allowing the BlackBerry Messenger service to continue after RIM agreed to provide access to servers located in the country, a source said. The United Arab Emirates has also threatened to discontinue the BlackBerry service in the country from October 11, citing security reasons. Source: http://www.computerworld.com/s/article/9180563/Indian_government_to_meet_operators_over_the_BlackBerry


57. August 11, IDG News Service – (International) Demand Media a home to badware, researchers say. As Demand Media gears up for its initial public offering, anti-spam advocates and online crime fighters say that the company needs to clean up its act. In a report released August 10, HostExploit, a volunteer badware-tracking group, found that Demand Media’s Internet service provider (ISP) business is hosting an abnormally large number of malicious Web pages, and far too many of the command-and-control servers that are used to send directions to hacked computers. In fact, HostExploit currently ranks Demand Media as the worst ISP in the world, a ranking that is based on how the ISP is used to distribute spam and malicious software. Demand Media is best known as the operator of low-cost Web sites such as eHow, LiveStrong.com, and Cracked. But it also runs the world’s second-largest domain name registration business, and sells Web hosting services too, through brands such as eNom. Like all service providers, Demand Media has to deal with scammers abusing its network. The criminals register domains or rent servers to host their scam Web sites — often doing this through other companies that resell Demand Media’s services. The criminals will hack legitimate customers and use their servers, too. For ISPs, staying on top of this fraud is just part of the business, but some companies pull this off better than others. Over the past year, Demand Media has had a hard time keeping up with the criminals, cybercrime watchers said. Source: http://www.computerworld.com/s/article/9180560/Demand_Media_a_home_to_badware_researchers_say


58. August 10, WMBB 13 Panama City – (Florida) Phones, Web site down at Bay District Schools. Phones at most Bay District Schools in Florida were out August 10, according to a spokesperson. The district’s Web site was also down. The problem is on the provider end of the system that runs the phone and Internet service in the schools. In addition, the district is still researching how widespread the outages are. Anyone trying to reach an individual school or the district office is encouraged to continue trying, and the district apologizes for the inconvenience. Schools will open as scheduled August 11. Source: http://www.panhandleparade.com/index.php/mbb/article/phones_website_down_at_bay_district_schools/mbb7725226/


59. August 10, Computerworld – (National) FTC reminder: Skip cell phone numbers on ‘Do Not Call’ list. Viral e-mails urging cell-phone users to hurry up and register with a government “Do Not Call” list to avoid advertising spam are still circulating five years after federal officials first told consumers they could basically ignore the message. The Federal Trade Commission in July once again issued a consumer alert noting that people do not need to register a cell phone or wireless phone number on the National Do Not Call Registry despite viral e-mail messages suggesting otherwise. The alert notes that people may place their cell phone numbers on the registry, but it also notes that federal regulations already prohibit most telemarketing targeted to cell phones. Similar information is listed at the top of the FTC’s Do Not Call information page. Some telemarketing to cell phones has been conducted in violation of federal regulations, and the FTC Web site includes notices of actions the agency has taken over the years against violators, who rely on automated dialers to reach cell phones. Despite what the viral e-mails say, the government is not releasing cell phone numbers to telemarketers, according to the latest FTC alert, and there is no deadline for registering a cell phone number on the Do Not Call Registry. The alert notes that Federal Communications Commission regulations prohibit telemarketers from using automated dialers to call cell phones. Source: http://www.computerworld.com/s/article/9180503/FTC_reminder_Skip_cell_phone_numbers_on_Do_Not_Call_list


60. August 10, Washington Post – (National) 4chan users seize Internet’s power for mass disruptions. Corporations spend millions of dollars trying to understand and control traffic on the Internet, and more often than not they don’t succeed. 4chan has mastered the feat for free. Created seven years ago by a 15-year-old, 4chan is a vast web of anonymous, uncensored message boards. No one is in charge, but the site’s users have managed to pull off some of the highest-profile collective actions in the history of the Internet. The June 17 takeover of Google Trends, the powerful tool that companies use to track what’s hot on the Internet, was not the first time 4chan succeeded in outwitting Google. The site’s users have also managed to get a swastika, symbols depicting planes crashing into the World Trade Center and the words “[expletive] you google” on the trends list. Trying to game Google to make a search popular is not illegal, but some of the other pranks have brought inquiries by the Securities and Exchange Commission, the Department of Homeland Security and the FBI. Source: http://www.washingtonpost.com/wp-dyn/content/article/2010/08/09/AR2010080906102.html


61. August 10, Computer Weekly – (International) DNSSEC not a panacea for cybercrime, but a step in the right direction. The global roll-out in mid-July of technology aimed at making the internet safer was billed as a decisive blow against cyber criminals, but has it made a difference? Not really, according to security firms monitoring malware and infections of legitimate websites. The problem is that the Domain Name System Security Extensions (DNSSEC), now enabled across the world’s 13 root name servers, tackle only a small subset of threats. DNSSEC protects very well against forged DNS data using public cryptographic keys and will block man-in-the-middle attacks by verifying that internet users are connected to a legitimate site and not a fake set up to steal personal information. Although this solves a serious problem, the vast majority of malware attacks come via legitimate websites that have been compromised, against which DNSSEC is powerless, says the senior technologist at security firm Sophos. “Legitimate web pages are still being compromised at the rate of one every two seconds, and over 80 [percent] of those tend to be legitimate web pages,” he says. Most malware infections continue because the problem lies more at the application and content level than in the fundamental infrastructure of the internet. Source: http://www.computerweekly.com/Articles/2010/08/10/242324/DNSSEC-not-a-panacea-for-cybercrime-but-a-step-in-the-right.htm