Department of Homeland Security Daily Open Source Infrastructure Report

Monday, August 16, 2010

Complete DHS Daily Report for August 16, 2010

Daily Report

Top Stories

• According to the St. Louis Post-Dispatch, police in Lake Saint Louis, Missouri said an apparent pipe bomb exploded August 12 at an electric substation operated by Cuivre River Electric Cooperative. (See item 4)

4. August 13, St. Louis Post-Dispatch – (Missouri) Suspected pipe bomb explodes at Lake Saint Louis electric substation. Lake Saint Louis Police said an apparent pipe bomb exploded about 3 a.m. August 12 at a Lake Saint Louis electric substation operated by Cuivre River Electric Cooperative, causing minor damage. Police are investigating whether the suspected pipe bomb explosion is connected to several gasoline-filled milk jugs found at the same substation last July. Police said an alarm drew a police officer to the substation. The officer saw what he thought were sparks, so he returned to his vehicle and was pulling forward as the device exploded behind him. Officers searched the area after the explosion but did not find anyone. Remnants of the exploded device were found atop a control box. A chain-link fence surrounding the Woodland Marina substation had been cut. The explosion did not cause power outages in the area. Last year’s case was never solved. Agents with the Bureau of Alcohol, Tobacco, Firearms and Explosives are investigating both incidents. Source:

• The Associated Press reports that four Massachusetts hospitals are investigating how thousands of patient records, some containing Social Security numbers and sensitive medical information, ended up at a public dump possibly in violation of state law. The unshredded records were discovered in late July. (See item 34)

34. August 13, Associated Press – (Massachusetts) Medical records found intact at dump. Four Massachusetts hospitals are investigating how thousands of patient records, some containing Social Security numbers and sensitive medical information, ended up at a public dump possibly in violation of state law. The unshredded records were discovered late last month in Georgetown by a photographer for The Boston Globe who was dropping off his own trash. The paper alerted the hospitals. Under state law, medical records and documents containing personal identifying information must be disposed of in a way that protects privacy. That usually means shredding or burning. The dumped records were from hospitals in Milford, Holyoke, Boston and Milton and their pathologist groups, and most were dated 2009. All contract with the same billing company, which disposes of the records. Source:


Banking and Finance Sector

13. August 12, Computerworld – (Texas) Heartland denies systems involved in new data breach. Heartland Payment Systems, which last year suffered the largest ever data breach involving payment card data, is downplaying reports out of Austin, Texas linking the payment processor to a data breach at a local restaurant chain. Heartland’s CIO told Computerworld by e-mail August 10 that the reports out of Austin point to a “localized intrusion initiated within the stores, either in their point-of-sale system or as a result of other fraud.” He added that Heartland officials will work closely with business owners to help identify the source of the breach, and help with remediation efforts. The Austin Statesman reported on August 12 that an “accounting network” at Tino’s Greek Cafe, a local restaurant chain with four locations in Austin, had been breached. The story, which quotes a local police spokesman, said the intruders had hacked into the network connecting Tino’s with Heartland Payment Systems. The spokesman is quoted as saying that somebody had hacked into a computer system “somewhere between Tino’s point of sale and their credit card clearinghouse company.” Source:

14. August 12, Trustwave – (International) Trustwave rolls out ATM security review. Trustwave introduced the Automated Teller Machine (ATM) Technical Security Review on August 12 to evaluate and test a bank’s ATM architecture and remediate risk. The service will be delivered by Trustwave’s SpiderLabs, the advanced security team at Trustwave responsible for incident response and forensics, penetration testing and application security, and security research. The ATM Technical Security Review was developed in response to a recent increase in malware attacks specifically targeting ATMs. Trustwave’s SpiderLabs has investigated such attacks and found that organized crime groups with expert knowledge of how ATMs work are exploiting known security deficiencies in a variety of ATM brands to obtain consumers’ debit card numbers and PINs, as well as cash. Source:

15. August 12, The H Security – (International) Macs not vulnerable to Eleonore online banking trojan. Macs are not being infected with the Zeus botnet, says M86 Security, after reports August 12 by a number of news sources that Macs, PlayStation 3s and Nintendo Wiis had joined Windows systems as part of a banking-targeted botnet. These mistaken reports about M86 Security’s discovery of a Zeus botnet in the UK had in turn led some security vendors to call it “the big wakeup call for Mac users.” The reports of Mac infections from the M86 white paper appear to have been due to a table on page 4 of the report which lists the operating systems of machines that had connected to a web site used by the botnet’s creators to spread the infection. The criminals used the Eleonore exploit kit, which makes use of vulnerabilities in Internet Explorer, Adobe Reader, Java Development Kit and Java Web Start. The product manager at M86 Security confirmed to The H that the list only counts connections by operating system and does not indicate that there had been successful exploits of the listed operating systems; the list also includes Linux, Symbian, SunOS and Windows ME. “We’ve only seen these exploits on Windows machines,” he said, adding “The table was included in the white paper to show the sophistication of the botnet’s data gathering and that it was analyzing the traffic.” Source:

16. August 12, Bloomberg – (International) Santos says Colombia car bomb was ‘terrorist act.’ The president of Colombia said a blast from a car bomb that shook the capital August 12 was a “terrorist act” that “won’t intimidate” the nation. The pre-dawn explosion occurred in Bogota at the intersection of 67th Street and 7th Avenue, in front of the studios of Caracol Radio and five blocks from the city’s financial district and the stock exchange. No fatalities were reported. The blast injured as many as nine people, Bogota’s health secretary said in comments broadcast by Caracol television. The blast blew out the windows of nearby businesses including branches of Banco Bilbao Vizcaya Argentaria SA and Bancolombia SA. Residents picked glass as helicopters flew overhead and soldiers in camouflage patrolled inside cordoned off streets nearby. A twisted black ball of metal remained from the car, which held 110 pounds of explosives, Bogota’s mayor said. Authorities August 11 deactivated a car bomb in the city of Neiva, in Huila province, newspaper El Espectador reported. Source:

17. August 12, Federal Bureau of Investigation – (National) Leader of $200 million real estate investment scam arrested for fraud. A suspect was arrested at his home early August 12 by federal agents on charges that he ran an investment fraud scheme causing losses of at least $200 million, a U.S. attorney announced. The 35-year-old suspect of Lakewood, New Jersey, was charged with one count of bank fraud and one count of wire fraud in connection with the alleged scheme. A 43-year-old suspect of Manalapan, New Jersey, was also charged with one count of wire fraud in connection with the scheme and remains at large. According to the criminal complaint unsealed August 12: From as early as September 2005 to the present, the main suspect orchestrated — with the help of others — a real estate investment fraud scheme, headquartered in Lakewood, that has resulted in losses to victim investors of at least $200 million. To perpetrate this scheme, the main suspect targeted fellow members of the Orthodox Jewish community in New Jersey, New York, Florida, California, and abroad using the social and business customs and practices of the community in furtherance of his scheme. To induce his victims’ investments, the two arrested suspects and others lied to their victims, using a variety of fraudulent means. Source:

18. August 11, Port Arthur Police Department – (Texas) Police warn of scam involving credit card abuse. Officers from the Port Arthur, Texas, police department are investigating widespread credit card abuse through the use of Fuelman cards. Fuelman is a fleet fueling system; Fuelman credit cards are issued to businesses that use the system and can be used at any of the various Fuelman locations across Texas and other participating states. Each time a Fuelman card is used to make an unauthorized fuel purchase, which is a theft of gasoline or diesel, a felony credit card abuse occurs. Currently, several hundred unauthorized transactions have been verified, resulting in tens of thousands of dollars in thefts. All city of Port Arthur and Port Arthur ISD employees who have been interviewed have given their full cooperation. Source:

Information Technology

43. August 13, The New New Internet – (International) Botnet conducts “Brute Force” attacks. A server-based botnet that attacks insecure websites is currently launching a flood of attacks over the Internet, according to security researchers. The attacks attempt to break into the secure shell (SSH) services protecting Linux boxes, routers and other network devices by guessing login credentials. The botnet hits websites that run an outdated version of phpMyAdmin, according to researchers. The vulnerability, which was patched back in April, is exploited by the botnet to install a file that searches the Internet for devices exposing the SSH service. “This bot then conducts brute force SSH attacks on random IP addresses specified by the bot herder,” one user wrote. A monitoring service run by the SANS Institute has recorded a six-fold increase in sources participating in SSH scans in the past few weeks. Source:
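The defensive counterpart to the SSH brute-force activity described above is spotting it in your own sshd logs. The following is an added example, not code from the report or from the researchers it cites: it parses syslog-style sshd lines, counts failed logins per source address inside a sliding time window, and flags sources that exceed a threshold. The log lines, hostnames, usernames and addresses are constructed for the example (RFC 5737 documentation ranges), and the year prepended to the timestamps is assumed because syslog omits it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log (not from the report). Three sources:
#   203.0.113.7   - rapid-fire guessing across several usernames (should alert)
#   198.51.100.23 - one typo followed by a successful login (benign)
#   192.0.2.55    - one failure per hour ("low and slow"; evades a short window)
SAMPLE_AUTH_LOG = """\
Aug 13 03:12:01 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51812 ssh2
Aug 13 03:12:03 web01 sshd[2101]: Failed password for root from 203.0.113.7 port 51813 ssh2
Aug 13 03:12:04 web01 sshd[2104]: Failed password for invalid user admin from 203.0.113.7 port 51814 ssh2
Aug 13 03:12:06 web01 sshd[2106]: Failed password for invalid user oracle from 203.0.113.7 port 51815 ssh2
Aug 13 03:12:09 web01 sshd[2108]: Failed password for invalid user test from 203.0.113.7 port 51816 ssh2
Aug 13 03:12:11 web01 sshd[2110]: Failed password for root from 203.0.113.7 port 51817 ssh2
Aug 13 03:15:40 web01 sshd[2150]: Failed password for alice from 198.51.100.23 port 40021 ssh2
Aug 13 03:15:52 web01 sshd[2152]: Accepted password for alice from 198.51.100.23 port 40022 ssh2
Aug 13 04:30:00 web01 sshd[2300]: Failed password for root from 192.0.2.55 port 60001 ssh2
Aug 13 05:30:00 web01 sshd[2400]: Failed password for root from 192.0.2.55 port 60002 ssh2
Aug 13 06:30:00 web01 sshd[2500]: Failed password for root from 192.0.2.55 port 60003 ssh2
"""

# Matches the OpenSSH "Failed/Accepted password" line shape, with or without
# the "invalid user" marker that sshd adds for non-existent accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_events(log_text, year=2010):
    """Return (timestamp, result, user, source_ip) tuples for matching lines.

    `year` is an assumption: syslog timestamps carry no year.
    """
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd noise (disconnects, key exchange, ...)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def find_brute_force(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with >= `threshold` failures inside any `window_seconds` span.

    Returns {ip: {"peak_failures_in_window", "total_failures", "distinct_users"}}.
    """
    failures = defaultdict(list)  # ip -> [(timestamp, username), ...]
    for ts, result, user, ip in parse_events(log_text):
        if result == "Failed":
            failures[ip].append((ts, user))

    window = timedelta(seconds=window_seconds)
    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        peak, start = 0, 0
        # Two-pointer sliding window over the sorted failure timestamps.
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[ip] = {
                "peak_failures_in_window": peak,
                "total_failures": len(attempts),
                "distinct_users": sorted({user for _, user in attempts}),
            }
    return alerts


def block_rules(alerts):
    """Render one iptables DROP rule per flagged source, for review before applying."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in sorted(alerts)]


if __name__ == "__main__":
    found = find_brute_force(SAMPLE_AUTH_LOG)
    for ip, info in found.items():
        print(ip, info)
    print("\n".join(block_rules(found)))
```

Two caveats a practitioner should carry into production: the 60-second window catches the rapid guessing the report describes but deliberately misses the hourly source in the sample, so run a second, longer window (or a per-user-count rule) for low-and-slow scanners; and since the bot targets random addresses, keep the block rules scoped to sources and not to the usernames, which will mostly be generic (root, admin, oracle, test) rather than accounts that exist on the host.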

44. August 13, The Register – (International) Rise in Latvian botnets prompts Spamhaus row. Over the previous year, Spamhaus’ monitoring staff had measured a steady increase in Latvian spam and DDOS traffic, particularly from a small ISP called Microlines. It is unclear who the offending cybercriminals were, but in common with its normal practice, Spamhaus contacted Microlines’ abuse address to ask them to take down the relevant servers. When no response came, researchers added the firm’s IP range to the Spamhaus blocklist, which is used by ISPs to cut the volume of spam entering their networks. Spamhaus next followed its escalation procedures, which involve using RIPE data to discover who is routing the spam and reporting it to their abuse department. The aim is to force cybercriminals to at least keep hopping ISPs, a ruse that often means they leave tell-tale identifying evidence for law enforcement agencies to trace. Microlines’ spam-filled traffic was being routed by Latnet Serviss, a larger ISP. Spamhaus contacted the RIPE-registered abuse address and again received no response. It added part of what it believed was Latnet’s IP range to the blocklist, based on a traceroute of the abuse address. Unbeknown to Spamhaus, however, Latnet Serviss had effectively outsourced management of its abuse department to the University of Latvia’s Institute of Mathematics and Computer Science, which houses both NIC.LV and the country’s Computer Emergency Response Team (CERT). As a result, the Institute and many other organizations were effectively cut off from the Internet. Source:
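The collateral damage in the Spamhaus item came from listing a range inferred from a traceroute rather than from the registry allocation that actually contains the offending address. The following is an added example, not Spamhaus code or RIPE data: before adding a prefix to a blocklist, it checks which registered allocations that prefix would overlap, and picks the narrowest allocation containing the abusive address instead. The allocation table and owners are constructed placeholders in documentation address space, not the real Latvian prefixes from the report.

```python
import ipaddress

# Constructed allocation table (hypothetical owners, RFC 5737 documentation
# prefixes). In practice this would come from a RIR whois/RDAP lookup.
ALLOCATIONS = {
    "203.0.113.0/26":   "Microlines (spam source, hypothetical)",
    "203.0.113.64/26":  "Latnet Serviss transit (hypothetical)",
    "203.0.113.128/26": "University institute hosting NIC and CERT (hypothetical)",
    "198.51.100.0/24":  "Unrelated hosting customer (hypothetical)",
}


def collateral(listing_cidr, allocations=ALLOCATIONS):
    """Return [(prefix, owner)] for every allocation a proposed listing would overlap.

    A listing that overlaps more than the offender's own allocation will cut
    off third parties; that is the check Spamhaus's traceroute-based /24 skipped.
    """
    listing = ipaddress.ip_network(listing_cidr, strict=False)
    hits = []
    for prefix, owner in allocations.items():
        if ipaddress.ip_network(prefix).overlaps(listing):
            hits.append((prefix, owner))
    return sorted(hits)


def narrowest_listing(offending_ip, allocations=ALLOCATIONS):
    """Return the most specific registered prefix containing `offending_ip`, or None.

    Listing this prefix, rather than the hop seen in a traceroute, limits the
    block to the allocation the abuser actually holds.
    """
    addr = ipaddress.ip_address(offending_ip)
    containing = [
        ipaddress.ip_network(p) for p in allocations
        if addr in ipaddress.ip_network(p)
    ]
    if not containing:
        return None
    return str(max(containing, key=lambda net: net.prefixlen))


if __name__ == "__main__":
    # An operator tempted to list the whole /24 seen in a traceroute:
    for prefix, owner in collateral("203.0.113.0/24"):
        print(f"would also block {prefix}: {owner}")
    # Versus listing only the offender's registered allocation:
    print("narrowest:", narrowest_listing("203.0.113.9"))
```

The `strict=False` on the proposed listing lets an operator paste an address with host bits set (as a traceroute hop would be); the allocation table itself is kept strict so a malformed registry entry fails loudly.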

45. August 12, eWeek – (International) Security vendors turn focus to smartphones. As recent acquisitions have shown, mobile security is an area of growing interest for enterprises, with remote management and data protection capabilities at the top of the list. McAfee’s July 29 agreement to acquire TenCube was its second attempt to purchase its way deeper into the mobile security business this year, and one of multiple plays in the space by other vendors. Vendors are right to be interested. A June survey of enterprises by The 451 Group found two-thirds of the 91 respondents were either “highly concerned” (23 percent) or “moderately concerned” (44 percent) about a mobile security breach. This increased agita about security and management is likely to continue. “As smartphones and tablets, which are running on smartphone OSes, increasingly take share away from desktop and laptop computers, perpetrators will move to target these users,” said an analyst at The 451 Group. “These smart devices will be the primary portal for mobile banking and social networking, so the data stored and traveling across these devices will steadily increase in value.” Mobile malware has increased steadily since 2003, but has not notably accelerated in 2010, said the worldwide head of mobile marketing at McAfee. “What has increased is media attention around privacy concerns [to do with] certain apps … besides app security the discussion should be expanded to cover mobile Internet usage, family safety and—what is probably the most likely mobile security incident users face today—mobile device theft or loss,” he said. Source:

46. August 12, DarkReading – (International) Red Condor identifies possible source of recent malware campaigns. St. Bernard’s Red Condor security team August 12 issued a warning of a new sophisticated email malware threat that is disguised as misdirected personal emails with executable attachments. The spam messages — which have a variety of subject lines, including “You are in invited to another show!”, “FW: Resume as discussed” and “FW: Car & Car loan” — appear to consist of content that was likely stolen from compromised email accounts and computers and appear to have multiple connections with the ongoing one-click plug-and-play (PNP) malware campaigns that Red Condor has been monitoring the past several months. Red Condor also identified a possible source of the spam payloads: compromised accounts on a social media/networking site. The executables in this new campaign have been identified as TR/Dropper.Gen / FraudTool.Win32.AVSoft (v) / Malware-Cryptor.Win32.Limpopo. Source:

47. August 12, TrendLabs – (International) BREDOLAB spreading via malicious attachments. Following deeper analysis of this threat by senior threat researchers, TrendLabs has reclassified the malware used in this attack as a BREDOLAB variant (detected as TROJ_BREDOLAB.JA) instead of WALEDAC. An unfortunate combination of human and machine errors led to the mislabeling of this threat as WALEDAC. In the past few weeks, there has been something of an increase in the number of spammed messages delivering malicious attachments to users; on first take, TrendLabs believed this may have been a WALEDAC variant. One of the earlier variants we have seen poses as an annual “Social Security” statement. Other hooks used resumes and job offers, weddings, and even a puzzle. Using malicious attachments is a very popular method of spreading malware via email; however, TrendLabs has seen many recent attacks that use almost-identical payloads. Two variants have been seen, with the malicious attachment being either a FAKEAV variant like TROJ_FRAUDLO.LO, TROJ_FAKEAV.SGN, and TROJ_FAKEAV.FGZ or a downloader that also leads to FAKEAV and BREDOLAB variants. Trend Micro detects these emerging BREDOLAB and FAKEAV variants using the detection names mentioned above. In addition, the above-mentioned spam is already being blocked by Trend Micro products with the aid of the Smart Protection Network. Source:

48. August 12, Help Net Security – (International) Fake malicious software removal tool peddles fake AV. A fake Malicious Software Removal Tool using the actual icon of the legitimate software has been spotted by Trend Micro researchers. Even a first glimpse of the scanning alert looks pretty legitimate, but it is the “Software searching” screen that signals something might be off. A scan of the computer is simulated, “finding” a well-known malware strain that can only be removed by purchasing the $99.90 anti-virus that is advertised. This approach might fool the inexperienced computer user, but for those who know what warning signs to look for, there are two very obvious ones: the file size is too small (412,672 bytes) and the tool is not digitally signed. Source:

49. August 12, The H Security – (International) Jailbreak community develops its own iPhone patch. The jailbreak grandee known as Saurik has released his own patch for the critical Jailbreakme vulnerability, aimed at protecting the iPhone, iPod touch and iPad from crafted PDF files. Apple has also now plugged the security hole, a potent combination of two different vulnerabilities, but in doing so has left the first generation of iPhones and iPod touches out in the cold. Apple ignored the first generation of the two devices in its update to iOS 4.0, thereby leaving a whopping 65 security vulnerabilities unplugged. This was particularly galling for iPhone users as Apple was still selling that generation of iPhone as late as July 2008. On more recent models, Apple’s patch also un-jailbreaks jailbroken devices. For security reasons, users who want to stay jailbroken should install Saurik’s patch. Following the previous day’s publication of the source code for the Jailbreakme exploit, it is now just a matter of time before someone uses it to develop malware. Source:

For another story, see item 15 above in the Banking and Finance Sector

Communications Sector

50. August 13, The Register – (International) RIM tries to placate everyone. RIM, operator of the BlackBerry service, has been explaining that customers’ security and government contracts are equally important, and that it really does not have any keys to hand over. The company has been very restrained on the governmental demands and statements put out recently, refusing to comment on just about everything except to deny the existence of a “master key.” But now RIM has laid out the principles that apparently guide its decision-making process. Governments around the world have been increasingly vocal in demanding the ability to lawfully intercept BlackBerry communications. RIM is facing accusations of caving too easily to Saudi Arabia by agreeing to host servers within the country, and now India is demanding access to cryptographic keys that just do not exist. RIM would like to make it clear that it “genuinely tries to be as cooperative as possible with governments in the spirit of supporting legal and national security requirements.” Source:

51. August 13, IDG News Service – (International) India may put restrictions on Skype and Google. India may ask Google, Skype and other online service providers to allow the country’s law enforcement agencies to access communications on their networks, the head of an Internet association said August 13. The government said August 12 it will ask service providers in the country to ensure that some BlackBerry services should be made accessible to its law enforcement agencies by August 31, or face a block of these services. The president of the Internet Service Providers Association of India (ISPAI) said that at a meeting he attended about a month ago of the country’s Department of Telecommunications, it was discussed that other online services besides BlackBerry would also be asked to provide access to India’s security agencies. The Indian government’s public threat against BlackBerry is running in parallel with an as yet unannounced decision to pursue similar concerns with Google, Skype and other communications services, The Financial Times said in a report August 13, citing a government report. A spokesman for the Department of Telecommunications said he was unaware of the decision. Google said it had heard nothing from the government. Source:

52. August 12, LEX 18 Lexington – (Kentucky) AT&T cell phone service returns for Lexington, parts of Bluegrass. AT&T cell phone service returned to normal the afternoon of August 12 for a majority of customers whose service had been out in portions of the Bluegrass, including all of Lexington, Kentucky, for most of the day. The outage began at about 9:30 a.m. Cell phones of LEX 18 employees who are AT&T customers had service restored beginning at around 2:30 p.m. The AT&T market manager for Kentucky and Tennessee released a statement August 12, saying, “Our 2G and 3G wireless customers in Lexington were experiencing a temporary service interruption while placing or making phone calls earlier this morning in the Lexington and Nicholasville areas. AT&T technicians are on site, investigating the root cause of this service interruption.” Source:

53. August 11, Executive Gov – (National) FCC seeks public comment on creation of cybersecurity plan. The Federal Communications Commission released a notice earlier in the week of August 9 requesting public comment on the creation of an anticipated FCC plan to address cybersecurity. The plan, the Cybersecurity Roadmap, seeks to identify vulnerabilities in core Internet protocols and develop solutions in response to cyber threats and attacks. The Cybersecurity Roadmap was recommended as an initial step forward in the area of cybersecurity as part of the Commission’s National Broadband Plan (NBP). Specifically, the NBP recommended the FCC issue, in coordination with the Executive Branch, a plan to address cybersecurity. FCC looks to finalize the Cybersecurity Roadmap by November 2010. “Cybersecurity is a vital topic for the commission because end-user lack of trust in online experiences will quell demand for broadband services, and unchecked vulnerabilities in the communications infrastructure could threaten life, safety and privacy,” FCC stated. Source:

For more stories, see item 44 above in the Information Technology Sector