Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, August 17, 2010

Complete DHS Daily Report for August 17, 2010

Daily Report

Top Stories

• The New York Daily News reports that an explosion rocked a Bronx, New York subway station August 13, sending one transit worker to a hospital and delaying train service. (See item 30)

30. August 14, New York Daily News – (New York) Battery explodes in Bronx subway station; sends one to hospital, delays service. An explosion rocked a Bronx, New York subway station August 13, sending one transit worker to a hospital and delaying train service, officials said. A battery blew up in a communications room at the Longwood Ave. No. 6 stop around noon, spewing noxious smoke throughout the station, officials said. The battery leaked a variety of chemicals, which were later removed by the New York Fire Department’s Hazardous Materials team, officials said. A transit worker overcome by the smoke was briefly hospitalized. No passengers at the Hunts Point stop were injured, officials said. Due to the smoke, southbound trains skipped the Longwood Ave. station for about 30 minutes, transit officials said. Northbound service was unaffected. Source:

• According to The Tennessean, police believe someone may be targeting a Tennessee Highway Patrol officer specializing in Driving Under the Influence arrests (DUIs) after a bomb went off at his home last month and two similar bombs exploded August 16 where he was working. (See item 53)

53. August 16, Tennessean – (Tennessee) THP officer may have been target of early-morning bomb. Police believe someone may be targeting a Tennessee Highway Patrol officer specializing in Driving Under the Influence arrests (DUIs) after a bomb went off at his home last month and two similar bombs exploded August 16 where he was working. A trooper was training two White House, Tennessee police officers on DUI detection at 1:30 a.m. when two bombs exploded on the west lawn of the police station, said a department of safety spokesman. Only the lawn was damaged. A third device was found later August 16 across the street in a neighbor’s yard. A bomb disposal team for the Robertson County’s Homeland Security District removed it. Homes in the area were evacuated, but residents began returning around 10 a.m. as police reduced the size of the protection area. Officials from the Tennessee Office of Homeland Security were at the scene. Source:


Banking and Finance Sector

18. August 16, The New New Internet – (International) Credit card clearing house hacked, say security researchers. An underground credit-card clearing house has been hacked, according to Trend Micro security researchers. Leaked data from the hack include employee e-mails and recorded phone calls. “A group of hackers recently published detailed information from an underground credit card company,” writes an advanced threats researcher with Trend Micro. “On July 23, an anonymous group claimed to have compromised a server of an online credit card processor company. At that time, however, the extent of the compromise was unclear. Looking at the data that was published leads us to believe that the compromise is very plausible.” Some of the stolen recorded conversations include individuals speaking about ways to defraud credit card companies. “This hacking incident would probably make a lot of cyber criminals nervous,” the researcher writes. “Unfortunately, the incident also puts the personal data of legitimate customers and of many ordinary Russians at risk.” Source:

19. August 14, The Register – (Oregon) Man sentenced for DIY gift-card cloning. A 22-year-old Oregon man has been sentenced to 18 months probation for stealing $6,000 worth of merchandise using gift card–cloning gear he found online. The suspect was standing in the check-out line at a Fred Meyer store in Washington County when he realized it would not be too hard to hack the magnetic strips used to store money on the cards, reports. With 20 hours of research, he found the software, which allowed him to electronically query a card’s balance many times per day. He also bought a magnetic card reader. The suspect would steal blank cards on display for purchase, scan them into his reader, and then return them to the store. When they were purchased and activated by customers, the software alerted him to that fact. He would then transfer the data to a blank card. Police eventually tracked him down by tracing his IP address and store surveillance cameras. He was caught with about 1,000 stolen gift cards. He ran the scam at numerous stores including Apple, Best Buy, and Macy’s. Fred Meyer was the only retailer willing to work with authorities. Source:

20. August 14, – (Illinois) One bank fails on Friday, Aug. 13. Federal and state banking regulators closed one bank on Friday, August 13. This failure raises the total number of failed institutions to 124 so far in 2010. Palos Bank and Trust Company, Palos Heights, Illinois, was closed by the Illinois Department of Financial and Professional Regulation - Division of Banking, which appointed the Federal Deposit Insurance Corp. (FDIC) as receiver. To protect the depositors, the FDIC entered into a purchase and assumption agreement with First Midwest Bank, Itasca, Illinois to assume all of the deposits of Palos Bank. The five branches of Palos were slated to reopen August 14 as branches of First Midwest Bank. Depositors of Palos Bank will automatically become depositors of First Midwest Bank. Palos Bank had $493.4 million in total assets. The cost to the FDIC Insurance Fund is estimated to be $72 million. Source:

21. August 13, CBC News – (International) Card skimmers found at Alberta mega-mall. A suspected bank-card skimming operation has been uncovered at the CrossIron Mills mega-mall near Balzac, north of Calgary, Canada police said August 20. Bank security experts alerted Royal Canadian Mounted Police (RCMP) commercial crime detectives after they found that two payment PIN pads at two retailers had been compromised. Mall officials said police advised them not to name the stores involved. The pads had been tampered with to capture financial data and gain access to accounts, said a RCMP constable. A full search of the 200 or so stores at the mall turned up two more skimming devices, investigators said. The transaction pads were likely installed in July. Some unauthorized withdrawals from bank accounts may have already occurred, but investigators think most of the potential fraud was interrupted. The culprits likely swiped the PIN pads while store clerks were not looking, substituting non-functional dummies while they added a wireless Bluetooth transmitter to the devices. Source:

22. August 13, – (International) Cyber attacks on banks likely to increase, says expert. Following the recent news that cyber criminals based in Eastern Europe have successfully drained $1,052,870 from customers of a major U.K. bank, an IT security expert has stated that similar attacks could remain undetected in other institutions, and are likely to be seen more and more in the future. The attack in question involved the use of the Zeus v3 trojan, a highly adaptable piece of software available to cyber criminals. “The [trojan] is very easy to customize in order to target a wide variety of web sites and users,” said the head of information security at Protiviti, an IT risk and consulting firm. “It’s likely that other organizations have been unknowingly targeted now, and will be in the future.” Source:

23. August 13, Associated Press – (Michigan) Secret Service probing credit card fraud in Clare. U.S. Secret Service officials said they are investigating the fraudulent use of more than 150 credit card numbers obtained at a Clare County hotel. The Clare Sentinel reported August 13 that the restaurant at the Doherty Hotel & Convention Center in Clare, Michigan had its database illegally accessed. The first fraudulent charges appeared on a credit card in May. A Secret Service agent said investigators are working to determine who accessed the information and how. The resident agent in charge of the federal agency’s Saginaw office said the hotel has put additional security protections in place. The agent said the charges on credit cards were between $2,000 and $3,000, and included international purchases. Source:,0,5766230.story

24. August 13, Central Valley Business Times – (California) Eight charged in real estate investment fraud scheme. A federal grand jury in Sacramento, California has returned an indictment charging eight persons in a real-estate, investment-fraud scheme, said a U.S. attorney. The first seven defendants are charged with 15 counts of mail fraud and wire fraud for defrauding investors of more than $11.4 million through a Sacramento company called Heaven Investments Holding Co. HIHC offered investors two types of investments. The planned income program promised to use investor money to acquire residential, single-family dwellings that would be renovated and resold for a profit. The tenants in common program promised to use investor money to develop four pieces of property. Investors were promised a 12- to 15-percent annual return. According to the indictment, the defendants said the investment was safe because it would be secured by a deed of trust where the investor would be in no worse than second or third position, and that the indebtedness on the property would never exceed 70 percent of property value. But the indictment charges HIHC acquired the properties through 100 percent financing from private lenders. Further, the promise was illusory because HIHC either failed to place the investor on the deed as promised, or when HIHC did put an investor’s name on the deed, the property had multiple investor names and was leveraged by as much 300 percent to 400 percent, the grand jury said. Source:

25. August 11, Houston Chronicle – (Texas) ‘XXXL Bandit’ sought in 2 Houston bank robberies. A man dubbed the “XXXL Bandit” due to his girth is suspected of robbing at least two Houston-area banks since mid-July, FBI officials said August 11. The latest robbery happened August 5 at an Associated Federal Credit Union bank inside a Kroger grocery in the 16400 block of El Camino Real. FBI agents said he struck up a conversation with a teller before passing a threatening note demanding money. He left the bank and the supermarket through an emergency exit in the rear. No injuries were reported and bank employees did not see him with a weapon, FBI agents said. The suspect is also being sought in the July 12 robbery of a Wells Fargo bank branch inside a Randall’s grocery in the 2300 block of Clear Lake City Blvd. Source:

Information Technology

54. August 16, The Register – (International) Virgin Media to warn malware-infected customers. Virgin Media subscribers whose computers are part of a botnet can expect a letter warning them to tighten up their security, under a new initiative based on data collected by independent malware trackers. The U.K.’s third-largest ISP will match lists of compromised IP addresses collected by the Shadowserver Foundation, among others, to its customer records. Those with infected machines will be encouraged to download free security software to remove the malware. Virgin Media said it expects to send out hundreds of letters per week initially, with plans to expand the campaign based on customer feedback. The firm will also take the opportunity to plug its Digital Home Support service, a $9.36-per-month remote PC maintenance helpline, “for those who need a little bit more help”. A quarter of callers have a malware infection, Virgin Media said. The announcement August 16 marks the second anti-malware initiative by a major U.K. ISP. TalkTalk is preparing an optional service that will block infected Web pages by following its customers around the Web, creating lists of all the URLs they visit. Source:
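The Virgin Media initiative described above depends on joining a third-party sighting feed (timestamp, IP address, botnet family) against the ISP’s own customer records. The practical caveat is that consumer IP addresses are reassigned, so each sighting must be resolved against the lease that was active at the sighting time, not against whoever holds the address today. The following Python is an added illustration written for this report, not Virgin Media’s or Shadowserver’s code; the feed format, the lease table and all addresses (RFC 5737 documentation ranges) are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class Lease:
    """One address assignment from the ISP's records (constructed sample)."""
    ip: str
    customer_id: str
    start: datetime
    end: Optional[datetime]  # None means the lease is still active

def parse_ts(s: str) -> datetime:
    # Feed and lease timestamps are assumed to be UTC ISO-8601 without offset.
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)

# Constructed sighting feed: "timestamp,ip,botnet_family" per line.
# 198.51.100.7 changes hands at 20:00 on Aug 15, so the two sightings
# of that address belong to two different customers.
FEED = """2010-08-15T10:00:00,198.51.100.7,conficker
2010-08-15T23:30:00,198.51.100.7,zeus
2010-08-16T02:00:00,203.0.113.9,zeus
2010-08-14T00:00:00,192.0.2.5,zeus
"""

# Constructed lease table (assumption: one active lease per IP at any instant).
LEASES = [
    Lease("198.51.100.7", "cust-001", parse_ts("2010-08-15T08:00:00"), parse_ts("2010-08-15T20:00:00")),
    Lease("198.51.100.7", "cust-002", parse_ts("2010-08-15T20:00:00"), None),
    Lease("203.0.113.9", "cust-003", parse_ts("2010-08-10T00:00:00"), None),
]

def lease_at(ip: str, when: datetime, leases) -> Optional[Lease]:
    """Return the lease covering `ip` at time `when` (start inclusive, end exclusive)."""
    for lease in leases:
        if lease.ip == ip and lease.start <= when and (lease.end is None or when < lease.end):
            return lease
    return None

def match_feed(feed_text: str, leases):
    """Join sightings to customers by time-aware lease lookup.

    Returns (hits, unmatched): hits maps customer_id -> set of botnet families
    seen on that customer's address while they held it; unmatched lists
    sightings that no lease covers, which should be reviewed rather than
    silently attributed to the address's current holder.
    """
    hits = {}
    unmatched = []
    for line in feed_text.strip().splitlines():
        ts, ip, family = line.split(",")
        lease = lease_at(ip, parse_ts(ts), leases)
        if lease is None:
            unmatched.append((ts, ip))
            continue
        hits.setdefault(lease.customer_id, set()).add(family)
    return hits, unmatched

if __name__ == "__main__":
    hits, unmatched = match_feed(FEED, LEASES)
    for cust, families in sorted(hits.items()):
        print(f"notify {cust}: {', '.join(sorted(families))}")
    for ts, ip in unmatched:
        print(f"review: no lease for {ip} at {ts}")
```

The half-open lease interval matters: a sighting stamped exactly at a hand-over instant goes to the new holder, and a sighting before the earliest record stays unmatched instead of being pinned on a customer who may never have had the address.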

55. August 16, The H Security – (International) Authentication under Windows: A smouldering security problem. Speaking at the USENIX conference, a developer highlighted an old and known flaw that continues to be underestimated in the Windows world: authentication mechanisms involving NTLMv2 are often insecure. Attackers can intercept credentials transmitted during log-in and misuse them to log into the servers themselves — without knowing the password. The attackers exploit a weakness in NTLMv2, a protocol which is vulnerable to “replay” and “reflection” attacks although it does transmit the data itself in a secure encrypted form. While an attacker launching a replay attack can gain access to a server, attacks such as SMB reflection only require the operator of a specially crafted SMB server to send the NTLM log-in credentials of a log-in attempt at the operator’s server back to the victim. This allows the attacker to gain access to the victim’s PC and execute programs there. Successful attacks require ports 139 and 445 to be accessible on the victim’s machine, which would be the case if, for instance, file sharing and printer sharing are enabled on a local network. Microsoft released patches to fix this special SMB vulnerability at the end of 2008, added another patch in connection with WinHTTP in early 2009, and subsequently also released patches for WinINet and Telnet. However, the vendor needed seven years to solve the problem; an earlier patch would have had extremely negative effects on network applications at the time. Numerous other scenarios still remain unpatched – especially where non-Microsoft products are concerned. Source:
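The reflection problem in item 55 comes down to one property: a challenge-response value that is not bound to the server the client thinks it is talking to can be handed to a different server and still verify. The Python below is an added, deliberately simplified model written for this report; it is not the NTLMv2 wire format and not Microsoft’s code. It uses an HMAC over a random challenge in place of the real NTLMv2 computation, and the "bind_target" flag stands in for the general idea behind the fixes the article mentions (tying the response to the intended target or channel). The host names, the shared secret and the scenario steps are constructed.

```python
import hashlib
import hmac
import os
from typing import Optional

def compute_response(secret: bytes, challenge: bytes, target: Optional[bytes]) -> bytes:
    """Toy challenge-response: HMAC over the challenge, optionally also over the
    name of the server the client intends to authenticate to (target binding)."""
    data = challenge if target is None else challenge + b"|" + target
    return hmac.new(secret, data, hashlib.sha256).digest()

class Service:
    """A server-side verifier (e.g. a file-sharing service) for one account."""
    def __init__(self, name: str, secret: bytes, bind_target: bool):
        self.name = name
        self.secret = secret
        self.bind_target = bind_target
        self.challenge = None

    def new_challenge(self) -> bytes:
        self.challenge = os.urandom(16)
        return self.challenge

    def verify(self, response: bytes) -> bool:
        target = self.name.encode() if self.bind_target else None
        expected = compute_response(self.secret, self.challenge, target)
        return hmac.compare_digest(expected, response)

class Client:
    """The client side for the same account (here, running on the victim PC)."""
    def __init__(self, secret: bytes, bind_target: bool):
        self.secret = secret
        self.bind_target = bind_target

    def respond(self, challenge: bytes, target_name: str) -> bytes:
        target = target_name.encode() if self.bind_target else None
        return compute_response(self.secret, challenge, target)

SECRET = b"constructed-account-secret"  # constructed; stands in for the password-derived key

def legitimate_login(bind_target: bool) -> bool:
    """Client authenticates to the server it intends to reach. Must succeed either way."""
    server = Service("FILESRV", SECRET, bind_target)
    client = Client(SECRET, bind_target)
    return server.verify(client.respond(server.new_challenge(), target_name="FILESRV"))

def reflected_login(bind_target: bool) -> bool:
    """Model of the reflection described in the article: the victim's client
    connects to a rogue service, which obtains a challenge from the victim's
    own service, presents it to the client, and relays the answer back.
    Returns True if the victim's service accepts that relayed response."""
    victim_service = Service("VICTIM-PC", SECRET, bind_target)
    victim_client = Client(SECRET, bind_target)
    challenge = victim_service.new_challenge()          # obtained by the rogue
    response = victim_client.respond(challenge, "ROGUE")  # client thinks target is ROGUE
    return victim_service.verify(response)               # rogue relays it back

if __name__ == "__main__":
    for bind in (False, True):
        print(f"bind_target={bind}: legitimate={legitimate_login(bind)} "
              f"reflected_accepted={reflected_login(bind)}")
```

With binding off, the relayed response verifies because it depends only on the challenge and the secret; with binding on, the client signed "ROGUE" while the victim service expects "VICTIM-PC", so the same relay fails while ordinary logins still work. In deployed Windows environments the corresponding controls are the vendor patches the article lists together with SMB signing and not exposing ports 139/445 beyond the hosts that need them.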

56. August 16, Help Net Security – (International) Fake dislike button Facebook scam. Facebook users should be wary of the latest survey scam spreading across the network. There are many variations of this scam, which sees users unwillingly update their Facebook status encouraging others to get the “official Dislike button”. The scam is spreading quickly as many Facebook users have been calling for the introduction of an official “Dislike” feature which would allow them to express their opinions on other users’ posts, links and updates. Two versions of the scam have been discovered by Sophos, which involve the sharing of messages with the text: “I just got the Dislike button, so now I can dislike all of your dumb posts lol!! LINK” and “Get the official DISLIKE button NOW! - LINK.” The viral scam, similar to many recent survey scams, tricks users into giving a rogue Facebook application permission to access their profile, silently posting and promoting the link that tricked the user in the first place and spreading the message virally. Source:

57. August 16, Krebs on Security – (International) NetworkSolutions sites hacked by wicked widget. Hundreds of thousands of Web sites parked at have been serving up malicious software thanks to a tainted widget embedded in the pages, a security company warned August 14. Santa Clara, California-based Web application security vendor Armorize said it found the mass infection while responding to a complaint by one of its largest customers. Armorize said it traced the problem back to the “Small Business Success Index” widget, an application that Network Solutions makes available to site owners through its blog. Armorize soon discovered that the widget was serving up content for those who had downloaded and installed it on their sites, and was being served by default on some – if not all — Network Solutions pages that were parked or marked as “under construction.” Parked domains refer to those that are registered but contain no content. Network Solutions — like many companies that bundle Web site hosting and domain registration services – includes ads and other promotional content on these sites until customers add their own. Armorize’s founder and chief executive said Google and Yahoo! search results indicate anywhere from 500,000 to 5 million Network Solutions domains may have been serving the malware-infected widget. Armorize believes hackers managed to taint the widget after compromising the domain itself with a Web-based hacking tool that allowed them to control the site remotely. Source:

58. August 14, – (International) GPU acceleration brings new security risks. The growing integration of graphics processors into normal computational tasks could threaten security protections, according to a new report from the Georgia Tech Research Institute. The organization warned that general processing over GPU (GPGPU) platforms could dramatically increase the success rate for “brute force” password attacks. GPGPU platforms such as OpenCL have taken off recently as chipmakers and developers seek to harness the power of GPU chips for compute-intensive tasks such as financial analysis or physics modeling. The multi-threading capabilities of GPU chips could allow an attacker to increase the frequency of new password combinations and log-in attempts, allowing an attack tool to attempt to guess a system password. The researchers suggested that using these techniques with a consumer graphics card could easily compromise passwords of up to seven characters. A research scientist said that passwords under 12 characters could be vulnerable, and that administrators may need to institute alphanumeric passwords the length of entire sentences to keep systems secured. Security authentication vendors are pointing to the report as a call to adopt two-factor authentication systems, such as single-use security tokens. Source:

Communications Sector

59. August 16, – (Washington) In Everett, Washington, the sabotaged towers of KRKO (1380) are being rebuilt. The Snohomish News reports that work has begun on replacing two fallen towers in Everett, Washington, one a 349-foot tower and the other a 199-footer, in an effort to bring the station back to full power. The sabotaged towers of KRKO (1380) were literally pulled down, allegedly by an act of sabotage by ecoterrorists, last September. Radio-Info reported that two towers in the four-tower array were toppled by a group claiming to be from the Earth Liberation Front. KRKO has been running at reduced power. KRKO, with its sports-talk format, currently operates a nondirectional signal at 34,000 watts during the day and at 12,500 watts at night, and wants to increase its power output to 50,000 watts, but faces objections from area residents. Source:

60. August 16, The H Security – (International) RIM offers Indian government surveillance tools. According to the Wall Street Journal, during secret negotiations, BlackBerry vendor Research in Motion (RIM) offered to provide the government of India with information and a number of tools for monitoring e-mail and text messages sent using BlackBerry mobile devices. However, this does not mean that in the future, Indian government agencies will be able to read all messages. The BlackBerry Enterprise Service (BES) encrypts all sent messages and RIM stresses that not even it can decipher them. Government agencies will have to make do with metadata, such as the sender and recipient. The company’s BlackBerry Internet Service (BIS), on the other hand, is designed for non-business users. BlackBerrys using BIS communicate with a server hosted by mobile providers. These messages are compressed, but not encrypted (unless the individual users have done so with their own software) and it appears RIM may be helping the Indian government to unpack them. India requires mobile phone providers to provide the government with access to customer communications. It plans to block 3G networks until a system to allow full line tapping is in place. It is not yet clear whether or not India is satisfied with the concessions made to date and negotiations are ongoing. India has been threatening to ban the BlackBerry service outright. The BlackBerry vendor is also under pressure in Saudi Arabia and the United Arab Emirates, both of which are demanding access to BlackBerry messages. The Wall Street Journal said that, although RIM wants to help mobile phone providers meet national requirements, it is not prepared to rewrite its security architecture or to give governments better access to messages than competitors. Although it is likely to remain impossible to eavesdrop on encrypted communications via the BlackBerry Enterprise Server, the German interior minister is nonetheless advising the German government and government departments not to use BlackBerrys. Source:

61. August 16, Homeland Security NewsWire – (International) Indian government: Google, Skype will follow BlackBerry in being forced to open networks. The Indian government, in a meeting last month with representatives of network operators and Internet service providers, said that after RIM was forced to open BlackBerry-based communication to government eavesdropping, Google and Skype would be asked to do the same — or face bans on some of their services in India. It is unlikely that the Indian government is interested in Google’s search business, but about 20 million Indians are active on Google’s social networking service, Orkut, which encourages them to communicate with each other over Google Talk. The Indian government met with mobile operators August 12, resulting in an ultimatum being issued that lawful interception of BlackBerry communications must be made possible by the end of August. The minutes of an earlier meeting, obtained by the Financial Times, show that RIM is not the only company India intends to tackle. “There was consensus that there [is] more than one type of service for which solutions are to be explored. Some of them are BlackBerry, Skype, Google etc,” the minutes read. “It was decided first to undertake the issue of BlackBerry and then the other services.” Source:

62. August 15, CNN – (International) Grenade thrown at Mexican TV station; no injuries. A grenade thrown by unknown attackers August 15 damaged apartments near a television station office in Monterrey, Mexico, but there were no reports of injuries, the country’s state-run Notimex agency reported. The incident occurred at about 1:15 a.m. “Men in trucks” threw the device at the entrance to the television station. “The grenade exploded under a Toyota Tacoma pickup truck, which was badly damaged,” according to Notimex. “It damaged a television live truck.” Glass shattered in the apartment building, which was facing the entrance, Notimex said. Although employees were shaken up, no one was injured, the report said. Military patrols were not able to capture the grenade-throwers. Late August 14, a similar grenade attack occurred on the offices of Televisa in the city of Matamoros. A building was damaged but there were no reports of injuries. Source:

63. August 13, WKYT 27 Lexington – (Kentucky) AT&T blames equipment failure for phone outage. AT&T representatives now say it was equipment failure that caused many of its Kentucky customers to lose cell phone service for hours August 12. The outage began in the morning and was centered in the Lexington and Nicholasville areas. Customers were not able to make calls, send e-mails, or send text messages. Service was restored to all customers that afternoon. AT&T technicians worked for hours to determine the cause. AT&T officials are now encouraging people affected by the outage to call customer service about a possible credit or reimbursement. Source:

64. August 13, WDIO 10 Duluth – (Minnesota) Lightning strike causes headaches for WDIO and viewers. At around 3 a.m. August 13, WDIO-DT of Duluth, Minnesota took a lightning strike to the transmitter tower, temporarily disrupting the satellite feed of some morning programming. The first hour of ABC’s Good Morning America had video and audio issues. The signal was back to normal by the second hour. By 10 a.m. things were back to normal. However, the station phone system was also affected by the lightning strike. Viewers calling with questions about the on-air programs found it difficult to get through to the station. Efforts to repair the phone system continued throughout the day and things were back to normal by mid-afternoon. Source:

For another story, see item 54 above in the Information Technology Sector