Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, August 18, 2010

Complete DHS Daily Report for August 18, 2010

Daily Report

Top Stories

• The public works superintendent of a mid-Missouri city has admitted falsifying information on tests for safety of the water supply, according to Associated Press. The U.S. Attorney’s office said the 54-year-old man, of Stover, pleaded guilty in federal court August 13 to one count of making a false statement. (See item 34)

34. August 15, Associated Press – (Missouri) Official admits falsifying water test records. The public works superintendent of a mid-Missouri city has admitted falsifying information on tests for safety of the water supply. The U.S. Attorney’s office said the 54-year-old man, of Stover, pleaded guilty in federal court August 13 to one count of making a false statement. He was indicted in April on 27 counts of making false statements in violation of the Safe Water Drinking Act. He was in charge of collecting water samples from various houses in Stover for contamination testing by the state. In his plea, he admitted lying on a July 2007 report listing samples from 10 homes. One of the addresses turned out to be a vacant house with no water service. The accused man faces up to five years in federal prison. A sentencing date has not been set. Source:

• Computerworld reports security firm Symantec indicates that traditional security technologies are losing the battle against the black hats and malicious code writers. In a mid-year review of its IT security risks and predictions made early in 2010, Symantec has warned that there are simply too many new cyber threats out there for traditional automated systems to catch. (See item 50 below in the Information Technology Sector)


Banking and Finance Sector

18. August 17, El Paso Times – (Texas) Armed ‘Bird Flu Bandit’ robs Lower Valley bank. They call him the “Bird Flu Bandit.” The FBI says this thief in a surgical mask is responsible for three armed bank robberies in El Paso, Texas. The latest was at 10:15 a.m. August 16 when the robber stuck a handgun in the face of a teller and demanded cash at the El Paso Employees Federal Credit Union in the lower valley. It marked the second time in three months that this robber struck that credit union, the FBI said. FBI agents said he put the money into a gray plastic grocery bag, ordered the tellers to get on the floor, and ran out of the bank at 9305 North Loop. At least one customer was inside at the time. The use of the handgun is an added concern since most bank robberies in El Paso are committed using only a threatening note. The robber wore gloves, blue denim shorts, a red-and-gray baseball cap and a Houston Texans No. 8 jersey. He spoke in Spanish. The robber was nicknamed the Bird Flu Bandit by agents because of his surgical mask. FBI agents believe the same thief robbed the same credit union May 21 and the First Savings Bank in Downtown El Paso June 24. During the First Savings Bank robbery, the man wore an orange traffic vest and a bandanna mask. Source:

19. August 16, Tucson Citizen – (Michigan) BBB warns of another advance fee loan scam. The Better Business Bureau (BBB) has received several complaints over the last few weeks, from consumers across the country, inquiring about a company identified as First National Financial Corp., allegedly located on Grand River Avenue in Brighton, Michigan. Consumers are informing BBB that they have been approved for a secured loan of $30,000 at a 7 percent interest rate with a required collateral deposit of $1,210, which is to be wired to Ontario, Canada. The Michigan Office of Financial & Insurance Services has informed BBB that First National Financial Corp. is not an active Michigan corporation and that it does not have a valid license to provide lending and financial services. The address is that of a former location for 1st Financial Lending, a legitimate Michigan firm located in Troy. 1st Financial Lending alerted the BBB to the use of their address and has no affiliation to the fraudulent operation. BBB’s report on First National Financial is being revised to reflect the current investigation. Recent BBB investigations reveal an increase in bogus loan brokers who are impersonating legitimate lenders. They make illegal use of the names, logos and/or addresses of reputable financial institutions or organizations that have no affiliation or connection with the fraudulent operation. Source:

20. August 16, Mobile Observer – (New York) Police warn of phone scam involving area bank. The Chautauqua and Cattaraugus County, New York sheriff departments are warning residents about a phone scam. Both departments said they received several phone calls from citizens August 16 who have gotten phone calls at home, at work and on their cell phones from an automated phone system. The system states the call is from the Cattaraugus County Bank or Mt. Vernon Money Management, and that the person’s credit card account has been compromised or blocked. The call then requests the person to either select an option to be forwarded to the security division, or it asks the person to enter his/her credit card number using the phone touchpad. Police said this is a scam. Officials at Cattaraugus County Bank state they are in no way involved in these calls and Mt. Vernon Money Management is no longer in business. Law enforcement officials remind everyone that they should not give any personal or financial information out over the phone. Source:

21. August 16, Fort Worth Star-Telegram – (Texas) Texas Bankers Foundation, Bank of America offer reward in holdups. A $5,000 reward was offered August 16 for the arrest and conviction of the “Doo Rag Bandit,” who FBI agents said is responsible for seven holdups in Fort Worth, Texas since December. The reward is offered by the Texas Bankers Foundation and by Bank of America, whose banks were hit six times since December 23. The most recent holdup was July 30 at the Bank of America at 3100 Altamesa Blvd. The suspect received his nickname because he sometimes wears a black do-rag, but he has also worn a navy blue Dallas Cowboys cap. He has hit Bank of America branches at 5670 Bryant Irvin Road in Fort Worth and 3100 Altamesa Blvd. twice each, and once each at 116 E. Seminary Drive and 4751 S. Hulen St., according to an FBI news release. The suspect has also held up the BBVA Compass bank at 2601 S. Hulen St. Source:

22. August 15, Philadelphia Inquirer – (Pennsylvania) Suspected serial robber hits Cottman Ave. bank. A suspected serial bank robber, who has been identified, struck again August 14 at a Citibank branch on Cottman Avenue in Philadelphia, Pennsylvania, law enforcement authorities said. Officials believe the 31-year-old suspect is the man who robbed a Wachovia Bank on South Broad Street July 23, a Citizens Bank on Bustleton Avenue July 26, and a Conestoga Bank on South Broad Street August 2. On August 14, the robber wore a brown baseball cap, a dark T-shirt with a long, gray shirt underneath, and jeans shorts, authorities said. No information about a weapon was released. Source:

Information Technology

44. August 17, SC Magazine – (International) Symantec warns of a suspicious Android application that appears as ‘Snake’ but transmits GPS data. Warnings have been issued about a malicious version of the classic mobile phone game “Snake” that is actually a Trojan. Symantec Security Response said it found the game in the Android Market, which plays much like the original game, but a satellite icon appears in the top menu bar, indicating GPS data is being acquired. This indicated a Trojan was being downloaded with the game, Symantec said. It then uploads data to a remote server, allowing another person to monitor the location of the phone without the user’s knowledge. The Trojan has been labeled as AndroidOS.Tapsnake, although to receive the GPS coordinates, a second paid-for application called “GPS Spy” must be installed on another Android device, which the developer describes as an application to track another mobile. The description reads: “Download and install the free Tap Snake game app from the Market to the phone you want to spy on. Press menu and register the app to enable the service. Use the GPS Spy app with the registered email/key on your own phone to track the location of the other phone. Shows the last 24 hours of trace in 15 minute increments.” Two researchers claimed AndroidOS.Tapsnake uploads the GPS data every 15 minutes to an application on Google’s free App Engine service. GPS Spy then downloads the data and uses the service to display it as location points in Google Maps. The person monitoring the compromised phone can even view the date and time of the specific points uploaded by the Trojan. Source:
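As an added example that is not part of the report or Symantec's analysis, the fixed-interval upload the item describes (one beacon every 15 minutes to a remote server) is the kind of pattern a proxy log can reveal. The log lines, host names and addresses below are constructed placeholders; the detector flags any source/destination pair whose connection intervals are nearly constant.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import statistics

# Constructed proxy log lines (not from the report): "<ISO time> <src> <dst host> <bytes>".
# Host 10.0.0.7 talks to a constructed placeholder upload host every ~15 minutes;
# the other entries are ordinary, irregular browsing.
SAMPLE_LOG = """\
2010-08-16T09:00:02 10.0.0.7 gps-upload-app.appspot.example 412
2010-08-16T09:03:15 10.0.0.7 www.news.example 18342
2010-08-16T09:15:01 10.0.0.7 gps-upload-app.appspot.example 409
2010-08-16T09:22:40 10.0.0.7 mail.example 5120
2010-08-16T09:30:03 10.0.0.7 gps-upload-app.appspot.example 415
2010-08-16T09:45:02 10.0.0.7 gps-upload-app.appspot.example 411
2010-08-16T10:00:02 10.0.0.7 gps-upload-app.appspot.example 410
2010-08-16T09:01:00 10.0.0.9 www.news.example 22001
2010-08-16T09:40:00 10.0.0.9 www.news.example 19020
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, dst, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_hits=4, max_jitter=timedelta(seconds=30)):
    """Return {(src, dst): median_interval_seconds} for pairs that connect
    at least min_hits times with every gap within max_jitter of the median gap.
    Regular browsing rarely keeps such a steady cadence; a timer-driven
    uploader does."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in events:
        by_pair[(src, dst)].append(ts)

    beacons = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        median = statistics.median(gaps)
        if all(abs(gap - median) <= max_jitter.total_seconds() for gap in gaps):
            beacons[pair] = median
    return beacons


if __name__ == "__main__":
    for (src, dst), interval in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {dst}: steady cadence of about {interval / 60:.1f} minutes")
```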

45. August 17, The H Security – (International) Mud-slinging in the Warez scene. In his blog, a hacker claims he gained access to the data of 770,000 registered users of the Warez forum. To prove his claim, the hacker provided The H’s associates at Heise Security with a 100-MByte database extract. The file contains almost 200,000 private messages, some of which have already been verified as authentic by members of the forum. The unknown hacker has threatened to publish the stolen data, including IP and e-mail addresses, within 6 weeks. Users who have shared copyrighted material through the forum were given the option of “buying themselves out” by removing their uploads from the forum and sending a confirmation message to the hacker. Among other things, the hacker accused operators of storing IP addresses and of censoring the forum. He called on the admins to resign, threatening to publish their private data if they don’t. A short time later, a blogger claimed the campaign was instigated by a rival forum and threatened to retaliate, saying he intended to publish a database excerpt of the forum, which has more than 700,000 registered members. The blogger has already published private data he claims belong to the operators of This includes e-mails linking the operators to the file hosting service. The blogger also claims to possess 100 Mbytes of data from, including users’ IP addresses. A report from statistics of a partner program reveals payments of more than $273,557 to this operator. In another post added shortly afterwards, the hacker said he has now reported the security hole he found to, and that he will refrain from publishing any further data. Whether this was a response to the threats or a reply forged by the intruder has not been established. Source:

46. August 17, Softpedia – (National) Disney, Warner Bros and others sued for spying on Internet users. A complaint filed last week in California alleges that several companies including Disney, Warner Bros. Records, Ustream and others have installed illegal codes on millions of computers with the purpose of tracking online activity. At the center of the suit, which seeks class action status, are the so-called Flash cookies. Technically known as Local Shared Objects (LSO), these are used by Flash-based applications to store preferences, cache files or save state and temp data, all methods of improving user experience. However, security experts and researchers have warned that this feature can be misused to store tracking cookies and even re-create them if they are intentionally deleted from the browser. This is exactly what the companies referred to collectively as “Clearspring Flash Cookie Affiliates” in the complaint are accused of doing, thus affecting the visitors to their respective Web sites. The defendants are Clearspring Technologies, the company developing Flash-based technologies and its customers, which include Walt Disney Internet Group, Demand Media, Project Playlist, Soapnet, SodaHead, Ustream and Warner Bros. Records. “Defendants Clearspring Flash Cookie Affiliates acted with Defendant Clearspring, independently of one another, and hacked the computers of millions of consumers’ computers to plant rogue, cookie-like tracking code on users’ computers. With this tracking code, Defendants circumvented users’ browser controls for managing web privacy and security,” the complaint reads. Unlike regular cookies, which are governed by the browser’s Same-Origin policy, making it possible only for their creator to access them, Flash cookies can be read by any Web site. This allowed Clearspring to build visitor profiles and sell the data to advertisers. Source:

47. August 17, IDG News Service – (International) NSS Labs: Testing shows most AV suites fail against exploits. A majority of security software suites still fail to detect attacks on PCs even after the style of attack has been known for some time. NSS Labs tested how security packages from 10 major companies detect so-called “client-side exploits.” In such incidents a hacker attacks vulnerabilities in software such as Web browsers, browser plug-ins or desktop applications such as Adobe Acrobat and Flash. NSS Labs is an independent security software company that does not accept vendor money for performing comparative evaluations. Vendors are notified, however, and are allowed to make configuration changes before NSS Labs’ evaluation. “This test — the first of its kind in the industry — was designed to identify how effective the most popular corporate endpoint products are at protecting against exploits,” according to the report. “All of the vulnerabilities exploited had been publicly available for months (if not years) prior to the test, and had also been observed in real attacks on real companies.” The attacks are often done by tricking a user into visiting a hostile Web site that delivers an exploit, or a specially crafted code sequence that unlocks a vulnerability in a software application, according to the NSS Labs report. Source:

48. August 17, The Register – (International) Network Solutions pulls widget that tainted up to 5M websites. Network Solutions admitted that a software widget designed to help small businesses build Web sites was contaminated with malware. The domain name registration and hosting firm has pulled the offending widget and published an advisory on its blog that provides guidance to customers but fails to explain either how the slip-up happened or to apologise for the snafu. Network Solutions instead heaps scorn on early reports that anywhere from 500,000 to 5 million Web sites have been affected by the tainted code, saying these estimates are well wide of the mark. The tainted Small Business Success Index widget was offered to Network Solutions customers and used as part of the parked domain page by default. In addition, the Network Solutions domain was compromised with a shell script. Application security firm Armorize, which was the first to warn of the attack, traced the flaw back through a series of compromises involving DNS manipulation and Wordpress hacking and dating back to January. Source:

49. August 17, Help Net Security – (International) Courier service customers targeted by phishing web sites. Customers of well-known courier services are often targeted by cybercriminals. Sometimes people open up malicious files attached in e-mails seeking verification of transaction details, but lately Symantec has detected a number of phishing sites that spoof Web sites of courier services. With the pretext that the customer’s account has not been updated for a considerable time, the site asks the customer to enter account details such as UserID and password, account name and number, and billing address. Many people might assume this information is not that sensitive, but it can be misused by the criminals taking over the identity of the customer with the service in question and — at the minimum — redirecting valuable packages to another delivery address. Also, the individual might be one of those users who constantly recycle their passwords, so this password can be tried with various usernames on other, more important accounts (e-mail, social network, PayPal, etc.). Once the users enter the credentials, they are redirected to the official Web site of the courier, making the illusion of legitimacy complete. But often these phishing websites are not very professionally executed, and certain links lead to error pages. Another telling sign of a phishing page is the wrong URL — the sites are hosted on Web hosting domains, compromised legitimate domains or even bare IP addresses. Source:
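As an added example that is not from the report or Symantec, the "wrong URL" signs the item lists (an IP address instead of a host name, a free Web hosting domain, a courier's brand name hung off an unrelated or compromised domain) can be turned into a simple triage check for links received in e-mail. The courier domain, the hosting suffixes and the sample URLs are constructed placeholders.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed placeholders (assumptions, not values from the report):
# the courier's real domain and a couple of free Web hosting suffixes.
LEGIT_DOMAINS = {"example-courier.com"}
HOSTING_SUFFIXES = {"free-hosting.example", "sites.example"}


def registered_domain(host):
    """Naive registrable domain: the last two labels. Sufficient for the
    constructed samples; production code would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def is_ip_literal(host):
    """True when the host part is an IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_signals(url):
    """Return the telling signs found in a login URL; an empty list means the
    link really sits on the courier's own domain."""
    parts = urlparse(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return ["unparseable-url"]
    if is_ip_literal(host):
        return ["ip-literal-host"]
    reg = registered_domain(host)
    if reg in LEGIT_DOMAINS:
        return []
    signals = ["host-not-courier-domain"]  # hosting provider or compromised site
    if reg in HOSTING_SUFFIXES:
        signals.append("free-hosting-domain")
    labels = host.lower().split(".")
    for legit in LEGIT_DOMAINS:
        brand = legit.split(".")[0]
        if brand in labels:  # e.g. example-courier.com.login.attacker.example
            signals.append("brand-in-subdomain")
        elif brand in parts.path.lower():  # e.g. attacker.example/example-courier/
            signals.append("brand-in-path")
    return signals


if __name__ == "__main__":
    # Constructed sample links, as they might appear in a phishing e-mail.
    for sample in (
        "https://example-courier.com/account/login",
        "http://192.0.2.10/example-courier/login.php",
        "http://example-courier.com.update.free-hosting.example/login",
        "http://www.some-bakery.example/example-courier/verify.html",
    ):
        print(sample, "->", phishing_signals(sample) or "looks genuine")
```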

50. August 16, Computerworld – (International) Black hats winning, says Symantec. Traditional security technologies are losing the battle against the black hats and malicious code writers, said the security firm Symantec. In a mid-year review of its IT security risks and predictions made early in 2010, Symantec has warned that there are simply too many new cyber threats out there for traditional automated systems to catch. The review found that Symantec created 2,895,802 new malicious code signatures last year alone, a 71 percent increase over 2008, and representing more than half of all malicious code signatures ever created by the security firm. Symantec said it identified more than 240 million distinct new malicious programs, a 100 percent increase over 2008. “In just the first half of the year, we have created 1.8 million new malicious code signatures and identified more than 124 million distinct new malicious programs,” the report said. “This means it is becoming less likely that traditional security technologies will catch every new threat out there; there are simply too many of them, even with automated systems in place.” Source:

51. August 16, The Register – (International) Hackers: ‘ColdFusion bug more serious than Adobe says’. A recently patched vulnerability in Adobe’s ColdFusion application server may be more serious than previously thought following the public release of exploit code and blog posts claiming it can be used to take full control of systems running the software. In a bulletin, Adobe rated the directory traversal vulnerability “important,” the third-highest classification on its four-tier severity scale. “This could lead to information disclosure,” the company warned. The flaw affects version 9.0.1 and earlier of ColdFusion for machines running Windows, Mac OS X, and Unix operating systems. But at least two researchers have said the security bug should have been rated critical because it allows attackers to seize control of servers. What’s more, they said attackers can employ simple Web searches to find administrators who have carelessly exposed ColdFusion files that make the attacks much easier to carry out. “This attack can lead to a full system compromise, so let’s make sure we’re clear,” an HP researcher wrote. “It’s not just that you can poke around the system files of the machine you’ve attacked; it’s also the ability to upload scripts that can compromise the system or even poke around the database natively if the security is really that bad.” Source:

Communications Sector

52. August 17, Sierra Vista Herald – (Arizona) Storm damage muddles Monday. Severe weather August 15 created communications and computer headaches for some businesses, school districts and cell phone users throughout the area around Sierra Vista, Arizona. “Micro-bursts and intense weather in southern Arizona caused fiber-optic lines to be washed away,” a regional spokesperson for Qwest said. Technicians were in rugged country throughout the night, using four-wheel-drive vehicles to gain access into problem areas. The service interruption started sometime around midnight and continued until about 4:30 p.m. August 16. While some computer and phone service suffered, 911 calls were not impacted by the interruption because of a rerouting system that Qwest has in place. Source:

53. August 17, – (National) Mobile data offloading to double by 2015. The amount of mobile data being diverted from networks to ease congestion will triple to 48 percent over the next five years, according to a new report from ABI Research. Data traffic is expected to grow by a factor of 30 over the period, and recent figures from Ericsson suggest that mobile data is reaching monthly levels of 225,000 terabytes. Ericsson is tackling this by building new base stations, and recently announced its millionth, but ABI said that increasing capacity is not always an option. Traffic overload is starting to choke the mobile networks, and ABI recommended in its Mobile Network Offloading report that firms use new technologies to alleviate congestion. These should include Wi-Fi, femtocells, mobile content delivery networks and media optimization. ABI Research’s practice director explained that by using these technologies, firms could save themselves from traffic overload. “Each of these offload and optimization technologies is aimed at solving a particular problem and they will all coexist. Wi-Fi is effective in covering limited areas containing many users, such as transport stations and sports venues,” he said. By contrast, a femtocell would be a good option for targeting small numbers of heavy data users, while a mobile content distribution network could be used to cache files locally, lessening load, for example, should a video go viral. Compression, meanwhile, is the most popular method now and will continue to be so. Source:

54. August 16, Eugene Register-Guard – (Oregon) Power outage briefly closes EPUD phone service. A power outage August 16 briefly closed telephone service at Emerald People’s Utility District offices and affected about 150 customers south of the Eugene-Springfield, Oregon area. Something interfered with a power line near a substation, causing a blown fuse, a spokeswoman said. Power was down between 11:40 a.m. and around noon in areas near north Creswell, Matthews Road and Seavey Loop, where the utility is located. A back-up generator provided power at the utility headquarters while power was restored to the rest of the building and the affected customers, she said. Source:

55. August 16, Alamosa Valley Courier – (Colorado) Qwest explains Saturday outage. Qwest officials report the loss of internet and phone service August 14 originated in Ft. Garland, Colorado. “Somebody was doing some serious fencing,” a Qwest corporate communications manager said. “Somewhere near Ft. Garland, someone putting up a fence on Saturday augured down four or five feet and went through some lines. Cement and a post were then dropped in.” Crews were on the scene within a couple of hours to fix the problem. Because of the cement, which had dried, it took the crews a while to dig around the offending posts and remove them. Service was restored at about 3:15 a.m. August 15. Source: