Department of Homeland Security Daily Open Source Infrastructure Report

Monday, August 30, 2010

Complete DHS Daily Report for August 30, 2010

Daily Report

Top Stories

• According to CBC News, one of three Ontario, Canada men who are suspects in what the Royal Canadian Mounted Police (RCMP) are alleging is a terrorist plot possibly against transit systems and government buildings in Canada has been remanded into custody until September 1 after appearing in an Ottawa courtroom.

21. August 27, CBC News – (International) Bomb plot suspect appears in court. One of three Ontario, Canada men who are suspects in what the Royal Canadian Mounted Police (RCMP) are alleging is a terrorist plot against Canada has been remanded into custody until September 1 after appearing in an Ottawa courtroom. An RCMP chief described all three men during an August 26 press conference as being part of a conspiracy to commit "a violent terrorism attack." The men discussed specific targets in Canada, according to security sources CBC spoke with, including specific government buildings and transit systems, but didn't mention any of those targets by name. A former senior Canadian Security Intelligence Service officer told CBC News his sources had said Parliament Hill was among the targets discussed, and suggested Montreal's transit system was a possible target because two of the men had roots in the city, and had lived and studied there. Source:

• The Richmond Times-Dispatch reports that a massive computer failure is crippling Virginia government, knocking out Web sites to the governor's office and 26 state agencies, blocking the issuance of driver's licenses, preventing the processing of jobless benefits, and delaying welfare payments.

42. August 27, Richmond Times-Dispatch – (Virginia) State struggles with computer failures. A massive computer failure is crippling Virginia government, knocking out Web sites, blocking the issuance of driver's licenses, preventing the processing of jobless benefits, and delaying welfare payments. The outage, flaring August 25 and expected to disrupt some services through the weekend, is attributed to 228 malfunctioning servers, which supply shared software and applications to clusters of state agency computers. Twenty-six of more than 80 state agencies were hit by the shutdown, including the office of the governor. The incident is the latest embarrassment for Virginia Information Technologies Agency (VITA) and Northrop Grumman, the company the state hired in 2005 to provide computer and communications services under a $2.3 billion contract — Virginia's richest-ever privatization deal. VITA and the firm have quarreled for months over shoddy, expensive service. This past spring, VITA and the company announced a new agreement giving an additional $236 million to Northrop Grumman in return for a pledge of better service. Source:


Banking and Finance Sector

11. August 27, Gainesville Sun – (Florida) Luis Orlando Martinezroque accused of using information gathered by credit card skimmers. A man accused of illegally using information gathered by credit card skimmers at Gainesville, Florida gas stations has been booked into the Alachua County jail. The 24-year-old suspect, of Orlando, was arrested August 24 in Orange County on charges of identity theft and scheming to defraud. Gainesville Police requested that the suspect be extradited to Gainesville. He is under investigation by police, the Alachua County Sheriff's Office, and the U.S. Secret Service in connection with skimmers found earlier this summer. Investigators said about 30 people have reported finding fraudulent charges on their credit cards after buying gas at area stores where skimmers were found. The skimmers were small electronic devices placed inside pumps to gather credit card information surreptitiously from unsuspecting consumers. Information "skimmed" from the card when it is swiped at the pump can then be used or sold. A week ago, industry officials and local investigators said the skimmers might have been the work of international crime rings. The suspect was identified by surveillance videos and a witness. Source:

12. August 27, KNXV 15 Phoenix – (Arizona) 'Bad Tooth Bandit' strikes again. Police are investigating a bank robbery in Phoenix, Arizona that they said may be the work of the "Bad Tooth Bandit" who is wanted in connection with several other heists. According to a Phoenix Police Department spokesman, a Wells Fargo bank located inside the Albertson's store near Tatum and Shea boulevards was robbed around 5 p.m. August 26. It is unclear if the suspect was armed during the incident. The spokesman said officers searched the surrounding area for the suspect, but were unable to locate him. Police are reportedly investigating if the man is the "Bad Tooth Bandit," who is responsible for other robberies around the valley. Source:'bad-tooth-bandit'-strikes-again-police-investigating-bank-robbery-in-phoenix

13. August 26, New York Times – (International) Young girl among those hurt by acid in letters. An 8-year-old girl was among those injured by letters containing acid that were sent to the families of Geneva, Switzerland bank executives in recent days, the magistrate investigating the case said August 26. The girl was taken by ambulance to a hospital after she opened a box inside one of the letters and her hands were burned by concentrated sulfuric acid, the magistrate said by telephone from Geneva. Two adults were also injured, but apparently less seriously, by the letters, which targeted Geneva private bankers and their families, he said. The magistrate said that a total of eight letters containing acid were mailed to eight different addresses, in several cases the wives of executives at Geneva private banks. The letters were mailed from within Switzerland, but were routed through a central post office so it was not possible to say from where. The letters were sent August 22, the Swiss newspaper Tribune de Geneve reported. The motivation for sending the letters is not yet clear. Source:

14. August 26, KXTV 10 Sacramento – (California) Bomb squad inspects two potential explosives at Wells Fargo bank in Tracy. An evacuation at a strip mall in Tracy, California was lifted after the San Joaquin County bomb squad determined two possible explosive devices inside a car were smoke bombs, police said. The incident began about 10:40 a.m. August 26 when officials at the Wells Fargo bank on Valpico Road and Tracy Boulevard reported a man tried to deposit a fake check at the branch, said a Tracy police lieutenant. He said officers determined the check was fraudulent and arrested the 26-year-old suspect, of Lathrop. A search of the suspect's car turned up two loaded guns in the vehicle as well as black clothing, ski masks, and two devices that looked like explosives in his trunk. The suspect said the cylinders were bombs. Officers evacuated the bank as well as a Subway, a Supercuts and a yogurt shop in the area. The bomb squad determined the devices were the type used to place in a gas pipe to check for leaks. The suspect was arrested on weapons and bad check charges. Source:

15. August 26, Poughkeepsie Journal – (New York) Central Hudson warns of scam seeking credit card data. Customers of Central Hudson Gas & Electric Corp. are being warned about a scam discovered recently. People posing as Central Hudson employees are seeking credit card information over the telephone and via text messages, said a spokesman for the utility company. “Several calls were made to residents indicating a balance due on their Central Hudson account, or offering a discount on future utility bills for a one-time payment,” he said. “Several residents also received text messages on their cell phones advising them to reply with a ‘Yes’ or ‘No’ to obtain a discount on their utility bills.” These are neither authorized nor conducted by Central Hudson, and customers receiving these calls or messages are warned not to provide their utility account or credit card information. The spokesman said customers who get these inquiries should note the caller ID information and report the incident to police. Source:

16. August 25, Salt Lake Tribune – (Utah) Prosecutors: Mortgage worker got drunk, shot computer server. A Salt Lake City, Utah mortgage company employee allegedly got drunk, opened fire on his firm’s computer server with a .45-caliber automatic, and then told police someone had stolen his gun and caused the damage. The 23-year-old suspect has been charged in 3rd District Court with criminal mischief, a second-degree felony; carrying a dangerous weapon while under the influence and providing false information to police, both Class B misdemeanors; and public intoxication, a Class C misdemeanor. Salt Lake County prosecutors said the suspect called police August 12, claiming a man had stolen his gun and fired into the $100,000 computer server owned by RANLife Home Loans, located at 268 W. 400 South. However, investigators allege the suspect was drinking that night at a concert with a co-worker and had returned to his office afterward and shot the server. A probable cause statement alleges the suspect told police he had been “mugged, assaulted with his own firearm and drugged” by a mystery assailant. However, acquaintances of the suspect reportedly told police he had earlier been drunk, was armed and had threatened to shoot the computer and maybe himself. Source:

17. August 25, Pasadena Star-News – (California) 'Drywaller bandit' suspected of robbing two Pasadena banks. Authorities have linked two recent Pasadena, California bank heists to a robber the FBI is calling "The Drywaller Bandit." The gun-wielding crook is believed to have held up a Wells Fargo branch August 24 as well as a Citibank branch August 13, a Pasadena police lieutenant said. The banks are within 1 mile of each other. Because of the white dust mask worn during both crimes, "We're calling him 'The Drywaller Bandit,'" said an FBI spokeswoman. In both cases, police said, the robber was described as a white man in his 30s, of medium to heavy build, wearing a dust mask and a baseball cap and armed with a handgun. The robber stuffed the stolen money into cloth bags in both robberies, officials said. Source:

Information Technology

48. August 27, Computerworld – (International) Rootkit with Blue Screen history now targets 64-bit Windows. A new version of malware that crippled Windows PCs last February sidesteps safeguards designed to block rootkits from hijacking machines running 64-bit editions of Windows, researchers said August 26. "A new era has officially dawned; the era of x64 rootkits," said a Prevx researcher in a post to the company's blog. The updated rootkit, which goes by names including Alureon, TDL and Tidserv, is able to infect 64-bit Windows PCs. Both Prevx and Symantec have found evidence that hackers are actively using the rootkit. "The infection is spreading on the Web, by using both porn Web sites and exploit kits," he said, adding that U.K.-based Prevx spotted the new rootkit more than 1 week ago. Symantec's first sighting was August 25. The new rootkit sidesteps two important anti-rootkit protections Microsoft built into 64-bit Windows, Kernel Mode Code Signing and Kernel Patch Protection, also known as PatchGuard. The pair are designed to make it more difficult for malware to tamper with the operating system's kernel. Rootkits that overwrite the hard drive's master boot record, where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks, are essentially invisible to the operating system and security software. Source:

49. August 27, – (International) Russia, Turkey named 'most dangerous' web countries. Computer users in Turkey and Russia are at the greatest risk of online attacks, according to a recent report. Security firm AVG said the two nations had the highest concentration of attack attempts per citizen. The report compared attack attempts collected by its Threat Labs to the total number of users in a country. AVG said 1 in 10 of its Turkish users had been subject to an attack attempt this year. In Russia, 1 in every 14 users had been attacked. Ranking third on the list was Armenia, with 1 of every 24 users subject to attack, followed by Azerbaijan and Bangladesh. The U.K. ranked 31 on the list, with 1 in 63 users attacked. Users in the United States had a 1 in 48 chance of attack, earning it the ninth spot on the list. Among the safest countries to surf was Japan, which logged attacks on just 1 in every 404 users. Taiwan, Argentina and France were also noted for low attack levels. AVG's chief research officer said while the report reviewed risks residents take in visiting sites in their native countries and languages, users who are traveling in high-risk countries should exercise extra caution. Source:

50. August 27, SC Magazine – (International) Kaspersky Lab warns of advanced instant messenger threat. Warnings have been made about worms spreading via instant messaging (IM) clients. Kaspersky Lab said the new family of worms are multilingual and capable of infecting users via several IM clients simultaneously, including Yahoo! Messenger, Skype, Paltalk Messenger, ICQ, Windows Live Messenger, Google Talk and the XFire client for gamers. It said four variants of IM-Worm.Win32.Zeroll have been detected so far. Kaspersky Lab said once it penetrates a computer, the worm looks in the contact list of any IM client present and sends itself to all the addresses it finds. Infection occurs when a user follows what they think is a hyperlink in an IM to an interesting picture, that leads to a malicious file. IM-Worm.Win32.Zeroll also has backdoor functionality to gain control of a computer without the user's knowledge. Once it has penetrated a system, the worm contacts a remote command and control center, and after receiving its instructions, it starts downloading other malicious programs. Kaspersky Lab said it uses 13 different languages, including English, German, Spanish and Portuguese, sending users in various countries messages in a language that they will understand. At the present time, Mexico, Brazil, Peru and the United States have seen the greatest numbers of infections, but many instances have also been recorded in Africa, India and European countries, particularly Spain. Source:

51. August 26, eWeek – (International) Researchers warn of .Zip file spam surge. Security researchers are reporting an uptick in malware hidden in .zip files being sent out in spam to Web users. According to IBM's X-Force, there has been a significant increase in the number of spam messages with malicious .zip file attachments. "Normally we see that between 0.1 and 1.5 percent of all spam messages contain a .zip attachment … Since [the] beginning of August, the percentage of .zip spam has increased significantly," said a joint August 24 blog post by X-Force researchers. Sophos reported August 26 a widespread campaign of spam posing as e-mails from FedEx with subject lines such as "Fedex Tracking number" and "Fedex Invoice copy." As a lure, the e-mails mention a failed package delivery. Unlike many of the other FedEx-related malware attacks in the past, the e-mails' message about a failed delivery comes in the form of an image rather than text — possibly in an attempt to avoid anti-spam filters. Anyone who makes the mistake of opening the attachment is greeted with a Trojan. Sophos has not linked the FedEx attack to any particular botnet, but as of approximately noon EDT, the Trojan represented a third of the malware the company was seeing August 26, a Sophos researcher said. According to IBM, the increase during the past few weeks has not been tied to a single malware campaign or spam botnet, and there are a few different types of malware used. Source:

52. August 26, DarkReading – (International) Mariposa botnet operators didn't bite in 'cookie-stuffing' offer. The Slovenian man recently arrested for allegedly writing malware used to build the now-infamous Mariposa botnet also sold an additional feature for his bot software, a form of cookie fraud known as "cookie-stuffing." According to the researcher who helped take down Mariposa, the Spanish operators who purchased the bot software from the Slovenian man known as "Iserdo" and then built Mariposa, for some reason did not opt for the feature, which he offered for 200 euros, even though it would have increased their potential profits. "That was one module they didn't buy," said a technical director of PandaLabs, which teamed up with the FBI, Defence Intelligence, and Georgia Tech University researchers to derail the botnet in December of last year. "The most likely explanation is that they didn't even know what it was about. Otherwise, they could have multiplied the profit they were doing." Cookie-stuffing would have added another revenue stream for the Mariposa operators. This often-overlooked but lucrative form of crime is where a fraudster sticks his own cookies atop legitimate cookies planted for affiliate marketing purposes. Source:

Communications Sector

53. August 27, Reuters – (International) Car bomb explodes outside Mexico TV studio. A car bomb exploded in the northern Mexican city of Ciudad Victoria August 27 outside a studio of top broadcaster Televisa, but there were no injuries, Mexican media and witnesses said. Two witnesses saw the charred remains of a parked vehicle outside the TV studio in the city in Tamaulipas state, and Televisa's main morning news anchorman said nearby buildings were damaged, causing a power outage. No group was immediately blamed for the blast but drug cartels set off a car bomb in Mexico's most violent city Ciudad Juarez in July, the first of its kind, and another earlier this month in Tamaulipas in Mexico's escalating drug war. Source:

54. August 27, Anderson Independent-Mail – (South Carolina) Phone service working again in Abbeville County. Phone service that was out in areas of Abbeville County, South Carolina August 26 is now back up, according to the South Carolina Emergency Management Agency. Service for phone numbers with the prefix 459 or 447 was out of order in some areas, causing a disruption of emergency phone service, according to the South Carolina Emergency Management Division. Service was restored that evening. Source:

55. August 26, Steamboat Springs Pilot & Today – (Colorado) Jackson County communication severed after fiber optic line was cut. The Walden, Colorado area mostly was isolated from outside communication the afternoon of August 26 because of a cut fiber optic line. Officials reported that residents in the area could call one another but could not call out of the area or reach 911 services. Phone service was interrupted from about 1:30 to 6:30 p.m. Routt County Emergency Management's director said Jackson County officials notified his office of the outage. Jackson County communications workers asked to route 911 calls to the Routt County Communications center, and Routt County officials agreed, but the patch did not work. Emergency services in the area still could use radios to communicate and process some information through Routt County dispatchers. Most cell phones in the affected area also were not usable because they are routed from cell towers to the fiber optic line. That is especially common in rural areas, Routt County's communications director said. No 911 calls made it from Jackson County to his dispatchers. Source:

56. August 26, Associated Press – (South Dakota) Alltel service restored in Western SD. A South Dakota Public Utilities commissioner said Alltel has restored cellular service in the western part of the state after a 12-hour outage. The outage began about 3 a.m. August 26, and stretched from Pierre to Rapid City. Thousands of Alltel customers lost the ability to make voice calls, though they could still text. The state public utilities commission chairman said service was restored about 3 p.m. that day. The outage appears to have been caused by a technical problem, but the chairman said his commission will look into the incident. Source:

57. August 26, – (National) Smartphones add to Wi-Fi data deluge. The demand for mobile connectivity is pushing the amount of data being sent over Wi-Fi networks ever higher, new figures from wireless network access firm WeFi reveal. Among the main findings of the WeFi Analytics Report Q2/2010: An Analysis of Global Wi-Fi, was a massive rise in the amount of data being sent to and from smartphones over Wi-Fi. The Android platform in particular saw tremendous growth, with 30 percent of Android platforms consuming 500MB to 2GB of data and 20 percent going over 2GB. Breaking down the figures for Android phones further reveals that 35 percent of devices monitored were in the United States, while the U.K. accounted for just 6 percent. Symbian devices are also gobbling up data, according to the report, with 32 percent of devices running the platform consuming between 100MB and 500MB per month, up from 20 percent in Q1, while 10 percent use over 2GB on Wi-Fi connections. Source:

For another story, see item 42 above in the Top Stories