Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, August 31, 2010

Complete DHS Daily Report for August 31, 2010

Daily Report

Top Stories

•Typically associated with banking fraud, Zeus malware has recently been used to try to compromise government networks, and steal intelligence and defense data and information,according to the Information Warfare Monitor. (See item 49)

49. August 28, Information Warfare Monitor – (International) Crime or espionage? Zeus is a well known crimeware tool kit that is readily available online. Typically, Zeus has been associated with banking fraud. Recently, there have been a series of attacks using the Zeus malware that appear to be less motivated by bank fraud and more focused on acquiring data from compromised computers. The themes in the e-mails — often sent out to .mil and .gov e-mail addresses — focus on intelligence and government issues. After the user receives such an e-mail, and downloads the file referenced in the e-mail, his or her computer will likely (due to the low AV coverage) become compromised by the ZeuS malware used by the attackers and will begin communicating with a command and control server. It will then download an additional piece of malware, an “infostealer,” which will begin uploading documents from the compromised computer to a drop zone under the control of the attackers. What appears to be a one-off attack using Zeus, the author believes, is actually another round of a series of Zeus attacks. These attacks appear to be aimed at those interested in intelligence issues and those in the government and military, although the targeting appears to be general rather than targeted. Details of such an attack were recently posted on The e-mail used in the attack appeared to be from “” with the subject “Intelligence Fusion Centre” and contained links to a report EuropeanUnion_MilitaryOperations_EN.pdf that exploits CVE-2010-1240 in order to drop a Zeus binary. Source:

•CBS and The Associated Press report that federal officials are investigating an arson-fire that started overnight August 28 at the site of a new Islamic center in a Nashville, Tennessee suburb. (See item 69)

69. August 28, CBS & Associated Press – (Tennessee) Fire at Tenn. mosque building site ruled arson. Federal officials are investigating an arson-fire that started overnight August 28 at the site of a new Islamic center in a Nashville, Tennessee suburb. A special agent of the federal Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) told CBS News the fire destroyed one piece of construction equipment and damaged three others. Gas was poured over the equipment to start the fire. The ATF, FBI and Rutherford County Sheriff’s Office are conducting a joint investigation into the fire. WTVF reports firefighters were alerted by a passerby who saw flames at the site. One large earth hauler was set on fire before the suspect or suspects left the scene. Digging had begun at the site, which was planned as a place of worship for the approximately 250 Muslim families in the Murfreesboro area, but no structure had been built yet. The center had operated for years out of a small business suite. Planning members said the new building, which was being constructed next to a church, would help accommodate the area’s growing Muslim community. However, opponents of a new Islamic center said they believe the mosque will be more than a place of prayer; they are afraid the 15-acre site that was once farmland will be turned into a terrorist training ground for Muslim militants bent on overthrowing the U.S. government. Source:


Banking and Finance Sector

18. August 28, Associated Press – (National) Bank of America online banking down for 4 hours. Bank of America Corp. said its online banking service was down for about 4 hours August 27 but service has been restored. A representative for the nation’s largest bank declined to specify a reason for the outage except to say that it was a “temporary system” issue. She could not say whether the site has experienced a similar across-the-board outage before. The bank, based in Charlotte, North Carolina, said service was restored at around 5:15 p.m. EDT. The outage began at around 1:25 p.m. EDT. Some customers may still have trouble signing on because of the volume of people trying to access the site. Customers can also get account information from ATMs or banking centers. The representative said none of Bank of America’s 18,000 ATMs were affected by the outage. Source:

19. August 27, Bank Info Security – (National) Bank takes tough stand on fraud. An extreme decision made by one small bank in Utah to reduce fraud losses is not likely to become the norm. But the move by Provo, Utah-based Bonneville Bancorp ($34 million in assets) to block signature-based debit transactions in California, Georgia and Florida shows that banking institutions have avenues to pursue in their fight against card fraud. “I don’t think this decision to block entire states is indicative of a trend at all,” said a financial industry consultant and owner of PG Silva Consulting. “But I think it does show that banks have ways of combating fraud, even if it is heavy-handed, such as this move.” Bonneville Bank declined to comment on its decision; but according to the bank’s Web site, Bonneville announced July 6 that “high amounts of fraudulent card activity in California, Florida and Georgia,” pushed the bank’s leadership to cut off all signature-based debit transactions in those markets. Only PIN-debit will now be allowed. Signature-based debit transactions do not require the entry of a PIN. When the debit card is swiped, the transaction is run like a credit transaction, and therefore carries a higher interchange fee. But signature-based transactions also are more prone to fraud, because they do not have the second layer of authentication that the PIN provides. Source:

20. August 26, Bank Info Security – (National) ACH fraud: action plan in Oct. A working group created by the Financial Services Information Sharing and Analysis Center is working on developing best practices to fight corporate account takeover. These incidents, resulting from ACH and wire fraud against business accounts, have been the focus of industry experts for 1 year. The FBI said that at least one or two incidents [er weel of corporate account takeover are reported, resulting in financial losses for businesses and lawsuits against banks. An information security professional at a worldwide bank is leading FS-ISAC’s Corporate Account Takeover Working Group. Since the formiation of the 45-member task force in May, 31 financial services companies, including banks, have joined the group. Five industry associations, including the American Banking Association, the Independent Community Bankers Association, the Financial Services Roundtable technology arm BITS, NACHA and SWACHA, and eight government and law enforcement agencies have also joined the group. The group’s short term goals are a September 22 presentation at an FS-ISAC meeting on recommendations for advisories and best practices that will be presented during the National Cyber Security Alliance’s cyber awareness month in October. Source:

21. August 23, ZD Net – (International) ATM makers patch Black Hat cash-dispensing flaw. Two automated teller machine (ATM) manufacturers have shipped patches to block the cash-dispensing attack demonstrated by a researcher at the 2010 Black Hat conference. Hantle (formerly Tranax) and Triton released separate bulletins to address the issue, which lets a remote hacker overwrite the machine’s internal operating system, take complete control of the ATM and send commands for it to spew cash on demand. At the Black Hat conference, the researcher demonstrated two different attacks against Windows CE-based ATMs — a physical attack using a master key purchased on the Web and a USB stick to overwrite the machine’s firmware; and a remote attack that exploited a flaw in the way ATMs authenticate firmware upgrades. Source:

For another story, see item 61 below in the Communications Sector

Information Technology

56. August 30, Help Net Security – (International) Too many disclose sensitive information on social networks. Social networking users should be careful when accepting friend requests, and must be conscious of the data they share. According to a new study by BitDefender, social network users do not appear to be preoccupied with the real identity of the people they meet online or about the details they disclose while chatting with total strangers. The study revealed that 94 percent of those asked to “friend” the test profile, an unknown, attractive young woman, accepted the request without knowing who the requester really was. The study sample group included 2,000 users from all over the world registered on one of the most popular social networks. These users were randomly chosen in order to cover different aspects: sex (1,000 females, 1,000 males), age (the sample ranged from 17 to 65 years with a mean age of 27.3 years), professional affiliation, interests etc. In the first step, the users were only requested to add the unknown test profile as their friend, while in the second step, several conversations with randomly selected users aimed to determine what kind of details they would disclose. The study showed that more than 86 percent of the users who accepted the test-profile’s friend request work in the IT industry, of which 31 percent work in IT Security. It also found the most frequent reason for accepting the test profile’s friend request was her “lovely face” (53 percent.) After a half an hour conversation, 10 percent disclosed personal sensitive information, such as: address, phone number, mother’s and father’s name, etc –- information usually requested as answers to password recovery questions. Two hours later, 73 percent siphoned what appears to be confidential information from their workplace, such as future strategies, plans, as well as unreleased technologies/software. Source:

57. August 30, Computerworld – (International) American Eagle Outfitters learns a painful service provider lesson. As American Eagle Outfitters learned in July, even if a company does everything right to ensure disaster recovery and business continuity plans are in place, Murphy’s Law sometimes takes over. And problems can be compounded if one rely on an outsourcer for disaster recovery services. The multibillion-dollar clothing retailer suffered an 8-day Web site outage because its Oracle backup utility failed — and then an IBM disaster recovery site was not up and running as it should have been, according to a report from American Eagle did not dispute the basic account of what happened, though a spokeswoman said a few details were incorrect. According to a reporter from, which monitors retail Web sites, the outage began with a series of server failures. The reporter, who said he spoke with an unnamed IT source at American Eagle, said a storage drive failed at an IBM off-site hosting facility. That failure was followed by a secondary backup disk drive failure. Once the drives were replaced, the company attempted a restore of about 400GB of data from backup, but the Oracle backup utility failed, possibly as a result of data corruption. Finally, American Eagle attempted to restore its data from its disaster recovery site, only to discover the site was not ready and could not get the logs up and running. In an e-mail response to questions from Computerworld, an American Eagle spokeswoman said was “off track” by saying the retailer should have directed Web traffic to its mobile Web site. That is because the mobile site was also down. Source:

58. August 27, The Register – (International) Once-prolific Pushdo botnet crippled. Security researchers have disrupted the botnet known as Pushdo, a coup that over August 26 and 27 has almost completely choked the torrent of junkmail from the once-prolific spam network. Researchers from the security intelLigence firm LastLine said they identified a total of 30 servers used as Pushdo command and control channels and managed to get the plug pulled on 20 of them. As a result, the torrent of junkmail spewing from it dropped to almost zero August 26, according to figures from M86 Security Labs. Also known as Cutwail, Pushdo has long maintained a strong presence. It is known for spam that attempts to trick recipients into installing malware, and it also excels at hiding itself from intrusion-prevention systems, security researches have said. Its output has varied over the years with estimates as high as 20 percent of the world’s spam at some points. Pushdo was also notable for other technical feats, including its ability to pierce Microsoft Live by defeating its audio captchas. Source:

For another story, see item 63

Communications Sector

59. August 28, KGUN 9 Tucson – (Arizona) Power outage at KGUN 9 affects broadcast signal. A major storm August 28 hit the east side of Tucson, Arizona, striking the KGUN 9 studios with a lightning bolt, killing power. It happened at around 6:45 p.m. The power loss affected the over-the-air signal on KGUN 9 and KWBA. Source:

60. August 27, Mt. Carmel Daily Republican Register – (Illinois) Fiber line cut in Southern Illinois hits NewWave customers for hours. According to the vice president of marketing for NewWave Communications, a cut fiber optic line August 26 led to a 7-hour outage of Internet services, e-mail and cable television reception in Wabash County, Illinois. The outage was between McLeansboro and Enfield, Illinois, where a 24-count fiber line suffered the damage. “Most services were restored about 6 p.m.” he said. The outage affected about 4,500 customers, and occurred around 10:30-11 a.m. Source:

61. August 27, Canton Repository – (Ohio) Severed line causes phone outages. A third-party contractor working August 26 near a section of Cleveland Avenue NW in Canton, Ohio, accidentally cut through an AT&T line. The accident caused customers in areas near and north of 30th Street to lose phone and/or Internet service. An AT&T Ohio spokesman said he was not certain of the number of customers affected, but added the company had fielded more than 100 reports of loss of service. “The good news is the estimated time of restoral is (Saturday) afternoon,” he said. The Stark Federal Credit Union branch at 3426 Cleveland Ave. NW is among those without service. The chief executive said that the office was closed August 27 and may not open August 28, either. Source:

62. August 27, WINK 9 Fort Meyers – (Florida) 2 charged with stealing copper wire from Collier County tower. Information sharing between law enforcement agencies and detective work in Collier County, Florida, helped lead to the arrests of two men — including a career criminal — on multiple felony charges after deputies said the men stole copper wire from a communications tower owned by Renda Broadcasting in East Naples August 26. A 28-year-old man from Golden Gate, and a 32-year-old man from Golden Gate were each charged with burglary, grand theft $300 to $5,000 and possession of burglary tools. A search of the van turned up fresh-cut copper wire and cables, along with large bolt cutters, a pry bar and large channel lock pliers. The suspects were arrested and booked into the Collier County jail. The 32-year-old suspect was additionally charged with two felony counts of possession of a controlled substance after deputies found a small plastic bag containing Xanax and Oxycontin pills in his possession during the traffic stop, according to arrest reports. Source:

63. August 27, IDG News Service – (International) Research experiment disrupts Internet, for some. An experiment run by Duke University and a European group responsible for managing Internet resources went wrong August 27, disrupting a small percentage of Internet traffic. The damage could have been far worse however, and the incident shows just how fragile one of the Internet’s core protocols really is, security experts said. The problem started just before 9 a.m. Greenwich Mean Time August 27 and lasted less than half an hour. It was kicked off when RIPE NCC (Reseaux IP Europeens Network Coordination Centre) and Duke ran an experiment that involved the Border Gateway Protocol (BGP) — used by routers to know where to send their traffic on the Internet. RIPE started announcing BGP routes that were configured a little differently from normal because they used an experimental data format. RIPE’s data was soon passed from router to router on the Internet, and within minutes it became clear that this was causing problems. “During this announcement, some Internet service providers reported problems with their networking infrastructure,” wrote RIPE NCC’s in a note posted to the NANOG (North American Network Operators Group) discussion list. “Immediately after discovering this, we stopped the announcement and started investigating the problem. Our investigation has shown that the problem was likely to have been caused by certain router types incorrectly modifying the experimental attribute and then further announcing the malformed route to their peers.” Source: