Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, September 2, 2010

Complete DHS Daily Report for September 2, 2010

Daily Report

Top Stories

•The Washington Post reports that a standoff at the Discovery Communications building in Silver Spring, Maryland ended September 1 when authorities shot and killed the suspect holding three hostages, bringing a dramatic close to a tense situation 4 hours after it began, according to police and law enforcement sources. All three hostages are safe and there are no reports of injuries. (See item 58)

58. September 1, Washington Post – (Maryland) Discovery building hostage situation ends with suspect James J. Lee fatally shot. A standoff at the Discovery Communications building in Silver Spring, Maryland ended September 1 when authorities shot and killed the suspect holding three hostages, bringing a dramatic close to a tense situation 4 hours after it began, according to police and law enforcement sources. All three hostages are safe and there are no reports of injuries, said the Montgomery County police chief. Sources said the suspect is a man who railed against the Discovery Channel for years. Law enforcement officials fired at 4:48 p.m. because police “believed the hostages’ lives were in danger,” the police chief said. Police had been negotiating with the suspect for several hours, and spoke to him minutes before firing. An explosive device the suspect had in his possession appeared to go off, the police chief said. Police were working late September 1 to clear suspicious devices in the building. The standoff began at 1 p.m. after a man walked into the large office building waving a handgun and wearing what appeared to be metallic canisters on his chest and back. The police chief said most of the 1,900 people who work in the building were safely evacuated, including all of the children at the day-care center located there. He said some employees could still be on the upper levels of the building. A different official said the suspect previously protested outside the building. In a manifesto posted on a Web site, and in newspaper ads, he excoriated the Discovery Channel and protested it because the company’s programming had little to do with saving the planet. The suspect was arrested and charged with disorderly conduct after a February 2008 protest in front of the Discovery building. His probation for that arrest ended in the middle of August 2010.
The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) and FBI officials also responded to the September 1 incident. Discovery Communications Inc. operates cable and satellite networks in 180 countries. Source:

•According to KECI 13 Missoula, PPL Montana is reducing water level in Ennis Lake in Ennis, Montana as the first step in a plan to assess and repair the damage caused when a large boulder, about the size of a bus, broke loose and fell onto the Madison Dam August 30. (See item 66)

66. August 31, KECI 13 Missoula – (Montana) Safety top priority of PPL Montana after rock fall at Madison Dam. PPL Montana is reducing water level in Ennis Lake in Ennis, Montana as the first step in a plan to assess and repair the damage caused when a large boulder, about the size of a bus, broke loose and fell onto the Madison Dam August 30. “Safety of the public and employees is the top priority as we begin the response effort,” said the director of external affairs for PPL Montana. “The facility remains in a stable condition and there is no need for public action.” The immediate priorities of PPL Montana are to draw down Ennis Lake to reduce pressure on the dam while experts assess the status of a large section of rock remaining on the canyon wall above the dam. PPL Montana has increased the water release rate on the lower Madison River to 3,300 cubic feet per second, which will speed the drawdown and have a limited effect on downstream recreational uses of the river. To maintain recreational uses in the upper Madison River above Ennis Lake, PPL Montana proposes no flow reductions below Hebgen Reservoir at this time. Local law enforcement officials have closed the road to the dam at Trail Creek trailhead, in effect closing the Madison River immediately downstream of the dam to recreational uses. Source:

Banking and Finance Sector

8. August 31, DarkReading – (International) ‘BadB’ now charged in RBS WorldPay ATM case. A Russian man recently arrested for allegedly spearheading a global online identity theft trafficking operation has now also been charged in the RBS WorldPay ATM case, where cloned cards were used to steal nearly $10 million in less than 12 hours. The suspect, who also goes by the name “BadB,” was added to a list of eight Eastern European defendants who were charged in the case late in 2009, according to a report in Wired. The suspect, who was arrested in France earlier in August for 2009 charges of access-device fraud and aggravated identity theft, is considered one of the most prolific sellers of pilfered card information in the world. In an updated indictment, the suspect is charged with wire fraud and access-device fraud for his alleged role in the crime ring’s cashing out at ATMs around the globe with the phony, cloned debit cards during November of 2008. “[The suspect] was a casher who fraudulently withdrew RBSW funds from ATMs in or around Moscow, Russia,” the U.S. District Court of Georgia Atlanta Division indictment says. Source:

9. August 31, Houston Chronicle – (Texas) Bicycle bandit strikes two more Houston banks. The “bicycle bandit” bank robber has likely struck again, FBI officials said, pulling off two more heists at two different Houston, Texas financial institutions August 31. The latest holdups bring the bicycle bandit’s total of known Houston bank robberies to five. The robber first struck the JPMorgan Chase Bank at 7060 Highway 6 North at West Road and Sterling Bank at 15000 Northwest Highway west of West Little York a little more than 1 hour apart. In both cases, he got away. The suspect got cash in one of the incidents. He did not display a gun in either case, but handed over a threatening demand note to a bank teller and kept his hand on his waistband as if he was hiding a gun or reaching for a weapon. No injuries were reported in either incident. Source:

10. August 31, Pasadena Star-News – (California) Whittier bank evacuated due to suspicious powder. The Citibank branch at Whittwood Town Center in Whittier, California was evacuated August 31 after two employees broke out in rashes after coming in contact with a suspicious substance. The incident started at 5:15 p.m. after a person brought a bag of money into the bank at 15410 Whittier Blvd., a Los Angeles County fire captain said. Two tellers said they broke out in rashes on their forearms from a powdery substance on the money, he said. Five of the seven employees on the clock were exposed to the substance, and customers inside the bank at the time of the incident left, but were not exposed to the powder. The bank was evacuated, and at 6:46 p.m., Los Angeles County fire workers in hazardous materials suits entered the branch to test the substance. They could not determine what the substance was, according to a Los Angeles County fire inspector. Source:

11. August 31, Bank Info Security – (National) FDIC: 829 troubled banks. The Federal Deposit Insurance Corporation (FDIC) “Problem Bank List” rose to 829 in the second quarter of 2010. This number is up from 775 at the end of the first quarter, according to the federal regulator. The total assets of “problem” institutions declined from $431 billion to $403 billion. The FDIC said the number of troubled banks is the highest since March 31, 1993, when the number and assets of troubled banks was at 928. One bright spot in the FDIC’s latest announcement is that the increase is the smallest net increase since the first quarter of 2009. The increase in the number of banks on the list of troubled institutions is not surprising, given some parts of the country are still mired in the recession, the American Banking Association’s chief economist said. He noted that banks added another $27 billion in equity capital in the second quarter, and total industry capital is now just short of $1.5 trillion, but he also said the fragile economy still presents significant challenges. Not all banks that are on the list will end up failing. Industry analysts said the number of failed institutions is expected to peak in 2010 and is a lagging indicator of the country’s recovery. Source:

12. August 31, KOB 4 Albuquerque – (New Mexico) Mobile meth lab forces lockdown of buildings. The discovery of a mobile methamphetamine lab forced the lockdown of two buildings near Albuquerque, New Mexico’s Coronado Mall at 4 a.m. August 31. Albuquerque police said they pulled over a van and “the driver of the vehicle admitted there was a methamphetamine lab inside the vehicle.” Police blocked off the entire area around the First Bank Building, including Lewis University next door. Police said the risk was especially high for anybody in the area because of the type of chemicals used in the mobile meth lab. A special hazardous materials team was called in to help safely dispose of the chemicals. The area remained closed off for several hours. The buildings were reopened by mid-morning. The two people in the van were detained for questioning and subsequently one was arrested, charged with drug manufacturing and trafficking. A gun was also found during the search of the van and if the suspect is found to be a felon, he could additionally face charges of firearm possession. Source:

Information Technology

49. September 1, Help Net Security – (International) Corporate espionage for dummies: HP scanners. Web servers have become commonplace on just about every hardware device from printers to switches. Despite typically being completely insecure, such Web servers on printers/scanners are generally of little interest from a security perspective, even though they may be accessible over the Web due to network misconfigurations. A researcher was recently looking at a newer model of an HP printer/scanner combo and something caught his eye. HP has for some time embedded remote scanning capabilities into network-aware scanners, a functionality referred to as Webscan. Webscan allows one to not only remotely trigger the scanning functionality, but also retrieve the scanned image, all via Web browser. The feature is generally turned on by default with absolutely no security whatsoever. With over $1B in printer sales in Q3 2010 alone, and with many of the devices being all-in-one printers, running across an HP scanner in the enterprise is certainly very common. What many businesses do not realize is that their scanners may by default allow anyone on the LAN to remotely connect to the scanner and, if a document was left behind, scan and retrieve it using nothing more than a browser. As everything is Web based, an enterprising but disgruntled employee could simply write a script to regularly run the scanner in the hopes of capturing an abandoned document. Source:

50. September 1, The Register – (International) Survey scammers serve up supposed shelter from survey scams. Cheeky scammers are offering prospective marks an application that supposedly shields them from exposure to survey scams. Naturally, a user first has to fill in a survey to install the script, which is punted through Userscripts(dot)org. Odds are that even after jumping through these hoops, users will still be exposed to surveys and, possibly, left at a heightened risk of malware infection. “ ‘Only install scripts from sources you trust’ is on the install box for a reason,” a security researcher of GFI Security notes.

Survey scams are becoming increasingly common on social networks. Scammers (affiliates) profit from wasting surfers’ time with the Web 2.0 equivalent of e-mail spam. Often the spammers attempt to hoodwink users into signing up to premium rate SMS services. Source:

51. August 31, Computerworld – (International) Microsoft still mum on programs prone to DLL hijacking attacks. Microsoft August 31 again abstained from naming which of its Windows programs, if any, contain bugs that could lead to widespread “DLL load hijacking” attacks. Also August 31, the company published an automated tool to make it easier for users to block attacks exploiting vulnerabilities in a host of Windows applications. The DLL load hijacking vulnerabilities exist in many Windows applications because the programs do not call code libraries — dubbed “dynamic-link library,” or “DLL” — using the full pathname, but instead use only the filename. Criminals can exploit that by tricking the application into loading a malicious file with the same name as the required DLL. The result: Hackers can hijack the PC and plant malware on the machine. Although Microsoft again declined to call out its vulnerable software, outside researchers have identified as potential targets a number of its high-profile apps, including Word 2007, PowerPoint 2007 and 2010, Address Book and Windows Contact, and Windows Live Mail. In another blog, an engineer with the Microsoft Security Response Center (MSRC) and an MSRC program manager, described how customers can deploy and use a tool Microsoft first offered August 23. That tool blocks the loading of DLLs from remote directories, such as those on USB drives, Web sites and an organization’s network, and is aimed at enterprise IT personnel. Source:
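As an added illustration (not part of the report, and not Microsoft's tool or any vendor code), the following Python models the behaviour item 51 describes: an application that asks for a DLL by bare filename is resolved through a search order, so a same-named file in a directory the user happens to have opened a document from can be picked up. The search order is a simplified model of Windows' SafeDllSearchMode order, the directory contents are constructed, and treating UNC paths as "remote" stands in for the mitigation that stops loading from remote directories.

```python
"""Simplified model of DLL search-order hijacking and its two mitigations.

Added example; the filesystem contents and search order are a constructed,
simplified model (app directory, System32, then the current working
directory), not a faithful Windows implementation.
"""
from __future__ import annotations
from pathlib import PureWindowsPath

# Constructed directory contents: which directories hold which files.
SAMPLE_FS = {
    r"C:\Program Files\App": {"app.exe", "core.dll"},
    r"C:\Windows\System32": {"kernel32.dll", "user32.dll"},
    # Share from which a document was opened; it also carries a DLL named
    # like one the application requests but does not ship itself.
    r"\\evil-share\docs": {"report.docx", "plugin.dll"},
}
SYSTEM32 = r"C:\Windows\System32"


def is_remote(directory: str) -> bool:
    """UNC paths (\\server\share) count as remote in this model."""
    return directory.startswith("\\\\")


def search_order(app_dir: str, cwd: str) -> list[str]:
    """Simplified SafeDllSearchMode order: app dir, System32, then CWD."""
    return [app_dir, SYSTEM32, cwd]


def resolve_dll(name: str, app_dir: str, cwd: str,
                fs: dict[str, set[str]] = SAMPLE_FS,
                block_remote_cwd: bool = False) -> str | None:
    """Return the directory a load of `name` would come from, or None.

    `name` is either a bare filename (the pattern item 51 calls vulnerable)
    or a full path (the safe pattern).  `block_remote_cwd` models the
    mitigation that drops a remote working directory from the search.
    """
    p = PureWindowsPath(name)
    if p.is_absolute():
        # Full path: no search at all; the file loads only from that directory.
        return str(p.parent) if p.name in fs.get(str(p.parent), set()) else None
    for directory in search_order(app_dir, cwd):
        if block_remote_cwd and directory == cwd and is_remote(cwd):
            continue  # mitigation: a remote CWD is never searched
        if name.lower() in {f.lower() for f in fs.get(directory, set())}:
            return directory
    return None  # no candidate found: the load fails instead of falling back


if __name__ == "__main__":
    app, cwd = r"C:\Program Files\App", r"\\evil-share\docs"
    print("bare name, no mitigation :", resolve_dll("plugin.dll", app, cwd))
    print("bare name, remote CWD blocked:",
          resolve_dll("plugin.dll", app, cwd, block_remote_cwd=True))
    print("full path requested       :",
          resolve_dll(r"C:\Program Files\App\plugin.dll", app, cwd))
```

The bare-name request for a DLL the application does not ship ends up loaded from the share, while either mitigation turns that into a failed load.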

52. August 31, TrendLabs Malware Blog – (International) New zero-day vulnerabilities imminent. An independent group of security researchers has announced that they will be releasing zero-day vulnerabilities, Web application vulnerabilities, and proof-of-concept (POC) exploits for patched vulnerabilities throughout September. Many high-profile vendors such as Adobe, Apple, Microsoft, and Mozilla are among those whose products will apparently have vulnerabilities revealed during the month. According to a Trend Micro researcher, the vulnerabilities to be announced refer to a collection of old and new ones primarily targeting Microsoft. The new vulnerabilities can be considered zero-day flaws and will leave users vulnerable until a vendor patch is offered and applied. However, the process may take some time. Until then, users should use any suggested workarounds. It is also believed that detailed information for recently released advisories will be published. It is possible the data released includes POC code, making exploits more likely. Exploit packs on malicious and compromised Web sites will probably include these new exploits as well. Any new information released during this period will likely be quickly exploited, putting more users at risk. High-profile applications like Internet Explorer (one of the programs that the researchers have indicated they will release a vulnerability for) can have exploit code released within hours of the POC code’s announcement. Portions of the many exploits already in the wild can be reused in any new exploit attack, further hastening the process. Source:

53. August 31, IDG News Service – (International) Alleged ransomware gang investigated by Moscow police. Russian police are reportedly investigating a criminal gang that installed malicious “ransomware” programs on thousands of PCs and then forced victims to send SMS messages in order to unlock their PCs. The scam has been ongoing and may have made Russian criminals millions of dollars, according to reports by Russian news agencies. Russian police seized computer equipment and detained a Russian “crime family” in connection with the crime, the ITAR-TASS News Agency reported August 31. Russian-language reports said that 10 people are expected to be charged and that tens of thousands of Russian-language victims were hit by the scam, which also affected users in Ukraine, Belarus and Moldova. The criminals reportedly used news sites to spread their malicious software, known as WinLock, which disables certain Windows components, rendering the PC unusable, and then displays pornographic images. To unlock the code, victims must send SMS messages that cost between 300 rubles (US $9.72) and 1,000 rubles. The scam is “very popular” in countries such as Russia at the moment, antivirus vendor Kaspersky Lab said in an e-mailed statement. Source:

54. August 31, IDG News Service – (International) Huge spamming botnet injured but still alive. A botnet responsible for a significant amount of spam has been crippled but may reconstitute itself in a matter of weeks, according to vendor M86 Security. The Pushdo or Cutwail network of hacked computers ranked in the top five or so botnets for spam, responsible for as much as 10 percent of all spam, said a product manager for M86 Security. The spam often advertises fake software, so-called designer goods and questionable pharmaceutical products. But security analysts with the computer security company LastLine took action recently, contacting ISPs that were hosting the command-and-control infrastructure for the botnet. About 30 servers at eight hosting providers were found to be supporting Pushdo. LastLine contacted the ISPs, and about 20 of the servers were taken offline, according to its blog. Some ISPs, however, were unresponsive. LastLine appears to have taken down parts of Pushdo and Cutwail, which work together, wrote a researcher of FireEye’s Malware Intelligence Lab, in a blog post. Pushdo is a Trojan. Once it infects a computer, it often downloads Cutwail, a piece of malware capable of spamming as well as downloading other bad programs. Source:

Communications Sector

55. September 1, TG Daily – (National) New system predicts solar storms - but ESA says satellites are safe. Researchers have developed a new method of predicting solar storms that they say could help to avoid power and communications blackouts. The next major solar storms are expected in 2012 and 2013 as part of the sun’s 11-year weather cycle. A 2008 U.S. National Academy of Sciences report estimated that modern reliance on electronics and satellite communications means a major storm could cause 20 times more economic damage than Hurricane Katrina. Up to now, solar weather prediction has been carried out manually, with experts looking at 2D satellite images of the sun and assessing the likelihood of future activity. But a team from the University of Bradford’s Centre for Visual Computing has now created the first online automated prediction system, using 3D images generated from the joint NASA/ESA Solar and Heliospheric Observatory satellite (SOHO). The Automated Solar Activity Prediction system (ASAP) identifies and classifies sunspots and then feeds this information through a model which can predict the likelihood of solar flares. The system is able to accurately predict a solar flare 6 hours in advance, said the team. According to the European Space Agency, there is little chance that satellites will actually be fried by solar storms. The agency is shortly to launch its first four operational Galileo satellites. Source:

56. August 31, De Soto Explorer – (Kansas) Schools experiencing phone outages have service restored. After more than 2 hours, phone service to five De Soto school district campuses in Johnson County, Kansas was restored shortly after 12:30 p.m. August 31. Several schools in the De Soto district began experiencing a phone outage around 10 a.m. Starside Elementary, Lexington Trails Middle School, De Soto High School, Mill Creek Middle School and Mize Elementary all experienced the loss of phone service. The cause of the outage was on AT&T’s end of the line, but the company failed to provide a definitive reason for the outage. Affected schools were still able to contact emergency services. Source: