Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, September 7, 2010

Complete DHS Daily Report for September 7, 2010

Top Stories

• The discovery of a suspicious package at Miami International Airport September 2 brought out a bomb squad and forced the evacuation and closing of four terminals for about 7 hours, CBS and the Associated Press reported. Tests eventually concluded the package was not hazardous. (See item 19)

19. September 3, CBS & Associated Press – (National) Scientist in Miami Airport scare has rap sheet. The discovery of a suspicious package at Miami International Airport September 2 brought out a bomb squad and forced the evacuation and closing of four terminals for about 7 hours. Tests eventually showed that the passenger, the suspicious metal canister in his luggage, and his other belongings did not contain any hazardous biological material or explosives. But a senior law enforcement official indicated that the passenger who was detained in the incident was a scientist who had once been charged with illegally transporting bubonic plague. He was acquitted of the charges of transporting the potentially deadly germ in 2003. The scientist cooperated fully September 2 after he arrived on a flight from the Middle East, said the official, who requested anonymity because he wasn’t authorized to release the information. Most of Miami International was shut down September 2 after a Transportation Security Administration officer found what appeared to be a pipe bomb in the scientist’s luggage. Source:

• According to CBS 13 Sacramento, Folsom State Prison in Folsom, California remains locked down and could stay that way for weeks while authorities investigate the circumstances surrounding an August 27 riot that left five inmates wounded from guards’ bullets. (See item 43)

43. August 30, CBS 13 Sacramento – (California) Investigations launched into Folsom prison riot. Folsom State Prison in Folsom, California remains locked down and could stay that way for weeks while authorities investigate the circumstances surrounding the riot that left five inmates wounded from guards’ bullets. A Folsom prison lieutenant said the situation exploded when an argument broke out between two men on the handball court in the prison’s recreation yard August 27. The verbal altercation turned physical and escalated into a full-fledged melee involving more than 200 inmates. Officials called for backup from nearby California State Prison in Sacramento to help quell the riot. When the chemical agents had little effect, guards began firing rubber bullets at the participants. When even that failed to stop the brawl, guards used conventional firearms. In all, 60 prisoners were injured. Seven inmates needed hospitalization for their wounds; five from bullet wounds and two from assault injuries. Three inmates remain hospitalized in stable condition. The fight only lasted for 6 minutes, but it took 45 staff members about half an hour to calm the crowd. The investigations into the events leading up to the riot and the use of potentially lethal force could take weeks, and inmates could remain in lockdown until then. Source:


Banking and Finance Sector

16. September 3, SC Magazine – (International) Cyber criminals seek ‘full’ sets of credentials that trade for only a few pounds. Malicious software kits are available for under £2,000 on the Internet, while online bank logins trade for just £32. A report by RSA revealed that Zeus Trojan kits are now on sale for £1,944 in some cases. Basic kits for the SpyEye Trojan, which the RSA FraudAction Intelligence Team called “2010’s biggest Trojan innovation” and “the only commercially available banking Trojan able to challenge Zeus’ market-share,” are available for under £700. A Firefox injection tool is available for anywhere between $1,000 and $2,000. RSA’s online fraud report for August said: “If you were to take a glimpse into the fraud black market, you would see that not only do cyber criminals trade stolen data, but they also offer a multitude of tools and services for sale that enable others to harvest this information and/or monetize it. Examples of some criminal ‘product’ offerings would include fraudster call center services that ‘outsource’ fraudulent phone calls made to banks or merchants; information services that provide a rich set of personal and financial data on potential victims; phishing kits that target different banks; Trojan infection kits; and credit card checking services, just to name a few.” It also reported on how seasoned fraudsters are opting for the purchase of “Fulls,” which comprise the genuine cardholder’s information including online banking account (via username and password combination), billing address, credit card number, CVV2 code, expiration date, mother’s maiden name, date of birth and Social Security number. Source:

17. September 3, SC Magazine UK – (International) Heartland pays $5 million over 2008 intrusion to credit card provider. Heartland Payment Systems must pay $5 million to a financial services customer over the 2008 data breach. In a statement that describes the payment to Discover as an “intrusion settlement,” Heartland confirmed it will pay Discover $5 million to resolve “all issues related to the 2008 intrusion.” Heartland’s chairman and chief executive officer said: “We are pleased to have reached an equitable settlement with Discover.” The payments processor had already paid American Express $3.6 million over the same breach, while Visa agreed to cap its compensation demands to $59.2 million, according to Australia’s IT News. The Heartland incident was initially believed to have affected over 100 million cards, after intruders broke into the systems and planted malicious software to steal card data carried on the company’s networks. One estimate claims that as many as 130 million cards were affected. The incident led to a Colorado bank blocking all point of sale purchases on issued debit cards, while Heartland’s CEO called for better industry collaboration and information sharing. Source:

18. September 1, Infosecurity – (International) New Zeus campaign uses FedEx notice scam. Security firm McAfee has alerted the online community to a new Zeus botnet attack using bogus FedEx notification e-mails. A McAfee malware research scientist made note of the new Zeus push August 31 in a McAfee Labs blog posting. The scientist said the new spam campaign is linked to the Asprox botnet, which is spreading e-mails that use FedEx branding. The research scientist said these fake FedEx e-mails contain attachments that are really executables, with file names starting with FedExDoc or FedExInvoice. “Those attachments are recognized as the Bredolab Trojan,” wrote the malware research scientist, “which will download the Zeus component.” Zeus is the notorious Trojan delivered via e-mail files with .exe attachments, and is designed to make off with personal and banking information. The malware research scientist also added that several large U.S. banks are among targets of the fake FedEx e-mails, including Citibank, Comerica, USBank and Wells Fargo, in addition to several other banks in Europe, the Middle East, Asia, and South America. Source:

Information Technology

44. September 3, SC Magazine UK – (International) SQL injections dominated malware in 2010, as Gumblar botnet named as ‘the most significant malware development in years’. The number of IPS SQL injections increased substantially in the second quarter of 2010 following a downturn. Cisco’s global threat report for the second quarter revealed IPS SQL injection signature firings increased substantially in the period to coincide with outbreaks of SQL injection-compromised Web sites. It also claimed Asprox SQL injection attacks made a reappearance in June of 2010, after nearly 6 months of inactivity. A senior security researcher at Cisco said: “SQL reappears in this period, but we can predict with some certainty where the next wave of SQL injections are coming from using our statistics.” The report also found that 7.4 percent of all Web-based malware encounters in the first quarter of 2010 resulted from search engine queries, while nearly 90 percent of all Asprox encounters in June of 2010 were the results of links in search engine results pages. The researcher noted the data was collected from actual user clicks, and not overall detections. “This is based on actual users who encountered malware and on actual events ... we are reporting on actual events and I see that as a high figure and the only one that tops it is Gumblar.” The Gumblar “botnet” of compromised Web sites was first detected by ScanSafe as a collection of Web sites being used to distribute Web-based malware. Asked if it was still active, the Cisco researcher called it “the most significant malware development in years.” She said: “We took notice of trusted Web sites and the themes on the Web site, and Gumblar took it to a new level with botnets of compromised Web sites.” Source:

45. September 2, Threatpost – (International) Google releases Chrome 6 with 14 security updates. Google has released a new version of its Chrome browser and has included more than a dozen security fixes in the update. The new version, 6.0.472.53, was released 2 years to the day after the company pushed out the first version of Chrome. Google Chrome 6 includes patches for a total of 14 security vulnerabilities, including six high-priority flaws, and the company paid out a total of $4,337 in bug bounties to researchers who reported the vulnerabilities. A number of the flaws that didn’t qualify for bug bounties were discovered by members of Google’s internal security team. The new release of Chrome also fixes an older bug, a Windows kernel flaw, that Google had thought it fixed in a previous version. The highest bug bounty, $1,337, was paid to the user who discovered an integer error in WebSockets. A second high-priority flaw, a sandbox parameter deserialization error, was discovered by two members of Adobe’s Reader Sandbox Team. This is the first major release of Chrome since Google increased the rewards it pays to researchers who identify bugs in the browser. None of the bugs fixed in Chrome 6 qualified for the maximum reward of $3,133.7, which Google said it will pay out for bugs deemed to be SecSeverity Critical. Source:

46. September 2, Computerworld – (International) Northrop Grumman takes blame for Va. IT services outage. Northrop Grumman September 2 apologized for an outage that began August 24 and caused 26 Virginia state agencies to lose their Web services, some for more than 1 week. “Northrop Grumman deeply regrets the disruption and inconvenience this has caused state agencies and Virginia citizens,” the president of Northrop Grumman Information Systems said in a statement. The Virginia Information Technologies Agency (VITA) outsources the management of its data centers to Northrop Grumman through a 10-year, $2.4 billion contract that it signed in 2005. The outage affected 13 percent of the Commonwealth’s file servers. VITA’s contract with Northrop Grumman has been criticized in the past for a number of project delays, cost overruns and performance problems that included other service outages. Virginia’s governor has called for an outside investigation of the latest incident. On August 25, the failure of a storage area network (SAN) caused Web site outages at 26 of Virginia’s 83 state agencies. As of August 31, all but three agency sites had been restored, leaving the commonwealth’s Department of Motor Vehicles (DMV), the Department of Taxation and the state Board of Elections without services. At the root of the outage was an EMC DMX-3 storage array, the vendor’s flagship product, according to published reports. On September 1, the president of Northrop Grumman Information Systems said the failure wasn’t so much the memory card as it was the system in place to back it up. The company indicated it supports an independent inquiry and noted it would reimburse Virginia “for the reasonable costs of an assessment.” Source:

47. September 2, IDG News Service – (International) Hotmail suffers hours-long outage on Thursday. A technical problem kept an undetermined number of Windows Live Hotmail users locked out of their e-mail accounts for hours September 2. The problem, which started at around 3:30 a.m. U.S. Eastern Time, has affected “a small amount of customers,” a spokeswoman for Microsoft said via e-mail. She declined to be more specific about the number of people affected. “We are continuing to investigate the issue, but can confirm that the majority of customers that were affected are now able to access their Hotmail accounts,” she wrote. The outage apparently was large enough to warrant the posting of a prominent note at the top of the Windows Live Solution Center stating that Hotmail is experiencing log-in issues. The message remained on the page as of 7 p.m. September 2, meaning the problem is now entering approximately its 16th hour. Hotmail has about 355 million active accounts worldwide, the spokeswoman said, citing figures from comScore. Source:

48. September 2, DarkReading – (National) IPv6 transition poses new security threats. The countdown to the saturation of the IPv4 address supply is now down to a matter of months, and along with the vast address space of the next-generation IPv6 architecture comes more built-in network security as well as some new potential security threats. IPv6 has been in the works for over a decade now, but with the exhaustion of the IPv4 address space expected anywhere from spring to June of 2011, the long transition to the new IP may finally be on the radar screen for some organizations. Unlike its predecessor, the “new” protocol was built with security in mind: it comes with IPSec encryption, for instance, and its massive address space could help prevent worms from propagating, security experts said. But its adoption also poses new security issues, everything from distributed denial-of-service (DDoS) attacks to new vulnerabilities in IPv6 to misconfigurations that expose security holes. Some experts expect implementing DNSSEC in an IPv6 network to be simpler than in existing IPv4 networks. “It eases the transition to DNSSEC. IPv6 lets you migrate to DNSSEC much more easily than trying to do so on an old IPv4 stack. The concern with DNSSEC has been you’ve got a lot of legacy IPv4 equipment out there, and some of it is non-standard, which is very difficult” to integrate with DNSSEC, said the COO of Lumeta. Source:

Communications Sector

49. September 3, ChicagoNow – (Illinois) US Cellular customers lose Bus Tracker texting service. A US Cellular customer had problems getting Bus Tracker text alerts to his phone September 2. He wrote to Chicago Transit Authority customer service and got this response: “US Cellular customers are currently unable to use 41411 as of right now, due to a temporary outage between our vendor and US Cellular. However, you will regain access next week.” It turns out that the problem is not with the CTA Bus Tracker program. It seems that US Cellular customers are temporarily blocked from using any services supported by TextMarks, including CTA Bus Tracker two-way texting, said the spokesperson. TextMarks allows companies, churches and agencies like the CTA to communicate with large groups using a keyword. For the CTA, cell phone users can text CTABUS with the four-digit bus stop identifier, such as “CTABUS 5926” to the TextMark number 41411. The CTA would return next-bus time information for the northbound #8 Halsted at Halsted and 14 Place. “CTA first learned of this blockage when the complaint was received through CTA Customer Service,” the spokesperson noted. “It appears that US Cellular customers were blocked from TextMarks services beginning August 26 and are expected to have access restored sometime next week.” Source:

50. September 1, The Register – (National) Feds crack phone clone scam that cost Sprint $15m. Federal prosecutors have uncovered a scam that used tens of thousands of cloned cellphones to defraud Sprint out of $15 million in lost long distance revenue. The operation dates back to at least the latter half of 2009, when cellular customers began complaining that they were billed for international calls they didn’t make, according to court documents made public September 1. When Sprint employees looked into the matter, they discovered that many of the calls were made from hundreds of miles away from where the customers lived and within minutes of other calls made from the customers’ homes. Eventually, the Sprint investigators discovered that electronic credentials were used to make international calls that would have cost $15 million had they been billed at the going rate. What is more, many of the defrauded customers’ online accounts were breached so that changes could be made to passwords, international calling features and other settings. The fraud came to light in a criminal complaint that accused nine Sprint employees of illegally accessing customer accounts more than 16,000 times between January and June of 2010. Among the information they took were the MSID, or mobile station ID, and the ESN, or electronic serial number, that are used to uniquely identify each handset on the Sprint network. By plugging the credentials into new cellphones, people were able to make phone calls that were charged to the accounts of the defrauded customers. Source: