Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, September 8, 2010

Complete DHS Daily Report for September 8, 2010

Daily Report

Top Stories

• The Associated Press reports that a former Army soldier seeking help for mental problems at Winn Army Community Hospital on Fort Stewart in Georgia took three workers hostage at gunpoint Monday before authorities persuaded the gunman to surrender peacefully. (See item 35)

35. September 6, Associated Press – (Georgia) Army: Ex-soldier takes 3 hospital workers hostage. A former Army soldier seeking help for mental problems at a Georgia military hospital took three workers hostage at gunpoint September 6 before authorities persuaded the gunman to surrender peacefully. A Fort Stewart spokesman said no one was hurt and no shots were fired in a short standoff at Winn Army Community Hospital on Fort Stewart, about 40 miles southwest of Savannah. Military officials said the hostages were able to calm the gunman and keep him away from patients until he surrendered. The gunman was arrested by military police. The gunman walked into the hospital’s emergency room at about 4 a.m. carrying four guns — two handguns, a semiautomatic rifle, and a semiautomatic version of a submachine gun, a senior Fort Stewart commander said. He had seen nothing to indicate the former soldier had previously sought treatment at the Fort Stewart hospital. Source:

• According to the Denver Post, wildfire fanned by heavy wind charred more than 3,500 acres in the foothills west of Boulder, forcing the evacuation of about 1,000 homes. More than 35 fire departments and agencies, including the U.S. Forest Service and the Colorado State Forest Service, responded to the blaze, which started about 10 a.m. Monday. (See item 60)

60. September 7, Denver Post – (Colorado) Blaze near Boulder ravages 3,500 acres, firefighters’ homes. Wildfire fanned by heavy wind charred more than 3,500 acres and an untold number of structures in the foothills west of Boulder on September 6, including the homes of four firefighters. A spokeswoman for the countywide coalition of fire departments tackling the blaze said the four firefighters had been relieved of duty. More than 35 fire departments and agencies, including the U.S. Forest Service and the Colorado State Forest Service, responded to the blaze, which started about 10 a.m. September 6 in the 7100 block of Fourmile Canyon Road, about 6 miles northwest of Boulder. About 100 fire crews were on the line September 6, with about 70 on standby. More local, state and federal aid was expected September 7, including four more air tankers to join the three that dropped fire retardant from about 5:15 to 8 p.m. September 6. Many structures were lost after winds gusting up to 45 mph buffeted flames in a pine forest. About 1,000 homes were evacuated. Shelters were set up at the North Boulder Recreation Center, New Vista High School, Nederland Community Center, and the Coors Events Center at the University of Colorado. The night of September 6, FEMA authorized the use of federal funds to pay for up to 75 percent of the cost of fighting the Fourmile Canyon fire. Source:


Banking and Finance Sector

16. September 7, The New New Internet – (International) First suspects charged under Jamaica’s new cyber law. Two men in Jamaica have become the first individuals in the country to be arrested and charged under the new Cyber Crimes Act, which was passed last December. The men were charged last week following an investigation that started August 28, Jamaica Observer reports. Earlier that day, the accused men were seen acting suspiciously in a car in front of an ATM in Manchester, which is located in the west-central part of the island. When police searched the men and the vehicle, they found electronic devices used to intercept transactions and to duplicate the PIN and other personal information of customers using the ATM. The men were charged under sections 3, 6 and 8 of the Cyber Crimes Act, and are to appear in court August 8. Source:

17. September 7, Sky News – (International) Fraud probe at UK money printing factory. One of the world’s biggest money printing factories is being probed by fraud investigators over dud banknote paper. De La Rue — which employs 600 people at its Overton factory in Hampshire, United Kingdom — has sent a file on some workers to the Serious Fraud Office. The probe will center on allegations staff faked certificates which verified the quality of banknote paper. The company has reported its findings to the relevant law enforcement agencies. The company said “appropriate disciplinary action” was being taken. The company is the world’s biggest supplier of banknotes, and paper to print it on, and has customers in 150 countries. Source:

18. September 7, Bank Info Security – (National) New vishing spree strikes U.S. In July, two phone-based phishing, or vishing, attacks hit residents in Provo, Utah. In August, 10 additional attacks were reported, incorporating a combination of vishing and text-message-based smishing scams, aimed at various communities scattered throughout the United States. The common factor: Perpetrators targeting customers of community banking institutions. “Recently, we’ve seen them pop up in low-fraud, small places,” hitting markets where consumers might not be so savvy or prepared for a socially engineered attack, says the individual who oversees client relations for FICO’s Card Alert Service, which provides decision management and predictive analytics solutions for card issuers. Vishing and smishing have replaced the traditional e-mail phishing attacks that were more prevalent three years ago, he says. Since January, the documented number of traditional e-mail or phishing attacks has significantly dropped. “What’s replacing them are these new waves of text and person-to-person scams,” he says, “and they’re not being tracked.” August’s vishing and smishing schemes hit residents in Elgin, Illinois; Long Island, New York; Binghamton, New York; New York’s Chautauqua and Cattaraugus counties; Bend, Oregon; Arkansas City, Arkansas; Rocky Mount and Henry County, Virginia; Auburn, Alabama; Texarkana, Texas; and Central Falls, Rhode Island. Rather than being generic, in most cases, the calls and texts identified specific institutions by name. Source:

19. September 7, The New New Internet – (Virginia) Stolen funds from University of Virginia recovered. The nearly $1 million that was stolen from a satellite campus of The University of Virginia in late August has been recovered, according to the school’s student newspaper. A September 2 report described how thieves stole the funds after hacking the computer of the university’s comptroller. The attackers used a virus to steal the online-banking credentials for the university’s accounts at BB&T Bank, and initiated a fraudulent wire transfer in the amount of $996,000 to the Agricultural Bank of China. The student newspaper The Highland Cavalier reported September 3 that the vice chancellor for finance and administration had alerted faculty and staff in an e-mail on August 27 that a hacking incident had occurred on campus. He said that no personal data had been compromised. The college’s director of news and media relations said the stolen funds have since been recovered. “No funds have been lost,” she told The Highland Cavalier. “We caught it early on.” Source:

For another story, see item 48 below in the Information Technology Sector

Information Technology

46. September 7, SC Magazine UK – (International) Twitter fixes cross-site scripting vulnerability that was used to distribute compromised links. Twitter has fixed a cross-site scripting (XSS) vulnerability that stole a user’s cookie to distribute compromised links. It was detected by a senior security researcher at Kaspersky Lab. He said that the exploit steals the cookie of the Twitter user, which is transferred to two specific servers and essentially, any account that clicked on the malicious links is compromised. The statistics for one of the malicious links show that more than 100,000 users clicked on the link. “All clues point to Brazil as the originating country for this attack. First, the two domain names used to get the stolen cookies are registered under Brazilian names. More than that, one of them is actually also hosted in Brazil,” he said. The malicious scripts were detected by Kaspersky Lab as Exploit.JS.Twetti.a, and it has blacklisted the URLs used in this attack. Twitter commented that the vulnerability is now fixed. Source:

47. September 7, Computerworld – (International) Microsoft investigates two-year-old IE bug. On August 3, Microsoft said it was looking into a long-known vulnerability in Internet Explorer (IE) that could be used to access users’ data and Web-based accounts. The bug can allow hackers to hijack Web mail accounts, steal data and send illicit tweets, said a Google security engineer in a message posted on the Full Disclosure mailing list. He also published a demonstration that showed how the flaw in IE8 could be used to commandeer a user’s Twitter account and send unauthorized tweets. The vulnerability, known as a “CSS cross-origin theft” bug, has a long history. Researchers at Carnegie Mellon University, who recently published a paper on the subject, have traced it back as far as 2002. Those researchers will present their paper at the Conference on Computer and Communications Security in October. Although Microsoft has not patched the vulnerability in IE8, other browsers, including Firefox, Chrome, Safari and Opera, have fixed the flaw. Google patched the bug in Chrome last January, while Mozilla did the same in July with Firefox 3.6.7 and Firefox 3.5.11. Source:

48. September 6, Help Net Security – (International) Every week 57,000 fake Web addresses try to infect users. Every week, hackers are creating 57,000 new Web addresses which they position and index on leading search engines in the hope that unwary users will click them by mistake. Those who do will see their computers infected or any data they enter on these pages fall into the hands of criminals. To do this, they use an average of 375 company brands and names of private institutions from all over the world, all of them instantly recognizable. eBay, Western Union and Visa top the rankings of the most frequently used keywords, followed by Amazon, Bank of America, Paypal and the US revenue service. These are the conclusions of a study carried out by PandaLabs, which has monitored and analyzed the major blackhat SEO attacks of the last three months. Some 65 percent of these fake websites are positioned as belonging to banks. For the most part, they pose as banks in order to steal users’ login credentials. Online stores and auction sites are also popular (27 percent), with eBay the most widely used. Other financial institutions (such as investment funds or stockbrokers) and government organizations occupy the following positions, with 2.3 percent and 1.9 percent respectively. The latter is largely accounted for by the US revenue service or other tax collecting agencies. Payment platforms, led by Paypal, and ISPs are in fifth and sixth place, while gaming sites — topped by World of Warcraft — complete the ranking. Source:

49. September 6, Sophos – (International) TechCrunch Europe serves up malware attack. The European website of TechCrunch, one of the world’s most popular blogs, appears to have fallen victim to hackers, who have planted a malicious script on their site, designed to infect unsuspecting visitors. TechCrunch Europe posted a message on its Twitter feed earlier today describing warnings about malware being distributed via the site as “annoying.” This is a rather unusual turn of phrase, which might suggest to observers that the warnings were erroneous rather than the result of a serious security problem. A closer examination of TechCrunch Europe’s site reveals that the offending code — which uses a malicious iFrame — is found in a JavaScript file, used by the site as part of its WordPress infrastructure. This attempts to serve up a malicious PDF file, exploiting a vulnerability that brings to a computer a nasty infection from the ZBot (also known as Zeus) malware family. Users of some web browsers may also be protected — for instance, Firefox. An engineer who works for TechCrunch in California contacted Sophos at about 10pm GMT August 6, to say that the malicious JavaScript code has been removed from the site, although it may take some time before browsers which rely on third-party blacklists stop warning about pages on the site. Source:
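One way a site operator could sweep a WordPress install's JavaScript files for the kind of injected hidden iframe described in the TechCrunch Europe item. This is an added example, not code from Sophos or from the original report; the sample JavaScript, the placeholder domain and the first-party allowlist are all constructed.

```python
import re

# Constructed sample: one legitimate line of site JavaScript followed by an
# injected line that writes a 1x1 hidden iframe pointing at an off-site host.
# The host is a placeholder (.invalid TLD), not the real one from the incident.
SAMPLE_JS = """
jQuery(function($){ $('.menu').on('click', function(){ $(this).toggleClass('open'); }); });
document.write('<iframe src="http://bad-example.invalid/x.php" width="1" height="1" style="visibility:hidden"></iframe>');
"""

# Constructed allowlist of hosts the site is expected to embed content from.
ALLOWED_HOSTS = {"techcrunch.example", "cdn.techcrunch.example"}

# Each indicator is a name plus a regex; a hit on any of them flags the line.
IFRAME_INDICATORS = [
    ("write_iframe", re.compile(r"document\.write\(\s*['\"]<iframe", re.I)),
    ("create_iframe", re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.I)),
    ("tiny_iframe", re.compile(r"<iframe[^>]*(?:width|height)\s*=\s*['\"]?[01]\b", re.I)),
    ("hidden_iframe", re.compile(r"<iframe[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none)", re.I)),
]
# Pulls the host out of src="http://host/..." or src="//host/..." attributes.
SRC_HOST_RE = re.compile(r"""src\s*=\s*['"]?(?:https?:)?//([^/'"\s>]+)""", re.I)


def scan_js(source, allowed_hosts):
    """Scan JavaScript text line by line for iframe-injection indicators.

    Returns a list of findings, one per flagged line:
    {"line": <1-based line number>, "indicators": [names], "external_hosts": [hosts]}
    where external_hosts are iframe src hosts not in the allowlist.
    """
    findings = []
    for num, line in enumerate(source.splitlines(), 1):
        hits = [name for name, rx in IFRAME_INDICATORS if rx.search(line)]
        if not hits:
            continue
        hosts = {h.lower() for h in SRC_HOST_RE.findall(line)}
        external = sorted(h for h in hosts if h not in allowed_hosts)
        findings.append({"line": num, "indicators": hits, "external_hosts": external})
    return findings


if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS, ALLOWED_HOSTS):
        print(f"line {f['line']}: {', '.join(f['indicators'])} -> {f['external_hosts']}")
```

Run it over every .js file under the site's document root; a line that hits several indicators and references a host outside the allowlist is worth pulling for manual review, while a single hit on a known third-party widget host is usually benign.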

50. September 6, All Facebook – (International) Massive new survey worm spreading on Facebook. A group of developers have found a loophole in Facebook’s application Platform which enables them to automatically post messages to a user’s wall. This loophole does not require any action by the user; it simply posts to the user’s wall the moment they load the application. Right now the messages being spread state “I thought this survey stuff was GARBAGE but i just went on a shopping spree at walmart thanks to FB.” This happens to be one of the fastest spreading scams ever seen on Facebook to date, and also one of the largest security glitches in the Facebook Platform. While All Facebook is not aware of any viruses that result from the system, it appears to be the standard offers system which is driving this scam. There appear to be thousands of applications that have been used as part of this scam, which will make it much more time consuming for Facebook to shut down the scammers. Source:

51. September 6, The Register – (International) Browser security warning lookalike pushes malware. Scareware peddlers have developed a new ruse that relies on mimicking browser warning pages. The malicious code — dubbed Zeven — auto-detects a user’s browser before serving up a warning page that poses as the genuine pages generated by IE, Firefox or Chrome. Prospective marks are warned that their systems are riddled with malware to trick them into running a fake anti-virus software package, called Win7 AV. The warnings are generated from malicious scripts planted on compromised websites. The social engineering scam hinges on the fact a user is more likely to trust a warning and security recommendation ostensibly generated from their browser software than a random “your security is at risk” pop-up. The Win 7 AV scareware package at the center of the scam is served from a site designed to look like the genuine Microsoft Security Essentials website. Source:

52. September 6, The H Security – (International) Flash Player as a spy system. If a forged certificate is accepted when accessing the Flash Player’s Settings Manager, which is available exclusively online, attackers can potentially manipulate the player’s website privacy settings. This allows a web page to access a computer’s webcams and microphones and remotely turn the computer into a covert listening device or surveillance camera. At the “Meta Rhein Main Chaos Days 111b,” a Fraunhofer SIT employee presented a scenario in which he used a man-in-the-middle attack (MiTM) to intercept the communication with Adobe’s Settings Manager. The Settings Manager itself is a simple Flash applet, and the Adobe pages load it into the browser as an SWF file via HTTPS — a fixed link to it is encoded into the browser. However, the MiTM attack allows attackers to inject a specially crafted applet which manipulates the Flash cookies (Local Shared Objects, LSOs) on the victim’s computer. Adobe has been informed about the problem and is considering whether to release a new GUI for the Settings Manager. Source:

For more stories, see item 55 below in the Communications Sector

Communications Sector

53. September 7, Omaha World-Herald News Service – (National) FCC to finalize rules. The U.S. Federal Communications Commission says it plans to finalize rules for the use of wireless Internet devices on unused TV airwaves, an initiative that has been touted by Google Inc., Microsoft Corp. and other technology companies. The FCC said that usage of so-called white-spaces spectrum is on its agenda for the commission’s next open meeting September 23. While the use of white-spaces spectrum was approved by the FCC in 2008, the initiative has since bogged down as proponents and critics argued over the best way to use vacated airwaves without interfering with other signals. Use of the vacated white spaces became possible thanks to the transition to digital TV transmissions. Google has made a concerted effort to lobby for the use of the white spaces, which could provide stronger wireless-Internet access than what’s currently available through Wi-Fi connections. Source:

54. September 3, Bloomfield Life – (New Jersey) Communications breakdown - in more ways than one. The municipal building in Bloomfield, New Jersey, was without phone and Internet service for an entire day September 1, although local Verizon officials are not entirely sure why the outage occurred. Service was lost around 8 a.m. and did not return until after midnight on September 2, according to the director of the township’s Information Systems Department. Municipal officials claim they were told a contractor accidentally cut through a fiber-optic line while digging in Morristown, causing the outage. But a media relations representative for Verizon said the company has no records of cables being cut. Verizon’s account manager for Bloomfield will work with the municipality to determine the cause. Emergency police and fire phone connections were operational during the outage. Despite the lack of phone, Internet and e-mail access, employees were able to continue working. Source:

55. September 2, DarkReading – (International) IPv6 transition poses new security threats. The countdown to the saturation of the IPv4 address supply is now down to a matter of months, and along with the vast address space of the next-generation IPv6 architecture comes more built-in network security as well as some new potential security threats. IPv6 has been in the works for over a decade now, but with the exhaustion of the IPv4 address space expected anywhere from spring to June of 2011, the long transition to the new IP may finally be on the radar screen for some organizations. Unlike its predecessor, the “new” protocol was built with security in mind: it comes with IPSec encryption, for instance, and its massive address space could help prevent worms from propagating, security experts say. But its adoption also poses new security issues, everything from distributed denial-of-service attacks to new vulnerabilities in IPv6 to misconfigurations that expose security holes. Source: