Monday, September 27, 2010

Complete DHS Daily Report for September 27, 2010

Daily Report

Top Stories

 CNN reports federal authorities charged a Connecticut man with sending more than 50 anthrax hoax and bomb threat letters to recipients including government officials and buildings. (See item 26)

26. September 23, CNN – (National) Feds: Man sent more than 50 anthrax hoax, bomb threat letters. A Connecticut man was charged with sending more than 50 anthrax hoax and bomb threat letters to recipients including government officials and buildings, federal authorities said. A complaint charging the 43-year-old of Thomaston and Morris, Connecticut, was unsealed September 22, the Department of Justice said in a statement. The suspect has been in custody since he surrendered to authorities in North Dakota September 7. He appeared September 22 in federal court in North Dakota, where he agreed to be returned to Connecticut. “This defendant is alleged to have sent more than 50 letters nationwide, in which he threatened to kill numerous victims, by shooting them, bombing the buildings in which they work or exposing them to a substance that he claimed was, but was not, anthrax,” the U.S. attorney for the District of Connecticut said in the statement. The letters resulted in the evacuation of a post office, a town hall and a public school, he said. The suspect is charged with mailing threatening communications and with making threats through the mail to kill, injure or intimidate a person, or to damage or destroy any building by means of an explosive, authorities said. If convicted, he faces a maximum sentence of 10 years in prison on each charge. Source:

 According to the Associated Press, Minnesota and Wisconsin’s governors declared emergencies for large segments of their states September 24 due to flooding caused by heavy rain. The Wisconsin National Guard distributed thousands of sandbags to municipalities, and in Oronoco, Minnesota, more than a dozen homes near a dam were evacuated. (See items 64 and 66)

64. September 24, Associated Press – (Minnesota; Wisconsin) Flooding threatens cities in Wisconsin and Minnesota, forcing evacuation of dozens more homes. Flooding caused by heavy rain that has lashed parts of Minnesota and Wisconsin forced the evacuation September 24 of dozens of homes in the small city of Owatonna, where swollen waterways closed bridges and threatened to swamp neighborhoods. Five businesses in Owatonna, a city of about 24,000 residents 65 miles south of Minneapolis, were closed due to floodwater from two creeks and the Straight River, the Steele County commissioner said. The creeks were receding the morning of September 24 but the river was still rising. No injuries had been reported. Friday’s forecast called for dry conditions for much of the region, offering a breather for exhausted emergency personnel who have been working long hours to deal with the flooding. But some rivers and streams were likely to continue to rise from as much as 10.5 inches of rain September 23, and another storm was expected to creep into the region September 25. In southeast Minnesota, more than a dozen homes near a dam in the small town of Oronoco were evacuated for fear that torrential rains had weakened the dam. About 90 miles east of Owatonna in Arcadia, Wisconsin, emergency officials evacuated 343 homes September 23 as 3-foot floodwaters surged through the city’s downtown area. Nearly half of the city’s 2,400 residents were told to seek shelter elsewhere. Crews also worked to evacuate 80 homes in the nearby city of Black River Falls. The Wisconsin National Guard distributed thousands of sandbags to municipalities, including 20,000 to Arcadia and 10,000 each to Neillsville and Osseo. Minnesota and Wisconsin’s governors declared emergencies for large segments of their states September 24, and the Minnesota governor planned to tour flood-damaged areas September 24. Source:

66. September 23, WJFW 12 Rhinelander – (Wisconsin) Willow Reservoir at capacity, dam open. The Willow Reservoir near the town of Little Rice in Oneida County, Wisconsin, is almost at capacity. The National Weather Service Web site said the Willow Flowage is at the action stage, which means the dam is open to prevent the river from reaching the flooding stage. On the reservoir side, plants are visible underwater. According to the Wisconsin Valley Improvement Company Web site, just 6 months ago, the Willow Reservoir was more than 10 feet below where it is now. The Web site said that it is not the only reservoir that is near capacity; the Rainbow Reservoir near Lake Tomahawk is also at capacity. Both reservoirs flow into the Wisconsin River, where experts are urging people who live in any area near the river to be cautious. Source:


Banking and Finance Sector

15. September 24, Associated Press – (Florida) Fla. bank robbers strap bomb to abducted teller. A bank teller was kidnapped early September 24 from his home by robbers who strapped a suspected bomb to his chest and used him to steal money from a Bank of America branch near the University of Miami in Coral Gables, Florida, according to the FBI. The suspected explosive device was safely removed, and the teller was brought out of the bank shortly before noon. The device remained in the bank at midday and authorities were working to detonate it, said a lieutenant of the Coral Gables Police Department. A major South Florida thoroughfare, U.S. 1, was closed for hours in both directions at the height of rush hour. Three local schools were on lockdown as a precaution, and the University of Miami sent out a campus-wide alert. The incident began with a home invasion at an apartment complex in the suburb of Kendall, where the bank teller lived. Three suspects later took the teller to the Coral Gables bank, used him to steal an undetermined amount of cash, and then made a getaway in a stolen red Ford Mustang. Police were still investigating whether the teller was involved in the crime or just a victim. Source:

16. September 23, Associated Press – (Florida) FBI offers $40K reward for ‘Sundown Bandits’. The FBI is offering a $40,000 reward for information leading to the arrest of the so-called “Sundown Bandits” who have robbed six South Florida banks in recent months. The FBI said the robbers usually enter banks carrying weapons and wearing baseball caps. They also sometimes wear neckties and long-sleeved shirts. Both are described as black men between 25 and 30. They are called the “Sundown Bandits” because they strike near bank closing time. It is believed the same two have committed bank robberies in Miami-Dade, Broward and Palm Beach counties since December of last year. The most recent robbery was September 9 at a Wachovia branch in Boca Raton. Source:

17. September 23, Salt Lake Tribune – (Utah) Utah businesses told thieves stealing data at will. In the area of cybercrime, it’s the criminals who are winning. That was the message September 22 to a group of business representatives gathered in West Valley City, Utah, to exchange information about criminal activity, including the exploding rise in the harvesting of credit card and other data used to steal money from consumers and businesses. Organized crime enterprises, mostly from foreign countries, have the time and the money to defeat nearly every protection businesses have put in place on credit card transactions, said an executive vice president at ProPay, a Lehi company that provides payment services to businesses. Criminal investigations and lawsuits are time-consuming and often ineffective. Credit cards and other data are openly for sale on the Internet, he said. One site even guaranteed its products. “If you bought cards and they didn’t work, they’d overnight new ones to you.” He spoke to a meeting of the local chapter of InfraGard, an FBI program that began in Cleveland, Ohio in 1996 and spread nationwide. Local business representatives at the September 22 session were told that one solution would be for merchants to contract with specialized companies to process credit card information and guard that data. Even those companies remain under constant cyberattack. The president of the Utah InfraGard chapter said he witnessed an extortion attempt at ProPay, where he formerly was director of information technology. A Baltics-based criminal organization demanded $10,000 to protect the company from an attack, he said in an interview. The company went to the FBI and received information about those behind the attack, which was ultimately unsuccessful. Source:

18. September 23, Associated Press – (International) Romanian detained over eBay cyber fraud. Romanian authorities have detained a man suspected of committing cyber fraud worth $3 million against the company eBay Inc. Organized crime prosecutors said he is being investigated for “phishing” attacks against 3,000 eBay Inc. employees. They said September 23 that he allegedly stole the employees’ IDs and passwords in 2009 and accessed company files, including an application with the database of eBay clients and their transactions. He then used “phishing” sites to access the accounts of about 1,200 eBay users. Prosecutors also said he and some accomplices withdrew 300,000 euros ($400,000) from Italian bank accounts. Romanian authorities worked with the U.S. Secret Service and Italian authorities in this case. Source:

19. September 22, United Press International – (National) FBI: ‘Massive frauds’ uncovered. An FBI official told the U.S. Senate Judiciary Committee September 22 the bureau has uncovered “massive frauds” in its ongoing effort to fight financial crime. The assistant director who heads the FBI’s Criminal Investigative Division told the panel “the FBI has continued to uncover massive frauds, including newly identified Ponzi schemes.” New corporate fraud cases are up by 111 percent, he said, while high-yield securities frauds have grown by more than 200 percent. “In the last three years alone, the FBI has seen the number of mortgage fraud cases steadily climb from 1,200 in 2007 to over 3,000 in 2010,” the assistant director said. “Nearly 70 percent of these pending cases represent losses to financial institutions and other victims exceeding $1 million. In many of these cases the loss far exceeds $1 million.” Operation Stolen Dreams, a take-down of mortgage fraud schemes throughout the country, “demonstrates just how rampant mortgage fraud is in this country,” he said. Source:

20. September 22, Vancouver Columbian – (Oregon) $1,000 reward offered for ‘Where’s Waldo’ bandit. On September 22, one day after a man allegedly used a bomb threat to rob a Key Bank branch in the Tigard, Oregon area, FBI agents charged him with the holdup, dubbed him the “Where’s Waldo” bandit, and arranged for a reward of up to $1,000 for his whereabouts. The man, identified as a 29-year-old Portland, Oregon resident, allegedly told bank employees he had an explosive device and, as he left the bank, left a small box behind, according to a bulletin from an FBI spokeswoman. He also allegedly dropped a backpack near the bank. Experts with the metropolitan explosive disposal unit determined the box and backpack contained no explosives. The award for information leading to the suspect’s arrest and conviction is offered by the Oregon Financial Institutions Security Task Force, the bulletin said. The suspect is about 5 feet 8 inches tall, with an average build, perhaps weighing 200 pounds, the FBI spokeswoman said. He has short, thick dark hair and wore prescription glasses with thick black plastic frames. He also wore a striped shirt with a black T-shirt underneath. Source:

Information Technology

47. September 24, SC Magazine UK – (International) More than 6,000 Russian domains registered in two weeks as spam domains move back to .ru. Spammers are increasing the use of Russian domain registrars for their various spam campaigns with up to 600 domains registered at once. Detection by M86 Security of a continuous stream of newly registered .ru domains in spam e-mail has led to one third of all unique domains being a .ru domain. Almost all of the .ru domains are registered through two registrars, Naunet and, with spammers generally advertising each domain for only a few hours and registering new ones all the time. It said that in the last month from spam alone, it has seen over 4,000 .ru domains registered through Naunet. These are hosting a variety of spam Web sites including ultimate replica, Dr Maxman, online casinos, via grow and Eurosoft software. Although the spammed Web sites are generally non-malicious as they do not try to exploit vulnerabilities on the visitor’s machine, M86 said it has seen domains registered with both of these registrars used as controllers for the Zeus crimeware kit. Naunet was recently used to register domains used as control servers for the Asprox botnet, although these were done on a much smaller scale than the spam domains. Source:

48. September 24, SC Magazine UK – (International) Gartner: Difficulties in monitoring outsourced applications could lead to undetected access from within the provider. It can be difficult to monitor internal and external interception inside outsourced applications. A Gartner Research vice president said that if applications and services are to be put into the cloud, they need to be properly monitored for malicious activity. He said that with cloud-based monitoring, five things can be put in but then there are “five blind spots,” and security managers need to make sure that they are part of the decision for monitoring requirements. Asked if providers should offer event monitoring as a service, he said: “Take a managed security service provider (MSSP), a cloud provider who delivers a service via the Internet using service infrastructure and using Internet technology in a scalable shared environment.” “You can slap the cloud label on the MSSP if you like, I think the monitoring issue at the application layer is what I described — you need to get the cloud application provider to generate the audit trail that you require. If you look at other layers in the stack the problem is different, if you use the Amazon environment you can use their servers, and their images are going to produce logs like any server would, you should be able to pick those up.” Source:

49. September 24, The H Security – (International) Vulnerability exploited by Stuxnet discovered more than a year ago. One of the vulnerabilities exploited by the Stuxnet worm was apparently not all that new. The printer spooler vulnerability was described in an article in the April 2009 edition of hakin9, a Polish publication that is fairly well known in hacking circles. The article was entitled “Print your Shell”. The security specialist who wrote the article also published a demo exploit for the vulnerability. Microsoft fixed a vulnerability in the printer spooler last patch day and stated that Stuxnet was exploiting the vulnerability to spread across networks. Microsoft has also confirmed that the vulnerability in question was indeed that described by the security specialist. It is not clear why the vulnerability was ignored for so long. After analyzing the Stuxnet worm, Kaspersky and Symantec had stated that the vulnerability was new. Source:

50. September 23, Computerworld – (International) Hackers exploit latest Microsoft zero-day bug. Microsoft has warned users that hackers are exploiting the unpatched bug in ASP.Net to hijack encrypted Web sessions. In a September 20 update to a previously-published security advisory, Microsoft said that it was seeing “limited, active attacks at this time.” Symantec said it had not seen any attacks, however. The company did not set a delivery date for the fix. “We will be releasing a patch on Windows Update, so all machines will get it,” said the Microsoft executive who runs the ASP.Net development team. Until the company releases a fix, the executive continued to urge Web site and application developers to plug the hole with a temporary workaround that involves editing the “web.config” file. SharePoint Server 2007 and SharePoint 2010 are also vulnerable to ASP.Net attacks, said Microsoft. The SharePoint team has published different web.config editing instructions for its collaboration software. “The publicly disclosed exploit can be used against all types of ASP.NET applications,” the executive said in an FAQ he posted September 20. Source:

51. September 22, USA Today – (International) Free anti-virus protection spurs more robust options. No-cost basic anti-virus (AV) protection is fast catching on. A recent Morgan Stanley survey of 2,500 U.S. consumers showed 46 percent of the respondents used free anti-virus products. This trend is expected to continue. Anti-virus giants have begun stepping up marketing campaigns to convey why full AV suites, priced from $30 to $80 for 1 year’s worth of continuously updated protection, are well worth the money. “Freeware vendors have created a false perception that free, basic security is enough to protect you from today’s online threats,” said the president of Symantec’s consumer business unit. “The reality is, free is not enough. It’s like wearing a light windbreaker in a snowstorm.” A USA Today survey of 16 anti-virus companies shows that no-cost anti-virus programs generally lack important features such as a firewall, Web site health checks, automatic updates, and customer support. Symantec, McAfee and most others, for instance, incorporate technology designed to predict, rather than react to, new attacks. Complicating matters, a thriving “scareware” criminal industry revolves around mimicking free infection scans of a user’s PC, a promotional tool used by legitimate AV vendors. Source:

For another story, see item 18 above in the Banking and Finance Sector

Communications Sector

52. September 24, Government Computer News – (Mississippi) Mississippi system controls cell phone use in prison without jamming signals. Mississippi State Penitentiary officials appear to have taken a big step toward solving the problem of cell phone use within prisons without violating federal law against jamming radio signals. Earlier this month, the state’s department of corrections announced it had signed an agreement with Global Tel Link and Tecore Networks to immobilize illegal cell phones used by inmates at the state penitentiary in Parchman, according to an Associated Press report in the Kansas City Star. The system employs radio frequencies to intercept unauthorized transmissions, but allows authorized and 911 calls to go through. More than 216,320 texts and cellular phone calls have been blocked from being delivered inside Parchman since August 6, according to a report in the Clarion Ledger in Mississippi. Tecore’s marketing vice president told AP the system checks all calls before blocking or allowing them. “Any cell phones brought in register with our system before they go out to the tower of the commercial cell carriers,” he said. “It will go through our system first and go through the database and see if it is an authorized phone. If it is, it’ll be sent out to complete the call, but if it’s not, it’ll be held by our system.” The system amounts to access control, rather than the jamming of signals, which is something prison officials have asked for but so far been denied. A 1934 law forbids anyone but federal agencies from jamming public airwaves. Source:

53. September 23, WSPA 7 Spartanburg – (South Carolina) Thieves steal copper from cell phone towers. The Greenville County Sheriff’s Office arrested two men in connection to a series of copper thefts from cell phone tower locations in Greenville, South Carolina. Dating back to the first part of August, through mid-September, the men are accused of accessing the areas around cell phone towers and stealing copper wire and bars. Deputies said they would then take the copper to area scrapyards where they would sell it. One of the men, who was arrested September 18, faces three counts of Injury to Real Property to obtain Nonferrous Metals, two counts each of Criminal Conspiracy and Grand Larceny, as well as one count each of Unlawful Possession/Transportation of Nonferrous Metals weighing more than 25 pounds and Petit Larceny. The other, who was arrested September 22, faces three counts each of Injury to Real Property to obtain Nonferrous Metals and Criminal Conspiracy, as well as one count each of Grand Larceny and Petit Larceny. Source:

54. September 23, Nextgov – (National) Senator, first responders lay claim to open spectrum. If public safety agencies do not receive more spectrum or a system is not in development by September 2011, 10 years after the terrorist attacks on the World Trade Center and Pentagon, it would be a “sheer national embarrassment,” a U.S. Senator said at a hearing September 23. The Senator, D-W.Va., and chairman of the Commerce, Science and Transportation Committee, said the United States should have a nationwide, interoperable wireless broadband communications system. A Houston mayor echoed the Senator’s comments during her testimony. “It is unconscionable that 9 years after Sept. 11 and 5 years after Hurricane Katrina we still do not have a nationwide interoperable public safety broadband network,” said the mayor, who is chairwoman of the criminal and social justice committee for the U.S. Conference of Mayors. Public safety officials argued they need an additional 10 megahertz of spectrum that is available next to space they currently use so they can communicate without multiple devices. Public safety officials said a plan to sell the spectrum but have it available for public safety use during emergencies is not feasible. “[That] simply will not work for public safety,” said the police chief in San Jose, California. Source:

55. September 23, Government Computer News – (National) DNSSEC spreads slowly through government domains. Nine months after the deadline for federal agencies to implement DNS Security Extensions in their Internet domains, a little more than one-third have successfully deployed the security protocols, according to a new study. The study, conducted for the Internet security company Internet Identity, found that 38 percent of the federal domains tested had been digitally signed using the DNSSEC by mid-September. But 2 percent were incorrectly configured so that signatures could not be validated. The news was not entirely bad, said the president and CTO of Internet Identity. “It’s not as bad as I feared, but it’s not as good as I had hoped for,” he said. Source:

For another story, see item 47 above in the Information Technology Sector