Apparently some individuals are trying to retrieve copies of DHS reports that are more than 10 days old. DHS only retains the last 10 days…no more. Please read the header above to learn how to obtain older reports.

Friday, October 8, 2010

Complete DHS Daily Report for October 8, 2010

Daily Report

Top Stories

•According to CNN, the Nuclear Regulatory Commission said it plans to improve security procedures in the wake of an investigation into an al Qaeda suspect’s 6 years of employment at several U.S. nuclear power plants. (See item 7)

7. October 6, CNN – (National) Al Qaeda suspect at nuke plants leads to promise of improved security. The Nuclear Regulatory Commission said it plans to improve security procedures in the wake of an investigation into an al Qaeda suspect’s employment at several U.S. nuclear power plants. The investigation by the commission’s inspector general was carried out at the request of two New York Congressional Democrats, after it emerged that the al Qaeda suspect had worked for 6 years at nuclear power plants in the Northeast, mainly the Salem/Hope Creek plant in New Jersey. The inspector general’s report, which is heavily redacted for security reasons, said the suspect had unescorted access to the sites where he worked. However, it notes he did not have access to “safeguards information” or computer systems. The commission defines safeguards information as that likely to have “a significant adverse effect on the health and safety of the public” if disclosed. The inspector general’s report said the suspect’s behavior should have raised suspicions. Source:

•The FBI announced that 89 law enforcement officers and 42 others in Puerto Rico were indicted for drug trafficking crimes October 6 in the largest police corruption investigation in the history of the agency. (See item 35)

35. October 6, Federal Bureau of Investigation – (Puerto Rico) Eighty-nine law enforcement officers and 42 others indicted for drug trafficking crimes. Eighty-nine law enforcement officers and 44 others in Puerto Rico have been charged in 26 indictments unsealed October 6 and returned by a grand jury in San Juan, Puerto Rico, during the month of September 2010, the U.S. Attorney General and a U.S. attorney for the District of Puerto Rico announced October 6. The defendants face charges ranging from conspiracy to possess with intent to distribute more than 5 kilograms of cocaine, attempt to possess with intent to distribute more than 5 kilograms of cocaine, and use of a firearm during the commission of a drug trafficking offense. The offenses charged cover a period from in or about July 26, 2008 until September 21, 2010. The arrests are the result of Operation Guard Shack, the largest police corruption investigation in the history of the FBI. Close to 750 FBI agents were flown in to Puerto Rico from across the country to assist in the arrests. Currently 129 individuals are in custody and four subjects remain at large. Source:


Banking and Finance Sector

12. October 7, Washington Post – (National) Loan chaos may pose wider peril. Millions of U.S. mortgages have been shuttled around the global financial system — sold and resold by firms — without the documents that traditionally prove who legally owns the loans. Now, as many of these loans have fallen into default and banks have sought to seize homes, judges around the country have increasingly ruled that lenders had no right to foreclose, because they lacked clear title. These fundamental concerns over ownership extend beyond those that surfaced over the past 2 weeks amid reports of fraudulent loan documents and corporate “robo-signers.” The court decisions, should they continue to spread, could call into doubt the ownership of mortgages throughout the country, raising urgent challenges for both the real estate market and the wider financial system. Source:

13. October 6, Bank Info Security – (Maryland) Ex-Fannie Mae contractor convicted. A federal jury in Maryland convicted a disgruntled software programmer for planting a virus on mortgage giant Fannie Mae’s computer servers in late 2008. The 36-year-old programmer, of Montgomery County, was charged with computer intrusion after inserting a malicious script. Had the malware not been discovered shortly after the programmer’s termination, it could have shut down Fannie’s systems completely for 1 week or more, and would have cost millions to repair and restore data on the firm’s nearly 5,000 servers. The programmer, an Indian citizen, had worked as a software engineer at Fannie Mae’s Urbana offices since 2006 and for 3 years was given access to all of the firm’s servers. According to testimony and evidence presented at trial, he was fired October 24, 2008 and told to turn in all of his Fannie Mae equipment, including his laptop. On October 29, a Fannie Mae senior engineer discovered a malicious script embedded in a routine program that was intended to execute January 31, 2009. The FBI agent investigating the case said the programmer allegedly embedded the destructive code, designed to wipe out all data across the network by overwriting the data with zeroes. Source:

14. October 6, Storefront Backtalk – (National) Skim scam: Did Aldi invite 11-state coordinated attacks? When a gang of thieves physically tampers with point-of-sale systems, the tampering is usually a local operation. But that may be changing. Discount grocer Aldi said October 1 it has found tampered payment-card readers in stores in 11 states, spread from the East Coast to Illinois. The retailer said the tampering was only in a limited number of its 1,100 U.S. stores, and all those stores were clustered near 10 cities — but the stolen data is being cashed out thousands of miles away. Part of what made the $70 billion global grocery chain so successful could be playing a key role in making it a cyberthief target today: the scarcity of store employees. The 10 areas hit with tampering were Chicago; Indianapolis; Pittsburgh; Philadelphia (including stores in New Jersey); Atlanta; Washington, D.C. (including stores in Virginia and Maryland); Rochester, New York; Hartford, Connecticut; Raleigh, North Carolina; and Charlotte, North Carolina. The retailer said that the skimming devices were probably placed during June, July and August. Source:

15. October 6, Bloomberg – (International) Russian cybercrime thrives as Soviet-era schools spawn hackers. The U.S. Department of Justice said it may have been the most sophisticated computer fraud ever. A 29-year-old in September pleaded guilty to participating in a worldwide hacking scheme that led to the illegal withdrawal of more than $9 million from cash machines worldwide operated by RBS WorldPay Inc., the U.S. payment-processing division of Britain’s Royal Bank of Scotland Group Plc. The conviction shed light on a growing trend from Russia. Just as the Russian president seeks to persuade investors his country is a safe place, more technology graduates are turning to cybercrime. The FBI last week charged 37 suspects from Russia, Ukraine and other eastern European countries with using a computer virus to hack into U.S. bank accounts. “The number of hackers reflects how many good engineers we potentially have in this country,” the president of Google Inc. in Russia said in a Bloomberg Television interview in Moscow. Russians committed more than 17,500 computer-related crimes last year, or 25 percent more than in 2008, according to the Interior Ministry’s latest statistics. Source:

Information Technology

37. October 7, Cnet News – (National) Keeping the masses safe on the Internet. Recognizing that all the technology in the world cannot protect the Internet from attacks, the security industry is targeting an education campaign at the weakest link — computer users. It is the first public service message of its kind in the United States and it’s simple: Stop. Think. Connect. The campaign was unveiled October 7 at Intel headquarters in California. It is part of Cyber Security Awareness Month, an annual event since October 2001, and was organized by the National Cyber Security Alliance, the Anti-Phishing Working Group (APWG) and more than two dozen government agencies and companies including Microsoft, Google, PayPal, RSA, Facebook, Visa, and Wal-Mart. The goal is to get security precautions to become second nature. A security frame of mind must be built into the culture of society and starting at the ground level with end users, said the deputy undersecretary for the national protection and programs directorate at DHS, speaking in a keynote address at the event. Source:

38. October 7, The New New Internet – (International) Anonymous strikes again; DDoS attacks Spain’s copyright society. After recently cyber assaulting anti-piracy advocates and threatening to attack until it “stops being angry,” hacker collective Anonymous has struck again. PandaLabs reported that Anonymous October 6 launched a DDoS attack against the Spanish copyright protection society. As of 2:30 p.m. October 7, PandaLabs had witnessed more than 20 service interruptions to the society’s site, as well as four interruptions to a second Spanish site. In a public statement to the media, Anonymous said: “The SGAE has a slogan ‘Believe in culture,’ while they restrict new creativity by preventing that creativity is shared. They lobbied this Canon Law, which states that suspected piracy websites can be taken down without a court order. This is a danger to freedom of speech, since any site can just be taken down with the excuse that intellectual property is hosted. The ‘Ministerio of Cultura’ should get a message that their current course will only lead to more controversy and protest.” While some have dubbed Anonymous “Internet griefers” and a “hate group,” PandaLabs calls the group’s actions an example of the first organized mass cyber protest on the Internet against entities that work to promote and enforce anti-piracy and copyright laws. Source:

39. October 7, ComputerWorld – (International) Microsoft pitches PC isolation ward to defeat botnets. Microsoft’s security chief October 6 pitched a plan that would block some botnet-infected computers from connecting to the Internet. A noted botnet researcher said the proposal did not attack the problem at its root, and like many technical solutions, was unlikely to do much good. In a paper published October 6, the individual who heads Microsoft’s trustworthy computing group spelled out a concept of “collective defense” that he said was modeled after public health measures like vaccinations and quarantines. Under the proposal, PCs would be issued a “health certificate” that showed whether the system was fully patched, that it was running security software and a firewall, and that it was malware-free. Machines with deficiencies would require patching or an antivirus update, while bot-infected PCs might be barred from the Internet. Quarantining PCs could be a last-step measure to keep compromised PCs from threatening others on the Web. Source:

40. October 7, Help Net Security – (International) The threat behind fake LinkedIn messages. Retarus sent out a warning in response to a current wave of fake contact requests via the social media platform LinkedIn. These well-simulated e-mail messages present a considerable risk to PC owners. Unsuspecting users are lured into a trap via the seemingly well-intentioned e-mails and their PCs are infected with malware in an attempt to gain access to personal information. The e-mails purport to be a contact request sent from the social media platform LinkedIn. Users who try to access the platform via the link are routed to an intermediary Web site — with the simple notification “Please waiting ... 4 seconds”. From there, they are then redirected to Google. In these 4 seconds the spyware ZeuS is downloaded in the background and secretly installed. Cyber criminals use this type of spam to gain access to personal information, such as access data for online banking. Social media spam is on the increase. Retarus analyses have shown that one in three spam e-mails is clearly sent in the guise of social networks. The managing director of Retarus warns, “Social media spam is particularly dangerous because the contents seem well-intended, and the original e-mails are so perfectly imitated, that lay persons are unable to identify them as fakes. Mail users who have defined social media platforms as safe senders, via whitelist entries in their spam filters, are especially affected.” Source:

41. October 7, TrendLabs Malware Blog – (International) File infector uses domain generation technique like DOWNAD/Conficker. Trend Micro has received reports from users about a new, dangerous file infector. This threat, detected as PE_LICAT.A, uses a domain generation algorithm, a technique last seen in WORM_DOWNAD/Conficker variants. This technique allows the file infector to download and execute malicious files from various Internet servers. Like WORM_DOWNAD, PE_LICAT.A generates a list of domain names from which it downloads other malicious files. The domain name generation function is based on a randomizing function, which is computed from the current UTC system date and time. This particular randomizing function returns different results every minute. According to an escalation engineer, whenever a file infected by PE_LICAT.A is executed, the malware generates a pseudorandom domain name, with the exact value depending on the system’s time. It then tries to connect to that domain name. If it is successful, it downloads and executes the file at that pseudorandom URL. If not, it tries up to 800 times, generating a “new” URL every time. This helps ensure that the malware will be able to keep itself updated, and even if one or more domains are taken offline, others can take their place. Source:
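Item 41 describes a time-seeded DGA that fails through many candidate domains before one resolves, which on the network side shows up as a burst of NXDOMAIN answers for random-looking names from a single host. The Python below is an added, defender-side example (not from the report, Trend Micro, or the malware’s actual algorithm): it parses a constructed resolver log and flags any client whose failed lookups of long, high-entropy names exceed an assumed threshold inside a short window.

```python
"""Flag hosts whose DNS activity looks like a DGA cycling through failed
candidate domains. The log format, IPs, names and thresholds below are
constructed for this example; a real DGA (PE_LICAT.A tries up to 800 names)
would typically exceed these thresholds by a wide margin."""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample resolver log, one query per line:
# "<ISO timestamp> <client IP> <queried name> <response code>"
SAMPLE_LOG = """\
2010-10-07T14:00:01 10.0.0.5 www.example.com NOERROR
2010-10-07T14:00:03 10.0.0.5 wwww.example.com NXDOMAIN
2010-10-07T14:00:02 10.0.0.9 qzjvkxwptrhd.com NXDOMAIN
2010-10-07T14:00:04 10.0.0.9 mwlfkdytgqrs.net NXDOMAIN
2010-10-07T14:00:07 10.0.0.9 hbxnzcvtqwoe.org NXDOMAIN
2010-10-07T14:00:09 10.0.0.9 ryptgmjvzkau.com NXDOMAIN
2010-10-07T14:00:12 10.0.0.9 dwqxlcbnfhsy.net NXDOMAIN
2010-10-07T14:00:15 10.0.0.9 gjtpqvkxmrza.com NOERROR
2010-10-07T14:05:00 10.0.0.7 en.wikipedia.org NOERROR
"""


def shannon_entropy(text):
    """Bits of entropy per character of the given string."""
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(qname, min_len=10, min_entropy=3.0):
    """Heuristic: the registrable label is long and has high character entropy.
    Typo'd or ordinary names ("wwww.example.com") stay below both limits."""
    labels = qname.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    return len(sld) >= min_len and shannon_entropy(sld) >= min_entropy


def parse_log(text):
    """Turn the log text into (timestamp, client, qname, rcode) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        events.append((datetime.fromisoformat(ts), client, qname, rcode))
    return events


def find_dga_bursts(events, window=timedelta(seconds=60), min_failures=5):
    """Return {client: details} for clients with >= min_failures NXDOMAIN
    answers for generated-looking names inside any sliding time window."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in events:
        if rcode == "NXDOMAIN" and looks_generated(qname):
            per_client[client].append(ts)
    flagged = {}
    for client, times in per_client.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            best = max(best, end - start + 1)
        if best >= min_failures:
            flagged[client] = {"failed_random_lookups": best,
                               "first": times[0], "last": times[-1]}
    return flagged


if __name__ == "__main__":
    for client, info in find_dga_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"{client}: {info['failed_random_lookups']} failed DGA-like "
              f"lookups between {info['first']} and {info['last']}")
```

The first successful resolution after such a burst (10.0.0.9 resolving gjtpqvkxmrza.com in the sample) is the connection worth pulling from proxy or flow logs, since that is where the described download would occur.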

42. October 6, DarkReading – (National) Fed study: 85 percent of agencies still not using CyberScope. CyberScope is supposed to be the federal government’s new standard tool for continuous security monitoring. So far, however, the vast majority of federal CIOs said they don’t understand the technology’s mission and goals, and only 15 percent have used it at all. The deadline for filing FISMA security compliance reports using the new CyberScope tool is November 15. According to a study published this week by MeriTalk, a government IT community, the few agencies that have implemented CyberScope give the tool high marks. But 85 percent of the federal IT executives surveyed said they have not deployed it yet. In fact, 72 percent of federal IT executives surveyed said they do not have a clear understanding of CyberScope’s mission and goals. Ninety percent do not have a clear understanding of the submission requirements. The survey results may surprise some in the federal IT space, where some agencies have begun to eschew complex, paper-based FISMA security compliance reporting projects in favor of the “continuous monitoring” concept, where CyberScope provides key functionality. Some 69 percent of survey respondents said they are unsure if this new approach will result in more secure federal networks. The report, underwritten by ArcSight, Brocade, Guidance Software, McAfee, Netezza, and immixGroup, suggests the Office of Management and Budget (OMB) “must increase communication, clarify submission requirements, and provide training for the reporting protocol shift in order to achieve CyberScope’s goals of enhanced oversight and reporting simplification.” Source:

43. October 6, The Register – (International) Facebook unveils changes to enhance privacy. Facebook October 6 rolled out new features designed to make people feel more comfortable putting photos, videos, and other personal data online. In a blog post, the Facebook CEO unveiled an overhauled version of Facebook Groups that allows users to share certain content with select people, rather than with everyone listed as a friend. Vacation photos, for instance, might be shared only with family members, and a team roster might be shared only with other members of one’s Fantasy Football league. It was one of three features the CEO announced. Also unveiled was a new dashboard that tells users at a glance how various Facebook apps are using their data. The panel shows all the apps a user has authorized, what data they use and when the data was last accessed. The CEO also said Facebook was adding a tool that allows users to download everything they’ve ever posted to the social networking site. The photos, wall posts, and other content is archived in a zip file that is downloaded only after a user has entered a password and answered “appropriate security questions.” Source:

44. October 6, TrendLabs Malware Blog – (International) EMEA spam growth, APAC infections, in Global 1H 2010 threat report. Trend Micro has released its Threat Report for the first half of the year. The report focuses on the global trends in online threats. Europe became the largest source of spam globally in the first half of the year. Commercial, scam-based, and pharmaceutical/medical spam accounted for 65 percent of the total number of spam worldwide. HTML spam was the most common kind of spam. There was significant growth in the number of malicious URLs, which increased from 1.5 billion at the start of the year to over 3.5 billion by June. North America was the leading source of these, while Asia/Pacific was the region with the most attempts to access these sites. The top URLs blocked by Trend Micro were adult Web sites. Trojans accounted for about 60 percent of the new patterns TrendLabs created in the first half of the year. Overall, 53 percent of all detections were Trojans. Most Trojans lead to data-stealing malware. India and Brazil were identified as the countries with the greatest number of computers that became part of botnets. The bots are used to distribute malware, perpetrate criminal attacks, and send out spam. The full threat report is at TrendWatch under the Threat Reports section. Source:

45. October 6, IDG News Service – (Massachusetts) Would-be Akamai spy busted by feds. An Akamai Technologies staffer was arrested October 6 and charged with wire fraud after he provided confidential business information to an undercover federal agent he believed to be working for an unnamed foreign government. The suspect was charged in federal court October 6 in a case that began in June 2006, when the 42-year-old employee in the finance department of the Cambridge, Massachusetts-based Internet content delivery company sent an e-mail to the consulate of a country referred to only as “country X” in the criminal complaint. In that e-mail, he expressed his desire to help that country with whatever information he could obtain in his position, which he acknowledged was limited to “invoicing and customer contact information.” The foreign consulate the suspect contacted turned his e-mail over to law enforcement authorities, and a little over 1 year later, he was contacted by an FBI agent posing as a representative of “country X.” Over the next 18 months, the suspect left confidential business information such as customer lists and contracts at a designated spot called a dead drop, acts captured via video surveillance. The suspect faces up to 20 years in prison if convicted. Source:

46. October 6, The Register – (International) Android phone auto reverts jailbreaks. A new Android smartphone from T-Mobile ships with hardware that thwarts jailbreakers by automatically restoring modified devices to their original factory state. The HTC G2, which began shipping October 5, reinstalls the original firmware when it is rebooted, much to the chagrin of would-be jailbreakers trying to root the device so they can run their own software and third-party applications not approved by T-Mobile. The discovery has generated howls of protest from those who believe that people who buy hardware devices ought to be able to use them however they see fit. Apple has long closed jailbreak holes in iOS updates, and Texas Instruments lobbed legal threats at a hobbyist who posted the cryptographic keys used to modify calculators. Google even has the ability to remotely install or uninstall apps on Android phones. But HTC seems to have upped the ante with a hardware-based approach to meddlesome users who have the gall – and often the expertise – to shun the self-serving restrictions put in place by device and OS manufacturers. It’s not entirely clear how the devices are able to reset themselves. A blogger speculates the new G2 “is using a firmware rewrite system to replace ‘/system’ mods with the ‘official’ firmware upon reboot.” A security researcher tells Threatpost much the same thing. Both say it’s too early to tell if there’s a way to defeat the rollback mechanism. Source:

Communications Sector

47. October 7, Daily Tar Heel – (North Carolina) UNC sees 110 Wi-Fi locations fail. The University of North Carolina is trying to find out what caused 110 campus Wi-Fi locations to lose access to the network October 5. The director of university networking systems said the problem began at about 3 p.m. when an engineer from one of the university’s two wireless access point manufacturers made a change on one of the devices. He declined to comment on whether an employee at Cisco Systems, Inc. or Aruba Networks was at fault. The outage lasted from 3 p.m. October 5 to about noon October 6. The report noted the vendor had “never seen that anywhere else before,” and that it was unknown how exactly the outages spread across the network from a single point. “Users should be getting anywhere from 50 to 100 megabytes per second,” he said. “They were only getting around two.” After the outage, network engineers began to visit each affected location and make configuration changes to the access points, according to a summary report sent by the networking systems director. The 110 locations represent a small portion — about 5 percent — of the university’s wireless network, which contains a total of 2,159 wireless access points. Source:

48. October 6, Time – (National) ‘Facebook isn’t working’ as outage hits some users. Facebook, the social network behemoth, confirmed that unspecified site issues resulted in the site acting slow or unavailable for some of its 500 million users. A spokeswoman wrote an e-mail to the Associated Press October 6 explaining the firm was working on the problem and followed up shortly afterward to say the issue had been resolved. Source:

49. October 6, IDG News Service – (National) Verizon’s LTE network to reach 38 cities this year. Verizon Wireless announced that 38 markets, including Los Angeles, Chicago and San Francisco, will get access to the high-speed LTE network by the end of 2010. However, the operator has not yet announced devices that will be able to work on the network. The president and chief operating officer of Verizon made the announcement during a keynote speech at the CTIA conference in San Francisco. The company planned a press conference about the news for October 6. The 38 markets will cover 110 million people “on the day we flip the switch,” he said. He expects the network to offer 8-megabit download speed for users. At launch, the networks will cover on average, 70 percent of the population in each market, he said. Verizon will also launch coverage in 55 airports, he said. Source: