Apparently some individuals are trying to retrieve copies of DHS reports that are more than 10 days old. DHS only retains the last 10 days…no more. Please read the header above to learn how to obtain older reports.

Wednesday, October 13, 2010

Complete DHS Daily Report for October 13, 2010

Daily Report

Top Stories

• According to the Houston Chronicle, the Houston school district has imposed strict rules for handling incoming mail after 17 schools discovered typewritten envelopes containing a suspicious, but non-harmful powder since October 8. (See item 33)

33. October 11, Houston Chronicle – (Texas) Amid white powder scare, HISD sets new mail rules. The Houston school district has imposed strict rules for handling incoming mail after more schools October 11 discovered typewritten envelopes containing a suspicious, but unharmful powder. On October 8, 13 schools in the Houston Independent School District received the envelopes. More envelopes were discovered by school officials at four other schools October 9 and 11. A field test done October 8 by the Houston Fire Department’s hazardous material unit indicated that the substance was cornstarch. The incident, while serious, had little impact on overall operations at the campuses. FBI officials believe each envelope is connected to an individual or a group of individuals. School officials have put in place new procedures for handling mail. All mail now must be screened and opened in an isolated area, and if an item is suspicious, the air handlers must be turned off, and the room must be evacuated and secured, said an HSID spokesperson. In addition, the person who handled the mail must be isolated, and the police should be notified, she said. School personnel also are being advised to open mail before or after school hours. The U.S. Postal Inspection Service also has implemented a special screening process for all HISD mail. Source:

• The New York Daily News reports that Al Qaeda in the Arabian Peninsula has urged attacks on U.S. government workers in crowded restaurants in Washington, D.C., according to a copy of a propaganda publication obtained by the SITE intelligence group. (See item 36)

36. October 11, New York Daily News – (District of Columbia) Terror threat to restaurants as Al Qaeda calls for attacks on government workers in D.C. The terror group tied to the Ft. Hood killings and the Christmas Day airbomber urge wannabe American jihadis to open fire on crowded restaurants in the nation’s capital to massacre U.S. government workers. The advice appears in “Inspire,” the latest issue of a slick propaganda publication by Al Qaeda in the Arabian Peninsula (AQAP). “A random hit at a crowded restaurant in Washington, D.C., at lunch hour might end up knocking out a few government employees,” a writer wrote in the 74-page jihadi how-to magazine. “Targeting such employees is paramount and the location would also give the operation additional media attention,” he added. According to a copy of the magazine obtained by the SITE intelligence group, AQAP also urged those bent on murdering for Islam to use everything from pickup trucks to improvised pressure-cooker bombs to kill. Source:


Banking and Finance Sector

17. October 12, SC Magazine UK – (International) New version of Bugat Trojan was payload in LinkedIn spam and not Zeus. Warnings have been made of a new version of the Bugat financial malware. Trusteer claimed that it was used in the recent LinkedIn phishing attack and unlike Zeus, which many assumed to be the payload of the emails, it is less well known and harder to detect. In the attack, LinkedIn users received emails reminding them of pending messages in their account that contained a malicious URL. When a victim clicked on the link they were directed to a fraudulent Web site where a Java applet fetched and installed the Bugat executable. The company claimed that the emergence of this new version of Bugat is similar in functionality to the Zeus, Clampi, and Gozi Trojans, and it targets Internet Explorer and Firefox browsers and harvests information during online banking sessions. The stolen financial credentials are then used to commit fraudulent Automated Clearing House and wire transfer transactions, mostly against small to mid-sized businesses, which result in high-value losses. Detection showed that Bugat is three times more common in the United States than in Europe, but its distribution is still fairly low. Source:

18. October 12, The New New Internet – (International) Massive phishing attack zones in on iTunes users. PandaLabs has discovered that iTunes has become a major target for hackers looking to steal credit-card data from the millions of users. Victims receive an email informing them they have made an expensive purchase on iTunes. The user, who has never made the purchase, is concerned by the email and tries to solve the problem by clicking on the fake link. After clicking the link, the victim is asked to download a fake PDF reader. Once installation is complete, the user is redirected to an infected Web page containing the Zeus Trojan, which is designed to steal personal data. This phishing attack was uncovered shortly after a similar phishing attack targeting LinkedIn users, which appears to have originated in Russia. This technique has been reported to the Anti-Phishing Working Group, which has started to block some of the Web addresses linked to in the fake email. Source:

19. October 11, Associated Press – (International) Gunmen storm Baghdad money exchange, kill 5. Iraqi officials say gunmen stormed a money exchange office in central Baghdad, killing five people in a brazen afternoon robbery. The police officials say three bystanders were also wounded in the October 11 heist in Baghdad’s busy commercial area around Rashid Street. The officials say those killed included the exchange office’s owner, his business partner and three customers. It was not immediately clear how much cash the assailants made away with. The officials spoke on condition of anonymity because they are not authorized to talk to the media.Violence has dropped in Iraq, but criminal activity has been on the rise, with a spate of brash daylight robberies of banks and jewelers in Baghdad this year. Source:

20. October 11, Washington Post – (National) Foreclosure logjam threatens Fannie, Freddie. A breakdown in the nation’s foreclosure process threatens to create billions of dollars in losses for federally controlled mortgage finance companies Fannie Mae and Freddie Mac, highlighting how improper actions by banks could impose new costs on taxpayers, said government officials and industry sources. In letters and in a conference call October 7, Fannie and Freddie told the lenders they would be on the hook for any losses the two mortgage companies might suffer as a result of flaws in the foreclosure process. Freddie has set a deadline of October 11 for banks to respond, according to the letter. The interim director of the Federal Housing Finance Agency said the two firms are trying to come up with a “tailored approach” to the debacle. In some of these meetings, administration officials have expressed concern about whether a nationwide moratorium on foreclosures would damage not only Fannie and Freddie but the fragile housing market as well. Source:

21. October 11, Wall Street Journal – (National) States to probe mortgage mess. A coalition of as many as 40 state attorneys general is expected October 13 to announce an investigation into the mortgage-servicing industry, an effort some of them hope will pressure financial institutions to rewrite large numbers of troubled loans. The move comes amid recent allegations that mortgage-servicers, which include units of major banks such as Bank of America Corp., submitted fraudulent documents in thousands of foreclosure proceedings nationwide. The banks say the document problems are technical — largely the result of papers approved by so-called robo-signers with little review — and do not reflect substantive problems with foreclosures. The attorneys’ general immediate aim is to determine the scale of the document problems and correct them. But several of them have said that the investigation could force the lenders and servicers to agree to mass loan modifications or principal forgiveness schemes. Other possibilities include financial penalties or changes in mortgage servicing practices. Source:

22. October 8, DarkReading – (International) PCI council offers guidance on point-to-point encryption. In a new document, “Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance” (PDF), the PCI Security Standards Council offers guidance on what organizations should look for when acquiring and purchasing encryption technology to protect credit cardholder data as it is authorized and transported into a database. Among other things, the new guidance helps clarify the concept of end-to-end encryption, offering the new moniker of “point-to-point encryption” (P2Pe). “The first thing you immediately notice when you begin to look at these things is that there’s really no standard for any of this stuff,” says the general manager of the PCI Council. “You’ve got many [vendors] out there extolling the virtues of their ‘end-to-end’ encryption solutions, and you’ve got lots of confusion from merchants saying, ‘Well, if I do this, then I’m OK, right?’ In an effort to straighten this stuff out, we’re looking to see if we can redefine that cardholder data environment and make this more meaningful for everyone out there.” During the past several years, some vendors have pitched end-to-end encryption as a way to eliminate the need to encrypt or tokenize database data for the purpose of PCI compliance. But as outlooks have matured, experts say, the question of how to encrypt data under PCI has become more complex. Source:

23. October 7, Krebs on Security – (National) Bill would give cities, towns and schools same e-banking security guarantees as consumers. In response to a series of costly online banking heists perpetrated against towns, cities and school districts, a Democratic senator from New York has introduced legislation that would extend those entities the same protections afforded to consumers who are victims of e-banking fraud. Under “Regulation E” of the Electronic Funds Transfer Act (EFTA) consumers are not liable for financial losses due to fraud — including account takeovers due to lost or stolen usernames and passwords — if they promptly report the unauthorized activity. However, entities that experience similar fraud with a commercial or business banking account do not enjoy the same protections and often are forced to absorb the losses. Organized cyber thieves, meanwhile, have stolen more than $70 million from small to mid-sized businesses, nonprofits, towns and cities, according to the FBI. Source:

Information Technology

52. October 12, Wall Street Journal – (International) ‘Scrapers’ dig deep for data on Web. At 1 a.m. on May 7, the Web site noticed suspicious activity on its “Mood” discussion board. There, people exchange highly personal stories about their emotional disorders, ranging from bipolar disease to a desire to cut themselves. It was a break-in. A new member of the site, using sophisticated software, was “scraping,” or copying, every single message off PatientsLikeMe’s private online forums. PatientsLikeMe managed to block and identify the intruder: Nielsen Co., the privately held New York media-research firm. Nielsen monitors online “buzz” for clients, including major drug makers, which buy data gleaned from the Web to get insight from consumers about their products, Nielsen says. The market for personal data about Internet users is booming, and in the vanguard is the practice of “scraping.” Firms offer to harvest online conversations and collect personal details from social-networking sites, resume sites, and online forums. Scrapers operate in a legal gray area. Internationally, anti-scraping laws vary. In the United States, court rulings have been contradictory. Source:

53. October 12, The H Security – (International) Trojan forces Firefox to secretly store passwords. A Trojan recently analyzed by Webroot is said to rely on retrieving Web page passwords from a browser’s password storage, rather than logging a user’s keyboard inputs. To make sure it will find all the interesting passwords in Firefox, the malware, called PWS-Nslog, makes some changes to jog the browser’s memory. A few manipulations in a JavaScript file prompt Firefox to store log-in information automatically and without requesting the user’s consent. The malware will, for instance, simply comment out Firefox’s confirmation request in the nsLoginManagerPrompter.js file and add a line with automatic storage instructions. The H’s associates at heise Security were able to reproduce the effect of the manipulations, which the malware author probably borrowed from a work around that has been in circulation since 2009. The manipulation works on all platforms on which the Trojan has the rights to modify the nsLoginManagerPrompter.js file. In tests, this worked on Windows XP, Windows 7, and Ubuntu 10.04. However, on Windows 7 and Ubuntu the user is usually working with limited privileges by default, and under these circumstances the malware is unable to manipulate the file. According to Webroot, the malware author did not put any effort into covering his tracks, as the malware contains a name as well as a Gmail address. Furthermore, Webroot soon found the Facebook page of the allegedly Iranian developer who claims he develops crimeware for fun. Source:

54. October 11, DarkReading – (International) University study offers recipe for stealth malware attacks via social networks. A group of researchers the week of October 4 published a paper that mathematically shows how a low-and-slow malware attack based on social networking behavior patterns could be more effective than a traditional network attack. In their paper, Stealing Reality, researchers from MIT, Ben Gurion University, and Deutsche Telekom Laboratories offer formulas that show the potential effectiveness of a “stealth” attack that uses social networks as its underlying platform. “In this paper we discuss the ability to steal vital pieces of information concerning networks and their users by a nonaggressive — and hence, harder to detect — malware agent,” the researchers say. “We analyze this threat and build a mathematical model capable of predicting the optimal attack strategy against various networks.” The paper offers a number of mathematical models conducted on actual mobile network data, showing that malware attacks can be adapted to follow human behavior on social networks. Source:

55. October 11, Homeland Security Newswire – (International) Experts: Stuxnet a “game changer”. The Stuxnet malware is a game changer for critical information infrastructure protection, an EU security agency has warned. ENISA (European Network and Information Security Agency) issued a technical report titled “Stuxnet Analysis,” in which it warns that a similar attack of malware capable of sabotaging industrial control systems as Stuxnet may occur in future. A researcher writes that the worm, whose primary method of entry into systems is infected USBs, essentially ignores vulnerable Windows boxes but aggressively attacks industrial control (SCADA) systems from Siemens, establishing a rootkit as well as a backdoor connection to two (now disconnected) command and control servers in Malaysia and Denmark. PLC controllers of SCADA systems infected with the worm might be programmed to establish destructive over/under pressure conditions by running pumps at different frequencies, for example. The researcher notes there is no evidence either way as to whether this has actually happened. Source:

56. October 11, Help Net Security – (International) Social media sites and universities increasingly targeted by phishers. Social media sites and educational institutions were increasingly targeted by phishers who continued to expand the targets of their attacks in the first half of 2010. With greater diversity of attacks, phishing continues to be a global problem, with numerous industries and well over 30 different countries experiencing targeted attacks, according to Cyveillance’s “1H 2010 Cyber Intelligence Report.” While banks and credit unions continue to be the top targets of phishers, social media sites and universities are growing favorites of phishers due to the inherent nature of these users to share personal information. Cyber criminals are gaining access to confidential information through simple searches in order to carry out elaborate social engineering scams. Universities are specifically targeted for credentials including name and password information. Phishers use these details to create botnets. Alternatively, social media is used as a means to distribute malware in order to reap greater financial benefits. While these avenues are used in different ways, they are both targeting large groups of individuals who are typically more willing to share information and trust online links. Source:

57. October 11, TG Daily – (International) Operation Payback causes massive service interruptions. An ongoing campaign of DDoS attacks against 11, high-profile global targets has caused more than 550 hours of downtime and 742 service interruptions since September 17. The strikes — executed by Anonymous — recently claimed 119 service interruptions and over 68 hours of downtime across multiple Spanish sites, including the Copyright Protection Society (SGAE), the Culture Ministry, and Promusicae. “Since the onset of the DDoS attacks, the websites longest affected have been ACS:Law, with 179 hours downtime; the Recording Industry Association of America (RIAA), with 127 hours and Aiplex Software with 123 hours,” explained PandaLabs’ director of research. “[Clearly], the popularization of this group’s activities has led many users without much technical know-how to join in.” As the director points out, the Internet offers easy access to basic tutorials and multiple tools for launching crippling DDoS attacks. The director also warned that Anonymous cyber activists — who communicate with each other via Facebook, Twitter, and various blogs — are likely to step up their attacks against current and new targets in the near future. Source:

58. October 11, Network World – (International) Most large companies hit by hack attacks, survey shows. A survey of 350 IT and network professionals would indicate that 2010 has been worse than 2009 for getting hacked, with large companies in particular reporting this to be worse than last in terms of suffering at least one network intrusion of their user machines, office network, or servers. The Sixth Annual Enterprise IT Security Survey, released October 11, found that 67 percent of large companies with 5,000 or more employees reported one successful intrusion or more this year, compared with 41 percent in 2009. Mid-size companies of 1,000 to 4,999 employees fared better with 59 percent reporting an intrusion, up slightly from 57 percent in 2009. For the first time, the survey, sponsored by VanDyke Software and undertaken by Amplitude Research in mid-September, delved into what the survey respondents believed primarily caused the network intrusion. Fourteen percent of those surveyed attributed their intrusion problem to “hacker/network attack,” 12 percent cited “lack of adequate security policies/measures,” 10 percent said “employee Web usage,” 9 percent pointed to “virus/malware/spyware,” 8 percent faulted other “employee carelessness, negligence,” 6 percent said “unauthorized access by current/former employees,” 5 percent blamed “weak passwords,” 5 percent thought it was because of “lack of software updates,” and 5 percent simply said “software security flaw/bug.” Source:

Communications Sector

59. October 12, – (Florida) Thief strips copper wiring from county radio tower in Molino. Copper wiring valued at over $3,000 was reported stolen October 11 from a county radio tower in Molino, Florida. A technician for CES Team One Communications, the company that maintains the radio tower for Escambia County, told deputies that the theft occurred sometime between September 1 and his service visit October 11 morning. The technician told Escambia County Sheriff’s Office investigators that someone cut a gate lock on the fence surrounding the tower, which is located behind the Escambia County Health Department on Highway 29. The thief took two copper bars about three feet in length and cut nine, two-foot sections of copper wire; and ten, six-foot sections. The items were valued at $3,450. According to Escambia County officials, the wiring was part of the tower’s electrical grounding system and no county communications systems were taken off the air by the incident. A spokesperson said the missing wiring would place the tower and equipment at a higher risk of damage from lightning, and replacement items are on order. The Escambia County Sheriff’s Office investigation into the incident is continuing. Source:

60. October 11, Charleston Gazette – (West Virginia) FiberNet outage did not jeopardize 911 calls. FiberNet’s recent phone outage inconvenienced customers and knocked out non-emergency service to police and fire departments in at least six West Virginia counties, but the problem never compromised 911 calls, a state official said October 11. The State Homeland Security Director said 911 centers across the state use phone lines operated by Frontier Communications, not FiberNet. Parts of Kanawha, Hancock, Wetzel, Marion, Monongalia and Ohio were affected by the FiberNet outage October 10 night.”We had no loss of 911 service, but if you had FiberNet, you couldn’t call anybody,” the director said. The company said the service disruption started at 6 p.m. October 10, and the problem was fixed by 10 p.m. FiberNet did not disclose how many customers were affected and what caused the outage. The company would only say that customers in West Virginia and “some surrounding states” were without service October 10 night. Source:

61. October 10, Radio and Television Business Report – (California) Fire burns KSJX-AM transmitter site. An October 9 night brush fire consumed the transmitter building for KSJX-AM San Jose, California, knocking the Vietnamese-language station off the air. According to the San Jose Mercury News, 70 firefighters were called to the scene. They managed to keep the flames from spreading to a Kellogg’s Eggo frozen waffles plant, but could not save the radio transmitter building. KSJX is one of three radio stations in the San Jose and San Francisco market owned by Multicultural Broadcasting. Source:

62. October 8, Bloomberg – (International) AT&T received security warning over Huawei, Washington Post says. AT&T Inc. was threatened by the U.S. National Security Agency (NSA) with loss of government business if it bought equipment for a next-generation phone system from China’s Huawei Technologies Co., the Washington Post reported, citing several unidentified people with knowledge of the matter. The electronic spying agency was worried that its Chinese counterparts might insert “digital trapdoors” in Huawei’s equipment that would function as secret listening posts, the newspaper said. In February, AT&T said it would obtain the necessary equipment from Ericsson AB of Sweden and France’s Alcatel-Lucent SA. Source: