Thursday, March 24, 2011

Complete DHS Daily Report for March 24, 2011

Daily Report

Top Stories

• According to Global Security Newswire, the United States is spending millions of dollars to help hospitals reduce the potential for terrorists to acquire sufficient amounts of medical isotopes to build a radiological “dirty bomb.” (See item 6)

6. March 22, Global Security Newswire – (National) U.S. looks to safeguard medical isotopes from terrorists. The United States is spending millions of dollars to help hospitals reduce the potential for terrorists to acquire sufficient amounts of medical isotopes to build a radiological “dirty bomb,” New York Newsday reported March 21. The National Nuclear Security Administration (NNSA) is funding the effort as part of its initiative to assess and improve radioactive substance safeguards at almost 2,700 sites no later than 2020, according to the NNSA deputy director. In excess of 120 of the sites covered by the program are in New York state, including 50 facilities in New York City. Thirty facilities have already been examined in the city, including 18 hospitals. Before the end of 2011, officials want to see safeguard studies completed for all New York City hospitals. U.S. counterterrorism experts fear widely used and inadequately secured devices that house radioactive materials could create an opening for terrorist organizations such as al-Qaeda to produce a dirty bomb, which would use conventional explosives to disperse radiological substance over a wide area. The Presidential administration requested $25 million in fiscal year 2011 for a program to secure radioactive materials. Congress has not passed a final budget for the current budget year, which ends September 30, instead approving a series of continuing funding resolutions. The White House is seeking to increase funding for the program to $51 million in fiscal year 2012. Washington is also training state and local law enforcement officials and hospital security guards, among others, at a specialized security facility in Oak Ridge, Tennessee. The training includes countering a terrorist attempt to invade a hospital in order to obtain radioactive substances. Source:

• The West Chester PA Patch reports police arrested a suspect March 22 with large amounts of explosive material in a hotel room, who they said blew up a stick of dynamite in a crowded, Phoenixville, Pennsylvania bar. (See item 23)

23. March 22, West Chester, PA Patch – (Pennsylvania) Suspect arrested for possible dynamite explosion in crowded Phoenixville bar. Police said a 51-year-old suspect arrested March 22 in Phoenixville, Pennsylvania, put hundreds of people in danger March 12, and had enough bomb making materials in his hotel room to cause death and major damage. The Phoenixville man will be charged with the felonies of risking a catastrophe and arson, the Phoenixville police chief said. The man allegedly set off a stick of dynamite in the bathroom March 12 at Molly Maguire’s Restaurant and Pub during a downtown pub crawl. Someone had just left the bathroom and someone was getting ready to go in when the explosion occurred, the chief said. The force of the blast blew apart a bathroom stall, destroying tile and the ceiling. “Immediately when we looked at the damage, we thought that it had to have been at least a quarter stick if not a half stick of dynamite,” he said. A week or two prior to the incident, the chief said there was another explosion behind the Mainstay Inn on Bridge Street. The inn is directly across the street from Molly Maguire’s. Because the officer already had the suspect’s information, police went March 22 to question him. A maintenance worker was in the suspect’s room at the Mainstay, and pointed out dangerous materials. The room contained powder, scales, and tubes. The Montgomery County Sheriff’s Office was contacted, as well as the county district attorney. The bomb squad had police create a 300-foot perimeter around the Mainstay Inn. The 100 block of Bridge Street was closed from 10:30 a.m. to 1 p.m. Source:


Banking and Finance Sector

7. March 23, Savannah Morning News – (Georgia) City Market ATM found to have theft device. Savannah-Chatham, Georgia, police are asking customers who may have used the Automated Transaction Machine at the SunTrust Bank in City Market near St. Julian Street at Jefferson Street to check their accounts for inappropriate charges. A customer alerted police he had discovered a “skimmer,” a device attached to an ATM to record bank card numbers and PIN numbers, March 17, a police spokesman said. The device discovered last week recorded the information off the magnetic strip and stored it for retrieval later. Police feel they recovered the device before any information was provided, but advised customers who used the ATM to check with their banks. The sergeant in charge of Savannah’s Financial Crimes Division said SunTrust Corporate Security advised him that similar devices have been found on ATMs in Tennessee. Source:

8. March 23, Honolulu Star-Advertiser – (National) Three indicted for ID theft as drivers filled tanks. An Oahu, Hawaii, grand jury returned an indictment March 22 charging three men from California with identity theft and credit card fraud for using information they “skimmed” from gasoline pumps. According to the indictment, the three men installed skimming devices at four Aloha Island Mini Mart gas stations on Oahu in September 2010, returned to California with the account data the devices recorded, and made counterfeit credit and debit cards using the information. They then stole more than $150,000 from the 6 Hawaii financial institutions of the 156 account holders who used the compromised pumps. To install the devices, the defendants rented from United Truck Rental in HonoƂlulu a van equipped with side panel doors on both sides of the vehicle. They then parked the vehicle next to the gasoline pumps. As the accomplice and other defendants served as lookouts, created distractions, and blocked views to the front of the pumps, a ringleader of the group used a “master key” to open the pumps’ front panels and attached skimming devices to their internal hardware components, the indictment said. The defendants returned later and used the same techniques to retrieve the devices. Police in California said the ringleader did the same thing in Laguna Beach, California last summer. They arrested him at his home in Glendale, Arizona in January 2011 and charged him with using unauthorized credit card information to purchase items in California, Arizona and New Mexico. Source:

9. March 22, Philippine Daily Inquirer – (International) PH named among major drug money-laundering countries. The Philippines has been identified by the U.S. Department of State as one of the 63 “major drug money-laundering countries” in the world. In its 2011 International Narcotics Control Strategy Report, the State Department’s Bureau of International Narcotics and Law Enforcement Affairs said financial institutions in these countries “engage in currency transactions involving significant amounts of proceeds from international narcotics trafficking.” Aside from the Philippines, other members of the Association of Southeast Asian Nations on the list are Thailand, Indonesia, Singapore, Cambodia, and Myanmar (formerly Burma). Also on the list are: Australia, Austria, Canada, China, Colombia, France, Germany, Hong Kong, Iran, India, Macau, Pakistan, the Netherlands, Russia, Somalia, Spain, Switzerland, Taiwan, United Arab Emirates, United Kingdom, and the United States, among others. According to the report, the Philippines “continues to face challenges in the areas of drug production, drug trafficking and internal drug consumption.” It said the Manila government “takes drug trafficking and drug abuse seriously, and has made substantial efforts to address these problems.” However, it pointed out that “lack of law enforcement resources, the slow pace of judicial and investigative reforms and lack of law enforcement inter-agency cooperation continue to hamper government efforts to investigate and prosecute higher echelons of drug trafficking organizations operating in the Philippines.” Source:

10. March 22, San Jose Mercury News – (California) SEC files fraud charges against Mountain View investment firm. A Mountain View, California, firm allegedly defrauded its investors out of $17 million while assuring them their money was safe, according to federal authorities. The Securities and Exchange Commission (SEC) announced March 22 it filed charges in federal court against JSW Financial and five of its officers, seeking civil penalties and repayment of the defendants’ “ill-gotten gains.” SEC said in a statement that between 2002 and 2008, JSW and its predecessor created two real estate investment firms, called Blue Chip Realty Fund and Shoreline Investment Fund. “The defendants told investors, many of whom were seniors, that their investments were safe because they were being used for secured real estate loans,” the director of the SEC’s San Francisco regional office said in a statement. Instead, firm officers used the money to fund their own failing real estate projects, SEC said. As the firm lost money, officers sent investors fraudulent account statements claiming the funds were earning more than 10 percent in annual profits, SEC noted. JSW is in bankruptcy and has been out of business since November 2008. SEC also claimed two of the men charged in the case together used $900,000 worth of investor money to purchase homes for themselves. Source:

11. March 22, WDRB 41 Louisville – (Kentucky) Two men arrested for having 193 fake credit cards. Two men were under arrest March 21, caught with almost 200 fake credit cards. The two men were stopped by police on the Gene Snyder Freeway, near Westport Road in Louisville, Kentucky. Officers said they had 193 fake credit cards. At least 140 of those had magnetic strips that had been encoded with false information. Police said the two men had recently moved to Louisville from Florida. On March 21, they were indicted on more than 190 counts for making and possessing fake credit cards. Source:

12. March 22, Associated Press – (International) $500,000 vanishes from tsunami-ravaged bank. The earthquake and tsunami that pulverized coastal Japan crippled a bank’s security mechanisms and left a vault wide open. That allowed someone to walk off with 40 million yen ($500,000). The March 11 tsunami washed over the Shinkin Bank, like much else in Kesennuma, and police said between the wave’s power and the ensuing power outages, the vault came open. “The bank was flooded, and things were thrown all over. It was a total mess. Somebody stole the money in the midst of the chaos,” said a police official in Miyagi prefecture, where Kesennuma is located. The bank notified police March 22, 11 days after the disaster, said the official. Source:`

Information Technology

35. March 23, The Register – (International) Fake Japan blackout alerts cloak Flash malware. Scammers are taking advantage of the situation in Japan by distributing malware that poses as information about a rolling electricity blackout program. Malicious e-mails contain infected Excel attachments hosting a Flash exploit ultimately designed to drop a malicious executable on compromised Windows PCs. The emergence of an attack serves as a reminder of the need to update Adobe Flash, using a patch released earlier the week of March 21. Source:

36. March 23, H Security – (International) Security flaw in RealPlayer. For the time being, users of RealPlayer should be careful to check the origin of files in the “Internet Video Recording” before playing them. A heap buffer overflow that occurs when the file is parsed allows attackers to inject and execute code locally. Because RealPlayer also runs as a browser plug-in, users PC’s will become infected if they visit a specially crafted Web site. According to the researcher who discovered the vulnerability, the hole is in the Windows version of RealPlayer, though previous versions and other platforms such as Linux and Mac OS X are also likely to be affected. There is no update or patch, and Real probably only recently found out about the problem because the researcher generally does not inform vendors in advance, but publishes his reports without contacting them. As a workaround, users can disable or remove the plug-in and/or the browser’s ActiveX control. While RealPlayer not only plays RealMedia, but also many other formats, users can also switch to a wide range of other media players. Source:

37. March 23, H Security – (International) SSL meltdown forces browser developers to update. According to a Tor developer and a blog posting by the Mozilla Foundation, the Comodo SSL Certification Authority may have been compromised. As a consequence, criminals apparently obtained nine certificates for Web sites that already existed, including There is no official statement on whether the situation was caused by insufficient checks during the certification process or by a breach of Comodo’s infrastructure. However, what initially appeared to be a problem for Comodo is now forcing browser developers to take counter measures and release updates. Otherwise, criminals could, for example, redirect users to a bogus Firefox plug-in page and offer them infected add-ons to install –- as the page would possess a valid server certificate for, users would be unaware, and Firefox would not issue an alert. Source:

38. March 22, Help Net Security – (International) Malicious app found in Android Market. To infect a mobile device, the Rootcager/DroidDream Trojan used two known exploits: exploid and rageagainstthecage. If the first one failed to root the device, the malware would attempt to use the second one. According to researchers from Lookout, a malicious application that uses the exploid exploit has turned up masked as a legitimate calling plan management application on unofficial Chinese app markets. Now, a version of the app has also been spotted on the Android Market. But, while the first one contains a binary called zHash that attempts to root a device using the aforementioned exploit, the one found on the official market has the same binary, but lacks the code required to invoke the exploit. Lookout warned the mere existence of the zHash binary on the device leaves it vulnerable to future exploits. “The app’s use of the backdoor shell is extremely limited and not clearly malicious, however, zHash creates a hole in the security layer of the phone, leaving it vulnerable to other applications wanting to take advantage of the device. If the device was successfully rooted by this app, any other app on the device could gain root access without the user’s knowledge.” Lookout said Google has removed the application from the Android Market, and used the kill switch again, but the problem for users who downloaded the app from an unofficial market is the app is still there and working. Source:

39. March 22, Softpedia – (International) Spam received by customers possibly tied to Silverpop breach. has apologized for a wave of malicious spam received by its customers and said it is possibly connected to a breach at the e-mail marketing company Silverpop. According to The Register, customers began receiving rogue e-mail messages March 21 that advertised Adobe Reader upgrades but led to malware. Affected individuals were able to track down the problem to, because they only registered their e-mail addresses with the Web site. After being notified of the problem, the company alerted all customers of the threat and apologized for the incident.’s chief executive explained the company’s systems have not been compromised, but the e-mail database might have been stolen from their e-mail marketing partner, Silverpop. Silverpop’s systems were breached in 2010, and e-mail databases for more than 100 of its clients have been compromised. Source:

40. March 22, threatpost – (International) Spam down 40 pecent in Rustock’s absence. The takedown of the Rustock botnet has measurably reduced the amount of spam e-mail, according to an IBM Internet Security Systems report. IBM said it has observed a sustained drop off of between 35 and 40 percent in global spam levels almost 1 week after law enforcement in the United States and abroad, along with attorneys from Microsoft, seized servers used as the command and control infrastructure for the botnet. In early March, the United States was the second most common source of spam on the Web. Now, in the wake of Rustock, the United States ranks 15th. That is due to Rustock’s heavy reliance on U.S.-based servers. IBM said the declines are not unprecedented in the spam industry, and are only about half of what they were when the spamming industry went on holiday at the beginning of the year. They noted that over time, global spam levels might return to the levels seen before the Rustock takedown. Source:

Communications Sector

41. March 23, Associated Press – (Wisconsin) Tower collapse knocks WI television station off the air. A television station in Eau Claire, Wisconsin, was knocked off the air March 22 after its transmitting tower in Fairchild collapsed. Witnesses said several pieces of equipment fell from the sky when WEAU 13 went off the air around 8:30 p.m. WAXX radio is also on the tower and also went off air at the time. The top of the tower is what sends broadcast signals over the air and into living rooms across western Wisconsin. The tallest point, which is about 2,000 feet, now sits in the snow. The tower fell in about three different directions. One part of the tower is across County Road H and will not be cleared until March 23. “There were no injuries, there are no homes around, there was no one around that I know of that even saw it come down,” a Fairchild Fire Department spokeswoman said. “The only damage would be to the TV-13 tower and the building, and there’s substantial tree damage from all the cables whipping around.” It is unclear exactly what caused the tower to collapse, but the weather March 22 was windy and icy. The station is now streaming its news broadcasts on WEAU’s Web site. Source:

42. March 23, The Register – (International) Facebook traffic mysteriously passes through Chinese ISP. For a short time March 22, Internet traffic sent between Facebook and subscribers to AT&T’s Internet service passed through hardware belonging to the state-owned China Telecom before reaching its final destination, a security researcher said. An routing error is the most likely explanation for the circuitous route, but it is troubling nonetheless, according to an independent researcher who helped discover the anomaly. In the past, China has been accused of monitoring the Internet communications of dissidents, and in 2010, U.S. companies were the targets of a Chinese hacking campaign. During a window that lasted 30 minutes to an hour March 22, all unencrypted traffic passing between AT&T customers and Facebook might have been open to similar monitoring. The independent researcher said he has no evidence any data was in fact stolen, but he said the potential for that is certainly there because the hardware belonged to China Telecom, which in turn is owned by the Chinese government. Internet traffic has been diverted through Chinese networks under mysterious circumstances in the past. Source:

43. March 23, WMUR 9 Manchester – (New Hampshire) N.H. phone outages affects 911 services. Phone outages were reported for Comcast customers in 19 New Hampshire communities March 22, and emergency dispatchers said those affected may not be able to dial 911. A Comcast spokesman said some customers experienced intermittent phone issues March 22, primarily with long distance and international calling. As of about 6:30 p.m., he said 911 services were working properly. An investigation has been launched to determine what caused the outage. The state’s 911 dispatch center issued a warning to residents to have cell phones handy to call 911. Emergency crews said residents should have a cell phone ready for such an outage. Firefighters said any cell phone, even old models, can be used to dial 911. The Concord battalion chief stated, “Any cell phone company in the U.S. — the FCC (Federal Communications Commission) mandates the 911 feature is still active.” Source: