Wednesday, September 12, 2012

Complete DHS Daily Report for September 12, 2012

Daily Report

Top Stories

• A new federal report says hospitals have been negligent in securing radioactive materials they use to treat cancer patients, potentially putting the materials in the hands of terrorists who could use them to make a dirty bomb. – ABC News

7. September 11, ABC News – (National) Dirty bomb threat lurks in U.S. hospitals, fed study warns. The Government Accountability Office (GAO) released a report September 11 saying that hospitals have been negligent in securing the radioactive materials they use to treat cancer patients, potentially putting the materials in the hands of terrorists who could use them to make a dirty bomb. The GAO warned Congress about lapses in hospitals, many of which routinely use equipment containing radioactive materials. Nearly four out of five hospitals across the country have failed to put in place safeguards to secure radiological material that could be used in a dirty bomb, according to the report, which identifies more than 1,500 hospitals as having high-risk radiological sources. According to the report, the National Nuclear Security Administration spent $105 million to complete security upgrades at 321 of more than 1,500 hospitals and medical facilities that were identified as having high-risk radiological sources. The upgrades included security cameras, iris scanners, motion detectors, and tamper alarms. But these upgrades are not expected to be completed until 2025, so many hospitals and medical centers remain vulnerable, the GAO said. The Nuclear Regulatory Commission challenged the GAO’s findings, saying that the agency and its partners are vigilant about protecting hospitals and medical facilities, and had developed additional voluntary layers of security to do so. The American Hospital Association said it was reviewing the GAO’s recommendations. Source:

• Four of five men who escaped September 8 from the Pike County, Missouri, detention center by removing a tamper-resistant shower panel were back in custody, officials said. – KTVI 2 St. Louis

28. September 11, KTVI 2 St. Louis – (Missouri) 4 men captured, 1 still missing from Pike County Jail. Four of five men who escaped from the Pike County, Missouri, detention center are back in custody, KTVI 2 St. Louis reported September 11. All five escaped September 8 by removing a tamper-resistant stainless steel shower panel, giving them access to a service area. According to the Pike County Sheriff’s Department, three escapees were captured in Midwest City, Oklahoma, September 10. A fourth man has also been captured. He was taken into custody without incident on Pike 411 less than 1 mile from Hwy. 161 and is back in Pike County jail. The fifth man is still on the loose. Source:

• An outage to Internet registrar that took thousands of Web sites offline for 6 hours September 10 was the result of internal network events, not a malicious hacker, the company said. – Fox News See item 36 below in the Information Technology Sector

• Authorities evacuated thousands of people in Wyoming, Washington, and Montana as raging wildfires continued to destroy and threaten homes, businesses, and other buildings. – Associated Press

43. September 11, Associated Press – (West) Evacuations ordered in Washington State, Wyoming, Montana as fire season rages on across west. Crews in central Washington and Wyoming worked September 10 to protect homes from two of the many wildfires burning across the west as a destructive fire season stretches into September with no relief expected from the weather anytime soon, the Associated Press reported September 11. The National Weather service issued red-flag warnings for wide swaths of eastern Washington and Oregon, Idaho, Montana, and all of Wyoming. In Wyoming, authorities evacuated 500 people from homes and cabins as a wildfire about 10 miles southeast of Casper, the Sheep Herder Hill Fire, quickly grew. The fire started September 9, burned at least six structures, and scorched more than 15 square miles by September 10. About 1,000 residents had been told to prepare to leave as the Little Horsethief Fire burned more than 4 squares miles in a mountainous area less than 2 miles south of Jackson. The blaze was about 15 percent contained. In Washington State, residents of about 180 homes on the west side of Wenatchee, were told to evacuate September 9, a Wenatchee police sergeant said. In western Montana, residents of about 350 homes threatened by a wildfire west of Hamilton were told to leave September 10. The Sawtooth Fire grew to 2 square miles and was threatening houses, two businesses, and scores of sheds, barns, and other buildings spread out over a 10-mile area, a fire information officer said. Blazes have scorched more than 8.1 million acres across the west so far in 2012, up from the 10-year average of 6.1 million, according to the National Interagency Fire Center. Source:


Banking and Finance Sector

12. September 11, Erie Times-News – (Pennsylvania; National) Police suspect ‘Bucket List Bandit’ in Erie bank robbery. Police searched September 10 for a man accused of using a note to rob an Erie, Pennsylvania branch of Huntington Bank, and the suspected robber could be a man known as the ―Bucket List Bandit‖ and wanted in nine other States for similar crimes. Police said the man walked into the bank with a note demanding money and indicating that the man had a gun. No gun was shown, however, according to Erie police. He walked out of the bank with an undisclosed sum of cash. The man was reportedly given a dye pack and it exploded after he left the bank. Police found some bills with dye on them. Surveillance footage led police to believe he was the so-called ―Bucket List Bandit,‖ who earned that nickname after passing a note to a bank teller in Roy, Utah. The man is also wanted for robberies in Arizona, Colorado, Idaho, Illinois, Missouri, North Carolina, and Tennessee. Source:’Bucket-List-Bandit

13. September 11, South Florida Sun Sentinel – (Florida) ATM skimming gang suspected in recent cases at Publix Supermarkets. A man seen on security cameras was believed to be part of a gang responsible for ATM skimmer devices discovered at Publix Supermarkets along Florida’s east coast, authorities said September 10. Since August 5, police in six different cities in four counties have reported cases of debit- or credit-card stealing devices being used at machines outside of seven Publix Supermarkets. The devices, known as skimmers, all appear to be molded, painted, and designed to fit the supermarket chain’s Presto ATMs. In at least three of the cities, a man wearing Bermuda shorts with colorful patterns, a ball cap, and sunglasses was seen on surveillance tapes working with other people installing the high-tech pickpocket devices. In at least one of the cases, a pinhole camera that records people punching in PIN codes was found along with a skimmer. Since September 7, skimmers have been found at Publixes in Coral Springs and Fort Lauderdale. In Daytona Beach, surveillance video showed a man installing what appeared to be a skimmer and removing it hours later. Source:,0,6434089,full.story

14. September 10, Boston Herald – (Massachusetts; International) SEC accuses Hub firm of $26M fraud. The U.S. Securities and Exchange Commission (SEC) September 10 accused a Boston company of defrauding investors through an alleged $26 million scheme that involved claims of manufacturing and selling the ―MailDefender,‖ a machine that could irradiate dangerous biological agents such as anthrax in mail. Of the approximately $26.8 million in cash generated by BioDefense Corp. from 2004 to early 2011, $26.2 million came from alleged unlawful security sales to investors rather than sales of its ―purported‖ product, said the complaint. BioDefense principals sold unregistered securities to investors in the United States by at least 2004 and then started using so-called ―boiler room‖ firms to sell shares to overseas investors primarily in the United Kingdom in 2008 after attracting the attention of Texas and Massachusetts regulators, the SEC claimed. The firm falsely claimed it was preserving its cash assets by having employees work for equity, when in fact its largest expense was its compensation of its founder, former senior executive vice president, senior officer, and others, the SEC alleged. The Massachusetts Securities Division and British authorities assisted the SEC in the investigation. Source:

15. September 10, U.S. Department of Justice – (Texas) Dallas County man convicted in multi-million dollar mortgage fraud scheme involving upscale town homes in Dallas. A federal jury convicted a man on various offenses related to a $8 million mortgage fraud scheme he ran in the Dallas area, according to the U.S. Department of Justice September 10. The jury convicted the man on one count of conspiracy to commit mail fraud and three counts of mail fraud. The evidence at trial showed he ran two real estate ―investment‖ businesses called Investor Source and Myriad Investments. He located sellers who wanted to unload excess properties and were willing to ―kick back‖ substantially all of their proceeds to the defendant. He then recruited straw buyers and worked with loan officers to prepare and submit fraudulent loan applications on the buyers’ behalf. The loan applications contained numerous material false statements, such as overstating the buyer’s income level or assets. He also received a substantial kickback from the seller after each of the transactions closed and then disbursed a portion of those kickbacks to co-defendants and others involved in the fraud. The scheme involved about $6 million in fraudulently obtained proceeds and $2 million in estimated losses. Source:

16. September 10, PC Magazine – (National) SMS phishing attacks skyrocketed last week. In the first week of September, SMS phishing attacks rose 913 percent, making spam the No. 1 text-based threat, said a report from Cloudmark, PC Magazine reported September 10. In a September 7 blog post, Cloudmark’s senior security researcher cited a single set of attacks that began September 4 as the culprit for the week’s surge. Over the course of 4 days, more than 500 unique phishing scams were sent out by attackers. Each one followed the same general format – ―Fwd: Good Afternoon .Attention Required Call.(xxx)xxxxxxx‖ The phone numbers victims were asked to call included area codes from New Jersey, Alabama, Texas, Illinois, California, New York, Rhode Island, Missouri, Florida, Michigan, Georgia, and South Carolina, as well as 866, 877, and 888 toll-free numbers. Cloudmark reported the attackers were phishing for victims’ sensitive credentials via Bank of America account suspensions, Macy’s credit card collections, and the U.S. Veteran’s Administration health services. Source:,2817,2409520,00.asp

Information Technology Sector

33. September 11, Softpedia – (International) Researchers find flaws in Army-approved FortiGate appliances. Experts from the Vulnerability Lab identified a number of security holes in FortiGate UMT appliances found on the U.S. Army’s 2012 Information Assurance Approved Products List (IA APL). The company addressed the vulnerabilities to ensure their customers are protected. Multiple cross-site scripting (XSS) issues were found to affect UTM Firewall appliance applications such as FortiGate-5000 Series, FortiGate-3950 Series, and FortiGate-3810A. Identified in May, the medium-severity flaws could have been leveraged by a remote attacker to hijack customer and administrator sessions, manipulate Web site context on the client side, and for phishing campaigns. Multiple persistent Web Vulnerabilities also affected the same FortiGate UTM appliance applications. They allowed a remote attacker to persistently inject their own malicious script code to manipulate specific customer and administrator requests. Source:

34. September 10, IDG News Service – (International) Glastopf Web application honeypot gets SQL injection emulation capability. The Honeynet Project, a non-profit organization that develops open-source security research tools, created a component for the Glastopf Web application honeypot software that can emulate applications vulnerable to SQL injection attacks to trick attackers into revealing their intentions. One of the several honeypot tools created by those involved in the Honeynet Project is called Glastopf and consists of a Web server that dynamically emulates vulnerable Web applications to attract attackers. September 8, the Honeynet Project released a SQL injection ―handler‖ for the Glastopf Web application honeypot. The component was developed as part of Cyber Fast Track, a research program funded by the Defense Advanced Research Projects Agency. ―The main goal of this project was the development of a SQL injection vulnerability emulator that goes beyond the collection of SQL vulnerability probings,‖ the Honeynet Project said. ―It deceives the adversary with crafted responses matching his request into sending us the malicious payload which could include all kinds of malicious code.‖ Source:

35. September 10, Dark Reading – (National) Retail fail: Walmart, Target fared worst in Def Con social engineering contest. The third annual Def Con Social Engineering Capture the Flag Contest held at the Def Con 20 conference in July featured 20 contestants competing to elicit as much specific information, or ―flags,‖ out of employees at Walmart, AT&T, Verizon, Target, HP, Cisco, Mobil, Shell, FedEx, and UPS in cold-calls. Walmart and Target ended up with the highest scores, which means they did the worst, said a professional social engineer with who lead the contest. Walmart performed the worst by exposing the most information both online and when its employees were cold-called by the social engineering contestants. Contestants posed as everything from fellow employees to office-cleaning service providers, using these phony personae as pretexts to schmooze the employees to give up seemingly benign but actually very valuable data that can expose an organization to attack. One disturbing trend: every employee who was asked to visit a URL during the call did so. Among the flags contestants could pursue were disk-encryption type, ESSID name, computer model and OS, antivirus software, name of cleaning/janitorial service, and the name of the company’s third-party security guard company. Mobil and Shell employees contacted by the contestants posing as their various pretext characters were the most cautious and uncooperative in giving up information. Source:

For more stories, see items 13 and 16 above in the Banking and Finance Sector and 36 below in the Communications Sector

Communications Sector

36. September 11, Fox News – (International) What really caused the massive GoDaddy outage? An outage to popular Internet registrar that took thousands of Web sites offline for 6 hours September 10 was the result of internal network events, not a malicious hacker, the company said September 11. In a statement released September 11, the company’s interim CEO said the incident was due to a corruption of network router tables. An anonymous Twitter user calling himself ―Anonymous Own3r‖ had claimed credit for the September 10 attack. GoDaddy immediately acknowledged the incident September 10, which took down the company’s own Web site and email services. Source:

For more stories, see items above in the Banking and Finance Sector and 35 above in the Information Technology Sector

Department of Homeland Security (DHS)

DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure

Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.