Law enforcement continues to see reporting of malicious cyber actors using fake help desk scams, also known as technical support scams. These scams, if successful, seek to compromise and take control of computer systems. Malicious cyber actors send users an e-mail or they make cold calls, purportedly representing a help desk from a legitimate software or hardware vendor. The malicious cyber actors try to trick users into believing that their computer is malfunctioning—often by having them look at a system log that typically shows scores of harmless or low-level errors—then convincing them to download software or let the “technician” remotely access the personal computer to “repair” it.
(U//FOUO) New Jersey Fusion Center Bulletin: Suspicious Activity Regarding the Electrical Grid in New Jersey
In the past year, the NJ Suspicious Activity Reporting System (NJ SARS) has received multiple reports of intrusions at electrical grid facilities in New Jersey. The NJ ROIC currently has no indication of any specific threats associated with these incidents, but provides this information for situational awareness and requests information on any similar, previously unreported incidents in New Jersey.
The higher education community in the United States consists of more than 11,000 higher education institutions that collectively serve more than 17 million students, employ more than 3.4 million faculty and staff, and have combined budgets approaching $360 billion. Higher education institutions range in size from small institutions with fewer than 100 students to large universities with tens of thousands of students and faculty occupying campuses the size of a small town or city. Institution grounds are generally open-access, with varying levels of security within the campus.
Facility security measures, such as interior control points or exterior barriers, may require first responders to adjust normal protocols and procedures to operate rapidly during emergencies. The timeline below is an overview of attacks and plots against US-based facilities with varying levels of security. The diversity of tactics and targets used underscores the need for interagency exercises and training that incorporates multiple scenarios to account for building security measures likely to be encountered.
Since at least January 2012, criminals are using telephony-based denial-of-service (TDoS) combined with extortion scams to phone an employee’s office and demand the employee repay an alleged loan. If the victim does not comply, the criminals initiate TDoS attacks against the employer’s phone numbers. TDoS uses automated calling programs—similar to those used by telemarketers—to prevent victims from making or receiving calls.
On Saturday, September 21, 2013, members of Al Shabaab, a Somali based Islamic terrorist organization affiliated with the international Al Qaeda network, executed a complex terrorist attack on an upscale shopping mall in Nairobi, Kenya. The attackers simultaneously entered the mall from two different entrances, shooting shoppers with assault rifles and throwing hand grenades. The terrorists remained in the mall, engaging government security forces for the next four days, resulting in a major fire and partial collapse of the mall. The Kenyan government has officially reported 72 deaths and more than 200 injured as a result of the attack. A significant number of those killed and injured were foreign citizens, including 6 U.S. citizens who were injured in the attack.
The purpose of this bulletin is to provide awareness and a basic understanding of the “Hidden Internet” to investigators in the field, as well as provide some examples of how the Hidden Internet can be exploited by criminal elements. While the term “Hidden Internet” can be used in a broader context and refer to other internet terms such as the “Deep Web” or “Deepnet,” for the purpose of this bulletin the term “Hidden Internet” will refer to the hidden services provided by the TOR project to internet users, specifically relating to the Silk road website and use of Bitcoins.
From November through December 2013, CDC has received a number of reports of severe respiratory illness among young and middle-aged adults, many of whom were infected with influenza A (H1N1) pdm09 (pH1N1) virus. Multiple pH1N1-associated hospitalizations, including many requiring intensive care unit (ICU) admission, and some fatalities have been reported. The pH1N1 virus that emerged in 2009 caused more illness in children and young adults, compared to older adults, although severe illness was seen in all age groups. While it is not possible to predict which influenza viruses will predominate during the entire 2013- 14 influenza season, pH1N1 has been the predominant circulating virus so far. For the 2013-14 season, if pH1N1 virus continues to circulate widely, illness that disproportionately affects young and middle-aged adults may occur.
(U//FOUO) DHS Bulletin: Self-identified Anarchist Extremists Target Urban Gentrification Sites with Arson
This Note analyzes the recent use of arson by anarchist extremists targeting urban development sites they describe as negatively impacting lower income residents through “gentrification.” This information is provided to enable federal, state, local, tribal, and territorial law enforcement; first responders; and private sector security officials to identify, preempt, prevent, or respond to intentional acts targeting urban development sites by anarchist extremist campaigns.
In the year since Sandy Hook, there have been a combined total of 22 actual school attacks and disrupted plots nationwide with some of the attacks resulting in the deaths of students and school personnel. The New Jersey Regional Operations Intelligence Center (ROIC) has examined recent reporting on the Sandy Hook attack and the incidents over the last year and provides the following analysis to law enforcement, school resource officers (SROs), and administrators to assist in school security planning efforts.
Hundreds of emails from the City of Oakland relating to the construction of the City/Port of Oakland Joint Domain Awareness Center. The files were scanned from printouts held in a series of folders by the City of Oakland and were obtained via a public records request made by members of Occupy Oakland. The emails were the source material for a recent story in the East Bay Express by Darwin BondGraham stating that the City of Oakland had allowed the Domain Awareness Center’s prime contractor Science Applications International Corporation (SAIC) to perjure themselves by signing a disclosure form claiming that the company was in compliance with the city’s Nuclear Weapons Free Zone Ordinance which prohibits the city from doing business with contractors that are connected to the production or use of nuclear weapons. According to the article, SAIC has had a number of contracts relating to nuclear weapons for more than a decade, including a May 2013 U.S. Navy contact for “engineering services, testing, and integration for nuclear command control and communication (NC3) messaging systems.”
One of the most serious threats facing New Jersey and the entire U.S. Homeland continues to be that of the active shooter, regardless of motivation, who by the very nature of their associated tactics, techniques, and procedures, pose a serious challenge to security personnel based on their ability to operate independently, making them extremely difficult to detect and disrupt before conducting an attack.
The New Jersey Regional Operations Intelligence Center (NJ ROIC) provides the following updated analysis of mass shootings in the last year (December 2012 to October 2013) in order to provide law enforcement personnel, security managers and emergency personnel with identified commonalities and trends, as well as indicators of potential violence.
DHS National Incident Management System: Intelligence/Investigations Function Guidance and Field Operations Guide
This document includes guidance on how various disciplines can use and integrate the I/I Function while adhering to NIMS concepts and principles. It includes information intended for the NIMS practitioner (including the Incident Commander/Unified Command [IC/UC]) that assists in the placement of the I/I Function within the command structure; provides guidance that may be used while implementing the I/I Function; and has an accompanying Intelligence/ Investigations Function Field Operations Guide (I/I FFOG). While this document provides an example of the I/I Function at the Section level, the IC/UC has the final determination of the scope and placement of the I/I Function within the command structure. The guidance provided in this document is applicable for both domestic incidents that use conventional unclassified information (e.g., open source information, criminal histories, medical records, or educational records) and terrorism incidents where information is often classified and requires the use of national intelligence capabilities.
This Note describes a new combination of tactics by cyber criminals that disrupts telephone systems of targeted organizations. This information is provided to assist and inform the Department and federal, state, local, territorial, tribal, and private sector partners in mitigation efforts regarding criminal activity that could affect their operations.
(U//FOUO) DHS National Cybersecurity and Communications Integration Center (NCCIC) Capabilities Guide
The National Cybersecurity and Communications Integration Center (NCCIC) Resource and Capabilities Guide is intended to enhance cross-sector cyber security efforts and collaboration by better informing our cybersecurity and communications partners of the NCCIC’s tools, assets, and collaboration mechanisms offered. This guide also identifies the Center’s resources and capabilities as well as describes the processes for accessing NCCIC information portals and products, incident reporting systems, and relevant point of contact information for our community of partners.
As related to malware which may exhibit a potentially destructive capability, organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. Destructive malware presents a direct threat to an organization’s daily operations, directly impacting the availability of critical assets and data. In addition, the response required for such an event can be extremely resource intensive.
The following product is a coordinated effort between NCCIC, U.S. Secret Service and The Cyber Intelligence Network (CIN), provided to assist in prevention, detection and mitigation of a new ransomeware campaign. Ransomware is malware that restricts access to infected computers and requires victims to pay a ransom in order to regain full access. Cryptolocker is particularly interesting in that it functions by encrypting victims computer files with a combination of RSA-2048 and AES-256 encryption. Once encrypted, victims are provided a window of time in which they can pay the actors to receive the key needed to decrypt their files.
Scans of all invoices related to the City of Oakland’s contract with Science Applications International Corporation for the construction of the City/Port of Oakland Joint Domain Awareness Center. The documents were collected in a binder held by the City of Oakland and obtained via a public records request made by members of Occupy Oakland. The invoices are organized by month and range in date from March to July 2013.
(U//FOUO) Colorado Information Analysis Center: Butane Hash Oil Production Poses Risks to First Responders
This Brief was produced to alert emergency medical responders and healthcare providers to the dangerous levels of toxicity that can be presented by patients who have smoked alcohol. Although this practice is dangerous, it is not illegal. It is being practiced by young adults all over the country and causing serious medical emergencies and deaths as a result. Because this is a returning trend, unfamiliar to health care providers, there is no statistical data available concerning hospitalizations and deaths. The below information was assembled from open source research and can be duplicated and shared for the purposes of awareness and education.
Malicious cyber actors have used compromised social media accounts to spread disinformation about alleged emergencies and attacks, most prominently through Twitter. Because it is difficult to determine the authenticity of a tweet, we anticipate malicious cyber actors will continue to seek to exploit Twitter and other social media platforms used by news organizations and public safety agencies to propagate disinformation.