Department of Homeland Security

(U//FOUO) DHS-FBI-NCTC Bulletin: Fake Help Desk Scams an Ongoing Problem

Law enforcement continues to see reporting of malicious cyber actors using fake help desk scams, also known as technical support scams. These scams, if successful, seek to compromise and take control of computer systems. Malicious cyber actors send users an e-mail or they make cold calls, purportedly representing a help desk from a legitimate software or hardware vendor. The malicious cyber actors try to trick users into believing that their computer is malfunctioning—often by having them look at a system log that typically shows scores of harmless or low-level errors—then convincing them to download software or let the “technician” remotely access the personal computer to “repair” it.

(U//FOUO) New Jersey Fusion Center Bulletin: Suspicious Activity Regarding the Electrical Grid in New Jersey

In the past year, the NJ Suspicious Activity Reporting System (NJ SARS) has received multiple reports of intrusions at electrical grid facilities in New Jersey. The NJ ROIC currently has no indication of any specific threats associated with these incidents, but provides this information for situational awareness and requests information on any similar, previously unreported incidents in New Jersey.

(U//FOUO) DHS Infrastructure Protection Report: Higher Education Institutions

The higher education community in the United States consists of more than 11,000 higher education institutions that collectively serve more than 17 million students, employ more than 3.4 million faculty and staff, and have combined budgets approaching $360 billion. Higher education institutions range in size from small institutions with fewer than 100 students to large universities with tens of thousands of students and faculty occupying campuses the size of a small town or city. Institution grounds are generally open-access, with varying levels of security within the campus.

(U//FOUO) DHS-FBI-NCTC Bulletin: Building Security Measures May Hinder Emergency Response Efforts

Facility security measures, such as interior control points or exterior barriers, may require first responders to adjust normal protocols and procedures to operate rapidly during emergencies. The timeline below is an overview of attacks and plots against US-based facilities with varying levels of security. The diversity of tactics and targets used underscores the need for interagency exercises and training that incorporates multiple scenarios to account for building security measures likely to be encountered.

(U//FOUO) DHS-FBI-NCTC Bulletin: Extortion Schemes Use Telephony-Based Denial-of-Service Attacks

Since at least January 2012, criminals have been using telephony-based denial-of-service (TDoS) combined with extortion scams to phone an employee’s office and demand the employee repay an alleged loan. If the victim does not comply, the criminals initiate TDoS attacks against the employer’s phone numbers. TDoS uses automated calling programs—similar to those used by telemarketers—to prevent victims from making or receiving calls.

(U//FOUO) Kansas Intelligence Fusion Center Nairobi Westgate Mall Attack Lessons Learned

On Saturday, September 21, 2013, members of Al Shabaab, a Somali based Islamic terrorist organization affiliated with the international Al Qaeda network, executed a complex terrorist attack on an upscale shopping mall in Nairobi, Kenya. The attackers simultaneously entered the mall from two different entrances, shooting shoppers with assault rifles and throwing hand grenades. The terrorists remained in the mall, engaging government security forces for the next four days, resulting in a major fire and partial collapse of the mall. The Kenyan government has officially reported 72 deaths and more than 200 injured as a result of the attack. A significant number of those killed and injured were foreign citizens, including 6 U.S. citizens who were injured in the attack.

(U//LES) Virginia Fusion Center Bulletin: TOR, Bitcoins, Silk Road and the Hidden Internet

The purpose of this bulletin is to provide awareness and a basic understanding of the “Hidden Internet” to investigators in the field, as well as provide some examples of how the Hidden Internet can be exploited by criminal elements. While the term “Hidden Internet” can be used in a broader context and refer to other internet terms such as the “Deep Web” or “Deepnet,” for the purpose of this bulletin the term “Hidden Internet” will refer to the hidden services provided by the TOR project to internet users, specifically relating to the Silk Road website and use of Bitcoins.

(U//FOUO) Kansas Intelligence Fusion Center Bulletin: pH1N1 Emerging Infectious Disease

From November through December 2013, CDC has received a number of reports of severe respiratory illness among young and middle-aged adults, many of whom were infected with influenza A (H1N1) pdm09 (pH1N1) virus. Multiple pH1N1-associated hospitalizations, including many requiring intensive care unit (ICU) admission, and some fatalities have been reported. The pH1N1 virus that emerged in 2009 caused more illness in children and young adults, compared to older adults, although severe illness was seen in all age groups. While it is not possible to predict which influenza viruses will predominate during the entire 2013-14 influenza season, pH1N1 has been the predominant circulating virus so far. For the 2013-14 season, if pH1N1 virus continues to circulate widely, illness that disproportionately affects young and middle-aged adults may occur.

(U//FOUO) DHS Bulletin: Self-identified Anarchist Extremists Target Urban Gentrification Sites with Arson

This Note analyzes the recent use of arson by anarchist extremists targeting urban development sites they describe as negatively impacting lower income residents through “gentrification.” This information is provided to enable federal, state, local, tribal, and territorial law enforcement; first responders; and private sector security officials to identify, preempt, prevent, or respond to intentional acts targeting urban development sites by anarchist extremist campaigns.

(U//FOUO) New Jersey Fusion Center: School Attacks and Plots Since Sandy Hook

In the year since Sandy Hook, there have been a combined total of 22 actual school attacks and disrupted plots nationwide with some of the attacks resulting in the deaths of students and school personnel. The New Jersey Regional Operations Intelligence Center (ROIC) has examined recent reporting on the Sandy Hook attack and the incidents over the last year and provides the following analysis to law enforcement, school resource officers (SROs), and administrators to assist in school security planning efforts.

City of Oakland Domain Awareness Center Emails

Hundreds of emails from the City of Oakland relating to the construction of the City/Port of Oakland Joint Domain Awareness Center. The files were scanned from printouts held in a series of folders by the City of Oakland and were obtained via a public records request made by members of Occupy Oakland. The emails were the source material for a recent story in the East Bay Express by Darwin BondGraham stating that the City of Oakland had allowed the Domain Awareness Center’s prime contractor Science Applications International Corporation (SAIC) to perjure themselves by signing a disclosure form claiming that the company was in compliance with the city’s Nuclear Weapons Free Zone Ordinance which prohibits the city from doing business with contractors that are connected to the production or use of nuclear weapons. According to the article, SAIC has had a number of contracts relating to nuclear weapons for more than a decade, including a May 2013 U.S. Navy contract for “engineering services, testing, and integration for nuclear command control and communication (NC3) messaging systems.”

(U//FOUO) New Jersey Fusion Center Active Shooter Awareness for the 2013 Holiday Season

One of the most serious threats facing New Jersey and the entire U.S. Homeland continues to be that of the active shooter, regardless of motivation, who by the very nature of their associated tactics, techniques, and procedures, pose a serious challenge to security personnel based on their ability to operate independently, making them extremely difficult to detect and disrupt before conducting an attack.

(U//FOUO) New Jersey Fusion Center Mass Shootings Commonalities December 2012-October 2013

The New Jersey Regional Operations Intelligence Center (NJ ROIC) provides the following updated analysis of mass shootings in the last year (December 2012 to October 2013) in order to provide law enforcement personnel, security managers and emergency personnel with identified commonalities and trends, as well as indicators of potential violence.

DHS National Incident Management System: Intelligence/Investigations Function Guidance and Field Operations Guide

This document includes guidance on how various disciplines can use and integrate the I/I Function while adhering to NIMS concepts and principles. It includes information intended for the NIMS practitioner (including the Incident Commander/Unified Command [IC/UC]) that assists in the placement of the I/I Function within the command structure; provides guidance that may be used while implementing the I/I Function; and has an accompanying Intelligence/Investigations Function Field Operations Guide (I/I FFOG). While this document provides an example of the I/I Function at the Section level, the IC/UC has the final determination of the scope and placement of the I/I Function within the command structure. The guidance provided in this document is applicable for both domestic incidents that use conventional unclassified information (e.g., open source information, criminal histories, medical records, or educational records) and terrorism incidents where information is often classified and requires the use of national intelligence capabilities.

(U//FOUO) DHS National Cybersecurity and Communications Integration Center (NCCIC) Capabilities Guide

The National Cybersecurity and Communications Integration Center (NCCIC) Resource and Capabilities Guide is intended to enhance cross-sector cyber security efforts and collaboration by better informing our cybersecurity and communications partners of the NCCIC’s tools, assets, and collaboration mechanisms offered. This guide also identifies the Center’s resources and capabilities as well as describes the processes for accessing NCCIC information portals and products, incident reporting systems, and relevant point of contact information for our community of partners.

DHS National Cybersecurity and Communications Integration Center Bulletin: Destructive Malware

As related to malware which may exhibit a potentially destructive capability, organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. Destructive malware presents a direct threat to an organization’s daily operations, directly impacting the availability of critical assets and data. In addition, the response required for such an event can be extremely resource intensive.

DHS National Cybersecurity and Communications Integration Center Bulletin: Cryptolocker Ransomware

The following product is a coordinated effort between NCCIC, U.S. Secret Service and The Cyber Intelligence Network (CIN), provided to assist in prevention, detection and mitigation of a new ransomware campaign. Ransomware is malware that restricts access to infected computers and requires victims to pay a ransom in order to regain full access. Cryptolocker is particularly interesting in that it functions by encrypting victims’ computer files with a combination of RSA-2048 and AES-256 encryption. Once encrypted, victims are provided a window of time in which they can pay the actors to receive the key needed to decrypt their files.

Oakland Domain Awareness Center Purchasing Invoices March-July 2013

Scans of all invoices related to the City of Oakland’s contract with Science Applications International Corporation for the construction of the City/Port of Oakland Joint Domain Awareness Center. The documents were collected in a binder held by the City of Oakland and obtained via a public records request made by members of Occupy Oakland. The invoices are organized by month and range in date from March to July 2013.

(U//FOUO) Central Florida Intelligence Exchange Bulletin: Smoking Alcohol

This Brief was produced to alert emergency medical responders and healthcare providers to the dangerous levels of toxicity that can be presented by patients who have smoked alcohol. Although this practice is dangerous, it is not illegal. It is being practiced by young adults all over the country and causing serious medical emergencies and deaths as a result. Because this is a returning trend, unfamiliar to health care providers, there is no statistical data available concerning hospitalizations and deaths. The below information was assembled from open source research and can be duplicated and shared for the purposes of awareness and education.

(U//FOUO) DHS-FBI Bulletin: Compromises of Official Social Media Accounts Spread Disinformation

Malicious cyber actors have used compromised social media accounts to spread disinformation about alleged emergencies and attacks, most prominently through Twitter. Because it is difficult to determine the authenticity of a tweet, we anticipate malicious cyber actors will continue to seek to exploit Twitter and other social media platforms used by news organizations and public safety agencies to propagate disinformation.