The Transportation Security Administration’s (TSA’s) mission includes enhancing the security preparedness of U.S. hazardous liquid and natural gas pipeline systems. This TSA Office of Intelligence (TSA-OI) threat assessment primarily addresses the potential for attacks against the pipeline industry in the Homeland and assesses the tactics, techniques, and procedures (TTPs) used in attacks against pipelines and related infrastructure overseas for their potential use by terrorists in the Homeland.
Transportation Security Administration
(U//FOUO) TSA Pipeline Security Smart Practices Report
U.S. hazardous liquids and natural gas pipelines are critical to the nation’s commerce and economy and, as a consequence, they can be attractive targets for terrorists. Before September 11, 2001, safety concerns took precedence over physical and operational security concerns for a majority of pipeline operators. Security matters were mainly limited to prevention of minor theft and vandalism. The terrorist attacks of 9/11 forced a thorough reconsideration of security, especially with respect to critical infrastructure and key resources. Pipeline operators have responded by seeking effective ways to incorporate security practices and programs into overall business operations.
Intelligence Fusion Centers, Louisiana
(U//LES) LA-SAFE Geomagnetic Storm Warning
A series of coronal mass ejections (CMEs) is en route to Earth from a sunspot and will buffet the Earth’s magnetic field during the next 12 to 60 hours. These CMEs are a result of the strongest solar flare in more than four years, which peaked on February 15th and registered as an X-flare. X-flares are the strongest type of solar flare. NOAA forecasters estimate a 45% chance of geomagnetic activity on February 17, 2011. Geomagnetic storms usually last 24 to 48 hours, but some may last for many days. They also have the capability of disrupting communication systems, navigation systems and electric grids.
Corporate
HBGary General Dynamics Malware Development: Task Z
General Dynamics has selected HBGary Inc to provide this proposal for development of a software tool, which provides the user a command line interface, that will enable single file or full directory exfiltration over TCP/IP. General Dynamics has requested multiple protocols to be scoped as viable options, and this quote contains options for VoIP (Skype) protocol, BitTorrent protocol, video over HTTP (port 80), and HTTPS (port 443). HBGary will research and analyze the best solution given the client’s choice of protocol(s). As outlined in the Bill of Materials on page 4 of this document, cost per protocol is provided separately, and one or more of the options can be chosen by General Dynamics. HBGary will develop this user mode application with listen capabilities and trace cleanup, and ensure network sniffer testing doesn’t trigger any alerts. The application will be provided for user testing and validation at the close of the development cycle, which will be scheduled jointly between HBGary and General Dynamics.
Corporate
HBGary General Dynamics Malware Development: Project C
General Dynamics has selected HBGary Inc to provide this proposal for development of a software application targeting the Windows XP Operating System that, when executed, loads and enables a covert kernel-mode implant that will exfiltrate a file from disk (or other remotely called commands) over a connected serial port to a remote device. The enabling kernel mode implant will cater to a command and control element via the serial port. The demonstration will utilize an exploit in Outlook as the delivery mechanism for said software application. The subsequently loaded implant will be stable and will not crash the demonstration system. A usermode component will be included as part of the exploitation package that exercises the kernel mode implant for demonstration purposes. The loaded implant will use the connected serial port to remotely enable functions which can be visible on the collection computer connected on the other end of the serial line. The purpose of the demonstration setup is to verify the functionality for the customer and validate that all work has been completed.
Department of Homeland Security, Federal Bureau of Investigation
(U//FOUO) DHS-FBI Cyanide Production Indicators Guide
FOUO DHS-FBI Cyanide Production Indicators Reference Guide from November 2010.
News
Fusion Center Locations Revealed
Since 9/11, the U.S. Government has engaged in a multibillion-dollar effort to construct a domestic intelligence network for the ostensible purpose of combating terrorism, criminal activity and violent extremism. One of the central components of this system is the network of “fusion centers” that have sprung up around the country over the last several years. These entities integrate local law enforcement with a state’s police force, Department of Justice, or Office of Emergency Management and are designed to facilitate law enforcement intelligence activities throughout the jurisdiction, providing federal authorities access to local information and databases, while simultaneously allowing federal agencies to disseminate classified intelligence materials to local authorities. There are almost always federal representatives present in local fusion centers and Secretary Napolitano has recently testified that DHS is “committed to having an officer in each fusion center.” Most fusion centers also work with representatives of the private sector, particularly those industries related to so-called “critical infrastructure and key resources.”
Infragard
HBGary InfraGard IT/IS Rules of Behavior
HBGary InfraGard IT/IS Rules of Behavior Agreement from October 4, 2010.
Intelligence Fusion Centers
Fusion Centers Map, Locations, Contact Information
A nearly complete list of the actual physical locations, phone numbers, and email addresses of fusion centers around the United States.
Corporate
HBGary Team Themis Corporate Information Reconnaissance Cell Documents
Internet-based communications, most predominantly the growing spectrum of social media platforms, allow people to coordinate and communicate in a highly efficient and collaborative manner, even when vastly geographically distributed. These same services and technologies can also make it difficult to attribute information to specific entities. Anonymizing and misattribution technologies used to mask location and identity have become commonplace. In many cases, people and/or organizations use the inherent insecurity in Internet communications to conduct criminal or unethical activities. This represents a paradigm shift in the capability of individuals and small groups to conduct effective planning and execution of asymmetric operations and campaigns that can have major impacts on large organizations or corporations. Despite the increased capability and anonymity that these new communications technologies provide, it is still possible to counter individuals and groups who are leveraging networks, platforms, and/or applications to conduct criminal and/or unethical activities. In such cases, it is necessary to develop a more forward-leaning investigative capability to collect, analyze, and identify people or organizations conducting such activities. In order to effectively track and understand the complex, interconnected networks involved in these actions, it becomes critical to utilize proven, cutting-edge tools and analytical processes, applying them in a deliberate, iterative manner against those involved in illicit activities. The most effective way to limit the capability of individuals and/or groups is to develop a comprehensive picture of the entities involved through focused collection, conduct rapid analysis to identify key nodes within the network, and determine the most effective method for influencing/limiting these entities.
Corporate
HBGary McAfee Management Presentation
Confidential HBGary McAfee Management Presentation from November 2010.
Federal Bureau of Investigation
HBGary Infragard Hospital Cyber Attacks Brief
HBGary Northern California Infragard “Anatomy of a Cyber Terrorist Attack on the Nation’s Hospital Infrastructure” from October 19, 2010.
Corporate, Defense Advanced Research Projects Agency
HBGary DARPA Cyber Genome Technical Management Proposal
While it is a challenging undertaking, we plan to research and develop a fully automated malware analysis framework that will produce results comparable with the best reverse engineering experts, and complete the analysis in a fast, scalable system without human interaction. In the completed mature system, the only human involvement will be the consumption of reports and visualizations of malware profiles. Our approach is a major shift from common binary and malware analysis today, which requires manual labor by highly skilled and well-paid engineers. Results are slow, unpredictable, expensive and don’t scale. Engineers are required to be proficient with low-level assembly code and operating system internals. Results depend upon their ability to interpret and model complex program logic and ever-changing computer states. The most common tools are disassemblers for static analysis and interactive debuggers for dynamic analysis. The best engineers have an ad-hoc collection of non-standard homegrown or Internet-collected plug-ins. Complex malware protection mechanisms, such as packing, obfuscation, encryption and anti-debugging techniques, present further challenges that slow down and thwart traditional reverse engineering techniques.
Corporate, Defense Advanced Research Projects Agency
HBGary General Dynamics DARPA Cyber Genome Program Proposal
Current technologies and methods for producing and examining relationships between software products, particularly malware, are lacking at best. The use of hashing or “fuzzy” hashing and matching techniques is conducted at the program level, ignoring any reflection of the actual development process of malware. This approach is only effective at finding closely related variants or matching artifacts found within malware that are only tangential to the development process, such as hard-coded IP addresses, domains, or login information. This matching process is often unaware of internal software structure except in the most rudimentary sense, dealing with entire sections of code at a time, attempting to align matches while dealing with arbitrary block boundaries. The method is akin to an illiterate attempting to compare two books on the same topic. Such a person would have a chance of correlating different editions of the same book, but not much else. The first fundamental flaw in today’s approach is that it ignores our greatest advantage in understanding relationships in malware lineage: we can decompose program structure into blocks (functions, objects, and loops) that reflect the development process and give software its lineage through code reuse.
Federal Bureau of Investigation
FBI Academic Alliance Counterintelligence Partnership Briefing
FBI Academic Alliance Briefing from October 27, 2010.
Federal Bureau of Investigation
(U//FOUO) FBI College Campus Liaison Initiative Brief
FOUO FBI College “Campus Liaison Initiative Brief” from June 2010.
Headline
Tahrir Square Photos February 2011
See also:
Egyptian Revolution Photos February 2011
Egyptian Revolution Photos January 2011
M Soli – http://www.flickr.com/photos/24610655@N08/
Kodak Afgha – http://www.flickr.com/photos/96884693@N00/
Maggie Osama – http://www.flickr.com/photos/maggieosama/
Mahmoud Saber – http://www.flickr.com/photos/mahmoudsaber/
Omar Robert Hamilton – http://www.flickr.com/photos/56458828@N02/
Intelligence Fusion Centers, New York
(U//LES) New York State Intelligence Center “Vigilance Project”: Domestic Terrorism Analysis
The Vigilance Project is a comprehensive, analytic report that examines major terrorism cases that have taken place against the Homeland since September 11, 2001. The report serves as a historical compilation of acts or attempted acts of terrorism against the United States, or its interests, and as a tool to identify trends and commonalities among the cases and the subjects involved. It is recognized that the threat environment is dynamic and potential threats are not limited to the findings contained in this report. As the title suggests, it is the duty of every citizen to remain vigilant in the face of terrorism. The findings of this report allow readers to gain an understanding of terrorism participants, their tactics and procedures, and become aware of similarities among the cases, in order to draw useful conclusions. The ultimate goal of the Vigilance Project is to provide useful information to law enforcement partners to support their role in preventing the next attack.
Department of State
U.S. State Department OSAC Caucasus Emirate Reports
Two U.S. State Department OSAC Reports on the Caucasus Emirate from August and September 2010.
Department of State
U.S. State Department OSAC Maoist/Naxalite Threat to the U.S. Private Sector
OSAC constituents operating in India face a multitude of threats, many of which are difficult to evaluate from a security standpoint. Oftentimes, the international media will mimic the hyperbolic Indian news industry and sensationalize a security concern, resulting in significant private sector hand-wringing. One such example of this is the Communist Party of India-Maoist insurgency in India, popularly known as the Naxalite movement. For instance, Naxalites ambushed and killed 75 members of India’s Central Reserve Police Force on patrol in Chhattisgarh state on April 6, 2010. The disaster triggered alarmist headlines around the world. A headline in the British Independent on April 8 screamed “Who are the Naxalites and will they topple the Indian Government?” The attack also brought renewed attention to the Naxalites from publications such as The Economist and The New York Times, which typically publish maps showing the current “extent” of the Naxal problem alongside their analyses. Even the Prime Minister of India, Manmohan Singh, is on record as saying that the Naxalites are the greatest threat India faces.
Department of Homeland Security
DHS Secretary Napolitano Testimony on “Homeland Threat Landscape”
As the President said in his State of the Union address, in the face of violent extremism, “we are responding with the strength of our communities.” A vast majority of people in every American community resoundingly reject violence, and this certainly includes the violent, al-Qaeda-style ideology that claims to launch attacks in the name of their widely rejected version of Islam. We must use these facts as a tool against the threat of homegrown violent extremism. In conjunction with these communities and with the Department of Justice and the Program Manager for the Information Sharing Environment, we have published guidance on best practices for community partnerships, which has been distributed to local law enforcement across the country. DHS also holds regular regional meetings – which include state and local law enforcement, state and local governments, and community organizations – in Chicago, Detroit, Los Angeles, and Minneapolis. These regional meetings have enabled participants to provide and receive feedback on successful community-oriented policing and other programs aimed at preventing violence.
Washington
Seattle Shield Program Suspicious Activity Report: iPhone Photography
Seattle Shield Program Suspicious Activity Report: iPhone Photography, February 3, 2011.
Intelligence Fusion Centers, Massachusetts
Boston Regional Intelligence Center Counterfeit Money Advisory
There have been several reports of counterfeit money being passed around the City of Boston since the beginning of December 2008. In the majority of incidents, counterfeit $20 bills were used, but $10, $50 and $100 bills have been used on occasion. The most frequent recipients of these counterfeit bills have been taxi/livery drivers, restaurants and bars in the Dorchester (C11), South Boston (C6), Roxbury (B2) and Jamaica Plain (E13) areas. Boston Police, in conjunction with the United States Secret Service, made an arrest on 2/3/09 of an individual that may be responsible for some of the counterfeit currency being passed around (CC# 090061459). Below please find a list of serial numbers that have been used in more than one incident, as well as a list of serial numbers used since 12/12/08.
Federal Bureau of Investigation, Kansas, Missouri, Texas
(U//LES) FBI Texas, Missouri and Kansas Senior Citizen Scam Report
Warrants in Jasper County, Missouri, Cass County, Missouri, Clay County, Missouri and Grand Saline, Texas have been issued for Donald Anthony Moses, aka Tony Moses, for financial exploitation of the elderly and felony theft targeting senior citizens by committing home-repair schemes. The most recent confirmed date that Moses committed a home-repair scheme was on 18 January 2011 in Manhattan, Kansas.
Department of State
U.S. State Department OSAC Cell Phone Video Surveillance Warning
On December 15, 2009, the City of London Police released film footage of hostile reconnaissance conducted in July 2008 by an Algerian national (Subject 1). Subject 1 was stopped by two alert police officers who saw him using his cell phone camera to record video inside Liverpool Street Station in London. When the police officers examined the footage they found 90 minutes of video recording of various sites in and around London and several UK cities to include Tube and mainline rail stations, shopping areas, bars, and restaurants. His detention and the follow-up investigation led to the arrest of Subject 1’s brother (Subject 2) and a third Algerian male (Subject 3). British authorities also looked at 30 other individuals and recovered extremist material supporting al-Qa’ida in the Islamic Maghreb in one residence. Police believe the two brothers may have been fundraising and conducting surveillance for a future terrorist operation.