Superstorm Sandy, a late-season post-tropical cyclone and the tenth storm of the 2012 Atlantic hurricane season, swept through the Caribbean and up the East Coast of the United States in late October 2012. The storm left 42 dead in New York State (NYS), thousands homeless and millions without power. Superstorm Sandy began as a tropical wave in the Caribbean on October 19, 2012. It quickly developed into a tropical depression and then a tropical storm in six hours. It quickly moved north, then turned northwest within the next week, making landfall on October 29, 2012 striking near Atlantic City, New Jersey with winds of 80 miles per hour. At one point, Superstorm Sandy’s hurricane force winds (74 mph) extended up to 175 miles from its center and tropical storm force winds (39 mph) out to 485 miles. A full moon made high tides 20 percent higher than normal, amplifying Superstorm Sandy’s storm surge.
DHS National Incident Management System: Intelligence/Investigations Function Guidance and Field Operations Guide
This document includes guidance on how various disciplines can use and integrate the I/I Function while adhering to NIMS concepts and principles. It includes information intended for the NIMS practitioner (including the Incident Commander/Unified Command [IC/UC]) that assists in the placement of the I/I Function within the command structure; provides guidance that may be used while implementing the I/I Function; and has an accompanying Intelligence/ Investigations Function Field Operations Guide (I/I FFOG). While this document provides an example of the I/I Function at the Section level, the IC/UC has the final determination of the scope and placement of the I/I Function within the command structure. The guidance provided in this document is applicable for both domestic incidents that use conventional unclassified information (e.g., open source information, criminal histories, medical records, or educational records) and terrorism incidents where information is often classified and requires the use of national intelligence capabilities.
This Note describes a new combination of tactics by cyber criminals that disrupts telephone systems of targeted organizations. This information is provided to assist and inform the Department and federal, state, local, territorial, tribal, and private sector partners in mitigation efforts regarding criminal activity that could affect their operations.
(U//FOUO) DHS National Cybersecurity and Communications Integration Center (NCCIC) Capabilities Guide
The National Cybersecurity and Communications Integration Center (NCCIC) Resource and Capabilities Guide is intended to enhance cross-sector cyber security efforts and collaboration by better informing our cybersecurity and communications partners of the NCCIC’s tools, assets, and collaboration mechanisms offered. This guide also identifies the Center’s resources and capabilities as well as describes the processes for accessing NCCIC information portals and products, incident reporting systems, and relevant point of contact information for our community of partners.
As related to malware which may exhibit a potentially destructive capability, organizations should increase vigilance and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event. Destructive malware presents a direct threat to an organization’s daily operations, directly impacting the availability of critical assets and data. In addition, the response required for such an event can be extremely resource intensive.
The following product is a coordinated effort between NCCIC, U.S. Secret Service and The Cyber Intelligence Network (CIN), provided to assist in prevention, detection and mitigation of a new ransomeware campaign. Ransomware is malware that restricts access to infected computers and requires victims to pay a ransom in order to regain full access. Cryptolocker is particularly interesting in that it functions by encrypting victims computer files with a combination of RSA-2048 and AES-256 encryption. Once encrypted, victims are provided a window of time in which they can pay the actors to receive the key needed to decrypt their files.
Malicious cyber actors have used compromised social media accounts to spread disinformation about alleged emergencies and attacks, most prominently through Twitter. Because it is difficult to determine the authenticity of a tweet, we anticipate malicious cyber actors will continue to seek to exploit Twitter and other social media platforms used by news organizations and public safety agencies to propagate disinformation.
A joint bulletin issued in early August by the Department of Homeland Security and FBI warns state and local law enforcement agencies to look out for people in possession of “large amounts” of weapons and ammunition, describing the discovery of “unusual amounts” of weapons as a potential indicator of criminal or terrorist activity.
Possession of large amounts of weapons, ammunition, explosives, accelerants, or explosive precursor chemicals could indicate pre-operational terrorist attack planning or criminal activity. For example, in preparation for conducting the July 2011 attacks in Norway, Anders Behring Breivik stockpiled approximately 12,000 pounds of precursors, weapons, and armor and hid them underground in remote, wooded locations.
Over the past year, the NSI PMO has continued its implementation efforts and outreach to NSI stakeholders to help ensure that law enforcement and homeland security partners are afforded another tool to help identify and prevent terrorism and other related criminal activity. The ongoing collaboration among DOJ, DHS, the FBI, SLTT partners, and the National Network of Fusion Centers has strengthened, allowing the NSI to expand its nationwide information sharing capability. As of March 2013, 73 fusion centers have met the requirements outlined by the NSI PMO to be fully NSI-Operational—an increase of 5 centers from the same time last year—and all 78 fusion centers now maintain the capability to contribute and share suspicious activity reports through the Shared Space or eGuardian. This expansion of the NSI has allowed the Federated Search Tool to be accessed by more trained users—increasing the number of searches to more than 76,400—and more than 25,900 Information Sharing Environment (ISE)-SARs had been submitted and shared by the end of March 2013. Further, with the support of the National Network of Fusion Centers, 46 states and the District of Columbia are participating in statewide implementation of the NSI; implementation efforts are currently under way in Guam, Puerto Rico, and the U.S. Virgin Islands to ensure a strengthened nationwide capacity for sharing ISE-SAR information.
This Joint Intelligence Bulletin (JIB) provides information on the 21 September 2013 attack in Nairobi, Kenya likely conducted by al-Shabaab—an al-Qai‘da linked militant group based in Somalia. This JIB examines the ongoing incident and provides background on the threat from al-Shabaab. This JIB also highlights protective measures that can assist in mitigating threats in the United States using similar tactics and is provided to support the activities of FBI and DHS and to assist federal, state, local, tribal, and territorial government counterterrorism and law enforcement officials, as well as first responders and private sector security officials to deter, prevent, preempt, or respond to terrorist attacks in the United States or overseas targeting US interests.
Terrorists may engage in sabotage, tampering, or vandalism as part of an attack or to gain access to restricted areas, steal materials, or provoke and observe security responses. For example, the 1Oth edition of al-Qa’ida in the Arabian Peninsula’s Inspire magazine suggests torching parked vehicles and causing automobile accidents by using lubricating oil or nails driven through wooden boards as simple tactics to cause both casualties and economic damage.
Impersonation by assuming the identity, behavior, or appearance of first responders can allow terrorists access to restricted or secure locations, including the scene of emergencies when unchallenged. This access can allow terrorists the ability to conduct pre-operational surveillance or carry out a primary attack or a secondary attack against first responders. The method of impersonation may not be limited to the use of uniforms, clothing, badges and identification; civilian vehicles may be accessorized to appear as legitimate emergency vehicles.
DHS and its operational components have recognized the value of using social media to gain situational awareness and support mission operations, including law enforcement and intelligence-gathering efforts. However, additional oversight and guidance are needed to ensure that employees use technologies appropriately. In addition, improvements are needed for centralized oversight to ensure that leadership is aware of how social media are being used and for better coordination to share best practices. Until improvements are made, the Department is hindered in its ability to assess all the benefits and risks of using social media to support mission operations.
Android is the world’s most widely used mobile operating system (OS) and continues to be a primary target for malware attacks due to its market share and open source architecture. Industry reporting indicates 44 percent of Android users are still using versions 2.3.3 through 2.3.7-known as Gingerbread-which were released in 2011 and have a number of security vulnerabilities that were fixed in later versions. The growing use of mobile devices by federal, state, and local authorities makes it more important than ever to keep mobile OS patched and up-to-date.
(U//FOUO) FBI Cyber Division Bulletin: Advanced Persistent Threat (APT) Actors Targeting Aviation Industry
Since June 2013, the FBI has observed advanced persistent threat (APT) actors’ increased interest in the aviation industry. APT actors have sent spear-phishing e-mails targeting individuals associated with the air travel industry. Some of the spear-phishing e-mails originated from a spoofed sender in an attempt to make the e-mail appear more legitimate. E-mail recipients should be aware of suspicious and potentially malicious e-mail attachments or links.
In 2011, the U.S. Department of Homeland Security’s (DHS) Office of Intelligence and Analysis (I&A), in coordination with federal and SLTT partners, began conducting an annual assessment of fusion centers to evaluate their progress in achieving the COCs and ECs and to collect additional data to better understand the characteristics of individual fusion centers and the National Network as a whole. DHS/I&A initiated the 2012 Fusion Center Assessment (2012 Assessment) in August 2012 as the second iteration of the annual assessment process and the first assessment to provide data on year-over-year progress in implementing the COCs and ECs. The 2012 Assessment was also the first assessment to collect National Network performance data based on an initial set of five performance measures adopted in 2011. This 2012 National Network of Fusion Centers Final Report (2012 Final Report) summarizes and characterizes the overall capabilities and performance of the National Network based on the results of the 2012 Assessment. This report does not include fusion center-specific capability or performance data. Instead, it uses aggregated data from the 2012 Assessment to describe the capability and performance achievements of the National Network.
During the 112th Congress, then-Committee on Homeland Security (Committee) Chairman Peter T. King, currently the Chairman of the Subcommittee on Counterterrorism and Intelligence, directed Committee Majority staff to conduct a comprehensive study of the National Network in an effort to understand current strengths and gaps and provide recommendations for improvement. This work continued into the 113th Congress under the additional direction of current Committee Chairman Michael T. McCaul. Over the course of nineteen months (January 2012-July 2013), the Committee logged 147 meeting hours during visits to 32 fusion centers, in addition to numerous briefings and discussions with various Federal partners, representatives of the National Fusion Center Association, and follow-up conversations with fusion center directors and personnel.
Department of Defense, Department of Homeland Security, Department of Justice, Federal Bureau of Investigation
A collection of Network Security Agreements (NSAs) entered into with foreign communications infrastructure providers ensuring U.S. government agencies the ability to access communications data when legally requested. The agreements range in date from 1999 to 2011 and involve a rotating group of government agencies including the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), Department of Justice (DoJ), Department of Defense (DoD) and sometimes the Department of the Treasury. According to the Washington Post, the agreements require companies to maintain what amounts to an “internal corporate cell of American citizens with government clearances” ensuring that “when U.S. government agencies seek access to the massive amounts of data flowing through their networks, the companies have systems in place to provide it securely.”
Recent incidents in the Homeland demonstrate that consumer fireworks—widely used during the upcoming 4 July 2013 celebrations—can be misused by criminals and violent extremists to construct improvised explosive devices (IEDs). Consumer fireworks are defined as devices that produce audible and visible effects by combustion, containing between 50-130 milligrams of explosive material. They are banned in Delaware, Massachusetts, New Jersey, and New York.
Within DHS, this overarching responsibility for critical infrastructure protection is delegated to the National Protection and Programs Directorate’s (NPPD) Office of Infrastructure Protection (IP), specifically the Sector-Specific Agency Executive Management Office (SSA EMO) CF Branch for commercial facilities. Serving as the Sector-Specific Agency (SSA) for the CF Sector, the CF Branch works with its partners to address and highlight low-cost preparedness and risk management options in the products and tools it makes available to the private sector. For example, the CF SSA has been working to produce a suite of protective measures guides that provide an overview of best practices and protective measures designed to assist owners and operators in planning and managing security at their facilities or events. The Protective Measures Guide for the U.S. Outdoor Venues Industry is one of these guides and reflects the special considerations and challenges posed by the Outdoor Venues Subsector.
Malicious actors may leverage the Internet to gain information against a potential target to support pre-operational planning efforts for kinetic or cyber attacks. Malicious actors can use Internet search engines for information such as maps, company photographs or blueprints, and gain additional details from social media sites and Web blogs. Some actors may use more sophisticated techniques—such as phishing, spear phishing, or actual penetration of an organization’s network or devices—which can be used to gather personal, sensitive, or proprietary data.