Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, September 30, 2009

Complete DHS Daily Report for September 30, 2009

Daily Report

Top Stories

• Reuters reports that a Singapore-flagged tanker carrying crude oil ran aground on Monday at mile marker 3 on the Lower Mississippi River, near Pilottown, Louisiana. At least eight large vessels are being held up due to the incident. (See item 3)


3. September 28, Reuters – (Louisiana) Mississippi River traffic blocked by grounded ship. A tanker carrying crude oil ran aground and is blocking vessel traffic near the mouth of the Mississippi River, the most important U.S. commercial waterway, the Coast Guard said on Monday. No leak has been detected from the ship, the Singapore-flagged Eagle Tucson, which is owned by U.K.-based AET Inc. The vessel ran aground at 2:45 a.m. on Monday with 602,000 gallons of crude oil, according to a Coast Guard statement. At least eight large vessels are being held up due to the incident, a Coast Guard spokeswoman said. No information was available on what cargoes those vessels held. Four tug boats are on the scene, with another two en route, to help to refloat the Eagle Tucson, and a lightering vessel arrived to transfer its cargo if necessary. The grounding of the Eagle Tucson, an upriver-bound, 107,000-ton deadweight, double-hull oil carrier, occurred at mile marker 3 on the Lower Mississippi, near Pilottown, Louisiana, and around 85 miles downriver from New Orleans. Oil refiners in the Gulf Coast region should not have to make any cuts in production because of the incident, said a source at a major U.S. refiner. The channel may be cleared to outbound traffic later Monday, the source said. “Deep-draft vessels are currently unable to transit through the area,” the Coast Guard said. The Coast Guard said it was not immediately clear how long it would take to clear the Eagle Tucson. Small vessels were still able to transit in the area, which serves as a key U.S. shipping corridor, the spokeswoman said. Source: http://www.reuters.com/article/domesticNews/idUSTRE58R55020090928?feedType=RSS&feedName=domesticNews


• Two U.S. sailors and a Filipino marine were killed Tuesday in a roadside bomb believed planted by al-Qaeda linked militants, the first American troops to die in an attack in the Philippines in seven years. (See item 39)


39. September 29, Associated Press – (International) 2 U.S. troops killed in Philippines blast. Two U.S. sailors and a Filipino marine were killed Tuesday in a roadside bomb believed planted by al-Qaeda linked militants, the first American troops to die in an attack in the Philippines in seven years. The Philippine military suspected Abu Sayyaf militants were behind the attack against the U.S. Navy troopers on the southern island of Jolo. Jolo lies in a poor, predominantly Muslim region. The American forces have been providing combat training and weapons to Filipino troops battling the Abu Sayyaf. Philippine officials described the blast as being caused by a land mine, a description normally used for military-grade weapons. The U.S. Embassy said it was an improvised explosive device. Source: http://www.washingtonpost.com/wp-dyn/content/article/2009/09/29/AR2009092900171.html?hpid=moreheadlines


Details

Banking and Finance Sector

19. September 29, Los Angeles Times – (California) Riverside County man sentenced to 100 years for operating Ponzi scheme. In what federal prosecutors described as the longest sentence ever imposed for a financial crime in Southern California, a Riverside County man was sentenced Monday to 100 years in prison for operating a Ponzi scheme that bilked investors of about $35 million. The guilty party, who ran the operation from 2000 to 2003 through a company he called MX Factors, was sentenced by a U.S. district judge in federal court in Riverside. Dozens of the company’s estimated 700 investors wrote the judge to demand a stiff sentence. Prosecutors said the guilty party, using a team of sales agents, told clients that he would invest their money in government-guaranteed construction loans and promised returns as high as 14 percent every three months. Instead of investing in construction, the guilty party wired some of the money to foreign banks, paid high commissions to agents and launched a crab-fishing business in Ensenada, prosecutors said. Some early investors were paid dividends that came from later investors, a classic Ponzi scheme, said an assistant U.S. attorney. Source: http://www.latimes.com/business/la-fi-ponzi29-2009sep29,0,1441674.story


20. September 28, Associated Press – (Pennsylvania) Ex-CEO of Pa. drinks-maker charged in $806M fraud. A federal grand jury accused the former chief executive officer of a defunct soft-drink-maker and four others connected to the company of perpetrating an $806 million bank fraud, much of which went to the ex-CEO and his family. The suspect, of Ligonier, provided financial institutions and equipment suppliers “with dramatically false financial statements” to get equipment leases and loans for Latrobe-based Le-Nature’s Inc., said the U.S. Attorney. She called it the “largest fraud in the history of the Western District of Pennsylvania,” a 25-county area. According to the 29-count indictment unsealed on September 28, lenders and investors poured money into the company on the basis of the phony financial statements. The government wants the suspect to forfeit bank accounts worth more than $7 million. Investigators have already seized tens of millions of dollars in jewelry and an 8,000-piece model train collection worth about $1 million from the suspect. Authorities believe the suspect spent much of the money on himself or his family, as he once drove a Hummer and a high-end Mercedes, and was building a mansion in Ligonier, 45 miles southeast of Pittsburgh. The U.S. Attorney said the loss to the lenders and investors continues to exceed $700 million. The criminal investigation grew out of Le-Nature’s forced bankruptcy in October 2006, when a judge determined it was likely the suspect and other company directors had engaged in criminal activity. The bankruptcy of Le-Nature’s has spawned a raft of litigation, including a racketeering suit brought by the bankruptcy trustee that accuses Charlotte, North Carolina-based Wachovia Corp. of aiding the scheme. Earlier this month, a federal judge ruled the trustee can continue to pursue Wachovia for allegedly continuing to lend money to Le-Nature’s despite red flags raised by Wachovia’s own analysts.
Source: http://www.google.com/hostednews/ap/article/ALeqM5iEbHtufksKXavPm47UElkLLUn_sgD9B0IK0O1


21. September 28, Bloomberg – (Michigan) SEC sues Detroit broker for luring elderly to $250 million scam. The U.S. Securities and Exchange Commission sued a Detroit-area broker for allegedly defrauding elderly investors by selling interests in a firm that claimed it had telecommunications deals with hotels and truck stops. The suspect reaped at least $3.8 million for himself and his company, Fast Frank Inc., by encouraging investors to refinance their homes to participate in a $250 million Ponzi scheme run by the owner of the company E-M Management Co. LLC, the SEC said. The suspect raised $74 million and the SEC said he was the most successful salesperson for the company owner, who was sued in 2007 for running the scam. The suspect falsely told investors he conducted due diligence on E-M, which claimed to have contracts to install and service telecommunications equipment with hotels and casinos in Las Vegas, the SEC said in a complaint filed in federal court in Michigan. Most, if not all, of the purported contracts did not exist, the agency said. The suspect did not know about the scam, has been cooperating for more than a year and provided documents to the agency, said his attorney. The regulator did not claim in its complaint that the suspect signed checks, received bank statements or that his name was mentioned in offering documents “that would show he had any actual knowledge that this was an alleged Ponzi scheme,” the attorney said. Several of the suspect’s 800 clients in Michigan and California used home-equity lines of credit to borrow $100,000 or more, and he encouraged one investor to borrow $1 million on her home to buy interests in the company owner’s projects, the SEC said. The company owner had 1,200 clients. Source: http://www.bloomberg.com/apps/news?pid=20601087&sid=a7Z1V_CXOKDw


22. September 28, Canwest News Service – (International) Worm infecting banks’ computers can steal passwords, company warns. Computers at a majority of Canada’s big banks are infected with a malicious computer worm capable of logging keystrokes and stealing passwords, an Ottawa security firm has warned. Defence Intelligence Inc. said on September 28 it has been monitoring the worm dubbed Mariposa for five months and has watched it spread to machines at more than 50 of the top 100 Fortune 500 companies as well as Canada’s banks. The Canadian Bankers Association said it is aware of the worm, which it believes has done little if any damage. But the chief executive officer of Defence Intelligence called Mariposa “a highly sophisticated piece of malicious software” that appears to be very selective in its targets. “We’ve detected compromised behaviour from hundreds of government agencies, financial institutions, universities and corporate networks worldwide, but surprisingly few home users,” he said. The chief executive officer said his team of 11 employees stumbled across the worm while monitoring routine Internet traffic in May. They noticed packets that seemed to be coming from a well known financial institution reporting back to servers in Israel and Germany. Further inspection revealed the packets were coming from a malicious software program designed to steal information from banks, government and other financial institutions. A spokesman for the Canadian Bankers Association, said Mariposa has not breached the sophisticated security systems in place to protect customers’ personal and financial information. “Banks are aware of this malicious software and, based on discussions last week with a number of banks, there has been little-to-no-impact from it at all,” he said. Still, banks are working to eliminate the worm, the spokesman said. Source: http://www.financialpost.com/news-sectors/story.html?id=2044247


Information Technology


44. September 29, Digital Signage Expo – (National) ICSA Labs addresses security threat to network-connected devices, including digital signs. Responding to an often overlooked security risk, ICSA Labs, an independent division of Verizon Business, recently introduced a new program to help enterprises safeguard against intrusions through network-connected devices such as printers, faxes and point-of-sale systems, as well as help device manufacturers ensure that their products are secure. The new capabilities offered by ICSA Labs, a vendor certification program and a comprehensive enterprise assessment, are designed to protect these typically stand-alone, unattended devices, which connect directly to a network but are not part of the network infrastructure itself, according to the company. Also included in this product class of network-attached devices are copiers, ATM machines, digital signs, proximity readers, security cameras and facility management systems for power, lighting and HVAC systems, said the company. ICSA Labs has found that these unprotected devices can allow hackers easy access to corporate networks. According to the Verizon Business 2009 Data Breach Investigations Report, many breaches occur through what is called “unknown, unknowns,” which can involve systems such as printers and faxes. The report also points out that attackers choose the path of least resistance, targeting vulnerable systems. ICSA Labs’ first new offering, Network Attached Peripheral Security (NAPS) certification, provides manufacturers an opportunity to work with ICSA Labs to help identify and remediate existing and potential vulnerabilities in the devices the manufacturers sell, said the company. The NAPS certification program service also applies to manufacturers whose products are still under development and are seeking recommendations to make their products safer. 
Source: http://digitalsignageexpo.net/IndustryNews/tabid/317/smid/1236/ArticleID/1942/t/ICSA-Labs-Addresses-Security-Threat-to-Network-Connected-Devices-Including-Digital-Signs/Default.aspx


45. September 28, The Register – (International) Sunbelt buckles up for anti-bloatware drive. The anti-virus bloatware problem is getting worse despite what some vendors may claim, according to figures from Sunbelt Software. The Florida-based vendor’s marketing claims tap into a deep well of discontent about anti-virus products but are not supported by the latest results from independent testing labs, such as AV-Test.org, and therefore ought to be treated with caution. What is not in dispute is that slow, bloated anti-virus engines chew up system resources. The problem has been a continual source of frustration for Windows users for years, and something their Mac and Linux-using peers always cite in operating system arguments. Worse yet, each new version of the leading Windows anti-virus products from Symantec, Trend and McAfee et al can increase the demand on CPU and memory by a significant factor, Sunbelt claims. This can effectively reduce the useful life of existing machines which, according to Sunbelt, need 20 per cent more grunt (extra CPU power and RAM) for each update. Source: http://www.theregister.co.uk/2009/09/28/bloatware_survey/


46. September 28, IDG News Service – (International) Pressure on Microsoft, as Windows attack now public. Hackers have publicly released new attack code that exploits a critical bug in the Windows operating system, putting pressure on Microsoft to fix the flaw before it leads to a worm outbreak. The vulnerability has been known since September 7, but until September 28 the publicly available programs that leverage it to attack PCs had not been able to do more than crash the operating system. A new attack, developed by a Harmony Security senior researcher, lets the attacker run unauthorized software on the computer, in theory making it a much more serious problem. The researcher’s code was added to the open-source Metasploit penetration testing kit on September 28. Two weeks ago, a small software company called Immunity developed its own attack code for the bug, but that code is available only to the company’s paying subscribers. Metasploit, by contrast, can be downloaded by anyone, meaning the attack code is now much more widely available. A Metasploit developer said on September 28 that the exploit works on Windows Vista Service Pack 1 and 2 as well as Windows Server 2008 SP1. It should also work on Windows Server 2008 Service Pack 2, he added in a Twitter message. But the code may not be completely reliable. The Immunity senior researcher said that he could get the Metasploit attack to work only on the Windows Vista operating system running within a VMware virtual machine session. When he ran it on native Windows systems, it simply caused the machines to crash. Either way, the public release of this code should put Windows users on alert. Security experts worry that this code could be adapted to create a self-copying worm attack, much like last year’s Conficker outbreak. Source: http://www.pcworld.com/businesscenter/article/172739/pressure_on_microsoft_as_windows_attack_now_public.html


For another story, see item 5 in the full report

Communications Sector

See item 5 in the full report

Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, September 29, 2009

Complete DHS Daily Report for September 29, 2009

Daily Report

Top Stories

• According to the Houston Chronicle, a 2-mile stretch of the Houston Ship Channel remains closed indefinitely to ship traffic as crews work to remove 10,500 gallons of fuel oil from the water after a ship collided with a barge on Friday. (See item 1)


1. September 28, Houston Chronicle – (Texas) Ship Channel stretch could reopen this week. A 2-mile stretch of the Houston Ship Channel remains closed indefinitely to ship traffic Monday as crews work to remove thousands of gallons of fuel oil from the water. Although the cleanup could take as long as three weeks, Coast Guard officials are hopeful that the channel could reopen this week. The channel is closed to all vessel traffic north of the Sidney Sherman Bridge over East Loop 610. The spill is contained, but it is unclear how long it will take to clean up the 10,500 gallons of fuel oil that flowed into the water after a ship collided with a barge Friday in the channel’s northernmost area. As of Monday morning, crews had recovered 4,280 gallons. About 10 vessels — four inbound and six outbound — are blocked from moving as the cleanup progresses. Officials are trying to determine how to get the vessels — ships, tugs, and barges — moving without disturbing the cleanup. The oil is in the channel’s last few miles, which is much less traveled than other areas. “Right now we don’t have a major problem and don’t have major impact on port operations,” a chief petty officer said. The spill happened when a 458-foot vessel, owned by W.O. Ship Management based in the Marshall Islands, was trying to turn around near Brady’s Island around 9 p.m. Friday and struck Buffalo Barge No. 251. One of the vessel’s fuel tanks was damaged, and heavy fuel oil leaked for more than four hours out of a 2-foot-by-4-foot gash that was about 5 feet above the water line. The vessel’s owner has taken responsibility for the spill and will pay for the cleanup. At least 130 people are working on the cleanup. Source: http://www.chron.com/disp/story.mpl/hotstories/6640783.html


• The Kentucky Enquirer reports that the Army Corps of Engineers used sonar equipment on Monday to locate a lock gate that fell into the Ohio River at the Markland Locks and Dam near Warsaw, Kentucky, following what officials called a catastrophic equipment malfunction on Sunday. (See item 43)


43. September 27, Kentucky Enquirer – (Kentucky) River traffic resumes after lock damaged. The Army Corps of Engineers will use sonar equipment on Monday to locate a lock gate that fell into the Ohio River at the Markland Locks following what officials called a catastrophic equipment malfunction on Sunday. The Markland Locks and Dam stretches across the river from Gallatin County in Kentucky to Switzerland County in Indiana, northeast of Louisville. River traffic was halted through the 1,200-foot main chamber after the 8 a.m. incident, a Corps of Engineers spokesman said. Engineers later in the day opened a 600-foot auxiliary chamber. “I have not seen anything like this or remember anything like this in 24 years,” he said. River traffic was flowing slowly again by early Sunday evening. It was not known when the locks would again be in full operation. The Markland Locks pass 55 million tons of commodities each year. According to the Waterways Council Inc., the principal commodity moving through the locks is coal that fuels power plants along the Ohio River. The Army Corps of Engineers has given the locks a performance rating of D because of a risk of failure due to the unreliability of miter gates. According to a February 2008 report by the Waterways Council Inc., the locks are drained annually instead of every five years to inspect and repair gates because of the high risk of failure. “The risk is very high that a failure of the lock gates will occur, forcing traffic through the auxiliary lock for an extended period, causing huge delays and costs to the towing industry,” the report said. Source: http://www.courier-journal.com/article/20090927/NEWS01/909270349/River+traffic+resumes+after+lock+damaged


Details

Banking and Finance Sector

15. September 28, CNN – (Georgia) Georgia bank is 95th to fail this year. Atlanta-based Georgian Bank was closed by state regulators on September 25, according to the Federal Deposit Insurance Corporation, becoming the 95th to fail in the nation this year. Customers of Georgian Bank are protected. The FDIC, which has insured bank deposits since the Great Depression, currently covers customer accounts up to $250,000. First Citizens Bank and Trust Company, Inc., of Columbia, South Carolina, agreed to assume all of Georgian’s $2 billion deposits and will purchase “essentially all” of its $2 billion in assets, the FDIC said. The five branches of Georgian Bank will reopen on September 28 as branches of First Citizens Bank. “We view this transaction as a unique opportunity based on current developments in our industry,” said the president and chief operating officer for First Citizens, in a statement. The acquisition is part of First Citizens’ “expansion strategy” in South Carolina and Georgia, he added. The 95 banks that have failed so far this year, an average of more than 10 per month, is nearly four times the number of banks that failed in 2008. It’s the highest tally since 1992, when 181 banks failed. Source: http://money.cnn.com/2009/09/25/news/economy/bank_failure/?postversion=2009092517


16. September 27, USA Today – (National) FDIC chief wants overdraft fees restricted. The head of the Federal Deposit Insurance Corp. (FDIC) is calling for tight restrictions on fees charged for overdrawn checking accounts. In the past week, some of the nation’s largest banks have announced plans to change the way they assess overdraft fees. The Federal Reserve has said it plans to release a rule by the end of the year on overdrafts. But it is unclear whether, and to what extent, it will require banks to curtail overdraft practices. Some analysts say that onerous restrictions could also make it harder for the troubled industry to recover. Overdraft fee income has been a huge source of profits for banks. In 2009, banks are expected to reap a record $38.5 billion from overdraft fees, nearly twice the $20.5 billion they stand to collect from credit card penalties such as late and over-limit fees, according to research firms Moebs Services and R.K. Hammer. Source: http://www.usatoday.com/money/industries/banking/2009-09-27-bank-overdraft-fees-regulation_N.htm


17. September 27, Reuters – (New York) Madoff sons, brother, niece to be sued: report. An epic swindler’s two sons, his brother and a niece will be sued this week for $198 million, the trustee winding down the Madoff firm told CBS News’ “60 Minutes” broadcast on September 27. The sons, brother and niece all held executive positions with the firm and should have known about the multibillion-dollar, worldwide 20-year-long Ponzi scheme, the trustee and his chief counsel told the program. Wall Street’s biggest investment fraud, a Ponzi scheme in which early investors are paid with the money of new clients, collapsed in the declining economy in December 2008. The mastermind confessed to the fraud of as much as $64.8 billion and is serving a 150-year prison sentence. Asked by “60 Minutes” whether investigators were working under the assumption that there was money still hidden, the chief counsel said: “Yes, we are” and the trustee said, “We’d assume it’s millions and millions of dollars.” The chief counsel told “60 Minutes” he estimated about $36 billion went into the whole scheme. “About $18 (billion) of it went out before the collapse. And $18 (billion) of it is just missing. And that $18 billion is what we’re trying to get back.” The New York lawyers said the latest lawsuit to recover money for defrauded investors under the Securities Investor Protection Act would accuse the family members of negligence and breach of fiduciary duty. The lawsuits to be filed in U.S. bankruptcy court in New York would also accuse them of profiting personally in the tens of millions of dollars while working at the firm. Source: http://abcnews.go.com/Business/wireStory?id=8688396


Information Technology


35. September 28, The Register – (International) Reddit swiftly squishes XSS worm. Popular social news website Reddit has stopped the spread of a cross-site scripting (XSS) worm that hit the site on Monday. The XSS worm spread via comments on the site, originally from the account of a user called xssfinder. Reddit failed to filter out JavaScript in some cases, specifically when a user hovered his or her mouse over a link, a factor the miscreants behind xssfinder’s account exploited to run a proof of concept attack. In an apparent test attack, xssfinder posted a comment linked to malicious scripts on a thread called “Guy on a bike in New York ‘high fives’ people hailing cabs.” Users reading the comment ended up sending massive amounts of spam comments onto other Reddit threads. Reddit administrators moved in promptly to close the vulnerability and restore order before things got out of hand. Throughout the confusion the site was never down. Xssfinder’s account was deleted soon after the attack began, reports Finnish web security firm F-Secure. Source: http://www.theregister.co.uk/2009/09/28/reddit_xss_worm/
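The bug class behind the Reddit item is a renderer that tries to remove dangerous markup from user comments rather than refusing to emit user markup at all. The following is an added example, not code from the report or from Reddit: it puts a blocklist-style renderer (strips <script> blocks, lets event-handler attributes such as onmouseover= through) next to a renderer that escapes everything and then rebuilds a single allowed construct, a [label](http(s) URL) link, itself. The comment payloads, the link syntax and the function names are constructed for illustration.

```python
import html
import re

# Constructed comment payload (not taken from the incident): a link whose
# onmouseover handler posts a comment when hovered, plus a <script> block
# that a naive blocklist will catch.
HOSTILE_COMMENT = (
    'Nice ride! <a href="#" onmouseover="fetch(\'/api/comment\',{method:\'POST\'})">'
    "hover me</a><script>alert(1)</script>"
)

# Constructed benign comment using the one link syntax the hardened renderer accepts.
BENIGN_COMMENT = "Source: [video](https://example.com/clip?id=7&hd=1) <3"

_SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def render_comment_blocklist(user_html: str) -> str:
    """Vulnerable renderer: strips <script> blocks but passes every other tag
    and attribute through untouched, so an onmouseover= handler still runs.
    The pattern is also trivially bypassed by nesting, see the usage below."""
    return _SCRIPT_BLOCK.sub("", user_html)


# [label](http://... or https://...) with no whitespace or parentheses in the URL.
_LINK = re.compile(r"\[([^\[\]]+)\]\((https?://[^\s()]+)\)")


def render_comment_allowlist(user_text: str) -> str:
    """Hardened renderer: escape everything first, so no user-supplied tag
    survives, then re-introduce exactly one construct by building the anchor
    ourselves. Because the text was escaped before the link regex ran, the URL
    cannot contain a raw quote or angle bracket that would break out of href,
    and the scheme is restricted to http/https by the regex."""
    escaped = html.escape(user_text, quote=True)

    def build_anchor(m: re.Match) -> str:
        return f'<a href="{m.group(2)}" rel="nofollow noopener">{m.group(1)}</a>'

    return _LINK.sub(build_anchor, escaped)


_INLINE_HANDLER = re.compile(r"<[a-zA-Z][^>]*\son[a-zA-Z]+\s*=", re.IGNORECASE)


def has_inline_handler(rendered_html: str) -> bool:
    """Post-render check: does any tag in the output carry an on* handler?"""
    return bool(_INLINE_HANDLER.search(rendered_html))


if __name__ == "__main__":
    for name, out in (
        ("blocklist", render_comment_blocklist(HOSTILE_COMMENT)),
        ("allowlist", render_comment_allowlist(HOSTILE_COMMENT)),
    ):
        print(f"{name}: handler present={has_inline_handler(out)}\n  {out}")
    print("benign:", render_comment_allowlist(BENIGN_COMMENT))
    # Nested tags defeat the blocklist outright: the inner <script>…</script>
    # is removed and the surrounding fragments reassemble into a live tag.
    print("bypass:", render_comment_blocklist("<scr<script>ipt>alert(1)</scr</script>ipt>"))
```

The point of the second renderer is that the only angle brackets in its output are ones the application wrote; a post-render check like has_inline_handler is then a regression test, not the security boundary.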


36. September 28, The Register – (International) Phishing fraud hits two year high. Phishing attacks reached a record high during the second quarter of 2009, with 151,000 unique attacks, according to a study by brand reputation firm MarkMonitor. Brands in the financial and payment services sectors continue to be the favourite targets for fraudulent emails that attempt to trick users into handing over their login credentials. They were the subject of four in five (80 per cent) of all phish attacks in Q2 2009. Elsewhere, attacks targeting the login credentials of social networking websites more than doubled between Q2 2008 and Q2 2009, increasing 168 per cent over the course of 12 months. An analysis of the millions of URLs in fraudulent emails by MarkMonitor identified a shift in the phishing techniques used by fraudsters, with 351 attacks per organisation, on average, in Q2 2009. The US hosted half (50 per cent) of the sites associated with phishing attacks during Q2 2009. MarkMonitor believes phishing attacks are at a two-year high, contrary to some reports that suggest fraudulent email attacks are on the decline. Source: http://www.theregister.co.uk/2009/09/28/phishing_fraud_trends/


37. September 25, ComputerWorld – (International) Hackers pay 43 cents per hijacked Mac. A network of Russian malware writers and spammers paid hackers 43 cents for each Mac machine they infected with bogus video software, a sign that Macs have become attack targets, a security researcher said on September 24. In a presentation on September 24 at the Virus Bulletin 2009 security conference in Geneva, Switzerland, a Sophos researcher discussed his investigation of the Russian “Partnerka,” a tangled collection of Web affiliates who rake in hundreds of thousands of dollars from spam and malware, most of the former related to phony drug sites, and much of the latter targeting Windows users with fake security software, or “scareware.” But the researcher also said he had uncovered affiliates, which he dubbed “codec-partnerka,” that aim for Macs. “Mac users are not immune to the scareware threat,” said the researcher in the research paper he released at the conference to accompany his presentation. “In fact, there are ‘codec-partnerka’ dedicated to the sale and promotion of fake Mac software.” One example, which has since gone offline, was Mac-codec.com, said the researcher. “Just a few months ago it was offering [43 cents] for each install and offered various promo materials in the form of Mac OS ‘video players,’” he said. Another Sophos researcher argued that the researcher’s evidence shows Mac users, who often dismiss security as a problem only for people running Microsoft’s Windows, are increasingly at risk on the Web. Source: http://www.computerworld.com/s/article/9138517/Hackers_pay_43_cents_per_hijacked_Mac?taxonomyId=17

Communications Sector

38. September 28, Mobile Burn – (National) AT&T asks FCC to investigate Google Voice. AT&T is urging the Federal Communications Commission to review the Google Voice call-forwarding system because it blocks outgoing calls to some phone numbers, the Wall Street Journal reports. The network carrier also called into question Google’s net neutrality double standard, its “noisome trumpeting” of the policy while it simultaneously limits traffic through Google Voice. The service prohibits users from calling adult lines and conference-call centers to keep costs down, Google says. Google responded to the letter on its policy blog, stating that the web-based software is not subject to common carrier laws and that users still need a traditional phone service to use Voice. Lastly, Google says AT&T’s net neutrality comparison “doesn’t fly,” since the FCC open Internet principles regulate broadband carriers, not software creators. The FCC is reviewing the letter but has not commented whether or not it will investigate the situation. Source: http://www.mobileburn.com/news.jsp?Id=7900

Department of Homeland Security Daily Open Source Infrastructure Report

Monday, September 28, 2009

Complete DHS Daily Report for September 28, 2009

Daily Report

Top Stories

• NBC Washington reports that a Jordanian national was arrested on September 24 and charged with attempting to bomb the Fountain Place skyscraper in Dallas, the FBI said. The suspect is accused of targeting the Wells Fargo Bank offices in the 60-story glass office tower, according to an arrest affidavit. (See item 13 below in the Banking and Finance Sector)


• According to CNN, a would-be terrorist, of Decatur, Illinois, was arrested for allegedly attempting to detonate a truck bomb to blow up the Paul Findley Federal Building and Courthouse in Springfield, Illinois, officials said on September 24. (See item 30)


30. September 24, CNN – (Illinois) Sting catches alleged terrorist in plot to blow up courthouse. A would-be terrorist was arrested in Springfield, Illinois for allegedly attempting to detonate a truck bomb to blow up a federal building and kill its occupants, officials said on September 24. Authorities were waiting on September 23 for the suspect who unwittingly had been dealing with undercover FBI agents continually monitoring his activities. Justice Department officials said the suspect, 29, of Decatur, Illinois, drove a vehicle he believed contained a ton of explosives to the Paul Findley Federal Building and Courthouse in Springfield. He got out of the truck, got into a waiting car with an undercover agent, and then, when he was a few blocks away, attempted to detonate the bomb with a remote-control device. “When he pushed the button, nothing happened except he got handcuffs slapped on him,” said one Justice Department official familiar with the case. The truck contained inactive explosives. Authorities said the suspect idolized a known convicted terrorist — an American who was captured fighting for the Taliban in Afghanistan — and said he wanted to go to a training camp abroad to become a jihadist fighter. The suspect made an initial appearance in court in Springfield on September 24 to face charges of attempted use of a weapon of mass destruction and attempted murder of federal employees, according to the Acting U.S. Attorney. The affidavit provided in court said he had received funds from an individual in Saudi Arabia, which he used for a month-long trip to that country in April and May of 2008. Authorities stressed the plot was in no way related to the terrorist plot unfolding in New York and Denver. Source: http://www.cnn.com/2009/CRIME/09/24/illinois.sting.truck.bomb/


Details

Banking and Finance Sector

13. September 24, NBC Washington – (Texas) FBI arrests man in Dallas skyscraper bomb plot. A Jordanian national was arrested on September 24 and charged with attempting to bomb a Dallas skyscraper, the FBI said. The suspect, 19, will make his first appearance in U.S. District Court before a Magistrate Judge on September 25. The suspect was arrested near Fountain Place, a 60-story glass office tower in downtown Dallas. He is accused of placing an inactive bomb in the building’s parking garage, investigators said. The FBI said the suspect believed the device, which was provided by an undercover agent, was a car bomb. The suspect is accused of targeting the Wells Fargo Bank offices in Fountain Place, according to an arrest affidavit. Federal officials said the case has no connection with the major terrorism investigation under way in Colorado and New York or the September 24 arrest of a man facing similar charges in Springfield, Illinois. The suspect had been the focus of an undercover FBI investigation and was under continuous surveillance since undercover agents said they discovered him in an online group of extremists. Undercover FBI agents made more than 60 communications with the man since early March. On June 24, while meeting with an undercover FBI agent at a Dallas hotel, the man allegedly stated he had a new idea to target the buildings belonging to the biggest credit card companies, such as American Express or Visa. The suspect said credit cards drive America, and that he desired to attack one of the main locations where the building accommodates the management and administration, according to the arrest affidavit. Source: http://www.nbcwashington.com/news/breaking/FBI-Arrests-Man-Accused-in-Skyscraper-Bomb-Plot--61272512.html


14. September 24, IDG News Service – (Maine) Construction firm sues after $588,000 online theft. A construction company in Maine is suing its bank after about $588,000 disappeared from its accounts, alleging the bank failed to spot suspicious account activity before it was too late. Over a week-long period in May, fraudsters made six transfers from the online bank accounts of Patco Construction Company, a family-owned developer in Sanford, Maine, according to a copy of the lawsuit on the Washington Post’s Web site. The money went to so-called “mules,” or people who have agreed to receive the funds and then further transfer them to the fraudsters. The hefty withdrawals exceeded the amount of money Patco had in its account, which was used solely for payroll. To make matters worse for Patco, its bank — People’s United Bank, or Ocean Bank of Delaware — drew $223,237 on the company’s line of credit to cover the withdrawals. Ocean Bank now wants Patco to pay that money back with interest, the lawsuit said. After the bad transfers came to light, Ocean Bank did recover or block $243,406, but Patco is still on the hook for $345,444. The fraudsters had a lot of key information needed to do the transfers, conducted through the ACH (Automated Clearing House) Network, used by institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals. Source: http://www.computerworld.com/s/article/9138467/Construction_firm_sues_after_588_000_online_theft?taxonomyId=82


15. September 24, CNET News – (National) Survey: Half of businesses don’t secure personal data. The personal information one gives to businesses may not be as secure as one hopes, according to a new survey. Around 55 percent of all businesses acknowledge that they secure credit card information but not Social Security numbers, bank account details, and other personal data, according to a survey of more than 500 companies released Wednesday by Imperva and Ponemon Institute. The survey was conducted to determine how many companies are complying with PCI DSS, the Payment Card Industry’s Data Security Standard. PCI DSS tries to ensure that businesses take specific measures to secure their Web sites, databases, and other systems that process and store credit card information. Of the companies surveyed, 71 percent acknowledged not making data security a top initiative, despite the fact that 79 percent of them said they have been hit by one or more data breaches. In fact, Ponemon and Imperva noted that since the PCI DSS standard was enacted in 2005, the number of breaches and cases of credit card fraud has actually risen. Cost and lack of resources were the biggest factors cited for not focusing on PCI DSS compliance. For those reasons, larger firms fared better than smaller ones. Only 28 percent of businesses with 501 to 1,000 employees were compliant as opposed to 70 percent of companies with 75,000 or more employees. Source: http://news.cnet.com/8301-1009_3-10360639-83.html?tag=mncol;title


16. September 23, U.S. Department of Justice – (National) Five individuals charged in scheme to defraud U.S. government agency related to $9.4 million loan. Four suspects have been charged in conjunction with a scheme to defraud the Overseas Private Investment Corporation (OPIC), a government lending agency, announced the Assistant Attorney General of the Criminal Division and the U.S. Attorney for the Northern District of California. The defendants, who have made initial appearances in federal court in San Francisco, were charged in an indictment returned by a federal grand jury on August 27, 2009, and unsealed September 17, 2009, with conspiracy to commit mail and wire fraud, wire fraud, money laundering conspiracy and substantive money laundering counts. Separately, another suspect was arrested September 16, 2009, based on a criminal complaint and made his initial appearance in federal court the week of September 14. The suspect was charged in a related extortion conspiracy. According to the indictment, the four suspects allegedly conspired to defraud OPIC, a government agency that provides loans for U.S. sponsored companies to invest in overseas projects. The indictment alleges that the defendants defrauded OPIC in conjunction with a loan to Golden Sierra Partners LLC (GSP) to establish a milling and bakery operation in Estonia. Specifically, the defendants allegedly misrepresented to OPIC that GSP’s members contributed equity to the project and misrepresented equipment costs, to obtain a $9.4 million loan from OPIC and related disbursements. As a result of these alleged misrepresentations and others, OPIC disbursed approximately $8 million. Source: http://www.usdoj.gov/opa/pr/2009/September/09-crm-1016.html


17. September 23, WOWT 6 Omaha – (Nebraska) Irate bank customer busted for making threats. A Lincoln man faces charges for making terroristic threats at a Lincoln bank on Monday. Witnesses say the 52-year-old became upset when Wells Fargo Bank employees at North 16th and P streets told him his account was being closed due to overdraft fees. He eventually left, but returned to get his briefcase. That is when police say he pulled out a knife and glared at an employee. Minutes later, officers were called to the Wells Fargo branch at 13th and O streets where the suspect was allegedly creating another disturbance. Source: http://www.wowt.com/news/headlines/60727882.html


For another story, see item 42 in the full report


Information Technology


38. September 25, MX Logic – (International) Network security concerns cause browser spat between Google, Microsoft. Google’s recent release of a plug-in for Microsoft’s ubiquitous Internet Explorer browser has fueled an acrimonious exchange between the two computer giants. Google’s Chrome Frame, a product that more or less transforms Internet Explorer into Google’s Chrome browser, immediately produced a condemnatory release from Microsoft, which claimed that Chrome Frame made Internet Explorer less secure, and chastised Google for releasing the product. Google almost immediately fired back, implying that Microsoft was being deceptive toward its customers by painting Google’s up-to-date Chrome browser as less safe than antiquated versions of Internet Explorer in widespread enterprise use, citing Chrome’s modern malware protection and anti-phishing features. Google also pointedly excluded Internet Explorer from a list of browsers it says are modern and standards-compliant. Google’s browser, despite critical acclaim, has not managed to capture a significant slice of the enterprise market, over which Microsoft maintains a stranglehold. Experts say that Chrome Frame is part of a Google strategy to break that stranglehold by demonstrating Chrome’s high-speed performance and advanced functionality without forcing users to make a browser switch. Source: http://www.mxlogic.com/securitynews/web-security/network-security-concerns-cause-browser-spat-between-google-microsoft615.cfm


39. September 24, DarkReading – (International) Up to 9 percent of machines in an enterprise are bot-infected. In a three-month study of more than 600 different botnets found having infiltrated enterprise networks, researchers from Damballa discovered nearly 60 percent are botnets that contain only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface. And Damballa has seen bot infections grow in enterprises as well, from 5 to 7 percent of an enterprise’s IP address space and hosts last year, to 7 to 9 percent of them bot-infected this year. “It’s more the smaller, customized and targeted types of botnets [that infect the enterprise],” says the vice president of research for Damballa. “Corporations have become very good at dealing with the larger threats that get publicized — they tend not to get affected widely by Conficker, for instance,” he said. This latest research was revealed on September 24 during a presentation at the Virus Bulletin Conference in Geneva. A researcher with SecureWorks’ Counter Threat Unit says botnet operators who execute targeted attacks do so with fewer bots. The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine. And the vice president of research for Damballa says many of the smaller botnets appear to have more knowledge of the targeted organization as well. “They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets,” he says. Botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. “Most botnets, even small ones, have hundreds of different pieces of malware and families in use,” he says. Source: http://www.darkreading.com/insiderthreat/security/client/showArticle.jhtml?articleID=220200118


40. September 23, ZDNet – (International) Hijacking Windows System Restore for cybercrime profits. Cyber crime gangs in China are penetrating the hard disk recovery cards on computers in Internet cafes and using a combination of zero-day flaws, rootkits, and ARP spoofing techniques to steal billions of dollars worth of online gaming credentials. According to a Microsoft anti-virus researcher, five generations of the Win32/Dogrobot malware family have perfected the novel rootkit technique to hijack System Restore on Windows — effectively allowing the malicious file to survive even after the compromised machine is reverted to its previous clean state. At the Virus Bulletin 2009 conference in Geneva, he provided a look at the techniques used by Dogrobot, which is directly linked to the lucrative underground trading of online gaming assets like passwords and virtual property. According to data presented by Feng, the Dogrobot family has caused more than USD$1.2 billion in losses to Chinese Internet cafes. He explained that earlier Dogrobot used disk-level I/O file manipulation to penetrate System Restore but, as the malware evolved, it started using a “backdoor” that already exists in the System Restore functionality. A third generation introduced extensive unhooking code to thwart the protection offered by security programs and avoid removal. Along the way, he discovered that newer variants were tweaked to get around security software and strengthen the code’s ability to maintain persistent stealth on compromised Windows computers. In China, Internet cafes are very popular among the online gaming crowd, where the use of USB sticks with account credentials is the norm. Dogrobot takes advantage of this, abusing the USB AutoRun functionality on older machines to propagate. He explained that the malware author has found success exploiting zero-day ActiveX vulnerabilities and other flaws in Windows OS and third-party software — especially RealPlayer and WebThunder. The attackers also use ARP cache poisoning to send malicious ARP packets to instruct other machines within the same LAN to download Dogrobot samples. Source: http://blogs.zdnet.com/security/?p=4423


For another story, see item 3 in the full report

Communications Sector

See Item 3 in the full report