Department of Homeland Security Daily Open Source Infrastructure Report

Monday, September 28, 2009

Complete DHS Daily Report for September 28, 2009

Daily Report

Top Stories

 NBC Washington reports that a Jordanian national was arrested on September 24 and charged with attempting to bomb the Fountain Place skyscraper in Dallas, the FBI said. The suspect is accused of targeting the Wells Fargo Bank offices in the 60-story glass office tower, according to an arrest affidavit. (See item 13 below in the Banking and Finance Sector)

 According to CNN, a would-be terrorist, of Decatur, Illinois, was arrested for allegedly attempting to detonate a truck bomb to blow up the Paul Findley Federal Building and Courthouse in Springfield, Illinois, officials said on September 24. (See item 30)

30. September 24, CNN – (Illinois) Sting catches alleged terrorist in plot to blow up courthouse. A would-be terrorist was arrested in Springfield, Illinois for allegedly attempting to detonate a truck bomb to blow up a federal building and kill its occupants, officials said on September 24. Authorities were waiting on September 23 for the suspect who unwittingly had been dealing with undercover FBI agents continually monitoring his activities. Justice Department officials said the suspect, 29, of Decatur, Illinois, drove a vehicle he believed contained a ton of explosives to the Paul Findley Federal Building and Courthouse in Springfield. He got out of the truck, got into a waiting car with an undercover agent, and then, when he was a few blocks away, attempted to detonate the bomb with a remote-control device. “When he pushed the button, nothing happened except he got handcuffs slapped on him,” said one Justice Department official familiar with the case. The truck contained inactive explosives. Authorities said the suspect idolized a known convicted terrorist — an American who was captured fighting for the Taliban in Afghanistan — and said he wanted to go to a training camp abroad to become a jihadist fighter. The suspect made an initial appearance in court in Springfield on September 24 to face charges of attempted use of a weapon of mass destruction and attempted murder of federal employees, according to the Acting U.S. Attorney. The affidavit provided in court said he had received funds from an individual in Saudi Arabia, which he used for a month-long trip to that country in April and May of 2008. Authorities stressed the plot was in no way related to the terrorist plot unfolding in New York and Denver. Source:


Banking and Finance Sector

13. September 24, NBC Washington – (Texas) FBI arrests man in Dallas skyscraper bomb plot. A Jordanian national was arrested on September 24 and charged with attempting to bomb a Dallas skyscraper, the FBI said. The suspect, 19, will make his first appearance in U.S. District Court before a Magistrate Judge on September 25. The suspect was arrested near Fountain Place, a 60-story glass office tower in downtown Dallas. He is accused of placing an inactive bomb in the building’s parking garage, investigators said. The FBI said the suspect believed the device, which was provided by an undercover agent, was a car bomb. The suspect is accused of targeting the Wells Fargo Bank offices in Fountain Place, according to an arrest affidavit. Federal officials said the case has no connection with the major terrorism investigation under way in Colorado and New York or the September 24 arrest of a man facing similar charges in Springfield, Illinois. The suspect had been the focus of an undercover FBI investigation and was under continuous surveillance since undercover agents said they discovered him in an online group of extremists. Undercover FBI agents made more than 60 communications with the man since early March. On June 24, while meeting with an undercover FBI agent at a Dallas hotel, the man allegedly stated he had a new idea to target the buildings belonging to the biggest credit card companies, such as American Express or Visa. The suspect said credit cards drive America, and that he desired to attack one of the main locations where the building accommodates the management and administration, according to the arrest affidavit. Source:

14. September 24, IDG News Service – (Maine) Construction firm sues after $588,000 online theft. A construction company in Maine is suing its bank after about $588,000 disappeared from its accounts, alleging the bank failed to spot suspicious account activity before it was too late. Over a week-long period in May, fraudsters made six transfers from the online bank accounts of Patco Construction Company, a family-owned developer in Sanford, Maine, according a copy of the lawsuit on the Washington Post’s Web site. The money went to so-called “mules,” or people who have agreed to receive the funds and then further transfer it to the fraudsters. The hefty withdrawals exceeded the amount of money Patco had in its account, which was used solely for payroll. To make matters worse for Patco, its bank — People’s United Bank, or Ocean Bank of Delaware — drew $223,237 on the company’s line of credit to cover the withdrawals. Ocean Bank now wants Patco to pay that money back with interest, the lawsuit said. After the bad transfer came to light, Ocean Bank did recover or block $243,406, but Patco is still on the hook for $345,444. The fraudsters had a lot of key information needed to do the transfers, conducted through the ACH (Automated Clearing House) Network, used by institutions to handle direct deposits, checks, bill payments and cash transfers between businesses and individuals. Source:

15. September 24, CNET News – (National) Survey: Half of businesses don’t secure personal data. The personal information one gives to businesses may not be as secure as one hopes, according to a new survey. Around 55 percent of all businesses acknowledge that they secure credit card information but not Social Security numbers, bank account details, and other personal data, according to a survey of more than 500 companies released Wednesday by Imperva and Ponemon Institute. The survey was conducted to determine how many companies are complying with PCI DSS, the Payment Card Industry’s Data Security Standard. PCI DSS tries to ensure that businesses take specific measures to secure their Web sites, databases, and other systems that process and store credit card information. Of the companies surveyed, 71 percent acknowledged not making data security a top initiative, despite the fact that 79 percent of them said they have been hit by one or more data breaches. In fact, Ponemon and Imperva noted that since the PCI DSS standard was enacted in 2005, the number of breaches and cases of credit card fraud has actually risen. Cost and lack of resources were the biggest factors cited for not focusing on PCI DSS compliance. For those reasons, larger firms fared better than smaller ones. Only 28 percent of businesses with 501 to 1,000 employees were compliant as opposed to 70 percent of companies with 75,000 or more employees. Source:;title

16. September 23, U.S. Department of Justice – (National) Five individuals charged in scheme to defraud U.S. government agency related to $9.4 million loan. Four suspects have been charged in conjunction with a scheme to defraud the Overseas Private Investment Corporation (OPIC), a government lending agency, announced the Assistant Attorney General of the Criminal Division and the U.S. Attorney for the Northern District of California. The defendants, who have made initial appearances in federal court in San Francisco, were charged in an indictment returned by a federal grand jury on August 27, 2009, and unsealed September 17, 2009, with conspiracy to commit mail and wire fraud, wire fraud, money laundering conspiracy and substantive money laundering counts. Separately, another suspect was arrested September 16, 2009, based on a criminal complaint and made his initial appearance in federal court the week of September 14. The suspect was charged in a related extortion conspiracy. According to the indictment, the four suspects allegedly conspired to defraud OPIC, a government agency that provides loans for U.S. sponsored companies to invest in overseas projects. The indictment alleges that the defendants defrauded OPIC in conjunction with a loan to Golden Sierra Partners LLC (GSP) to establish a milling and bakery operation in Estonia. Specifically, the defendants allegedly misrepresented to OPIC that GSP’s members contributed equity to the project and misrepresented equipment costs, to obtain a $9.4 million loan from OPIC and related disbursements. As a result of these alleged misrepresentations and others, OPIC disbursed approximately $8 million. Source:

17. September 23, WOWT 6 Omaha – (Nebraska) Irate bank customer busted for making threats. A Lincoln man faces charges for making terroristic threats at a Lincoln bank on Monday. Witnesses say the 52-year-old became upset when Wells Fargo Bank employees at North 16th and P streets told him his account was being closed due to overdraft fees. He eventually left, but returned to get his briefcase. That is when police say he pulled out a knife and glared at an employee. Minutes later, officers were called to the Wells Fargo branch at 13th and O streets where the suspect was allegedly creating another disturbance. Source:

For another story, see item 42 in the full report

Information Technology

38. September 25, MX Logic – (International) Network security concerns cause browser spat between Google, Microsoft. Google’s recent release of a plug-in for Microsoft’s ubiquitous Internet Explorer browser has fueled an acrimonious exchange between the two computer giants. Google’s Chrome Frame, a product that more or less transforms Internet Explorer into Google’s Chrome browser, immediately produced a condemnatory release from Microsoft, which claimed that Chrome Frame made Internet Explorer less secure, and chastised Google for releasing the product. Google almost immediately fired back, implying that Microsoft was being deceptive toward its customers by painting Google’s up-to-date Chrome browser as less safe than antiquated versions of Internet Explorer in widespread enterprise use, citing Chrome’s modern malware protection and anti-phishing features. Google also pointedly excluded Internet Explorer from a list of browsers it says are modern and standards-compliant. Google’s browser, despite critical acclaim, has not managed to capture a significant slice of the enterprise market, over which Microsoft maintains a stranglehold. Experts say that Chrome Frame is part of a Google strategy to break that stranglehold by demonstrating Chrome’s high-speed performance and advanced functionality without forcing users to make a browser switch. Source:

39. September 24, DarkReading – (International) Up to 9 percent of machines in an enterprise are bot-infected. In a three-month study of more than 600 different botnets found having infiltrated enterprise networks, researchers from Damballa discovered nearly 60 percent are botnets that contain only a handful to a few hundred bots built to target a particular organization. Only 5 percent of the bot infections were from big-name botnets, such as Zeus/ZDbot and Koobface. And Damballa has seen bot infections grow in enterprises as well, from 5 to 7 percent of an enterprise’s IP address space and hosts last year, to 7 to 9 percent of them bot-infected this year. “It’s more the smaller, customized and targeted types of botnets [that infect the enterprise],” says the vice president of research for Damballa. “Corporations have become very good at dealing with the larger threats that get publicized — they tend not to get affected widely by Conficker, for instance,” he said. This latest research was revealed on September 24 during a presentation at the Virus Bulletin Conference in Geneva. A researcher with SecureWorks’ Counter Threat Unit says botnet operators who execute targeted attacks do so with fewer bots. The bad guys are also finding that deploying a small botnet inside a targeted organization is a more efficient way of stealing information than deploying a traditional exploit on a specific machine. And the vice president of research for Damballa says many of the smaller botnets appear to have more knowledge of the targeted organization as well. “They are very strongly associated with a lot of insider knowledge...and we see a lot of hands-on command and control with these small botnets,” he says. Botnets of all sizes are also increasingly using more and different types of malware rather than one particular family in order to evade detection. “Most botnets, even small ones, have hundreds of different pieces of malware and families in use,” he says. Source:

40. September 23, ZDNet – (International) Hijacking Windows System Restore for cybercrime profits. Cyber crime gangs in China are penetrating the hard disk recovery cards on computers in Internet cafes and using a combination of zero-day flaws, rootkits, and ARP spoofing techniques to steal billions of dollars worth of online gaming credentials. According to a Microsoft anti-virus researcher, five generations of the Win32/Dogrobot malware family have perfected the novel rootkit technique to hijack System Restore on Windows — effectively allowing the malicious file to survive even after the compromised machine is reverted to its previous clean state. At the Virus Bulletin 2009 conference in Geneva, he provided a look at the techniques used by Dogrobot, which is directly linked to the lucrative underground trading of online gaming assets like passwords and virtual property. According to data presented by Feng, the Dogrobot family has caused more than USD$1.2 billion in losses to Chinese Internet cafes. He explained that earlier Dogrobot used disk-level I/O file manipulation to penetrate System Restore but, as the malware evolved, it started using a “backdoor” that already exists in the System Restore functionality. A third generation introduced extensive unhooking code to thwart the protection offered by security programs and avoid removal. Along the way, he discovered that newer variants were tweaked to get around security software and strengthen the code’s ability to maintain persistent stealth on compromised Windows computers. In China, Internet cafes are very popular among the online gaming crowd where the use of USB sticks with account credentials is the norm. Dogrobot takes advantage of this, abusing the USB AutoRun functionality on older machines to propagate. He explained that the malware author has found success exploiting zero-day ActiveX vulnerabilities and other flaws in Windows OS and third-party software — especially RealPlayer and WebThunder. The attackers also use ARP cache poisoning to send malicious ARP packets to instruct other machines within the same LAN to download Dogrobot samples. Source:

For another story, see item 3 in the full report

Communications Sector

See Item 3 in the full report