Wednesday, June 15, 2011

Complete DHS Daily Report for June 15, 2011

Daily Report

Top Stories

• According to, federal and state agents searched a 30-square-mile swath of Montana forest June 13 for a former militia leader following a shootout with sheriff’s deputies. (See item 45)

45. June 14, Reuters, Associated Press, and NBC – (Montana) ‘Armed and extremely dangerous’ ex-militia leader hunted after Mont. shootout. Federal and state agents searched a 30-square-mile swath of rugged Montana forest June 13 for a former militia leader following a shootout with sheriff’s deputies, authorities said. The 47-year-old exchanged gunfire with Missoula County sheriff’s deputies along a logging trail June 12 after a slow-speed chase near Lolo, officials said. No one was hurt. Known for his anti-government sentiments, the suspect previously told police “he wasn’t going to be taken down like last time,” the Missoula County undersheriff said. He told the Associated Press June 13 the former Marine may have planned the attack. Officials believe he may have placed caches of food and weapons along his planned escape route. Authorities seized two of three vehicles registered to him, including the Jeep Cherokee loaded with rifles that he abandoned June 12, but suspect he may have stashed another SUV in the Lolo National Forest, the Missoula County undersheriff said. Tactical agents from the FBI and agents from U.S. Marshals Service, Missoula police, Missoula County sheriff’s officers, as well as law officers from the U.S. Forest Service, Bureau of Land Management, and the Montana National Guard assisted in the search. The incident began when deputies responded to a report that the operator of a car registered to the suspect was driving erratically at a rest stop near Lolo. When patrol cars arrived, the driver allegedly ran a stop sign. Officers pursued the car for 30 miles before it spun onto a side road near a trailhead. The former militia leader allegedly responded to commands that he surrender by shooting at deputies before disappearing into the forest. The suspect is the former leader of a Flathead County militia group known as Project 7, named for the number “7” on Flathead County license plates in Montana.
Project 7 allegedly plotted to assassinate local officials, go to war with the National Guard, and overthrow the federal government. The week of June 6, the suspect was stopped by the Montana Highway Patrol for a moving violation. He told patrolmen then that “it would take a SWAT team” to bring him in. “He’s a danger to anyone he meets,” the undersheriff said. Source:

• The Associated Press reports the swollen Missouri River ruptured two levees in northwest Missouri June 13, sending floodwater over rural farmland toward a small town in Iowa and a resort community in Missouri. (See item 62)

62. June 13, Associated Press – (Iowa; Missouri) 2 Missouri River levees break near Iowa-Mo. border. The swollen Missouri River ruptured two levees in northwest Missouri June 13, sending floodwater over rural farmland toward a small town in Iowa and a resort community in Missouri. Water rushing from a nearly 300-foot-wide hole in a levee near Hamburg was expected to continue widening the breach and reach the top of a secondary levee protecting the southwest Iowa town by June 15, the U.S. Army Corps of Engineers said. If the secondary wall fails, parts of Hamburg could be under as much as 10 feet of standing water. Crews were working to add another 3 feet to the levee, said the Corps’ Omaha District commander. Officials originally estimated the levee had a 50-foot hole, but it had grown to nearly 300 feet by the evening of June 13 and was continuing to widen. Across the border in Missouri, the river punched a 225-foot-wide hole through a levee about 45 miles downriver near Big Lake in Holt County. The roughly 30 residents who stayed in the resort town after the river started rising were told to leave June 13. Source:


Banking and Finance Sector

15. June 14, WHP 21 Harrisburg – (Pennsylvania; North Carolina; New York) Two fugitives from string of bank robberies arrested. Two fugitives involved with 11 different bank robberies in Central Pennsylvania were arrested June 9 and June 11. Officials say these robbers used elaborate old man masks. On June 2, it was announced that the men were considered fugitives. On June 9, one of the men was arrested in Charlotte, North Carolina, by the FBI. On June 11, the other man was arrested in Long Island, New York, by the FBI and the Suffolk County Police Department. Both men are being returned to the area for prosecution. If convicted, the man arrested in New York faces life in prison, while the other suspect faces up to 3 years in jail. Source:

16. June 13, Minneapolis Star Tribune – (Minnesota) Plymouth broker is third to be charged in Cook’s Ponzi scheme. A Plymouth, Minnesota, securities broker was charged June 13 in a Minneapolis federal court with securities fraud, wire fraud conspiracy, and money laundering in connection with another man’s $194 million Ponzi scheme. The 54-year-old man is the third person to be criminally charged in connection with the scheme but may not be the last. The charges were filed by way of “criminal information” rather than indictment, and search warrant documents filed in May suggest that the securities broker is helping the government investigate his former associates. According to the charges filed against the man, for 6 months in 2008 he conspired with others to pitch a fraudulent foreign currency investment program, which led to losses of more than $150 million for nearly 1,000 investors, mostly retirees. He used his position as a licensed securities broker to lend credibility to the program, the U.S. attorney’s office said in a statement June 13. He faces up to 10 years in prison on the money-laundering charge, and 5 years each on the securities fraud and conspiracy charges. Source:

17. June 13, Bay City News – (California) Police investigating suspicious fire at downtown Wells Fargo. Police were investigating a suspicious fire that burned at a Wells Fargo bank in San Francisco, California’s financial district June 13. The fire was reported at about 1 a.m. at the bank, located at 464 California Street. A window on the front of the building was broken and newspapers were set on fire inside underneath the windowsill, according to police. The fire is considered suspicious, police said. Source:

18. June 13, Seattle Post-Intelligencer – (Washington) Police: Man arrested for ATM skimming has crime-ring ties. A Seattle, Washington man was charged June 13 with four counts of identity theft after police said he used information skimmed from Chase bank ATM machines. Prosecutors said the suspect has ties to organized crime rings operating in Washington State and other states. The 21-year-old is being held on $250,000 bail after previously posting $50,000 bond earlier in June. The man “attempted to make 66 transactions with the counterfeit credit cards that he made from information ‘skimmed’ from the victims,” a senior deputy prosecutor wrote in charging documents. “He was found with 22 different victims’ financial information stored onto counterfeit cards.” Prosecutors said more counts are expected as they search for additional victims, and the U.S. attorney’s office may take over prosecution of the case. Chase fraud-monitoring staff identified 15 locations where skimmed information was used in the Seattle area. According to a search warrant, “the identified losses to Chase from [his] ATM skimming activities are in excess of $135,000.” Source:

19. June 13, New York Times – (International) Zvi Goffer found guilty in insider trading case. A man was found guilty of insider trading June 13 in New York. A 12-person jury convicted the suspect and two accused co-conspirators on its fifth day of deliberations in federal court in Manhattan. They each face up to 25 years in prison and are free on bail until their sentencing later in 2011. The case was connected to the prosecution of the hedge fund tycoon and co-founder of the Galleon Group who was found guilty in May in the largest insider trading case in a generation. Wiretaps played a central role in the trial. The jury heard secretly recorded telephone conversations between the suspect and co-conspirators, swapping confidential information about coming mergers and acquisitions. The suspect received his corporate secrets from low-level associates at a corporate law firm. Both of the lawyers at that firm pleaded guilty to passing information about deals the firm was working on. The two fed their tips to a third lawyer who then passed the intelligence on to the suspect. The way the suspect paid his sources included an elaborate scheme involving wiring money into a Swiss bank account, and into another in the name of a tipster’s housekeeper. Source:

20. June 13, WFMY 2 Greensboro; FBI – (Texas; Georgia) Bank robber wanted in two states called ‘Cool Calm Bandit’ by FBI. A man is wanted in connection with at least four bank robberies in Texas and Georgia. FBI officials have dubbed the man the “Cool and Calm Bandit.” They said he enters the bank in a calm manner and waits in line for his turn. The suspect then presents a note demanding money and produces a pistol/semi-automatic handgun from his waistband. He places the weapon on the counter and usually covers it with his hand. Investigators said after the suspect gets the money, he leaves the bank on foot. Investigators said the unknown suspect has robbed the following banks: March 31, a bank in San Antonio, Texas; April 8, a bank in Savannah, Georgia; April 13, a bank in Savannah; and May 18, a bank in Pooler, Georgia. The FBI describes the suspect as a black male in his late 20s to early 30s, about 5’10” to 6’1”, and 190 to 210 pounds. He may have some facial hair. Law enforcement officials said the getaway car may be an Astro-style blue mini-van, or a gold colored box-style car. Source:

21. June 13, Federal Bureau of Investigation – (National) Alpha One: Foreign currency trader convicted of securities fraud. A 50-year-old man from Spring, Texas, the “developer and owner” of “Alpha One”, a purportedly profitable foreign currency investment model, was convicted of securities fraud after defrauding investors of millions of dollars, a U.S. Attorney announced June 13. The man faces up to 20 years in prison and a $5 million fine at sentencing. He admitted that between 2003 and 2009, he used and employed manipulative and deceptive devices and contrivances in connection with the purchase and sale of investments in a sequence of trading enterprises he formed. The convict admitted raising tens of millions of dollars from scores of investors and to having exercised custody and control over those funds under the pretense that he used them to trade, including buying and selling foreign currencies. To persuade people to invest or remain invested in his enterprises, he represented that he sought profits in the foreign currency markets using a model called “Alpha One”, which he maintained he developed and owned. The convict admitted that he failed to trade as he represented. Rather, he made a minimal number of trades and earned little if any profits. Source:

Information Technology Sector

48. June 14, Softpedia – (International) LulzSec hacks Bethesda Softworks and dumps private data. LulzSec has hacked into Bethesda Softworks’ computer network and leaked information about accounts registered on its Web sites. Bethesda Softworks, a subsidiary of ZeniMax Media, is one of the most appreciated game developers and is responsible for several popular series. It is unclear why LulzSec targeted this particular company, but the hackers said before the dump that “we did it because they couldn’t stop us — and did it we did, as you’ll see.” The data posted online includes a large number of e-mail addresses extracted from the company’s official blog, the registration site for its latest game, BRINK, and its jobs portal. LulzSec claims to have actually held back on publishing the personal data of more than 200,000 BRINK players. Besides the dumped data, the hacking outfit claims to have extracted source code related to Quake 4, the popular title developed by id Software, now also a ZeniMax Media subsidiary. Bethesda acknowledged the hack and advised users to change their passwords on all of its Web sites, including the community forums and the BRINK player statistics site. Source:

49. June 13, New Castle News Journal – (International) Latest hacker target: Delaware IT firm. Delaware-based Unveillance LLC, a botnet-monitoring service, acknowledged it was targeted by the Lulz Security hackers group, which claimed it used a surreptitiously obtained password to steal nearly 1,000 work and personal e-mails from the chief executive. “Over the last two weeks, my company, Unveillance, has been the target of a sophisticated group of hackers now identified as LulzSec,” the CEO said in a statement. “I was personally contacted by several members of this group who made threats against me and my company to try to obtain money as well as to force me into revealing sensitive data about my botnet intelligence that would have put many other businesses, government agencies and individuals at risk of massive Distributed Denial of Service (DDoS) attacks,” he stated. “In spite of these threats, I refused to pay off LulzSec or to supply them with access to this sensitive botnet information. Had we agreed to provide this data to them, LulzSec would have been able to grow the size and scope of their DDoS attack and fraud capabilities,” the CEO continued. “Plain and simple, I refused to comply with their demands. Because of this, they followed through in their threats –- and attacked me, my business and my personal reputation.” LulzSec obtained the logins from an Atlanta, Georgia-based FBI partner organization called InfraGard and leaked them to the Internet. Source:

50. June 13, The Register – (International) Nissan car secretly shares driver data with Websites. Electric cars manufactured by Nissan surreptitiously leak detailed information about a driver’s location, speed, and destination to Web sites accessed through the vehicle’s built-in RSS reader, a security blogger has found. The Nissan Leaf is a 100-percent electric car Nissan introduced 7 months ago. Among its many innovations is a GSM cellular connection that lets drivers share real-time data about the car, including its location, driving history, power consumption, and battery reserves. Carwings, as the service is known, then provides many services designed to support “eco-driving,” such as breakdowns of the vehicle’s energy efficiency based on comparisons with other owners. But according to a Seattle, Washington-based blogger, Carwings includes the data in all Web requests the Nissan Leaf sends to third-party servers the driver has subscribed to through RSS, or Really Simple Syndication. Each time the driver accesses a given RSS feed, the car’s precise geographic coordinates, speed, and direction are sent in clear text. The data will also include the driver’s destination if it is programmed in to the Leaf’s navigation system, as well as data available from the car’s climate control settings. Source:

51. June 10, Help Net Security – (International) Malware writers rely on users not updating. When infecting PCs, online criminals are increasingly benefiting from uninstalled updates for browsers and their components. Research carried out by G Data SecurityLabs indicates unclosed security holes in browser plug-ins are in fashion with cybercriminals. This distribution concept means current security holes are far from being the only ones exploited by the perpetrators, as evidenced in the current malware analysis for the month of May 2011. In May alone, 4 of the top 10 computer malware programs targeted Java security holes for which Oracle had been offering an update since March 2010. There also was an increase in malware that installs adware or tries to lure users to install bogus antivirus programs. The malware industry has focused on Java security holes since the end of 2010. Source:

Communications Sector

52. June 10, Nextgov – (International) LightSquared cellular network interferes with all GPS applications, latest tests show. Transmissions from the nationwide cellular network planned by LightSquared knocked out GPS receivers operating at distances of 600 feet to 185 miles from the company’s base station, according to the latest test report on interference caused by the company’s system. The Federal Aviation Administration co-chairman of the National Position, Navigation and Timing Engineering (PNT) Forum, a multiagency group chartered to assess GPS technical issues, told a meeting of the National Space-Based PNT Advisory Board June 9 that tests in April showed “all GPS receiver applications [are] impacted by [the] proposed LightSquared network.” The Federal Communications Commission approved LightSquared’s hybrid satellite-terrestrial network January 26, which will include 40,000 base stations. The agency directed the company to work with the GPS industry to determine the potential effect its terrestrial transmitters, which operate in the 1525-1559 MHz and 1626.5-1660.5 MHz bands, would have on GPS systems that operate in the nearby 1559-1610 MHz band. The PNT co-chairman said simulation of the planned LightSquared network showed it would “degrade or result in loss of GPS function ... at standoff distances ranging from a few kilometers and extending to space operations.” Source:

Tuesday, June 14, 2011

Complete DHS Daily Report for June 14, 2011

Daily Report

Top Stories

• According to Reuters, health officials in Ohio said 8 people were sickened in the state as a result of a growing salmonella outbreak that federal officials said has now spread to 15 states.

29. June 13, Reuters – (Ohio; National) Salmonella outbreak linked to Ohio sickens 39 nationwide. Health officials in Ohio said June 9 that eight people had been sickened in the state as a result of a growing salmonella outbreak that federal officials say has now spread to 15 states. The Ohio Department of Health and the Ohio Department of Agriculture said the outbreak appeared to be linked to Mt. Healthy Hatchery, which supplies chicks and ducklings to an unnamed nationwide agricultural feedstore. The two businesses have been working with state and federal investigators looking into the outbreak, Ohio officials said. In addition to the eight cases in Ohio, the U.S. Centers for Disease Control and Prevention said 31 people have become ill with salmonella as a result of this outbreak in Georgia, Indiana, Kentucky, Michigan, Maryland, Minnesota, North Carolina, New York, Ohio, Pennsylvania, Tennessee, and Virginia. Source:

• IDG News Service reports Siemens has fixed bugs in its Simatic S7 industrial computer systems, used to control machines on factory floors, power stations, and chemical plants. See item 51 below in the Information Technology Sector.


Banking and Finance Sector

16. June 13, – (International) IMF suffers major sophisticated data breach. The International Monetary Fund (IMF) has become the latest well-known organization to suffer a major breach of its IT systems, in what some reports have suggested was a spear phishing attack orchestrated by a foreign government. The IMF, which oversees the global financial system and was instrumental in the economic bailout of countries such as Greece, Ireland, and Portugal, said it had suffered “an incident,” but maintained that its fund is “fully functional.” Reports suggested the IMF was forced to cut its network connection to the IT systems of the World Bank, located nearby, after finding that a compromised desktop had been used to access confidential files. Security experts warned that the security of the world’s critical infrastructures is at risk unless large organizations better prepare themselves for such sophisticated attacks. The IMF breach comes as hacking attacks on major businesses and governmental organizations are snowballing, with Chinese perpetrators often suspected. Source:

17. June 13, HedgeCo.Net – (International) Houston hedge fund manager convicted for fraud. A Houston, Texas-based hedge fund manager was convicted the weekend of June 11 and 12 by a federal jury for his role in a $100-million hedge fund fraud scheme with more than 800 victims across the United States and Canada. “The verdict found [the man] guilty of a $100 million fraud and stealing the life savings of elderly retirees and hundreds of others who have seen everything they worked years for disappear,” said a U.S. attorney. On September 7, 2010, a federal grand jury returned an 18-count indictment against the man and two other principals of hedge fund A&O Resource Management Ltd. and various related entities that acquired and marketed life settlements to investors. The man was convicted on all counts; he faces up to 20 years for each count. Source:

18. June 11, Chicago Tribune – (Illinois) 2 charged in 2010 bomb-threat bank heist try. Two 21-year-old Orland Park, Illinois men have been charged in a bomb threat and attempted bank robbery in 2010 in the southwest suburb, police announced June 11. The attempted robbery took place August 20, 2010 when someone made a bomb threat to the Chase Bank at 15100 LaGrange Road, police said in a news release. Officers were told a suitcase was placed next to the building and bank personnel had been told it contained instructions to follow. Officers cleared the bank and surrounding area because of the bomb threat, and called in the Cook County Bomb Squad. Police found a note in the suitcase that told the Chase Bank manager to put $4 million into the suitcase and deliver it to Union Station. If the money was not delivered, the note said, “several bombs surrounding the bank and in the suitcase would be triggered,” according to the police release. Source:

19. June 10, KPTV 12 Portland – (Oregon) Police: ‘Beastie Boys Bandit’ strikes again. A man known as the “Beastie Boys Bandit” has struck again in Portland, Oregon, police said June 10. Portland officers said the man tried to rob a Wells Fargo bank on Southwest Macadam Avenue June 9. Investigators said he did not get away with any cash. Police believe the man is the same person responsible for a string of robberies in March. Investigators said the thief wears a wig, fake mustache, and dark-colored suit similar to an outfit in the Beastie Boys’ “Sabotage” music video. Source:

20. June 10, Reuters – (Colorado) Elderly woman uses AIDS threat to rob Colorado bank: police. An elderly woman robbed a Colorado bank by passing a note saying she would infect a teller with AIDS if the clerk did not hand over money, police said June 10. A spokesman for the Longmont, Colorado police department said detectives are searching for a pale woman between the ages of 55 and 75 with a “boney build.” He said a woman, who was wearing a train conductor’s cap and a gray sweatshirt, walked into a Wells Fargo bank inside a Safeway grocery store June 9 and handed a note to a teller. “She indicated she had AIDS and would give it to a teller if she didn’t cooperate,” he said. The woman coughed frequently into a blue bandana during the robbery, and fled with an undisclosed amount of cash, he said. No weapon was displayed during the robbery, and no one was injured, police said. Source:

Information Technology Sector

47. June 13, IDG News Service – (International) PlayBook OS updated after Adobe Flash security issue. A new version of the BlackBerry Tablet OS will soon be available to all BlackBerry PlayBook tablet users, to address a security issue raised by Adobe about its Flash Player, Research In Motion said June 12. The new version of the operating system, version, will contain an updated version of the Flash Player, RIM said in a blog post. Adobe issued an update the week of June 6 for its Flash Player to deal with a cross-site scripting vulnerability. The problem could be exploited to perform actions on behalf of a BlackBerry PlayBook tablet user on any Web site or Web mail provider if the user visits a malicious Web site that loads Adobe Flash content, RIM said on a support page. The PlayBook’s operating system is built from the ground up to run Adobe Flash. Source:

48. June 13, Softpedia – (International) Epic Games forum hack prompts password resets. Epic Games has reset passwords across its entire forum after hackers got access to the underlying database. An announcement of the hack posted on the forum the week of June 6 includes a message from the Epic Games CEO that reads: “Our Epic Games web sites and forums were recently hacked. We’re working on getting them back up and running, and expect everything to be restored in a few days. The hackers likely obtained the email addresses and encrypted passwords of forum users. Plain text passwords weren’t revealed, but short or common passwords could be obtained by brute-force attack. Therefore, we are resetting all passwords. If you have an account on the Epic Games forums, you can request to receive your new password by email to the address we have on file for you.” It appeared the forum was reset to a previous state and everyone will have to repost anything posted since June 6. Accounts registered during this period also must be recreated. Unreal Developer Network was not compromised, and none of the sites store sensitive financial or customer data. Epic Games is best known for creating the Unreal game engine. Source:

49. June 11, Softpedia – (International) LulzSec leaks over 26k new emails and passwords. LulzSec leaked over 26,000 e-mail addresses and plain text passwords stolen from the database of an adult Web site. After dumping the data online, the group encouraged people to try the log-in credentials on Facebook and tell the victims’ family members how they signed up for the adult site. Word of the potential abuse quickly reached Facebook’s security team, which forced password resets for all accounts corresponding to those e-mail addresses. LulzSec noted there were a number of .gov and .mil e-mail addresses registered on the compromised site, as well as some 55 accounts belonging to admins of other adult portals. LulzSec also published the personal information (dox) of executive officers and other employees from vulnerability research company Endgame Systems and anti-DDoS solutions provider Prolexic Technologies. The dox included information about these individuals themselves, their spouses, children, and other family members, and their respective social media accounts. Source:

50. June 11, Softpedia – (International) CO.TV free domain provider abused in Google News BHSEO campaign. Security researchers from cloud security provider Zscaler have come across a Google News black hat SEO campaign that uses numerous co(dot)tv rogue domains. The targeted keywords are related to an actor’s departure from a popular television series. The news generated noticeable attention online the week of June 6, and was apparently popular enough for cyber crooks to try and exploit. Experts note search results poisoning has moved away from the traditional Web search and towards complementary services such as image search or news search. This switch has also been influenced by the fact Google has gotten better at preventing the rogue links from appearing at the top of its search results. However, Google has not paid the same attention to the other types of searches it offers. Black hat SEO attacks involve the creation of keyword-riddled pages on compromised domains and leveraging their Google rank to push the links at the top of the results for particular topics. Source:

51. June 10, IDG News Service – (International) Siemens fixes industrial flaws found by hacker. Siemens has fixed bugs in its Simatic S7 industrial computer systems, used to control machines on factory floors, power stations, and chemical plants. The patches, released June 10, mark Siemens’ first response to a high-profile computer security incident since the Stuxnet worm, which was discovered a year ago circulating on computer networks in Iran. Siemens fixed a pair of flaws in the S7-1200 controller, acknowledging that one could be leveraged to take control of the system using what’s known as a replay attack. A second flaw, in a Web server that ships with the device, could give attackers a way to crash the system. However, the attacker would have to first find a way onto the victim’s network before launching these attacks. Siemens had been scrambling to fix the bugs since they were discovered earlier this year by a researcher with security vendor NSS Labs. Source:

52. June 9, threatpost – (International) Hackers pinch obfuscation technique from DEFCON presentation. The week of June 6, a Kaspersky Lab researcher blogged about a new code obfuscation technique she discovered while analyzing a Polish e-commerce Web site that had been compromised. The technique was first demonstrated at the DEFCON 16 security conference in 2008. While analyzing some of the PHP scripts running on the site to try to discover how the attackers were inserting malicious links into the site’s Web pages, the researcher discovered a new technique the attackers used to hide their work: using a mix of non-printing characters, particularly spaces and tabs, to “write” the name of a malicious URL that was then inserted, as a link, into the e-commerce site’s HTML pages. “The function splits this whitespace mix into 8-digit pieces, and then it changes all TAB chars into ‘1’ and all spaces into ‘0’,” she wrote. That leaves the hacker with binary code, which is later transformed into decimal values and printed as the final URL using ASCII characters. Source:
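The decoding steps quoted in item 52, worked through as an added example that is not part of the original report and not the researcher’s or the attackers’ code: a small Python scanner an incident responder could run over a suspect PHP or HTML file to surface strings hidden in space/tab runs. The 8-character grouping and the tab = 1, space = 0 mapping come from the item; the regular expression, the function names, the printable-ASCII filter, the minimum length, and the sample file are assumptions of this example. It goes beyond the single URL in the story by scanning a whole file and discarding ordinary indentation, which decodes to non-printable bytes (eight spaces is a NUL) and so never looks like a payload.

```python
"""Find and decode whitespace-encoded strings (tab = 1, space = 0, 8 chars per byte).

Added example for triage of a compromised site; the encoding rules are from the
item above, everything else here is an assumption of this example.
"""
import re

# Any run of at least eight spaces/tabs is a candidate byte sequence.
WS_RUN = re.compile(r"[ \t]{8,}")


def decode_whitespace(run: str) -> str:
    """Apply the described mapping: tab -> '1', space -> '0', then read 8-bit groups as ASCII.

    Trailing characters that do not fill a whole byte are ignored.
    """
    bits = run.replace("\t", "1").replace(" ", "0")
    usable = len(bits) - len(bits) % 8
    return "".join(chr(int(bits[i:i + 8], 2)) for i in range(0, usable, 8))


def _is_printable_ascii(text: str) -> bool:
    """Indentation decodes to NUL bytes and other control characters; payloads do not."""
    return all(32 <= ord(c) < 127 for c in text)


def find_hidden_strings(source: str, min_length: int = 4) -> list[dict]:
    """Scan a file's text for whitespace runs that decode to printable ASCII.

    Returns one record per hit with the byte offset, the run length and the
    decoded text, so the analyst can jump to the exact spot in the script.
    """
    findings = []
    for match in WS_RUN.finditer(source):
        decoded = decode_whitespace(match.group(0))
        if len(decoded) >= min_length and _is_printable_ascii(decoded):
            findings.append(
                {"offset": match.start(), "length": len(match.group(0)), "decoded": decoded}
            )
    return findings


def _encode_whitespace(text: str) -> str:
    """Inverse of decode_whitespace; used only to build the constructed sample below."""
    return "".join(
        "\t" if bit == "1" else " " for ch in text for bit in format(ord(ch), "08b")
    )


# Constructed sample (assumption): a few lines of PHP with normal 4-space indentation
# and one string literal that is nothing but tabs and spaces. The "decode" call is a
# hypothetical helper name, standing in for whatever the real script used.
SAMPLE_PHP = (
    "<?php\n"
    "    $title = 'Shop';\n"
    "    $x = \"" + _encode_whitespace("http://example.invalid/inject") + "\";\n"
    "    echo '<a href=\"' . decode($x) . '\">' . $title . '</a>';\n"
)


if __name__ == "__main__":
    for hit in find_hidden_strings(SAMPLE_PHP):
        print(f"offset {hit['offset']}: {hit['length']} whitespace chars -> {hit['decoded']!r}")
```

Running the scanner over a real file is a matter of `find_hidden_strings(open(path).read())`; the offset lets you open the script at the right line, and the printable filter keeps normal indentation and alignment out of the report.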

For another story, see item 16 above in the Banking and Finance Sector

Communications Sector

See item 47 above in the Information Technology Sector