Department of Homeland Security Daily Open Source Infrastructure Report

Monday, June 8, 2009

Complete DHS Daily Report for June 8, 2009

Daily Report

Top Stories

 The Los Angeles Times reports that two principals of defunct Seattle investment management firm Quellos Group and a Los Angeles lawyer were indicted in a tax shelter scheme that allegedly created more than $1.3 billion in fraudulent losses for prominent clients. (See item 10)




 The Lehigh Valley Express Times reports that a US Airways employee at Philadelphia International Airport is accused of helping a friend smuggle an unloaded handgun onto a flight from Philadelphia to Phoenix on June 4. (See item 15)


15. June 5, Lehigh Valley Express Times – (Pennsylvania) FBI says US Airways employee helped friend bring gun on airplane. A US Airways employee is accused of helping a friend smuggle an unloaded handgun onto a flight from Philadelphia to Phoenix on Thursday. The FBI alleges the 38-year-old employee helped his roommate, a 29-year-old male, get the Smith and Wesson 9-millimeter semi-automatic handgun past security, according to a news release. Both men face federal charges. The suspect, a customer service representative for US Airways at Philadelphia International Airport, was working at a gate when a witness saw his roommate approach. The two men, who both were carrying black laptop bags, talked briefly then switched carry-on bags, the witness told the FBI. The witness thought one of the suspects appeared “fidgety” and nervous and contacted security staff, according to an affidavit. The roommate was already on the plane with the gun when a US Airways manager boarded the aircraft and asked if he had exchanged carry-on bags. The suspect denied doing so, and the aircraft began to taxi from the gate, but security staff then ordered the pilot to stop and came on board to retrieve the suspect and his carry-on luggage. Source: http://www.lehighvalleylive.com/breaking-news/index.ssf/2009/06/fbi_says_us_airways_employee_h.html


Details

Banking and Finance Sector

10. June 5, Los Angeles Times – (National) $1.3-billion tax-shelter scam alleged. Two principals of defunct Seattle investment management firm Quellos Group and a Los Angeles lawyer were indicted in a tax shelter scheme that allegedly created more than $1.3 billion in fraudulent losses for prominent clients. The operation was “one of the largest tax fraud schemes ever uncovered in this country,” the U.S. attorney in Seattle said on June 4. The indictment names as defendants a Los Angeles lawyer, Quellos founder and Chief Executive, and the Quellos principal, who is also a lawyer. It charges the two former Quellos principals with conspiracy to defraud the Internal Revenue Service, tax evasion and money laundering, among other charges. The founder of Quellos, who was charged with money laundering, is accused of secretly receiving a $36-million kickback for enticing one of his long-standing Los Angeles clients to funnel the bulk of more than $1 billion in proceeds from the sale of Fox Family Worldwide Inc. into money-losing investment vehicles, which the client had been repeatedly assured were legal as a tax shelter. The other two defendants are accused of setting up a complex series of sham transactions through a shell company on the Isle of Man to blend wealthy investors’ earnings with an equal number of stock losses to avoid owing capital gains taxes. But, the indictment alleges, the losing stocks did not exist, the company that supposedly acquired the stocks had neither employees nor earnings and the blended investment vehicles were a fraud. The two men “misled some of this country’s wealthiest citizens to commit tax fraud,” the U.S. attorney said. Source: http://www.latimes.com/business/la-fi-quellos5-2009jun05,0,3888434.story


11. June 5, CNN – (National) Countrywide’s Mozilo accused of fraud. The Securities and Exchange Commission on June 4 said it had filed securities fraud charges against the former Countrywide chief executive and two other former executives. The trio are being charged with deliberately misleading investors about the significant credit risk Countrywide took to build and maintain its market share. The former chief executive was also charged with insider trading for selling his Countrywide stock for nearly $14million in profits while knowing that Countrywide’s business model was deteriorating. The SEC alleges that the former chief executive, along with the former COO and President and the former CFO, misled the market by falsely assuring investors that Countrywide was primarily a prime-quality mortgage lender. “This is the tale of two companies,” said the director of the SEC’s Division of Enforcement. “Countrywide portrayed itself as underwriting mainly prime quality mortgages using high underwriting standards. But concealed from shareholders was the true Countrywide, an increasingly reckless lender assuming greater and greater risk.” From 2005 to 2007, Countrywide engaged in an unprecedented expansion of its underwriting guidelines and was writing riskier and riskier loans, according to the SEC. The senior executives knew that defaults and delinquencies would rise. “The former chief executive privately described one Countrywide product as ‘toxic,’ and said another’s performance was so uncertain that Countrywide was ‘flying blind,’” the director said. Source: http://money.cnn.com/2009/06/04/news/economy/mozilo_fraud_charges/index.htm?poversion=2009060416


12. June 4, Reuters – (New York) Nine accused of $92 million U.S. mortgage fraud scheme. Nine people have been indicted on charges of conspiring to defraud Washington Mutual Bank and DLJ Mortgage Capital Inc, a unit of Credit Suisse Group AG, in a $92 million mortgage fraud scheme, prosecutors said on June 4. The nine defendants are accused of orchestrating fraudulent loans that were subsequently sold to the financial firms. Federal prosecutors and the FBI said the scheme was centered around property developments that one of the defendants bought and subdivided from 2001 to 2003 in the New York City boroughs of Brooklyn and Queens. To finance the projects, the defendants are accused of staging sales of the properties financed by mortgage loans. Bogus appraisals supported the price of the properties, even where buildings had not yet been constructed or had fictional addresses, said the U.S. Attorney’s Office in Brooklyn, which is prosecuting the case. The loans were financed by lenders controlled by one of the defendants and later sold to Washington Mutual and DLJ, prosecutors said. Entities controlled by one of the defendants made monthly payments on the mortgages, ensuring that none became delinquent, until the payments ceased in 2007 with about $92 million in principal outstanding on the fraudulent loans, prosecutors said. All nine defendants were charged with conspiracy to commit bank and wire fraud, which for each person carries a prison term of up to 30 years if convicted. Source: http://www.reuters.com/article/domesticNews/idUSTRE5534OL20090604


13. June 4, Brockton Enterprise – (Maine) Whitman bank evacuated after odor sickens employees. A noxious odor that sickened employees at the Sovereign Bank on Washington Street forced the evacuation of the building and prompted the response of a state hazardous materials team. The Whitman fire chief said the incident was reported at 3:55 p.m. on June 2 after bank employees were exposed to an “unknown noxious odor that immediately made them feel ill, dizzy and sick to their stomach.” Firefighters evacuated the building and sealed off the area with yellow tape as a state hazardous materials response team went inside the building to check for potentially hazardous fumes. The fire chief said oxygen levels appeared to be normal and there were no immediate signs of contamination. Four bank employees were treated at the scene and released, the fire chief said. Source: http://www.enterprisenews.com/news/x1513473152/Whitman-bank-evacuated-after-odor-sickens-employees


14. June 4, CNET News – (International) ATM malware lets criminals steal data and cash. Malware has been found on ATMs in Eastern Europe and elsewhere that allows criminals to steal account data and PINs and even empty the machine of its cash, a computer forensics expert said. About 20 ATMs have been compromised in that manner, mostly in Russia and the Ukraine, but there are “early indications” of compromised ATMs in the U.S., said the vice president and head of SpiderLabs at Trustwave, which provides data security and payment card compliance services. Someone had to manually install the malware on the machines, so it is likely that an insider is responsible; either an employee at the bank, the ATM vendor, a company that services the machines or someone close to an insider, the vice president said in a telephone interview on June 3. The machines, all running Windows XP, had an executable on them that was masquerading as a legitimate Windows protected storage service, he said. The malware looks at all the data being processed by the ATM and records account information that is stored on the magnetic stripes on cards inserted into the machine and encrypted PIN blocks that are generated when someone types in their personal identification number, he said. Although the PINs are encrypted, criminals could potentially intercept the encryption keys exchanged with the bank and use them to decrypt the PINs, he added. Once the malware has been hidden on the ATM for a period of time, the criminal can return to the machine and use a special “trigger” card to control the ATM and print out the stolen data directly from the machine or instruct the ATM to dispense all the cash it has, according to the vice president. Source: http://news.cnet.com/8301-1009_3-10257277-83.html


Information Technology


32. June 5, MX Logic – (International) Microsoft, Adobe security updates coming on ‘patch Tuesday.’ Adobe will release its first batch of quarterly security patches on June 9, the same day that the monthly security update comes out from Microsoft. Adobe said it expects to deliver critical security updates for Adobe Reader and Acrobat versions 7.x, 8.x and 9.x for Windows and Macintosh, with Unix updates coming “when available.” The company said it would begin issuing quarterly patches to coincide with Microsoft’s “patch Tuesday” after it came under intense criticism for its perceived lack of responsiveness to flaws in Reader and Acrobat. Flaws in the software allowed hackers to remotely execute code as happened in February via a JBIG2 image file that unleashed a Trojan horse. Meanwhile, Microsoft will issue 10 security patches on June 9 for flaws in Windows, Excel and Internet Explorer, six of which are rated as critical. Source: http://www.mxlogic.com/securitynews/viruses-worms/microsoft-adobe-security-updates-coming-on-patch-tuesday340.cfm


33. June 5, Switched – (International) Phishing attack hits Microsoft Outlook users. In the past, Switched has warned about phishing e-mails requesting personal information. Lately, it seems many of those phishing scams have moved to social networking or microblogging sites. Recently however, a phishing e-mail popped up in the inbox of Microsoft Outlook users. According to TrendLabs Malware blog, the message asks users to re-configure their e-mail account by clicking a link that leads to a phishing Web site. By having users click this link, phishers can obtain not only a user’s name and password, but also mail server information -- the most critical part of the scam. This gives phishers complete access to a user’s e-mail account, which facilitates the theft of important personal information (credit card numbers, social security number, bank account numbers, etc.). The easiest way to avoid e-mail phishing scams is to avoid clicking suspicious or unfamiliar links. Users should also exercise extreme caution when sending personal information via e-mail. This particular scam is more dangerous than most because so many folks use Microsoft Outlook. Source: http://www.switched.com/2009/06/05/phishing-hits-microsoft-outlook-users/


34. June 4, Homeland Security Newswire – (National) Internet’s root zone to be secured. The U.S. government said on June 3 it plans to sign the Internet’s root zone digitally by the end of the year, a move that would end years of inaction securing the Internet’s most important asset. The U.S. Department of Commerce’s National Telecommunications and Information Administration (NTIA) said it was turning to ICANN, or the Internet Corporation for Assigned Names and Numbers, and VeriSign to implement the measure, which is known as DNSSEC. In October 2008, the two organizations submitted separate proposals that offered sharply contrasting visions for putting the complicated framework in place. “The parties are working on an interim approach to deployment, by year’s end, of a security technology — Domain Name System Security Extensions (DNSSEC) — at the authoritative root zone (i.e., the address book) of the Internet,” a statement issued by the NTIA read. Source: http://homelandsecuritynewswire.com/single.php?id=8089


35. June 4, DarkReading – (International) Hacking tool lets a VM break out and attack its host. Researchers for some time have demonstrated the possibility of one of virtualization’s worst nightmares, a guest virtual machine (VM) infiltrating and hacking its host system. Now another commercial tool is offering an exploit that does exactly that. The newest version of Immunity’s Canvas commercial penetration testing tool, v6.47, includes the so-called Cloudburst attack module, which was developed by an Immunity researcher to exploit a VMware vulnerability (CVE-2009-1244) in VMware Workstation that lets a user or attacker in a “guest” VM break into the actual host operating environment. VMware issued a patch for the bug in April. “Companies and administrators tend to trust that breaking out of a VM is not possible,” says the director of the enterprise security practice at The 451 Group. “A lot of people consider this to be just another proof-of-concept. They do not understand that is a commercially available exploit.” Even though VMware has issued a patch, many enterprises may not necessarily have implemented it, the director says. “We know that people do not patch,” he adds. Immunity’s VM “breakout” exploit follows that of Core Security Technologies’ VMware Shared Folders exploit in its Impact penetration testing tool announced last year. The module “weaponized” a vulnerability discovered by Core that lets an attacker create or alter executable files on the Windows host OS. For the attack to work, VMware’s Shared Folders feature must be enabled and at least one folder on the underlying host system must be configured to share files with the VM. Source: http://www.darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=217701908

Communications Sector

36. June 4, Financial Post – (North Carolina) Apple to invest US$1-billion in North Carolina data farm. Apple Inc plans to invest up to US$1 billion over the next nine years to build a data center in North Carolina. The data center would represent Apple’s first on the East Coast of the U.S., said an Apple spokeswoman. The spokeswoman said Apple is not commenting on how the data center will be used, or on any other details about the facility, including its size. Apple currently has a 107,000 square-foot data center in Newark, California, according to its most recent 10-K regulatory filing. According to an announcement by the North Carolina governor on June 4, the facility is expected to employ at least 50 full-time employees. Source: http://www.financialpost.com/news-sectors/story.html?id=1662097


37. June 4, Cody Enterprise – (Montana) YNP phone, electric service restored. Phone, Internet and electric service to Yellowstone Park and nearby areas were disrupted on June 3 by three apparently weather-related power outages. The first outage on June 2 cut electric service to a communications relay tower near Gardiner, Montana. Qwest Communications provides phone and Internet connectivity to the park and the nearby communities of Gardiner and Cooke City, Montana. Cell service in and near the park is dependent upon the same microwave communications relay, a Yellowstone spokesman said. The area lost phone and Internet service when back-up batteries powering the microwave relay site died. A storm also washed out the access road to the tower. Qwest technicians carried additional batteries into the site, and were able to restore phone service on June 3. Source: http://www.codyenterprise.com/articles/2009/06/04/news/doc4a26f124c0535005317166.txt


38. June 4, DarkReading – (International) Hackers arrested in China after feud causes major outage. Four individuals have been arrested in China after an alleged denial-of-service “war” between underground gaming services spun out of control, according to news reports. According to a report by Xinhua News Agency, China’s ministry of public security said on June 2 that the suspects were detained on May 29 following police investigations in the Jiangsu, Zhejiang, and Guangdong provinces. The suspects were not named, although the surnames of two were released. The ministry told the news agency that on May 19, the suspects allegedly launched a distributed denial-of-service (DDoS) attack against the servers of DNSPod, a Chinese DNS provider and domain registrar. According to the report, the DDoS attacks were motivated by fierce competition between unauthorized online gaming service providers, which lure gamers from official providers with less limited and free access. In order to sabotage “competitors,” the suspects began an attack against DNSPod, which provides access to some of those unauthorized gaming sites. Unfortunately, the attack triggered a chain reaction because DNSPod’s servers were also used by Baofeng, a highly popular Chinese video-streaming service. “Once millions of Baofeng users submitted their video application, their unanswered DNS requests were passed on to higher-level servers that did not know how to process them,” the news report says. “The requests piled up, and the resulting traffic jam slowed or halted Internet access.” Internet users in more than 20 provinces were affected on May 19, the ministry said. It was described as the “worst Internet incident in China” since an earthquake damaged undersea cables near Taiwan on December 26, 2006. Source: http://www.darkreading.com/securityservices/security/attacks/showArticle.jhtml?articleID=217701926

Weekly Summary of the "DHS Daily Open Source Infrastructure Report"

The DHS Daily Open Source Infrastructure Report covers the publicly reported material for the preceding day(s) not previously covered. This weekly summary provides a selection of those items of greatest significance to the InfoSec professional.

Week Ending: Friday, June 5, 2009

Daily Open Source Infrastructure Report for 1 June 2009

Perhaps You Should Consider Blocking Some Search Terms!

25. May 28, SC Magazine – (International) McAfee documents riskiest search terms. A McAfee study into 2,600 of the most popular keyword searches on the web has concluded that hunts for “screensavers” present the most risk. The report released the week of May 25 shows that users who search for “screensavers” have a 59.1 percent chance that they will be infected by malware on a given page of results. By category, the most dangerous searches involved keywords containing the word “lyrics” (26.3 percent risk) and “free” (21.3 percent). The safest category searches, meanwhile, related to “health” (four percent) and the “economic crisis” (3.5 percent). The report also warned of the risk generated by searching for information on “work from home.” Variations of this search term — considered more popular than ever, given the state of the economy — ranged from a 6.3 percent-risk to a 40 percent-risk of infection. Source: http://www.scmagazineus.com/McAfee-documents-riskiest-search-terms/article/137632/

Daily Open Source Infrastructure Report for 2 June 2009

Are You Prepared for the Latest Corporate Spamming Techniques?

26. June 1, Computerworld – (International) Spammers find new ways to flood corporate networks. Unsolicited e-mail accounted for 90.4 percent of all messages received on corporate networks during April, an increase of 5.1 percent from a month earlier, according to a report released May 26 by Symantec Corp.’s MessageLabs Intelligence unit. The monthly MessageLabs report on threat trends also found that nearly 58 percent of all spam can be traced to botnets. A researcher at Cloudmark Inc., a provider of antispam tools, noted that in addition to using botnets, spammers in recent months have been experimenting with a new way to sneak unwanted email past corporate filters. Often, he said, a spammer will rent legitimate network services, often in an Eastern European country, and then blast a large amount of spam at the network of a specific ISP. The idea is to push as many messages as possible onto the network before any kind of filtering software detects the incident. The researcher estimates that hundreds of thousands of such messages are sent each day without detection. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=339801&taxonomyId=17&intsrc=kc_top

Daily Open Source Infrastructure Report for 3 June 2009

Is there a “Gumblar” in your future?

32. June 2, CNET News – (International) Thought the Conficker virus was bad? Gumblar is even worse. ScanSafe, a computer security firm, has been tracking the progress of the worm since its arrival on the scene in March, according to CNET. Originally, the attack spread through infectious code that was planted in hacked Web sites and then downloaded malware from the gumblar.cn domain on to victims’ computers. But that was just the opening salvo. As Web site operators cleaned their pages of the code, Gumblar replaced the original material with dynamically generated Javascript (Web site code that is created on the spot instead of being completely determined beforehand — a key element of Web apps like Gmail) that is much harder for security software to detect and remove. The evolved version also went about adding new domains to the list of sources for downloading its malware payload, including liteautotop.cn and autobestwestern.cn, and began exploiting security holes in Flash and Adobe Reader. The worm also searches out credentials for FTP servers (a method for uploading files to a Web site) on a victim’s computer, using them to infect additional Web sites. It is not clear how many sites Gumblar has infected, but security firms seem to agree that it accounts for about 40 percent of all new malware infections right now. According to ScanSafe in just the first two weeks of May over 3,000 Web sites were compromised and spreading the worm. Most sites have been quick to clean up the infections as best they can, but, even if all the infected pages were removed, Gumblar would still have an army of infected PCs to inflict further damage. Source: http://www.switched.com/2009/06/02/though-the-conficker-virus-was-bad-meet-gumblar/

Daily Open Source Infrastructure Report for 4 June 2009

Has one of the sites for which you are responsible been compromised?

35. June 2, IDG News Service – (International) Thousands of Web sites stung by mass hacking attack. As many as 40,000 Web sites have been hacked to redirect unwitting victims to another Web site that tries to infect PCs with malicious software, according to security vendor Websense. The affected sites have been hacked to host JavaScript code that directs people to a fake Google Analytics Web site, which provides data for Web site owners on a site’s usage, then to another bad site, said the threat research manager for Websense. Those Web sites have likely been hacked via a SQL injection attack, in which improperly configured Web applications accept malicious data and get hacked, the researcher said. Another possibility is that the FTP credentials for the sites have somehow been obtained by hackers, giving them access to the inner workings of the site. It appears the hackers are using automated tools to seek out vulnerable Web sites, the researcher said. The latest campaign underscores the success hackers have at hosting dangerous code on poorly secured Web sites. Once a user has been directed to the bogus Google analytics site, it redirects again to another malicious domain. That site tests to see if the PC has software vulnerabilities in either Microsoft Corp.’s Internet Explorer browser or Firefox that can be exploited in order to deliver malware, the researcher said. If it does not find a problem there, it will launch a fake warning saying the computer is infected with malware and then try to get the user to willingly download a program that purports to be security software but is actually a Trojan downloader, he said. The fake security programs are often called “scareware” and do not work as advertised. As of May 29, only four of 39 security software programs could detect that Trojan, although that is now likely changed as vendors such as Websense swap malware samples with other companies in order to improve overall Internet security. 
Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9133820&taxonomyId=17&intsrc=kc_top See also: http://news.cnet.com/8301-1009_3-10255226-83.html

Daily Open Source Infrastructure Report for 5 June 2009

Will U.S. Government investment in Cyber Security help solve problems?

37. June 3, Congress Daily – (National) Obama Administration begins work on cybersecurity R&D. Maximizing government investment in federal cybersecurity research and development is a major component of the U.S. President’s plan to bolster defenses against high-tech attacks. If the White House’s new cyber strategy and key agencies’ fiscal 2010 budget requests are any indication, they are off to a solid start. In the near term, the White House’s unnamed cyber czar will be charged with developing a framework for R&D strategies that focus on “game-changing technologies” and provide the research community access to event data to help develop tools and testing theories, according to the May 29 report, which stemmed from a 60-day review. That czar will eventually develop threat scenarios and metrics for risk management decisions, recovery planning and R&D prioritization. “Research on new approaches to achieving security and resiliency in information and communications infrastructures is insufficient,” the report stated. “The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements.” The President proposed a $37.2 million cyber R&D budget for DHS in fiscal 2010 to support operations in its national cybersecurity division as well as projects within the CNCI. DHS is using much of its fiscal 2009 allotment to deploy Einstein, a system to analyze civilian agencies’ systems for cyber threats and intrusions. Source: http://www.nextgov.com/nextgov/ng_20090603_2540.php

Perhaps something like this?

11. June 2, SC Magazine – (National) Bank of America certificate scam propagating Waledac, Virut. A new spam campaign disguised as a Bank of America email telling users they need to update their digital certificate is attempting to lure users into installing the Waledac worm. The messages, which first started being detected recently, seemingly come from Bank of America, and tell users, “The digital certificate for your Bank of America direct online account has expired. You need to update the certificate using Bank of America direct digital certificate updating procedure.” Recipients are then instructed to click on a link and follow the given instructions, the lead threat analyst at web and email security firm Marshal8e6 told SCMagazineUS.com in an email on June 1. The spam originates from the Pushdo botnet, which has been active in similar malicious phishing attacks, the analyst said. After following the link, the user is encouraged to fill in a web form, and to download a new “digital certificate” to continue, the analyst said. The “certificate” however, is an executable file which seeks to download malware to the victim’s PC. The SANS Internet Storm center said in a post on June 1 that a quick analysis of this malware showed “probable signs” of Waledac, the notorious worm capable of harvesting and forwarding password information and receiving commands from a remote server. A threat researcher for Panda Security confirmed to SCMagazineUS.com on June 2 that the threat is being detected as Waledac. Source: http://www.scmagazineus.com/Bank-of-America-certificate-scam-propagating-Waledac-Virut/article/137848/

Note: The DHS only maintains the last ten days of their reports online. To obtain copies of earlier reports or complete summaries, go to:

http://dhs-daily-report.blogspot.com/