Department of Homeland Security Daily Open Source Infrastructure Report

Monday, June 15, 2009

Complete DHS Daily Report for June 15, 2009

Daily Report

Top Stories

· The Associated Press reports that Cargill Inc.’s Wilbur Chocolate plant in Lancaster County, Pennsylvania is shut down while federal officials look into a possible case of product tampering. (See item 24)

24. June 12, Associated Press – (Pennsylvania) Feds investigate ‘foreign material’ at chocolate plant. Production at a Lancaster County, Pennsylvania chocolate plant is shut down while federal officials look into a possible case of product tampering. A representative for Cargill Inc. says three pieces of “foreign material” were discovered at the Wilbur Chocolate plant in Lititz, and the FBI and the Food and Drug Administration are investigating. The plant may not reopen for several weeks. Only one-third of the employees will report to work and they will be cleaning the plant. The representative would not say what kind of foreign material was found. The workers’ union has been trying to reach a contract agreement for more than two years. A representative says only that the two sides are negotiating in good faith. Source:

· According to Sky News, Italian police have thwarted a suspected plot to attack next month’s G8 summit in Italy which world leaders including the U.S. President and the U.K. prime minister are due to attend. Six people were arrested and accused of criminal association for the purposes of terrorism and arms possession. (See item 32)

32. June 11, Sky News – (International) G8 attack plot: suspects arrested in raids. Italian police have thwarted a suspected plot to attack the G8 summit which world leaders including the U.S. President and the U.K. prime minister are due to attend. Six people were arrested and accused of criminal association for the purposes of terrorism and arms possession, an anti-terrorist police chief said. Officers reportedly seized weapons including a bomb during the raids in Rome, Milan, and Genoa. The suspects had maps of the summit’s closed-circuit surveillance system and “were trying to figure out how to bypass the security systems,” the police chief said. The investigation into the alleged plot started two years ago. According to, the group had plotted to attack the original venue of next month’s G8 summit, a former U.S. Navy base on the Sardinian island of La Maddalena, police said. The venue was recently moved to the Abruzzo capital L’Aquila to help it recover from a devastating earthquake in April. The suspected plotters shifted their attention to target the new venue, according to Italian newspapers Corriere della Sera and La Stampa. They were trying to “reconstitute a formation similar to the Red Brigades,” a terrorist group who carried out attacks in Italy in the 1970s and 1980s, the police chief said. Source:


Banking and Finance Sector

12. June 12, Courthouse News Service – (International) SEC alleges cold-blooded bank scam. Four people and their three companies defrauded investors of millions of dollars in a prime-bank scam, claiming their investment plan had to be kept secret because if people knew about it, it would encourage “the flight of capital from the United States,” the SEC claims in Federal Court. The SEC sued the four defendants, Morgan European Holdings ApS aka Money Talks, ApS, and Bowman Marketing Group. According to the SEC complaint, the defendants raised $14 million or more by promising monthly returns of 14 to 70 percent. The defendants sent $4.5 million to Denmark, and then sent it back to themselves in the United States. The SEC says the defendants’ pitches “describe the operation of a classic prime bank scheme.” They used apparently sophisticated, conspiratorial language to gull 150 or more victims. For example, some of these materials describe how the ‘top fifty financial institutions’ or the U.S. Federal Reserve trade with each other to ‘artificially inflate the money supply’ for international commerce. According to the offering materials distributed by one of the defendants, participants were to provide money to supply ‘the margin’ for a trader to pass a ‘debenture or treasury’ to the end user, generating returns through the leveraging of financial instruments. “The materials distributed by one of the defendants stated that these programs were secret but real, even though the ‘official position’ of the U.S. government was that such trading programs did not exist so as ‘to increase the participation in traditional investments and reduce the flight of capital from the United States.’” After the fraud was discovered, the defendants “urged investors not to cooperate with the Commission or other authorities.” Source:

13. June 12, Bloomberg – (International) Italian police ask SEC to authenticate seized U.S. Treasuries. Italy’s financial police said they asked the U.S. Securities and Exchange Commission to authenticate U.S. government bonds found in the false bottom of a suitcase carried by two Japanese travelers attempting to cross into Switzerland. The bonds, with a face value of more than $134 billion, are probably forgeries, a colonel of the Guardia di Finanza in Como, Italy, said on June 12. If the notes are genuine, the pair would be the U.S. government’s fourth-biggest creditor, ahead of the U.K. with $128 billion of U.S. debt and just behind Russia, which is owed $138 billion. The seized notes include 249 securities with a face value of $500 million each and 10 additional bonds with a value of more than $1 billion, the police force said on its Web site. Such high denominations would not have existed in 1934, the purported issue date of the notes, the colonel said. Moreover, the “Kennedy” classification of the bonds does not appear to exist, he said. The bonds were seized in Chiasso, Italy. The colonel said he expects a determination from the SEC “within a few days.” Source:

14. June 11, St. Louis Business Journal – (Missouri) Father-and-son developers indicted in multimillion fraud scheme. A father and son have been indicted on multiple charges involving a broad-ranging bank fraud and money laundering scheme that covered nearly three years, affected five local banks, and involved commercial loans of nearly $5 million. The defendants, of Creve Coeur, have been indicted by a federal grand jury on five felony counts of bank fraud, three felony counts of money laundering and a forfeiture count involving personal and real property financed by the alleged scheme, the U.S. attorney’s office for Eastern Missouri said. The defendants were in the real estate development business under the name Real Estate Management Services LLC and sought to develop five residences in Ladue and other high-end suburbs. In order to obtain financing for these developments, the defendants are alleged to have submitted phony income tax returns, sales contracts and financial statements, according to the indictment. The government seeks two of the residential properties that remain in the name of the defendants’ business, a vehicle and a diamond ring purchased with proceeds from the fraud. Source:

15. June 11, Reuters – (New Jersey) NJ mortgage exec pleads guilty in $140 million fraud. The former president of U.S. Mortgage Corp, a New Jersey mortgage lender and broker that filed for bankruptcy in February, has pleaded guilty to two criminal conspiracy charges in a $139.6 million scheme to defraud credit unions and others, prosecutors said. The defendant pleaded guilty in federal court in Newark, New Jersey, to one count of mail and wire fraud conspiracy and one count of money laundering conspiracy, according to the acting U.S. Attorney for the District of New Jersey. The defendant is expected to be sentenced under a plea deal to between 12-1/2 and 20 years, and to pay restitution to victims. A U.S. District Judge scheduled an October 1 sentencing hearing. She allowed the defendant’s release on a $1 million bond to home confinement. The defendant admitted to conspiring with others from January 2004 to January 2009 to fraudulently sell credit union loans, and use proceeds to finance U.S. Mortgage’s operations and investments for himself and the Pine Brook, New Jersey-based company, prosecutors said. He also admitted to diverting funds that should have been paid to credit unions for mortgage loans that were to be sold to Fannie Mae, to help offset bad investments that he had made in mortgage-backed securities, prosecutors said.


16. June 11, Reuters – (International) S.Africa fraud worth up to $1.2 billion uncovered. Hundreds of investors have been fleeced of up to 10 billion rand ($1.2 billion) in what could be South Africa’s biggest corporate fraud, a private investigator and lawyer representing investors said. A South African businessman living in Australia was said to have lured investors with the promise of 200 percent annual returns linked to pharmaceutical imports, and forged AIDS drug orders to reassure its funders when money started to dry up. The scheme is still unraveling, but lawyers and investigators believe hundreds of investors, including top businessmen from South Africa, the United States, Germany and Australia, were involved. The case looks set to rank as South Africa’s biggest corporate fraud and has shocked the country’s business community, known for its conservative approach to risk and investment. Source:

17. June 11, MSNBC – (National) Most banks still getting weaker, analysis shows. Bad loans on real estate continue to push harder on the nation’s banks. At the end of the first quarter, six out of every 10 banks in the U.S. were less well prepared to withstand their potential loan losses than they had been at the end of 2008, according to a new analysis by and the Investigative Reporting Workshop at American University in Washington. Overall, bad loans rose another 22 percent in the quarter as the recession continued. is publishing information on the nation’s 400 largest banks as well as all banks with high ratios of troubled loans to assets. Information on the financial health of more than 8,000 banks nationwide is available at the updated BankTracker site published by the American University group. The analysis relies on information reported through March 31 to the Federal Deposit Insurance Corp., calculating each bank’s troubled asset ratio, which compares troubled loans against the bank’s capital and loan loss reserves. A similar ratio, known as a Texas Ratio, is commonly used by bank analysts as a snapshot of a bank’s financial health, though it cannot capture all the nuances of a bank’s condition. Although much attention has been focused on surprising profits at U.S. banks in the first quarter of 2009, under the surface lurks an industry still suffering from the recession. If an individual sets aside the 10 largest banks, the rest of the industry lost money in the quarter, primarily because of very large losses at a few banks. While the 10 largest banks reported $10.2 billion in earnings for the quarter, the remaining 8,245 banks together lost $2.6 billion, according to the analysis. One in five banks lost money in the quarter, and several lost big, weighing down the rest. Four large banks account for more than $5 billion in losses. Huntington National Bank of Columbus, Ohio, lost $2.46 billion. FIA Card Services of Wilmington, Del., lost $1.47 billion. SunTrust Bank of Atlanta lost $783 million. Sovereign Bank of Wyomissing, Pa., lost $764 million. Source:

18. June 10, Washington Post – (National) Spear-phishing gang resurfaces, nets big catch. A prolific phishing gang known for using sophisticated and targeted e-mail attacks to siphon cash from small to mid-sized business bank accounts appears to be back in operation after more than a 5-month hiatus, security experts warn. From February 2007 to January 2009, analysts at Sterling, Virginia-based security intelligence firm iDefense tracked 38 separate phishing campaigns from an Eastern European gang they simply call “Group A.” iDefense believes this group was one of two responsible for a series of successful phishing attacks that spoofed the U.S. Better Business Bureau (BBB), the U.S. Department of Justice, the IRS, as well as Suntrust and payroll giant ADP. Last summer, authorities in Europe and Romania are thought to have arrested most members of a rival BBB phishing gang that iDefense called Group B. While the type of tricks that Group A employs once victims are hooked have grown more sophisticated, the initial lure used to snare people has not changed: In each attack, the scammers send out “spear phishing” e-mail messages (so called because they use the victim’s name in the message) and urge the recipient to click on an attachment. The attached file is, naturally, a Trojan horse that steals stored user names and passwords, and looks for victims logging in at commercial banks. If the victim logs in to a bank that requires so-called two-factor authentication — such as the input of a one-time pass phrase or random number from a supplied hardware token — the Trojan re-writes the bank’s Web page on the fly, inserting a form that requests the information. The attackers typically begin initiating wire transfers out of the victim accounts shortly after the credentials are stolen, said an iDefense analyst. Source:

Information Technology

37. June 12, The Register – (International) Chrome update completes busy browser patch week. Google has pushed out an update designed to fix a pair of vulnerabilities involving the WebKit application framework that underpins its Chrome browser. The more severe of the two flaws involved a “high risk” memory corruption flaw in WebKit, which creates a potential means for hackers to inject hostile code into the sandbox used by the browser. The second flaw involves a less severe information disclosure risk, involving the Drag and Drop functionality built into WebKit. The update completes a busy week on the browser security front with a significant cumulative update for Internet Explorer on June 9 and a Firefox update on June 11. In addition, Apple released a beta version of its Safari 4 browser. Outside the browser security arena, Adobe released the first of its scheduled patch updates on June 9, and FreeBSD dropped an update designed to defend against a stack-based buffer-overflow that poses a potential code injection risk. It is becoming more difficult for hard-pressed system administrators to keep track of updates, especially when many arrive without any indication a fix is in development. Some security patching experts, such as the director of security operations at nCircle, advocate the creation of a general industry patching day to make the patching process easier to plan and manage. Source:

38. June 11, – (International) Symantec warns of wireless keyboard security threat. Security firm Symantec has uncovered a new form of attack aimed at users of wireless keyboards. The warning follows the release of Keykeriki, an open-source “sniffer” project that allows users to remotely decode wireless transmissions. Symantec said that this effectively creates a new type of key-logger that could be used by cybercriminals to steal sensitive data such as user names, passwords and bank details. The project was created by a site called “This open-source hardware and software project enables every person to verify the security level of their own keyboard transmissions, and/or demonstrate the sniffing attacks (for educational purpose only),” the site notes. Symantec warned that, although the creator’s intentions appear honorable, making the software code and hardware schematics open to everyone means that criminals could use the software to eavesdrop on wireless keyboard inputs. The criminals would not have to install anything on the host system, but would simply have to be in range of the keyboard’s wireless signal. Symantec said that future wireless keyboards should introduce encrypted communication between the device and the receiver, and warned those working on office or public computers to resort to wired keyboards for the time being. Source:

39. June 11, InformationWeek – (International) Microsoft to launch Morro antivirus ‘soon.’ Microsoft on June 11 confirmed plans to kill off its Windows Live OneCare subscription security service in favor of a free offering that will feature a core of essential anti-malware tools while excluding peripheral services, such as PC tune-up programs, found in OneCare. A spokesman for the company told news agency Reuters that Microsoft will launch the free product, code-named Morro, “soon” but did not provide further details. Microsoft has said previously that Morro will be suitable for use on low-cost, low-powered netbooks that are growing in popularity in emerging markets and in some segments of the North American computer market. Microsoft also is planning to launch versions of Windows 7 that are netbook-compatible. The definition of malware covers a range of computer threats, including viruses, spyware, rootkits, and Trojans. Hackers, many of them connected to organized crime, often use such tools to extract sensitive data like bank account numbers and passwords from users’ PCs. Microsoft announced in November that it will launch Morro this month, at which time it will discontinue the $49.95-per-year OneCare service. As of June 11, Microsoft was still selling OneCare subscriptions. Morro will be compatible with Windows XP, Windows Vista, and the forthcoming Windows 7 operating systems, the company has said. While users and analysts may welcome Microsoft’s offer of free antivirus software, competitors such as Symantec and McAfee and government competition watchdogs may not. Microsoft could draw antitrust complaints if it integrates Morro so tightly into Windows that it makes security software from third parties difficult to install or use. Source:

40. June 11, New York Times – (International) More scamming and spamming on Twitter. Twitter is seeing a surge in activity from the scamming and spamming classes. A spate of phishing attacks have been followed by myriad other efforts to soak Twitter’s enthusiastic and rapidly growing user base. Recently, attackers have tapped into popular topics and latched onto popular people to get in front of big Twitter audiences. Their goal: to persuade people to click and visit their Web sites and then hand over personal information, be sold a bill of goods or become infected with a malicious program. The first strategy capitalizes on Twitter users’ penchant for searching for random commentary on news subjects. Lately, attackers have been using hundreds of dummy accounts to tweet messages about popular subjects. Links in the messages pointed to malicious video sites pretending to show porn. Visitors who clicked to download a program supposedly needed to watch videos actually installed a fake security application called Privacy Center, which tried to hit them up for money for a full version of the bogus product. Pop culture buzz and shocking breaking news are not the only lures, though. Users should beware any topic that hits Twitter’s list of “Trending Topics.” The hashtag #smx, used to call out news about a search-marketing conference, reached the list recently and was summarily added to blasts of spam tweets. In a blog post, an irritated conference host said: “We knew this would happen, but it is annoying and becoming a growing problem. Question is, will Twitter do anything about it, beginning with removing its ‘Trends’ feature?” Source:

Communications Sector

41. June 11, Victoria Advocate – (Texas) Phone service out Wednesday due to cut fiber optic line. A fiber cut on June 10 left several people in the Crossroads region without phone service. The cut affected both wireless and wireline services, an AT&T spokesman for South Texas said in an e-mail. “The cut was repaired about 1:45 a.m. on June 11, and all service should be running normally for customers,” he wrote on June 11 in the e-mail. It is difficult to determine how many customers were affected by the outage and where the outages took place, the spokesman said, explaining that, with different cables serving different customers, one home could be fine while the home next door loses service. The outage affected customers in the Victoria area, he said, and possibly others in Yorktown and DeWitt County. Other areas most likely remained unaffected. Source: