Department of Homeland Security Daily Open Source Infrastructure Report

Friday, August 14, 2009

Complete DHS Daily Report for August 14, 2009

Daily Report

Top Stories

 The U.S. Department of Justice announced that two men from Oklahoma and Texas pleaded guilty on Wednesday to conspiring to manufacture and sell oilfield pipe couplings stamped with a certification mark owned and registered by the American Petroleum Institute, without a license or other authorization to do so. (See item 12)

12. August 12, U.S. Department of Justice – (National) Two defendants plead guilty in counterfeit pipe coupling scheme. Two men from Oklahoma and Texas pleaded guilty on August 12 to conspiring to manufacture and sell counterfeit pipe couplings. They pleaded guilty to one count of conspiracy to traffic in counterfeit goods and commit fraud. They each face up to five years in prison. Sentencing is scheduled for November 5, 2009. In their plea agreements, the two men admitted that they conspired with another co-defendant in a counterfeiting scheme to manufacture and sell oilfield pipe couplings stamped with a certification mark owned and registered by the American Petroleum Institute (API), without a license or other authorization to do so. API’s certification program is a quality-control program designed to ensure against injury and catastrophic loss from substandard, unsafe products. The API monogram certifies that products and equipment used in the exploration and production of petroleum and natural gas meet certain API standards, specifications and recommended practices. Couplings that do not meet the API standards are sold for limited service applications at substantially lower prices than API-certified products. Only manufacturers licensed by API after meeting strict quality control standards, and who are subject to continued monitoring by API, are authorized to manufacture and sell products containing an API certification mark. According to the plea agreement, they acknowledged that they not only manufactured and sold couplings containing an API certification mark without a license, but profited at the expense of customers by manufacturing many of those couplings using substandard materials. Source:

 Reuters reports that pirates probably hijacked a 4,000-ton, 98-meter merchant ship which disappeared after sailing through the English Channel last month, its operator said on Wednesday. A hijacking in European waters would be almost unprecedented in modern times. (See item 17)

17. August 13, Reuters – (International) Mystery deepens over disappearing merchant ship. Pirates probably hijacked a merchant ship which disappeared after sailing through the English Channel last month, its operator said on August 12. The Kremlin has ordered Russian warships to join the hunt for the 4,000-ton, 98-meter bulk carrier Arctic Sea, whose mysterious fate has baffled national maritime authorities across Europe and North Africa. The Maltese-registered vessel, carrying a cargo of timber worth $1.3 million, was supposed to have docked on August 4 in the Algerian port of Bejaia. It never arrived, raising fears of a rare case of piracy in northern European seas. “My view is that it is most likely that the vessel has been hijacked,” the director of the Finnish company Solchart, which operates the vessel, told Reuters. “It is unclear where the vessel is now.” A wave of piracy has hit shipping off Somalia, and an international naval force patrols its coast in an effort to protect merchant vessels. But a hijacking in European waters would be almost unprecedented in modern times. “If this is piracy, and it seems most likely of all that it is, then it is one of the first cases in recent history of piracy in these seas,” he said. Concerns over the safety of the 15-member Russian crew were raised after the Malta Maritime Authority said it received reports the ship had been boarded by armed men in masks posing as anti-drugs police in Swedish waters on July 24. Swedish authorities said none of its law enforcement agencies had been involved. An editor of Russia’s respected Sovfracht maritime journal, said that the ship may have been carrying a secret cargo unknown to the vessel’s owners or operators. Source:


Banking and Finance Sector

14. August 12, U.S. Department of Justice – (International) North Miami Beach resident arrested in foreign currency investment scheme. The acting United States attorney for the southern district of Florida and the acting special agent in charge, Federal Bureau of Investigation (FBI), Miami Field Office, announced on August 12 that a North Miami Beach resident was arrested earlier on August 12 on mail and wire fraud charges arising from an investment fraud scheme in which more than 100 investors lost approximately $4,000,000. The suspect is currently being held without bond. A pre-trial detention hearing is scheduled for August 14 before the duty Magistrate Judge. As alleged in the Indictment, from January 2002 through November 2004, the suspect defrauded investors by soliciting investments for the purported purpose of trading foreign currencies in the international foreign exchange market. The suspect caused investors to believe that, based on his alleged extensive experience trading foreign currencies, he would trade foreign currencies on the investors’ behalf in return for a share of the profits generated by his trading activities. Investors were led to believe that the suspect was generating positive monthly returns trading foreign currencies each and every month during the course of the scheme. In fact, during most of the scheme’s existence, the suspect did not even attempt to trade foreign currencies, and, when he did attempt to do so, he lost significant amounts of investors’ money. As the Indictment alleges, the suspect used most of the investors’ money for his own personal benefit and to make payments in Ponzi scheme fashion to investors who occasionally sought to redeem some of the money that they had invested with him and his various corporate entities. Source:

15. August 11, Detroit Free Press – (Michigan) No explosives in packages at Macomb credit unions. Authorities have determined that two suspicious packages left outside credit unions in Eastpointe and Warren on August 11 are not explosives and people who were evacuated because of the incidents have been able to return to their locations, police in both cities said. The package at Peoples Trust Credit Union, 30800 Van Dyke, in Warren contained a travel mug and shirt wrapped in plastic, police said. The package did not appear to contain death threats against police officers once officers were able to read a note with the items, police said. In Eastpointe, the suspicious briefcase-type bag left outside Michigan First Credit Union at Gratiot and Toepfer is believed to be a service call box left by an electrician or someone doing work in the area, police said. It does not appear the two incidents are connected, Eastpointe police said. Warren police evacuated between 50 and 60 people from Peoples Trust Credit Union, just south of 13 Mile, and the Fifth-Third Bank next door. Eastpointe police also evacuated the area around Michigan First Credit Union. Source:

16. August 10, American Chronicle – (National) Internet gambling payment processor charged with bank fraud, money laundering. The acting U.S. attorney for the southern district of New York and the assistant director-in-charge of the New York office of the Federal Bureau of Investigation (FBI), announced on August 10 the filing of an indictment charging a suspect with bank fraud and other offenses stemming from his role in processing more than $350 million for Internet gambling companies. Since at least 2007 through June 2009, the suspect opened a number of bank accounts in the United States under various corporate names, such as KJB Financial Corporation, Account Services Corporation and Check Payment Financial Co. In opening the accounts, he and his co-conspirators falsely represented that the accounts would be used for such purposes as issuing rebate checks, refund checks, sponsorship checks, affiliate checks and minor payroll processing. In fact, the suspect and his co-conspirators used the accounts to receive funds from offshore Internet gambling companies that offered, variously, poker, blackjack, slots and other casino games. The suspect and his co-conspirators then disbursed those funds via checks to U.S. residents seeking to cash out their gambling winnings. The suspect and his co-conspirators provided false and misleading information to U.S. banks about the purpose of the accounts because the banks would not have processed the transactions had they known they were gambling-related. In total, the suspect and his co-conspirators processed more than $350 million transferred from a Cyprus bank account to various U.S. bank accounts for this purpose. The suspect is charged with one count each of conspiracy to commit bank fraud, conspiracy to engage in money laundering and conspiracy to operate an illegal gambling business. Source:

Information Technology

41. August 13, The Register – (International) Virus arms race primes malware numbers surge. Half (52 percent) of new malware strains only stick around for 24 hours or less. The prevalence of short-lived variants reflects a tactic by miscreants aimed at overloading security firms so that more damaging strains of malware remain undetected for longer, according to a study by Panda Security. The security firm, based in Bilbao, Spain, detects an average of 37,000 new viruses, worms, Trojans and other security threats per day. On average, around 19,240 of these spread and try to infect users for just 24 hours, after which they become inactive as they are replaced by other, new variants. Virus writers — increasingly motivated by profit — try to ensure their creations go unnoticed by users and stay under the radar of security firms. It has now become common practice for VXers to review detection rates and modify viral code after 24 hours. The practice goes some way towards explaining the growing malware production rate. The amount of malware catalogued by Panda was 18 million in the 20 years from the firm’s foundation until the end of 2008. This figure increased 60 percent in just seven months to reach 30 million by 31 July 2009. Source:

42. August 12, The Register – (International) WordPress bug resets admin password. Developers of the widely used WordPress blogging software have released an update that fixes a vulnerability that let attackers reset the administrator password. The bug in version 2.8.3 is trivial to exploit remotely using nothing more than a web browser and a specially manipulated link. Using the special URL, the old password is removed and a new one generated in its place with no confirmation required, according to an alert published on the Full-Disclosure mailing list. The flaw lurks in some of the PHP code that fails to properly scrutinize user input when the password reset feature is invoked. According to WordPress documentation, the bug has been fixed by changing a single line of code so the program checks to make sure the input supplied for the new password is not an array. If it is, the user gets an error message and must try again. After this article was first published, version 2.8.4 was released. That would appear to be the end of it, but two security researchers wonder aloud whether it would have made more sense to check instead whether the input is a string. After this article was first published, WordPress documentation showed the suggestion from security researchers was being formally adopted. Source:
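The difference between "reject arrays" and "require a string" is easy to miss in prose. The PHP sketch below is an added illustration and is not WordPress code nor code from The Register's article; the function names are hypothetical and the inputs are constructed. It contrasts the three checks the item describes: an emptiness check alone, the 2.8.4-style "not an array" check, and the researchers' "is a string" check, run over the kinds of values a PHP script can actually receive from a query string.

```php
<?php
// Added illustration, not WordPress's own code. Three hypothetical versions
// of a reset-key validation, modelled on the checks described in the item.

// Weak check: only rejects "empty" values.
function reset_key_accepted_v1($key): bool {
    return !empty($key);
}

// "Not an array" check, as the item describes the 2.8.4 fix.
function reset_key_accepted_v2($key): bool {
    return !empty($key) && !is_array($key);
}

// "Is a string" check, as the researchers suggested: a positive type test
// rather than excluding one unwanted type.
function reset_key_accepted_v3($key): bool {
    return is_string($key) && $key !== '';
}

// Constructed inputs modelling what $_GET can hold. PHP turns a query
// parameter written as key[]=... into an array automatically, so an array
// is a realistic shape for untrusted input, and empty('0') is true in PHP,
// which is why a key of "0" is included as an edge case.
$samples = [
    'normal key'     => 'a1b2c3d4e5f6',
    'empty string'   => '',
    'missing (null)' => null,
    'string "0"'     => '0',
    'array of ""'    => [''],
    'array of key'   => ['a1b2c3d4e5f6'],
    'integer'        => 12345,
];

printf("%-16s %-6s %-6s %s\n", 'input', 'v1', 'v2', 'v3');
foreach ($samples as $label => $input) {
    printf("%-16s %-6s %-6s %s\n",
        $label,
        var_export(reset_key_accepted_v1($input), true),
        var_export(reset_key_accepted_v2($input), true),
        var_export(reset_key_accepted_v3($input), true));
}
```

Running this shows that v1 accepts both array inputs because a one-element array is not "empty"; v2 rejects arrays but still accepts an integer and still rejects the legitimate-looking string "0"; v3 accepts exactly non-empty strings. Whichever check is used, it should sit in front of, not replace, the application's own character-class validation of the key.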

43. August 12, The Register – (International) CA auto-immune update trashes systems. A berserker update to CA eTrust anti-virus software created confusion on August 12. The 33.3.7051 update labeled a large number of binaries (.DLL and .exe files) — including some components of eTrust itself — as infected with something called StdWin32. These files were sent off to quarantine, resulting in disabled systems that may be far from easy to recover. Users are strongly advised to block the update. Temporarily disabling on-access scanning, normally a bad idea, might also be worth considering. Several Register readers have informed us of the problem. “CA have got it so wrong with this update that the Anti-Virus is even renaming core elements of its own program directory, to be honest E-Trust could be deemed a virus in itself,” one correspondent notes. CA issued a statement on August 12 explaining that the glitch was due to an engine overhaul that had obviously gone wrong, and said that it has developed a remediation tool. Source:

Communications Sector

44. August 13, Lawrence Journal-World and 6News – (Kansas) Maintenance hampers local Internet access, takes down local Web sites. Planned maintenance early on August 12 by Level 3 Communications, one of the vendors that provide Internet bandwidth to Sunflower Broadband, went awry and hampered several local Web sites. That unsuccessful maintenance led to hours-long Internet outages for Sunflower Broadband customers and prevented some users outside of the Sunflower Broadband network from accessing, and other World Company Web sites. Most users who subscribe to Sunflower Broadband were still able to access and other World Company sites, but some had intermittent access problems. By the evening of August 12, Internet service had been restored to most of the community, Sunflower said, though the fix was only a temporary one. Level 3 officials were still trying to identify the initial cause of the outage. The Sunflower Broadband general manager said Level 3 was one of three bandwidth providers for Sunflower Broadband. The other two continued working through the outage, but as bandwidth use peaked in the after-work hours, the two remaining Internet providers could not handle the traffic load. The manager said Level 3 became aware of the problem early August 12 and spent most of the day looking for the cause. Sunflower officials said the problem could not be addressed at the local level, but only by Level 3. Source:

45. August 13, FierceTelecom – (National) FCC gets serious about smart grids. While it has pretty much kept out of the smart grid fray, it looks like the FCC is now making its move, as it recently hired a former venture capitalist of Polaris Ventures as Energy and Environmental director. He is being tasked with heading a team that he said “will examine how broadband/communications infrastructure and policies can support our national energy and environmental goals, with an emphasis on the Smart Grid.” The idea is not completely far-fetched as Qwest Communications, for example, is providing DSL-based backhaul network services to Xcel Energy in Boulder, Colorado. Thus far, the loudest proponents for Smart Grid have been the National Institute for Standards and Technology (NIST) and the IEEE, which jointly have been vocal proponents of smart grids with the launch of their Smart Grid Interoperability Standards Project P2030. Still, the FCC’s influence cannot be understated. Not only will the agency develop rules and regulations for utility companies leveraging wireless spectrum and broadband access technologies, but it also is crafting a National Broadband Task Force that is analyzing the state of broadband in the U.S. One of the new director’s first tasks in his new role will be to hold a workshop that will look at how broadband technology will enhance smart grid rollouts. It appears at this point that the FCC’s actual plans are still a work in progress. “Right now we are gathering data and information from experts that will help us develop a plan regarding broadband’s role in energy, so we’ll be able to better answer that question in a few months,” the new director said in the earth2tech article. Source: