Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, September 30, 2009

Complete DHS Daily Report for September 30, 2009

Daily Report

Top Stories

 Reuters reports that a Singapore-flagged tanker carrying crude oil ran aground on Monday at mile marker 3 on the Lower Mississippi River, near Pilottown, Louisiana. At least eight large vessels are being held up due to the incident. (See item 3)

3. September 28, Reuters – (Louisiana) Mississippi River traffic blocked by grounded ship. A tanker carrying crude oil ran aground and is blocking vessel traffic near the mouth of the Mississippi River, the most important U.S. commercial waterway, the Coast Guard said on Monday. No leak has been detected from the ship, the Singapore-flagged Eagle Tucson, which is owned by U.K.-based AET Inc. The vessel ran aground at 2:45 a.m. on Monday with 602,000 gallons of crude oil, according to a Coast Guard statement. At least eight large vessels are being held up due to the incident, a Coast Guard spokeswoman said. No information was available on what cargoes those vessels held. Four tug boats are on the scene, with another two en route, to help to refloat the Eagle Tucson, and a lightering vessel arrived to transfer its cargo if necessary. The grounding of the Eagle Tucson, an upriver-bound, 107,000-ton deadweight, double-hull oil carrier, occurred at mile marker 3 on the Lower Mississippi, near Pilottown, Louisiana, and around 85 miles downriver from New Orleans. Oil refiners in the Gulf Coast region should not have to make any cuts in production because of the incident, said a source at a major U.S. refiner. The channel may be cleared to outbound traffic later Monday, the source said. “Deep-draft vessels are currently unable to transit through the area,” the Coast Guard said. The Coast Guard said it was not immediately clear how long it would take to clear the Eagle Tucson. Small vessels were still able to transit in the area, which serves as a key U.S. shipping corridor, the spokeswoman said. Source:

 Two U.S. sailors and a Filipino marine were killed Tuesday in a roadside bomb believed planted by al-Qaeda linked militants, the first American troops to die in an attack in the Philippines in seven years. (See item 39)

39. September 29, Associated Press – (International) 2 U.S. troops killed in Philippines blast. Two U.S. sailors and a Filipino marine were killed Tuesday in a roadside bomb believed planted by al-Qaeda linked militants, the first American troops to die in an attack in the Philippines in seven years. The Philippine military suspected Abu Sayyaf militants were behind the attack against the U.S. Navy troopers on the southern island of Jolo. Jolo lies in a poor, predominantly Muslim region. The American forces have been providing combat training and weapons to Filipino troops battling the Abu Sayyaf. Philippine officials described the blast as being caused by a land mine, a description normally used for military-grade weapons. The U.S. Embassy said it was an improvised explosive device. Source:


Banking and Finance Sector

19. September 29, Los Angeles Times – (California) Riverside County man sentenced to 100 years for operating Ponzi scheme. In what federal prosecutors described as the longest sentence ever imposed for a financial crime in Southern California, a Riverside County man was sentenced Monday to 100 years in prison for operating a Ponzi scheme that bilked investors of about $35 million. The guilty party, who ran the operation from 2000 to 2003 through a company he called MX Factors, was sentenced by a U.S. district judge in federal court in Riverside. Dozens of the company’s estimated 700 investors wrote the judge to demand a stiff sentence. Prosecutors said the guilty party, using a team of sales agents, told clients that he would invest their money in government-guaranteed construction loans and promised monthly returns as high as 14 percent every three months. Instead of investing in construction, the guilty party wired some of the money to foreign banks, paid high commissions to agents and launched a crab-fishing business in Ensenada, prosecutors said. Some early investors were paid dividends that came from later investors, a classic Ponzi scheme, said an assistant U.S. attorney. Source:,0,1441674.story

20. September 28, Associated Press – (Pennsylvania) Ex-CEO of Pa. drinks-maker charged in $806M fraud. A federal grand jury accused the former chief executive officer of a defunct soft-drink-maker and four others connected to the company of perpetrating an $806 million bank fraud, much of which went to the ex-CEO and his family. The suspect, of Ligonier, provided financial institutions and equipment suppliers “with dramatically false financial statements” to get equipment leases and loans for Latrobe-based Le-Nature’s Inc., said the U.S. Attorney. She called it the “largest fraud in the history of the Western District of Pennsylvania,” a 25-county area. According to the 29-count indictment unsealed on September 28, lenders and investors poured money into the company on the basis of the phony financial statements. The government wants the suspect to forfeit bank accounts worth more than $7 million. Investigators have already seized tens of millions of dollars in jewelry and an 8,000-piece model train collection worth about $1 million from the suspect. Authorities believe the suspect spent much of the money on himself or his family, as he once drove a Hummer and a high-end Mercedes, and was building a mansion in Ligonier, 45 miles southeast of Pittsburgh. The U.S. Attorney said the loss to the lenders and investors continues to exceed $700 million. The criminal investigation grew out of Le-Nature’s forced bankruptcy in October 2006, when a judge determined it was likely the suspect and other company directors had engaged in criminal activity. The bankruptcy of Le-Nature’s has spawned a raft of litigation, including a racketeering suit brought by the bankruptcy trustee that accuses Charlotte, North Carolina-based Wachovia Corp. of aiding the scheme. Earlier this month, a federal judge ruled the trustee can continue to pursue Wachovia for allegedly continuing to lend money to Le-Nature’s despite red flags raised by Wachovia’s own analysts. Source:

21. September 28, Bloomberg – (Michigan) SEC sues Detroit broker for luring elderly to $250 million scam. The U.S. Securities and Exchange Commission sued a Detroit-area broker for allegedly defrauding elderly investors by selling interests in a firm that claimed it had telecommunications deals with hotels and truck stops. The suspect reaped at least $3.8 million for himself and his company, Fast Frank Inc., by encouraging investors to refinance their homes to participate in a $250 million Ponzi scheme run by the owner of the company E-M Management Co. LLC, the SEC said. The suspect raised $74 million and the SEC said he was the most successful salesperson for the company owner, who was sued in 2007 for running the scam. The suspect falsely told investors he conducted due diligence in E-M, which claimed to have contracts to install and service telecommunications equipment with hotels and casinos in Las Vegas, the SEC said in a complaint filed at federal court in Michigan. Most, if not all, of the purported contracts did not exist, the agency said. The suspect did not know about the scam, has been cooperating for more than a year and provided documents to the agency, said his attorney. The regulator did not claim in its complaint that the suspect signed checks, received bank statements or that his name was mentioned in offering documents “that would show he had any actual knowledge that this was an alleged Ponzi scheme,” the attorney said. Several of the suspect’s 800 clients in Michigan and California used home-equity lines of credit to borrow $100,000 or more, and he encouraged one investor to borrow $1 million on her home to buy interests in the company owner’s projects, the SEC said. The company owner had 1,200 clients. Source:

22. September 28, Canwest News Service – (International) Worm infecting banks’ computers can steal passwords, company warns. Computers at a majority of Canada’s big banks are infected with a malicious computer worm capable of logging keystrokes and stealing passwords, an Ottawa security firm has warned. Defence Intelligence Inc. said on September 28 it has been monitoring the worm dubbed Mariposa for five months and has watched it spread to machines at more than 50 of the top 100 Fortune 500 companies as well as Canada’s banks. The Canadian Bankers Association said it is aware of the worm, which it believes has done little if any damage. But the chief executive officer of Defence Intelligence called Mariposa “a highly sophisticated piece of malicious software” that appears to be very selective in its targets. “We’ve detected compromised behaviour from hundreds of government agencies, financial institutions, universities and corporate networks worldwide, but surprisingly few home users,” he said. The chief executive officer said his team of 11 employees stumbled across the worm while monitoring routine Internet traffic in May. They noticed packets that seemed to be coming from a well-known financial institution reporting back to servers in Israel and Germany. Further inspection revealed the packets were coming from a malicious software program designed to steal information from banks, government and other financial institutions. A spokesman for the Canadian Bankers Association said Mariposa has not breached the sophisticated security systems in place to protect customers’ personal and financial information. “Banks are aware of this malicious software and, based on discussions last week with a number of banks, there has been little-to-no-impact from it at all,” he said. Still, banks are working to eliminate the worm, the spokesman said. Source:

Information Technology

44. September 29, Digital Signage Expo – (National) ICSA Labs addresses security threat to network-connected devices, including digital signs. Responding to an often overlooked security risk, ICSA Labs, an independent division of Verizon Business, recently introduced a new program to help enterprises safeguard against intrusions through network-connected devices such as printers, faxes and point-of-sale systems, as well as help device manufacturers ensure that their products are secure. The new capabilities offered by ICSA Labs, a vendor certification program and a comprehensive enterprise assessment, are designed to protect these typically stand-alone, unattended devices, which connect directly to a network but are not part of the network infrastructure itself, according to the company. Also included in this product class of network-attached devices are copiers, ATM machines, digital signs, proximity readers, security cameras and facility management systems for power, lighting and HVAC systems, said the company. ICSA Labs has found that these unprotected devices can allow hackers easy access to corporate networks. According to the Verizon Business 2009 Data Breach Investigations Report, many breaches occur through what is called “unknown, unknowns,” which can involve systems such as printers and faxes. The report also points out that attackers choose the path of least resistance, targeting vulnerable systems. ICSA Labs’ first new offering, Network Attached Peripheral Security (NAPS) certification, provides manufacturers an opportunity to work with ICSA Labs to help identify and remediate existing and potential vulnerabilities in the devices the manufacturers sell, said the company. The NAPS certification program service also applies to manufacturers whose products are still under development and are seeking recommendations to make their products safer. Source:

45. September 28, The Register – (International) Sunbelt buckles up for anti-bloatware drive. The anti-virus bloatware problem is getting worse despite what some vendors may claim, according to figures from Sunbelt Software. The Florida-based vendor’s marketing claims tap into a deep well of discontent about anti-virus products but are not supported by the latest results from independent testing labs, such as, and therefore ought to be treated with caution. What is not in dispute is that slow, bloated anti-virus engines chew up system resources. The problem has been a continual source of frustration for Windows users for years, and something their Mac and Linux-using peers always cite in operating system arguments. Worse yet, each new version of the leading Windows anti-virus products from Symantec, Trend and McAfee et al can increase the demand on CPU and memory by a significant factor, Sunbelt claims. This can effectively reduce the useful life of existing machines which, according to Sunbelt, need 20 per cent more grunt (extra CPU power and RAM) for each update. Source:

46. September 28, IDG News Service – (International) Pressure on Microsoft, as Windows attack now public. Hackers have publicly released new attack code that exploits a critical bug in the Windows operating system, putting pressure on Microsoft to fix the flaw before it leads to a worm outbreak. The vulnerability has been known since September 7, but until September 28 the publicly available programs that leverage it to attack PCs have not been able to do more than crash the operating system. A new attack, developed by a Harmony Security senior researcher, lets the attacker run unauthorized software on the computer, in theory making it a much more serious problem. The researcher’s code was added to the open-source Metasploit penetration testing kit on September 28. Two weeks ago, a small software company called Immunity developed its own attack code for the bug, but that code is available only to the company’s paying subscribers. Metasploit, by contrast, can be downloaded by anyone, meaning the attack code is now much more widely available. A Metasploit developer said on September 28 that the exploit works on Windows Vista Service Pack 1 and 2 as well as Windows 2008 SP1 server. It should also work on Windows 2008 Service Pack 2, he added in a Twitter message. But the code may not be completely reliable. The Immunity senior researcher said that he could get the Metasploit attack to work only on the Windows Vista operating system running within a VMware virtual machine session. When he ran it on native Windows systems, it simply caused the machines to crash. Either way, the public release of this code should put Windows users on alert. Security experts worry that this code could be adapted to create a self-copying worm attack, much like last year’s Conficker outbreak. Source:

For another story, see item 5 in the full report

Communications Sector

See item 5 in the full report