Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, March 18, 2010

Complete DHS Daily Report for March 18, 2010

Daily Report

Top Stories

 National Public Radio reports that thieves cut a hole in the roof of an Enfield, Connecticut warehouse, rappelled inside, and stole about $75 million in antidepressants and other prescription drugs. The pills — stolen from pharmaceutical giant Eli Lilly & Co. — are believed to be destined for the black market, perhaps overseas. (See item 38)

38. March 17, National Public Radio – (Connecticut) Brazen Conn. warehouse heist nets $75M in pills. Thieves cut a hole in the roof of an Enfield, Connecticut warehouse, rappelled inside, and stole about $75 million in antidepressants and other prescription drugs. The pills — stolen from the pharmaceutical giant Eli Lilly & Co. in quantities big enough to fill a tractor-trailer — are believed to be destined for the black market, perhaps overseas. Experts described it as one of the biggest pharmaceutical heists in history. Other pharmaceutical warehouses have been hit with similar burglaries in recent years, but experts said the value of the Eli Lilly heist far eclipses any other prescription-drug thefts they have tracked. The thieves could easily net $20 million to $25 million. Enfield police would not say whether the building had surveillance video or whether employees are being investigated. The building is unmarked and unprotected by fences. The FBI was called in. Source:

 According to Justice News Flash, a chemical explosion at Olympia Resort and Conference Center in Oconomowoc, Wisconsin left an employee with multiple fractures and minor burns Tuesday after the worker mixed chlorine with another chemical while in the laundry room of the resort. As a safety precaution, over thirty people also reported to hospitals. (See item 60)

60. March 16, Justice News Flash – (Wisconsin) Chemical explosion at Oconomowoc resort sent over 30 people to hospitals. A chemical explosion at Olympia Resort and Conference Center left an employee with multiple fractures and minor burns Tuesday morning, March 16. The worker was reportedly mixing chlorine with another chemical while in the laundry room of the resort, prompting the blast. As a safety precaution, over thirty people, including other employees, police officers and fire rescue personnel also reported to area hospitals after the incident. None of the guests staying at the hotel at the time were reportedly affected by the small chemical explosion. HazMat teams were dispatched to the scene to aid in cleanup efforts. It was undisclosed if OSHA will be conducting independent investigations into the workplace explosion. Source:


Banking and Finance Sector

11. March 17, Washington Post – (National) Financial reform would shift Fed’s authority away from regional banks. In the details of the financial reform legislation introduced this week are fundamental changes to the Federal Reserve that would shift power from the regional Fed banks around the country and concentrate it in Washington and New York. By altering the traditional balance of power, the bill put forward by the Senate banking committee’s chairman would recast the workings of the Federal Reserve System, a unique structure set up a century ago to distribute authority and ensure the central bank was not dominated by the nation’s political and financial capitals. That is why the Senate bill is provoking dismay among many officials at the regional Fed banks even as the Fed, on the surface, appears to be a big winner. The legislation allows the Fed to maintain its role in overseeing the country’s largest banks while awarding it even more power to protect consumers and monitor the financial system for emerging risks. The central bank would also continue its most prominent job of managing the nation’s monetary policy. The Fed, however, would be stripped of its role in regulating all but the few dozen largest financial firms. The oversight of almost 6,000 small and midsize banks, one of the major tasks carried out at the 12 regional Fed banks, would be taken over by other federal agencies. Source:

12. March 17, SC Magazine – (International) A UK-specific banking malware is hitting users and proving difficult to detect for anti-virus vendors. Warnings have been made about a piece of banking malware that specifically targets UK banks. The CEO of Trusteer claimed that Silon works as a ‘man-in-the-middle’ attack and specifically targets the login page, and to date only one out of 41 anti-virus detections have been made. He said that it was able to target web pages ‘on the fly’ and collects logon information, including one-time passwords. He said: “As an .exe file it looks different on each computer so it is hard for anti-virus to detect it. The bottom line is we are facing a very sophisticated piece of malware that is flying under the radar of anti-virus vendors and it is distributed to large customers and bypassing rules put in place. It is the ultimate piece of malware.” Commenting on it specifically targeting UK banks, the CEO said that it will target two or three banks where it needs to recruit mule accounts, and once it is mastered its controller can commit a lot of fraud. Source:

13. March 17, Courthouse News Service – (California) ‘About that $19 billion...’. The Federal Home Loan Bank of San Francisco demands $19 billion from major banks and investment houses it accuses of lying about the quality of the subprime mortgage-backed securities they created and sold. The FHLB sued Deutsche Bank, Credit Suisse, JPMorgan Stanley, UBS, Banc of America, Countrywide Financial and others in two Superior Court complaints. The FHLB claims the lending giants, including now-defunct Bear Stearns, Greenwich Capital Markets, RBS Securities and others failed to disclose material facts about the mortgages, such as how much equity the borrowers had in their homes, and that the omissions and misrepresentation led to much greater rates of foreclosures than promised. The firms used exaggerated property appraisals so the loan-to-value ratios of the mortgage loans in the securities’ collateral pools understated the risks, according to the complaint. Source:

14. March 17, Omaha World-Herald – (Nebraska) Bank customers target of scam. Some customers at a bank in Broken Bow, Nebraska, have been scammed out of their debit-card and personal-identification numbers after receiving automated phone messages alerting them to “problems” with their cards. A statement on the Nebraska State Bank & Trust Co. Web site says the scam involves an automated message sent to cell phones. The message identifies the caller as Nebraska State Bank, notes a problem with the person’s debit card and asks that the person respond either by calling a certain phone number or typing his or her debit card number and PIN directly into the cell phone. The bank asks that its customers not provide any numbers or account information. Source:

15. March 17, Courthouse News Service – (National) Felon ran 200 million Ponzi, victims say. Eighteen investment LLCs say they were taken for more than $200 million by a recidivist felon who’d already served prison time for a $5 million gold swindle. The suspect and his cohorts face 79 criminal charges in California after swindling 1,000 investors for $200 million, allegedly to invest in tax-sheltered senior housing centers across the nation. The suspect set up Asset & Real Estate Investment Company (AREI) and more than 50 affiliates to run his Ponzi scam, according to the complaint in Shasta Superior Court. The scam went on for 10 years, during which the financial wrecking crew over-leveraged property, stripped it of assets and drove it into foreclosure, depriving investors of their ownership and equity, according to the complaint. Co-defendants Meecorp Capital Markets, Capital Resources Fund, and Shattuck Hammond Partners encumbered a senior housing facility, Colonnade of Schwenksville, in Pennsylvania, with undisclosed loans, preferred equity and fees to enrich themselves, according to the complaint. Still more defendants, title companies, failed to notify investors of all this, and allowed AREI to withhold title information, all to the plaintiff’s detriment, according to the complaint. Source:

16. March 17, Courthouse News Service – (National) 100 million Ponzi alleged; leaders vanish. A Colombian couple took $100 million from hundreds of investors in a Ponzi scam through their Florida-based company, FIT International Group, and when they were nailed for it, claimed to be distributing their remaining $12,690.74 “for the ‘benefit’ of creditors,” a RICO class action claims in Federal Court. The couple, whose last known addresses are the same apartment in Bogota, also used the name Forex International Team for their scam, according to the class, which is estimated at 600 victims. The FIT International Group was the main tool for their predations, though “No such company has ever been incorporated, as a corporation or limited liability company, in New York, however,” the investors say. Foreign exchange markets trade roughly $3 trillion a day, making it one of the largest markets in the world, according to the complaint. It’s fertile ground for Ponzi schemes. The couple solicited clients through “social connections,” particularly a dentist in Columbia, the complaint states. The dentist is not a party to this action. After taking more than $100 million from investors over “the course of several years,” the couple “never invested the money in Forex trading as they had promised, but merely siphoned it away to secret private accounts at HSBC, UBS, and others,” the complaint states. As the scheme unraveled in December 2008, the dentist quickly pulled out, warning investors to withdraw their money. Source:

17. March 16, KRDO 13 Colorado Springs – (Colorado) ‘Suspicious package’ at Wells Fargo blown up by bomb squad. The Pueblo Police Department’s bomb squad blew up a suspicious package that prompted the evacuation of a Wells Fargo Bank and several local businesses on March 16. Employees of the Wells Fargo Bank on the 500 block of Main Street noticed a suspicious package in the front foyer and called the police department around 9:52 a.m. The Pueblo Police Department bomb squad created a small explosion to blow open the package after x-rays gave inconclusive results. Inside was literature for the Medical Marijuana Dispensary that is adjacent to the bank. Local businesses were closed for one and a half hours due to the police investigation. Source:

18. March 16, The Register – (International) Feds sue Russian for stock pump and dump hack. The US Securities and Exchange Commission accused a Russian man of earning more than $255,000 in illegal stock sales by using hijacked brokerage accounts to artificially manipulate the price of shares in more than three dozen companies. The suspect used a legitimate account to buy positions in 38 thinly traded stocks, and then use compromised brokerage accounts to buy or sell huge numbers of the same companies, agency attorneys alleged. The 36-year-old resident of St Petersburg, Russia would then turn around and sell his holdings at a sizeable premium, according to a lawsuit filed in US District Court in Manhattan. The scheme earned at least $255,532 from August to December at a cost of $603,000 to broker-dealers, which had to reimburse customers. The suspect, who is the president and only officer of a company called BroCo Investments, has tried to withdraw $310,000 out of his account at Genesis Securities and have the money wired to a bank in Cyprus. Genesis has not yet processed the requests. Source:

19. March 16, Associated Press – (International) US official warns EU that threat to ban naked credit default swaps would not work. Europe’s threat to ban the sort of financial derivatives trading that some blame for worsening Greece’s debt crisis wouldn’t work, a senior U.S. official told EU lawmakers on March 16. German, French and Greek leaders have called on the EU’s executive to crack down on so-called naked credit default swaps, where an investor can profit by taking out insurance on a product he doesn’t own. Their call is a swipe at traders taking bets on a falling euro and a Greek default. Greece’s prime minister has blamed financial markets for intensifying his country’s debt crisis by hiking borrowing costs. He described the swaps as buying insurance on a neighbor’s house and then burning it down to collect. The chairman of the U.S. Commodity Futures Trading Commission said an outright ban would be “difficult to police” and would only encourage traders to seek other high risk and high return investments. Source:,0,2755285.story

20. March 16, WSVN 7 Miami – (Florida) Video of bomb scare at bank. Police have released surveillance video footage of a suspected bank robber who caused a bomb scare in North Miami Beach. The robbery at the Chase Bank at 1201 NE 163 St. forced the closure of 163rd Street during the evening rush on March 15, as Miami-Dade Police and Fire Rescue units responded to the scene. The bomb squad was even called out to investigate the alleged device. Authorities wound up finding a harmless bag of rocks. According to a police spokesperson, the man they are looking for was caught on video with a Macy’s bag filled with the rocks to weigh it down and a car charger sticking out of the bag, which he had attached to his cell phone. He held the phone like it was a detonator and demanded money from a teller. The FBI has now opened an investigation into the robbery. Source:

Information Technology

52. March 17, Washington Post – (National) Measure would force White House, private sector to collaborate in cyber-crisis. Key members of Congress are pushing legislation that would require the White House to collaborate with the private sector in any response to a crisis affecting the nation’s critical computer networks. The Cybersecurity Act, drafted by the Senate commerce committee chairman and a committee member, is an attempt to prod the the U.S. President’s administration and Congress to be more aggressive in crafting a coordinated national strategy for dealing with cyberthreats. It is to be unveiled on March 17. The Cybersecurity Act was introduced last year to jump-start the debate, but it proved so controversial that it was reworked three times. The new version deletes a provision that would have enabled the president to shut down portions of computer networks in an emergency. The so-called “kill switch” was seen by critics as giving the president authority to shut down the Internet. Instead, the bill would require the White House to work with the private sector in designating which industry networks are considered “critical” and to determine how those networks should be protected. Source:

53. March 17, Help Net Security – (International) 20 critical Apple vulnerabilities to be revealed. The security researcher renowned for hacking Apple products during many a hacking competition will be making public (at the CanSecWest security conference later in March) his latest research through which - he claims - he was able to find some 30 critical flaws in commonly used software. Having hacked in the past the MacBook Air and the Safari browser, he might seem bent of making Apple look bad, but his research encompassed testing of software form different vendors: Adobe Reader, Apple Preview, Microsoft PowerPoint and Oracle’s OpenOffice. Using a simple Python script in order to fuzz test the applications, he discovered more than a 1000 ways to crash them. Of that number, 30 bugs allowed him to hijack the programs. And of those 30, 20 were found in Apple’s Preview. Source:

54. March 17, Krebs on Security – (International) Researchers map multi-network cybercrime infrastructure. Recently, security experts launched a sneak attack to disconnect Troyak, an Internet service provider in Eastern Europe that served as a global gateway to a nest of cyber crime activity. For the past seven days, unnamed members of the security community reportedly have been playing Whac-a-Mole with Troyak, which has bounced from one legitimate ISP to the next in a bid to reconnect to the wider Internet. But experts say Troyak’s apparent hopscotching is expected behavior from what is in fact a carefully architected, round-robin network of backup and redundant carriers, all designed to keep a massive organized criminal operation online should a disaster like the Troyak disconnection strike. Security firm RSA believes Troyak is but one of five upstream providers that encircle a nest of eight so-called “bulletproof networks” – Web hosting providers considered impervious to takedown by local law enforcement. RSA said this group of eight hosts some of the Internet’s largest concentrations of malicious software, including password stealing banking Trojans like ZeuS and Gozi, as well as huge repositories of personal and financial data stolen by these Trojans and a notorious Russian phishing operation known as RockPhish. Source:

55. March 16, The Register – (International) Waledac botnet ‘decimated’ by MS takedown. Communications within the notorious Waledac botnet have been “effectively decimated,” thanks to a novel takedown approach that combined court actions with a variety of technical measures, a Microsoft program manager said on March 16. “Operation b49,” as Microsoft dubbed the takedown, has severed as many as 90,000 infected PCs from the master control channels that feed them updated malware, spam templates and other malicious data, a Microsoft spokesman wrote. He cautioned that security watchers can’t yet claim victory, but said the initial success of the operation provides a guide for future takedowns. He went on to say that data from Microsoft and other researchers “indicate that our actions have effectively decimated communications within the Waledac bot network”. He cited the analysis by the Shadowserver Foundation of honeypot PCs - which are infected and then quarantined so researchers can observe their behavior. It found “an effective cessation of commands to Waledac ‘zombies’”. The action has severed from 70,000 to 90,000 infected computers from the network, blocking all communication between them and the botmasters. Source:

56. March 16, DarkReading – (International) Flaw in Microsoft’s Hypervisor lets attackers bypass DEP, ASLR. Core Security Technologies has discovered a flaw in Microsoft’s Virtual PC hypervisor that can be used by an attacker to cheat built-in, advanced security features in Windows. The flaw in the memory management function of the hypervisor affects Microsoft Virtual PC 2007, Virtual PC 2007 SP1, Windows Virtual PC, Microsoft Virtual Server 2005, and the XP Mode feature in Windows 7. Microsoft’s Hyper-V technology is not affected by the vulnerability. Core first reported its discovery of the vulnerability to Microsoft in August. Microsoft will fix the issue in future updates to the products, according to Core. For now, users should run mission-critical applications on native hardware and software platforms, or employ virtualization software not affected by the flaw. Microsoft says the attack is based on using existing vulnerabilities rather than an actual vulnerability itself: “It does this by rendering a number of protection mechanisms that are present in the Windows kernel less effective inside a virtual machine as opposed to a physical Windows machine. An attacker would need to abuse an already present vulnerability in order to leverage this technique,” a Microsoft spokesperson says. Source:

For another story, see item 12 above in the Banking and Finance Sector

Communications Sector

57. March 16, ComputerWorld – (National) FCC plan calls for ‘minimal’ public safety fee for all broadband users. The FCC’s National Broadband Plan, released on March 16, calls for a new “minimal” fee on all U.S. broadband users to help pay for a new $16 billion nationwide emergency response wireless network. Public safety officials have pleaded for such an interoperable network to aid their response to disasters and potential attacks since firefighters and police could not communicate effectively during the September 11 terrorist attacks and the response following Hurricane Katrina. In its 19-page section on public safety, the plan calls for creating the national wireless network for first responders and says that the cost of between $12 billion and $16 billion over 10 years could be paid with state and local contributions. But the plan also argues for a “nominal” fee on all U.S. broadband users to “ensure that this country’s emergency responders have access to critical communications capabilities when and where they need them.” The plan urges Congress to authorize the FCC to impose or require the fee or another funding means. Source:

58. March 16, Watertown Daily Times – (New York) Public Radio station off air after storm rips antenna. North Country Public Radio has been off the air to listeners in Jefferson and Lewis counties since March 13, following a wind storm that knocked the antenna from a tower in Watertown. The chief engineer said listeners in Watertown, Cape Vincent, Clayton, Carthage, Lowville and Lyons Falls were affected. A team from Wells Communications checked the damage on the State Street hill tower on March 15. Service could be restored by March 16. Source: 59. March 16, Carbondale Southern – (Illinois) Telephone services restored for region. Full telephone services throughout Southern Illinois were restored as of 3:30 p.m. on March 16, according to an announcement from Verizon. The restoration came after several hours of downed service that affected 911 service in areas throughout the region, as well as residential long-distance phone service. Several law enforcement agencies throughout Southern Illinois were without 911 emergency phone services. Verizon officials said crews working on road construction in the Carterville area damaged a line, causing the loss of service. Source:

For another story, see item 54 above in the Information Technology Sector