Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, March 30, 2010

Complete DHS Daily Report for March 30, 2010

Daily Report

Top Stories


• The Associated Press reports that nine suspects tied to Midwest Christian militia group Hutaree were charged on Monday with conspiring to kill police officers, then attack a funeral using homemade bombs in the hopes of killing more law enforcement personnel. The Detroit Examiner reports that the Joint Terrorism Task Force became interested in Hutaree when the group made threats of violence against certain Islamic organizations. (See items 55 and 70)

55. March 29, Associated Press – (National) 9 militia members charged in police-killing plot. Nine suspects tied to a Midwest Christian militia that was preparing for the Antichrist were charged with conspiring to kill police officers, then attack a funeral using homemade bombs in the hopes of killing more law enforcement personnel, federal prosecutors said Monday. The Michigan-based group, called Hutaree, planned to use the attack on police as a catalyst for a larger uprising against the government, according to newly unsealed court papers. A U.S. Attorney said agents moved on the group because its members were planning a violent mission sometime in April. Members of the group were charged following FBI raids over the weekend on locations in Michigan, Ohio, and Indiana. The idea of attacking a police funeral was one of numerous scenarios discussed as ways to go after law enforcement officers, the indictment said. Other scenarios included a fake 911 call to lure an officer to his or her death, or an attack on the family of a police officer. Once other officers gathered for a slain officer’s funeral, the group planned to detonate homemade bombs at the funeral, killing more. After such attacks, the group allegedly planned to retreat to “rally points” protected by trip-wired improvised explosive devices for what they expected would become a violent standoff with law enforcement personnel. Eight suspects have been arrested by the FBI, and one more is being sought. The charges against the eight include seditious conspiracy, possessing a firearm during a crime of violence, teaching the use of explosives, and attempting to use a weapon of mass destruction. Source:

70. March 29, Detroit Examiner – (National) FBI task force busts members of Christian militia, charges to be revealed today. At least seven members of the Hutaree, a militant Christian group based in Adrian, were taken into custody by the FBI-led Joint Terrorism Task Force over the weekend. The members, picked up in Michigan, Ohio, Indiana and Illinois, will learn their fate at the US district courthouse in Detroit Monday, when an indictment against them will be unsealed. The task force reportedly became interested in the Hutaree when the fringe group made threats of violence against certain Islamic organizations. The Michigan Militia has taken care to distance itself from the Hutaree. A militia spokesman referred to them as “too extreme or radical for us.” One source claims that among other activities, the members arrested had made pipe bombs for distribution in their respective states. Source:

• The Associated Press reports that federal prosecutors charged a Chicago cab driver on March 26 with trying to provide funds to al-Qaeda, saying the man planned to send money to a terrorist leader in Pakistan who had said he needed cash to buy explosives. According to the criminal complaint, the cab driver also discussed a possible bomb attack on an unspecified U.S. stadium this summer. (See item 73)

73. March 27, Associated Press – (National) Chicago taxi driver accused of supporting al-Qaeda. Federal prosecutors have charged a Chicago cab driver with trying to provide funds to al-Qaeda, saying the man planned to send money to a terrorist leader in Pakistan who had said he needed cash to buy explosives. The 56-year-old naturalized U.S. citizen of Pakistani origin was charged Friday with attempting to provide material support to a foreign terrorist organization. According to the criminal complaint, he also discussed a possible bomb attack on an unspecified U.S. stadium this summer. Speaking with a man identified only as Individual B, he allegedly said bags containing remote-controlled bombs could be placed in the stadium and then, “boom, boom, boom, boom,” prosecutors said. A U.S. attorney said there was no imminent danger to the Chicago area. Authorities say the cab driver claimed to have known another man for 15 years and came to believe that this other man was receiving orders from al-Qaeda’s leader. Prosecutors have said that this other man does in fact maintain close ties with at least one al-Qaeda leader. According to the complaint, the cab driver sent $950 from a currency exchange in Chicago to “Lala,” a name meaning older brother that he used in speaking of the other man. It said the money was sent after the other man indicated that he needed cash to buy explosives. On March 17, the cab driver accepted $1,000 from the undercover agent and assured him that the money would be used to purchase weapons and possibly other supplies, the complaint said. Source:

Banking and Finance Sector

17. March 29, IDG News Service – (National) Company says 3.3M student loan records stolen. Data on 3.3 million borrowers was stolen from a nonprofit company that helps with student loan financing. The theft occurred on March 20 or 21 from the headquarters of Educational Credit Management Corp. (ECMC), which services loans when student borrowers enter bankruptcy. The data was contained on portable media, said the organization, which is a dedicated guaranty agency for Virginia, Oregon, and Connecticut. The data included names, addresses, birth dates and Social Security numbers but no financial information such as credit card numbers or bank account data, ECMC said in a news release. Law enforcement has been notified. “ECMC is cooperating fully with local, state and federal law enforcement agencies conducting the investigation,” it said in a statement. ECMC will send a written notification to affected borrowers “as soon as possible” and offer them free services from Experian, a credit monitoring agency. Source:

18. March 27, Bank Info Security – (National) Four banks closed on March 26. Four banks were closed by state and federal regulators on Friday, March 26, raising to 46 the number of failed banks and credit unions so far in 2010. McIntosh Commercial Bank, Carrollton, Georgia, was closed by the Georgia Department of Banking and Finance, which appointed the Federal Deposit Insurance Corporation (FDIC) as receiver. The FDIC estimates that the cost to the Deposit Insurance Fund (DIF) will be $123.3 million. Key West Bank, Key West, Florida, was closed by the Office of Thrift Supervision, which appointed the FDIC as receiver; the estimated cost to the DIF is $23.1 million. Unity National Bank, Cartersville, Georgia, was closed by the Office of the Comptroller of the Currency, which appointed the FDIC as receiver; the estimated cost to the DIF is $67.2 million. Desert Hills Bank, Phoenix, Arizona, was closed by the Arizona Department of Financial Institutions, which appointed the FDIC as receiver; the estimated cost to the DIF is $106.7 million. Source:

19. March 26, U.S. Department of Justice – (National) Kentucky attorney pleads guilty for role in stock manipulation scheme and obstruction of justice. A Louisville, Kentucky, attorney pleaded guilty late March 26 in U.S. District Court in Tulsa for his role in a scheme to defraud investors through the manipulation of the publicly traded stocks of three companies, announced the Assistant Attorney General of the Criminal Division and the U.S. Attorney for the Northern District of Oklahoma. The defendant pleaded guilty to one count of conspiracy to commit wire fraud, securities fraud and money laundering, as charged in the indictment returned by a federal grand jury in Tulsa on January 15, 2009. He also pleaded guilty to one count of obstruction of justice, contained in a criminal information filed March 25, 2010. Specifically, he pleaded guilty to making false and misleading statements to the Internal Revenue Service (IRS) and to the Department of Justice regarding stock promotions and movement of stock proceeds. According to the indictment, between April 2004 and December 2006, the attorney and his co-conspirators devised and engaged in a scheme to defraud investors known as a “pump and dump,” in which they manipulated three publicly traded penny stocks. A penny stock is a common stock that trades for less than $5 per share in the over-the-counter market, rather than on national exchanges. According to the indictment, the scheme reaped more than $41 million for the defendants. Source:

20. March 26, WRCB 3 Chattanooga – (Florida; Georgia) Pink haired bank robbery suspect linked to Florida heist. Officers have a man in custody after the robbery of a Catoosa County bank. Authorities say they found a cellphone with a suspicious device attached to it at the Capitol Bank on Highway 41. The bank was robbed at 9 a.m. The suspect fled in a van but was later captured on Interstate 75. Our reporter says 25 law enforcement cars are on the scene. Members of a police bomb squad are sweeping the building. The suspect has also been identified as a suspect in a January 23 bank robbery in Ft. Myers, Florida. Authorities in Catoosa County, Georgia, say around 9:05 a.m. the suspect entered Capitol Bank and handed a bank teller a note. He then allegedly took $10,000 from the teller and fled, leaving the suspicious cellphone behind. He was later captured on I-75. Source:

21. March 26, Tennessean – (Tennessee) Smyrna police investigating ATM theft. Police are searching for the person or persons responsible for stealing an ATM from a bank early on March 26. Dispatchers received a call from a Bank of America’s alarm company at 4:25 a.m. that someone had possibly attempted to break into the machine. The operator asked that officers check the Sam Ridley Parkway location for burn marks, smoke, damage to the exterior and to make sure the machine’s screen did not read “out of order,” a transcript of the call shows. About three minutes later, the operator called back and said the company had placed a tracking device on the ATM and that it had been moved to Sanford Road, near La Vergne city limits. When officers arrived at the bank, they found a forklift on the scene and determined it was used to move the ATM. Glass was also found in the area near the ATM, and it’s possible the suspect broke a window while loading the ATM, the report said. Source:

22. March 26, WLWT 5 Cincinnati – (Ohio) Thieves use skimmer to take $50,000 from ATM customers. Norwood police are looking for the men who used an ATM skimmer to steal money from dozens of bank accounts. Police said the skimmer device was placed on a US Bank ATM on the weekend of February 27 and removed before March 22. Investigators said more than 120 customer accounts were compromised, taking about $50,000 in all. A police detective said that the thieves waited until the last week or so to begin using the information at ATMs to take money from accounts. Police said they have video from the ATM’s camera that shows the men they believe installed and removed the device. The detective said there appear to be at least four men involved, some of whom were also captured on tape putting a skimmer on an ATM in Wisconsin. Source:

Information Technology

60. March 29, SC Magazine – (International) Could blocking access to webmail save you from insider threat problems, and what are the ethics behind scanning sent emails? Companies should look to scan webmail activity for malicious activity and data loss, and to control the insider threat. According to the chief marketing officer for Proofpoint, companies should scan other email applications, or at least monitor their use, and then decide whether or not to block them. When asked if this would infringe privacy policies, the chief marketing officer said: “It depends on the organization and its policies, in a financial services company they are trying anything that secures the network. It does have an impact and it depends on the company, as an organization should be comfortable with monitoring, but the rule is do not use it. It is still a requirement to protect confidentiality of information in the organization.” A malware data analyst at Symantec Hosted Services claimed that traditionally the vast majority of 419 scams are sent from webmail accounts, and that sending the scam via webmail adds legitimacy to the mail, makes the email harder for security vendors to block, and helps to hide the identity of the scammers. Source:

61. March 29, The Register – (International) Trojan poses as Adobe update utility. Miscreants have begun creating malware that overwrites software update applications from Adobe and others. Email malware that poses as security updates from trusted companies is a frequently used hacker ruse. Malware posing as update utilities, rather than individual updates, represents a new take on the ruse. Vietnam-based anti-virus firm Bkis said the tactic is a logical follow-on from earlier approaches where viruses replace system-files and startup-program files. The director of Bkis Security writes that the recently detected Fakeupver trojan establishes a backdoor on compromised systems while camouflaging its presence by posing as an Adobe update utility. The malware camouflages itself by using the same icons and version number as the official package. Source:

62. March 29, Computerworld – (International) Microsoft defends Windows 7 security after Pwn2Own hacks. Just days after a pair of researchers outwitted major Windows 7 defenses to exploit Internet Explorer (IE) and Firefox, Microsoft said the measures aren’t meant to “prevent every attack forever.” At the same time, it defended the security measures, saying they remained an effective way to hinder exploits. A product manager with IE’s developer division stood up for DEP (data execution prevention) and ASLR (address space layout randomization), the security features that two hackers sidestepped to win $10,000 each at the high-profile Pwn2Own hacking contest on March 24. “Defense in depth techniques aren’t designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability,” the product manager said, referring to DEP, ASLR and another feature specific to IE, called Protected Mode. DEP, which Microsoft introduced in 2004 with Windows XP SP2, is designed to prevent attack code from executing in memory not intended for code execution. ASLR, a feature that debuted with Windows Vista three years ago, randomly shuffles the positions of key memory areas, such as the stack, to make it more difficult for hackers to predict whether their attack code will run. Protected Mode, a sandbox-like technology in which IE runs with restricted rights, is designed to reduce the ability of attack code to “escape” from the browser to write, alter or delete data elsewhere on the PC. Source:

63. March 28, Techworld – (International) Beware botnet’s return, security firms warn. The volume of spam being sent by the notorious Rustock botnet using TLS encryption has surged in recent weeks, establishing an important new trend in botnet behavior, security companies have said. Roughly the week of March 15, Symantec’s MessageLabs division reported noticing large volumes of spam using TLS (Transport Layer Security), an encryption protocol successor to the better-known SSL (Secure Sockets Layer), and normally a way of securing the contents of an email between server and client. At that point, the percentage of spam encrypted by Rustock using TLS was around the 35 percent mark, a figure the company says in its latest Intelligence Report this week has surged to as much as 77 percent of its activity during the month. The challenge is that TLS imposes higher processing demands on mail servers compared to non-TLS traffic, estimated to be around 1 kilobyte overhead for every spam email. Given that most email is now spam, the accumulated overhead on mail servers has the potential to be high whether the messages are detected as spam or not. Source:

64. March 26, The Register – (International) World Cup-themed PDF attack kicks off. Miscreants have booted a World Cup-themed email malware attack onto the web, taking advantage of existing material on the tournament. Booby-trapped emails are doing the rounds, posing as messages from African safari organizer Greenlife. The emails contain an attached PDF file claiming to provide a guide to the first African edition of football’s most prestigious tournament. In reality, the attachment payload takes advantage of a recently patched Adobe Reader vulnerability (involving the handling of TIFF files and resolved with a patch on 16 February) to drop malware onto machines running an unpatched version of Adobe Reader. Hackers behind the attack have taken Greenlife’s genuine guide (available on its website) and inserted exploit code in place of content related to this June’s tournament and travel in South Africa. The poisoned version of the guide was sent to an unspecified “major international organization”, email filtering outfit MessageLabs reports. The Symantec-owned hosted security operation adds that successful execution of the attack drops a rootkit and a backdoor Trojan on compromised machines. Source:

65. March 26, The Register – (International) Kit attacks Microsoft keyboards (and a whole lot more). Security researchers on March 26 unveiled an open-source device that captures the traffic of a wide variety of wireless devices, including keyboards, medical devices, and remote controls. Keykeriki version 2 captures the entire data stream sent between wireless devices using a popular series of chips made by Norway-based Nordic Semiconductor. That includes the device addresses and the raw payload being sent between them. The open-source package was developed by researchers of Switzerland-based Dreamlab Technologies and includes complete software, firmware, and schematics for building the $100 sniffer. Keykeriki not only allows researchers or attackers to capture the entire layer 2 frames, it also allows them to send their own unauthorized payloads. That means devices that don’t encrypt communications - or don’t encrypt them properly - can be forced to cough up sensitive communications or be forced to execute rogue commands. Source:

66. March 26, Homeland Security NewsWire – (International) iPhone, IE8, Firefox, and Safari easily hacked at Pwn2Own contest. Hackers gathered for an annual contest in Vancouver demonstrated easy hacking of the iPhone and all major browsers; a non-jailbroken iPhone was also hacked and its SMS database stolen; the security measures taken by Firefox, Safari, and IE8 were no match for the hackers. The annual Pwn2Own contest has seen the Apple iPhone and nearly all the major browsers hacked. At the contest, held at the CanSecWest show in Vancouver, interest has so far centered on the revelation of twenty zero-day flaws in Apple’s OS X by a security researcher. As attendees waited for his keynote address, the Pwn2Own contest gave hackers and security experts a chance to demonstrate their ability and try to breach the security of various devices and software. Reporting from the event, Mashable claimed that Firefox, Safari, and IE8 were hacked at the contest. A non-jailbroken iPhone was also hacked and its SMS database stolen by two researchers, who directed the iPhone to a Web site they had set up, crashed its browser, and stole its SMS database, including some erased messages. Source:

For more stories, see items 68 and 69 below.

Communications Sector

67. March 27, – (National) Google sheds new light on broadband plans. Google has posted an update concerning its planned high-speed fiber broadband network, and will announce the target market for the first tests by the end of the year. The initial trial will cover a group ranging from 50,000 to 500,000 people. The project, announced in February, will provide 1Gbit/s fiber networks in targeted markets as a way of testing open broadband networks. Google will also make its broadband cables open to other service providers. Interest in the project has been high since the announcement, and Google claims that some 600 community groups have expressed interest in participating, as well as more than 190,000 individuals. Google will visit prospective sites and speak with local leaders and community groups before making a final decision later this year. Source:

68. March 26, Network World – (International) Yahoo proposes ‘really ugly hack’ to DNS. Network engineers from Yahoo are pitching what they admit is a “really ugly hack” to the Internet’s Domain Name System, but they say it is necessary for the popular Web content provider to support IPv6, the long-anticipated upgrade to the Internet’s main communications protocol. Yahoo outlined its proposal for changes to DNS recursive name resolvers at a meeting of the Internet Engineering Task Force (IETF) held in California recently. Yahoo says it needs a major change to the DNS — which matches IP addresses with corresponding domain names — in order to provide IPv6 service without inadvertently cutting off access to hundreds of thousands of visitors. Under Yahoo’s proposal, these visitors would continue accessing content via IPv4, the current version of the Internet Protocol. The reason Yahoo is seeking this change to the DNS is that a significant percentage of Internet users have broken IPv6 connectivity. Source:
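The mechanism the article calls an IPv6 “whitelist” works at the authoritative DNS side: AAAA (IPv6) records are handed out only to recursive resolvers known to serve users with working IPv6, and everyone else gets a NODATA answer for AAAA so their client falls back to the A (IPv4) record. The following is an added example, not Yahoo’s code or the IETF proposal text; the zone data, the resolver whitelist and the example.test domain are all constructed for the illustration.

```python
import ipaddress

# Constructed zone data for a hypothetical dual-stacked site.
ZONE = {
    "www.example.test.": {
        "A": ["192.0.2.10"],
        "AAAA": ["2001:db8::10"],
    },
}

# Constructed whitelist: resolver networks whose users are believed to have
# working IPv6 (in the real proposal this list is curated by the content provider).
IPV6_WHITELIST = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:53::/48"),
]


def resolver_is_whitelisted(resolver_ip: str) -> bool:
    """True when the querying recursive resolver sits in a whitelisted network."""
    addr = ipaddress.ip_address(resolver_ip)
    return any(addr in net for net in IPV6_WHITELIST)


def authoritative_answer(qname: str, qtype: str, resolver_ip: str):
    """Return (rcode, records) as the whitelisting authoritative server would."""
    rrsets = ZONE.get(qname)
    if rrsets is None:
        return "NXDOMAIN", []
    if qtype == "AAAA" and not resolver_is_whitelisted(resolver_ip):
        # NODATA: the name exists, but IPv6 is withheld for this resolver so the
        # client retries over IPv4 instead of timing out on broken IPv6.
        return "NOERROR", []
    return "NOERROR", list(rrsets.get(qtype, []))


def client_connect_address(qname: str, resolver_ip: str):
    """Simulate a dual-stack client: prefer AAAA, fall back to A on NODATA."""
    for qtype in ("AAAA", "A"):
        rcode, records = authoritative_answer(qname, qtype, resolver_ip)
        if rcode == "NXDOMAIN":
            return None
        if records:
            return qtype, records[0]
    return None


if __name__ == "__main__":
    for resolver in ("198.51.100.53", "203.0.113.53", "2001:db8:53::1"):
        print(resolver, "->", client_connect_address("www.example.test.", resolver))
```

The operational caveat the article alludes to is visible here: the whitelist has to be maintained out of band, and any resolver not on it silently loses IPv6 even if its users would have been fine.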

69. March 26, IDG News Service – (International) After DNS problem, Chinese root server is shut down. A China-based root DNS server associated with networking problems in Chile and the U.S. has been disconnected from the Internet. The action by the server’s operator, Netnod, appears to have resolved a problem that was causing some Internet sites to be inadvertently censored by a system set up in the People’s Republic of China. On March 24, operators at NIC Chile noticed that several ISPs (Internet service providers) were providing faulty DNS information, apparently derived from China. China uses the DNS system to enforce Internet censorship on its so-called Great Firewall of China, and the ISPs were using this incorrect DNS information. That meant that users of the network trying to visit Facebook, Twitter and YouTube were directed to Chinese computers instead. In Chile, ISPs VTR, Telmex and several others — all of them customers of upstream provider Global Crossing — were affected, NIC Chile said in a statement on March 26. The problem, first publicly reported on March 24, appears to have persisted for a few days before it was made public, the statement says. A NIC Chile server in California was also hit with the problem, NIC Chile said. While it’s not clear how this server was getting the bad DNS information, it came via either Network Solutions or Equinix, according to NIC Chile. Source: