Department of Homeland Security Daily Open Source Infrastructure Report

Monday, May 24, 2010

Top Stories

 The Associated Press reports that two police officers looking for illegal drug smuggling on a busy Arkansas interstate were shot and killed by two men with assault rifles May 20. The suspects later died in a shootout with police in a crowded Walmart parking lot. (See item 29)

29. May 20, Associated Press – (National) Report: Airport watchers miss 16 linked to terror. At least 16 people later linked to terror plots passed through U.S. airports undetected by federal officials who were on duty to spot suspicious behavior, according to a government report. The airport-based officials were part of a federal behavior detection program designed to spot potential terrorists and others who pose a threat to aviation. The program, started in 2003, is one of 20 layers built into the nation’s aviation security system. The Government Accountability Office (GAO) questioned the scientific basis of the entire program in a report released May 20. The program is dubbed SPOT — Screening Passengers by Observation Techniques. It was instituted by the Transportation Security Administration “without first validating the scientific basis for identifying passengers in an airport environment,” the GAO said. “A scientific consensus does not exist on whether behavior-detection principles can be reliably used for counterterrorism purposes,” the congressional auditors said. The agency did not agree with all of the GAO’s findings. “TSA strongly believes that behavior detection is a vital layer in its aviation security strategy. ... Leaders within the community of behavior detection researchers agree,” the director of the Homeland Security Department’s GAO liaison office said in a response included in the report. Source:

 According to The Associated Press, at least 16 people later linked to terror plots passed through U.S. airports undetected by federal officials who were on duty to spot suspicious behavior, a new Government Accountability Office report found. The airport-based officials were part of a federal behavior detection program designed to spot potential terrorists and others who pose a threat to aviation. (See item 67)

67. May 21, Associated Press – (Arkansas) Latest news issued on West Memphis officer shooting. Two police officers looking for illegal drug smuggling on a busy Arkansas interstate were shot and killed by two men with assault rifles May 20. The suspects later died in a shootout with police in a crowded Walmart parking lot. Police said an officer pulled over a white minivan with Ohio license plates while “running drug interdiction” on Interstate 40 in east Arkansas, and another officer arrived moments later to provide backup. Two men with AK-47s got out of the van, pushed one officer to the ground and opened fire. One officer died at the scene, the other died later at a hospital. Investigators believe the van then sped away. Traffic stopped as authorities searched vehicles on I-40 looking for the suspects, who were later spotted in the parking lot of a Walmart. Dozens of officers swarmed the van, and both men inside were shot and killed. During that shootout, the Crittenden County sheriff was shot in the arm and his chief deputy was shot in the abdomen. Both are in serious condition this morning. Identities of the slain suspects were not released. During and after the standoff, Walmart employees moved shoppers into the store’s lawn-and-garden section and eventually told them they could get their cars if the vehicles were outside police tape cordoning off the shooting scene. Source:


Banking and Finance Sector

14. May 21, USA Today – (National) Feds unite to form a new financial fraud task force. On May 21, federal officials plan to unveil a potentially important effort to investigate and prosecute financial fraud cases. The launch will take place in eastern Virginia instead of the most prominent venue, New York City. The U.S. Attorney’s Office in Richmond will coordinate the Virginia Financial and Securities Fraud Task Force with representatives of the Securities and Exchange Commission, Commodity Futures Trading Commission, FBI, U.S. Postal Service and IRS, as well as state law enforcement agencies. “It will allow us to share information, connect the dots, and pursue criminal as well as civil tracks,” said the U.S. attorney for the Eastern District of Virginia. The new effort could boost Virginia’s prominence in legal circles as a center for splashy cases similar to the one that the SEC announced last month against Goldman Sachs. Source:

15. May 21, Associated Press – (National) FDIC says number of ‘problem’ banks is growing. The number of troubled banks kept growing last quarter even as the industry as a whole had its best quarter in two years. The Federal Deposit Insurance Corp. said May 20 that the number of banks on its confidential “problem” list grew to 775 in the January-March period from 702 in the previous quarter. “The banking system still has many problems to work through, and we cannot ignore the possibility of more financial market volatility,” the FDIC chairman acknowledged. But she added: “The trends continue to move in the right direction.” The largest banks showed the most improvement, though a majority of institutions posted gains in net income. Banks overall posted net income of $18 billion, up from $5.6 billion in the same quarter a year earlier. In another sign of health, the FDIC’s deposit insurance fund, which fell into the red last fall, posted its first improvement in two years. Its deficit shrank by $145 million to $20.7 billion. Source:

16. May 21, Associated Press – (National) Ex-Wachovia VP charged in 9-year, $11M bank scam. A former vice president for North Carolina-based Wachovia Bank faces federal charges that he was at the core of a conspiracy that fleeced the company of $11 million. Attorneys for the 47-year-old suspect of Mooresville did not immediately respond to requests for comment May 21. Federal prosecutors have charged the suspect with mail fraud and tax evasion. Authorities said the scam went on for nine years. Two other men also have been charged in the scam. An indictment accuses the main suspect of getting the two other men and some others to turn in fake invoices for goods and services the bank never received. Attorneys for the two other suspects said they will plead guilty in a deal with prosecutors. The bank declined comment. Source:

17. May 21, Canwest News Service – (International) Suspects identified in Ottawa firebombing. Police have identified suspects in the May 18 firebombing of a Royal Bank as Ottawa residents linked to an anarchist group, FFFC-Ottawa. The firebombing, which was filmed and posted online, was an unsophisticated attack, said detectives who have collected trace evidence from the burned-out building at Bank Street and First Avenue. Investigators have obtained security video from storefronts along the streets, including high-definition images. The suspects, of whom there are believed to be at least four, said in the video that they firebombed the building because the Royal Bank was a sponsor of the Vancouver Olympics. They made their getaway in an SUV. The suspects are linked to an online independent media site and an anti-establishment network that organizes protests against G8 and G20 summits, unfair trade and government cuts to welfare. Police said some of the network’s meetings are held at a coffee and juice shop in Ottawa’s Chinatown. Several anarchist Web sites are threatening confrontations at the June G8 summit in Huntsville, Ontario, and the G20 summit in Toronto. Source:

18. May 20, Spokane Spokesman-Review – (Washington) Chase Bank robber suspected in 3 other crimes. A man who targeted a Chase Bank branch in Spokane, Washington Tuesday may be a serial robber responsible for three other holdups at two banks since December. The FBI is looking into the robberies, the first of which was December 22 at Sterling Savings Bank, 3000 S. Grand Blvd. Chase Bank, 2215 W. Northwest Blvd, was robbed February 13 and April 19. In each of those robberies, the gunman wore a mask and a hooded jacket, though a different one each time. In Tuesday’s robbery, the culprit wore a motorcycle helmet and forced an employee to the ground at gunpoint. The man is described as white, 6-feet tall, in his 30s with a thin-to-medium build and fair complexion. Source:

19. May 20, U.S. Department of Justice – (California) Six charged with wire fraud based on $20-million mortgage fraud scheme. A 10-count indictment has been unsealed in San Diego, California charging six individuals with conspiracy to commit wire fraud and wire fraud, a U.S. attorney announced. The defendants are charged with submitting false and fraudulent mortgage loan applications and related documents to banks and other lending institutions, thereby inducing the institutions to make approximately 36 loans totaling approximately $20.8 million. The indictment alleges that the defendants devised a scheme to defraud mortgage lenders and to obtain money and property by false and fraudulent means, and diverted the proceeds for their personal use and benefit. According to the indictment, from May 2008, the defendants agreed to submit false loan applications to mortgage lenders to obtain financing to purchase residential properties. The defendants recruited “straw buyers” who had sound credit histories but who otherwise would not have qualified to purchase the residential properties selected by the defendants. The indictment further alleges that, as part of the conspiracy, two of the suspects prepared fraudulent loan applications on behalf of the straw purchasers, falsely stating the employment and monthly salaries of the straw purchasers. The indictment further alleges that the defendants submitted fraudulent loan applications on behalf of the straw purchasers to mortgage lenders, including OwnIt Mortgage Solutions Inc., WMC Mortgage Corp., Argent Mortgage Company, Countrywide Home Loans, First Franklin, Finance America LLC and other mortgage lenders. The defendants then caused escrow agents to disburse the funds to the defendants and others so that the defendants could divert to themselves and others the proceeds of the fraud. Source:

20. May 20, New York Times – (National) Bill passed in Senate broadly expands oversight of Wall St. The U.S. Senate on May 20 approved a far-reaching financial regulatory bill, putting Congress on the brink of approving a broad expansion of government oversight of the increasingly complex banking system and financial markets. The legislation is intended to prevent a repeat of the 2008 financial crisis, but also reshapes the role of numerous federal agencies and vastly empowers the Federal Reserve in an attempt to predict and contain future debacles. The vote was 59 to 39, with four Republicans joining the Democratic majority in favor of the bill. Two Democrats opposed the measure, saying it was still not tough enough. Democratic Congressional leaders and the U.S. President must now work to combine the Senate measure with a version approved by the House in December, a process that is expected to take several weeks. While there are important differences — notably a Senate provision that would force big banks to spin off some of their most lucrative derivatives business into separate subsidiaries — the bills are broadly similar, and it is virtually certain that Congress will adopt the most sweeping regulatory overhaul since the aftermath of the Great Depression. Source:

21. May 20, KKTV 11 Colorado Springs – (Colorado) FBI catches alleged bank robber dubbed ‘portfolio bandit’. An accused bank robber has been caught and indicted on 11 counts. The suspect, dubbed the “portfolio bandit” by the FBI, allegedly robbed 11 banks in Denver. The FBI told 11 News a month ago, they thought the suspect would eventually hit Colorado Springs, Colorado banks if he was not caught. Because he was featured on the news, investigators said they received tips about the suspect’s whereabouts. According to the indictment, on 11 different occasions, the suspect did knowingly, by force and violence, and by intimidation, take and attempt to take money from FDIC insured banks. If convicted, the suspect faces up to 20 years in federal prison, and up to a $250,000 fine, per count, plus restitution. Source:

22. May 20, Libby Western News – (Montana) Bank phone scam targets locals. Montanans are being targeted by a new version of a phone scam, the Montana attorney general warned May 17. A Libby resident reported to authorities that she had received a phone call purportedly from First National Bank requesting her ATM card information. She did what bank and law-enforcement officials advise — refused to give out sensitive personal or financial information. She hung up and reportedly contacted First Montana Bank (formerly First National Bank) and learned that several customers have received the same phone call scam. The attorney general’s Office of Consumer Protection became aware of the scam when its lead attorney also received an automated call on his cell phone claiming to be from First National Bank. The message said his ATM card had been “suspended because it was compromised” and directed him to press 1 and then to enter his 14-digit ATM card number. The lead attorney hung up without providing the information and instead called the bank. The chief executive officer with First Montana Bank confirmed that the phone pitch is a scam and that he has heard from half a dozen customers who have provided their card numbers. While the message purports to be from First National Bank, the calls are part of a “phishing” scam that tries to trick unsuspecting consumers into giving up their personal account information. Source:

Information Technology

58. May 21, The Register – (International) Facebook gives users’ names to advertisers. Facebook has been giving advertisers data that they can use to discover users’ names and locations, contrary to its privacy policy. The dominant social network tells users it will not share their details without consent, but according to the Wall Street Journal, it has handed over information that advertisers can use to look up individual profiles. MySpace had a similar loophole, it is reported. Both sites said they were making changes to stop the handover. Advertisers were getting reports whenever users clicked on their ads, as is typical across the Web. However, Facebook and MySpace’s reports contained the URL of the user’s profile page, which often included their real name or user name. Neither site had bothered to obscure the data, in breach of their own privacy policies. It is just the latest privacy failing by Facebook, which has suffered heavy criticism this month. Major changes to its privacy settings are expected after it decided to publish users’ private information, and Instant Message transcripts showed the CEO of Facebook calling those same users “dumb [expletive]s” for trusting him with their data. Source:

59. May 20, Computerworld – (National) Google hit with class-action lawsuit over Wi-Fi snooping. Google’s secret Wi-Fi sniffing has prompted a class-action lawsuit that could force the company to pay up to $10,000 for each time it snatched data from unprotected hotspots, court documents show. The lawsuit, which was filed by an Oregon woman and a Washington man in a Portland, Oregon federal court May 17, accused Google of violating federal privacy and data-acquisition laws. “When Google created its data collection systems on its GSV [Google Street View] vehicles, it included wireless packet sniffers that, in addition to collecting the user’s unique or chosen Wi-Fi network name (SSID information), the unique number given to the user’s hardware used to broadcast a user’s Wi-Fi signal MAC address, the GSV data collection systems also collected data consisting of all or part of any documents, e-mails, video, audio, and VoIP information being sent over the network by the user [payload data],” the lawsuit stated. On May 18, the same plaintiffs filed a motion for a temporary restraining order to prevent Google from deleting the data, a move the company has said it would make “as soon as possible.” Oral arguments before a U.S. district court judge on the restraining order are scheduled for May 24. Source:

60. May 20, DarkReading – (International) New Twitter worm abuses iPhone app news. Twitter’s new iPhone app is being used as a lure for a new worm attack that ultimately steals a victim’s financial credentials. The attack abuses Twitter trending topics — a popular source of abuse — but with a twist: Rather than installing fake antivirus software like most similar attacks, it installs a new banking Trojan that steals online banking accounts, credit card PIN numbers, and online payment system passwords, according to Kaspersky Lab. The senior antivirus researcher at Kaspersky Lab said the attack injects malicious tweets from the attackers’ own malicious Twitter profiles. Tweets include the words “Official Twitter App,” which was No. 7 of the Top 10 trending topics on Twitter. In one case, the tweet includes a link to a “video” purportedly of the Olympic mascot. The aggressive Trojan also disables Windows Task Manager, regedit, and notifications from Windows Security Center as a way to avoid detection. The Trojan can also spread via USB devices. Kaspersky Lab discovered the Trojan worm copies itself onto the infected system with the name “Live Messenger,” and it can check whether the hard drive is virtualized. If it is, the malware will not run. The anti-malware firm calls the Trojan “Worm.Win32.VBNA.b.” Source:

61. May 20, SC Magazine – (International) Over 4,500 logins uploaded to open source content site. Over 4,500 logins have been published in a 77-page document on a shared content Web site. A malware researcher at Sunbelt Software claimed that as Scribd allows users to share written content online, converting PowerPoint, PDFs and Word documents into Web documents that can be viewed through sites such as Facebook and other social networking services, it was inevitable that a scammer would decide to use such a service for foul means. He detected that a little over 4,500 mail logins (mostly from .ru domains, and possibly used for a .ru social networking site) had been uploaded to the site in the form of a 77-page text document available for anybody to download and plunder. At the time of this writing, the document had been viewed 94 times and by the time it was deleted, that figure had increased to 152. With 970 uploads, the account was up to 1,308 with fresh (and entirely random) uploads appearing constantly, possibly by an automated process. The researcher also pointed at a Russian forum, where victims noticed an increase in spam coming from their account, and a Web search saw their stolen logins sitting on the Scribd page. Source:

62. May 20, – (Pennsylvania) School spy program used on students contains hacker-friendly security hole. A controversial remote administration program that a Pennsylvania school district installed on student-issued laptops contains a security hole that put the students at risk of being spied on by people outside the school, according to a security firm that examined the software. The LANrev program contains a vulnerability that would allow someone using the same network as one of the students to install malware on the laptop that could remotely control the computer. An intruder would be able to steal data from the computer or control the laptop Webcam to snap surreptitious pictures. The vulnerability was discovered by researchers at Leviathan Security Group, who provided Threat Level with a video demonstrating an exploit they developed. They began examining the program after customers who saw media coverage of the Pennsylvania case expressed concern that the program might be exposing their employee computers to intrusion from outsiders. The same software is used by many businesses to monitor and maintain their employee laptops. Source:

63. May 20, eSecurity Planet – (International) Malware is South America’s new growth industry. Malware syndicates in China have been implicated in a number of recent high-profile, targeted cyber attacks against American companies and organizations, but the latest data from security software vendor Zscaler indicates a new and equally dangerous threat is emerging in South and Central America. In its first-quarter “State of the Web” report, Sunnyvale, California-based Zscaler aimed to provide some meaningful analysis and context for enterprises struggling to safeguard their data networks from organized groups of hackers and phishers who are exploiting both lax local enforcement and a laissez-faire attitude by international hosting companies to steal identities, assets and intellectual property. To no one’s surprise, the Zscaler report pegs the U.S. as the leading source of malicious traffic including botnets, worms and aggravating SQL-injection attacks. Of course, that is to be expected because the U.S. is also the runaway leader in generating and serving up Internet traffic of all types. What is interesting is that when Zscaler analyzed each country based on the largest percentage of malicious versus benign servers, seven of the top 10 countries with high saturations of malware-distributing servers were South and Central American nations. Honduras checked in with a ratio of 7.5 percent, good enough (or bad enough, depending on how one views it) for second in the world behind only the Cayman Islands (10.2 percent). The rest of the Malware Top 10 included Bolivia (6.25 percent); Peru (6.11 percent); Argentina (6 percent); Paraguay (5.13 percent); Ecuador (5.05 percent); Colombia (4.54 percent); Luxembourg (4.47 percent) and Turkey (3.94 percent). Source:

Communications Sector

64. May 20, WGHP 8 Greensboro – (North Carolina) Copper theft impacts phone service in Davidson Co., again. For the second time in two months, phone customers in Davidson County, North Carolina were without telephone and 911 service after someone cut copper wiring from a telephone line Thursday. A spokesperson with Windstream said 800-1,000 customers in the Southmont area of Oakwood Acres were without phone service for the morning and early afternoon. Service was restored shortly after 2 p.m. Customers unable to reach 911 were advised to go to the Southmont Fire Department for assistance. In March, a copper thief stole 50 feet of copper wiring from a telephone line near the same area. The theft disrupted land-line telephone service to 300-400 households. Source:

65. May 20, IDG News Service – (National) FCC frees up 25MHz of wireless spectrum for broadband. The U.S. Federal Communications Commission (FCC) has adopted rules that would allow mobile broadband providers to offer services on a 25MHz band of spectrum that has been controversial because of interference concerns from satellite radio provider Sirius XM Radio and other users of nearby spectrum. The FCC May 20 voted to amend the Wireless Communications Service (WCS) spectrum rules to include mobile broadband uses, in addition to fixed wireless services previously permitted. The commission’s action to free up the WCS spectrum for mobile broadband use is the first step in the FCC’s plan to find 500MHz of spectrum for mobile broadband over the next 10 years, a goal outlined in the agency’s national broadband plan released in March. The WCS spectrum, in the 2.3MHz band, surrounds spectrum used by Sirius to deliver its service. Complaints about potential interference have been levied by both WCS owners and satellite radio operators since the late ‘90s, when the FCC auctioned off both the WCS spectrum and the satellite radio spectrum. Comcast and BellSouth (now AT&T) were among the big winners in the WCS spectrum auction in 1997. Source: