Department of Homeland Security Daily Open Source Infrastructure Report

Friday, June 4, 2010

Top Stories

• According to The Associated Press, an off-duty cop pretending to be a terrorist stormed into a hospital intensive care unit brandishing a handgun, which he pointed at nurses while herding them down a corridor and into a room. There, after harrowing moments, he explained that the whole caper was a training exercise. (See item 34)

34. May 29, Associated Press – (Nevada) Hospital uses armed man in unannounced drill. An off-duty cop pretending to be a terrorist stormed into a hospital intensive care unit brandishing a handgun, which he pointed at nurses while herding them down a corridor and into a room. There, after harrowing moments, he explained that the whole caper was a training exercise. The staff at St. Rose Dominican Hospitals-Siena Campus, where the incident took place May 24, found the exercise more traumatizing than instructive. Just last year, Henderson police shot and killed an armed, hostile man in the emergency room, so security and emergency preparedness have been a focus. But in the May 24 incident, which occurred in a unit that houses the hospital’s sickest patients, nurses, patients, and their families did not know it was a drill, said the organizer of the California Nurses Association, which represents staff at the hospital. The union is investigating the incident. Many people saw the gunman, she said, and the union is gathering statements and talking to hospital administrators. The director of public policy and external affairs for the hospital apologized for any distress caused by the incident. There has been an “ongoing effort to try and make (emergency preparedness drills) as realistic as possible,” he said. He said as many as 10 employees were involved in the incident and no one was hurt. The actor was from a local police department. The staff was supposed to have been told in advance of the exercise, but there was a “disconnect,” he said. State regulators who license hospitals said May 28 the incident may warrant investigation, depending on whether patient care was compromised. Source:

• An alleged plot by a Mexican drug cartel to blow up a dam along the Texas border — and unleash billions of gallons of water into a region with millions of residents — sent American police, federal agents and local disaster officials scrambling last month to thwart such an attack, authorities confirmed Wednesday. Whether the cartel, which is known to have stolen bulk quantities of gunpowder and dynamite, could have taken down the five-mile-long Falcon Dam along the Rio Grande River may never be known. (See item 54)

54. June 3, Houston Chronicle – (Texas; International) Bomb plot alert at Falcon Dam. An alleged plot by a Mexican drug cartel to blow up a dam along the Texas border — and unleash billions of gallons of water into a region with millions of residents — sent American police, federal agents and local disaster officials scrambling last month to thwart such an attack, authorities confirmed Wednesday. Whether the cartel, which is known to have stolen bulk quantities of gunpowder and dynamite, could have taken down the five-mile-long Falcon Dam along the Rio Grande River may never be known. But it may have been derailed by a stepped-up presence by the Mexican military, acting in part on intelligence from the U.S. government, sources said. The warning was based on what the federal government contends were “serious and reliable sources” and prompted the Homeland Security Department to sound the alarm to first responders all along the South Texas-Mexico border. Mexico’s Zeta cartel was planning to destroy the dam not to terrorize civilians, but to get back at its rival and former ally, the Gulf cartel, which controls smuggling routes from the reservoir to the Gulf of Mexico, the Zapata County sheriff and others familiar with the alleged plot said. Destroying the dam, however, also would have flooded large areas of agricultural land, as well as significant parts of a region with about 4 million border residents in Texas and Mexico. Besides the sheriff’s agency, the U.S. Border Patrol, the Texas Department of Public Safety (DPS), and even game wardens, also responded. Citing security concerns, neither Homeland Security nor DPS commented. Source:


Banking and Finance Sector

13. June 3, Reuters – (National) Ex-Goldman analyst who fled must pay $27.8 million. A former Goldman Sachs Group Inc. analyst who pleaded guilty to running an insider trading scheme and later fled while on probation has been ordered to pay nearly $27.8 million. In an opinion released late June 2, a U.S. district judge directed the suspect to pay a $7.72 million default judgment plus $20.05 million in fines, in a civil lawsuit filed by the U.S. Securities and Exchange Commission (SEC). The suspect pleaded guilty in April 2006 to securities fraud and conspiracy for orchestrating a $6.7 million insider trading ring. Prosecutors said the ring traded on leaks about mergers, market-moving media reports, and a grand jury probe involving the drugmaker Bristol-Myers Squibb Co. People who leaked information included a Merrill Lynch & Co analyst, workers at a printing plant for BusinessWeek magazine, and a New Jersey postal worker who sat on the grand jury. The analyst was sentenced in January 2008 to time served and three years of probation after cooperating with investigators, but soon violated his probation. An arrest warrant was issued in April 2008, court records show. The judge said the suspect failed to respond to three amended SEC complaints, and his whereabouts remain unknown. Source:

14. June 2, WAPT 16 Jackson – (Mississippi) BBB: Text message from credit union is scam. The Better Business Bureau (BBB) received several complaints recently about a text message that claimed to be from a local credit union. The text message warns of a security notice from Magnolia Federal Credit Union and urges the recipient to call a secure phone line for more details. But both the credit union and the BBB warn that the text message is a scam. “We’ve seen this type of scam before,” said the president of the Mississippi BBB. “It’s a lure to try to get you to call a particular number, and then if you connect to someone they will tell you there’s some problem with your account and they’ll need to verify your identity.” The president said all the scammers want is personal information, including a Social Security number and bank account numbers. Source:

15. June 2, KJCT 8 Grand Junction – (Colorado) 3 indicted in $5.7 million investment scheme. Three men are suspected of operating a $5.7 million investment scheme in which 70 investors were allegedly defrauded of money. The Colorado attorney general announced the indictment June 2. Investigators said the men conducted seminars to recruit investors and then failed to tell them that their investments would fund unsecured promissory notes and pay for legal fees. The 40-year-old and 48-year-old suspects of Glendale are accused of conducting the seminars. A 50-year-old suspect of Loveland is accused of failing to disclose that he lent himself money from the fund and paid himself commission. A civil case filed by the U.S. Securities and Exchange Commission is also pending in U.S. District Court. Source:

16. June 2, KPTH 44 Sioux City – (Iowa) Bank worker sentenced for Sac City fraud. A former Sac City, Iowa bank employee was sentenced for a 13-year bank fraud scheme. The 49-year-old suspect will spend more than seven years behind bars for selling $4 million worth of fake certificates of deposit to 40 victims. The plot took place between 1995 and 2008 at the Sac City Bank. The suspect must also pay restitution to the customers. Source:

17. June 2, Tampa Tribune – (Florida) Ex-call center operator pleads guilty to bank fraud. A former bank call center operator pleaded guilty June 2 to stealing customer information and trying to sell it. The 28-year-old defendant of Riverview, Florida faces up to 30 years in federal prison after pleading guilty to one count of bank fraud. A sentencing date has not been set. The defendant was a Bank of America customer service operator, handling calls from customers who had questions about their accounts. In March, he and an unnamed man met with an undercover FBI agent at a restaurant in east Hillsborough County. The defendant offered to sell customers’ personal information in return for part of the proceeds of raiding the accounts. The information included name, birthday, address, tax identification number and telephonic password. According to his plea agreement, the defendant wanted to target only customers with more than $100,000 in their accounts and wanted half of any stolen funds. He later reduced his demand to a quarter of the swag; he received $2,500 in the sting operation. Source:

18. June 2, Shreveport Times – (Louisiana) Bossier City man charged with credit card ‘skimming’. A Bossier City, Louisiana man faces theft charges after allegedly using a skimming device to steal people’s credit card information. Bossier City police arrested a 21-year-old suspect June 2 on 10 counts of theft under Louisiana’s Anti-Skimming Act following a week-long investigation. The suspect is accused of using a skimming device, also known as a skimmer, over the past several weeks to steal credit card information from customers in the drive-through lane at the McDonald’s Express restaurant in the 1900 block of Airline Drive where he was employed. A skimmer is a small device that electronically scans and stores information from a credit card’s magnetic strip. The data can then be used fraudulently to make purchases on a victim’s account. Individuals who used their credit card at that McDonald’s Express within the past several weeks are advised to check their accounts for fraudulent activity. Source:

Information Technology

42. June 3, The Register – (Florida) FTC slaps down commercial keylogger firm. CyberSpy Software, which markets the controversial RemoteSpy commercial keylogging application, has agreed to rewrite the software and clean up its business practices to settle a case brought by the US Federal Trade Commission (FTC). RemoteSpy was marketed as a “100 per cent undetectable” app that might be used to “Spy on Anyone. From Anywhere”. CyberSpy provided instructions on how the software might be sent to potential victims disguised as an innocuous application or supposed image in an e-mail attachment. Following a lawsuit brought by the FTC, CyberSpy is now banned from doing this. CyberSpy was also ordered by a U.S. district court in Florida to warn potential buyers that misuse of the software may violate wiretapping laws and to remove legacy versions of its software from computers. RemoteSpy is capable of logging chat conversations, Web site history, documents opened and keystrokes. RemoteSpy clients would log onto a Web site to access harvested information. Many commercial anti-malware vendors, such as Sunbelt Software, have labeled the application as spyware since it first arrived five years ago. The technology is marketed as “especially perfect for those who want to monitor their employees or children, while away from home or work” although suspicious spouses checking up on partners, unscrupulous private eyes, or stalkers might also find the technology useful. Source:

43. June 3, SC Magazine – (International) Microsoft states that Windows is secure, as industry claims that security problems lie across all operating systems. Microsoft has responded to rumours that Google plans to stop using its products. Writing in a blog post, a Windows communications manager commented on the “coverage overnight about the security of Windows and whether or not one particular company is reducing its use.” Pointing the finger at Google, the communications manager referred to a story from Mashable where it was reported that Yale University had halted their move to Gmail (and their move to Google’s Google Apps for Education package) citing both security and privacy concerns. He said: “When it comes to security, even hackers admit we’re doing a better job making our products more secure than anyone else. And it’s not just the hackers; third party influentials and industry leaders like Cisco tell us regularly that our focus and investment continues to surpass others.” The director of McAfee Labs security research communications said that claims that removing Windows will solve all the problems and help prevent attacks such as Operation Aurora are shortsighted, as the objection is not even close to the real issue. Source:

44. June 3, Help Net Security – (International) Samsung smartphone shipped with malware-infected memory card. The latest mass-market product found to have been shipped to customers containing malware is the Samsung S8500 Wave phone with the Samsung bada mobile platform. The malicious file in question is slmvsrv.exe, and can be found on the 1GB microSD memory card contained in the smartphone. The malicious file is accompanied by an Autorun.inf file, which installs itself on any Windows PC that still has the autorun feature enabled. An individual who tested one of the devices found that the card was infected, then did an online search for the file in question and unearthed two posts on some German forums that claim the same. He contacted Samsung, and they confirmed that the initial production run of the devices shipped to Germany was infected. Source:

45. June 2, Sophos – (International) Don’t click on ‘Paramore n-a-k-ed photo leaked!’ Facebook link. Many Facebook users are being hit by further clickjacking attacks June 2, taking advantage of the social network’s “Like” facility. The latest lure is a link which claims to point to a Web site containing a naked photo of the lead singer of the American rock band Paramore. Affected profiles can be identified by seeing that the Facebook user has apparently “liked” a link. The fact that the 21-year-old singer has been the subject of much Internet interest after a topless photo was leaked online is only likely to fuel interest in the pictures promised by these links. Clicking on the links takes Facebook users to a third-party site which displays a message saying: “Click here to continue if you are 18 years of age or above.” The hackers have hidden an invisible button under the mouse pointer, so the mouse-press is hijacked wherever one clicks on the Web site. So when one clicks with the mouse, one is also secretly clicking on a button which tells Facebook that one ‘likes’ the Web page. This then gets published on the user’s Facebook page, and shared with online friends, resulting in the link spreading virally. Source:

46. June 2, The Register – (International) Minor bugs bite patch security checking tool. A security researcher claims to have found a trio of coding bugs in Secunia’s popular security-inspection tool. Secunia PSI, which provides a handy way to check if applications installed on a computer are up to date, has a bug in its interface which allows anything to be inserted, according to a blogger. The blogger posted a screenshot of a (SFW) rear view of an amply proportioned lady in a tracksuit within the PSI interface to illustrate this point. Another bug allows cookies to be read while the third remains undisclosed at the time of writing. The chief security officer at Secunia told The Register that the blogger had failed to demonstrate any vulnerability with its technology. “Based on the vague information he has posted there is no proof of a security issue,” the chief security officer said. “However, assuming that one can insert images and scripts as part of the profile, then it would only be a bug and not a security issue because the user only can do this to himself.” Source:

47. June 1, The New New Internet – (International) Attempts to infect computers increases. Attempts to infect computers have increased more than 25 percent, according to Kaspersky Lab. In the first three months of 2010, more than 327 million attempts were made to infect user computers in a variety of countries around the globe. From the previous quarter, this is an increase of 26.8 percent. “Cybercrime is being fueled by the spread of the Internet itself combined with ineffective legislation and growing unemployment,” according to ITNewsAfrica. The geographical areas targeted have also varied, though the main targets have remained. In the last quarter of 2009 and the first quarter of 2010, Russia, China and India were the top targets for infection. However, the first quarter of 2010 saw a decrease in the number of attacks against China while the number of attempts against Russian users increased. Source:

48. June 1, Agence France-Presse – (International) N. Korea in warship sinking cyber campaign: Seoul official. North Korea has mounted a cyber campaign — using stolen identities of South Korean Internet users — to spread its claim that Seoul faked evidence on the sinking of a warship, officials said June 1. Intelligence officials believe the North hacked into the Internet identities of housewives, students and others for its campaign, the Munhwa Ilbo afternoon newspaper said. The North has put forward the view through Web sites at home and abroad to give the impression that many South Koreans do not trust the findings of a multinational investigation team, it said. The paper said South Korean intelligence officials are tracking the campaign. “The report is true,” a National Intelligence Service spokesman told Agence France-Presse, declining to give details. Source:

Communications Sector

49. June 3, eWeek – (National) FCC Chairman Pushes for Better Mobile Broadband. The Federal Communications Commission (FCC) chairman pushed for improved mobile broadband during a conference hosted by The Wall Street Journal (WSJ). He linked mobile broadband and innovation and promised to work toward increasing the available spectrum for the technology, which he said should be “unleashed”. During the D8 tech conference, he told a WSJ tech reporter that deploying 4G wireless networks would help allow the U.S. to catch up with other industrialized nations that currently offer faster, more complete wireless broadband coverage. “There’s no doubt in my mind that the biggest opportunity to drive competition to [fixed] broadband is to take advantage of mobile broadband,” WSJ reported him saying. “We need to have enough of an infrastructure here for companies to innovate here, launch here and want to do business here.” Source: