Department of Homeland Security Daily Open Source Infrastructure Report

Monday, June 21, 2010

Complete DHS Daily Report for June 21, 2010

Daily Report

Top Stories

• Reuters reports that U.S. authorities have charged 1,215 people in hundreds of mortgage fraud cases that resulted in estimated losses of $2.3 billion, top presidential administration officials said June 17, unveiling a crackdown after the housing market collapse. (See item 16 below in the Banking and Finance Sector)

• A nationwide alert has been issued for 17 members of the Afghan military who have gone AWOL from an Air Force base in Texas where foreign military officers who are training to become pilots are taught English, according to Fox News. The lookout bulletin states that Afghan officers and enlisted men have security badges that give them access to secure U.S. defense installations. (See item 42)

42. June 17, Fox News – (National) Alert issued for 17 Afghan military members AWOL from U.S. air force base. A nationwide alert has been issued for 17 members of the Afghan military who have gone AWOL from an Air Force base in Texas where foreign military officers who are training to become pilots are taught English, has learned. The Afghan officers and enlisted men have security badges that give them access to secure U.S. defense installations, according to the lookout bulletin, “Afghan Military Deserters in CONUS [Continental U.S.],” written by Naval Criminal Investigative Service in Dallas and obtained by The Be-On-the-Lookout (BOLO) bulletin was distributed to local and federal law enforcement officials Wednesday night. The Afghans were attending the Defense Language Institute (DLI) at Lackland Air Force Base in Texas. The DLI program teaches English to military pilot candidates and other Air Force prospects from foreign countries allied with the U.S. “I can confirm that 17 have gone missing from the Defense Language Institute,” said the chief of public affairs, 37th Training Wing, at Lackland AFB. “They disappeared over the course of the last two years, and none in the last three months.” Source:


Banking and Finance Sector

15. June 18, USA TODAY – (National) Microsoft opens center for reports of stolen identities, data. In a major step to slow cybercrime, Microsoft June 17 launched a coalition that will serve as a clearinghouse for reports about caches of stolen data stashed all across the Internet. Malicious programs crafted to swipe financial and personal data have come to saturate the Internet — so much so that security researchers routinely ferret out computer servers used by cybercrooks to hoard stolen data. Until now, there was no specific process for reporting such discoveries. The Internet Fraud Alert center — spearheaded by Microsoft, and managed by the National Cyber-Forensics & Training Alliance (NCFTA) — will serve as a reporting hub. Stolen payment-card numbers and online banking-account log-ons will be routed to the issuing banks. The institutions will then decide whether to alert customers, suspend the accounts or pursue legal remedies. Stolen Social Security numbers, birth dates and other personal data will be archived offline by the NCFTA and made available, as needed, to law enforcement. “This fills a big gap in the arsenal of weapons we need to fight online fraud,” said Microsoft’s deputy general counsel. The stakes are high. Phishing scams, just one method of cyberthievery, revolve around tricking Web users into divulging sensitive data. Last year, phishing gangs duped 1 million U.S. households into losses of $650 million, according to Anti-Phishing Working Group, a consortium of banks, retailers, Internet host providers, tech-security companies, and law enforcement agencies. Source:

16. June 17, Reuters – (International) Authorities reveal mortgage fraud crackdown, 485 arrests. U.S. authorities have charged 1,215 people in hundreds of mortgage fraud cases that resulted in estimated losses of $2.3 billion, top presidential administration officials said June 17, unveiling a crackdown after the housing market collapse. The administration has been under pressure to root out mortgage fraud and improve oversight of the housing market after the housing bubble touched off a global economic slide, and led to a cascade of home foreclosures in the United States. Over the last three-and-a-half months, authorities have made 485 arrests in the fraud cases, obtained 336 individual convictions and recovered more than $147 million, the Justice Department said. The announcement comes a day after U.S. prosecutors unveiled charges against the former head of a now-defunct mortgage lender for an alleged fraud scheme that led to multibillion-dollar losses. Source:

17. June 17, WBBM 780 Chicago – (Illinois) Serbian national arrested in ATM skimming plot. A Serbian national living in north suburban Niles, Illinois was arrested June 18 for allegedly trying to buy a device commonly used for ATM skimming. The 59-year-old suspect, whose last known address was on the 8000 block of West Foster Lane, was arrested by FBI special agents at his home, according to an FBI release. He was charged in a criminal complaint filed last week in U.S. district court with one count of attempting to obtain device-making equipment with intent to defraud, which is a felony offense. Beginning in July 2008, the suspect began negotiating to purchase a device commonly used to skim account information from users of ATM machines, the complaint alleges. But unbeknownst to the suspect, the person he was negotiating with was working with the FBI. During the investigation, he allegedly made frequent mentions of the device, which would be used to capture account info and PINs from unsuspecting ATM users. He would then use that information to steal funds from accounts, the release said. Source:

18. June 17, The Montclair Times – (New Jersey; New York) Feds expose $45M Ponzi scheme. A Montclair, New Jersey woman surrendered to the FBI June 17 on charges of running a $45-million real estate investment Ponzi scheme, the U.S. Attorney’s office in Manhattan announced. The 58-year-old suspect allegedly bilked more than 20 investors in New York and New Jersey of tens of millions of dollars, allegedly telling her victims she was using their money to buy and renovate homes and sell them for high returns, prosecutors said. However, authorities said, she allegedly used the money to repay previous investors in the pattern of a classic Ponzi scheme, according to the complaint unsealed June 17 in Manhattan federal court. The suspect is charged with conspiracy to commit wire fraud and wire fraud, authorities said. If convicted, she could face a maximum sentence of 20 years in prison for each of the conspiracy and wire fraud counts. Source:

19. June 17, Krebs on Security – (International) Sophisticated ATM skimmer transmits stolen data via text message. Operating and planting an ATM skimmer — cleverly disguised technology that thieves attach to cash machines to intercept credit- and debit-card data — can be a risky venture, because the crooks have to return to the scene of the crime to retrieve their skimmers along with the purloined data. Increasingly, however, criminals are using ATM skimmers that eliminate much of that risk by relaying the information via text message. One particular craftsman, designs the fraud devices made-to-order, even requesting photos of the customer’s targeted ATMs before embarking on a sale. Just as virus writers target Windows because it is the dominant operating system on the planet, skimmer makers center their designs around one or two ATM models that are broadly deployed around the globe. Among the most popular is the NCR 5886. This skimmer sells for between $7,000 and $8,000, and includes two main components: The card-skimmer device that fits over the card acceptance slot and records the data that is stored on the back of any ATM cards inserted into the device; and a metal plate with a fake PIN pad that is designed to sit directly on top of the real PIN pad and capture the victim’s personal identification number (PIN) while simultaneously passing it on to the real PIN pad underneath. Not all skimmers are so pricey: Many are prefabricated, relatively simple devices that fraudsters attach to an ATM and then collect at some later point to retrieve the stolen data. Source:

20. June 16, Arizona Republic – (Arizona) Goodyear man accused in ‘Hot Head Bandit’ bank robberies. A man suspected of robbing several Phoenix-area banks previously has been convicted of armed robbery and served time in prison. The 55-year-old suspect, who lives in an unincorporated area near Goodyear, Arizona was arrested June 7 by a Peoria, Arizona police detective who noticed his truck matched the description of a pickup used during a bank robbery in Chandler in April, according to an FBI media release. A criminal complaint filed in U.S. district court June 8 charges the suspect with three counts each of armed bank robbery and brandishing a firearm during a crime of violence, federal court records show. The complaint links the man to three robberies in January and April. Investigators believe the suspect is the “Hot Head Bandit,” who has robbed several banks in the West Valley since August, including ones in Goodyear, Peoria, Litchfield Park and Phoenix. The nickname came from a baseball cap with flames on the bill that he wore during two of the robberies. Source:

21. June 16, WBAY 2 Green Bay – (Wisconsin) Police, credit union warn of phone scam resurfacing. Menasha, Wisconsin police and Lakeview Credit Union are issuing warnings about a phone scam. Lakeview said numerous automated calls are going out, telling people their credit or debit card has been compromised. Listeners are then asked to enter their credit card number and its expiration date. The credit union said anyone who entered a card number should consider it stolen and request a new card. Police and the credit union said people are receiving these calls at all hours both at home and on cell phones, even if they are on the Do Not Call list. Police remind people that financial institutions do not make unsolicited calls to request information which they already have on file. Source:

22. June 16, Victoria Advocate – (National) Security breach pushes First Victoria to block signature-based transactions on debit cards. First Victoria bank in Texas placed blocks on its MasterCard debit cards after a small amount of card numbers were compromised by a third-party source. The bank suspects the issue has to do with a merchant somewhere in the southwestern United States, said the senior vice president and bank services manager for First Victoria. The security breach also affects other banks throughout the Southwest. “This is not unique to First Victoria,” he said. “It’s a problem affecting many financial institutions.” The issue began about May 24 for First Victoria and, since then, the bank has made various changes to protect customers’ information. Currently, the bank has blocked signature-based transactions from a variety of stores, including department stores, grocery stores, drug stores, convenience stores and more. Such transactions are also blocked in a number of countries, as well as the state of Michigan. Customers can still use their cards at all locations; however, they do this by selecting the “debit” option and entering the PIN code. The bank has experienced “minor impacts” from the situation, the vice president said, but he declined further comment. Source:

23. June 15, Bank Info Security – (Pennsylvania) Ex-Teller guilty of insider scheme. In the latest example of insider fraud, a former JPMorgan Chase employee pleaded guilty to participating in a scheme to steal more than $60,000 from New Jersey bank customers’ accounts. The 22-year-old suspect, of Sciota, Pennsylvania, admitted that she took part in the scheme in 2008 and 2009. As a teller at the JPMorgan Chase bank in Hackettstown, New Jersey, according to a release from the U.S. Department of Justice, the suspect accessed 12 customer account profiles and sold them to two people in Monroe County, Pennsylvania. The two individuals used the information to have false identification documents made, and used those credentials to access the accounts. The other two suspects have already pleaded guilty to bank fraud and attempted bank fraud as aiders and abettors. They are awaiting sentencing. The former Chase employee was charged in a complaint filed by the United States Attorney’s Office in April 2010. Her charge resulted from an investigation conducted by the FBI and Hackettstown police. The for the Middle District of Pennsylvania said that as a result of the guilty plea, the suspect faces up to 10 years in prison and a $250,000 fine. She will be sentenced September 8. Source:

Information Technology

50. June 18, – (International) Anti-vuvuzela trumpet software is a scam. Security experts are warning World Cup fans not to fall for a piece of scam software promising to remove the noise of the South African vuvuzela trumpets during TV broadcasts. Links to a Web site selling the ‘Anti-Vuvuzela Filter’ have been making the rounds on various social networks this week, but a Webroot malware researcher said that the 2.95 Euro price tag will leave users with nothing but an empty wallet. “The site claims to be able to ‘get rid of the vuvuzela noise through active noise cancellation’ but all you get for your money is, apparently, a 45-minute MP3 file,” he wrote in a blog post. “Seriously. Call it a rogue AV (anti-vuvuzela) of a variety we haven’t seen before. Don’t be a sucker. Just reduce the volume on your TV if the vuvuzelas get you down.” The scam is the latest in a string of attempts by cyber criminals to extort money by using the World Cup as a lure. Trend Micro and Symantec Hosted Services have both alerted users to Nigerian e-mail scams, while Symantec warned of more sophisticated information stealing malware using the World Cup to target specific corporate systems. Source:

51. June 18, IDG News Service – (International) Google Wi-Fi data grab snared passwords, e-mail. Wi-Fi traffic intercepted by Google’s Street View cars included passwords and e-mail, according to the French National Commission on Computing and Liberty (CNIL). CNIL launched an investigation last month into Google’s recording of traffic carried over unencrypted Wi-Fi networks, and has begun examining the data Google handed over as part of that investigation. Google revealed May 14 that the fleet of vehicles it operates to compile panoramic images of city streets for its Google Maps site had inadvertently recorded traffic from unencrypted Wi-Fi networks. Google’s intention was only to record the identity and position of Wi-Fi hotspots in order to power a location service it operates, the company said. However, the software it used to record that information went much further, intercepting and storing data packets too. At the time, Google said it only collected “fragments” of personal Web traffic as it passed by, because its Wi-Fi equipment automatically changes channels five times a second. However, with Wi-Fi networks operating at up to 54M bits per second, it always seemed likely that those one-fifth of a second recordings would contain more than just “fragments” of personal data. That has now been confirmed by CNIL, which since June 4 has been examining Wi-Fi traffic and other data provided by Google on two hard disks, and over a secure data connection to its servers. Data-protection authorities in Spain and Germany have also asked Google for access to Wi-Fi traffic data intercepted in their countries, but the CNIL was the first to have its request granted, it said. Source:

52. June 18, SC Magazine – (International) Kaspersky Lab: Mobile malware evolves as an industry focus on it is the next step. The threat of malware and botnets for mobile phones could become as much of a problem as they are for PCs. The mobile research group manager and senior analyst at Kaspersky Lab pointed at threats such as the “brother” and “Ikee” worms, and said that it was now seeing 30 developments a month in mobile malware, and 35 percent of malware is now designed to infect mobile Internet. He said: “This threat will not go away, and the reasons for the whole Internet-based malware appearance is that new technologies will be the future. A mobile botnet will have the same impact as a simple PC botnet. They will be able to send SMS, MMS, Google spam and mask passwords, and maybe provide telephone DDoS attacks. Imagine a big organization and they have four main telephone numbers, and the competitor does not want to work honestly and decides to do bad things such as a telephone DDoS. Imagine all of the smartphones all started to dial four numbers, and will always be busy so users will have no chance to dial and the company will not be able to do anything.” Asked about the specific threats for mobiles, the analyst told SC Magazine that the threats are more Web-based and are mainly Trojans. He said: “Cyber criminals try to mask applications to download software, so when people use computers for downloading software for mobile, that is how we detect Trojan programs.” Source:

53. June 17, The Register – (International) Researcher shows how to strike back at web assailants. A security researcher has disclosed details on more than a dozen previously unknown vulnerabilities that people responding to Web-based attacks can exploit to strike back at online assailants. The bugs reside in off-the-shelf crimeware kits that go by names such as Eleonore, Liberty, Neon, and Yes. Attackers install them on compromised Web sites to streamline the process of exploiting unpatched vulnerabilities on the PCs of people who visit them. It has long been known that some of the exploit kits are themselves susceptible to attacks, and June 17 the CEO of French security consultancy Tehtri-Security detailed 13 bugs that can be exploited to turn the tables on the criminals running the software. They make it possible for law enforcement agents and other investigators of online attacks to destroy command and control servers, identify the miscreants, and in some cases even launch client-side attacks against the intruders. “The offensive concepts that we’ve shown today were how to strike back at attackers who use evil Web tools like exploit packs, Web backdoors, etc.,” the CEO told The Register in an online discussion a few hours after he made a presentation at the SyScan security conference in Singapore. “Basically, we explained that it is possible to create traps or to remotely attack the malicious Web tools used by people controlling botnets.” One of the attacks against Eleonore allows investigators to steal the authentication cookies of miscreants logging in to the administrative panel used to control an attack site. It starts with as SQL-injection exploit through a browser’s referrer field to plant strings in the server’s database that make the panel vulnerable to XSS, or cross-site scripting exploits. Investigators can then exploit that hole and steal the cookies, which are used to gain administrative access to the panel. Source:

54. June 17, DarkReading – (International) Cybersecurity not a ‘Command And Control’ effort. Cybersecurity initiatives will always be distributed efforts, which is what makes the cybersecurity czar’s position so crucial, according to the Department of Homeland Security’s cybersecurity director. “This is not a command and control environment,” said the director of the National Cybersecurity Center at DHS, in an interview June 17. “DoD has key responsibilities, DHS has key responsibilities, and so do the Department of Commerce and NIST, which is part of Commerce. And there are multiple entities in the private sector [with responsibilities as well].” With the flurry of activity on Capitol Hill these days over cybersecurity legislation and the recent formation of the U.S. Cyber Command, the U.S.’s cybersecurity policy and efforts are getting difficult to pin down. But the director said that is where the administration’s cybersecurity coordinator comes in. “Cybersecurity has always been distributed and will remain distributed,” he said. The administration is getting close to actually testing out its newest cyberincident-response plan. The DHS will sponsor the CyberStorm III cybersecurity drill in September, which will put the nation’s new cyber response plan through its paces in a simulated attack scenario to see if it is on the mark and whether it needs any tweaks. This simulation will be different from previous ones because it will include international players. “Cybercrime is inherently international,” the director said. “Even if someone in the U.S. is breaking into another system in the U.S., the chances are that communication is going to go internationally.” Source:

For another story, see item 56 below in the Communications Sector

Communications Sector

55. June 18, InformationWeek – (International) FCC considers broadband regulation. Major high-technology providers are divided over the Federal Communication Commison’s (FCC) plan — approved in a 3-2 vote Thursday — to consider the reregulation of Internet broadband. The big three broadband carriers — AT&T, Comcast and Verizon — issued statements opposing the FCC’s decision to conduct an inquiry into whether broadband should be classified as a telecommunications service, giving the FCC more regulatory power over the carriers. Content providers like Amazon, Google and Skype, however, favored the FCC action. On the other side of the issue is the Open Internet Coalition whose members include Amazon, eBay, Google, and Skype. The coalition’s executive director said: “There is a real urgency to this because right now there are no rules of the road to protect consumers from even the most egregious discriminatory behavior by telephone and cable companies.” Source:

56. June 15, Federal Computer Week – (International) Internet gatekeepers strengthen security at the root. The Commerce Department and global Internet authorities will begin deploying a worldwide root-system improvement to the Internet designed to enhance security in the Internet’s domain name structure. The Internet Corporation for Assigned Names and Numbers will host a ceremony June 16 at a high-security data center in Culpeper, Virginia, to install the first Domain Name System Security Extensions. During the ceremony in Virginia, the first cryptographic digital key used to secure the Internet root zone will be generated and securely stored, according to a news release. Official procedures will be carried out to assure the security of the key. The security-extensions system is a cryptographic framework that provides greater assurance to all Internet users so that, when they type in a Web address, there is more confidence they will reach that destination. The security extensions have been in development for more than a year to address a well-known flaw in the Internet that has been exploited by hackers and phishers. The longstanding domain name vulnerability has allowed hackers to misdirect Internet traffic to malicious Web sites. Source: