Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, August 24, 2010

Complete DHS Daily Report for August 24, 2010

Daily Report

Top Stories

• According to the Atlanta Journal-Constitution, anti-government extremists who believe they are immune to state and federal laws, and also that banks cannot own land, have been using paper transactions to steal homes throughout Georgia. (See item 22 below in the Banking and Finance Sector)

• The Springfield News-Leader reports that the Springfield, Missouri Police Department is investigating the theft of nearly 6 tons of stainless steel from the Southwest Wastewater Treatment Plant.(See item 35)

35. August 21, Springfield News-Leader – (Missouri) Nearly 6 tons of steel stolen from plant. The Springfield, Missouri Police Department is investigating the theft of nearly 6 tons of stainless steel from the Southwest Wastewater Treatment Plant. The materials were used parts that were being stored in an outdoor area, according to police. The city will not need to replace the parts, which have an approximate value of $25,000. The materials include: 11 stainless steel hubs, 34 stainless steel blades, two stainless steel shafts and 480 stainless steel bolts. Parts began disappearing several weeks ago, but the bulk of the material appears to have been taken in recent days. Source:


Banking and Finance Sector

16. August 23, Washington Post – (National) Last phase of credit card reform law in place, taking aim at penalty fees. The sweeping reform of the credit card industry was finally completed August 22 as the last pieces of the landmark federal law designed to stop unfair or deceptive practices took effect. The final phase restricts how much card issuers can charge in penalty fees compared with the amount of the violation. For example, if one is late paying a credit card bill with a $10 minimum payment, the penalty charge cannot be more than $10. In addition, new rules governing gift cards also took effect August 22 that require them to be honored for at least 5 years and allow only one fee per month. Congress passed the Credit CARD Act last year, which set up a rolling timetable to phase it in. The bulk of the law’s provisions took effect in February, and prevented issuers from raising interest rates on existing balances, among other changes. The American Bankers Association, an industry trade group, called the implementation of the law a “transformative process that signifies a fundamental change for both consumers and the industry.” A study by Pew Charitable Trusts released this summer showed that the largest card issuers have complied with the new regulations. However, Pew’s study pointed out that the new rules do not limit increases in penalty interest rates, only the amount of fees. It also found that some credit card agreements did not disclose the size of any penalty rate hikes. The group has urged the Federal Reserve to issue rules governing those increases as well. Source:

17. August 23, San Jose Business Journal – (National) Report: Calif. had most mortgage fraud in Q2. California had the highest number of reported mortgage fraud cases in the second quarter, according to a report August 23. The 283 active cases in the Golden State involved about $436 million in mortgages — more than any other state, according to the report Second highest was Florida, with 213 cases and about $147 million in mortgages. Source:

18. August 23, Dow Jones Newswires – (International) UPDATE: Barclays computer glitch hit customers Saturday. U.K. bank Barclays PLC (BCS) confirmed that customers were unable to access their bank accounts and withdraw money for a time Saturday after cash machines went down during a short outage. Systems were hit at 1300 GMT by a 20-minute blackout caused by power outage. It is thought the problems were associated specifically with LINK ATMs, the system that connects the U.K.’s ATM network, allowing customers from various banks or building societies to use other bank’s machines. A spokeswoman for Barclays said the bank became aware of the problem August 21 and it “was swiftly resolved,” and the bank apologized to customers for the inconvenience. She said the company is still looking into the matter “as a matter of priority,” adding any that further comment without proper understanding of what cause the problems “would be inappropriate.” The bank was unable to say how many customers had been affected. Source:

19. August 23, Help Net Security – (National) U.S. military personnel targeted by malware. U.S. military personnel is again targeted by malware-peddling cybercriminals. Fake email purportedly coming from Bank of America is asking holders of Military Bank accounts to update them by following the given link. According to Trend Micro, the link takes them to a very faithfully recreated bank login page, where they must enter their account username and password. So far, there is no indication that this is an actual phishing page, but the possibility exists. In any case, whatever information the victims enter, clicking on the “Sign In” button will take them to a page where an “Update Tool” is offered: The provided executable file is actually a ZeuS variant. But even if the victims choose not to download and install it because they became suspicious at the last moment, it may be already too late. The attack doesn’t rely on manual download — it runs a multitude of browser exploits on the target systems as soon as the user lands on the page. Source:

20. August 21, Bank Info Security – (National) Eight banks closed on Aug. 20. Federal and state banking regulators closed eight banks August 20, raising the number of failed institutions to 132 so far in 2010. Two of the failed banks in Florida were purchased by a Florida bank. Another two in California were purchased by a California bank. The latest closings are: Imperial Savings and Loan Association, Martinsville, Virginia, was closed by the Office of Thrift Supervision (OTS), which appointed the Federal Deposit Insurance Corporation (FDIC) as receiver The FDIC arranged for the River Community Bank, National Association, Martinsville, to assume all deposit. The estimated cost to the Deposit Insurance Fund (DIF) will be $3.5 million. Community National Bank At Bartow, Bartow, Florida, was closed by the Office of the Comptroller of the Currency (OCC), which appointed FDIC as receiver. The FDIC arranged for CenterState Bank of Florida, National Association, Winter Haven to assume all deposits. CenterState Bank of Florida also bought Independent National Bank, Ocala, Florida. The estimated cost to the DIF for Community National Bank At Bartow will be $10.3 million. The estimated cost to the DIF for Independent National Bank is $23.2 million. ShoreBank, Chicago, was closed by the Illinois Department of Financial and Professional Regulation, which appointed FDIC as receiver. The FDIC arranged for Urban Partnership Bank, Chicago, to assume all deposits. The estimated cost to the DIF will be $367.7 million. Butte Community Bank, Chico, California, was closed by the California Department of Financial Institutions (CDFI), which appointed FDIC as receiver. The FDIC arranged with Rabobank, National Association, El Centro, California, to assume all deposits. Rabobank also assumed the assets of Pacific State Bank at the same time. The estimated cost to the DIF for Butte Community Bank will be $17.4 million. Pacific State Bank, Stockton, California, was closed by CDFI. FDIC was appointed as receiver. Rabobank bought out Pacific’s $312.1 million in assets. Los Padres Bank, Solvang, California, was closed by OTS, which appointed FDIC as receiver. The FDIC arranged with Pacific Western Bank, San Diego, California, to assume all deposits. The estimated cost to the DIF will be $8.7 million. Sonoma Valley Bank, Sonoma, California, was closed by CDFI, which appointed FDIC as receiver. The FDIC arranged for Westamerica Bank, San Rafael, California, to assume all deposits. The estimated cost to the DIF will be $10.1 million. Source:

21. August 20, South Florida Sun Sentinel – (Florida) FBI offers $25,000 in case of ‘Brazen Bandit’ bank robberies in Deerfield Beach, Boca Raton. The FBI has announced a $25,000 reward for information leading to the arrest of the “Brazen Bandit,” who shot a Deerfield Beach, Florida bank customer August 18, and is also being sought for a bank heist in Boca Raton August 13. The shooting victim was taken to North Broward Medical Center, where he was listed August 20 in critical but stable condition. The victim was shot in the neck at the AmTrust Bank at 3600 W. Hillsboro Blvd., at 3:30 p.m. August 18 a FBI spokeswoman said. The gunman, who eluded a police dragnet, was dubbed the Brazen Bandit because of his bold behavior. He wore sunglasses, a black baseball cap, black shirt, blue jeans, latex gloves and a black bandana covering his mouth, the spokeswoman said. He is described as being 35 to 40, about 5 foot 8 inches tall and having a shaved head and athletic build. He jumped a bank counter and snatched money from several drawers, putting it in a black backpack. Then he fired a shot at the customer. He left the bank, dropping some cash, then fired several more shots, shattering the window of a nearby tax office. The FBI said he got away in a brown, possibly two-toned small pickup with tinted windows. No one else was hurt. On August 13, the same robber struck PNC Bank’s southeast Mizner branch at 520 S. Federal Highway in Boca Raton, the FBI said. The robber walked up to a teller, placed a black backpack on the counter and demanded money. He exited the bank with an undetermined sum, officials said. No one was hurt. Source:

22. August 19, Atlanta Journal-Constitution – (Georgia) DA: Paper terrorists stealing homes. When a new family moved into the mansion on South Goddard Road in south DeKalb County, Georgia residents just assumed they were “city folks” too busy to meet neighbors. Prosecutors said the $1 million brick home is one of at least 19 properties that have been taken over by a sect of anti-government extremists involved in criminal behavior. They call themselves “sovereign citizens” and believe they are immune to state and federal laws. They assert, among other things, that banks can’t own land and that any home owned by a bank –- including the thousands throughout Georgia –- is free for the taking. Police and prosecutors take a different view. The FBI has listed them on the domestic terrorist list, saying their crime of choice is paper terrorism and attempting to disrupt the U.S. economy. Prosecutors said the local sovereign citizens are consistent with other anarchist movements, filing lawsuits and liens on police, government officials and anyone who questions them. They are all born in the U.S., but create their own drivers’ licenses, complete with seals for fictitious nations. Many of the suspects have multiple names and a history of not paying taxes. Investigators in Georgia have tied the sovereign citizens to at least 19 property thefts in DeKalb, Fulton, Gwinnett, Henry, Spalding, Newton and Richmond counties. They include mansions –- some still under construction –- and a shopping center in Buckhead valued at $13 million. Police have charged six suspects with violating the Racketeer Influenced and Corruption Organizations Act. Warrants have been issued for another five suspects. Most of the properties are in foreclosure, but there also were some vacant homes for sale. In the case of the mansion, a 36-year-old and a 45-year-old suspect had created a phony quitclaim deed and moved into a foreclosed house, police said. They posted phony deeds in the window and used them to persuade utility workers to turn on the electricity and water. Investigators began pulling the bogus deeds, which had been filed with the superior court clerks in each county. They quickly saw that many of the deeds listed the same contract address. Investigators said the suspects had used fraudulent deeds to turn the properties over to themselves, and then filed them with court clerks throughout north Georgia. On the majority of the deeds, the price is listed as 21 silver dollars, which is consistent with other sovereign citizen schemes nationwide, prosecutors said. On others, the price is listed at “zero dollars.” The banks that owned the homes were unaware of the deed changes. Source:

Information Technology

46. August 23, ComputerWorld – (International) Researcher told Microsoft of Windows apps zero-day bugs 6 months ago. Microsoft has known since at least February that dozens of Windows applications, including many of its own, harbor bugs that hackers can exploit to seize control of computers, an academic researcher said August 22. At least 19 of the bugs can be exploited remotely, a Ph.D. candidate at the University of California Davis said in a paper he published in February and presented last month at an international conference. The candidate added his voice to a growing chorus of researchers who claim that a large number of Windows programs are vulnerable to attack because of the way they load components. Recently, a U.S. researcher said he had found at least 40 vulnerable applications, including the Windows shell. Shortly thereafter, Slovenian security firm Acros announced its homegrown tool had uncovered more than 200 flawed Windows programs in an investigation that began 4 months ago. Source:

47. August 23, Krebs on Security – (International) Anti-virus products struggle against exploits. Most anti-virus products designed for use in businesses do a poor job of detecting exploits that hacked and malicious Web use to foist malware, a new report concludes. Independent testing firm NSS Labs looked at the performance of 10 commercial anti-virus products to see how well they detected 123 client-side exploits, those typically used to attack vulnerabilities in Web browsers including Internet Explorer and Firefox, as well as common desktop applications, such as Adobe Flash, Reader, and Apple QuickTime. Roughly half of the exploits tested were exact copies of the first exploit code to be made public against the vulnerability. NSS also tested detection for an equal number of exploit variants, those which exploit the same vulnerability but use slightly different entry points in the targeted system’s memory. None of the exploits used evasion techniques commonly employed by real-life exploits to disguise themselves or hide from intrusion detection systems. Among all 10 products, NSS found that the average detection rate against original exploits was 76 percent, and that only 3 out of 10 products stopped all of the original exploits. The average detection against exploits variants was even lower, at 58 percent, NSS found. Source:

48. August 23, Nextgov – (International) Intel’s purchase of McAfee not a game changer for security. Intel Corp.’s acquisition of antivirus software company McAfee Inc. will provide the computer chip manufacturer with real-time data about cyber threats that could influence how security is managed at the processor level, but it will have little direct impact on product development, according to security experts. Intel announced August 20 that it had agreed to pay $7.68 billion in cash for McAfee, which will function as a wholly owned subsidiary of the leading chip producer. McAfee’s existing software portfolio, which focuses on intrusion detection, antivirus, and firewall technology, offers little opportunity to enhance security features of the microprocessor, said the chairman and chief executive officer of security software company NetWitness and former director of the Homeland Security Department’s National Cybersecurity Division. Source:

49. August 23, SC Magazine – (International) Blogger identifies privacy flaw in Facebook Places, as Foursquare co-founder calls the tool ‘boring’. The Facebook Places application has been accused of falling short when it comes to protecting its user’s locational privacy. A information security blogger and assistant professor at the school of information studies at the University of Wisconsin claimed Facebook Places falls short on privacy as non-authorized check-ins by friends are visible. He said Facebook has tried to do a better job addressing privacy with Places compared to some previous launches of new “features.” However, he noted that as he has played around with the service, he claimed to have uncovered a problem with Facebook’s assertion that “no one can be checked in to a location without their explicit permission.” He said: “While Places is largely an opt-in service — one needs to install and use it on a mobile device — anyone can be ‘checked-in’ to any place by a friend. This can happen regardless of whether you use the service yourself. If you get checked into a place by someone, and you haven’t already authorized the service or these kinds of check-ins, you’ll receive an e-mail asking if you want to allow check-ins by friends.” He said that his wife had been “checked in” despite not authorizing use of the feature. If any of his friends looks at his Facebook feed, they will see the status update of his check-in at the store, with his wife’s name there. Her name also appears with his check-in on the location’s page, which is automatically generated by the places service. Source:

50. August 23, Help Net Security – (International) Trojan simulates MS Security Essentials Alert, peddles fake AV. A Trojan imitating a Microsoft Security Essentials Alert has been spotted trying to convince users their computer is infected and that the only thing to do is to pay for one of the five fake antivirus solutions offered. Whether a user clicks on the “Clean computer” or the “Apply actions” button, she is told that the program cannot clean the computer and is prompted to use an online scanner, reports a researcher of Bleeping Computer. The computer is purportedly scanned by 35 antivirus solutions — 30 legitimate and 5 fake — but only the fake ones (Red Cross Antivirus, Peak Protection 2010, Pest Detector 4.1, Major Defense Kit, AntiSpySafeguard) “detect” the Trojan. In fact, all of these fake solutions are one and the same, but with different names and graphical user interfaces. Whichever one choose to install, it will reboot one’s computer, run automatically and begin a fake scan. The result is always the same: the computer is full of malware. The fake AV has managed to clean some of it, but there are still numerous infected files that only the full (paid) version can remove. The program also terminates some of the other programs a user may attempt to start, saying that they are also infected. Source:

51. August 16, Help Net Security – (International) Who is the typical Russian hacker? A security analyst and a senior researcher from security firm Coseinc that calls himself “Le Grugq” have spent 6 months on various Russian Web forums in order to discover just what kind of threat Russian hackers present to the world at large. Both of them fluent in the language, they managed to get more than just a glimpse into this underground culture and shared their knowledge with the attendees of the Hack in the Box conference, ENP reports. And according to them, businesses have little to worry about, since Russian hackers are usually attracted by money they can get their hands on simply and fast. Corporate secrets hold no appeal to them. The hackers often go for the easiest potential victims, such as careless individual users. This is because the typical Russian hacker is a student looking for some pocket money. His targets are individual users in the Western world and he has no qualms about fleecing them since he believes everybody is rich outside Russia — claims the analyst. Russian hackers are geeks, not gangsters. There is an entire underground economy that caters to these unprofessional criminals: they can buy or rent malware, use the services of supporting partners who will drive Internet traffic to the malicious sites, use the services of botnet masters who can execute DDoS attacks on rival Web sites and Twitter accounts. These hackers are interested in infecting individual computers and stealing the users’ credit card numbers, and using them in various ways. They usually refrain from ordering physical stuff online, since the delivery address would point to them. Source:

Communications Sector

52. August 23, The H Security – (International) Police confiscate hardware from VPN provider. VPN provider Perfect Privacy is reporting that August 20, police searched a house occupied by a Perfect Privacy network provider. The search warrant was reportedly issued on suspicion that unknown perpetrators may have routed potentially criminal communications via the servers in the German city of Erfurt. Perfect Privacy is an association of private individuals from all over the world who operate VPN servers and offer the service via a common interface. Users can pay to route their entire Web traffic in encrypted form through Perfect Privacy servers, thus reducing traceability. Perfect Privacy claims not to keep log files. Five PCs, including storage media, were confiscated, resulting in losses totalling 6000 to 6500 euros. The company is at pains to point out that computers used in connection with the VPN service are completely encrypted. According to Perfect Privacy, police did not confiscate the actual VPN servers, “Perfect Privacy’s servers in Erfurt are [...] still online, can be pinged, and Perfect Privacy continues to be in the possession of the root access and all administrative rights.” The company has nevertheless temporarily suspended the Erfurt servers to give members with “elevated security needs” time to be made aware of the ongoing police investigation. Why the police confiscated the administrator’s computers rather than the VPN servers and whether the police are implementing other measures such as eavesdropping on telecommunications are both unknown. Perfect Privacy is applying, through a lawyer, for leave to view the files relating to the case. Source:

53. August 22, Canadian Press – (International) Ontario quake rattled websites more than the ground. The June earthquake that shook parts of Quebec and Ontario rattled more than just the ground. Within minutes of the 5.0-magnitude quake, people were furiously posting accounts on social media sites like Twitter, but official information was impossible to access online. Natural Resources Canada’s earthquake information site was paralyzed by demand, documents released under access to information show. The agency was so overwhelmed with people trying to access the site that it had to enlist the help of the U.S. Geological Survey to get the information out to Canadians. The crash sent staffers scrambling for more than 2 hours to find a temporary solution and it took 4 hours before the whole site was back in full working order. An official with Natural Resources Canada admitted the crash raised questions about how well prepared the agency was to communicate with Canadians online in the event of a sudden natural disaster like an earthquake or tsunami. The first thing officials did was strip out all the unnecessary features on the site and disable anything like graphics that ate up bandwidth as they raced to double the capacity of their servers. Four hours later, the site was back up and working. The department is talking to commercial providers who specialize in providing back-up capacity for major events and whose services would only kick in when needed. Source:

54. August 20, Associated Press – (Missouri) Phone outage in part of southwest Missouri’s Polk County blamed on copper thieves. Authorities in Polk County in a southwestern Missouri county said copper thieves were to blame for a loss of telephone service in some towns. KYTV reports that phone company crews worked August 20 to restore land-line service in the towns of Morrisville, Brighton and Pleasant Hope. Thieves had been cutting phone lines to sell the copper wire for several weeks in neighboring Greene County. Source:,0,6480317.story