Friday, March 11, 2011

Complete DHS Daily Report for March 11, 2011

Top Stories

• The Wall Street Journal reports U.S. prosecutors charged a Pakistani man with running a smuggling operation that shipped materials and equipment to agencies operating Pakistan’s nuclear program. (See item 6)

6. March 9, Wall Street Journal – (International) Pakistani man charged over shipments to Pakistan’s nuclear program. U.S. prosecutors March 9 charged a Pakistani man with running a smuggling operation that shipped materials and equipment to the agencies operating Pakistan’s nuclear program. A grand-jury indictment in Baltimore, Maryland, accuses the 45-year-old man, who operated an export firm in Maryland, of obtaining the items from U.S. companies in North Dakota and Massachusetts and illegally exporting them to agencies on a U.S. Commerce Department blacklist. Prosecutors said the materials included radiation-detection devices, calibration equipment, and nuclear-grade resins that can be used “directly or indirectly in activities related to nuclear reactors and the processing and production of nuclear-related materials.” The suspect made a first appearance in court March 9 and was ordered detained pending a hearing March 10. The indictment alleged the suspect worked with another man, not identified in the indictment. This man directed the suspect with a shopping list and told him how to conceal where items were being shipped, the indictment said. The unidentified man, also charged, is believed to be in Pakistan and out of reach of U.S. authorities, according to court papers. The indictment said the men paid U.S. suppliers with funds transferred from Pakistan via Dubai to U.S. bank accounts, including the suspect’s personal accounts. The Pakistani agencies receiving the equipment include the Space and Upper Atmosphere Research Commission and the Chashma Nuclear Power Plant, the U.S. alleged. Both are banned from receiving certain items from the United States for national-security reasons. Source:

• According to Reuters, a Colville, Washington, man was arrested and charged with attempting to place a bomb along the parade route of a Martin Luther King Jr. holiday celebration in Spokane. (See item 54)

54. March 9, Reuters – (Washington) U.S. arrests man in Martin Luther King Day bomb plot. A Colville, Washington, man was arrested and charged with attempting to place a bomb along the parade route of a Martin Luther King Jr. holiday celebration in Spokane January 17, the U.S. Justice Department said March 10. The 36-year-old man was charged with one count of attempting to use a weapon of mass destruction, which carries a maximum penalty of life in prison. The other count charges him with illegally possessing an explosive device, which carries up to 10 years in prison. He appeared in federal court in Spokane March 9, and is being held in the Spokane County Jail until an arraignment, tentatively scheduled for March 23, authorities told Reuters. A grand jury is set to meet to consider the charges March 22. A federal law enforcement official said authorities were investigating whether the suspect had ties to white supremacists. Officials from the Southern Poverty Law Center, an Alabama-based civil rights group, said the suspect had been a member of the neo-Nazi National Alliance in 2004. A spokesman for Joint Base Lewis-McChord, the U.S. Army/Air Force base in Washington state, confirmed he served at the former Fort Lewis Army base from 1996 to 1999 as a fire support specialist. The MLK day parade, attended by about 1,500 people, was quickly rerouted while the city’s bomb disposal unit was summoned and safely “neutralized the device,” the FBI said at the time. Chemical analysis of the homemade bomb remains “ongoing,” the FBI supervisory resident agent told Reuters, declining to confirm reports the bomb contained a white powder anticoagulant chemical similar to rat poison. Source:


Banking and Finance Sector

16. March 10, WFXT 25 Boston – (Massachusetts) ‘Copycat bank robber’ caught in the act. The man federal agents said is the “copycat bank robber” has been caught in the act. The FBI was tailing the two suspects when they learned the pair were allegedly about to rob another bank in Massachusetts. Agents arrested the men March 9, just feet from the Bank of America on Canal Street in Boston. In court documents, one suspect admitted to agents he was the man caught by security cameras robbing banks in Everett and Winthrop the week of February 28. During the arrest, agents reportedly found a fake pipe bomb on him. Similar devices were shown at both bank robberies the week of February 28. Source:

17. March 9, Minneapolis Star Tribune – (Minnesota) Cologne bank robber is suspect in recent Orono heist, FBI says. A man who robbed a bank March 9 in Cologne, Minnesota, is suspected in a February 17 bank robbery in Orono and possibly as many as four others, the FBI said. A masked man waited in the foyer of Kline Branch Bank and surprised an employee when she arrived to open the office for business, the FBI said. The suspect threatened her with a knife and demanded that she bring him to the vault. He showed a gun and said he would shoot her if she did not cooperate, the FBI said. The robber took an undisclosed amount of money and fled on foot. Based on suspect descriptions and robbery methods, investigators are “fairly certain” that the suspect also robbed the First National Bank of the Lakes branch in Orono February 17, said a Minneapolis FBI spokesman. The suspect also may be linked to three or four other metro-area bank robberies in the past 2 months, he said. The suspect in the Cologne robbery was described as about 6 feet tall, 200 pounds, in his late 30s or early 40s. He wore a tan- or wheat-colored coat, black pants, gloves, and a black mask, the FBI said. Source:

18. March 9, Associated Press – (Minnesota) 12 indicted in Minn. in alleged $10M bank fraud ring. Twelve people have been charged in a $10 million bank fraud conspiracy that authorities said depended on identity theft by employees in some of America’s largest banks, according to a federal indictment unsealed March 9. The indictment accused the defendants of buying and selling identifications and using them to create phony bank and credit card accounts, apply for loans, and get cash. Authorities said the network operated in many states, and bank employees in Minnesota and elsewhere were recruited to obtain customer information and conduct phony transactions. One defendant, the manager of a Wells Fargo branch, had bank account information for several people in her car and at her home when she was arrested March 9, authorities said. “There’s a severe risk to the community regarding the buying and selling of people’s personal information,” an assistant U.S. attorney said. Source:

19. March 9, Federal Bureau of Investigation – (Connecticut) Man charged in Connecticut with operating credit ‘bust-out’ scheme. The United States Attorney for the District of Connecticut and the special agent in charge of the New Haven Division of the FBI announced March 9 that a suspect was arrested March 7 on a federal criminal complaint charging him with engaging in a credit card “bust-out” scheme. According to the allegations set forth in the criminal complaint, the suspect, for a fee, assisted individuals in obtaining money from their credit cards and credit accounts far beyond their credit limits. It is alleged the suspect instructed individuals to charge all of their credit accounts up to or over their available credit limit and then provide their account information to him. He then assisted individuals with the submission of fraudulent or insufficiently funded checks to the credit issuers. Once the checks were received by the credit issuers and the payments were posted to the individuals’ accounts, their credit balance was temporarily reduced, thereby allowing the individuals to draw on the credit lines further before credit issuers discovered the posted payments were fraudulent. After the individuals’ credit was fully “busted out,” the individuals often fled the country. It is alleged credit providers have lost approximately $465,000 as a result of this scheme. If convicted of the charges, the suspect faces a maximum term of imprisonment of 20 years. Source:

Information Technology

46. March 10, The Register – (International) Apple security update leaves iPhone 3G users unprotected. Apple is leaving some of its older mobile devices unprotected with its latest patch batch. An iOS 4.3 update, which includes a number of critical security fixes, is incompatible with the widely used iPhone 3G, and older versions of the iPod Touch. The latest version of Apple’s mobile software can only be applied on the iPhone 3GSs and later models; the iPod Touch 3rd generation and later models; as well as all versions of the iPad. Security firm Sophos warned the omission of the fixes leaves users of older iPhone and iPod Touches at heightened risk of drive-by download attacks from harmful Web sites. Source:

47. March 10, IDG News Service – (International) Symantec finds fake Google Android update. Google’s latest update for its Android mobile OS appears to already have been subverted by hackers, according to the security vendor Symantec. Symantec found an application called the “Android Market Security Tool” that is a repackaged version of the legitimate update by the same name that removed the DroidDream malware from infected devices. The fake security tool sends SMSes to a command-and-control server, wrote a Symantec representative. The company is still analyzing the code, which it found on a third-party application market targeted at Chinese users. “What is shocking is that the threat’s code seems to be based on a project hosted on Google Code and licensed under the Apache License,” the Symantec representative wrote. Source:

48. March 10, H Security – (International) Apple’s iOS 4.3 fixes security holes. Apple has released version 4.3 of its iOS mobile operating system, an update that adds several new features to its mobile devices and closes a number of security holes. According to Apple, the iOS update corrects multiple vulnerabilities in the FreeType rendering library for TrueType and PostScript fonts used by CoreGraphics, buffer overflow issues in ImageIO, and a remote code execution hole in the libxml library, as well as a bug in iOS networking that could allow a server to identify a device across connections. Other fixes correct problems in the mobile version of the Safari Web browser that could, for example, cause it to exit on launch or prevent cookies from being cleared via the Safari settings. Source:

49. March 10, The Register – (International) Router-rooting malware pawns Linux-based network devices. Security researchers have discovered a rare strain of router-rooting malware that targets network devices running either Linux or Unix. The malware, which poses as an Executable and Linkable Format (ELF) file, carries out a brute-force attack on router user name-password pairs from compromised PCs. If successful, the malware sets up an IRC backdoor onto compromised systems. Early tests by net security firm Trend Micro have confirmed the malware works on routers from D-Link. Other systems may also be affected. Trend reported the malware (dubbed ELF_Tsunami-R) is circulating in Latin America. While incidents of the malware are low, the damage potential is high, Trend Micro warned. Source:

50. March 9, Softpedia – (International) New ‘open source’ exploit toolkit identified. Researchers from security vendor M86 Security have identified a new exploit toolkit being distributed on the underground market for free and being worked on as a community effort. Called k0desploit, the new toolkit is based on the notorious Eleonore exploit pack commonly used in drive-by download attacks. The k0desploit admin panel log-in page displays the text “K0de(dot)org Open Source Exploits.” M86 researchers found forum posts by the original author explaining the toolkit is an improved version of the Eleonore mod posted by Blackdevil. He said preliminary tests done on 1,000 computers revealed an infection rate of 9.6 percent, significantly more than the original 3.5 percent the Eleonore mod had. The developer also noted most successful attacks were for the Microsoft Data Access Components and Internet Explorer vulnerabilities, not Java as previous research suggested. He also claimed he got the exploits to partially work via Firefox and Chrome. Source:

51. March 9, The Register – (International) DDoS malware comes with self-destruct payload. Attacks that have wreaked havoc on dozens of South Korean government Web sites over the past week include a malicious payload that causes the infected machines recruited to carry out the assaults to spontaneously self-destruct. The distributed denial-of-service (DDoS) attacks were first spotted March 4 hitting Web sites including those of South Korea’s president, national intelligence service, and foreign ministry. A McAfee researcher reported the infected computers used in the attacks are programmed to destroy sensitive system files, a blow that can incapacitate machines. He wrote, “[The malware] uses resilience techniques to avoid a takedown and even has destructive capabilities.” “Resilience techniques” refers to a multi-stage command-and-control (C&C) structure, which spreads malicious instructions across two layers to make it harder for white hats to reverse engineer the system. The first stage contains an encrypted list of servers to a second set of C&C machines, which issue attack commands. Also, the first layer of servers is physically distributed in dozens of countries, providing backup in the event some are taken down. Once infected bots reach the second stage, they receive the list of sites to attack. But they also receive commands to self-destruct by overwriting master boot records of primary hard drives. Source:

52. March 9, Computerworld – (International) Apple patches 62 bugs in massive Safari update. Apple March 9 patched a record 62 vulnerabilities in Safari 5, updating the Mac and Windows browser to version 5.0.4. All but 6 of the 62 vulnerabilities patched were accompanied by the phrase “arbitrary code execution,” Apple’s term for rating the flaws as “critical.” According to Apple’s advisory, 57 of the 62 bugs can be exploited by “drive-by” attacks that execute as soon as a victim browses to a malicious Web site with an unpatched edition of Safari. Most of the vulnerabilities patched were in WebKit. Source:

Communications Sector

53. March 9, Mount Vernon News – (Ohio) FCC to look at city’s satellite dish ban. The city of Mount Vernon, Ohio’s recent announcement it would begin enforcing a ban on satellite dish antennae in front yards of properties within the city might get a close look from the Federal Communications Commission (FCC), Mount Vernon News reported March 9. City ordinance Chapter 1177 regulates the location and construction of dish-type satellite signal receiving antennae within the city. The stated purpose of the regulation is to protect the public health, safety, and welfare of residents. It points specifically to the maintenance of utility easements, fire safety access, prevention of accumulation of noxious weeds and debris, and the reasonable aesthetic concerns of neighborhood property owners. The FCC has rules in place governing what a local governmental group can and cannot do as far as regulating the installation of these types of dish antennae. The FCC Web site on the subject states the commission was directed by Congress in section 207 of the Telecommunications Act of 1996 to regulate installations of video-receiving antennae. The commission enforces the law through its Over-the-Air Reception Devices rule that has been in effect since October 1996. Source:

For more stories, see items 46 and 47 above in the Information Technology Sector.