Friday, March 25, 2011

Complete DHS Daily Report for March 25, 2011

Daily Report

Top Stories

· According to WINK-TV, 4 Colombian men were indicted by a federal grand jury in Miami, Florida, for trying to export 22 F-5 jet fighter engines to Iran. (See item 11)

11. March 23, WINK 9 Fort Myers – (International) Undercover agent thwarts conspiracy to export jet engines from Miami to Iran. Four Colombian men were indicted by a federal grand jury in Miami, Florida, for illegally trying to export 22 F-5 jet fighter engines to Iran, WINK-TV reported March 23. It was an online ad that caught the attention of Homeland Security Investigations. For sale: J-85-CAN-15 aircraft engines used primarily in F-5 fighter jets. F-5s are currently only used in two countries — Venezuela and Iran. An undercover agent responded to the ad, posing as a broker January 20. The undercover agent said Iranian buyers were willing to purchase the 22 engines for $320,000. Arrangements were made to ship them from Miami to Panama to Iran, a violation of the International Emergency Economic Powers Act banning exports to Iran. The four men were charged in the conspiracy March 8, and the 22 engines were seized. Source:

· The Miami Herald reports at least 169 flights were canceled at Miami International Airport in Florida, March 24, after a massive overnight fuel tank farm fire. (See item 19)

19. March 24, Miami Herald – (Florida) Fuel fire cancels dozens of flights at Miami International Airport. At least 169 flights were canceled at Miami International Airport (MIA) in Miami, Florida, March 24, after a massive overnight fuel tank farm fire that has created a major disruption for American Airlines, the airport’s biggest carrier, and stranded or delayed thousands of passengers. Firefighters worked through the night to extinguish the fire, which started late March 23 and was under control early March 24. In addition to American — which makes up about 70 percent of MIA’s traffic — other airlines also reported flight delays. The fire, on the airport’s fuel farm on the southeast corner of the airport, near LeJeune Road, cut off at least 40 percent of the airport’s fuel supply, an airport spokesman said. Airport authorities are still investigating the cause. An American Airlines spokesman said the afternoon of March 24, the airline doesn’t know how long it will take for the flight schedule to return to normal. In addition to cancelling flights, he said American was “trying to do some creative things” such as landing airplanes with a little more fuel than normal so they can avoid refueling at Miami and then stop at nearby airports –- including Tampa, Orlando, San Juan and Fort Lauderdale –- to fuel up there. A Miami-Dade Fire Rescue captain said the fuel tank farm exploded on the southeast corner of the airport, near LeJeune Road. The fire was not near runways or terminals and no one was hurt, he said. Also, it began when few flights were scheduled to land. The captain said fire rescue initially had 20 units on scene, all working to contain the blaze. Their strategy, he said, was to let the tanks already on fire burn off. Source:


Banking and Finance Sector

12. March 24, WSAU 550 AM Wausau – (Wisconsin) Guilty plea in Manson insurance fraud case. A woman who kept the books at the Manson Insurance offices in Tomahawk and Minocqua, Wisconsin, pled guilty March 23 to being part of a multi-million dollar fraud scheme. The 60-year-old admitted the company kept insurance payments that were intended for clients. She’s being charged separately from the company president. The woman was in federal court in Madison, and pled guilty to concealing a felony. She’ll be sentenced June 22, where she could get up to 3 years in prison and a $250,000 fine. The president of the company is also expected to plead guilty next month. Prosecutors believe he stole more than $9 million from more than 800 Manson customers. Source:

13. March 24, Associated Press – (California) Calif man facing 25 years in $6M Ponzi scheme. A southern California investment adviser has pleaded guilty to securities fraud for bilking elderly residents in a $6 million Ponzi scheme. Federal prosecutors in Orange County said the 58-year-old man is facing a 25-year prison term when he’s sentenced August 8. The owner of Santa Ana’s Innovative Advisory Services pleaded guilty March 23 to a count of mail fraud and a count of securities fraud, both felonies. The man placed advertisements in Orange and Los Angeles newspapers promising safe investments for a minimum $50,000 investment. But prosecutors said he took investor money and paid off prior customers or traded in securities not authorized by the investors. Investigators estimate victims lost more than $6 million. Source:

14. March 23, Indianapolis Star – (Indiana) Police arrest bank robbery suspect on Northeast side. The FBI said it captured a serial bank robber after a foiled heist on Indianapolis, Indiana’s Northeastside March 23. A 45-year-old Indianapolis man was arrested outside Huntington National Bank, 6930 Lake Plaza Drive at 11:21 a.m. FBI Safe Streets Task Force agents arrested the suspect after he robbed the bank of an undisclosed amount of cash. The suspect had the money in his pocket when he was nabbed, agents said. The FBI said the man is a suspect in several robberies in Marion County going back a year. Five banks on the Northeast side have been robbed in 10 days, but police did not disclose whether he was a suspect in those robberies. The suspect in the March 23 robbery, however, didn’t show a gun. None of the other suspects on the Northeastside showed a gun either, but one of them was a white man and the suspect arrested by the FBI March 23 is black. FBI agents took the suspect to the Indianapolis Metropolitan Police Department’s North District substation for interviewing. Source:

15. March 23, U.S. Department of Justice – (National) Founder of A&O Entities convicted in $100 million fraud scheme. A 39-year-old Houston, Texas man was convicted by a federal jury March 23 for his role in a $100 million fraud scheme with more than 800 victims across the United States and Canada. The conviction was announced March 23 by the U.S. Attorney for the Eastern District of Virginia and an Assistant Attorney General of the Criminal Division. On Sept. 7, 2010, a federal grand jury returned an 18-count indictment against the man and two other principals of A&O Resource Management Ltd. and various related entities that acquired and marketed life settlements to investors. The man was convicted on one count of conspiracy to commit mail fraud, two counts of mail fraud, one count of conspiracy to commit money laundering, two counts of money laundering, and one count of securities fraud. At sentencing he faces up to 20 years in prison on each count except the securities fraud count, on which he faces up to 5 years in prison. Evidence at the trial established that during the man’s involvement with the company, A&O obtained about $80 million from approximately 500 investors. The indictment alleged the A&O fraud scheme as a whole exceeds $100 million and affected more than 800 investors, many of whom were

elderly. Evidence at trial showed the man routinely used investor funds for personal enrichment, including a $2 million home, a Lamborghini Spyder, and a 15-carat diamond ring, among other property. In total, five individuals have pleaded guilty in connection with the A&O fraud scheme. Source:

For another story, see item 48

Information Technology

44. March 24, The Register – (International) Hackers make off with TripAdvisor’s membership list. Travel site TripAdvisor warned subscribers to expect more spam following the theft of its member database. The travel review and information Web site said an unspecified vulnerability allowed miscreants to make off with a portion of its e-mail database. TripAdvisor does not collect members’ credit card or financial information, and no passwords were obtained as a result of the breach. TripAdvisor has promised to tighten its security in the wake of the incident, which is under investigation internally. The U.S.-based Web site, which serves an international client base, has also reported the matter to police. No malware campaigns have been seen as a result of the TripAdvisor breach. Source:

45. March 23, IDG News Service – (International) SCADA vulnerabilities prompt U.S. government warning. Software vulnerabilities found in a variety of industrial control systems have prompted vendors to begin developing patches, following a warning by the U.S. government’s Computer Emergency Readiness Team (CERT). The security problems were found in SCADA (supervisory control and data acquisition) systems made by Siemens, Iconics, 7-Technologies, and Datac by a researcher whose findings appeared on his Web site and the vulnerability site Bugtraq. The U.S. CERT’s Industrial Control Systems Cyber Emergency Response Team issued four alerts March 21 regarding the researcher’s findings. All of the products have remotely exploitable vulnerabilities, the most dangerous kind. If the systems are connected to the Internet, hackers could find ways to exploit them from afar and get inside the systems to steal or manipulate data. The systems affected are Siemens’ Tecnomatix FactoryLink, which is used in the food, pharmaceutical, and metals industries, among many others. Siemens said in 2007 that it would pull FactoryLink from the market in October 2012 and help customer migrate to its WinCC product. According to material published by Siemens in 2008, more than 80,000 FactoryLink systems have been installed worldwide. Other companies hit by the disclosure include Iconics, whose Genesis32 and Genesis64 software is used in industries such as oil and gas and pharmaceuticals, and Datac, which makes RealWin. Source:

46. March 23, Softpedia – (International) Harnig botnet abandoned after Rustock takedown. A large botnet acting as distribution platform for Rustock and other malware seems to have been abandoned by its creators in an attempt to erase their tracks. Dubbed Harnig, the botnet has been part of Rustock’s propagation scheme for around 2 years. This means the bot client might exist on many of the 1 million Rustock-infected computers. The Rustock botnet, one of the world’s primary sources of e-mail spam, was taken down in a coordinated effort that saw the participation of Microsoft’s Digital Crimes Unit (DCU) and the U.S. Marshals Service. Authorities seized hard drives from hosting providers in seven U.S. cities, which were providing resources for the Rustock operation. Soon after the take down action, all Harnig command and control (C&C) servers were wiped out by the botnet’s masters in a surprising move. This is even more surprising since unlike Rustock, which hosted most of its C&C servers in the United States, Harnig’s infrastructure was much more widespread. In addition, Harnig’s client list extended well beyond Rustock. According to FireEye, the botnet was seen distributing trojans like SpyEye, Zbot, or Ertfor. The fact Harnig’s owners chose to delete everything and gave up on their entire pay-per-install operation, enforces the idea they are close to the Rustock gang, or are part of it. Source:

47. March 23, CNET News – (International) Google, Yahoo, Skype targeted in attack linked to Iran. A malicious attacker that appears to be the Iranian government managed to obtain supposedly secure digital certificates that can be used to impersonate Google, Yahoo, Skype, and other major Web sites, the security company affected by the breach said March 23. Comodo, a Jersey City, New Jersey-based firm that issues digital certificates, said the nine certificates that were fraudulently obtained, including one for Microsoft’s, have already been revoked. A fraudulent certificate allows someone to impersonate the secure versions of those Web sites — the ones that are used when encrypted connections are enabled — in some circumstances. The Internet Protocol addresses used in the attack are in Tehran, Iran, said Comodo, which believes that because of the focus and speed of the attack, it was “state-driven.” Spoofing those Web sites would allow the Iranian government to use what is known as a man-in-the-middle attack to impersonate the legitimate sites and grab passwords, read e-mail messages, and monitor any other activities its citizens performed, even if the connections were protected with SSL (Secure Sockets Layer) encryption. Source:;txt

48. March 23, The Register – (International) ZeuS cybercrime cookbook on sale in underground forums. Cybercrooks are offering what purports to be source code for the ZeuS cybercrime toolkit through underground forums. The would-be seller, nicknamed IOO, has lent credibility to the offer by including screenshots of what appears to be portions of the source code for ZeuS to his sales pitch. IOO offers to discuss the sale to prospective buyers via either Jabber or ICQ. He is prepared to accept payment via any escrow service. The screenshots make reference to peinfector.cpp, a project of ZeuS known as “Murofet”. Security researchers — while unable to verify the sale is genuine — are taking the potential offer seriously. “Prior to this there were several rumors that the Zeus/Zbot code was sold to the creator of SpyEye,” writes an eCrime specialist who works for Danish security consultancy CSIS Security. “This is also currently unconfirmed — however what is certain is the fact that someone besides the author of the ZeuS/Zbot has access to the code.” Whether the specific sale by IOO is genuine or not, the eCrime specialist is sure that the secret recipe of ZeuS has become accessible to more people over recent weeks. “We have also seen compile logs confirming that ZeuS/Zbot code is available to broader audiences,” he told The Register. Source:

Communications Sector

Nothing to report