Monday, June 20, 2011

Complete DHS Daily Report for June 20, 2011

Daily Report

Top Stories

• According to the Associated Press, thieves have stolen almost 1 million barrels of oil worth about $250 million from Mexico’s state-owned oil company in the first 4 months of 2011, often selling it to U.S. refineries. (See item 4)

4. June 16, Associated Press – (International) Mexico oil theft adds up to $250 million stolen in 4 months. Thieves stole thousands of barrels per day of oil products from Mexico’s state-owned oil company in the first 4 months of 2011, thefts worth about $250 million, the company’s director said June 16. The thefts amounted to 1 million barrels, a level almost 50 percent more than what thieves stole in the same period of 2010, according to Pemex. The firm’s director said the stolen fuel was the equivalent of 100 tanker trucks per day. Mexican officials said drug cartels have been involved in the thefts, often by tapping into state-owned pipelines. The thieves will sometimes inject water into pipelines to cover up the drop in pressure caused by thefts, or drill a second tap near the first to continue siphoning off oil if the first is detected. Drilling into pipelines is dangerous because of the high pressure and combustibility of the fuel; while illegal taps have caused explosions, fires, and spills in the past, authorities still find hundreds of successful taps each year. A spokesman said 556 illegal taps had been detected so far in 2011, compared to 710 in all of 2010. About 390 of the taps involved refined fuel pipelines, while about 135 were at ducts carrying crude. Because there is little market in Mexico for unrefined oil products stolen from pipelines, the thieves often sell the oil to U.S. refineries. Pemex filed lawsuits in May against nine U.S. companies for alleged involvement in buying or processing Mexican oil products. Source:

• CBS News reports a U.S. Marine reservist picked up after hours in Arlington National Cemetery was detained for possibly having explosives and weapons on his person and in his car parked near the Pentagon. (See item 31)

31. June 17, CBS; Associated Press – (Virginia) Pentagon scare suspect ID’d as Marine reservist. A source told CBS News that the man detained in the discovery of a suspicious vehicle outside the Pentagon in Arlington, Virginia June 17 has been identified as a lance corporal in the U.S. Marine Corps Reserve. The man told authorities during questioning June 17 that he was carrying explosive materials, the source told CBS News. Previously, an FBI Special Agent who heads the bureau’s counterterrorism division in its Washington, D.C. field office, told reporters a non-explosive material was found in a backpack the suspect was carrying at the time of his arrest. A law enforcement official speaking on the condition of anonymity said officials found what appeared to be an unknown quantity of ammonium nitrate. The official, who was not authorized to release the information, said nothing else was found that would have enabled an explosion. The official said tests were being done to determine the substance and the exact concentration. A law enforcement source said the suspect was carrying a notebook that contained the phrases “al Qaeda,” “Taliban rules,” and “Mujahid defeated croatian forces” when he was detained. The law enforcement source said the backpack also contained 20 spent 9 mm shell casings and 3 cans of black spray paint. The suspect was detained after the U.S. Park Police came across him early June 17 in Arlington National Cemetery, when it was closed, triggering the investigation. The Park Police then launched a search for a vehicle, which was found near the Pentagon. The 2011 red Nissan prompted the Arlington County Fire Department’s bomb disposal unit to follow protocols, including the use of a water cannon, to render the vehicle safe, an Arlington Police spokeswoman told reporters. CBS News reports the Marine Corps Memorial is open to the public. Arlington National Cemetery was briefly closed, but has since reopened. A DHS spokesman said federal agencies were involved with the investigation. “DHS is monitoring a suspicious vehicle incident causing road closures around the Pentagon,” he said. “This is a law enforcement matter at this time, with the U.S. Park Police and the Arlington County Police Department as leads and other federal agencies on the scene.” Source:

Banking and Finance Sector

13. June 17, WSVN 7 Miami – (Florida) Suspected serial bank bandit caught. Police have arrested a suspected serial bank robber in Florida, they said June 17. Police arrested the man in connection to at least three robberies in Miami-Dade and Broward counties. Investigators said the 35-year-old is believed to be behind the robbery of a Bank of America along Northeast 36th Street and North Federal Highway in Fort Lauderdale June 15. Authorities believe he also robbed another bank in Fort Lauderdale and one in North Miami Beach, the week of June 6. Source:

14. June 16, KY3 Springfield – (Missouri) Man pleads guilty for robbing bank in Springfield, using manager’s car to get away. A man from Fort Smith, Arkansas, pleaded guilty in federal court June 16 for two armed bank robberies in Springfield and Joplin, Missouri. Under the terms of a plea agreement, the man will be sentenced to 30 years in prison without chance of parole. A grand jury indicted the man April 7, 2010. By pleading guilty, the man admitted he robbed Liberty Bank in Springfield March 29, 2010, and Great Southern Bank in Joplin September 16, 2010. He also admitted he used a loaded handgun, which he carried in a shoulder holster, to steal $80,000 from Liberty Bank. He used a loaded Springfield Armory 9mm handgun to steal $404,350 from Great Southern Bank. He also pleaded guilty to brandishing a firearm in furtherance of the Great Southern Bank robbery. Source:

15. June 16, Birmingham Business Journal – (National) Taylor Bean exec Farkas charged with securities fraud, scamming TARP. The Securities and Exchange Commission (SEC) charged the former chairman and majority owner of Taylor Bean and Whitaker Mortgage Corporation (TBW) June 16 with orchestrating a large-scale securities fraud scheme and attempting to scam the U.S. Treasury’s Troubled Asset Relief Program, according to a news release on the SEC’s Web site. The man was one of several people involved in a fraud scheme that brought down Montgomery, Alabama’s Colonial Bank. The SEC alleged the group conspired together to sell more than $1.5 billion worth of fabricated or impaired mortgage loans and securities from TBW to Colonial Bank. The chairman and TBW’s former treasurer were also responsible for a bogus equity investment that caused Colonial Bank to misrepresent that it had satisfied a prerequisite necessary to qualify for TARP funds, according to the SEC. Source:

16. June 16, Oklahoma City Oklahoman – (Oklahoma) Troopers kill two, arrest one after Wright City bank robbery. Oklahoma Highway Patrol troopers shot two men to death and took a woman into custody June 16 after a suspect vehicle ran a roadblock following a bank robbery in southeast Oklahoma. Troopers set up the roadblock along State Highway 3 near Rattan in Pushmataha County after the 1 p.m. bank robbery in Wright City in nearby McCurtain County. A spokesman for the patrol said troopers spotted the suspect vehicle. The driver refused to stop and ran the roadblock. Shots were fired, and two men in the fleeing vehicle were hit, troopers said. They later died from their injuries. A woman in the car was being held for questioning by the Pushmataha County sheriff’s office. She was not injured in the incident. The spokesman said the FBI, Oklahoma State Bureau of Investigation, Pushmataha County sheriff’s office, and the patrol are jointly investigating the incident. He said no troopers were injured. Source:

Information Technology Sector

41. June 17, IDG News Service – (International) U.S. warns of problems in Chinese SCADA software. Two vulnerabilities found in industrial control system software made in China but used worldwide could be remotely exploited by attackers, according to a warning issued June 16 by the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). The vulnerabilities were found in two products from Sunway ForceControl Technology, a Beijing-based company that develops supervisory control and data acquisition (SCADA) software for many industries, including defense, petrochemical, energy, water, and manufacturing, the agency said. Sunway’s products are mostly used in China but also in Europe, the Americas, Asia, and Africa, according to the agency’s advisory. The problems could cause a denial of service issue or remote code exploitation in Sunway’s ForceControl 6.1 WebServer and its pNetPower AngelServer products. Both issues were found by a researcher from security testing company NSS Labs. Sunway issued patches for the vulnerabilities May 20. ICS-CERT said there are no known exploits for the vulnerabilities, but computer security experts generally recommend patching software as soon as possible. ICS-CERT added that it’s unlikely someone could create consistent exploit code for the two vulnerabilities, and that an attacker would need to have “intermediate” skills to exploit the problems. Source:

42. June 17, H Security – (International) Malware targets custom Android ROMs. Malware designed to exploit a flaw that granted extra permissions to applications on devices with custom Android ROMs has been identified by Lookout Mobile Security. A CyanogenMod developer confirmed the vulnerability was closed in version 7.0.3 of CyanogenMod in May, when the popular ROM was updated for a mystery “important security fix.” The problem is that if applications are signed with the same private key as the operating system, Android grants them permission to install and uninstall applications without user intervention. Normally, this would not be an issue, as the private key would be secret, but many custom ROMs are built from the Android Open Source Project (AOSP) source code, which includes publicly available private keys. Lookout found malware, which it dubbed jSMSHider, in several applications in alternative Chinese app markets. jSMSHider is signed with the “private key” from AOSP and uses the permissions flaw to install a secondary payload onto the system that could read, send, and process SMS messages, download and install more applications, communicate with a C&C remote server, and open URLs silently. Source:

43. June 17, – (International) Google looks to lock down unsecured scripts on Chromium. Google confirmed the latest versions of the Chromium platform will protect against “mixed scripting” vulnerabilities that might be hiding within secure http (https) pages. Google Chrome security team members said vulnerabilities can arise from a gap between https pages and embedded components in the page itself. In some cases, a page may be using a secure connection to encrypt data, while a component may be using an unsecure connection. Data traveling to and from the component could be intercepted by a man-in-the-middle attack. “A man-in-the-middle attacker (such as someone on the same wireless network) can typically intercept the http resource load and gain full access to the Web site loading the resource,” said the researchers. Google is updating Chromium to alter the address bar for risky pages to help guard against mixed scripting and less-severe “mixed display” flaws, which allow an attacker to use an unsecure script to alter the look of a page. Source:
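The distinction the Chrome team draws above, between “mixed scripting” (http:// script, frame, object, or stylesheet loads that can take over an https page) and less-severe “mixed display” (http:// images or media that only affect appearance), is easy to check for in page markup. The following is an added example, not code from the report or from Chromium; the HTML and host names are constructed for the demo, and the tag-to-severity mapping is a simplification of how browsers classify blockable versus passive mixed content.

```javascript
// Classify insecure (http://) sub-resource loads on an HTTPS page.
// Active content (script, iframe, object, embed, stylesheet) can rewrite the
// page or run code, so it is "mixed scripting"; images and media are "mixed display".
const ACTIVE_TAGS = { script: "src", iframe: "src", object: "data", embed: "src" };
const PASSIVE_TAGS = { img: "src", audio: "src", video: "src" };

function classifyMixedContent(pageUrl, html) {
  const findings = [];
  // Only a page served over HTTPS is downgraded by an http:// sub-resource.
  if (!pageUrl.startsWith("https://")) return findings;
  const tagRe = /<(\w+)\b([^>]*)>/g; // opening tags only ("</x>" does not match \w)
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    let attrName = null;
    let severity = null;
    if (tag === "link" && /rel\s*=\s*["']?stylesheet/i.test(attrs)) {
      attrName = "href"; severity = "mixed scripting"; // CSS can restyle/hide the page
    } else if (tag in ACTIVE_TAGS) {
      attrName = ACTIVE_TAGS[tag]; severity = "mixed scripting";
    } else if (tag in PASSIVE_TAGS) {
      attrName = PASSIVE_TAGS[tag]; severity = "mixed display";
    }
    if (!attrName) continue;
    // Match only plain http:// URLs; https:// and relative URLs are fine.
    const attrRe = new RegExp(attrName + "\\s*=\\s*[\"']?(http://[^\"'\\s>]+)", "i");
    const a = attrRe.exec(attrs);
    if (a) findings.push({ tag, url: a[1], severity });
  }
  return findings;
}

// Worst outcome for the page, as a browser's address-bar indicator would summarize it.
function worstSeverity(findings) {
  if (findings.some(f => f.severity === "mixed scripting")) return "mixed scripting";
  if (findings.length > 0) return "mixed display";
  return "none";
}

// Constructed sample page: one secure script, three active http:// loads, one image.
const SAMPLE_HTML = `
<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/analytics.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<iframe src="http://ads.example.test/frame.html"></iframe>
</body></html>`;

function demo() {
  return classifyMixedContent("https://shop.example.test/checkout", SAMPLE_HTML);
}
```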

44. June 16, IDG News Service – (International) Fraud starts after LulzSec group releases email, passwords. More than 62,000 users must now change passwords and closely monitor their online accounts after LulzSec posted their e-mail addresses and passwords to the Internet June 16 and some were used to make purchases not authorized by the accountholders. It is unclear where all of the LulzSec e-mail addresses and passwords came from. At least 12,000 of them were gathered from, a discussion forum for readers and writers of mystery and romance novels. The site’s technical staff is trying to figure out how they were stolen, and is in the process of contacting victims, according to Writerspace’s owner. The 62,000 e-mail addresses and passwords belong to victims at large companies such as IBM, as well as in state and federal government. Affected agencies include the U.S. Army, Navy, and Air Force, the U.S. Federal Communications Commission, the U.S. National Highway Traffic Safety Administration, the U.S. Department of Veterans Affairs, and the U.S. Coast Guard. Source:

45. June 16, Help Net Security – (International) Free Web hosting is a boon to phishers. According to a Zscaler researcher, free hosting services are a boon for scammers, since they need a place to set up malicious sites as quickly as they get pulled down. There are many such services on the Web, and among them is a free anonymous Web hosting service. Although the intentions of the people behind the service are honorable, the site has proven very handy for phishers. “Try searches on the site for terms such as ‘site:pastehtml(dot)com facebook login’ or ‘site:pastehtml(dot)com paypal’,” points out the researcher. “Most of the pages are malicious.” While the service tries to keep pace and take down or block the pages in question — or sets up warnings for users to see when they try to view them — it is a constant race against the clock, not to mention a drain on its resources. Unfortunately, there is no easy solution for them, and until there is one, users must become accustomed to checking the URL in the address bar to be sure they have landed on the right pages. Source:

46. June 16, The Register – (International) Firefox Web 3D engine fosters image theft bug. An industry standard graphics engine recently added to Mozilla’s Firefox browser allows attackers to surreptitiously steal any image displayed on a Windows or Mac computer by visiting a booby-trapped Web site, security researchers have warned. The vulnerability, reported June 16 by England-based Context Information Security, is unique to Mozilla’s implementation of the 3D-acceleration API known as WebGL, but researchers with the firm said it is related to serious design flaws in the cross-platform technology. The report comes 5 weeks after Context first warned of data-theft and denial-of-service threats in WebGL, which is also built into Google Chrome, and developer versions of Opera and Apple’s Safari. Source:

Communications Sector

47. June 17, KCCI 8 Des Moines – (Iowa) New attacks on cellphone towers impacting service. According to police in Des Moines, Iowa, two cellphone towers were hit by vandals June 16 in the 3500 block of East Douglas. Police said the towers serve Sprint, AT&T, T-Mobile, and U.S. Cellular. In the middle of the night, the phone companies were alerted to a power failure by alarms going off. They found the power meters pulled off and taken, the ground wires cut, and all the copper gone. The same night, another AT&T tower was stripped on Indiana Street, according to police. About 2 weeks ago, thieves using the same method struck a different AT&T and Erikson service tower on the 1800 block of County Line Road. Police said at one tower alone, they took at least 150 feet of thick copper wire. Scrap dealers said copper is now selling for between $3 and $4 per pound, and they pay cash. They said there is no way to tell if something is stolen because so many demolition and construction crews bring in scrap metal. Police said they have never seen theft from these targets before in Des Moines, but copper thieves are targeting these towers in other parts of the country. Workers who are making repairs to the towers said the thieves were not amateurs, and that they knew what they were doing. Des Moines police are now searching for the suspect(s). Source:

48. June 16, Washington Post – (International) NSA allies with Internet carriers to thwart cyber attacks against defense firms. The Washington Post reported June 16 the National Security Agency (NSA) was working with Internet service providers to deploy a new generation of tools to scan e-mail and other digital traffic with the goal of thwarting cyberattacks against defense firms by foreign adversaries, according to senior defense and industry officials. The novel program, which began in May on a voluntary, trial basis, relies on sophisticated NSA data sets to identify malicious programs slipped into the vast stream of Internet data flowing to the nation’s largest defense firms. Such attacks, including in May against Lockheed Martin, are nearly constant as rival nations and terrorist groups seek access to U.S. military secrets. Officials said the pilot program does not involve direct monitoring of the contractors’ networks by the government. The program uses NSA-developed “signatures,” or fingerprints of malicious code, and sequences of suspicious network behavior to filter the Internet traffic flowing to major defense contractors. That allows the Internet providers to disable the threats before an attack can penetrate a contractor’s servers. The trial is testing two particular sets of signatures and behavior patterns that the NSA has detected as threats. The Internet carriers are AT&T, Verizon, and CenturyLink. Together they are seeking to filter the traffic of 15 defense contractors, including Lockheed Martin, Computer Science Corporation (CSC), Science Applications International Corporation (SAIC), and Northrop Grumman. Source:

For more stories, see items 42 and 44 above in the Information Technology Sector