Thursday, October 20, 2011

Complete DHS Daily Report for October 20, 2011

Daily Report

Top Stories

• Five foreign men were arrested during a courthouse break-in in San Antonio, October 19, and police said they found photographs of public buildings, water systems, and malls from various U.S. cities in their van. – Reuters (See item 29)

29. October 19, Reuters – (Texas) San Antonio break-in sparks FBI involvement: police. Five foreign men were arrested during a courthouse break-in October 19, and police said they found photographs of public buildings, water systems, and malls from various U.S. cities in their van in San Antonio. The men, at least three of whom were in their 20s, will be questioned by a joint terrorism task force including the FBI and immigration authorities, officials said. The Bexar County spokeswoman said three men were found inside the 120-year-old Bexar County Courthouse, a landmark in downtown San Antonio, and two in a large recreational vehicle parked in front of the building. She said all five were Moroccans. Inside the RV, officials said they found "photographs of infrastructure" including shopping malls, water systems, courthouses, and other public buildings that they say were taken in cities across the United States. "They got travel documents, parking passes, they have been all over the country," a police captain said. "A lot of photographic equipment, a lot of documentation equipment (was) inside their vehicle. They are going to be held for interrogation by the FBI, Immigration and Customs Enforcement, and the joint terrorism task force," the captain said. San Antonio is home to three major military bases, and officials have notified them of the incident, and have told them to be on the lookout for any suspicious activity and vehicles. A military intelligence convention is underway at the city's convention center several blocks away, with top intelligence officials including White House officials set to speak, but investigators did not say whether there was any connection. Source:

• A powerful new computer virus that shares the same source code as the notorious Stuxnet virus has infected critical infrastructure computers around the world, said Symantec Corp. researchers. – (See item 35 below in the Information Technology Sector


Banking and Finance Sector

8. October 19, Associated Press – (National) 2 Maryland men plead guilty to identity theft charges; ring involved more than 250 victims. Prosecutors said two Maryland men pleaded guilty October 18 to being involved in an identity theft ring involving more than 250 victims in the Washington D.C. area. The two pleaded guilty to conspiring to commit access device fraud and aggravated identity theft. Prosecutors said the two men recruited, trained, and paid restaurant servers to swipe customer credit cards through a skimmer that would record the credit card numbers. They would then use the stolen numbers to re-encode cards to make purchases. Prosecutors said the pair made thousands of fraudulent transactions between January 2010 and June of this year throughout Virginia, Maryland, and Pennsylvania. Source:

9. October 19, U.S. Securities and Exchange Commission – (National) Citigroup to pay $285 million to settle SEC charges for misleading investors about CDO tied to housing market. The Securities and Exchange Commission (SEC) October 19 charged Citigroup’s principal U.S. broker-dealer subsidiary with misleading investors about a $1 billion collateralized debt obligation (CDO) tied to the U.S. housing market in which Citigroup bet against investors as the housing market showed signs of distress. The CDO defaulted within months, leaving investors with losses while Citigroup made $160 million in fees and trading profits. The SEC alleged Citigroup Global Markets structured and marketed a CDO called Class V Funding III and exercised significant influence over the selection of $500 million of the assets included in the CDO portfolio. Citigroup then took a proprietary short position against those mortgage-related assets from which it would profit if the assets declined in value. Citigroup did not disclose to investors its role in the asset selection process, or that it took a short position against the assets it helped select. Citigroup has agreed to settle the SEC’s charges by paying $285 million, which will be returned to investors. The SEC also charged the Citigroup employee primarily responsible for structuring the CDO transaction. The agency brought separate settled charges against Credit Suisse’s asset management unit, which served as the collateral manager for the CDO transaction, as well as the Credit Suisse portfolio manager primarily responsible for the transaction. The settlement is subject to court approval. Citigroup consented to the entry of a final judgment that enjoins it from violating these provisions. The settlement requires Citigroup to pay $160 million in disgorgement, plus $30 million in prejudgment interest and a $95 million penalty for a total of $285 million that will be returned to investors through a Fair Fund distribution. The settlement also requires remedial action by Citigroup in its review and approval of offerings of certain mortgage-related securities. Source:

10. October 19, Bloomberg – (Texas; International) BNP Paribas sued by U.S. over alleged commodities payment guarantee scheme. BNP Paribas SA was sued October 18 by the United States over allegations the Paris-based bank aided a grain export fraud scheme involving commodity payment guarantees provided by the U.S. Department of Agriculture. A corporate banker in BNP’s Houston office allegedly helped a scheme that defrauded the Agriculture Department of at least $78 million through deals he made with four U.S. grain exporters, according to a complaint filed in federal court in Houston. The banker knew the exporters were secretly controlled by the same foreign businessman who owned the companies importing the shipments into Mexico, according to the complaint. Source:

11. October 19, Bay City News Service – (California; Nevada) 'Mr. Magoo Bandit' suspect surrenders to FBI. An arrest was made October 18 in connection with a series of bank robberies throughout California committed by a man law enforcement officials have dubbed the "Mr. Magoo Bandit." The suspect voluntarily surrendered to FBI agents in San Diego after he was advised he was being sought by law enforcement in connection with a series of bank robberies, FBI officials said October 18. FBI officials said the suspect confessed to robbing a U.S. Bank in San Diego September 7. The U.S. Bank robbery is one of 12 heists FBI officials believe were committed by the Mr. Magoo Bandit. The bandit was linked to three bank robberies in the Bay Area. The first occurred at a U.S. Bank in Novato August 29, followed by a heist at a Chase Bank in South San Francisco September 17, and a Chase Bank in San Francisco, FBI officials said. Six of the robberies occurred in San Diego, and one each occurred in Camarillo, Thousand Oaks, and Henderson, Nevada. The bandit made no attempt to disguise himself and had a calm demeanor, according to the FBI. The suspect used a note to demand cash from tellers and, in some instances, even thanked his victims, law officials said. Source:

12. October 18, Jersey City Jersey Journal – (New Jersey; New York) Jersey City man pleads guilty in $33M life insurance scheme. A Jersey City, New Jersey, man who was a New York City insurance producer pleaded guilty October 17 to defrauding three insurance companies in a $33 million life insurance policy scheme, officials said. He pleaded guilty to insurance fraud, and two counts of theft by deception. The man, who was licensed in New York and New Jersey, admitted that between November 12, 2006 and June 4, 2008, he made fraudulent or misleading statements including fraudulent financial and medical documentation to support seven life insurance policy applications, officials said. The applications were for three $3 million life insurance policies, two $5 million policies, and two $7 million policies, officials said. He also admitted that between May 17, 2007 and June 20, 2007, he fraudulently obtained a $7 million life insurance policy and $280,230 from one of the companies as commission for that policy, officials said. Finally, he admitted that between October 16, 2007 and December 4, 2007, he fraudulently obtained a $61,898 premium reimbursement and a $150,000 unsecured loan from another policy provider, official said. On June 7, 2010, the man was sentenced to 3 years in state prison, ordered to forfeit his New Jersey insurance producer's license, and to pay a $10,000 fine after pleading guilty to two counts of insurance fraud April 12, 2010, officials said. In this earlier case, the man admitted that between May 22, 2008 and July 27, 2009, he submitted applications containing fraudulent information to secure two $7 million life insurance policies, officials said. Source:

13. October 18, Bloomberg – (Texas) SEC wins asset freeze in alleged mortgage restructuring scheme. The U.S. Securities and Exchange Commission (SEC) October 18 won a court order to freeze the assets of a Texas man and his company, claiming he raised at least $35 million by falsely telling investors he was using their money to buy and restructure pools of non-performing home mortgages. The man, who raised the money since 2008 through his firm Stewardship Fund LP, created false documents, made unauthorized financial transactions, and used new customers’ funds to pay off earlier investors, the SEC said in an complaint unsealed in U.S. district court. In several instances, he claimed to own mortgages he never acquired or purported to transfer the same pool of mortgages to multiple sets of investors. He has been the subject of at least one state court asset freeze and private lawsuits filed by different investor groups, the SEC said. He ignored the other asset freeze, and raised money from new investors to settle suits filed by earlier investors, according to the SEC. “[He] took advantage of investors who believed their investments were helping homeowners restructure their mortgages,” the head of the SEC’s regional office in Fort Worth, Texas, said in a statement. ”In many instances, it appears [he] was just pocketing the investments and using the proceeds for his own illicit purposes.” The SEC is seeking unspecified financial penalties and disgorgement of ill-gotten profits. Source:

Information Technology Sector

34. October 19, The H Security – (International) Kaspersky discovers new version of German state-sponsored trojan. Virus analysts at Kaspersky Labs discovered a new version of a trojan written for the German government by Digitask, The H Security reported October 19. It supports 64-bit versions of Windows and is able to monitor many more applications. The "big brother" of the trojan analyzed by the Chaos Computer Club (CCC) is made up of five files. They were found in an installation program by the name of scuinst.exe (Skype CaptureUnit Installer), recently detected by F-Secure. In addition to Skype, the list of processes monitored by the trojan includes other voice over Internet Protocol (VoIP) applications, browsers, and e-mail and instant messaging clients. The researchers also discovered a 64-bit driver signed using a certificate issued by fictitious CA Goose Cert; 64-bit versions of Windows will not load unsigned drivers. A normal copy of Windows will not accept the fake certificate, meaning the installation process also has to modify Windows' certificate store –- how it does this is not yet known. The Digitask development team also seems to have cribbed additional rootkit techniques and, in addition to the familiar AppInit technique, appears to have implemented a new method of activating the trojan library with the target process' privileges. Source:

35. October 18, – (International) 'Son of Stuxnet' virus could be used to attack critical computers worldwide. A powerful new computer virus that some are calling the "Son of Stuxnet" has infected critical infrastructure computers around the world, reported October 17. The new worm, dubbed Duqu, does not have the narrow focus of Stuxnet. But it shares so much code with the original virus that researchers at Symantec Corp. said it must either have been created by the same group that authored Stuxnet, or by a group that somehow managed to obtain Stuxnet's source code. "There is a common trait among the (computers) being attacked," a Symantec researcher said. "They involve industrial command and control systems." Symantec speculates that Duqu is gathering intelligence as a precursor to a future attacks. At the moment, Duqu only creates a back door into infected systems, connecting them to a command computer somewhere in India. No marching orders have yet been given, the researcher said. Duqu is so similar to Stuxnet that F-Secure's antivirus program initially identified it as Stuxnet, according to F-Secure's chief research officer. The virus is designed to leave the back door open for precisely 36 days, and then self-destruct. Symantec was first alerted to the existence of Duqu October 14, when an unnamed security firm that had already worked with a Europe-based victim shared its research with the firm. Symantec researchers worked through the weekend of October 15 and 16 trying to understand the virus. Their analysis shows Duqu may have been used to surveil computers around the world as far back as December 2010. McAfee researchers said in a blog post that both Stuxnet and Duqu utilize fraudulent "stolen" digital certificates that had been issued to companies in Taiwan. The use of what appear to be real digital certificate keys make both programs particularly deceptive. Source:

36. October 18, Infosecurity – (International) DDoS attacks against e-commerce sites last 40% longer, says VeriSign. Verisign noted that since January 1, 2011, DDoS attacks mitigated by the company for its e-commerce customers lasted significantly longer than the DDoS attacks it mitigated for all other customer verticals combined, Infosecurity reported October 18. The longer time for DDoS attacks targeting e-commerce sites is the result of the complexity of the attacks, the value of the sites, and the persistence of the attackers, according to the vice president of technology with VeriSign’s Network Intelligence and Availability Group. In a report issued in the spring of 2011, Verisign noted that successful DDoS attacks can bring down sites for hours or even days, causing businesses to suffer losses in the millions and damaging a company's brand and customer relationships. In addition, attacks against the Domain Name System (DNS) result in significant downtime for top-ranked e-commerce sites, according to Verisign’s State of DNS Availability Report for the second quarter of 2011. The report was prepared by ThousandEyes, which calculated the minimum, maximum, and average DNS availability of 1,000 Web sites during the second quarter. Source:

For another story, see item 38 below in the Communications Sector

Communications Sector

37. October 18, WBIR 10 Knoxville – (Tennessee) Service should be restored after outage in several counties. According to a statement by AT&T officials at 10:10 p.m. October 18, service should be restored to AT&T customers in parts of East Tennessee after customer's experienced outages earlier in the day. The company was investigating the cause of the problem. Dispatchers at 911 centers in Roane, Morgan, and Fentress counties said service was back up and running. Dispatchers in Scott County said service was "spotty." For several hours they had to find other ways to cover emergency calls. Emergency calls from Roane county were routed to Loudon County, while calls originating from Morgan County were routed to Anderson County during the outage. The lines went dead around 4 p.m. October 18. The director of the 911 operations center in Roane County said 911 service was disrupted for about 15 minutes while the calls were re-routed to Loudon County. He said there were no problems during that time. According to the 911 director for Roane County, officials believe a fiber optic line was cut along Highway 70 in Roane County. There is road construction going on in that area, but the director was not sure exactly where the line may have been damaged. Source: 38. October 18, Williamson Daily News – (Kentucky) Ky. house fire causes fiber network outage. A fire blazed its way through a Warfield, Kentucky, house October 14 and left far more reaching problems for thousands of residents in a four-county area, Williamson Daily News reported October 18. According to the Warfield Volunteer Fire Department chief, the fire leveled the non-occupied dwelling in very little time. However, he said, the impact was widespread, as about 300 feet of a main fiber

- 18 -

network cable for Sudden Link Cable was burned. Residents in Logan, Martin, Mingo, and Pike counties who subscribe to various services offered by Sudden Link were without telephone, television, and Internet for 12 or more hours. Sudden Link crews arrived at the fire scene early October 15 and worked into the afternoon to restore services. The fire chief, who is also an employee of Sudden Link, said the burned cable carried 165 fiber optic lines. This particular line travels through Kermit and Warfield. Farther down, the line branches out to serve businesses and households in the affected areas. Source: