Friday, November 23, 2012

Daily Report

Top Stories

 • A complaint in U.S. District Court November 20 alleges that a portfolio manager at an unregistered investment advisor made $276 million by trading on insider information from a neurology professor conducting a clinical trial of an Alzheimer’s drug. – Forbes See item 10 below in the Banking and Finance Sector

 • Authorities said Interstate 20 was closed in Darlington County, South Carolina, for several hours after deputies found half a dozen containers of a flammable liquid in the car of an Army deserter during a traffic stop. – Associated Press

16. November 20, Associated Press – (South Carolina) I-20 closed near Florence for possible explosives. Authorities said Interstate 20 was closed in Darlington County, South Carolina, for several hours after deputies found half a dozen containers of a flammable liquid in the vehicle of an Army deserter during a traffic stop. Deputies said they first found drugs in the vehicle during the stop November 20 on I-20 westbound about 5 miles west of Interstate 95, and a further search turned up a liquid that can be used in explosives. Authorities shut down the interstate in both directions so a bomb squad could dispose of the containers. Eastbound lanes were reopened after about 3 hours. Deputies said the driver was wanted for leaving Fort Eustis near Newport News, Virginia, without permission. Source:

 • More than 60,000 gallons of raw sewage spilled from a manhole over a two-day period the week of November 12 due to vandalism of Rockdale, Georgia’s sewer system, according to Rockdale Water Resources (RWR). – Rockdale Citizen

24. November 20, Rockdale Citizen – (Georgia) Major sewage spill caused by vandalism. More than 60,000 gallons of raw sewage spilled from a manhole over a two-day period the week of November 12 due to vandalism of Rockdale, Georgia’s sewer system, according to Rockdale Water Resources (RWR). The RWR Deputy Director said it appeared that large rocks or boulders had been thrown into the manhole where the spill occurred, or into a manhole upstream from the Scott Creek Wastewater Treatment Plant, and had then made their way down the sewer line. RWR was notified of the spill November 16 by a customer who called to say that sewage appeared to be overflowing from a manhole near a house. The deputy director said the spill flowed into a private pond on a nearby property. The sewer line blockage was cleared the same day the department was notified, Water Resources stated. The spill, which totaled 63,000 gallons, was classified as a major spill by the Georgia Environmental Protection Division (EPD). The deputy director said EPD had been notified that the spill was caused by vandalism, which could mean that only 12 months of monitoring of the spill site would be required. Source:

 • State and federal officials issued a new alarm in the ongoing outbreak of disease caused by tainted steroids from a Massachusetts drug compounder. The Tennessee Health Department will begin a new round of contact calls to 1,009 patients who could be affected. – Nashville Tennessean

28. November 21, Nashville Tennessean – (Tennessee; National) Meningitis outbreak: Officials warn of new fungal infections. State and federal officials are issuing a new alarm in the ongoing outbreak of disease caused by tainted steroids from a Massachusetts drug compounder, and the warning applies to those who may have thought they had dodged serious illness, health officials said November 20. Beginning November 26, the Tennessee Health Department will begin a new round of contact calls to 1,009 patients who received injections in Tennessee from three tainted lots of methylprednisolone acetate from the New England Compounding Center. Patients who were already contacted once will be contacted again and warned to be on the lookout for signs of an infection, said a doctor from Vanderbilt University, who participated in a briefing on the new alert November 21. Steroids from the Massachusetts compounding pharmacy have been linked to 490 illnesses and 34 deaths nationwide. In Tennessee, 82 people have been sickened and 13 have died. Source:


Banking and Finance Sector

5. November 21, ATM Marketplace – (International) EAST releases ATM fraud update; U.S. still attracts most fraud. The European ATM Security Team (EAST) published its third European Fraud Update for 2012, ATM Marketplace reported November 21. It reveals that the U.S. still ranks first for skimming fraud, and also finds that fraudsters are shifting their attention from markets where EMV is used to those where it is not — meaning that the U.S. is likely to retain its dubious distinction for some time. The update is based on crime reports from representatives of 18 countries in the single euro payments area (SEPA), as well as representatives of three non-SEPA countries. All but four countries reported continued skimming attacks at ATMs. In addition to ATMs, skimming was reported at unattended payment terminals at petrol stations, and at parking ticket machines, railway ticket machines, and point of sale (POS) terminals. Fraud losses continue to migrate away from EMV liability shift areas. The U.S. remains the top location for such losses, followed by Mexico, the Dominican Republic, and Brazil. Card issuers are continuing to take measures to block the use of payment cards outside of designated EMV liability shift areas. Eight countries now report the use of some form of geo-blocking. Fifteen countries reported cash-trapping incidents, but such attacks seem to be stabilizing or falling in most countries. Eight countries reported ram raids and ATM burglary — in many cases these were unsuccessful, but still caused significant collateral damage. Source:

6. November 21, The H – (International) Professional trojan targets SEPA transactions. Cyber-criminals are targeting the European SEPA payments network, according to a report from security specialist McAfee, The H reported November 21. Within the E.U., SEPA transactions are uncomplicated because they make no distinction between domestic and cross-border transactions. In this case, that also benefits the online crooks, who usually transfer money from the victim’s account to foreign bank accounts. The report says the malware involved is part of “Operation High Roller,” in which criminals extracted large sums from business accounts. The malware behaves much like ZeuS and similar banking trojans: after infection it hooks itself into the system’s browser and waits for the user to visit their bank’s Web site. Once there, it injects its own JavaScript (so-called web injects) into the bank’s pages, which lets it submit fraudulent transfers inside the victim’s authenticated session while showing the user an unaltered view of the account. The malware takes its instructions from a command and control server which, McAfee says, is located in Moscow. The software is hard-coded to transfer amounts of between 1,000 and 100,000 euros, depending on the balance of the account. Source:

7. November 20, CNNMoney – (New York) New York sues Credit Suisse in latest mortgage lawsuit. The New York Attorney General filed a lawsuit November 20 against Credit Suisse, alleging that the bank repeatedly defrauded investors in sales of mortgage-backed securities. The attorney general alleges that in 2006 and 2007, Credit Suisse sponsored mortgage-backed securities worth $93.8 billion that, as of August, had suffered $11.2 billion in losses. The lawsuit seeks damages to recoup these losses, as well as additional relief, meaning Credit Suisse could be on the hook for a massive penalty compared with most financial crisis-related cases. New York’s suit claims Credit Suisse deceived investors by leading them to believe that the loans in its mortgage-backed securities “had been carefully evaluated and would be continuously monitored.” The attorney general alleges that the bank “systematically failed to adequately evaluate the loans, ignored defects that its limited review did uncover, and kept its investors in the dark about the inadequacy of its review procedures and defects in the loans.” Credit Suisse said it planned to fight the lawsuit in court. Source:

8. November 20, KTVK 3 Phoenix – (Arizona) FBI seeks public’s help to identify ‘Thou Shalt Not Steal Bandit’. The FBI’s Bank Robbery Task Force is asking for the public’s help in identifying the “Thou Shalt Not Steal Bandit,” KTVK 3 Phoenix reported November 20. The FBI said the suspect is responsible for 7 bank robberies in Arizona’s Phoenix metropolitan area over the past 3 years. In the first two robberies, the suspect forced entry into the businesses adjacent to the banks prior to opening and then cut holes in the adjoining drywall to enter the banks, according to investigators. During the third robbery, the suspect entered the bank through a hole he cut in the exterior wall, and in the fourth robbery he accessed the bank through a hole he cut in the roof. Investigators said the suspect waits in the bank until employees arrive for work then confronts them with a black, semi-automatic handgun or a silver revolver and forces them to access the money. He restrains the employees with blindfolds and flex ties before fleeing with the money. During a July 3 robbery, the suspect accessed the Chase Bank through a hole in the roof and left a phone taped to a device resembling sticks of dynamite inside the bank. The suspect threatened to blow up the bank if the employees did not place money in a nearby desert wash area. Investigators believe the suspect is conducting prior surveillance and detailed planning before each of the robberies. He may have previous military experience and familiarity with bank security systems. Source:

9. November 20, New York Times – (National) DocX founder pleads guilty in foreclosure fraud. The founder and former president of DocX, once one of the nation’s largest foreclosure-processing companies, pleaded guilty November 20 to fraud in one of the few criminal cases to have arisen out of the housing crisis. The executive entered a guilty plea in federal court in Florida and a plea agreement in State court in Missouri related to DocX’s preparation of improper documents used to evict troubled borrowers from their homes. She admitted to directing DocX employees, beginning in 2005, to sign other people’s names on crucial mortgage documents. Many of the documents, such as assignments of mortgages and affidavits claiming that a borrower’s IOU had been lost, were used by banks and their representatives to foreclose on homeowners. DocX also filed falsely notarized documents with county clerks across the country. She admitted in her plea to participating in the falsification of more than a million documents. Source:

10. November 20, Forbes – (National) ‘Most lucrative insider trading scheme ever’: Trader charged with illicit $276 million score. A complaint filed in U.S. District Court in Manhattan November 20 alleges that a portfolio manager at an unregistered investment advisor made a $276 million score by trading on insider information from a neurology professor conducting a clinical trial of an Alzheimer’s drug. The complaint says the manager, while working at CR Intrinsic Investors, received material nonpublic information from a professor at the University of Michigan’s Medical School, who was in charge of a committee overseeing the trial of a drug being developed by Elan Pharmaceuticals and Wyeth in 2008. The professor, also named as a defendant along with the manager and CR Intrinsic, allegedly gave the manager information about the clinical trial and, around July 17, 2008, provided the full results of the study before their July 29 release. That led the manager to cause CR Intrinsic and affiliated portfolios of an unnamed investment advisor to sell long positions in Elan and Wyeth worth more than $700 million and to take substantial short positions. All told, the U.S. Securities and Exchange Commission claims the manager and the affiliated funds sold more than $960 million worth of the two stocks in just over a week, reaping a $276 million windfall. In a separate criminal complaint, prosecutors allege that the manager recommended that the owner of the unnamed hedge fund sell its Wyeth and Elan holdings, and that the hedge fund owner then instructed a trader to begin selling the position. The relationship between the professor and the manager was facilitated by an expert network firm, an industry that has been at the heart of a number of insider trading cases in recent years. The manager is also facing criminal charges for conspiracy to commit securities fraud. Source:

11. November 20, Bloomberg News – (National) The housing scam that’s targeting vets and seniors. The housing market is bouncing back, and so are deceptive marketing practices. That has prompted the U.S. Consumer Financial Protection Bureau (CFPB) and the U.S. Federal Trade Commission to launch investigations into six mortgage lenders and brokers that allegedly target veterans and senior citizens with misleading advertising, Bloomberg News reported November 20. The regulators also sent warning letters to a dozen more companies, urging them to review their marketing materials and make sure they are not breaking federal law. The lenders appeared to be trying to dupe consumers into thinking loans were government-backed, according to the CFPB. Some of the ads sent to the elderly included a return address line that read “Government Loan Department,” used a logo that resembled the seal of the U.S. Department of Housing and Urban Development, and displayed a Web URL bearing the initials of the Federal Housing Administration, the CFPB said. Veterans received ads that appeared to come from the U.S. Department of Veterans Affairs (VA) and offered rates under a special “economic stimulus plan” said to be expiring soon, according to the CFPB. The ads began with the phrase, “The VA is offering you,” and used logos similar to the VA’s. The ads also promised a “fixed” rate for a 30-year loan even though the fine print indicated that the rates were adjustable, according to the CFPB. Source:

12. November 20, Albany Herald – (Georgia) Family members, minister indicted in farm loan scheme. An indictment issued by a federal grand jury in Macon, Georgia, names a family and a minister in what prosecutors contend is a conspiracy to defraud the U.S. Farm Credit Administration of more than $10 million. The four men were each named in an indictment handed down November 15 and were due in court November 20. The four men were allegedly connected to the former chief lending officer at Southwest Georgia Farm Credit (SWGFC) in Bainbridge, who previously pleaded guilty to fraud. According to the indictment, one of the men, who owned Backwoods Outdoors in Leesburg, borrowed roughly $5 million from SWGFC to purchase real estate in southwest Georgia and north Florida. His father also borrowed roughly $5 million from SWGFC and allegedly acted as a “straw borrower”. The minister is alleged in the indictment to have borrowed nearly $817,000 from SWGFC, also on behalf of the son. The indictment also charges that he borrowed $195,000 from the program to purchase a home for himself. The son’s uncle is accused in the indictment of borrowing $1.7 million from the SWGFC on behalf of his nephew. In exchange for rubber-stamping the loans, the former chief lending officer and family members reportedly received thousands of dollars in kickbacks from the borrowing family, the indictment contends. The son and the minister were also indicted on charges of concealing assets in a bankruptcy, and of making false statements, respectively. Source:

13. November 19, Reuters – (International) Shadow banking hits $67 trillion globally: task force. The shadow banking system, blamed for aggravating the financial crisis, grew to a new high of $67 trillion globally in 2011, a top regulatory group said, calling for tighter control of the sector. A report by the Financial Stability Board (FSB) November 18 appeared to confirm fears among policymakers that the so-called shadow banking system of non-bank intermediaries continues to harbor risks to the financial system. The FSB, a task force from the world’s top 20 economies, also called for greater control of shadow banking, a corner of the financial universe made up of entities such as money market funds that has so far escaped the web of rules tightening around traditional banks. The European Commission is expected to propose E.U.-wide rules for shadow banking in 2013. The United States is already rolling out a framework of new rules for the $2.5 trillion money market industry. The FSB said shadow banking around the world more than doubled to $62 trillion in the 5 years to 2007, and had grown to $67 trillion in 2011, more than the total economic output of all the countries in the study. The United States had the largest shadow banking system, said the FSB, with assets of $23 trillion in 2011, followed by the euro area with $22 trillion and the United Kingdom at $9 trillion. The U.S. share of the global shadow banking system has declined in recent years, the FSB said, while the shares of the United Kingdom and the euro area have increased. Source:

Information Technology Sector

34. November 21, The H – (International) HTTP Strict Transport Security becomes Internet Standard. The Internet Engineering Task Force (IETF) published RFC 6797, which places the HTTP Strict Transport Security (HSTS) mechanism for HTTPS on the standards track (the RFC’s status is Proposed Standard, the first standards-track level, rather than full Internet Standard as the headline suggests). HSTS lets an HTTP server declare that its services may only be reached over connections secured with Transport Layer Security (TLS). From the client side, a conforming user agent that has received the Strict-Transport-Security header from a host over a valid HTTPS connection rewrites later http:// requests for that host to https:// for as long as the header’s max-age allows, and treats certificate errors for that host as fatal rather than letting the user click through them. The primary aim of HSTS is to counteract the attacks on SSL-protected Web sites demonstrated in 2009 by a security researcher (the sslstrip attack). Those attacks take advantage of the fact that users do not generally type https:// but visit the unencrypted URL and trust that they will be redirected to the HTTPS version; an attacker in the path strips that redirection without triggering any browser warning. Two caveats for deployers: the policy only protects a host once the browser has seen the header, so the very first unencrypted visit remains exposed unless the host is in a browser’s built-in preload list, and the header must be sent only over HTTPS, since user agents are required to ignore it on plain HTTP. Source:
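The client-side behaviour RFC 6797 requires, as an added illustration that is not code from the article or from any browser: an in-memory "known HSTS hosts" store that parses the Strict-Transport-Security header, ignores it when it did not arrive over HTTPS, honours max-age, includeSubDomains and max-age=0 withdrawal, and rewrites http:// URLs for hosts it knows. The host names, header values and injectable clock are assumptions made for the example.

```python
"""HTTP Strict Transport Security (RFC 6797) from the user-agent side.

Added illustration, not code from the article or from any browser. Host
names, header values and the clock are constructed for the example.
"""
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts(header):
    """Parse a Strict-Transport-Security field value.

    Returns (max_age_seconds, include_subdomains), or None when the header
    is invalid and must be ignored: max-age is required and no directive
    may appear twice (RFC 6797 section 6.1). Unknown directives are skipped.
    """
    max_age = None
    include_sub = False
    seen = set()
    for raw in header.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, value = token.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Per-user-agent cache of HSTS policies, keyed by host name."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._hosts = {}  # host -> (expiry_timestamp, include_subdomains)

    def process_response(self, url, headers):
        """Record the policy carried by a response fetched from `url`.

        Returns True when a policy was stored or withdrawn. The header is
        ignored unless it arrived over HTTPS (section 8.1); a real user agent
        must also ignore it when the certificate had errors, which this
        example assumes the fetch already enforced.
        """
        parts = urlsplit(url)
        if parts.scheme != "https" or not parts.hostname:
            return False
        sts = next((v for k, v in headers.items()
                    if k.lower() == "strict-transport-security"), None)
        if sts is None:
            return False
        parsed = parse_sts(sts)
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 withdraws the policy
        else:
            self._hosts[host] = (self._clock() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if `host`, or a parent domain whose policy has
        includeSubDomains, holds an unexpired policy. Expired entries are evicted."""
        labels = host.lower().split(".")
        now = self._clock()
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._hosts.get(candidate)
            if entry is None:
                continue
            expiry, include_sub = entry
            if expiry <= now:
                del self._hosts[candidate]
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url):
        """Section 8.3: http:// becomes https:// for known hosts; an explicit
        port 80 becomes 443 and any other explicit port is preserved.
        (Userinfo in the URL is dropped here for brevity.)"""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return url
        if not self.is_known(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port == 80:
            netloc += ":443"
        elif parts.port is not None:
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
```

Note that `rewrite` does nothing for a host the store has never seen, which is exactly the first-visit gap that preload lists exist to close.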

35. November 21, Softpedia – (International) Mozilla addresses 6 critical vulnerabilities with the release of Firefox 17. Six critical-, nine high-, and one moderate-impact vulnerabilities were fixed by Mozilla with the release of Firefox 17. The critical flaws, which an attacker could leverage to run arbitrary code and install malicious software without any user interaction, are use-after-free, buffer overflow, and memory corruption issues identified with the aid of AddressSanitizer. Other critical security holes include a CSS and HTML injection issue through the Style Inspector, miscellaneous memory safety hazards, a buffer overflow when rendering GIF images, and a crash when combining SVG text on a path with CSS. The high-impact vulnerabilities addressed in Firefox 17 were caused by improper security filtering for cross-origin wrappers, installer DLL hijacking, the evalInSandbox location context being incorrectly applied, and a memory corruption issue in str_unescape. Source:

36. November 21, Softpedia – (International) Password-stealing malware Passteal distributed via file sharing sites. Experts warn that Passteal, a piece of malware that steals credentials stored in Web browsers by bundling legitimate password recovery tools, is being distributed through file sharing Web sites. Trend Micro researchers identified Passteal versions disguised as e-books and key generators, and others bundled with installer applications. While older variants relied on PasswordFox to extract logins saved in Firefox, a new version (TSPY_PASSTEAL.B) uses WebBrowserPassView instead, which lets the attackers retrieve passwords saved in Internet Explorer, Firefox, Chrome, and Safari. Source:

37. November 21, The H – (International) Rootkit infects Linux web servers. A previously unknown rootkit is infecting Linux Web servers and injecting malicious code into the Web pages they serve. The rootkit was discovered by a user of the Full Disclosure security mailing list, who posted his observations, including the suspicious kernel module, to the list. The malware adds an iframe to every Web page served by the infected system via the nginx proxy, including error pages. Anyone who visits a page on the server is then served, inside that iframe, a specially crafted page that probes the visitor’s browser for weaknesses; once an exploitable hole is identified, it is used to install malware on the visitor’s system. The compromised Web server is thus used only as a redirector to another server that infects the visitors’ systems, typically poorly maintained Windows machines. Kaspersky Lab analysed the malware and dubbed it Rootkit.Linux.Snakso.a. The rootkit targets 64-bit systems and was compiled for kernel version 2.6.32-5, the kernel shipped with Debian Squeeze, so it will not load as-is on a server running a different kernel build. After boot, it determines the memory addresses of a number of kernel functions and hooks them, and it obtains deployment instructions from a command and control server. According to Kaspersky, the rootkit may still be under development, as it was compiled with debug information left in. Source:
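A check for the symptom described above, as an added example that is not from the Full Disclosure post or from Kaspersky’s analysis: it does not look for the kernel module itself but for what the rootkit produces, an iframe to an unrelated host added to every response the front end serves, error pages included. The captured responses, host names and allowlist below are constructed for the example.

```python
"""Spotting an injected iframe across served pages, error pages included.

Added example, not from the Full Disclosure post or Kaspersky's analysis.
The responses, host names and allowlist are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src.strip())


def iframe_sources(html):
    """Return the src of every <iframe> in a document, in document order."""
    parser = _IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.srcs


def suspicious_iframes(responses, allowed_hosts):
    """responses: iterable of (path, status, body) captured from the server.

    Flags any iframe whose host is not on the allowlist, and any iframe at
    all in an error response, where legitimate content rarely embeds frames.
    Returns a list of (path, status, src, reason).
    """
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for path, status, body in responses:
        for src in iframe_sources(body):
            # urlsplit handles absolute, protocol-relative (//host/..) and
            # relative srcs; hostname is None for relative ones.
            host = (urlsplit(src).hostname or "").lower()
            if host and host not in allowed:
                findings.append((path, status, src, "offsite-iframe"))
            elif status >= 400:
                findings.append((path, status, src, "iframe-in-error-page"))
    return findings


def common_iframe_sources(responses):
    """Iframe srcs present in every captured response: a frame that appears
    on unrelated pages and on error pages alike is the injection signature."""
    per_page = [set(iframe_sources(body)) for _, _, body in responses]
    return set.intersection(*per_page) if per_page else set()


# Constructed sample capture: one unrelated host on every page, 404 included.
INJECTED = "http://evil-cdn.example/frame.php"
SAMPLE_RESPONSES = [
    ("/", 200,
     '<html><body><h1>Home</h1>'
     '<iframe src="https://www.example.com/widget"></iframe>'
     f'<iframe src="{INJECTED}" width="1" height="1"></iframe></body></html>'),
    ("/about", 200,
     f'<html><body><p>About us</p><iframe src="{INJECTED}"></iframe></body></html>'),
    ("/no-such-page", 404,
     f'<html><body><h1>404 Not Found</h1><iframe src="{INJECTED}"></iframe>'
     '<hr><center>nginx</center></body></html>'),
]

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_RESPONSES, {"www.example.com"}):
        print(finding)
    print("present on every page:", common_iframe_sources(SAMPLE_RESPONSES))
```

Because the injection happens in the kernel on the server, the check has to run from outside: fetch the pages (including a deliberately non-existent path) from another host and compare against what the application itself is expected to emit. A clean view of the same files read on the infected box proves nothing.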

38. November 20, – (National) Hacker found guilty of breaching AT&T site to obtain iPad customer data. A hacker charged with federal crimes for obtaining the personal data of more than 100,000 iPad owners from AT&T’s Web site was found guilty November 20. The man was found guilty in federal court in New Jersey of one count of identity fraud and one count of conspiracy to access a computer without authorization. The hacker and another man were charged in 2011 after the two discovered a hole in AT&T’s Web site in 2010 that allowed anyone to obtain the email address and ICC-ID of iPad users. The ICC-ID is a unique identifier used to authenticate the SIM card in a customer’s iPad to AT&T’s network. The two men discovered that the site would return the associated email address to anyone who supplied it with an ICC-ID; because ICC-IDs are structured, sequential identifiers rather than secrets, they could be guessed in bulk. The two wrote a script that mimicked numerous iPads contacting the Web site in order to harvest the email addresses of iPad users. According to authorities, they obtained the ICC-ID and email address for about 120,000 iPad users. The two contacted the Gawker Web site to report the hole and provided it with harvested data as proof of the vulnerability. Gawker reported at the time that the vulnerability was discovered by a group calling itself Goatse Security. AT&T maintained that the two did not contact it directly about the vulnerability and that it learned about the problem only from a “business customer.” Source:
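The class of flaw above, a lookup keyed only on a guessable identifier, beside a hardened form, as an added example that is not AT&T’s code: the subscriber table, session model, client identifier and rate-limit thresholds are all assumptions made for illustration. The hardened lookup authenticates the caller, checks that the ICC-ID belongs to the authenticated account, returns the same answer for “unknown” and “not yours” so the endpoint cannot be used as a validity oracle, and throttles a client that cycles through many distinct identifiers, which is what the harvesting script looked like from the server’s side.

```python
"""Identifier-keyed lookup (vulnerable) beside an authenticated, authorized,
rate-limited version. Added example, not AT&T's code; the table, session
model, client key and thresholds are assumptions for illustration.
"""
import secrets
import time
from collections import defaultdict, deque

# Constructed sample table: ICC-ID -> (account_id, email).
SUBSCRIBERS = {
    "8901410321111111111": ("acct-1", "alice@example.com"),
    "8901410321111111112": ("acct-2", "bob@example.com"),
    "8901410321111111113": ("acct-3", "carol@example.com"),
}


def lookup_email_vulnerable(iccid):
    """Vulnerable: the ICC-ID alone selects the record. An ICC-ID is a SIM
    identifier, not a secret, so any client that can iterate plausible
    values can harvest the whole ICC-ID -> email mapping."""
    row = SUBSCRIBERS.get(iccid)
    return row[1] if row else None


class SessionStore:
    """Minimal authenticated-session table (assumed; stands in for real auth)."""

    def __init__(self):
        self._tokens = {}

    def login(self, account_id):
        token = secrets.token_urlsafe(32)
        self._tokens[token] = account_id
        return token

    def account_for(self, token):
        return self._tokens.get(token)


class HardenedLookup:
    """Same lookup with authentication, authorization and enumeration control."""

    def __init__(self, sessions, max_distinct_per_window=5, window=60.0,
                 clock=time.time):
        self._sessions = sessions
        self._max = max_distinct_per_window
        self._window = window
        self._clock = clock
        self._seen = defaultdict(deque)  # client -> deque of (ts, iccid)

    def _over_limit(self, client, iccid):
        """Count distinct ICC-IDs a client has asked about in the window.
        Failed probes are counted too: an enumeration is mostly misses."""
        now = self._clock()
        q = self._seen[client]
        q.append((now, iccid))
        while q and q[0][0] <= now - self._window:
            q.popleft()
        return len({i for _, i in q}) > self._max

    def email_for(self, session_token, iccid, client):
        # 1. The caller must be an authenticated account, not merely a
        #    request that looks like it came from an iPad.
        account = self._sessions.account_for(session_token)
        if account is None:
            return None
        # 2. Throttle clients cycling through identifiers.
        if self._over_limit(client, iccid):
            return None
        # 3. Authorize: the ICC-ID must belong to the authenticated account.
        #    Unknown and not-yours give the same answer, so the endpoint is
        #    not an ICC-ID validity oracle either.
        row = SUBSCRIBERS.get(iccid)
        if row is None or row[0] != account:
            return None
        return row[1]
```

The ownership check in step 3 is the fix for the flaw itself; steps 1 and 2 are defence in depth, and the rate limiter in particular is also the signal a detection team would alert on, since a single client asking about thousands of distinct identifiers in minutes has no legitimate explanation on a pre-fill endpoint.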

Communications Sector

Nothing to report

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.