Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, March 31, 2010

Complete DHS Daily Report for March 31, 2010

Daily Report

Top Stories

Details

 The Associated Press reports that an anhydrous ammonia leak possibly caused by methamphetamine makers led authorities to evacuate at least three Taylorsville, Indiana neighborhoods early Tuesday, delay schools, and close a major highway. (See item 6)


6. March 30, Associated Press – (Indiana) Ammonia leak causes evacuation. An anhydrous ammonia leak possibly caused by methamphetamine makers led authorities to evacuate at least three Taylorsville neighborhoods in the middle of the night, delay schools and close a major highway. One motorist who drove through the ammonia cloud early on March 29 sought medical attention, and medics were dispatched to some locations, said a lieutenant of the Bartholomew County Sheriff’s Department. The pre-dawn darkness and fog in the area made it difficult to determine whether the cloud was dissipating as it drifted southward toward Columbus, he said. Some schools delayed opening for two hours as a precaution. A passer-by reported a suspicious vehicle and a noticeable cloud and odor about 2:30 a.m. at a business south of Taylorsville, he said. A deputy in the area immediately arrested one woman, and investigators were searching for two other people possibly involved in making methamphetamine, he said. Authorities went door to door to immediately evacuate one neighborhood of about 75 homes and asked residents of at least two other subdivisions to evacuate. Some chose to remain in their homes but took precautions to reduce their exposure to the ammonia. About 60 evacuees went to the Edinburgh Separate Baptist Church, located north of the ammonia leak, a deacon at the church told the Columbus Republic. Source: http://www.wane.com/dpp/news/indiana/Amonia-leak-causes-evacuation


 CNN reports that a major rainstorm hit the Northeast Tuesday, threatening more flooding in the saturated region and prompting state authorities to close some roads and ready sandbags, trying to prevent rivers, lakes, reservoirs and dams from overflowing. According to the Associated Press, the Rhode Island Emergency Management Agency said officials feared Interstate 95 could end up under water in some sections. (See items 26 and 65)


26. March 30, Associated Press – (Northeast) Rhode Island expecting worst flooding in over century. The second major rainstorm of the month pounded the Northeast on Tuesday, pushing rivers over their banks, closing roads and schools, prompting evacuations, and shattering at least one rainfall record. The Rhode Island governor asked residents Tuesday afternoon to get home by dinnertime to avoid traveling in what officials expect to be the worst flooding to hit the state in more than 100 years. Standing water pooled on or rushed across roads in the region, making driving treacherous and forcing closures. A spokesman for the Rhode Island Emergency Management Agency said officials feared Interstate 95, a major East Coast thoroughfare, could end up under water in some sections. In Maine, a dam in Porter let loose Tuesday morning, sending a torrent of water down country roads. One road ended up covered with 2 feet of water, but no evacuations or injuries were reported. On Long Island, rain coupled with tides inundated a 20-mile stretch of oceanfront road in Southampton. Weather-related delays averaged three hours at Newark Liberty International Airport, and two hours at New York’s La Guardia Airport, according to the Port Authority of New York and New Jersey. In New York City, a mudslide caused some interruptions on a commuter rail line in the Bronx. Source: http://www.foxnews.com/us/2010/03/29/flooding-threatens-storm-weary-east-coast/


65. March 30, CNN – (Northeast) Northeast braces for new round of floods. A major rainstorm walloped the Northeast Tuesday, threatening more flooding in the saturated region and prompting state authorities to close some roads, ready sandbags, and prepare residents. For the past three days, 700 members of the Massachusetts National Guard have been filling sandbags around the clock, trying to prevent rivers, lakes, and reservoirs from overflowing, said the public information officer from the Massachusetts Emergency Management Agency. “We’re trying to get the pumps going and distribute the tens of thousands of sandbags we filled,” the officer said. “We haven’t fully recovered from the storm two weeks ago, and now this. It’s a challenge.” Clinton, in east-central Massachusetts, is hit particularly hard when there is severe rain, said the town administrator. The town is situated beside the Wachusett Reservoir, which serves as one of Boston’s major water suppliers. “The reservoir is overflowing,” he said. “And there’s just nowhere to put the water.” The state’s senior U.S. senator visited a nearby neighborhood on Sunday because a number of homes near the reservoir suffered major damages from previous storms. In Connecticut, the weather service placed the entire state under a flood watch through Tuesday, and an evacuation was under way in one part of Stonington. A Stonington First Selectman said water was close to overtopping a dam in Pawcatuck, one of the villages in Stonington, in southeastern Connecticut. City officials have opened a shelter, blocked off a number of roads and were also monitoring two dams, he said. Connecticut already has a stockpile of 180,000 sandbags, but the governor has directed the state Department of Emergency Management and Homeland Security to secure an additional 300,000 sandbags. Source: http://www.wibw.com/nationalnews/headlines/89525817.html


Banking and Finance Sector

17. March 30, IDG News Service – (National) JC Penney tried to block publication of data breach. Retailer JC Penney fought to keep its name secret during court proceedings related to the largest breach of credit card data on record, according to documents unsealed on March 29. JC Penney was among the retailers targeted by a ring of hackers, which managed to steal more than 130 million credit card numbers from payment processor Heartland Payment Systems and others. The mastermind was sentenced to 20 years in prison on Friday in U.S. District Court for the District of Massachusetts. In December, JC Penney — referred to as “Company A” in court documents — argued in a filing that the attacks occurred more than two years ago, and that disclosure would cause “confusion and alarm.” However, it was already suspected JC Penney was one of the retailers after the Web site StorefrontBacktalk was the first outlet to accurately report in August 2009 that JC Penney was among the retailers targeted by the mastermind’s group. Source: http://www.computerworld.com/s/article/9174363/JC_Penney_tried_to_block_publication_of_data_breach


18. March 30, Bank Info Security – (Virginia) VA bank merger creates security breach. A bad file that went awry during a bank merger caused a security breach at a community bank in Virginia. Some Union First Market Bank customers found that their bank account information was accessible to other customers after two banks, Union Bank and Trust Company and First Market Bank, merged on March 22 to become Union First Market Bank. The newly-merged bank is part of Union First Market Bankshares Corp., ($2.94 billion in assets) based in Richmond, Virginia. Bank officials say that when online bill-pay accounts were transferred from First Market Bank to Union First Market Bank over the weekend of the merger, a bad file containing information of around 1000 customers was sent. That data then was accessible to some other customers. The bank worked last week to fix the problem, and representatives say the institution will offer credit checks and identity theft protection to customers impacted by the glitch. According to the bank, its online banking portal — which was taken offline when the breach was discovered — is now restored and available to use for all “but a limited number” of customers still affected by the bad file. Source: http://www.bankinfosecurity.com/articles.php?art_id=2351


19. March 29, U.S. Department of Justice – (New Jersey) Pamrapo Savings Bank of New Jersey pleads guilty to conspiracy to commit Bank Secrecy Act violations and forfeits $5 million. Pamrapo Savings Bank S.L.A., a wholly-owned subsidiary of Pamrapo Bancorp Inc., based in Bayonne, New Jersey, pleaded guilty in U.S. District Court for the District of New Jersey to conspiracy to violate the Bank Secrecy Act and has agreed to forfeit $5 million to the United States. According to the criminal information filed on March 29 in U.S. District Court in Trenton, New Jersey, Pamrapo Savings Bank conspired with others to conceal its customers’ illegal or suspicious activities by failing to file currency transaction reports (CTRs) and suspicious activity reports (SARs) and by willfully failing to maintain adequate anti-money laundering programs. Pamrapo Savings Bank admitted that it willfully violated the Bank Secrecy Act to avoid the expenses associated with compliance, despite federal and state banking regulators telling Pamrapo Savings Bank as early as 2004 that its Bank Secrecy Act and anti-money laundering programs contained serious and systemic deficiencies in critical areas required under the law. Specifically, Pamrapo Savings Bank admitted during its guilty plea that it unlawfully failed to file CTRs and SARs related to approximately $35 million in illegal and suspicious financial transactions, including more than $5 million in structured currency transactions. The bank acknowledged that its willful failure to maintain adequate Bank Secrecy Act and anti-money laundering programs resulted in numerous and repeated violations of the law. Source: http://www.justice.gov/opa/pr/2010/March/10-crm-335.html


20. March 29, KTVB 7 Boise – (Idaho; Oregon) Phishing scam hits the Treasure Valley. A new phishing scam is hitting the Treasure Valley and now the Better Business Bureau is warning people before they fall victim. The scam comes in the form of a text message saying, “BOTC Alert: Your card starting with 4266 has been deactivated. Please contact us at (208) 473-2643 to reactivate your card.” “Technology makes it so easy for the scam artist to set up what looks like a local number,” said the president of Idaho Better Business Bureau, serving Southeast Idaho and Eastern Oregon. “It’s important for folks to realize the Bank of the Cascades, or any bank, is not going to send a text message saying ‘your account has been closed or deactivated and that you need to call in to reactivate it’.” Delete the message if received. A similar scam happened in January 2009 when a bogus text message was sent around the area that read, “unusual activity has happened on your Bank of the Cascades account.” Source: http://www.nwcn.com/news/idaho/Phishing-scam-hits-the-Treasure-Valley-89399837.html


21. March 29, Reuters – (International) Four charged in $60 million Ponzi scheme in Canada. Canadian police laid fraud and money laundering charges on Monday against four people accused of bilking 1,000 investors across North America in a $60 million Ponzi scheme. The Royal Canadian Mounted Police charged three men and a woman in connection with the business of a company called HMS Financial Inc, which allegedly promised investors returns of 8 percent to 12 percent between 2001 and 2004. The four are from Alberta, where RCMP commercial crime investigators arrested two men last year in connection with a separate scheme that allegedly fleeced investors out of as much as C$400 million ($392 million). The four suspects were charged with laundering the proceeds of crime. Source: http://ca.reuters.com/article/businessNews/idCATRE62S5ET20100329


22. March 29, Reuters – (Ohio) West Point grad charged in $30 mln US Ponzi scheme. A West Point graduate who claimed his knowledge of physics allowed him to predict “with an uncanny degree of certainty” trends in the futures market was accused on Monday in Ohio of perpetrating a $30 million Ponzi scheme. Federal prosecutors charged the 47-year-old suspect with one count of wire fraud for allegedly scamming 26 investors out of $29.7 million through the sale and purchase of futures contracts. The suspect is accused of promising investors returns of 8 to 12 percent by using a “Money Market Plus” methodology and by combining his knowledge of physics with a unique “momentum filter,” prosecutors said. The complaint also charged that the suspect did not put promised “stop” orders in place to prevent excessive losses and that he diverted millions of dollars in investor money to fund Rico Latte coffee shops in Ohio, to purchase real estate, and to make payments to some investors. Source: http://www.reuters.com/article/idUSN2910023520100329


23. March 29, WESH 2 Orlando – (Florida) Skimmer found on Daytona Beach ATM. It may not have looked different to bank customers, but an automated teller machine at a Daytona Beach bank was rigged to steal debit card information from customers. A Bank of America employee realized criminals were at work. The employee works at a branch in Flagler County but contacted authorities on Sunday when the device was found attached to the ATM. For nearly seven hours, authorities said any customer using the walk-up ATM at 1550 S. Clyde Morris Blvd. may have been vulnerable to the skimming device. Police said they have surveillance images of a crook attaching the device to the ATM. Another man put an out-of-order sign on the drive-through ATM, so customers would use the other one. Source: http://www.wesh.com/news/22992221/detail.html


Information Technology


50. March 29, Computerworld – (International) Apple delivers record monster security update. Apple today patched 92 vulnerabilities, a third of them critical, in a record update to its Leopard and Snow Leopard operating systems. Security Update 2010-002 plugged 92 holes in the client and server editions of Mac OS X 10.5 and Mac OS X 10.6, breaking a record that has stood since March 2008. The update dwarfed any released last year, when Apple’s largest patched 67 vulnerabilities. The March 29 security roll-up fixed flaws in 42 different applications or operating system components in Mac OS X, from AppKit and Application Firewall to unzip and X11, the Mac’s version of the X Window System. Eighteen of the vulnerabilities were specific to the older Leopard operating system, while 29 were specific to Snow Leopard. The remaining 45 affected both, which are the only editions that Apple currently supports. Users running Leopard will patch 63 vulnerabilities, while Snow Leopard users face a total of 74 flaws. Source: http://www.computerworld.com/s/article/9174337/Apple_delivers_record_monster_security_update


51. March 29, Help Net Security – (International) Office photocopiers brimming with corporate secrets. Most people fail to realize that modern, multi-purpose photocopiers contain hard drives that - if not erased when decommissioned - could prove to be a treasure trove of confidential information for a person who knows how to extract it. Hard copies of important documents are shredded and computer disks are securely wiped, but it is rare that the same is done with the drive of the copy machine, because most people don’t think of it as a computer - which it in fact is. “The whole system is controlled by a computer, it has a hard disk. It scans images and they are stored on the disc,” says a computer science professor with the University of Toronto. That also means that a hacker who knows the password can hack into the photocopier and collect all the data stored on the drive by simply connecting a laptop to the machine and downloading it. Copy machines that are part of an insecure network can be accessed online even by people who don’t know how to hack. But machines that are leased to companies and that are taken back after a few years can do some serious damage to their former “owners.” Source: http://www.net-security.org/secworld.php?id=9070


52. March 29, eWeek – (International) Microsoft to release IE security patch. Microsoft is planning to patch a zero-day bug in Internet Explorer on March 30 with an out-of-band emergency fix. The patch plugs a security hole Microsoft first warned about March 9 after attackers began targeting the vulnerability in IE 6 and 7. IE 8 is unaffected. The driving force behind the release is the zero-day, which is caused by an invalid pointer reference. Under certain conditions, the invalid pointer can be accessed after an object is deleted, and in attempting to access a freed object IE can open itself to remote code execution, Microsoft reported. According to the company’s advisory, attackers can exploit the situation by tricking a user into clicking on a malicious or compromised Web page. There are, however, some workarounds to mitigate the vulnerability, including changing Internet security zone settings to High. In addition, users can modify the access control list on iepeers.dll. Source: http://www.eweek.com/c/a/Security/Microsoft-to-Release-IE-Security-Patch-600179/


53. March 29, DarkReading – (International) Windows 7 less vulnerable without admin rights. Taking away the administrative rights from Microsoft Windows 7 users will lessen the risk posed by 90 percent of the critical Windows 7 vulnerabilities reported to date and 100 percent of the Microsoft Office vulnerabilities reported last year. It will also mitigate the risk of 94 percent of vulnerabilities reported in all versions of Internet Explorer in 2009 and 100 percent of the vulnerabilities reported in Internet Explorer 8 during the same time period. Finally, it will reduce the danger posed by 64 percent of all Microsoft vulnerabilities reported last year. These findings come from a study conducted by BeyondTrust, which perhaps unsurprisingly sells software that restricts administrative privileges. The company argues that companies need its software to protect themselves, particularly during the time between Microsoft’s publication of vulnerability information and the application of Microsoft’s fixes. Source: http://www.darkreading.com/insiderthreat/security/app-security/showArticle.jhtml?articleID=224200601&subSection=Application+Security


54. March 29, PRESCIENT-Project – (International) European Commission launches new privacy project. Emerging technologies offer significant benefits but also risks to our privacy. How to deal with these risks is the subject of a new three-year project funded by the European Commission. Called PRESCIENT, the project will be considering the privacy implications of emerging technologies such as new identification and surveillance technologies, biometrics, on-the-spot DNA sequencing and technologies for human enhancement. The project will identify and analyze ethical issues posed by new technologies and discuss them with interested stakeholders and, in due course, provide scientifically based recommendations to policy makers on how to address privacy issues of emerging technologies. The PRESCIENT project is being undertaken by a consortium of four partners. In addition to Fraunhofer ISI in Germany, the other partners are Trilateral Research & Consulting (UK), the Centre for Science, Society and Citizenship (Italy) and the research centre Law, Science, Technology & Society at the Vrije Universiteit Brussel (Belgium). Source: http://www.darkreading.com/security/privacy/showArticle.jhtml?articleID=224200678&subSection=Privacy


55. March 29, eSecurity Planet – (International) Facebook mulls privacy implications for location-based data. As it looks ahead to a new crop of products and features, Facebook has revised its privacy policy and governing document once again, and is now inviting its users to review and comment on the changes. Facebook’s deputy general counsel said the revisions clear the path for new features to the site, many of which are still in the concept or development stages, but will include more location-based data. Instead of simply including a piece of geographical information with a post, as the original privacy policy had envisioned, the deputy general counsel said the location-aware rules are being broadened to apply to include interactions with other Facebook pages, such as those of a local restaurant or business. He said that more details and explicit privacy controls for the location-based features and other updates will be announced as the products roll out. Many of the updates seek to expand or clarify language in the previous version of the privacy policy without altering its substance. Other changes contain stipulations revising the way data is shared and collected through activities on the third-party applications and Web sites tied to the Facebook Platform. For instance, the rules now assert Facebook’s right to automatically share general information, such as a user’s name and profile picture, to “pre-approved” third-party Web sites, but offer users mechanisms to opt out or block certain sites. Source: http://www.esecurityplanet.com/features/article.php/3873386/Facebook-Mulls-Privacy-Implications-for-Location-Based-Data.htm


56. March 26, DarkReading – (International) SaaS apps may leak data even when encrypted, study says. Applications delivered via the software-as-a-service (SaaS) model could be leaking data, according to a research paper published recently. The paper, which was prepared by researchers at Microsoft Research and Indiana University, offers a detailed look at the behavior of SaaS-delivered applications and how their use of networks can cause “side-channel” leaks that might enable attackers to glean even the most sensitive data — even when the SaaS offerings are encrypted. “Specifically, we found that surprisingly detailed sensitive information is being leaked out from a number of high-profile, top-of-the-line Web applications in healthcare, taxation, investment, and Web search,” the paper says. The leaks don’t happen in every SaaS application, the researchers say, and some are worse than others. But the network-oriented behavior of SaaS applications means that the side-channel flaw could be present even in environments that use strong encryption. Source: http://www.darkreading.com/securityservices/security/app-security/showArticle.jhtml?articleID=224200457


57. March 26, The H Security – (International) US-CERT: Broadcom NetXtreme network cards vulnerable. The US-CERT warns of a security hole in the firmware of certain Broadcom NetXtreme network cards. According to the relevant advisory, a buffer overflow can be triggered during the processing of Alert Standard Format (ASF) messages, which are exchanged when systems are managed remotely. The flaw allows attackers to take full control of the network interface and, for instance, disrupt or redirect network traffic. The security hole can only be exploited if remote management using the Remote Management and Control Protocol (RMCP) over the RMCP Security Extensions Protocol (RSP) has been enabled. Broadcom says that the vulnerability affects models BCM5751, BCM5752, BCM5753, BCM5754, BCM5755, BCM5756, BCM5764 and BCM5787 with firmware up to and including v8.04, BCM57760 with firmware up to and including v8.07, and BCM5761 with firmware up to and including v1.24.0.9. As a workaround, the vendor recommends that users disable ASF or restrict access to the 623/udp and 664/udp management ports to trusted IPs. Updating to the Broadcom NetXtreme 14.0 software release upgrades the firmware to a corrected version. Source: http://www.h-online.com/security/news/item/US-CERT-Broadcom-NetXtreme-network-cards-vulnerable-965135.html


Communications Sector

58. March 30, Salisbury Daily Times – (Maryland) Ospreys disrupt Public Radio signal. Public Radio Delmarva is experiencing signal disruption as ospreys return to their prior perching place. The osprey, also known as the sea hawk, has returned to Salisbury University’s campus for spring. The birds and their young are beginning to practice flight from the antenna that carries Public Radio Delmarva’s signal, creating frequent interruptions for the station and its listeners. Having resided on this particular antenna for several years, the birds have made the problem worse this spring than ever before. Source: http://www.delmarvanow.com/article/20100330/NEWS01/3300344/1002/Ospreys-disrupt-Public-Radio-signal


59. March 29, Associated Press – (Florida) Miami-Dade inmates involved in collect call scheme. Inmates at Miami-Dade jails have been charging tens of thousands of dollars in collect calls to unsuspecting victims by forwarding calls from fax lines to friends. Corrections officials say the inmates forward the calls through AT&T from a victim’s fax line to friends and relatives who can accept the call and do not have to pay the bill. Victims include a South Florida federal judge and a Miami Herald columnist. The Alabama-based Global Tel Link has reimbursed customers nearly $200,000 over the last two years. Officials say there is little they can do, since the forwarding is done through AT&T. An AT&T spokeswoman says the company is investigating. Source: http://www.miamiherald.com/2010/03/29/1553051/miami-dade-inmates-involved-in.html


Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, March 30, 2010

Complete DHS Daily Report for March 30, 2010

Daily Report

Top Stories

Details

 The Associated Press reports that nine suspects tied to Midwest Christian militia group Hutaree were charged on Monday with conspiring to kill police officers, then attack a funeral using homemade bombs in the hopes of killing more law enforcement personnel. The Detroit Examiner reports that the Joint Terrorism Task Force became interested in Hutaree when the group made threats of violence against certain Islamic organizations. (See items 55 and 70)

55. March 29, Associated Press – (National) 9 militia members charged in police-killing plot. Nine suspects tied to a Midwest Christian militia that was preparing for the Antichrist were charged with conspiring to kill police officers, then attack a funeral using homemade bombs in the hopes of killing more law enforcement personnel, federal prosecutors said Monday. The Michigan-based group, called Hutaree, planned to use the attack on police as a catalyst for a larger uprising against the government, according to newly unsealed court papers. A U.S. Attorney said agents moved on the group because its members were planning a violent mission sometime in April. Members of the group were charged following FBI raids over the weekend on locations in Michigan, Ohio, and Indiana. The idea of attacking a police funeral was one of numerous scenarios discussed as ways to go after law enforcement officers, the indictment said. Other scenarios included a fake 911 call to lure an officer to his or her death, or an attack on the family of a police officer. Once other officers gathered for a slain officer’s funeral, the group planned to detonate homemade bombs at the funeral, killing more. After such attacks, the group allegedly planned to retreat to “rally points” protected by trip-wired improvised explosive devices for what they expected would become a violent standoff with law enforcement personnel. Eight suspects have been arrested by the FBI, and one more is being sought. The charges against the eight include seditious conspiracy, possessing a firearm during a crime of violence, teaching the use of explosives, and attempting to use a weapon of mass destruction. Source: http://www.google.com/hostednews/ap/article/ALeqM5hGc00FR9o4OUr36gm80mOpG00ccwD9EOE9I80

70. March 29, Detroit Examiner – (National) FBI task force busts members of Christian militia, charges to be revealed today. At least seven members of the Hutaree, a militant Christian group based in Adrian, were taken into custody by the FBI-led Joint Terrorism Task Force over the weekend. The members, picked up in Michigan, Ohio, Indiana and Illinois, will learn their fate at the US district courthouse in Detroit Monday, when an indictment against them will be unsealed. The task force reportedly became interested in the Hutaree when the fringe group made threats of violence against certain Islamic organizations. The Michigan Militia has taken care to distance itself from the Hutaree. A militia spokesman referred to them as “too extreme or radical for us.” One source claims that among other activities, the members arrested had made pipe bombs for distribution in their respective states. Source: http://www.examiner.com/x-19336-Detroit-Crime-Examiner~y2010m3d29-FBI-task-force-busts-members-of-Christian-militia-charges-to-be-revealed-today

 The Associated Press reports that federal prosecutors charged a Chicago cab driver on March 26 with trying to provide funds to al-Qaeda, saying the man planned to send money to a terrorist leader in Pakistan who had said he needed cash to buy explosives. According to the criminal complaint, the cab driver also discussed a possible bomb attack on an unspecified U.S. stadium this summer. (See item 73)

73. March 27, Associated Press – (National) Chicago taxi driver accused of supporting al-Qaeda. Federal prosecutors have charged a Chicago cab driver with trying to provide funds to al-Qaeda, saying the man planned to send money to a terrorist leader in Pakistan who had said he needed cash to buy explosives. The 56-year-old naturalized U.S. citizen of Pakistani origin was charged Friday with attempting to provide material support to a foreign terrorist organization. According to the criminal complaint, he also discussed a possible bomb attack on an unspecified U.S. stadium this summer. Speaking with a man identified only as Individual B, he allegedly said bags containing remote-controlled bombs could be placed in the stadium and then, “boom, boom, boom, boom,” prosecutors said. A U.S. attorney said there was no imminent danger to the Chicago area. Authorities say the cab driver claimed to have known another man for 15 years and came to believe that this other man was receiving orders from al-Qaeda’s leader. Prosecutors have said that this other man does in fact maintain close ties with at least one al-Qaeda leader. According to the complaint, the cab driver sent $950 from a currency exchange in Chicago to “Lala,” a name meaning older brother that he used in speaking of the other man. It said the money was sent after the other man indicated that he needed cash to buy explosives. On March 17, the cab driver accepted $1,000 from the undercover agent and assured him that the money would be used to purchase weapons and possibly other supplies, the complaint said. Source: http://www.google.com/hostednews/ap/article/ALeqM5i8cDBcu_QALQpoeOTNk3X03l3L9AD9EMS17O0

Banking and Finance Sector

17. March 29, IDG News Service – (National) Company says 3.3M student loan records stolen. Data on 3.3 million borrowers was stolen from a nonprofit company that helps with student loan financing. The theft occurred on March 20 or 21 from the headquarters of Educational Credit Management Corp. (ECMC), which services loans when student borrowers enter bankruptcy. The data was contained on portable media, said the organization, which is a dedicated guaranty agency for Virginia, Oregon, and Connecticut. The data included names, addresses, birth dates and Social Security numbers but no financial information such as credit card numbers or bank account data, ECMC said in a news release. Law enforcement has been notified. “ECMC is cooperating fully with local, state and federal law enforcement agencies conducting the investigation,” it said in a statement. ECMC will send a written notification to affected borrowers “as soon as possible” and offer them free services from Experian, a credit monitoring agency. Source: http://www.computerworld.com/s/article/9174312/Company_says_3.3M_student_loan_records_stolen


18. March 27, Bank Info Security – (National) Four banks closed on March 26. Four banks were closed by state and federal regulators on Friday, March 26, raising to 46 the number of failed banks and credit unions so far in 2010. McIntosh Commercial Bank, Carrollton, Georgia, was closed by the Georgia Department of Banking and Finance, which appointed the Federal Deposit Insurance Corporation (FDIC) as receiver. The FDIC estimates that the cost to the Deposit Insurance Fund (DIF) will be $123.3 million. Key West Bank, Key West, Florida, was closed by the Office of Thrift Supervision, which appointed the FDIC as receiver. The FDIC estimates that the cost to the Deposit Insurance Fund (DIF) will be $23.1 million. Unity National Bank, Cartersville, Georgia, was closed by the Office of the Comptroller of the Currency, which appointed the FDIC as receiver. The FDIC estimates that the cost to the Deposit Insurance Fund (DIF) will be $67.2 million. Desert Hills Bank, Phoenix, Arizona, was closed by the Arizona Department of Financial Institutions, which appointed the FDIC as receiver. The FDIC estimates that the cost to the Deposit Insurance Fund (DIF) will be $106.7 million. Source: http://www.bankinfosecurity.com/articles.php?art_id=2346


19. March 26, U.S. Department of Justice – (National) Kentucky attorney pleads guilty for role in stock manipulation scheme and obstruction of justice. A Louisville, Kentucky, attorney pleaded guilty late March 26 in U.S. District Court in Tulsa for his role in a scheme to defraud investors through the manipulation of the publicly traded stocks of three companies, announced the Assistant Attorney General of the Criminal Division and the U.S. Attorney for the Northern District of Oklahoma. The defendant pleaded guilty to one count of conspiracy to commit wire fraud, securities fraud and money laundering, as charged in the indictment returned by a federal grand jury in Tulsa on January 15, 2009. He also pleaded guilty to one count of obstruction of justice, contained in a criminal information filed March 25, 2010. Specifically, he pleaded guilty to making false and misleading statements to the Internal Revenue Service (IRS) and to the Department of Justice regarding stock promotions and movement of stock proceeds. According to the indictment, between April 2004 and December 2006, the attorney and his co-conspirators devised and engaged in a scheme to defraud investors known as a “pump and dump,” in which they manipulated three publicly traded penny stocks. A penny stock is a common stock that trades for less than $5 per share in the over-the-counter market, rather than on national exchanges. According to the indictment, the scheme reaped for the defendants more than $41 million. Source: http://www.justice.gov/opa/pr/2010/March/10-crm-325.html


20. March 26, WRCB 3 Chattanooga – (Florida; Georgia) Pink haired bank robbery suspect linked to Florida heist. Officers have a man in custody after the robbery of a Catoosa County bank. Authorities say they found a cellphone with a suspicious device attached to it at the Capitol Bank on Highway 41. The bank was robbed at 9 a.m. The suspect fled in a van but was later captured on Interstate 75. Our reporter says 25 law enforcement cars are on the scene. Members of a police bomb squad are sweeping the building. The suspect has been identified as a suspect in a January 23 bank robbery in Ft. Myers, Florida. Authorities in Catoosa County, Georgia say around 9:05 a.m. the suspect entered Capitol Bank and handed a bank teller a note. He then allegedly took $10,000 from the teller and fled, leaving the suspicious cellphone. He was later captured on I-75. Source: http://www.wrcbtv.com/Global/story.asp?S=12209736


21. March 26, Tennessean – (Tennessee) Smyrna police investigating ATM theft. Police are searching for the person or persons responsible for stealing an ATM from a bank early on March 26. Dispatchers received a call from Bank of America’s alarm company at 4:25 a.m. that someone had possibly attempted to break into the machine. The operator asked that officers check the Sam Ridley Parkway location for burn marks, smoke, damage to the exterior and to make sure the machine’s screen did not read “out of order,” a transcript of the call shows. About three minutes later, the operator called back and said the company had placed a tracking device on the ATM and that it had been moved to Sanford Road, near La Vergne city limits. When officers arrived at the bank, they found a forklift on the scene and determined it was used to move the ATM. Glass was also found in the area near the ATM, and it’s possible the suspect broke a window while loading the ATM, the report said. Source: http://www.tennessean.com/article/D4/20100326/NEWS01/100326010/Smyrna+police+investigating+ATM+theft


22. March 26, WLWT 5 Cincinnati – (Ohio) Thieves use skimmer to take $50,000 from ATM customers. Norwood police are looking for the men who used an ATM skimmer to steal money from dozens of bank accounts. Police said the skimmer device was placed on a US Bank ATM on the weekend of February 27 and removed before March 22. Investigators said more than 120 customer accounts were compromised, taking about $50,000 in all. A police detective said that the thieves waited until the last week or so to begin using the information at ATMs to take money from accounts. Police said they have video from the ATM’s camera that shows the men they believe installed and removed the device. The detective said there appear to be at least four men involved, some of whom were also captured on tape putting a skimmer on an ATM in Wisconsin. Source: http://www.wlwt.com/news/22965050/detail.html


Information Technology


60. March 29, SC Magazine – (International) Could blocking access to webmail save you from insider threat problems, and what are the ethics behind scanning sent emails? Companies should look to scan webmail activity for malicious activity and data loss, and to control the insider threat. According to the chief marketing officer for Proofpoint, companies should look to scan other email applications, or at least monitor their use, and then choose whether or not to block them. When asked if this would infringe privacy policies, the chief marketing officer said: “It depends on the organization and its policies, in a financial services company they are trying anything that secures the network. It does have an impact and it depends on the company, as an organization should be comfortable with monitoring, but the rule is do not use it. It is still a requirement to protect confidentiality of information in the organization.” A malware data analyst at Symantec Hosted Services claimed that traditionally, the vast majority of 419 scams are sent from webmail accounts, and that sending the scam via webmail adds legitimacy to the mail, makes the email harder for security vendors to block, and helps to hide the identity of the scammers. Source: http://www.scmagazineuk.com/could-blocking-access-to-webmail-save-you-from-insider-threat-problems-and-what-are-the-ethics-behind-scanning-sent-emails/article/166790/


61. March 29, The Register – (International) Trojan poses as Adobe update utility. Miscreants have begun creating malware that overwrites software update applications from Adobe and others. Email malware that poses as security updates from trusted companies is a frequently used hacker ruse. Malware posing as update utilities, rather than individual updates, represents a new take on the ruse. Vietnam-based anti-virus firm Bkis said the tactic is a logical follow-on from earlier approaches where viruses replace system files and startup program files. The director of Bkis Security writes that the recently detected Fakeupver trojan establishes a backdoor on compromised systems while camouflaging its presence by posing as an Adobe update utility. The malware camouflages itself by using the same icons and version number as the official package. Source: http://www.theregister.co.uk/2010/03/29/software_update_trojan/


62. March 29, Computerworld – (International) Microsoft defends Windows 7 security after Pwn2Own hacks. Just days after a pair of researchers outwitted major Windows 7 defenses to exploit Internet Explorer (IE) and Firefox, Microsoft said the measures aren’t meant to “prevent every attack forever.” At the same time, it defended the security measures, saying they remained an effective way to hinder exploits. A product manager with IE’s developer division stood up for DEP (data execution prevention) and ASLR (address space layout randomization), the security features that two hackers sidestepped to win $10,000 each at the high-profile Pwn2Own hacking contest on March 24. “Defense in depth techniques aren’t designed to prevent every attack forever, but to instead make it significantly harder to exploit a vulnerability,” the product manager said, referring to DEP, ASLR and another feature specific to IE, called Protected Mode. DEP, which Microsoft introduced in 2004 with Windows XP SP2, is designed to prevent attack code from executing in memory not intended for code execution. ASLR, a feature that debuted with Windows Vista three years ago, randomly shuffles the positions of key memory areas, such as the stack, to make it more difficult for hackers to predict whether their attack code will run. Protected Mode, a sandbox-like technology in which IE runs with restricted rights, is designed to reduce the ability of attack code to “escape” from the browser to write, alter or delete data elsewhere on the PC. Source: http://www.computerworld.com/s/article/9174309/Microsoft_defends_Windows_7_security_after_Pwn2Own_hacks


63. March 28, Techworld – (International) Beware botnet’s return, security firms warn. The volume of spam being sent by the notorious Rustock botnet using TLS encryption has surged in recent weeks, establishing an important new trend in botnet behavior, security companies have said. Roughly the week of March 15, Symantec’s MessageLabs division reported noticing large volumes of spam using TLS (Transport Layer Security), an encryption protocol successor to the better-known SSL (Secure Sockets Layer), and normally a way of securing the contents of an email between server and client. At that point, the percentage of spam encrypted by Rustock using TLS was around the 35 percent mark, a figure the company says in its latest Intelligence Report this week has surged to as much as 77 percent of its activity during the month. The challenge is that TLS imposes higher processing demands on mail servers compared to non-TLS traffic, estimated to be around 1 kilobyte overhead for every spam email. Given that most email is now spam, the accumulated overhead on mail servers has the potential to be high whether the messages are detected as spam or not. Source: http://www.pcworld.com/article/192668/beware_botnets_return_security_firms_warn.html


64. March 26, The Register – (International) World Cup-themed PDF attack kicks off. Miscreants have booted a World Cup-themed email malware attack onto the web, taking advantage of existing material on the tournament. Booby-trapped emails are doing the rounds, posing as messages from African safari organizer Greenlife. The emails contain an attached PDF file claiming to provide a guide to the first African edition of football’s most prestigious tournament. In reality, the attachment payload takes advantage of a recently patched Adobe Reader vulnerability (involving the handling of TIFF files and resolved with a patch on February 16) to drop malware onto machines running an unpatched version of Adobe Reader. Hackers behind the attack have taken Greenlife’s genuine guide (available on its website) and inserted exploit code instead of content related to this June’s tournament and travel in South Africa. The poisoned version of the guide was sent to an unspecified “major international organization”, email filtering outfit MessageLabs reports. The Symantec-owned hosted security operation adds that successful execution of the attack drops a rootkit and a backdoor Trojan on compromised machines. Source: http://www.theregister.co.uk/2010/03/26/world_cup_malware/


65. March 26, The Register – (International) Kit attacks Microsoft keyboards (and a whole lot more). Security researchers on March 26 unveiled an open-source device that captures the traffic of a wide variety of wireless devices, including keyboards, medical devices, and remote controls. Keykeriki version 2 captures the entire data stream sent between wireless devices using a popular series of chips made by Norway-based Nordic Semiconductor. That includes the device addresses and the raw payload being sent between them. The open-source package was developed by researchers of Switzerland-based Dreamlab Technologies and includes complete software, firmware, and schematics for building the $100 sniffer. Keykeriki not only allows researchers or attackers to capture the entire layer 2 frames, it also allows them to send their own unauthorized payloads. That means devices that don’t encrypt communications - or don’t encrypt them properly - can be forced to cough up sensitive communications or be forced to execute rogue commands. Source: http://www.theregister.co.uk/2010/03/26/open_source_wireless_sniffer/


66. March 26, Homeland Security NewsWire – (International) iPhone, IE8, Firefox, and Safari easily hacked at Pwn2Own contest. Hackers gathered for an annual contest in Vancouver demonstrated easy hacking of the iPhone and all major browsers; a non-jailbroken iPhone was also hacked and its SMS database stolen; the security measures taken by Firefox, Safari, and IE8 were no match for the hackers. The annual Pwn2Own contest has seen the Apple iPhone and nearly all the major browsers hacked. At the contest, held at the CanSecWest show in Vancouver, interest has so far centered on the revelation of twenty zero-day flaws in Apple’s OS X by a security researcher. As attendees waited for his keynote address, the Pwn2Own contest gave hackers and security experts a chance to demonstrate their ability and try to breach the security of various devices and software. Reporting from the event, Mashable claimed that Firefox, Safari, and IE8 were hacked at the contest. A non-jailbroken iPhone was also hacked and its SMS database stolen by two researchers, who directed the iPhone to a Web site they had set up, crashed its browser, and stole its SMS database, including some erased messages. Source: http://homelandsecuritynewswire.com/iphone-ie8-firefox-and-safari-easily-hacked-pwn2own-contest


For more stories, see items 68 and 69 below.


Communications Sector

67. March 27, V3.co.uk – (National) Google sheds new light on broadband plans. Google has posted an update concerning its planned high-speed fiber broadband network, and will announce the target market for the first tests by the end of the year. The initial trial will cover a group ranging from 50,000 to 500,000 people. The project, announced in February, will provide 1Gbit/s fiber networks in targeted markets as a way of testing open broadband networks. Google will also make its broadband cables open to other service providers. Interest in the project has been high since the announcement, and Google claims that some 600 community groups have expressed interest in participating, as well as more than 190,000 individuals. Google will visit prospective sites and speak with local leaders and community groups before making a final decision later this year. Source: http://www.v3.co.uk/v3/news/2260346/google-sheds-light-broadband


68. March 26, Network World – (International) Yahoo proposes ‘really ugly hack’ to DNS. Network engineers from Yahoo are pitching what they admit is a “really ugly hack” to the Internet’s Domain Name System, but they say it is necessary for the popular Web content provider to support IPv6, the long-anticipated upgrade to the Internet’s main communications protocol. Yahoo outlined its proposal for changes to DNS recursive name resolvers at a meeting of the Internet Engineering Task Force (IETF) held in California recently. Yahoo says it needs a major change to the DNS — which matches IP addresses with corresponding domain names — in order to provide IPv6 service without inadvertently cutting off access to hundreds of thousands of visitors. Under Yahoo’s proposal, these visitors would continue accessing content via IPv4, the current version of the Internet Protocol. The reason Yahoo is seeking this change to the DNS is that a significant percentage of Internet users have broken IPv6 connectivity. Source: http://www.computerworld.com/s/article/9174230/Yahoo_proposes_really_ugly_hack_to_DNS


69. March 26, IDG News Service – (International) After DNS problem, Chinese root server is shut down. A China-based root DNS server associated with networking problems in Chile and the U.S. has been disconnected from the Internet. The action by the server’s operator, Netnod, appears to have resolved a problem that was causing some Internet sites to be inadvertently censored by a system set up in the People’s Republic of China. On March 24, operators at NIC Chile noticed that several ISPs (Internet service providers) were providing faulty DNS information, apparently derived from China. China uses the DNS system to enforce Internet censorship on its so-called Great Firewall of China, and the ISPs were using this incorrect DNS information. That meant that users of the network trying to visit Facebook, Twitter and YouTube were directed to Chinese computers instead. In Chile, ISPs VTR, Telmex and several others — all of them customers of upstream provider Global Crossing — were affected, NIC Chile said in a statement on March 26. The problem, first publicly reported on March 24, appears to have persisted for a few days before it was made public, the statement says. A NIC Chile server in California was also hit with the problem, NIC Chile said. While it’s not clear how this server was getting the bad DNS information, it came via either Network Solutions or Equinix, according to NIC Chile. Source: http://www.computerworld.com/s/article/9174278/After_DNS_problem_Chinese_root_server_is_shut_down