Monday, February 28, 2011

Complete DHS Daily Report for February 28, 2011

Daily Report

Top Stories

• Oil industry documents filed with the federal government reveal that an accidental release of a lethal chemical used in 50 aging refineries across the country could prove devastating, with 16 million Americans living within range of toxic plumes that could spread for miles, ABC News and Center for Public Integrity reported February 24. (See item 2)

2. February 24, ABC News and Center for Public Integrity – (National) Hydrofluoric acid risk at oil refineries. Oil industry documents filed with the federal government reveal that an accidental release of a lethal chemical used in 50 aging refineries across the country could prove devastating, with 16 million Americans living within range of toxic plumes that could spread for miles. Los Angeles, Philadelphia, Minneapolis, New Orleans, and the stretch of Texas coastline known as “Refinery Row” are among the at-risk areas cited in the documents. Citing homeland security concerns, the government keeps the industry filings under close guard in Washington, D.C. They were reviewed as part of a joint investigation by ABC News and the Center for Public Integrity. According to the industry’s worst-case scenario documents, a release of the chemical could endanger entire communities. Even though one-third of the oil refineries in the United States are using the chemical, a spokesman told ABC News that the industry has long avoided demands from safety advocates and from the union that represents refinery workers that it explore safer options. Officials at the U.S. Chemical Safety Board have warned that while the refinery industry has been painting a rosy picture of the conditions at their facilities, it has compiled a disconcerting track record. As the nation’s 150 refineries have aged, there have been an increasing number of fatal, or near-fatal, incidents. Source: http://abcnews.go.com/Blotter/hydrofluoric-acid-risk-oil-refineries/story?id=12985686

• According to Killeen Daily Herald, the city of Killeen, Texas, advised its residents to avoid Nolan Creek until February 28 because a mechanical failure at a lift station February 22 sent about 298,000 gallons of wastewater pouring into the creek. (See item 32)

32. February 24, Killeen Daily Herald – (Texas) Residents told to avoid part of contaminated Nolan Creek. A mechanical failure at lift station 1 sent about 298,000 gallons of wastewater pouring into the Nolan Creek, in Killeen, Texas, February 22. Two days later, the city advised its residents to avoid the creek until February 28. The Drainage Utility Project engineer said a large buildup of grease was found in the lift station and has been a problem in the past, but did not confirm the cause of the spill. Four manholes also discharged sewage, affecting one business at the intersection of 38th and Water streets. Source: http://www.kdhnews.com/news/story.aspx?s=51549

Details

Banking and Finance Sector

16. February 24, Softpedia – (National) FTC files complaint against SMS spammer. The Federal Trade Commission filed a complaint against a man from Huntington Beach, California, alleging that he is responsible for sending millions of SMS spam messages. According to the complaint, during a 40-day period alone, defendant sent over 5.5 million unsolicited commercial text messages at a rate of 85 per minute. The FTC claims the messages deceptively advertised loan modification assistance, debt relief and other services. In one instance, recipients were directed to loanmod-gov.net, a site claiming to provide “Official Home Loan Modification and Audit Assistance Information.” This type of activity can cost people money because some wireless carriers charge fees for receiving text messages. In addition, the suspect is accused of selling the contact information of consumers to marketers claiming they are debt settlement leads. The alleged spammer is also said to have sent unsolicited email messages that promoted his SMS spamming services. The FTC charges the suspect with violations under the FTC Act and the CAN-SPAM Act, the law that governs the sending of commercial emails. He also failed to include an “opt-out” option. Source: http://news.softpedia.com/news/FTC-Files-Complaint-Against-SMS-Spammer-186219.shtml

17. February 23, Contra Costa Times – (California) Orinda robbery suspect arrested in San Francisco. A man suspected in a February 4 armed robbery of an Orinda, California, bank has been arrested in San Francisco, police said February 22. San Francisco police arrested the 51-year-old February 8 on a drug charge. He is one of two men suspected of robbing the First Republic Bank on Brookwood Road. The men left the bank with an undisclosed amount of cash, a police official said, and their getaway car was later found abandoned. Orinda police officers interviewed Smith in San Francisco, and the FBI has taken over the case because of his possible involvement in other robberies. Source: http://www.mercurynews.com/breaking-news/ci_17455166

18. February 22, Federal Bureau of Investigation – (New York) Business owner pleads guilty to securities fraud. A 46-year-old New York man pleaded guilty February 22 to one count of securities fraud. The guilty plea was entered in United States District Court in Syracuse, New York. Sentencing is set for July 7, 2011 in Albany, New York. The man faces a maximum term of up to 20 years in prison. As part of his guilty plea the man admitted that, from 2002 through 2010 he was the founder, owner, and sole managing member of Prime Rate and Return, LLC and American Integrity Financial Co. Neither Prime Rate nor American Integrity was registered in any capacity with the Securities and Exchange Commission (SEC). He also admitted that he solicited and received money from investors as a representative of American Integrity. He offered and sold investors contracts with American Integrity, which American Integrity promised to pay a “guaranteed” fixed rate of interest on the initial investment. These contracts were for a fixed term, usually three years, after which the investor could either withdraw his or her investment or roll the investment over into another fixed term with a fixed rate of return. He offered rates of return that varied from investor to investor and ranged from 3.85 percent to 9.35 percent annually. Source: http://www.fbi.gov/albany/press-releases/2011/business-owner-pleads-guilty-to-securities-fraud

Information Technology

45. February 25, Softpedia – (International) Removal of NIC-hijacking malware leads to network connection problems. Researchers from security vendor Bkis warn that removal of a trojan which intercepts network traffic can leave the computer isolated from the network and Internet. The reason for this lies in the trojan’s routine, which involves creating virtual network adapters using the names of existing ones and adding the “-” character at the end. Bkis detects this threat as W32.Ndisvan.Trojan and says its purpose is to filter data passing through network controllers, download additional malware and evade antivirus detection. The rogue network adapters created by the trojans use a driver called “ndisvvan.sys,” which tries to pose as the Windows NDISWAN Miniport Driver, ndiswan.sys. A Bkis senior malware researcher notes that by removing the rogue ndisvvan.sys, the network filter driver chain is broken and data can no longer reach the real network adapter. Because of this, the computer will appear to have no network connection and attempting a normal local area connection repair will not resolve the problem. Source: http://news.softpedia.com/news/NIC-Hijacking-Malware-Removal-Leads-to-Broken-Network-Connection-186287.shtml

46. February 25, Help Net Security – (International) Failure to invest in secure software a major risk. Failure to take software security seriously is putting organizations, brands and people at risk, according to a report by Creative Intellect Consulting. Key highlights from the report included: key software security and quality processes are not being followed; managers are jeopardizing secure software delivery, but they are not alone; there is a clear mandate for better education and training that cannot be ignored; a mentality exists to invest in what people already know; and compliance and regulation is a key driver. Source: http://www.net-security.org/secworld.php?id=10663

47. February 24, The Register – (International) Thunderbolt: A new way to hack Macs. The 10Gbit/s interconnect Apple introduced February 24 in a new line of Macbook Pros may contain the same security weakness that for years has accompanied another Mac innovation: the Firewire port. Like Firewire, the Intel-designed Thunderbolt is based on a peer-to-peer design that assigns blind trust to any device that connects through the bi-directional, dual channel interface. According to CEO of security consultancy Errata Security, that gives attackers yet another weakness to exploit when targeting machines that offer the interconnect. “Imagine that you are at a conference,” the security expert writes. “You innocently attach your DisplayPort to a projector to show your presentation on the big screen. Unknown to you, while giving your presentation, the projector is downloading the entire contents of your hard disk.” Such attacks rarely work on USB ports because they are based on a “master-slave” design. That means the computer has full access to the attached device but the attached device has limited access to the computer. Firewire and now Thunderbolt, by contrast, have full access to a Mac’s entire memory. Source: http://www.theregister.co.uk/2011/02/24/thunderbolt_mac_threat/

48. February 22, The Register – (International) Site to highlight social networks’ security soft spots. Security researchers have set up a site designed to prod social networking Web sites into practicing what they preach about web security. Socialnetworksecurity.org, which aims to publish details of security vulnerabilities on Web 2.0 sites such as Xing or Facebook, was set up the weekend of February 19 by security researchers frustrated with a lack of response from sites about the problems they discovered. Many of the vulnerabilities unearthed fall into the category of cross-site scripting vulnerabilities, some of which (in the case of bugs on Xing and Jappy.de, for example) have already been fixed. Separately, an insecure script on Facebook creates a mechanism to make more convincing phishing attacks. This bug remains live, Socialnetworksecurity.org warns. The German-based team behind the website, who wish to remain anonymous, want to push vendors into becoming more responsible about security bugs. As a first step, they want Web 2.0 sites to establish a security-related contact form, and to allow submission of confidential security-related problems via encrypted e-mail. Source: http://www.theregister.co.uk/2011/02/22/social_network_insecurity/

Communications Sector

Nothing to report

Friday, February 25, 2011

Complete DHS Daily Report for February 25, 2011

Daily Report

Top Stories

• According to Bloomberg, computer hackers working through Internet servers in China broke into and stole proprietary data from the networks of six U.S. and European energy companies, including Exxon Mobil Corp., Royal Dutch Shell Plc and BP Plc. (See item 3)

3. February 24, Bloomberg – (National) Exxon, Shell, BP said to have been hacked through Chinese internet servers. Computer hackers working through Internet servers in China broke into and stole proprietary information from the networks of six U.S. and European energy companies, February 10, including Exxon Mobil Corp., Royal Dutch Shell Plc and BP Plc, according to one of the companies and investigators who spoke about the incident February 23. The attacks, dubbed “Night Dragon,” originated “primarily in China” and occurred during the past 3 years. The list of companies hit also includes Marathon Oil, ConocoPhillips, and Baker Hughes Inc. In some of the cases, hackers had undetected access to company networks for more than 1 year, said a chief executive officer of HBGary Inc., a cyber-security company that investigated some of the security breaches. “Legal information, information on deals and financial information are all things that appear to be targeted,” the CEO said, summing up conclusions his firm made from the types of documents and persons targeted by the hackers. “This is straight up industrial espionage.” Hackers targeted computerized topographical maps worth “millions of dollars” that show locations of potential oil reserves, said an InGuardians Inc. employee, whose company investigated two recent breaches of U.S. oil companies’ networks. McAfee Inc., a cyber-security firm, reported February 10 that such attacks had resulted in the loss of “project-financing information with regard to oil and gas field bids and operations.” The McAfee report described the techniques used to get into the computers as “unsophisticated” and commonly used by Chinese hackers. The attacks began in November 2009, McAfee said. Two cyber investigators familiar with the probes said the attacks began even earlier, in 2008, and involved several well-financed groups. A former head of U.S. counterintelligence during the Bush and Obama administrations said the thefts of oil company data like those in the McAfee report match the profile of industrial espionage operations that have the backing or consent of the Chinese government. Source: http://www.bloomberg.com/news/2011-02-24/exxon-shell-bp-said-to-have-been-hacked-through-chinese-internet-servers.html

• The Dallas Morning News reports a 20-year-old Saudi Arabian national was arrested by the FBI in Lubbock, Texas, for plotting to carry out terrorist attacks against dams, nuclear power plants, and the home of a former U.S. President. (See item 28)

28. February 24, Dallas Morning News – (Texas; Colorado; California) FBI: Lubbock college student from Saudi Arabia targeted Bush’s Dallas home in bombing plot. A 20-year-old Saudi Arabian national arrested by the FBI in Lubbock, Texas, for allegedly plotting to carry out terrorist attacks, also allegedly targeted the Dallas home of the 43rd U.S. President, documents show. The Saudi citizen was arrested February 23 and was scheduled to appear before a federal judge in Lubbock February 25. Agents also found lists of various targets, including reservoir dams in Colorado and California, and nuclear power plants. According to an arrest warrant affidavit, FBI agents learned of the man’s alleged plotting February 1, when a chemical supplier reported a suspicious attempted purchase of concentrated phenol. Phenol can be used to make explosives. The suspect had successfully purchased concentrated nitric and sulfuric acids in December. He also allegedly purchased many other items, including a gas mask, a haz-mat suit, a soldering iron kit, glass beakers and flasks, wiring, a stun gun, clocks, and a battery tester. A spokesman said the terrorism investigation is ongoing, but “the federal complaint contains no allegations that he received direction from or was under the control of a foreign terrorist organization. We are confident that we have eliminated the alleged threat by [the accused],” he said. The suspect was lawfully admitted into the United States in 2008 on a student visa, and is enrolled at South Plains College near Lubbock. In online blog entries agents found, the man allegedly wrote of his plans to carry out violent jihad, or holy war, in the United States. The affidavit also alleged he conducted research indicating he considered using infant dolls to conceal explosives, and considered targeting of a nightclub with an explosive concealed in a backpack. A search of his Lubbock residence revealed a journal, which showed he had been allegedly plotting for years. 
Source: http://www.dallasnews.com/news/state/headlines/20110224-fbi-lubbock-college-student-from-saudi-arabia-targeted-bushs-dallas-home-in-terror-plot.ece

Details

Banking and Finance Sector

10. February 24, WGHP 8 Sophia – (North Carolina) ‘Ball cap bandit’ wanted in 3 Triad bank robberies. Detectives in High Point and Thomasville in North Carolina believe a man labeled the “Ball Cap Bandit” by the FBI is responsible for robbing 3 local banks over the past 2 weeks. Detectives with High Point Police Department and Thomasville Police Department believe the suspect who robbed the High Point Bank and Trust on Eastchester Drive might be the same suspect that robbed the BB&T on Randolph Street in Thomasville, and the State Employees’ Credit Union in Asheboro. The suspect in all three robberies is described as a white male, approximately 50 years old, short, about 150 lbs and with a “scruffy” beard. The suspect was reportedly wearing blue jeans, a light green or blue jacket, tan colored camouflage hat, and sunglasses. Source: http://www.myfox8.com/news/wghp-story-ball-cap-bandit-110224,0,2436322.story

11. February 24, Bucks County Courier Times – (Pennsylvania) Man charged in bank robberies. A Bensalem, Pennsylvania man is in jail on a $1 million bail, accused of robbing two Bucks County banks February 18 and February 19, netting him more than $26,000. The suspect was arraigned February 23 in connection with the robberies at the TD Bank at 624 S. Oxford Valley Road in Bristol Township February 18, and the Bank of America at 381 Easton Road in Warrington February 19, according to court documents. In both robberies, investigators said the suspect asked for a withdrawal slip and wrote on it that he wanted money, then he handed the note to the teller. Source: http://www.phillyburbs.com/news/local/courier_times/courier_times_news_details/article/28/2011/february/24/man-charged-in-bank-robberies.html

12. February 23, H Security – (International) Online banking trojan attacks Windows Mobile smartphones. According to reports from F-Secure and Kaspersky, fraudsters are using a special trojan for smartphones to target users who use mTANs for online banking. As well as a Symbian version, there is now a version which specifically targets Windows Mobile. It uses the same trick as the September 2010 wave of trojans which targeted Symbian mobiles. After infecting a PC, the Zeus trojan displays additional fields on online banking Web sites, into which the victim is requested to enter the number and make of his or her mobile phone. The victim then receives a text containing a URL for what claims to be a certificate update. After installation, this turns out to be a trojan which secretly forwards texts containing mTANs to a phone number in the United Kingdom. Source: http://www.h-online.com/security/news/item/Online-banking-trojan-attacks-Windows-Mobile-smartphones-1195623.html

13. February 23, New Orleans Times-Picayune – (Louisiana) Credit card fraud investigation leads to four arrests. An organized group of 16 suspects illegally acquired more than $250,000 in goods by taking credit cards from more than 100 people, a Louisiana State Police (LSP) superintendent said February 23. Individuals in the French Quarter and Central Business District of New Orleans have been the primary target of the bandits whose reach extended far beyond the area, a LSP spokesman said. Four of the 16 suspects have been arrested. Warrants have been issued for the others. Two of the people arrested are charged with access device fraud. The other two arrested are charged with attempted device fraud. All four suspects live in New Orleans. A task force of the members of the LSP, the New Orleans Police Department, and the U.S. Secret Service have been investigating the organized group. Police said the 16 suspects shared stolen cards with each other. Source: http://www.nola.com/crime/index.ssf/2011/02/law-enforement_team_goes_after.html

14. February 23, IDG News – (International) Belarus man pleads guilty to running identity theft site. A 26-year-old Belarusian man entered a guilty plea February 23 to running an identity theft Web site designed to thwart the antifraud measures used by many banks. Until he was arrested in April 2010, the man had been the mastermind behind CallService(dot)biz, a Web site that helped more than 2,000 identity thieves commit fraud. CallService employed a network of English and German speakers who would call up banks, pretending to be ID theft victims, and confirm fraudulent transactions rung up by the criminals. This enabled them to skirt antifraud measures put in place by many U.S. banks, which often ask cardholders to phone in to confirm suspicious transactions. The man would make sure his callers were the correct gender, and then tell them exactly what to say to ensure the bogus purchases went through. He’d give his callers a dossier on the victim, including the name, e-mail address, Social Security number and answers to security questions such as “What city were you married in?” and “What is the name of your oldest sibling?” In online advertisements, CallService(dot)biz claimed to have done over 5,400 of these confirmation calls. The suspect faces a maximum sentence of nearly 38 years in prison on wire and credit card fraud charges, and is set to be sentenced May 26. Source: http://www.pcworld.com/businesscenter/article/220506/belarus_man_pleads_guilty_to_running_identity_theft_site.html

Information Technology

37. February 24, The Register – (International) Man admits hacking into NASA, e-commerce servers. A man from Houston, Texas, has admitted hacking into servers owned by an e-commerce company and making off with about $275,000. The man also admitted to charges of breaking into servers maintained by NASA’s Goddard Space Flight Center in Maryland and causing $43,000 in damages. The hacking spree spanned a 10-month stretch starting in December 2008 with the breach of systems owned by SWReg. A subsidiary of Digital River of Minnesota, the company manages royalties for independent software developers. “[The man] hacked into SWReg’s system, created the money by crediting the SWReg accounts, and then caused that money to be wire transferred to his bank account instead of the accounts of several developers,” a press release issued by the U.S. Attorney’s office in Minnesota said. The NASA servers the man hacked gave paying members of the scientific community access to oceanic data being sent to Earth from satellites. Eventually, the data was made available to everyone. Source: http://www.theregister.co.uk/2011/02/24/nasa_hacker_guilty/

38. February 24, H Security – (International) The unintended kill switch in Bind. The developers of the Bind server software have warned of a security problem that could prevent DNS servers from responding to requests. This is a serious problem, as many of the central DNS servers on the Internet use Bind, and hardly anything works without domain name resolution. However, the developers said no public exploits have so far been found. A domain’s master servers are vulnerable while they are performing an incremental zone transfer – a type of DNS zone transfer – or a dynamic update. The relevant security advisory lists versions 9.7.1-9.7.2-P3 as being affected. Source: http://www.h-online.com/security/news/item/The-unintended-kill-switch-in-Bind-1196567.html

39. February 24, Help Net Security – (International) Malware-driven pervasive memory scraping. Reports are coming in of a new trend in hacking techniques. Known as “pervasive memory scraping,” the technique relies on the fact that certain areas of Windows memory are only occasionally overwritten, meaning data from software that has been closed down on the PC can still remain for some time after. “The SANS Institute is reported to have spotted evidence of this type of attack methodology on an increasing basis. This means that, where a Windows PC user loads a secure application to view data, views that data and then closes the application, there is a chance that the data may continue to reside in the computer’s memory for some time after,” the CEO of Lieberman Software said. “Put simply, this means that, even if the secure software checks for the presence of trojans and similar credential scanning malware — and locks down the malware whilst it is loaded - once the application is closed, the contents of the computer memory can still be subsequently lifted by a remote scanning piece of malcode,” he added. Source: http://www.net-security.org/malware_news.php?id=1641

40. February 24, The Register – (International) Security shocker: Android apps send private data in clear. Cellphones running the Android operating system fail to encrypt data sent to and from Facebook and Google Calendar, shortcomings that could jeopardize hundreds of millions of users’ privacy, a computer scientist said. In a simple exercise for his security class, a professor at Rice University in Houston, Texas connected a packet sniffer to his network and observed the traffic sent to and from his Android handset when he used various apps available for Google’s mobile platform. The official Facebook app transmitted everything except for the password in the clear, the professor blogged February 22. This meant that all private messages, photo uploads, and other transactions were visible to eavesdroppers, even though the account had been configured to use Facebook’s recently unveiled always-on SSL encryption setting to prevent snooping over insecure networks. Google Calendar showed a similar carelessness in the experiment by also sending and receiving data in the clear. That makes it possible for hackers to see users’ schedules when the service is accessed on unsecured networks. Source: http://www.theregister.co.uk/2011/02/24/android_phone_privacy_shocker/

41. February 24, Softpedia – (International) Fake YouTube pages serve trojan via malicious Java applets. Security researchers from antivirus vendor BitDefender warn of scams that make use of fake YouTube pages to install trojans via a malicious Java applet. The scammers worked to make the pages look as close as possible to the real YouTube Web site. When visitors land on these rogue sites, a Java applet is launched automatically and they are prompted to run it. The dialog appears because the applet is unsigned and since Java is rarely used for mainstream Web services, users unfamiliar with it might be tempted to hit “run” to see the video they have been promised. The applet uses the OpenConnection Java method to download and execute a trojan. The malware has botnet capabilities and connects to an IRC server from where it receives commands. It is mainly used as a distribution platform for additional threats. Among those seen by BitDefender is a trojan that can use the Facebook accounts of its victims to send spam and record conversations from the most popular IM clients. There is also a worm with DDoS capabilities that can spread via removable USB drives, and a click fraud trojan that hijacks searches performed in Firefox, Internet Explorer, and Chrome on Google or Bing. Source: http://news.softpedia.com/news/Fake-YouTube-Pages-Serve-Trojan-via-Malicious-Java-Applets-186033.shtml

42. February 23, IDG News Service – (International) Microsoft fixes a security bug in its virus-scanner. Microsoft has patched a bug in its malware scanning engine that could be used as a stepping stone for an attacker looking to seize control of a Windows box. The bug is fixed in an update to the Microsoft Malware Protection Engine that was pushed out to users of Microsoft’s security products February 23. The bug is classified as an elevation of privilege vulnerability — something that could be used by an attacker who already has access to the Windows system to gain complete administrative control. Microsoft has not seen anyone take advantage of the bug yet, but the company thinks hackers could develop code that reliably exploits the issue. Source: http://www.computerworld.com/s/article/9211059/Microsoft_fixes_a_security_bug_in_its_virus_scanner

Communications Sector

44. February 24, OzarksFirst.com – (Missouri) Apartments evacuated when active meth lab found. Several families in Springfield, Missouri, were evacuated February 24 after an active meth lab was discovered outside their apartments. A police spokesman said officers were called about 1 a.m. to the 600 block of South Jefferson, just west of the Missouri State University campus. They found the components of a working meth lab behind a garage in the yard of the apartments. People living in several apartments were evacuated as haz-mat crews and the fire department arrived. They said the lab was reacting and there was a high risk of explosion. Springfield police said they did not have any suspects yet. Source: http://ozarksfirst.com/fulltext?nxd_id=410606

45. February 23, Associated Press – (Florida) Officer shoots man reportedly wielding knife. A police officer in South Florida shot a man reportedly wielding a knife inside Luther Memorial Lutheran Church February 23. Someone in the church called authorities for help saying a man with a knife was inside a classroom. Authorities said an officer who feared for his life shot the man once in the torso. The man was taken to a hospital. His condition was not known. Source: http://www.miamiherald.com/2011/02/23/2081609/officer-shoots-man-reportedly.html

46. February 23, New England Cable News – (Massachusetts) Police search for suspects in Lynn home-made bomb plot. Four home-made bombs went off in Lynn, Massachusetts, February 21, and now police are looking for those responsible. The one bomb police did manage to recover was 5 inches long, and had the strength of a stick of dynamite. Police believe as many as three other bombs have yet to be found. All the bombs went off within a span of about 15 minutes of each other. Lynn police and fire departments are working on the case along with the state fire marshal’s office. Source: http://www.necn.com/02/23/11/Police-search-for-suspects-in-Lynn-home-/landing_newengland.html?blockID=416265&feedID=4206

47. February 23, Computerworld – (Kansas) Hacker claims credit for knocking church’s site offline. A Twitter message February 21 suggested a self-proclaimed “hacktivist” using the handle The Jester may have been responsible for knocking the Topeka, Kansas-based Westboro Baptist Church (WBC) offline. In the message, the hacker claimed to have temporarily taken down the public Web site of the church “for celebrating the death of U.S. troops.” The message, however, made no direct mention of whether The Jester (@th3j35t3r on Twitter) was also responsible for the unavailability February 23 of several other Web sites affiliated with the WBC. The week of February 14, someone purporting to be from the hacking collective known as Anonymous posted a letter on an Anonymous site, warning WBC members of attacks against their church’s public Web sites if they did not stop their protests. That letter was later dismissed as a hoax by Anonymous. All of the church’s sites were unavailable February 23. Source: http://www.computerworld.com/s/article/9211038/Hacker_claims_credit_for_knocking_church_s_site_offline

48. February 22, Orange County Register – (California) Object used in GPS treasure hunt closes Downtown Disney. Downtown Disney in Anaheim, California, was reopened after about 90 minutes February 22 following a report of a suspicious object that turned out to be part of a high-tech treasure-hunt. An Anaheim police sergeant said police received a call of a suspicious object in Downtown Disney at 11:07 a.m. Assisted by Disney security, the object was located on a box on a walking bridge east of the ESPN Zone and west of the House of Blues, and the Orange County Sheriff’s Department Bomb Squad was called. A Disneyland Resort spokeswoman said about half of the shops and restaurants in Downtown Disney were evacuated at 11:30 a.m. At 12:38 p.m., the sergeant said the object was discovered to be a “geocaching” site – a location for high-tech scavenger hunters, who use GPS devices to find objects left at specific locations. Source: http://www.ocregister.com/news/suspicious-289321-object-downtown.html

Thursday, February 24, 2011

Complete DHS Daily Report for February 24, 2011

Daily Report

Top Stories

• Reuters reports that Ford Motor Co., facing government pressure after 77 injuries, announced plans to recall nearly 150,000 F-150 pickup trucks to fix air bags that could deploy without warning, a fraction of the vehicles the government contends should be called back and repaired. (See item 13)

13. February 23, Reuters – (National) Ford to recall F-150 pickups over air bags. Under government pressure, Ford Motor Co. said February 23 it will recall nearly 150,000 F-150 pickup trucks to fix air bags that could deploy without warning, a fraction of the vehicles the government contends should be called back and repaired. The recall covers trucks from the 2005-2006 model years in the United States and Canada for what Ford calls a “relatively low risk” of the air bag deploying inadvertently. The government, however, has urged the company to recall 1.3 million F-150s from the 2004-2006 model years, citing 77 injuries from air bags deploying accidentally. The recall is being closely watched because Ford’s F-Series pickup truck is the best-selling vehicle in America. The National Highway Traffic Safety Administration (NHTSA) has been investigating the air bag issues for more than a year. In May 2010, Ford told the government that the problems did not “present an unreasonable risk to vehicle safety” because there was a low rate of alleged injuries and the air bag warning lamp provided an “obvious warning” to drivers. Ford told NHTSA in May that some drivers reported injuries that included burns from contact with the air bag, bruises, neck and back pain, and minor cuts. “Two customers reported broken or chipped teeth and two reported fractures of the extremities (elbow or arm),” wrote the director of Ford’s automotive safety office. The NHTSA’s acting director of defect investigations wrote in a memo November 24, 2010 that the agency knew of 238 cases in which the air bags deployed inadvertently and noted that Ford made production changes to the trucks in 2006 and 2007 to fix the air bag wiring and other issues. The memo said that Ford did not believe the issue “warrants any corrective action” because the number of reports and incidents was low, owners received “adequate warning” from the air bag warning light and the “resulting injuries are minor in nature.” The government said Ford should conduct a recall “to remedy this defective condition.” Source: http://www.msnbc.msn.com/id/41733165/ns/business-autos/

• According to the Associated Press, the U.S. State Department said officials are processing thousands of dual U.S.-Libyan nationals, private U.S. citizens, and nonessential embassy staffers for a ferry trip out of Libya where hundreds have died in protests. (See item 32)

32. February 23, Associated Press – (International) Evacuation effort for Americans begins. The U.S. State Department said officials are processing U.S. citizens for a ferry trip out of Libya. The government arranged the trip to evacuate Americans from Libya to the Mediterranean island of Malta. The State Department believes there are several thousand dual U.S.-Libyan nationals, and about 600 private U.S. citizens in Libya. Officials have been trying to get 35 nonessential embassy staff members and family members of embassy personnel out of the country. The U.S. President’s administration has not yet outlined any steps to take against the Libyan regime for its violent crackdown on protesters that has seen hundreds of people killed. Source: http://www.kspr.com/sns-ap-us-libyaupdate,0,1397849.story

Details

Banking and Finance Sector

14. February 23, Associated Press – (National) ‘Burly Bandit’ gets 10 years. A bank-robbing bus driver who hit banks in six northeastern states is going to prison for 10 years. A judge in Bangor, Maine, also ordered the 48-year-old to pay $81,059 in restitution to the banks he hit during a 3-month spree last summer. Nicknamed the “Burly Bandit” by the FBI, the convict — a driver for Greyhound — pleaded guilty to 11 counts of robbery for the heists at banks and credit unions, which started April 9, 2010 in Buffalo, New York, continued in Vermont, Massachusetts, New Hampshire and Rhode Island, and ended with a July 13 job at Bangor Savings Bank in Orono, Maine. He was arrested the day after that heist following tips from people who recognized him from surveillance photos. Source: http://www.wcsh6.com/news/local/story.aspx?storyid=149041&catid=2

15. February 23, Associated Press – (Arizona) Former loan officer charged in federal fraud case. A former Phoenix, Arizona, loan officer charged in a $40 million mortgage fraud scheme is facing additional charges. The U.S. Attorney’s Office said the 42-year-old was arrested by the FBI February 18. The suspect was being charged with bankruptcy fraud after prosecutors alleged she changed her name in May 2010. Prosecutors said the suspect tried to hide assets and income from bankruptcy court by filing them under her previous name. The suspect’s other trial, related to her alleged role in a nearly $40 million mortgage fraud scheme, is set to begin in August. Source: http://www.kswt.com/Global/story.asp?S=14081488

16. February 22, Federal Information & News Dispatch, Inc. – (Massachusetts) Man accused of $4M fake life settlement fraud. A Massachusetts man, also living in Florida, was charged February 17 in federal court with mail and wire fraud in connection with a 6-year scheme involving purported investments in “life settlements,” in which it is alleged he defrauded about 20 victims of approximately $4 million. The 67-year-old suspect, of Winthrop, and Jupiter, Florida, was indicted on 5 counts of wire fraud and 13 counts of mail fraud. The indictment alleged that from 2002-2008, the suspect engaged in a scheme to defraud investors by misrepresenting to people how those funds would be used, invested and repaid. He instead diverted the funds for his own personal and business purposes. Source: http://insurancenewsnet.com/article.aspx?id=248845

17. February 19, Reuters – (Colorado) Tied-up teller arrested in Colorado bank robbery. A Colorado bank teller who claimed he was robbed at knifepoint and tied up inside a bank vault was arrested February 19 along with his alleged accomplice after police said the crime was an inside job. The 22-year-old male was taken into custody after detectives determined “something was just not right” with his harrowing story, a spokesman with the Longmont, Colorado police department told Reuters. “This bank is inside an open, busy Wal-Mart,” the spokesman said. “A bank robber is not going to take the time to go to all that work.” He said police and FBI agents responded February 18 to reports of an armed robbery at the Academy Bank in Longmont. A bank employee said she discovered the teller bound with duct tape inside the bank vault when she reported for work, according to the police report. The teller told police “an Asian or Hispanic man with a chubby face” wearing an Army jacket and wielding a knife robbed him shortly after the bank opened, the spokesman said. Bank surveillance cameras captured images of a man matching the teller’s description fleeing the bank with an undisclosed amount of cash. Investigators identified the robber as a 22-year-old male, and from there the scheme unraveled, police said. On February 19, police searched the teller’s home and found “money and other evidence related to the crime,” the spokesman said. The robber and teller were arrested and charged with aggravated robbery and conspiracy to commit a theft of over $20,000. The teller also faces a false reporting charge. Source: http://www.reuters.com/article/2011/02/19/us-bank-robbery-idUSTRE71I3S220110219

For another story, see item 43 below in the Information Technology Sector

Information Technology

39. February 23, Help Net Security – (International) 41% of organizations not aware of security risks. Forty-one percent of organizations are not well aware of or protected against IT security risks, according to McAfee. Another 40 percent are not completely confident they can accurately deploy countermeasure products thus leaving them at risk. The McAfee report found that to address these concerns, nearly half of all companies plan to spend an average of 21 percent more in 2011 on risk and compliance solutions. Overall, the survey indicated strong growth for risk and compliance products in 2011 with the majority of decision-making executives demanding integrated and automated solutions rather than point products. Source: http://www.net-security.org/secworld.php?id=10653

40. February 23, Softpedia – (International) Phishing on the rise again after holiday decline. German antivirus vendor Avira warned that the number of phishing attacks is again on the rise after a significant decline in December 2010. “While the numbers for Phishing in December were almost all red, showing a dramatic drop for the (dot)org (-151 percent), (dot)com (-76 percent), and (dot)net (-24 percent) domains, we now have seen the exact opposite development in January 2011,” according to Avira. “Phishing was definitely on the rise and even if the malware URLs still show mostly as red numbers, some of them have also increased,” an Avira data security expert said. PayPal remains the most phished brand, having been targeted in almost 37 percent of attacks in January, an increase of 53 percent since December. eBay was also among the favorite phishing targets, with attacks against the Web site almost doubling since December and accounting for 27 percent of the total. Source: http://news.softpedia.com/news/Phishing-on-the-Rise-Again-After-Holiday-Decline-185762.shtml

41. February 22, The Register – (International) Facebook users subjected to more clickjacking. Facebook users have been subjected to another round of clickjacking attacks that force them to authorize actions they had no intention of approving. The latest episode in this continuing saga, according to Sophos researchers, is a set of campaigns aimed at Italian-speaking users of the social network. The come-ons promise shocking videos about such things as the real ingredients of Coca Cola. Instead, they are forced into registering their approval of the videos using Facebook’s “Like” button. Clickjacking is a term that was coined in 2008. It describes attacks that allow malicious Web site publishers, or their users, to control the links visitors click on. They are typically pulled off by superimposing an invisible iframe over a button or link. Virtually every browser is vulnerable, although many come with safeguards that can make exploitation harder. Source: http://www.theregister.co.uk/2011/02/22/facebook_clickjacking_attacks/

42. February 22, Softpedia – (International) US spam levels begin to recover. U.S. spam levels began recovering in January, which pushed the country back into the list of top 20 spam sources after 2 months of absence. According to data from security vendor Kaspersky Lab, the overall amount of spam slightly increased in January by 0.5 percentage points and averaged 77.6 percent of all e-mail traffic. Meanwhile, e-mail phishing levels remained low. This type of rogue traffic comprised 0.03 percent of all e-mails sent in January, a decrease of 0.1 percent compared to December. The percentage of e-mail messages carrying malicious attachments remained significant at 2.75 percent, representing an increase of 1 percent over the last month of 2010. Source: http://news.softpedia.com/news/Spam-Recovers-in-USA-185593.shtml

43. February 21, The Register – (International) Flash drives dangerously hard to purge of sensitive data. In research that has important findings for banks, businesses, and security experts, scientists have found computer files stored on solid state drives are sometimes impossible to delete using traditional disk-erasure techniques. Even when the next-generation storage devices show files have been deleted, as much as 75 percent of the data contained in them may still reside on the flash-based drives, according to the research, which was presented the week of February 21 at the Usenix FAST 11 conference in California. In some cases, the SSDs, or solid-state drives, incorrectly indicate the files have been “securely erased” even though duplicate files remain in secondary locations. The difficulty of reliably wiping SSDs stems from their radically different internal design. Traditional ATA and SCSI hard drives employ magnetizing materials to write contents to a physical location that’s known as the LBA, or logical block address. SSDs, by contrast, use computer chips to store data digitally and employ an FTL, or flash translation layer, to manage the contents. When data is modified, the FTL frequently writes new files to a different location and updates its map to reflect the change. In the process, left-over data from the old file, which the authors refer to as digital remnants, remain. Source: http://www.theregister.co.uk/2011/02/21/flash_drive_erasing_peril/
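
The remapping behaviour described in item 43, as an added Python example that is not from the article or the research it reports. It uses a constructed toy FTL (the `ToyFTL` class, its 16-page size and the sample records are assumptions; garbage collection and wear levelling are not modelled) to show that overwriting every logical block through the host interface leaves the original data in unmapped physical pages.

```python
"""Toy flash translation layer (FTL): a constructed model, not any vendor's firmware."""


class ToyFTL:
    def __init__(self, physical_pages):
        self.flash = [None] * physical_pages  # raw contents of each physical page
        self.map = {}                         # LBA -> physical page currently holding it
        self.next_free = 0                    # append-only write pointer

    def write(self, lba, data):
        """Host write: pages are not rewritten in place, so use a fresh page and remap."""
        if self.next_free >= len(self.flash):
            raise RuntimeError("no free pages (garbage collection is not modelled)")
        self.flash[self.next_free] = data
        self.map[lba] = self.next_free        # the old page is unmapped but NOT erased
        self.next_free += 1

    def read(self, lba):
        """Host read: only the currently mapped page is visible through the LBA."""
        page = self.map.get(lba)
        return None if page is None else self.flash[page]

    def remnants(self):
        """Chip-level view: pages that still hold data although no LBA points to them."""
        live = set(self.map.values())
        return {p: d for p, d in enumerate(self.flash)
                if d is not None and p not in live}


def overwrite_sanitize(ftl, passes=1, pattern=b"\x00" * 8):
    """Traditional disk erasure: overwrite every LBA through the host interface."""
    for _ in range(passes):
        for lba in list(ftl.map):
            ftl.write(lba, pattern)


def demo():
    ftl = ToyFTL(physical_pages=16)
    ftl.write(0, b"ACCT-001")   # constructed sample records
    ftl.write(1, b"PIN=4821")
    ftl.write(0, b"ACCT-002")   # file modified: LBA 0 is remapped, old copy stays behind
    overwrite_sanitize(ftl)     # the host now reads only zeros from LBA 0 and LBA 1
    return ftl


if __name__ == "__main__":
    ftl = demo()
    print("host sees :", {lba: ftl.read(lba) for lba in ftl.map})
    print("raw flash :", ftl.remnants())
```

Verifying sanitization therefore means checking the physical pages, as `remnants()` does here, not reading back through the logical addresses.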

For another story, see item 44 below in the Communications Sector

Communications Sector

44. February 23, Help Net Security – (International) Spyware compromises 150,000+ Symbian devices. A new variant of spyware “Spy(dot)Felxispy” on Symbian devices causing privacy leakage has recently been captured by the National Computer Virus Emergency Response Center of China. According to NetQin Mobile, there have been more than a dozen variants of the spyware since it was first spotted, and the latest has affected more than 150,000 devices. Symbian is an open source system and software platform designed for smartphones and maintained by Nokia. Once installed, the spyware turns on the conference call feature without users’ awareness. When users are making phone calls, the spyware automatically adds itself to the call to monitor the conversation. NetQin Cloud Security Center detected that the spyware can remotely turn on the speaker on the phone to monitor sounds around users without the users’ awareness. It is also capable of synchronizing the messages the user received and delivered to the monitoring phone. Source: http://www.net-security.org/malware_news.php?id=1640

45. February 22, KXTV 10 Sacramento – (California) State Capitol vigil foe claims union web attack. A conservative radio talk show host who announced plans on his Web site to infiltrate a union solidarity vigil at the California capitol said his site had been shut down by a union cyberattack. “It was a massive denial-of-service attack that crashed the server,” said the host, 55, who had posted plans on his site to disrupt a candlelight vigil on the west steps of the capitol February 22. He said the computer attack began February 21. The site was still down early February 22, although the talk show host said February 22 it would be restored shortly. The vigil was organized by a number of labor groups to express solidarity for union supporters in Wisconsin fighting a Republican-led effort to strip collective bargaining rights. The Web site, cached by Google before it went down, encouraged anti-union activists to wear Service Employees International Union (SEIU) t-shirts concealing anti-union protest signs that would be brought out during the vigil: We will approach the cameras to make good pictures ... signs under our shirts that say things like “screw the taxpayer!” and “you OWE me!” to be pulled out for the camera (timing is important because the signs will be taken away from us). In a brief conversation with News10, the talk show host said he was never serious about the infiltration plan, and simply posted it on his Web site to bait his opponents. Source: http://www.news10.net/news/article.aspx?storyid=124287&provider=top&catid=188