Tuesday, May 31, 2011

Complete DHS Daily Report for May 31, 2011

Daily Report

Top Stories

• The Atlanta Journal-Constitution reports fierce storms hit the metro Atlanta, Georgia area, knocking out power to 240,000 customers and causing flash flooding that closed down numerous streets. (See item 1)

1. May 27, Atlanta Journal-Constitution – (Georgia) Flood warning lifted for DeKalb, Fulton. The fierce storms that left 3 people dead and nearly 200,000 utility customers without power moved out of Atlanta, Georgia, early May 27, but not before dumping enough rain to prompt flash flood warnings for Fulton and DeKalb counties. The National Weather Service issued flash flood warnings just before 5 a.m. for areas of central Fulton and DeKalb counties where as much as 3 inches of rain fell overnight, but lifted the warning about an hour later. Numerous interstate ramps and surface streets remained flooded before daybreak May 27. Georgia Power spokesman said about 49,000 customers statewide were without power at 7 a.m., with 42,000 of those in metro Atlanta. At the peak of the outages May 26, about 200,000 metro Atlanta customers and 240,000 across the state were in the dark, a spokesman said. Georgia Power was bringing in crews from across the state to help restore power. Source: http://www.ajc.com/news/metro-atlanta-weather-flood-957576.html?cxtype=rss_news

• According to CNN, nearly 700 patients and 100 employees at Emory University Hospital in Atlanta, Georgia have been exposed to tuberculosis. (See item 40)

40. May 27, CNN – (Georgia) Atlanta hospital notifies nearly 700 patients about TB exposure. Nearly 700 patients and 100 employees at Emory University Hospital in Atlanta, Georgia have been exposed to tuberculosis (TB) after coming in contact with a hospital employee carrying the disease, a hospital spokesman said May 26. The Georgia Department of Community Health and the hospital have identified 680 patients who were exposed to TB between November and February, a hospital spokesman said. Patients will begin getting tested for TB the week of May 30, he said. To date, no patients or employees have reported symptoms, he said. The hospital and the department began notifying people about the exposure this month, after an Emory employee was diagnosed in April with the infectious disease, he said. The employee did not know he had TB when he came in contact with employees and patients, the hospital said. The hospital took extra precautions by contacting patients who were in the hospital for 90 days before the day the employee is known to have developed the disease, he said. All hospital employees are screened for the disease and must receive screenings each year, it added. A hospital statement did not say whether the employee who developed TB had been screened. Source: http://edition.cnn.com/2011/HEALTH/05/26/georgia.tuberculosis.scare/

Details

Banking and Finance Sector

16. May 27, The Tennessean – (National) Fake bomb used to rob Music Row bank. Investigators are trying to identify a man who used a fake bomb to rob the Bank of America on Music Row in Nashville, Tennessee, May 26. The bank robber walked in at 11:20 a.m. and put the device on a teller’s counter, said it was a bomb and demanded money, according to police. The robber, a suspect in two other incidents, left the bank with an undisclosed amount of money and left the device behind. The police department hazardous devices nit later determined it was not a bomb. The man is also a suspect in the attempted robbery of the U.S. post office at 1109 Woodland Street less than an hour before the bank heist. He is also considered a suspect in a recent Goodlettsville, Tennessee bank robbery. Source: http://www.tennessean.com/article/20110527/NEWS/305270074/Fake-bomb-used-rob-Music-Row-bank?odyssey=nav|head

17. May 27, Charlotte Observer – (Missouri) Charlotte armored car robber sought. Local and federal authorities are offering a reward and asking the public’s help in finding the man they said robbed an armored car driver at gunpoint May 19 in Charlotte, North Carolina’s University City area. The FBI office in Charlotte said the robbery happened at 9 a.m. at a Bank of America ATM. According to the FBI, an armed man pointed the gun at a Loomis armored car driver who was servicing the ATM. The gunman grabbed a courier bag of money and ran down Technology Drive. The gunman is described as a black male, about 5 feet 7 inchess tall with medium build. He was wearing black clothing. A reward of up to $20,000 is being offered for information helping solve this case. Source: http://www.charlotteobserver.com/2011/05/27/2331332/charlotte-armored-car-robber-sought.html

18. May 27, Miami Herald – (Florida) Four of Scott Rothstein’s colleagues charged with fraud. A former attorney in a convicted con man’s Fort Lauderdale, Florida law firm — along with two other ex-employees and a one-time night club owner – were charged May 27 with conspiracy offenses related to the man’s $1.2 billion Ponzi scheme. All four Broward County men face one count of conspiring to commit wire fraud, which carries a potential maximum penalty of 5 years in prison. All the defendants are being charged by information, not by indictment. That means they are cooperating with the U.S. attorney’s office and are expected to plead guilty to the single conspiracy count. The scheme’s perpetrator was arrested in 2009, charged with racketeering, money laundering, and fraud stemming from the sale of phony legal settlements involving purported sexual harassment, discrimination, and whistle-blow lawsuits over the previous 4 years. He pleaded guilty in January 2010 and was sentenced to 50 years in prison and ordered to repay $363 million to about 320 victims from South Florida, the Northeast, and elsewhere. Source: http://www.miamiherald.com/2011/05/27/v-fullstory/2238217/four-of-scott-rothsteins-colleagues.html

19. May 27, NJtoday.net – (New Jersey) Three men indicted in bank robbery, shootout with police. A grand jury in Middlesex County, New Jersey, indicted three men on charges of robbing a bank in Franklin Township and then shooting at police officers while fleeing through North Brunswick and New Brunswick, where they were apprehended, a Middlesex County prosecutor announced May 26. The 24-count indictment charges the trio with counts of attempted murder of three New Brunswick police officers, armed robbery, conspiracy, theft, eluding police, the theft of two getaway vehicles, receiving stolen property, and weapons offenses for carrying five guns, including semi-automatic weapons and a sawed-off shotgun, during the March 12, 2009 robbery. Also, the grand jury handed up three separate indictments charging each of the defendants with five counts of illegally possessing weapons, as each had previously served prison terms for various offenses, and were banned by law from having weapons. Source: http://njtoday.net/2011/05/27/three-men-indicted-in-bank-robbery-shootout-with-police/

20. May 27, San Francisco Chronicle – (California) ATM repairman accused of loading fake money. An employee of an ATM servicing company has been charged with swapping $200,000 in fake bills for real cash at machines in Daly City and San Francisco, California, a prosecutor said May 26. The 64-year-old suspect was wanted on a warrant when he was arrested during a traffic stop in Phoenix, Arizona May 11, 10 months after the thefts, a San Mateo County District Attorney (DA) said. The man was an employee of Diebold, which services ATMs for Bank of America. On July 4, 2010, officials said he went to six bank branches in San Francisco and one in Daly City and stole about $200,000 by replacing cash in the machine trays with counterfeit or photocopied $20 bills, the DA said. He used his work card key to access the ATMs and was captured on video at all seven locations, authorities said. The next day, he “abandoned his wife and disappeared,” the DA said. His wife reported him missing and angry Bank of America customers contacted the bank to complain about the fake money, authorities said. He pleaded not guilty in San Mateo County Superior Court to charges of burglary, embezzlement, forgery, and possession of counterfeiting apparatus, and faces similar charges in San Francisco. Source: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2011/05/27/BANQ1JLBKP.DTL

21. May 26, Eliicot City Patch – (Maryland) Arrests made in armored car robberies in Ellicott City, Silver Spring. Two men accused of robbing armored car employees in Howard County and Montgomery County, Maryland were arrested May 26. Police said the men robbed an armored car in Ellicott City December 27, 2010, and an armored car in front of a bank in Silver Spring April 4, 2011. Both have been charged in the Howard County case with one count each of armed robbery, robbery, first-degree assault, second-degree assault, theft, and using a handgun to commit a felony, according to police. They are also facing charges from the Montgomery County case: one count of armed robbery, and one count of conspiracy to commit armed robbery, police said. Their arrests stemmed from the investigation of the Silver Spring case where a Dunbar armored car guard was robbed at a Bank of America on the 11400 block of Old Columbia Pike, according to police. Source: http://ellicottcity.patch.com/articles/arrests-made-in-armored-car-robberies-in-ellicott-city-silver-spring

22. May 26, Associated Press – (New Jersey) NY man admits ‘skimming’ ATMS for nearly $300K. A Bulgarian native has admitted scanning personal information from an ATM in northern New Jersey and stealing nearly $300,000. The man pleaded guilty May 26 in federal court in Newark, New Jersey, to bank fraud conspiracy, and aggravated identity theft. The man was arrested last fall. He was accused of using an electronic device to skim identity and account information from Valley National Bank branches in Nutley, and Belleville. The Queens, New York, resident and others allegedly withdrew nearly $300,000 using the stolen personal identification numbers. The bank fraud conspiracy charge carries a maximum potential penalty of 30 years in prison. Aggravated identity theft carries a mandatory consecutive 2-year prison term. Source: http://online.wsj.com/article/AP55d27bec47994e1e84d5640d74b58f4b.html

Information Technology

52. May 27, IDG News Service – (International) Jury convicts two for selling counterfeit Cisco gear. A U.S. federal jury convicted two people the week of May 23 over a scheme to import and sell counterfeit Cisco-branded networking equipment, the U.S. Department of Justice (DOJ) said May 26. The jury found a woman from Virginia guilty of conspiracy and 15 other counts related to import fraud and counterfeit labeling, the DOJ said. She ran the U.S. headquarters of a Chinese company that stole intellectual property and defrauded customers, the DOJ statement said, citing a U.S. attorney. The woman took millions of dollars from unsuspecting U.S. consumers and businesses, the attorney said. The jury’s May 24 verdict also convicted a second suspect, a man from Maryland, of conspiracy, the statement said. The man from Maryland, and the woman from Virginia, and family members in China had operated a “large-scale counterfeit computer networking equipment business” under the name Han Tong Technology (Hong Kong), the DOJ said. The woman from Virginia and others working with her had defrauded U.S. buyers through a company in Virginia called JDC Networking. JDC Networking used pirated software to alter Cisco products and falsify labels, the DOC said. The woman used different names and addresses on import documents, and hid millions of dollars of counterfeit proceeds through bank accounts and property under the names of family members in China, the statement said. Source: http://www.computerworld.com/s/article/9217106/Jury_convicts_two_for_selling_counterfeit_Cisco_gear

53. May 27, Softpedia – (International) Pharma spam campaign distributes fake Apple AppStore emails. Security researchers from Finnish antivirus vendor F-Secure warn about a wave of pharma spam e-mails masquerading as official communications from Apple’s AppStore. The e-mails bear a subject of “ID:[random number] Apple AppStore Order Cancellation” and come with spoofed headers to appear as if they from an AppStore@apple(dot)com address. The messages were created using a real Apple AppStore e-mails template, but all links inside have been replaced with ones leading to rogue online pharmacies. There are two links, one on the random ID number and one on “order information.” The e-mails are designed to make recipients ask themselves questions like why was his order canceled or why was there an order in the first place. In both cases, users will likely click on the links to obtain more information, only to find themselves taken to a rogue pharmacy Web site selling prescription drugs. Source: http://news.softpedia.com/news/Pharma-Spam-Campaign-Distributes-Fake-Apple-AppStore-Emails-202746.shtml

54. May 27, H Security – (International) DNSSEC signature can crash Bind name servers. Where a Bind name server is set up as a caching resolver, it is vulnerable to DoS attacks which could cause it to crash. The Internet Systems Consortium (ISC) describes the issue in its advisory Large RRSIG RRsets and Negative Caching can crash named and categorises the problem, which can be triggered remotely, as “high” severity. The DNSSEC extension plays a key role in the latest security problem to hit the widely used name server. It appears the internal memory manager can become confused when it has to cache signed entries for non-existent domains. A member of ISC confirmed to H Security’s associates at heise Security that servers which do not themselves offer DNSSEC functionality are also vulnerable. According to ISC, to exploit the bug an attacker must be running a DNSSEC-signed authority server for a domain. He would then be able to induce DNS lookups for non-existent names on that domain (for example by sending out spam), which would trigger the bug on the vulnerable name server. Versions 9.4-ESV-R3, 9.6-ESV-R2, 9.6.3, 9.7.1, 9.8.0 and earlier are all affected. ISC has released updates that should fix the problem. Source: http://www.h-online.com/security/news/item/DNSSEC-signature-can-crash-Bind-name-servers-1251729.html

55. May 26, The Register – (International) Google Web Store quietly purged of nosy apps. Google’s Chrome Web Store has quietly been purged of at least two games after a blogger revealed the Flash-based browser extensions had unfettered access to all Web site data, browsing history, and bookmarks stored on users’ computers. The removal of Super Mario World and Super Mario World 2 came without explanation following a post published May 26 a by mobile-security blogger who read the fine print in Google’s Chrome application store. The most troubling caveat: “This item can read every page that you visit –- your bank, your web email, your Facebook page, and so on. Often, this kind of item needs to see all pages so that it can perform a limited task such as looking for RSS feeds that you might want to subscribe to. Caution: Besides seeing all your pages, this item could use your credentials (cookies) to request your data from websites.” “It’s pretty obvious how potentially bad the Mario extension could be, particularly when this is supposed to be just a Flash game,” the blogger wrote. “What really irks me though is the ‘permissions by default’ installation. You click one button and it’s there, almost immediately with no prompt.” Source: http://www.theregister.co.uk/2011/05/26/google_web_store_privacy_threats/

56. May 26, Softpedia – (International) Trend Micro joins Sophos in criticizing Microsoft SmartScreen stats. Trend Micro researchers are backing up anti-malware experts from Sophos in claiming Microsoft’s recently published SmartScreen numbers might lead to a false sense of security. Starting with Internet Explorer (IE) 9, Microsoft has added an application reputation component to the browser’s SmartScreen filter. The SmartScreen technology was introduced in Internet Explorer 7 as a malicious URL blocking feature and, according to the browser vendor, it has blocked 160 million phishing pages and 1.5 billion malware distribution sites. Microsoft claims IE’s new app reputation filter kicks in immediately when a new attack is launched, unlike traditional antivirus signatures that start appearing much later. The company said SmartScreen warnings only appear for 1 in 10 downloads, and that 1 in 14 downloaded files ultimately confirmed as malware. The week of May 16, a senior security advisor at Sophos expressed concerns about the numbers released by Microsoft. He said the statistics lack comparison with other, more prevalent, Web infection vectors such as drive-by downloads. Drive-by download attacks occur when Web sites exploit vulnerabilities in plug-ins such as Java, Flash, or Adobe Reader to install malware on computers. In these cases, the browser has no control over the downloads. Source: http://news.softpedia.com/news/Trend-Micro-Joins-Sophos-in-Criticizing-Microsoft-SmartScreen-Stats-202516.shtml

57. May 26, Softpedia – (International) Fake YouTube emails lead to rogue pharma sites. A wave of spam e-mails purporting to come from YouTube direct users to rogue online pharmacies through compromised legitimate Web sites. According to Belgian e-mail security vendor MX Lab, the new spam campaign generates e-mails that bear a subject of “YouTube Administration sent you a message: Your video on the TOP of YouTube.” The fake communications have their header spoofed to appear as if they originate from a service@youtube(dot)com e-mail address and are built based on a YouTube template. There are several links inside the message, including the youtube(dot)com one, one on the word “inbox,” one on “YouTube Administration,” as well as three in top right menu, “help center,” “e-mail options” and,”report spam.” All links point to redirect scripts hosted on legitimate compromised Web sites that further take users to sites pushing unregulated drugs under the Canadian Family Pharmacy brand. Passing spam e-mails as official communications from social media Web sites is not a new technique, but YouTube is not a regular target for such campaigns. Source: http://news.softpedia.com/news/Fake-YouTube-Emails-Lead-to-Pharma-Spam-202571.shtml

58. May 25, Softpedia – (International) Mariposa is making a comeback. Security researchers from Trend Micro warn that Mariposa, once one of the largest botnets in the world, is slowly, but steadily, growing back to its former self. Mariposa was the name given to a particular botnet, which at its peak, was made up of as many as 12 million infected computers spread across 190 countries. The Mariposa botnet was based on a variant of a worm called Palevo or Rimecud, which is capable of spreading using a variety of methods, including exploiting Windows vulnerabilities, copying itself to removable storage devices and network shares, as well as sending itself over instant messaging and p2p file sharing programs. Mariposa was dismantled in March 2010 and another big arrest was made in July. Following these events, the worm’s activity registered a steep decline. But Trend Micro researchers said the malware started gaining traction again in Q4 of 2010. In fact, the worm is almost as active now as in Q1 2010 when it was taken down. According to abuse tracking Web site abuse.ch, there are currently 118 Palevo command and control servers being tracked. Source: http://news.softpedia.com/news/Mariposa-Is-Making-a-Comeback-202386.shtml

Communications Sector

59. May 27, Binghamton Press – (New York) 669 phone exchange out of service. The 669 telephone exchange, which serves the Town of Binghamton, New York, was out of service May 27, the Broome County Office of Emergency Services said. Frontier Telecom is responding, although there was no time estimate for repairs. Residents affected by the outage can call 911 on their cell phones in the event of an emergency, or visit Town of Binghamton Fire Station 1 at 967 Hawleyton Road, where crews are waiting to assist. Source: http://www.pressconnects.com/article/20110527/NEWS01/110527005/669-phone-exchange-out-service?odyssey=nav|head

60. May 26, Bradenton Herald – (Florida) Verizon looks to have phone lines fixed by 4 a.m. A major line break of Verizon fiber lines disrupted land line and cell phone service May 26 for an estimated 3,600 customers in Myakka and East Manatee in Brandenton, Florida. Crews were working to restore the lines and expected them to be running by 4 a.m. May 27, according to the media relations manager with Verizon. Manatee County Public Safety Department advised that anyone who could not dial 911 with an emergency should seek help at the Myakka Fire Department. Customers with a 322 exchange were told to call the fire department for assistance. The media relations manager with Verizon said the fiber was cut by a crew working 6 to 7 miles east of Interstate 75 on Fruitville Road. He added that it was not a Verizon crew. Source: http://business-video.tmcnet.com/news/2011/05/26/5538327.htm

Friday, May 27, 2011

Complete DHS Daily Report for May 27, 2011

Daily Report

Top Stories

• Citing a May 24 Los Angeles Times article, IDG news reports a Bank of America (BoA) insider sold customer data to criminals, costing the bank at least $10 million. See item 16 below in Banking and Finance.

• According to the Associated Press, a California high school chemistry teacher accused of helping students ingest chloroform, was arrested again, after investigators learned she kept nitroglycerin in her classroom. (See item 39)

39. May 25, Associated Press – (California) Calif. teacher re-arrested after explosives found. A 34-year-old chemistry teacher accused of helping students ingest chloroform was arrested again May 25 in Atwater, California, after investigators learned she might be storing an explosive-making material in her classroom. She was arrested at her home on suspicion of possessing an explosive device. Police took her to her classroom at Livingston High School, where she cooperated with detectives to find a small amount of nitroglycerin, a Livingston police sergeant said. Nitroglycerin is used as an active ingredient in the manufacture of explosives, especially dynamite. The teacher had been out on bail after she was arrested earlier the week of May 23 on suspicion of child endangerment. Authorities had accused her of helping three students at the school inhale chloroform during after-school study hall sessions. The three male students — ages 16, 17, and 18 — told investigators that they fell asleep or passed out after ingesting the chloroform, an anesthetic that can cause feelings of euphoria but in high levels can cause unconsciousness or even death. Police re-arrested the teacher after interviewing her and the students and finding documents in her classroom showing she might be storing explosive materials, the police sergeant said. When the nitroglycerin was found at about 2 p.m., about 1,100 students were evacuated for the day, and a hazardous material team and bomb squad were sent into the school. Investigators detonated the material in a field behind the school. Source: http://www.miamiherald.com/2011/05/25/2235042/calif-cops-probe-if-teacher-was.html

Details

Banking and Finance Sector

14. May 25, Reuters – (Ohio) FBI says mullet bandit holds up another bank. The Ohio bank robber dubbed the “mullet bandit” by federal authorities appears to have struck again May 25. The latest heist took place at a Key Bank branch on Stringtown Road in Grove City. The FBI said a man matching the physical description of the mullet-wearing suspect sought in two previous holdups walked into the bank and handed a teller a note, saying he was robbing the bank, had a gun, and would hurt the teller if she did not cooperate. The robber was dressed in the mullet bandit’s garb, including Seattle Mariners baseball cap, and large dark sunglasses. He is wanted in connection with two previous bank robberies May 18 and May 5 in Columbus. Source: http://www.reuters.com/article/2011/05/26/us-mullet-bandit-idUSTRE74P02A20110526

15. May 25, Associated Press – (Idaho) Broker reaches plea deal in E. Idaho fraud case. Federal prosecutors reached a plea agreement May 25 with a former Idaho Falls, Idaho investor accused of duping clients out of millions of dollars in a Ponzi scheme. KPVI 6 Pocatello reported the man agreed to plead guilty to one count of wire fraud and one count of money laundering. Prosecutors filed the charges against the man during the week of May 16, culminating a 2-year FBI investigation. The man has already been ordered to pay about $90 million in restitution and fines. Investigators accused him of operating a Ponzi scheme through his company Trigon Group that fraudulently took more than $76 million from 68 separate investors. Source: http://www.stamfordadvocate.com/default/article/Broker-reaches-plea-deal-in-E-Idaho-fraud-case-1396152.php

16. May 25, IDG News – (National) Insider data theft costs Bank of America $10 million. A Bank of America (BoA) insider who sold customer data to criminals cost the bank at least $10 million in losses, the Los Angeles Times reported May 24. BoA began notifying customers of the incident recently, but is not providing many details of the case which is still under investigation. The theft, “involved a now former associate who provided customer information to people outside the bank, who then used the information to commit fraud against our customers,” said a BoA spokeswoman in an e-mail message. About 95 members of the loosely affiliated criminal gang behind the alleged fraud, including the bank employee, were swept up in a February 2011 law enforcement action, a special agent with U.S. Secret Service in Los Angeles, California, said. The scammers stole “names, addresses, Social Security numbers, phone numbers, bank account numbers, driver’s license numbers, birth dates, e-mail addresses, mother’s maiden names, PINs and account balances.” It is not clear how many bank customers were actually affected by the fraud. Los Angeles Times quoted a BoA spokeswoman as saying there were “about 300” victims, located in the western United States. She would not confirm that this number was accurate May 25, and she would not say how many notification letters BoA sent out. Source: http://www.pcworld.com/businesscenter/article/228705/insider_data_theft_costs_bank_of_america_10_million.html

17. May 25, Federal Bureau of Investigation – (Florida; Connecticut) Stratford man admits structuring more than $943,000 in cash transactions. A 54-year-old Stratford, Connecticut man pleaded guilty May 25 in Bridgeport to one count of illegally structuring cash transactions. Structuring involves the repeated depositing or withdrawal of amounts of cash less than the $10,000 limit, or the splitting of a cash transaction that exceeds $10,000 into smaller cash transactions to avoid federal reporting requirements. According to court documents and statements, the man made more than 70 large cash deposits into his savings account, and more than 30 large cash payments to his personal line of credit account between May 2006 and October 2009. The vast majority of the cash transactions were in the amount of $9,000, and none exceeded $10,000. In total, the man structured about $943,000 in cash deposits and line of credit payments. He used the funds to buy properties in Connecticut and Florida. He also used more than $270,000 to settle a business dispute with his former partner. He faces a maximum term of imprisonment of 10 years, and a fine of up to $500,000. He also has agreed to forfeit about $388,540 to the government. Source: http://newhaven.fbi.gov/dojpressrel/pressrel11/nh052511.htm

18. May 25, San Luis Obispo Tribune – (California) A.G. woman stole $110,000 from bank, prosecutors say. FBI agents May 24 arrested an Arroyo Grande, California woman accused of stealing $110,000 from the local bank branch where she worked, according to federal prosecutors. The indictment accuses the suspect of stealing the money while working in 2010 at a branch of U.S. Bank in Arroyo Grande. It alleges she stole nearly $100,000 from two customers’ accounts, as well as $10,000 in cash from the bank’s vault. The investigation revealed she secretly accessed the bank’s computer system and changed the contact information for the accounts of two elderly customers at the bank, according to prosecutors. After changing the contact information, she then allegedly closed the accounts and took out cashier’s checks for the balance of each account. When one of the customers went to the bank and learned his account had been closed, she allegedly went into the bank’s vault and took $10,000 in cash. The indictment alleges she stole $50,907 February 24, 2010, $48,163 February 26, 2010, and $10,000 in cash from the bank vault June 7, 2010. Each count of theft by a bank employee carries a maximum penalty of 30 years in federal prison, and a fine of up to $1 million. Source: http://www.sanluisobispo.com/2011/05/24/1613844/us-bank-stolen-money.html

19. May 23, eWeek – (International) Virus attack on Dow Jones network raises suspicion of insider malice. A computer virus hit Dow Jones’ corporate networks May 12, 2 days after 34 employees represented by the Independent Association of Publishers’ Employees (IAPE) were laid off, Adweek reported May 20. Most of the laid-off staff were part of the IT department. Dow Jones has not informed the union whether it suspects any “current or former employee” of any involvement in the malware incident, an IAPE spokesperson told eWeek. However, the IAPE president said that was not likely as the virus was “complicated and intricate enough” that there was not enough time between when the layoffs occurred and when the infection began for the virus to be loaded. Dow Jones employees were informed via a companywide e-mail that its servers, network, and data were not compromised by the virus, but that it had slowed down infected computers, Adweek said. Employees also received numerous voicemail and e-mail messages to power down the computers until they could be cleaned. The virus had “morphed,” making antivirus software ineffective in detecting the infection. By May 18, the company had determined the virus was designed to steal credentials from banking sites, and directed employees not to use any banking sites for the time being. Source: http://www.eweek.com/c/a/Security/Virus-Attack-on-Dow-Jones-Network-Raises-Suspicion-of-Insider-Malice-171727/

Information Technology

45. May 26, Softpedia – (International) Google patches Android session hijacking vulnerability server-side. Google has patched a security hole in its ClientLogin authentication protocol that allowed potential attackers to steal authentication tokens for several services. The week of May 16, researchers from the University of Ulm in Germany published a research paper that revealed that over 99 percent of Android smartphones were vulnerable to session hijacking attacks. This was because Google Calendar and Contacts sync operations were being performed over unencrypted connections. Just like with browsers and session cookies, sending authentication tokens over plain HTTP connections poses a lot of risks, especially when connected over open Wi-Fi hotspots. Attackers can capture the unecrypted traffic by mounting a so called evil twin attack where they duplicate the wireless network SSID, and extract the ClientLogin authentication tokens. The tokens remain valid for 14 days and allow attackers to download the victim’s calendar information and contact book. To mitigate this, Google made server-side changes that force all Android devices to use HTTPS connections when syncing calendar and contacts. Source: http://news.softpedia.com/news/Google-Patches-Android-Session-Hijacking-Vulnerability-Server-Side-202607.shtml

46. May 26, Softpedia – (International) WordPress 3.1.3 contains security fixes and clickjacking protection. The WordPress development team has released version 3.1.3 of the popular blog publishing platform which fixes several security issues and introduces clickjacking protection. A moderately critical vulnerability that allows attackers to execute rogue PHP code on servers with certain configurations has been patched. The flaw, disclosed earlier in May, allows users with “Author” permission to upload and execute php files with extra media extensions (.jpg or .gif) on Web servers that are not configured to handle them. A separate php code execution flaw that does not require any special Web server configuration has also been patched, but no exploit or details have been made public. Other changes in this release address cross-site scripting (XSS) weaknesses and a privacy issue with WordPress backups. The taxonomy querying has also been hardened against attacks, and an information disclosure flaw that can result in the exposure of non-author user names was patched. Two Microsoft researchers contributed media security fixes, and the security of the file upload process was improved. A cleanup routine for unfinished imports was also added. Source: http://news.softpedia.com/news/WordPress-3-1-3-Contains-Security-Fixes-and-Clickjacking-Protection-202462.shtml

47. May 25, Computerworld – (International) Newest MacDefender scareware installs without a password. Hours after Apple owned up to a fake security software scam campaign, the “scareware” gang released a new variant, with a new name, MacGuard, and a streamlined installation process that does not prompt victims for their password, a French antivirus firm said May 25. “Given the timing, and the new name, it does seem like this was their reaction to Apple’s support document,” said a spokesman for Intego, a maker of Mac-specific security software. Apple May 24 acknowledged the threat. The cyber criminals also changed the way they distribute the fake security program, breaking it into two parts: a small downloader, dubbed “avRunner,” which once on a Mac reaches out to a hacker-controlled site to download the phony MacGuard security software. “Unlike the previous variants, no administrator password is required to install the downloader,” the Intego researcher said. “People will still see an installer screen — [the attackers] haven’t gotten to the point where they’re completely avoiding that yet — but all one needs to do to install is click ‘OK’ a couple of times. So it’s one less hurdle.” avRunner sidesteps the need for an administrator password by putting itself directly in the Applications folder. avRunner then grabs MacGuard from a remote server. Source: http://www.computerworld.com/s/article/9217061/Newest_MacDefender_scareware_installs_without_a_password

48. May 25, The Register – (International) 35m Google Profiles dumped into private database. Proving that information posted online is indelible and trivial to mine, an academic researcher has dumped names, e-mail addresses, and biographical information made available in 35 million Google Profiles into a massive database that took just 1 month to assemble. The University of Amsterdam Ph.D. student said he compiled the database as an experiment to see how easy it would be for private detectives, spear phishers, and others to mine the vast amount of personal information stored in Google Profiles. The verdict: It was not hard at all. Unlike Facebook policies that strictly forbid the practice, the permissions file for the Google Profiles URL makes no prohibitions against indexing the list. Also, Google engineers did not impose any technical limitations in accessing the data, which is made available in an extensible markup language file called profiles-sitemap.xml. Source: http://www.theregister.co.uk/2011/05/25/google_profiles_database_dump/

49. May 25, H Security – (International) ElcomSoft cracks iOS encryption system. Security researchers from Elcomsoft have discovered a method that allows them to copy and decrypt the memory of iPhones that have built-in hardware encryptionPDF (3GS and 4); iPod Touch (3rd generation or later); and all iPad models. They apparently read the memory directly, which, for instance, even enabled them to restore deleted data. ElcomSoft said this is particularly relevant for forensic investigations. The researchers explained that a custom kernel with a special RAMDisk driver first must be loaded into the iPhone in Device Firmware Upgrade mode – which works in a similar way to booting a PC from an external hard disk. Then, the Flash memory can be read without the need to access the iOS file system drivers, and an exact copy can be obtained. ElcomSoft uses various keys to decrypt the image; these keys are extracted by special tools that can be run on the iPhone or calculated at run-time.

Source: http://www.h-online.com/security/news/item/ElcomSoft-cracks-iOS-encryption-system-1250526.html

50. May 25, The Register – (International) Unpatched IE bug exposes sensitive Facebook creds. An independent security researcher has devised an attack that remotely steals digital credentials used to access user accounts on Facebook and other Web sites by exploiting a flaw in Microsoft’s Internet Explorer (IE) browser. The researcher demonstrated his “cookiejacking” proof of concept the week of May 16 at the Hack in the Box security conference in the Netherlands. It exploits a flaw present in all current versions of IE to steal session cookies that Facebook and other Web sites issue once a user has entered a valid password and corresponding user name. The cookie acts as a digital credential that allows the user to access a specific account. The proof of concept code targets cookies issued by Facebook, Twitter, and Google Mail, but the researcher said the technique can be used on virtually any Web site and affects all versions of Windows. The attack exploits a vulnerability in the IE security zones feature that allows users to segregate trustworthy Web sites from those they do not know or do not ever want to access. By embedding a special iframe tag in a malicious Web site, an attacker can circumvent this cross zone interaction and cause the browser to expose cookies stored on the victim’s computer. Source: http://www.theregister.co.uk/2011/05/25/microsoft_internet_explorer_cookiejacking/

51. May 25, Softpedia – (International) Rogue VirusTotal Website distributes Java malware. Security researchers from antivirus vendor Kaspersky Lab have come across a fake VirusTotal Web site that is being used to distribute malware via a Java-based downloader. VirusTotal is a popular service that allows users to scan files with many antivirus engines. The site is used by hundreds of thousands of professionals and regular users on a daily basis. The spoofed site discovered by Kaspersky looks exactly like the real one and prompts users to run a Java applet. Because the applet is not signed with a valid certificate, users are asked to confirm its execution. The applet is actually a Java-based trojan downloader that distributes a piece of malware detected by Kaspersky as Worm(dot)MSIL.Arcdoor.ov. The botnet is controlled through a commercial Web-based DDoS framework known as N0ise. It accepts commands to initiate several types of DDoS, report the hostname of the victim machine, type, and version of the operation system, as well as the version of the malware itself. Source: http://news.softpedia.com/news/Rogue-VirusTotal-Website-Distributes-Java-Malware-202387.shtml

For another story, see item 19 above in Banking and Finance

Communications Sector

See items 45 and 49 above in Information Technology