Friday, October 28, 2011

Complete DHS Daily Report for October 28, 2011

Daily Report

Top Stories

• The Chemical Safety Board said in a new report that 26 incidents since 1983 that killed 44 people near oil and gas facilities could have been prevented with basic security measures, warning signs, and safer storage tanks. – EHS Today (See item 2)

2. October 27, EHS Today – (National) Chemical Safety Board: oil and gas exploration and production sites are hazardous to the public. On October 27, the Chemical Safety Board (CSB) issued recommendations to the U.S. Environmental Protection Agency, state regulators, the National Fire Protection Association (NFPA), and the American Petroleum Institute (API) aimed at reducing fires and explosions at oil and gas exploration and production facilities. A new report from CSB identifies 26 incidents since 1983 that killed 44 people and injured 25 others under the age of 25. Three of the explosions included in the report occurred at oil and gas production facilities in Mississippi, Oklahoma and Texas that killed and injured members of the public between October 2009 and April 2010. The report found children and young adults frequently socialize at oil sites in rural areas, unaware of the explosion hazards from storage tanks that contain flammable hydrocarbons like crude oil and natural gas condensate. The unintentional introduction of an ignition source (such as a match, lighter, cigarette or static electricity) near tank hatches or vents can trigger an internal tank explosion, often launching the tank into the air, killing or injuring people nearby. "After reviewing the work of our investigators I believe that these incidents were entirely preventable," said the CSB Chairman. "Basic security measures and warning signs – as well as more safely designed storage tanks – will essentially prevent kids from being killed in tank explosions at these sites." Source: http://ehstoday.com/standards/concensus/csb_oil_production_hazardous_1027/

• Eleven people, including two doctors, were charged in a major fraud scheme in which hundreds of workers for Long Island Railroad made false disability claims that may have cost a federal pension agency as much as $1 billion. – New York Times (See item 44)

44. October 27, New York Times – (New York) 10 arrested in $1 billion L.I.R.R. disability scheme. Eleven people, including two doctors and a former union president, were charged October 27 in a major fraud scheme in which hundreds of workers for Long Island Rail Road (LIRR) in New York made false disability pension claims that may have cost a federal pension agency $1 billion, according to court papers. A total of 10 of the defendants — seven former railroad workers charged with making false pension claims, the former union president, a former federal railroad pension agency employee who helped the workers file the claims, and one of the doctors — were taken into custody in the early morning hours at their homes by FBI agents and state investigators, officials said. The other doctor was expected to surrender in the coming days. All were charged with mail fraud and conspiracy to commit health care fraud, according to a criminal complaint filed in the case. The defendants in custody were expected to be arraigned October 27 in federal court in Manhattan. The federal investigation followed reporting by The New York Times for a series of articles published in 2008 that revealed systematic abuses of Railroad Retirement Board pensions by LIRR workers. The Times articles reported that virtually every career employee of the railroad was applying for and receiving disability payments, giving the LIRR a disability rate of three to four times that of the average railroad. The two doctors, board-certified orthopedists, were paid between $800 to $1,200 for each fake assessment and narrative, in addition to millions in health insurance payments they received for unnecessary medical treatments and fees for preparing false medical records to support the disability claims, the complaint said. Source: http://cityroom.blogs.nytimes.com/2011/10/27/ten-arrested-in-1-billion-l-i-r-r-disability-scheme/?smid=tw-nytimes&seid=auto

Details

Banking and Finance Sector

21. October 26, Reuters – (Massachusetts) Massachusetts charges BNY Mellon with forex fraud. Massachusetts' top securities regulator charged Bank of New York (BNY) Mellon October 25 with fraud for having allegedly overcharged the state's pension fund on currency trades for more than a decade. In an administrative complaint, the secretary of the commonwealth said the bank had applied undisclosed markups in currency trading while acting as a custodian for the state's $46 billion pension fund. "In reality, BNY Mellon's Standing Instruction Service was a hidden scheme that rigged the pricing of non-negotiated foreign exchange transactions while maximizing profits for the bank," the secretary said in the complaint. Massachusetts has now joined a handful of states taking action against companies like BNY Mellon and Boston-based State Street Corp., saying they cheated public pension funds on currency transactions by failing to charge the funds the rates the banks paid, instead forcing them to pay the day's highest rates and pocketing the difference. An audit by Massachusetts shows BNY Mellon, the world's biggest custodial bank, overcharged Massachusetts by $30.5 million since 2000. The state's treasurer said earlier this year that Massachusetts had paid nearly eight times as much as other customers did for certain transactions. Source: http://www.reuters.com/article/2011/10/26/massachusetts-mellon-idUSN1E79P12Z20111026

22. October 26, Bloomberg – (New York; New Jersey) Securities trader Kupersmith indicted for $60 million fraud. A stock trader and five alleged shell companies were charged October 26 with taking part in $60 million in allegedly illegal stock trades. The trader used assumed identities to create the companies, defrauding at least six broker-dealers of more than $830,000, a Manhattan district attorney said. He told the dealers the companies were well-financed and had relationships with reputable banks, when in fact they had no such relationships, the district attorney said. The district attorney's investigation, coinciding with probes by the U.S. attorney's office in New Jersey and the U.S. Securities and Exchange Commission, covered trades from 2008 to 2010 through New York-based Antibe Arbitrage Group Inc. and Northbrae Capital Group Inc. and New Jersey-based Atlantic Southern Capital Group Inc., Fullerton Capital Group Inc., and Oxford Smith Advisors LLC, authorities said. The trader faces charges of first- and second-degree grand larceny, scheming to defraud, and violating general business law. Source: http://www.businessweek.com/news/2011-10-26/securities-trader-kupersmith-indicted-for-60-million-fraud.html

Information Technology Sector

51. October 27, V3.co.uk – (International) Cisco warns of remote code flaw in Security Agent software. Cisco is advising administrators to update systems following the discovery of a remote code execution vulnerability in Security Agent 6.0, V3.co.uk reported October 27. The flaw could allow an attacker to remotely target the Oracle Outside component for the Fusion Middleware platform to access the Cisco software on Windows systems. Cisco said in a security advisory successful exploitation would allow the attacker to execute code and control the targeted system with administrator rights. Cisco has released a free patch and is advising customers to obtain the Cisco Security Agent 6.0.2.151 fix through their service provider or hardware retailer. No other mitigations for the vulnerability are known. Proof-of-concept code for the flaw has been posted, but Cisco has not received any reports of the vulnerability being exploited in the wild. No other products or components are believed to be affected. Source: http://www.v3.co.uk/v3-uk/news/2120369/cisco-warns-remote-code-flaw-security-agent-software

52. October 27, Help Net Security – (International) Fake DHL delivery notification carries info-stealer Trojan. Malware peddlers have once again started a spam run that consists of e-mails purportedly sent by DHL, Help Net Security reported October 27. They spoofed the sender information, making it look like the e-mail was sent from "DHL Express International Support," and the subject line says it is a "DHL Express Notification for shipment for 26 Oct 2011," said MX Lab. Apart from the usual (legitimate) information about the company, the e-mail contains a request not to reply to the e-mail as it is used by an automated application, and an invite to open the attached file for more details about the shipment. When unzipped, the attached file reveals an executable — DHL-Delivery-Notification-Message-102611(dot)exe. Users are advised to be on the lookout for this spam e-mail and to delete it without opening, because the attached executable seems to be a Zbot Trojan variant currently detected only by a few AV solutions. It is also likely the date in the subject line will be changed if the campaign continues for a few days, so slight variations of the e-mail can be expected. Source: http://www.net-security.org/malware_news.php?id=1888

53. October 27, Help Net Security – (International) Cisco WebEx Player WRF file processing vulnerabilities. Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) player, Help Net Security reported October 27. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user. The Cisco WebEx Players are applications that are used to play back WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. The players can be automatically installed when the user accesses a recording file that is hosted on a WebEx meeting site. The Microsoft Windows, Apple Mac OS X, and Linux versions of the players are all affected. Affected versions of the players are those prior to client build T26 SP49 EP40 and T27 SP28. If the WRF player was automatically installed, it will be automatically upgraded to the latest, nonvulnerable version when users access a recording file hosted on a WebEx meeting site. If the WRF player was manually installed, users will need to manually install a new version of the player after downloading the latest version. Cisco has released free software updates that address these vulnerabilities. Source: http://www.net-security.org/secworld.php?id=11851

54. October 26, TG Daily – (International) Tsunami-A OS X trojan spotted in the wild. Security researchers have identified a new backdoor trojan targeting systems running Mac OS X, TG Daily reported October 26. Tsunami appears to be a port of Troj/Kaiten, a Linux Trojan that embeds itself on a computer system and monitors an IRC channel for further instructions. As a Sophos Security researcher noted, trojans like Tsunami/Kaiten are typically used to drag infected computers into coordinated DDoS (distributed denial-of-service) attacks, which flood a targeted Web site server with massive amounts of traffic. "It's not just a DDoS tool though," the researcher said. As evidenced by the portion of OSX/Tsunami's source code, "the bash script can be given a variety of different instructions and can be used to remotely access an affected computer." Source: http://www.tgdaily.com/security-features/59283-tsunami-a-os-x-trojan-spotted-in-the-wild

For more stories, see items 55 and 56 below in the Communications Sector

Communications Sector

55. October 27, Santa Cruz Sentinel – (California) AT&T fixes SLV Internet service outage. AT&T made good on a promise to San Lorenzo Valley, California customers to resume Internet service October 26 after service was interrupted October 25. A fiber cable was accidentally cut the afternoon of October 25 by a Granite Construction crew working on Graham Hill Road in Felton, an AT&T spokesman said. The Graham Hill Road work was a project being done under contract for the county department of public works, according to the department's assistant director. A University of California Santa Cruz employee reported AT&T internet service was out in Ben Lomond and Felton. Some customers in the Pasatiempo area reported a 4-day outage in the first week of October, but a spokesman said he was unaware of that issue. Source: http://www.santacruzsentinel.com/business/ci_19203549

56. October 26, Associated Press – (Washington) CenturyLink cable cut for second time near Pasco. A contractor doing some plowing south of Pasco, Washington, October 26 accidentally hit a CenturyLink fiber optic cable — the second time in as many days that the cable has been cut, causing outages. It happened about 13 miles south of Pasco. A spokeswoman said it was unclear how the cable was cut twice in the same area since it is well-marked. The cable was cut October 26 by a contractor unrelated to CenturyLink. The 6-hour outage October 25 was caused by a different crew. It affected 911 service in Columbia County and long distance and Internet service in Pasco and Walla Walla for about 20,000 customers. CenturyLink expected repairs to go more quickly October 26. Source: http://www.theolympian.com/2011/10/26/1853119/centurylink-cable-cut-for-second.html

57. October 26, Radio Survivor – (California) FCC issues $10,000 forfeiture order to Pirate Cat Radio founder. On October 21, the Federal Communications Commission (FCC) posted a notice that a forfeiture order for $10,000 was issued to the founder of Pirate Cat Radio for "willfully and repeatedly violating section 301 of the Communications Act of 1934 … by operating an unlicensed radio broadcast station" in San Francisco. The letter is a follow-up to an earlier Notice of Apparent Liability for Forfeiture that was issued to the man August 31, 2009. He responded to that notice October 23, 2009, and claimed he was not involved with the broadcast transmissions of Pirate Cat Radio and that he additionally was "financially unable" to pay the $10,000 fine. The October 21 forfeiture letter from the FCC discounts his arguments and reiterates the FCC's finding that Pirate Cat Radio "operated a radio broadcast station without a license issued by the FCC on 87.9 MHz in San Francisco, California." Source: http://www.radiosurvivor.com/2011/10/26/fcc-issues-10000-forfeiture-order-to-pirate-cat-radio-founder/

Thursday, October 27, 2011

Complete DHS Daily Report for October 27, 2011

Daily Report

Top Stories

• A federal audit released October 24 found 32 computer network vulnerabilities at Department of Energy facilities, and that security problems had increased by 60 percent in 2011. – eWeek.com (See item 33)

33. October 26, eWeek.com – (National) U.S. Energy Department networks' weak security invite cyber-attacks: audit. According to an inspector general report released October 24, the U.S. Department of Energy (DoE) continued to have serious network security issues for the second year in a row and is regularly hit by cyber-attackers, costing the federal government over $2 million. An annual review of the Department of Energy's unclassified networks revealed a number of security issues, including weak access controls, improper patching strategy, and poor employee training, according to a report from the department's inspector general. Tests at 25 DoE facilities, including headquarters, revealed 32 previously unidentified vulnerabilities. The audit also found that security problems had increased by 60 percent in 2011 on DoE computer networks, compared to the number found during the 2010 audit. Only 11 out of the 35 issues identified in the 2010 report had been addressed, the report found. Source: http://www.eweek.com/c/a/Security/US-Energy-Department-Networks-Weak-Security-Invite-CyberAttacks-Audit-358273/?kc=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+RSS/eweeksecurity+(eWEEK+Security)&utm_content=Google+Reader

• Five active and three retired officers of the New York City Police Department were charged October 25 with conspiring to transport and distribute firearms and other stolen and counterfeit goods, according to federal authorities. – CNN (See item 40)

40. October 25, CNN – (New York) Feds: Current, former NYPD officers among 12 charged in criminal conspiracy. Five active and three retired officers of the New York City Police Department (NYPD) were among 12 people charged October 25 with conspiring to transport and distribute firearms and stolen goods, according to federal authorities. The defendants were charged in an alleged conspiracy to transport and distribute untraceable firearms across state lines and conspiracy to transport supposedly stolen and counterfeit goods, including cigarettes from Virginia and slot machines from Atlantic City, New Jersey. The criminal complaint accuses the defendants of participating in the illegal transportation of goods with a street value estimated at more than $1 million. The charges stem from an extensive undercover investigation that began in 2009, conducted by FBI and investigators from the NYPD's internal affairs bureau, a U.S. attorney said October 25. The investigation included a confidential informant, undercover law enforcement officers, surveillance, and telephone taps, according to court documents. The criminal complaint alleges the lead defendant met the confidential informant in 2009 and brought several of his fellow officers into the conspiracy to pull off various illegal schemes. According to the charges filed October 25, the defendants were engaged in the theft and transport of more than 200 cases of cigarettes from tractor-trailers in Virginia. The cigarettes were valued at over $500,000. Some defendants, authorities allege, helped undercover agents break into the trailers, some transported the illegal goods, and some helped sell them in New York. Authorities said undercover agents contacted the lead defendant on two separate occasions about the transport of purportedly stolen slot machines from Atlantic City to Port Chester, New York. Defendants traveled to pick up the stolen goods and drove the vans carrying the slot machines or acted as a security entourage. In the case of the firearms, court documents say defendants drove the guns, and cigarettes, in rented vans and personal vehicles into New York from New Jersey. Many weapons had the serial numbers altered or scraped off, rendering them untraceable. According to the complaint, as the lead defendant drove his personal vehicle into New York with two bags full of firearms, his NYPD jacket was displayed in the window of his vehicle. Source: http://www.cnn.com/2011/10/25/justice/new-york-cops-charged/index.html?hpt=ju_c2

Details

Banking and Finance Sector

13. October 26, Washington Post – (International) U.S. trying to seize more than $70M from dictator’s son over alleged corruption. U.S. Department of Justice (DOJ) officials announced October 25 they are trying to seize more than $70 million in assets — including a Malibu, California mansion — owned by the playboy son of the dictator of Equatorial Guinea. Prosecutors filed civil forfeiture complaints and moved to seize valuables, including a 2011 Ferrari 599 GTO worth $533,000, collectibles and clothing valued at $1.8 million, a $38.5 million Gulfstream G-V business jet, and a house purchased for $30 million on 12 acres of property. In complaints filed or unsealed October 25, prosecutors alleged the dictator's son used his position as a government minister to plunder more than $100 million from the African nation through “extortion, misappropriation, embezzlement, or theft of public funds.” The action is the largest effort to date by the DOJ’s Kleptocracy Asset Recovery Initiative, created this year to target and recover the proceeds of foreign corruption laundered through the United States. The Equatorial Guinea matter was exposed by the U.S. Senate Permanent Subcommittee on Investigations, which in 2004 found Riggs Bank in Washington D.C. held millions of dollars in laundered Equatorial Guinea assets. Riggs pleaded guilty in 2005 to failing to report suspicious transactions and was fined $16 million. Source: http://www.washingtonpost.com/politics/us-trying-to-seize-more-than-70m-from-dictators-son-over-alleged-corruption/2011/10/25/gIQAYknmIM_story.html

14. October 26, Sacramento Bee – (California) Prosecutors target dozens in Sacramento-area mortgage fraud probe. Federal law enforcement officials are conducting a wide-ranging mortgage fraud investigation targeting dozens of members of the local Russian-American community in the Sacramento, California area. Since May, federal grand juries have charged 19 Sacramento-area residents in three separate indictments for allegedly defrauding lenders of more than $12 million. The latest round of indictments was unsealed October 25, and federal prosecutors said they expect to seek many more in the coming months. The U.S. attorney's office has been working with the FBI and the Internal Revenue Service's criminal division for more than a year. One of the targets has been indicted twice since May 2011. In a seven-count indictment unsealed October 25, a federal grand jury charged that woman, a 41-year-old of Rancho Cordova, a 40-year-old of Sacramento, and a 32-year-old of Sacramento on mail fraud and bank fraud charges. All four pleaded not guilty. The indictment alleges one of the defendants, a loan officer with a local mortgage lender, recruited one of the co-defendants to purchase two homes in Antelope in 2006 by using false information about the co-defendant's occupation and income. Another of the co-defendants, meanwhile, received $100,000 to pay off a phony second mortgage on one of the Antelope homes, the indictment said. If convicted, the defendants face up to 20 years in prison for each mail fraud charge and 30 years for each bank fraud charge. One of the defendants faces similar fraud charges stemming from a May federal grand jury indictment that alleged his sisters were part of a mortgage fraud ring that obtained more than $16.3 million to purchase 14 properties in the Sacramento area between 2006 and 2007. The homes later went into foreclosure, resulting in losses of about $9.6 million by several lenders, the grand jury said. Source: http://www.sacbee.com/2011/10/26/4006938/hed-here.html

15. October 26, U.S. Securities and Exchange Commission – (National) SEC files insider trading charges against Rajat Gupta. The Securities and Exchange Commission (SEC) October 26 charged the former McKinsey & Co. global head with insider trading for illegally tipping a convicted hedge fund manager while serving on the boards of Goldman Sachs and Procter & Gamble (P&G). The SEC first charged the hedge fund manager with insider trading in October 2009. According to the SEC's complaint filed in federal court in Manhattan, the defendant illegally tipped the hedge fund manager with insider information about the quarterly earnings of Goldman Sachs and P&G as well as an impending $5 billion investment in Goldman by Berkshire Hathaway at the height of the financial crisis. The hedge fund manager, the founder of Galleon Management who was recently convicted of multiple counts of insider trading in other securities stemming from unrelated insider trading schemes, allegedly caused various Galleon funds to trade based on the inside information, generating illicit profits or loss avoidance of more than $23 million. The SEC's complaint alleges the defendant provided his friend and business associate with confidential information learned during board calls and in other communications and meetings relating to his official duties as a director of Goldman and P&G. The hedge fund manager used the inside data to trade on behalf of certain Galleon funds, or shared the information with others at his firm who caused other Galleon funds to trade on it ahead of public announcements by the firms. The SEC had instituted an administrative proceeding against the defendant for the conduct alleged in the October 26 enforcement action, but later dismissed those proceedings while reserving the right to file an action against him in federal court. The SEC has now charged 29 defendants in its Galleon-related enforcement actions, which have alleged widespread and repeated insider trading at numerous hedge funds, including Galleon, and by other professional traders and corporate insiders in the securities of more than 15 companies. The insider trading generated illicit profits totaling more than $90 million. Source: http://www.sec.gov/news/press/2011/2011-223.htm

16. October 25, The Guardian – (International) Real IRA admits bomb attacks on Northern Ireland banks. The Real IRA has admitted bombing two banks in Northern Ireland as well as the UK City of Culture office in Derry, and has warned that it will continue to target economic interests. In a statement sent October 25 to the Guardian and laced with anti-capitalist rhetoric, the Real IRA said the bombings and future targeting of the banking system were its response to bankers' "greed" and were meant "to send out the message that while the Irish national and class struggles are distinct, they are not separate". The attacks and the language used to justify them appeared designed to tap into the widespread public loathing of banks on both sides of the Irish border. The republican dissident group was unapologetic about bombing the office of the UK City of Culture 2013 in Derry the week of October 17. In its most bellicose warning yet, the Real IRA said: "The IRA has recently carried out a number of bomb attacks on the banking establishment. Such attacks are an integral part of our strategy of targeting the financial infrastructure that supports the British government's capitalist colonial system in Ireland. The impetus to carry out this type of attack is directly linked to pressure from working-class communities in Ireland as a whole." In May 2011, masked men threw a bag containing a device into Santander's branch in Derry. In August 2011, a bomb was thrown into a Santander branch in Hill Street, Newry. A Real IRA bomb caused major damage to a branch of the Ulster Bank in Derry in 2010. The terror group attempted to link the banks to the Police Service of Northern Ireland. In September 2010, the Real IRA had issued a warning that banks and bankers could be targeted. Source: http://www.guardian.co.uk/uk/2011/oct/25/real-ira-admits-attacks-banks

17. October 25, United Nations Office on Drugs and Crime – (International) Illicit money: how much is out there. Criminals, especially drug traffickers, may have laundered around $1.6 trillion, or 2.7 percent of global gross domestic product, in 2009, according to a new report by the United Nations Office on Drugs and Crime. This figure is consistent with the 2 to 5 percent range previously established by the International Monetary Fund to estimate the scale of money-laundering. Source: http://www.unodc.org/unodc/en/frontpage/2011/October/illicit-money_-how-much-is-out-there.html?ref=fs1

18. October 25, Champaign-Urbana News-Gazette – (Illinois) Ex-financial adviser pleads guilty to mail fraud, money laundering. A former Urbana, Illinois investment adviser pleaded guilty October 25 to mail fraud and money laundering in connection with a fraud scheme that cost clients about $16 million. Appearing before a U.S. district judge in Peoria, the defendant admitted defrauding 11 victims, including companies and individuals, of about $16 million. Mail fraud carries a maximum penalty of 20 years in prison, while money laundering carries a maximum penalty of 10 years in prison. He could also be ordered to pay restitution to the victims. According to court documents and statements during the October 25 hearing, the defendant admitted he fraudulently transferred, liquidated, and removed mutual fund shares from clients' accounts for his own business and personal use. The actions took place between August 2006 and March 2011, when a telephone inquiry from an investment advisory company to the Champaign Police Department triggered an investigation. That investigation ended up involving the FBI, the Internal Revenue Service, the U.S. Postal Inspection Service, the Securities Department of the Illinois secretary of state's office, and the Champaign Police Department. The U.S. Securities and Exchange Commission filed civil charges against the former investment adviser in federal court earlier in 2011. Source: http://www.news-gazette.com/news/courts-police-and-fire/2011-10-25/ex-financial-adviser-pleads-guilty-mail-fraud-money-launderin

Information Technology Sector

43. October 26, Softpedia – (International) Report: spammers utilize more public URL shortening sites. The use of public URL shortening services makes it more difficult for anti-spam countermeasures to detect and block malicious messages sent by cyber masterminds in their effort to take over digital assets, according to a Symantec Intelligence Report cited by Softpedia October 26. Even though the report's figures show a decrease in spam, the messages are more sophisticated because of spammers' use of shortened URLs. "Spammers are using free, open source URL shortening scripts to operate these sites," the report stated. "After creating many shortened URLs with their own service, the spammers then send spam including these URLs. These particular spammers use subjects designed to attract attention, like 'It's a long time since I saw you last!', 'It's a good thing you came' and so on." Source: http://news.softpedia.com/news/Report-Spammers-Utilize-More-Public-URL-Shortening-Sites-230074.shtml

44. October 26, The Register – (International) Worm wriggles through year-old flaw, builds zombie-net. A new worm is turning servers running older versions of the JBoss Application Server into botnet drones, The Register reported October 26. The malware behind the attack is significant because it targets servers rather than PCs, and because it relies on exploiting a vulnerability that is more than a year old – a flaw in JBoss Application Server patched by Red Hat in April 2010 – to attack new machines. The worm's payload includes a variety of Perl scripts, including one that builds a back door on compromised machines. Source: http://www.theregister.co.uk/2011/10/26/jboss_worm/

45. October 26, Softpedia – (International) Andromeda bot hides behind Facebook comments. A code fragment from a threat discovered starting its mission on social media networks is suspected to belong to a new bot called Andromeda that is very similar to ZeuS and SpyEye, Softpedia reported October 26. The infection process begins with an innocent-looking comment that hides a page urging the user to click on another link. Once the second link is clicked, the victim is directed to malicious content that loads an iframe referencing a server that hosts a variant of the BlackHole exploit kit. The exploit server then probes the browser for vulnerabilities until it can find a way to get in. The final payload is a worm known as Worm:Win32/Gamarue.A that is suspected to be part of Andromeda. Gamarue.A is known to spread easily by copying itself to removable or network drives. Source: http://news.softpedia.com/news/Andromeda-Bot-Hides-Behind-Facebook-Comments-230195.shtml

46. October 25, IDG News Service – (International) Exploit-powered Android Trojan uses update attack. IDG News Service reported October 25 a new variant of the DroidKungFu Android Trojan is posing as a legitimate application update to infect handsets, according to security researchers from F-Secure. Distributing Android malware as updates is a new tactic first seen in July. The primary method of infecting handsets continues to be bundling of Trojans with legitimate applications; however, the resulting apps are easy to spot because of the extensive permissions they request at installation time. According to security researchers, the new update-based attacks can have a higher success rate than "Trojanizing" apps, because users don't tend to question the legitimacy of updates for already-installed software. Source: http://www.networkworld.com/news/2011/102511-exploit-powered-android-trojan-uses-update-252374.html?source=nww_rss

47. October 24, Help Net Security – (International) New mass SQL injection attack making rounds. Help Net Security reported October 24 there is another mass SQL injection attack making its rounds on the Web called "jjghui", referring to the Web site it redirects traffic to. The latest attack is yet another play on using SQL injection to inject malicious JavaScript in ASP.NET Web sites. So far, a Google search shows 180,000 pages have already been infiltrated. The attack appears to be targeting smaller sites that lack personnel with the skills and security awareness of larger and more well-known sites. The attack methodology is the same type that has been used many times before on a massive scale, according to researchers. Legitimate Web sites execute malicious script code from jjghui.com and infect a user's machine with malware that recruits it into a botnet. Attackers can also load payloads such as keyloggers and trojans onto compromised computers. Source: http://www.net-security.org/article.php?id=1641&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader

For more stories, see items 33 above in the Top Stories and 48 & 49 below in the Communications Sector

Communications Sector

48. October 26, Bangor Daily News – (Northeast) Time Warner service restored after outages hit New England. An outage October 26 disrupted Time Warner’s high-speed Internet and digital telephone service throughout the Northeast during the morning, but service was restored in an hour. A Time Warner spokesman said the outage, which occurred at 8:40 a.m., affected service in the Northeast, including all phone and Internet customers in New England. He said service was restored at 9:40 a.m. Time Warner engineers were investigating the cause of the outage. Source: http://bangordailynews.com/2011/10/26/business/time-warner-customers-seeing-outages-throughout-new-england/

49. October 26, CNET – (National) Anonymous threatens Fox News Web site over Occupy coverage. Anonymous plans to take down the Fox News Web site on November 5, according to a new video apparently released by the hacker group. The group said it is targeting the network for what it called biased news coverage of the Occupy Wall Street protests occurring in cities across the country. The group had earlier vowed to take down Facebook November 5 as well, although there was some question about the credibility of that threat within Anonymous. Hackers aligned with the group have succeeded in releasing personal information about a former Citigroup and Goldman Sachs executive, as well as the CEOs of Citigroup, JP Morgan Chase, and Goldman Sachs. They also released information on a New York police officer accused of unprovoked and excessive use of pepper spray on people at the protests, which began September 17 in New York. Source: http://news.cnet.com/8301-1009_3-20125628-83/anonymous-threatens-fox-news-web-site-over-occupy-coverage/?part=rss&subj=news&tag=2547-1_3-0-20

50. October 25, Charleston Gazette – (West Virginia) Six arrested in Logan County copper thefts. West Virginia State Police arrested six people October 25 after an investigation found they allegedly stole copper from Frontier Communications in Logan County, West Virginia. They were each charged with 14 counts of grand larceny, 14 counts of transferring and receiving stolen property, 14 counts of destruction of property, 14 counts of destruction of public utility property, and 14 counts of conspiracy. Police are looking for two other people in connection with the thefts, a news release said. The thefts caused more than $100,000 worth of damage and outages for Frontier customers, police said. Source: http://wvgazette.com/News/201110250224

51. October 25, Radio World – (Florida) Two alleged pirates in Florida are fined. The Federal Communications Commission (FCC) announced two fines October 25 in cases involving illegal radio operators in Florida. It issued a $10,000 notice of apparent liability (NAL) to a man for running a transmitter on 90.7 MHz in Miami. Agents detected signals on three separate occasions this winter and spring. In April, it inspected the station after Miami police executed a search warrant and secured the residence. The commission said the man was actively marketing “Lady Luck Radio,” using it to cross-promote other businesses including a club called the ”Lady Luck Social Club” and providing commercial spots under the guise of a legitimate commercial radio station. In a separate case, the FCC issued a NAL for $15,000 to another man for allegedly running an unlicensed transmitter on 95.1 MHz in Lake Park, Florida. In that case, the commission sourced signals in December 2010 and July 2011 to his residence. It said that when agents visited in July, he admitted to operating the station. The commission increased the usual fine here, it said, because its Miami office had hand-delivered a Notice of Unlicensed Operation to him for operation on the same frequency in the spring of 2007. Source: http://www.rwonline.com/article/two-alleged-pirates-in-florida-are-fined/24669

For another story, see item 46 above in the Information Technology Sector

October 27, 2011

Daily Report

Top Stories

• A federal audit released October 24 found 32 computer network vulnerabilities at Department of Energy facilities, and that security problems had increased by 60 percent in 2011. – eWeek.com (See item 33)

33. October 26, eWeek.com – (National) U.S. Energy Department networks' weak security invite cyber-attacks: audit. According to an inspector general report released October 24, the U.S. Department of Energy (DoE) continued to have serious network security issues for the second year in a row and is regularly hit by cyber-attackers, costing the federal government over $2 million. An annual review of the Department of Energy's unclassified networks revealed a number of security issues, including weak access controls, improper patching strategy, and poor employee training, according to a report from the department's inspector general. Tests at 25 DoE facilities, including headquarters, revealed 32 previously unidentified vulnerabilities. The audit also found that security problems had increased by 60 percent in 2011 on DoE computer networks, compared to the number found during the 2010 audit. Only 11 out of the 35 issues identified in the 2010 report had been addressed, the report found. Source: http://www.eweek.com/c/a/Security/US-Energy-Department-Networks-Weak-Security-Invite-CyberAttacks-Audit-358273/?kc=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+RSS/eweeksecurity+(eWEEK+Security)&utm_content=Google+Reader

• Five active and three retired officers of the New York City Police Department were charged October 25 with conspiring to transport and distribute firearms and other stolen and counterfeit goods, according to federal authorities. – CNN (See item 40)

40. October 25, CNN – (New York) Feds: Current, former NYPD officers among 12 charged in criminal conspiracy. Five active and three retired officers of the New York City Police Department (NYPD) were among 12 people charged October 25 with conspiring to transport and distribute firearms and stolen goods, according to federal authorities. The defendants were charged in an alleged conspiracy to transport and distribute untraceable firearms across state lines and conspiracy to transport supposedly stolen and counterfeit goods, including cigarettes from Virginia and slot machines from Atlantic City, New Jersey. The criminal complaint accuses the defendants of participating in the illegal transportation of goods with a street value estimated at more than $1 million. The charges stem from an extensive undercover investigation that began in 2009, conducted by FBI and investigators from the NYPD's internal affairs bureau, a U.S. attorney said October 25. The investigation included a confidential informant, undercover law enforcement officers, surveillance, and telephone taps, according to court documents. The criminal complaint alleges the lead defendant met the confidential informant in 2009 and brought several of his fellow officers into the conspiracy to pull off various illegal schemes. According to the charges filed October 25, the defendants were engaged in the theft and transport of more than 200 cases of cigarettes from tractor-trailers in Virginia. The cigarettes were valued at over $500,000. Some defendants, authorities allege, helped undercover agents break into the trailers, some transported the illegal goods, and some helped sell them in New York. Authorities said undercover agents contacted the lead defendant on two separate occasions about the transport of purportedly stolen slot machines from Atlantic City to Port Chester, New York. 
Defendants traveled to pick up the stolen goods and drove the vans carrying the slot machines or acted as a security entourage. In the case of the firearms, court documents say defendants drove the guns and cigarettes in rented vans and personal vehicles into New York from New Jersey. Many weapons had the serial numbers altered or scraped off, rendering them untraceable. According to the complaint, as the lead defendant drove his personal vehicle into New York with two bags full of firearms, his NYPD jacket was displayed in the window of his vehicle. Source: http://www.cnn.com/2011/10/25/justice/new-york-cops-charged/index.html?hpt=ju_c2

Details

Banking and Finance Sector

13. October 26, Washington Post – (International) U.S. trying to seize more than $70M from dictator’s son over alleged corruption. U.S. Department of Justice (DOJ) officials announced October 25 they are trying to seize more than $70 million in assets — including a Malibu, California mansion — owned by the playboy son of the dictator of Equatorial Guinea. Prosecutors filed civil forfeiture complaints and moved to seize valuables, including a 2011 Ferrari 599 GTO worth $533,000, collectibles and clothing valued at $1.8 million, a $38.5 million Gulfstream G-V business jet, and a house purchased for $30 million on 12 acres of property. In complaints filed or unsealed October 25, prosecutors alleged the dictator's son used his position as a government minister to plunder more than $100 million from the African nation through “extortion, misappropriation, embezzlement, or theft of public funds.” The action is the largest effort to date by the DOJ’s Kleptocracy Asset Recovery Initiative, created this year to target and recover the proceeds of foreign corruption laundered through the United States. The Equatorial Guinea matter was exposed by the U.S. Senate Permanent Subcommittee on Investigations, which in 2004 found Riggs Bank in Washington D.C. held millions of dollars in laundered Equatorial Guinea assets. Riggs pleaded guilty in 2005 to failing to report suspicious transactions and was fined $16 million. Source: http://www.washingtonpost.com/politics/us-trying-to-seize-more-than-70m-from-dictators-son-over-alleged-corruption/2011/10/25/gIQAYknmIM_story.html

14. October 26, Sacramento Bee – (California) Prosecutors target dozens in Sacramento-area mortgage fraud probe. Federal law enforcement officials are conducting a wide-ranging mortgage fraud investigation targeting dozens of members of the local Russian-American community in the Sacramento, California area. Since May, federal grand juries have charged 19 Sacramento-area residents in three separate indictments for allegedly defrauding lenders of more than $12 million. The latest round of indictments was unsealed October 25, and federal prosecutors said they expect to seek many more in the coming months. The U.S. attorney's office has been working with the FBI and the Internal Revenue Service's criminal division for more than a year. One of the targets has been indicted twice since May 2011. In a seven-count indictment unsealed October 25, a federal grand jury charged that woman, a 41-year-old of Rancho Cordova, a 40-year-old of Sacramento, and a 32-year-old of Sacramento with mail fraud and bank fraud. All four pleaded not guilty. The indictment alleges one of the defendants, a loan officer with a local mortgage lender, recruited one of the co-defendants to purchase two homes in Antelope in 2006 by using false information about the co-defendant's occupation and income. Another of the co-defendants, meanwhile, received $100,000 to pay off a phony second mortgage on one of the Antelope homes, the indictment said. If convicted, the defendants face up to 20 years in prison for each mail fraud charge and 30 years for each bank fraud charge. One of the defendants faces similar fraud charges stemming from a May federal grand jury indictment that alleged his sisters were part of a mortgage fraud ring that obtained more than $16.3 million to purchase 14 properties in the Sacramento area between 2006 and 2007. The homes later went into foreclosure, resulting in losses of about $9.6 million by several lenders, the grand jury said. 
Source: http://www.sacbee.com/2011/10/26/4006938/hed-here.html

15. October 26, U.S. Securities and Exchange Commission – (National) SEC files insider trading charges against Rajat Gupta. The Securities and Exchange Commission (SEC) October 26 charged the former McKinsey & Co. global head with insider trading for illegally tipping a convicted hedge fund manager while serving on the boards of Goldman Sachs and Procter & Gamble (P&G). The SEC first charged the hedge fund manager with insider trading in October 2009. According to the SEC’s complaint filed in federal court in Manhattan, the defendant illegally tipped the hedge fund manager with insider information about the quarterly earnings of Goldman Sachs and P&G as well as an impending $5 billion investment in Goldman by Berkshire Hathaway at the height of the financial crisis. The hedge fund manager, the founder of Galleon Management who was recently convicted of multiple counts of insider trading in other securities stemming from unrelated insider trading schemes, allegedly caused various Galleon funds to trade based on the inside information, generating illicit profits or loss avoidance of more than $23 million. The SEC’s complaint alleges the defendant provided his friend and business associate with confidential information learned during board calls and in other communications and meetings relating to his official duties as a director of Goldman and P&G. The hedge fund manager used the inside data to trade on behalf of certain Galleon funds, or shared the information with others at his firm who caused other Galleon funds to trade on it ahead of public announcements by the firms. The SEC had instituted an administrative proceeding against the defendant for the conduct alleged in the October 26 enforcement action, but later dismissed those proceedings while reserving the right to file an action against him in federal court. 
The SEC has now charged 29 defendants in its Galleon-related enforcement actions, which have alleged widespread and repeated insider trading at numerous hedge funds, including Galleon, and by other professional traders and corporate insiders in the securities of more than 15 companies. The insider trading generated illicit profits totaling more than $90 million. Source: http://www.sec.gov/news/press/2011/2011-223.htm

16. October 25, The Guardian – (International) Real IRA admits bomb attacks on Northern Ireland banks. The Real IRA has admitted bombing two banks in Northern Ireland as well as the UK City of Culture office in Derry, and has warned that it will continue to target economic interests. In a statement sent October 25 to the Guardian and laced with anti-capitalist rhetoric, the Real IRA said the bombings and future targeting of the banking system were its response to bankers' "greed" and were meant "to send out the message that while the Irish national and class struggles are distinct, they are not separate". The attacks and the language used to justify them appeared designed to tap into the widespread public loathing of banks on both sides of the Irish border. The republican dissident group was unapologetic about bombing the office of the UK City of Culture 2013 in Derry the week of October 17. In its most bellicose warning yet, the Real IRA said: "The IRA has recently carried out a number of bomb attacks on the banking establishment. Such attacks are an integral part of our strategy of targeting the financial infrastructure that supports the British government's capitalist colonial system in Ireland. The impetus to carry out this type of attack is directly linked to pressure from working-class communities in Ireland as a whole." In May 2011, masked men threw a bag containing a device into Santander's branch in Derry. In August 2011, a bomb was thrown into a Santander branch in Hill Street, Newry. A Real IRA bomb caused major damage to a branch of the Ulster Bank in Derry in 2010. The terror group attempted to link the banks to the Police Service of Northern Ireland. In September 2010, the Real IRA had issued a warning that banks and bankers could be targeted. Source: http://www.guardian.co.uk/uk/2011/oct/25/real-ira-admits-attacks-banks

17. October 25, United Nations Office on Drugs and Crime – (International) Illicit money: how much is out there. Criminals, especially drug traffickers, may have laundered around $1.6 trillion, or 2.7 percent of global gross domestic product, in 2009, according to a new report by the United Nations Office on Drugs and Crime. This figure is consistent with the 2 to 5 percent range previously established by the International Monetary Fund to estimate the scale of money-laundering. Source: http://www.unodc.org/unodc/en/frontpage/2011/October/illicit-money_-how-much-is-out-there.html?ref=fs1

18. October 25, Champaign-Urbana News-Gazette – (Illinois) Ex-financial adviser pleads guilty to mail fraud, money laundering. A former Urbana, Illinois investment adviser pleaded guilty October 25 to mail fraud and money laundering in connection with a fraud scheme that cost clients about $16 million. Appearing before a U.S. district judge in Peoria, the defendant admitted defrauding 11 victims, including companies and individuals, of about $16 million. Mail fraud carries a maximum penalty of 20 years in prison, while money laundering carries a maximum penalty of 10 years in prison. He could also be ordered to pay restitution to the victims. According to court documents and statements during the October 25 hearing, the defendant admitted he fraudulently transferred, liquidated, and removed mutual fund shares from clients' accounts for his own business and personal use. The actions took place between August 2006 and March 2011, when a telephone inquiry from an investment advisory company to the Champaign Police Department triggered an investigation. That investigation ended up involving the FBI, the Internal Revenue Service, the U.S. Postal Inspection Service, the Securities Department of the Illinois secretary of state's office, and the Champaign Police Department. The U.S. Securities and Exchange Commission filed civil charges against the former investment adviser in federal court earlier in 2011. Source: http://www.news-gazette.com/news/courts-police-and-fire/2011-10-25/ex-financial-adviser-pleads-guilty-mail-fraud-money-launderin

Information Technology Sector

43. October 26, Softpedia – (International) Report: spammers utilize more public URL shortening sites. The use of public URL shortening services makes it more difficult for anti-spam countermeasures to detect and block malicious messages sent by cyber masterminds in their effort to take over digital assets, according to a Symantec Intelligence Report cited by Softpedia October 26. Even though the report's figures show a decrease in spam, the messages are more sophisticated because of spammers' use of shortened URLs. “Spammers are using free, open source URL shortening scripts to operate these sites," the report stated. "After creating many shortened URLs with their own service, the spammers then send spam including these URLs. These particular spammers use subjects designed to attract attention, like 'It's a long time since I saw you last!', 'It's a good thing you came' and so on." Source: http://news.softpedia.com/news/Report-Spammers-Utilize-More-Public-URL-Shortening-Sites-230074.shtml

44. October 26, The Register – (International) Worm wriggles through year-old flaw, builds zombie-net. A new worm is turning servers running older versions of the JBoss Application Server into botnet drones, The Register reported October 26. The malware behind the attack is significant because it targets servers rather than PCs, and because it relies on exploiting a vulnerability that is more than a year old, a flaw in JBoss Application Server patched by Red Hat in April 2010, to attack new machines. The worm's payload includes a variety of Perl scripts, including one that builds a back door on compromised machines. Source: http://www.theregister.co.uk/2011/10/26/jboss_worm/

45. October 26, Softpedia – (International) Andromeda bot hides behind Facebook comments. A code fragment from a threat first observed launching its campaign on social media networks is suspected to belong to a new bot called Andromeda that is very similar to ZeuS and SpyEye, Softpedia reported October 26. The infection process begins with an innocent-looking comment that links to a page urging the user to click on another link. Once the second link is clicked, the victim is directed to malicious content that loads an iframe referencing a server hosting a variant of the BlackHole exploit kit. The exploit server then probes the browser for vulnerabilities until it finds a way in. The final payload is a worm known as Worm:Win32/Gamarue.A, which is suspected to be part of Andromeda. Gamarue.A is known to spread easily by copying itself to removable or network drives. Source: http://news.softpedia.com/news/Andromeda-Bot-Hides-Behind-Facebook-Comments-230195.shtml

46. October 25, IDG News Service – (International) Exploit-powered Android Trojan uses update attack. IDG News Service reported October 25 a new variant of the DroidKungFu Android Trojan is posing as a legitimate application update to infect handsets, according to security researchers from F-Secure. Distributing Android malware as updates is a new tactic first seen in July. The primary method of infecting handsets continues to be bundling of Trojans with legitimate applications; however, the resulting apps are easy to spot because of the extensive permissions they request at installation time. According to security researchers, the new update-based attacks can have a higher success rate than "Trojanizing" apps, because users don't tend to question the legitimacy of updates for already-installed software. Source: http://www.networkworld.com/news/2011/102511-exploit-powered-android-trojan-uses-update-252374.html?source=nww_rss

47. October 24, Help Net Security – (International) New mass SQL injection attack making rounds. Help Net Security reported October 24 there is another mass SQL injection attack making its rounds on the Web called "jjghui", referring to the Web site it redirects traffic to. The latest attack is yet another play on using SQL injection to inject malicious JavaScript in ASP.NET Web sites. So far, a Google search shows 180,000 pages have already been infiltrated. The attack appears to be targeting smaller sites that lack personnel with the skills and security awareness of larger and more well-known sites. The attack methodology is the same type that has been used many times before on a massive scale, according to researchers. Legitimate Web sites execute malicious script code from jjghui.com and infect a user's machine with malware that recruits it into a botnet. Attackers can also load payloads such as keyloggers and trojans onto compromised computers. Source: http://www.net-security.org/article.php?id=1641&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader
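The campaign in item 47 works by writing JavaScript into database fields that ASP.NET pages later render, so one practical defender check is to inspect the stored data rather than the rendered pages. The following is an added example, not code from the report or from Help Net Security: it scans every text column of a database for remote script includes and reports any whose host is not on an allowlist. The database content is constructed for the demo (SQLite stands in for the SQL Server back end such sites typically use); only the jjghui.com domain comes from the item, and the script path is a placeholder.

```python
"""Scan text columns in a database for injected remote <script> tags.

Added example for the mass SQL injection item above; not code from the
report or from Help Net Security. The sample database is constructed for
the demo; only the jjghui.com domain comes from the item, the script path
is a placeholder.
"""
import re
import sqlite3
from typing import Iterable, List, Tuple

# A script tag that loads code from a remote host. Mass SQLi campaigns
# write such tags into every text column they can reach, so a hit in a
# field that should hold a product name is a strong indicator.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?\s*(?:https?:)?//([^/'\"\s>]+)",
    re.IGNORECASE,
)


def injected_script_hosts(value) -> List[str]:
    """Return the hostnames referenced by remote script tags in a value."""
    if not isinstance(value, str):
        return []
    return [m.group(1).lower() for m in SCRIPT_SRC_RE.finditer(value)]


def text_columns(conn: sqlite3.Connection, table: str) -> List[str]:
    """Names of the columns in table declared as text (or left untyped)."""
    cols = []
    for _cid, name, ctype, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
        if not ctype or "CHAR" in ctype.upper() or "TEXT" in ctype.upper():
            cols.append(name)
    return cols


def scan_database(conn: sqlite3.Connection,
                  allowed_hosts: Iterable[str] = ()) -> List[Tuple[str, str, int, str]]:
    """Return (table, column, rowid, host) for each remote script reference
    whose host is not on the allowlist. Inline scripts without a src are
    not reported; the campaign in the item relies on remote includes."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for col in text_columns(conn, table):
            # Cheap pre-filter in SQL, exact matching in Python.
            rows = conn.execute(
                f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?',
                ("%<script%",))
            for rowid, value in rows:
                for host in injected_script_hosts(value):
                    if host not in allowed:
                        findings.append((table, col, rowid, host))
    return findings


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data: one clean row, one injected row, and one
    row that legitimately includes a script from the site's own CDN."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products (name, description) VALUES (?, ?)", [
        ("Widget", "A plain product description."),
        # Shape seen in mass SQLi campaigns: close the current tag, then append
        # a remote script. The path is a placeholder; the domain is from the item.
        ("Gadget", 'Ships fast.</title><script src="http://jjghui.com/PLACEHOLDER.js"></script>'),
        ("Doohickey", 'Demo: <script src="https://cdn.example.com/app.js"></script>'),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for table, col, rowid, host in scan_database(db, allowed_hosts=["cdn.example.com"]):
        print(f"{table}.{col} rowid={rowid}: remote script from {host}")
```

Run against the constructed data, the scan flags only the jjghui.com include in row 2 of `products.description`; the CDN include is skipped because its host is allowlisted. On a real site the same scan, pointed at the production database, tells you which rows to clean, while the fix that stops the next round is parameterized queries in the ASP.NET code that built those rows.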

For more stories, see item 33 above in the Top Stories and items 48 & 49 below in the Communications Sector

Communications Sector

48. October 26, Bangor Daily News – (Northeast) Time Warner service restored after outages hit New England. An outage October 26 disrupted Time Warner’s high-speed Internet and digital telephone service throughout the Northeast during the morning, but service was restored in an hour. A Time Warner spokesman said the outage, which occurred at 8:40 a.m., affected service in the Northeast, including all phone and Internet customers in New England. He said service was restored at 9:40 a.m. Time Warner engineers were investigating the cause of the outage. Source: http://bangordailynews.com/2011/10/26/business/time-warner-customers-seeing-outages-throughout-new-england/

49. October 26, CNET – (National) Anonymous threatens Fox News Web site over Occupy coverage. Anonymous plans to take down the Fox News Web site on November 5, according to a new video apparently released by the hacker group. The group said it is targeting the network for what it called biased news coverage of the Occupy Wall Street protests occurring in cities across the country. The group had earlier vowed to take down Facebook November 5 as well, although there was some question about the credibility of that threat within Anonymous. Hackers aligned with the group have succeeded in releasing personal information about a former Citigroup and Goldman Sachs executive, as well as the CEOs of Citigroup, JP Morgan Chase, and Goldman Sachs. They also released information on a New York police officer accused of unprovoked and excessive use of pepper spray on people at the protests, which began September 17 in New York. Source: http://news.cnet.com/8301-1009_3-20125628-83/anonymous-threatens-fox-news-web-site-over-occupy-coverage/?part=rss&subj=news&tag=2547-1_3-0-20

50. October 25, Charleston Gazette – (West Virginia) Six arrested in Logan County copper thefts. West Virginia State Police arrested six people October 25 after an investigation found they allegedly stole copper from Frontier Communications in Logan County, West Virginia. They were each charged with 14 counts of grand larceny, 14 counts of transferring and receiving stolen property, 14 counts of destruction of property, 14 counts of destruction of public utility property, and 14 counts of conspiracy. Police are looking for two other people in connection with the thefts, a news release said. The thefts caused more than $100,000 worth of damage and outages for Frontier customers, police said. Source: http://wvgazette.com/News/201110250224

51. October 25, Radio World – (Florida) Two alleged pirates in Florida are fined. The Federal Communications Commission (FCC) announced two fines October 25 in cases involving illegal radio operators in Florida. It issued a $10,000 notice of apparent liability (NAL) to a man for running a transmitter on 90.7 MHz in Miami. Agents detected signals on three separate occasions this winter and spring. In April, it inspected the station after Miami police executed a search warrant and secured the residence. The commission said the man was actively marketing “Lady Luck Radio,” using it to cross-promote other businesses including a club called the “Lady Luck Social Club” and providing commercial spots under the guise of a legitimate commercial radio station. In a separate case, the FCC issued a NAL for $15,000 to another man for allegedly running an unlicensed transmitter on 95.1 MHz in Lake Park, Florida. In that case, the commission traced signals in December 2010 and July 2011 to his residence. It said that when agents visited in July, he admitted to operating the station. The commission increased the usual fine here, it said, because its Miami office had hand-delivered a Notice of Unlicensed Operation to him for operation on the same frequency in the spring of 2007. Source: http://www.rwonline.com/article/two-alleged-pirates-in-florida-are-fined/24669

For another story, see item 46 above in the Information Technology Sector