Monday, April 11, 2011

Complete DHS Daily Report for April 11, 2011

Daily Report

Top Stories

• KMOX 1120 reports two bank robbers and a police officer ended up being shot following a running gun battle that began after the suspects fired shots and left a bomb at a bank before fleeing. See item 10 below in the Banking and Finance Sector.

• According to Darkreading, personal information, including Social Security numbers and passport information, of thousands of US Airways pilots was leaked in a data breach. (See item 15)

15. April 7, Darkreading – (National) Thousands of US Airways pilots victims of possible insider data breach. The U.S. Airline Pilots Association (USAPA) said it has been working with the FBI for several months in the wake of a leak of personal information of 3,000 of the airline union’s pilots. A spokesman for US Airways April 7 declined to comment on specifics of the case, but confirmed that two-thirds of the airline’s pilots — 3,000 of its employees — were affected by the breach. US Airways is offering 12 months of LifeLock’s identity theft watch services to the pilots, he said. The USAPA, a union that represents 5,200 US Airways pilots, April 6 publicly expressed its frustration with the airline’s handling of the case. The USAPA said the airline recently revealed a management-level pilot leaked a database of US Airways pilot names, addresses, Social Security numbers, and possibly passport information to a third-party pilot group. A former chief pilot at the airline reportedly handed over the information in an Excel document in October 2009 to the group, called Leonidas, which represents pilots from what was once America West, now part of US Airways, according to a published report. The leak appears to be associated with a long-running labor dispute and bad blood between former America West pilots and their counterparts at US Airways. According to the USAPA, the group “has acted to disrupt the ongoing negotiations between USAPA and US Airways currently under the auspices of the National Mediation Board and undermine USAPA’s bargaining objectives.” Source:


Banking and Finance Sector

9. April 7, Bloomberg – (National) Ex-bond trader pleads guilty in $9 million trading scheme. A former bond trader pleaded guilty in New Jersey April 7, admitting he manipulated the prices of collateralized mortgage obligations (CMOs) to conceal trading losses, a U.S. attorney said in a statement. He worked at Crocker Securities, a broker-dealer that used the clearing services of Pershing LLC in Jersey City. He managed an account that “suffered significant trading losses” in 2004 that worsened through 2008, the U.S. attorney said. To conceal the losses, he entered fraudulent transactions to boost the price of CMOs to correspond to increasing losses in the Crocker trading accounts, the statement said. As a result of his fraudulent trading activity, the price of CMOs was inflated, and more than $9 million was lost when positions in the Crocker account had to be liquidated, the statement said. He faces as many as 20 years in prison, and is scheduled to be sentenced July 22. Source:

10. April 7, KMOX 1120 AM St. Louis – (Missouri) Police chase/gun battle leads to bomb scare in St. Louis. Two would-be bank robbers disguised as construction workers were shot by city police April 7, in a running gun battle that stretched from south St. Louis, Missouri, to the north side and ended with a bomb threat and controlled detonation of an explosive device the suspects were carrying. Authorities said one suspect was shot in the head and the neck and is hospitalized in critical condition; the other was hit in the hand. A police officer was also wounded, but his injuries are considered minor. The first bullet was fired inside the Pulaski Bank around 9:30 a.m. That is when police said the two suspects, dressed in construction gear including hard hats, entered the bank, pulled a weapon, and shot once into the ceiling to intimidate customers and staff. They also placed a grenade-like device on the teller counter and demanded money. Following the robbery of an undisclosed amount of cash, police said the suspects exited the bank, taking the device with them, and drove off in a green pickup truck. Officers spotted them and began a pursuit, during which the suspects fired at police from their vehicle. The chase ended in North St. Louis when the suspects hit a slower-moving car. Police officers rammed the suspects’ truck from behind, disabling the vehicle. At that point, a hail of gunfire erupted between the suspects and the police officers on the scene, ending with the suspects wounded and a police officer hit in the leg. The injured were extracted from the scene and taken to local hospitals, and a bomb and arson squad was called in to examine the grenade-like device used in the robbery, which was later detonated as a precaution. While there is no official confirmation yet, the suspects’ description matches the two men who robbed the Pulaski Bank branch at 10 Maryland Plaza in March. Source:

11. April 7, eWeek – (International) Chase Bank phish emails may be first post-Epsilon scam. The Better Business Bureau (BBB) warned April 6 that the first post-Epsilon phishing e-mails have been spotted. In this case, cyber-crooks are targeting bank customers with a phony warning and a malicious link. An e-mail purporting to be from Chase Bank that tells users their account will be deleted unless prompt action is taken is currently making the rounds. Users are encouraged to click on the link provided to get to the “profile page” to update their information. JPMorgan Chase was one of the companies affected by the recent Epsilon data breach. Epsilon, a large e-mail marketing services company, disclosed April 1 attackers had stolen customer e-mail addresses belonging to some of its clients. If the “Chase Bank” phish is really related to the Epsilon breach, and not just one of the many fake Chase e-mails seen in the past, it proves the attack on Epsilon was a well-thought-out attack, said the chief technology officer of Application Security. The attackers knew precisely who to go after and what the payoff would be. “Based on the BBB warning, they now appear to be acting very swiftly to carry out their specific phishing attempts,” he said. Source:

Information Technology

41. April 8, Reuters – (International) Power cuts halt north Japan plants following aftershock. Sony Corp., chip-maker Renesas, and Elpida Memory said April 8 production at some plants in northern Japan had been halted again after a major aftershock April 7 triggered power cuts. The stoppages are the latest blow to manufacturers, who had hoped to quickly restore supply chains after the devastating March 11 earthquake and tsunami savaged the region and halted distribution. Renesas, the world’s largest maker of microcontroller chips and a supplier to the auto industry, said four plants in northern Japan, including two microcontroller factories, were halted by the power blackout. A spokeswoman said it was not clear when manufacturing would resume, although power had been restored to one plant. Sony said production had been suspended at two plants in Miyagi prefecture. The two sites, which make optical devices and IC cards, resumed partial production at the end of March after the disaster. Elpida, the world’s number three maker of DRAM chips, said one factory in the northern prefecture of Akita had been halted by the outage. There had been no injuries or damage to equipment, and the plant would restart when power was restored, the company said on its Web site. Electronics conglomerate Toshiba said the power blackout affected a microcontroller chip plant in the northern prefecture of Iwate. It was not clear whether the quake would delay restart of this plant, which is scheduled for April 11, a company spokeswoman said. Electronics firm Panasonic Corp said it was reviewing the status of its northern Japan plants, all but one of which had resumed operations following the March disaster. Source:

42. April 8, Softpedia – (International) Anonymous suspends attacks against PlayStation Network. The Anonymous collective has suspended the distributed denial-of-service (DDoS) attacks against the PlayStation Network and other Sony online properties whose downtime might inconvenience gamers, Softpedia reported April 8. Anonymous launched a DDoS campaign against Sony in response to the company’s recent actions that involved suing two PlayStation 3 hackers. After an initial warning that slammed Sony for victimizing its own customers and violating the privacy of thousands, the group began attacking the company’s Web sites, including the PlayStation Network (PSN) and the PlayStation Store. Following complaints from gamers who could no longer play on official servers, the group has suspended the attacks and is re-evaluating its strategy. It may be difficult to find a method that only affects Sony and not its customers, but Anonymous claims to have plenty of options. The people who wrote the statement warn, however, that Anonymous is formed from smaller groups of people that can act together or separately, based on principles that are not necessarily accepted by the majority. This means that even if attacks against PSN have stopped for now, some Anonymous members who do not agree with this decision might take it upon themselves to continue them. Source:

43. April 8, Softpedia – (International) New Japan earthquake scams pop up. Security researchers warn about scams leveraging news of the earthquake that hit the northeast coast of Japan April 7, leading to renewed fears about the unstable situation at the Fukushima Daiichi nuclear plant. Cybercriminals did not miss the chance to capitalize on interest in the incident. Symantec reported Portuguese-language scam e-mails originating in Brazil were detected soon after the quake struck. Clicking the link in the message prompted users to download an executable file called XAR485849834(dot)exe, a banking trojan installer. Another rogue e-mail contained a link to a malware-spreading site. Relief scams in which people are asked to donate money for victims of the disaster have been circulating since the March 11 earthquake and tsunami. Toward the end of these messages, the scammer requests a donation in the form of a wire transfer payment through a popular service. Source:

44. April 7, Computerworld – (International) Epsilon a victim of spear-phishing attack, says report. The massive data breach at e-mail service provider Epsilon may have been caused by a targeted spear-phishing campaign the company should have known about for at least 4 months, Australian newspaper ITNews reported April 7. According to the Haymarket Media publication, Epsilon and Atlanta, Georgia-based Silverpop, another e-mail service provider that recently disclosed a breach, were victims of a series of social-engineering attacks directed specifically against e-mail service providers. ITNews reported Epsilon should have known about the threat at least since November 24, when Return Path, a company it uses for services such as tracking e-mail delivery, issued an alert about phishing attacks. The alert, issued by Return Path’s senior director of security strategy, warned of a “serious phishing attack” directed at e-mail service providers, direct mailers, and gaming sites. According to the note, phishing e-mails were targeted “100% at staff responsible for email operations” at more than 100 service providers. “These targets have received emails typically with content that mentions the staffer by name, and purports to be from a couple, presumably friends or co-workers,” he wrote in the alert. The phishing attacks were sent to targets from several different systems, including online greeting card sites, and via a botnet, he warned. The spam messages contained a link that took users to a malicious site from which malware would be downloaded to the user’s system. The malware associated with the phishing campaign included Win32(dot)BlkIC(dot)IMG, which disabled anti-virus software, a trojan keylogger called iStealer, which was used to steal passwords, and an administration tool called CyberGate, which is used to gain complete remote control of compromised systems, he said in the alert. Source:

45. April 7, Softpedia – (International) EFF reveals more bad digital certificate signing practices. The Electronic Frontier Foundation (EFF) warned that certification authorities (CAs) have signed tens of thousands of digital certificates for unqualified names, some of which even passed extended validation. The EFF, one of the leading digital rights watchdogs, reached this conclusion after analyzing data from its SSL Observatory project, which looks for weaknesses in the public key infrastructure (PKI). Digital certificates are used to establish encrypted connections and trust on the Internet, which makes them a vital part of security. The EFF warned that aside from hardcoding usernames and passwords in tools used by resellers and failing to perform proper checks for certificate requests received from them, CAs also sign unqualified names. In practice, there should be a single certificate per domain or subdomain. However, it turns out some CAs have signed certificates for names like “exchange”, “mail” or “wiki,” which cannot be accessed over the Internet and are sometimes used on local networks. Another name for which there are thousands of valid certificates in existence is “exchange” and variations of it, like “exchange01”, “exchange02” etc. But not only have CAs signed certificates for unqualified names, many of them signed multiple ones for the same host. In total, the EFF has counted 37,244 valid certificates that should not exist. A separate investigation performed in January uncovered 10 EV certificates of the same type. This represents a very serious abuse of trust, because EV stands for extended validation and these certificates are supposed to be issued after extensive identity checks. The main concern is that if any of these certs falls into the hands of attackers, they can be used to impersonate mail and other types of servers on networks that use those names internally. Source:
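The audit the EFF item describes, as an added example (not the EFF's or the SSL Observatory's own code): it scans a constructed list of certificate subject names, flags the ones that are not fully qualified public names, and counts how many certificates exist per such name and which of them are EV. The list of private-use top labels (`local`, `corp`, ...) is an assumed heuristic, not something the article states.

```python
"""Flag certificates issued for unqualified or non-public host names."""
from collections import Counter

# Assumed heuristic: top labels that never resolve on the public Internet.
PRIVATE_TOP_LABELS = {"local", "lan", "corp", "internal", "localdomain", "home"}


def is_unqualified(name: str) -> bool:
    """True for a single DNS label ('exchange', 'mail01'), an IP literal, or a
    name whose top label is a private-use suffix. Such names can only be
    reached on a local network, so a public CA should never certify them."""
    name = name.strip().lower().rstrip(".")
    if name.startswith("*."):        # wildcard: judge the base name
        name = name[2:]
    labels = name.split(".")
    if len(labels) < 2:
        return True
    top = labels[-1]
    return top.isdigit() or top in PRIVATE_TOP_LABELS


def audit(certs):
    """certs: iterable of (subject_name, is_ev) pairs.
    Returns per-name counts of unqualified certs, the total, the names that
    were certified more than once, and the EV certificates among them."""
    unqualified = Counter()
    ev_offenders = []
    for subject, is_ev in certs:
        if is_unqualified(subject):
            key = subject.strip().lower()
            unqualified[key] += 1
            if is_ev:
                ev_offenders.append(key)
    return {
        "unqualified": unqualified,
        "total": sum(unqualified.values()),
        "duplicates": {n: c for n, c in unqualified.items() if c > 1},
        "ev_unqualified": ev_offenders,
    }


# Constructed sample of (subject name, extended validation) pairs.
SAMPLE_CERTS = [
    ("www.example.com", False),
    ("exchange", False),
    ("exchange", False),          # second cert for the same unqualified host
    ("exchange01", False),
    ("mail", True),               # unqualified name that passed EV
    ("wiki.example.org", False),
    ("*.example.net", False),
    ("mail.corp", False),
    ("192.168.1.10", False),
]

if __name__ == "__main__":
    report = audit(SAMPLE_CERTS)
    print(report["total"], "unqualified;", report["duplicates"], report["ev_unqualified"])
```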

46. April 7, Softpedia – (International) Serious vulnerability patched in popular DHCP software. The Internet Systems Consortium (ISC) has released an updated version of its Dynamic Host Configuration Protocol (DHCP) implementation to resolve a vulnerability that could allow attackers to execute arbitrary code remotely. ISC DHCP is the most widely used open source implementation of the Dynamic Host Configuration Protocol and is included by default in many Linux distributions. The vulnerability patched in the newly released ISC DHCP 3.1-ESV-R1, 4.1-ESV-R2, and 4.2.1-P1, affects the DHCP client component, dhclient. It is the result of failure to escape certain meta-characters encountered in DHCP responses. An attacker with control of the DHCP server could send malicious responses that would lead to remote code execution on the client. Identified as CVE-2011-0997, the vulnerability has a CVSS base score of 6.8 out of 10. ISC credits two researchers from the SUSE Security Team with reporting it. Source:
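The defensive check behind the dhclient fix, as an added example (not ISC's code or its patch): a client that hands DHCP option values to a shell script should validate them against the host-name grammar first and drop anything else, so meta-characters in a response from a hostile server never reach the shell. It assumes the options of interest are name-valued (host-name, domain-name, domain-search); the sample responses are constructed.

```python
"""Allowlist DHCP option strings before exporting them to a script."""
import re
import shlex
from typing import Optional

# RFC 1123 label: letters, digits, hyphens, 1-63 chars, no leading/trailing "-".
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
# Options whose value is a whitespace-separated list of names rather than one name.
_LIST_VALUED = {"domain-search"}


def is_valid_dns_name(value: str) -> bool:
    """Allowlist check: every dotted label matches the label grammar."""
    if not value or len(value) > 253:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def sanitize_option(name: str, value: str) -> Optional[str]:
    """Return the value unchanged if every name in it is valid, else None.
    The rejection message is the detection hook a defender keeps in logs."""
    names = value.split() if name in _LIST_VALUED else [value]
    if names and all(is_valid_dns_name(n) for n in names):
        return value
    print(f"rejected DHCP option {name!r}: value fails host-name grammar")
    return None


def export_for_script(options: dict) -> dict:
    """Build the environment a dhclient-style script would receive.
    Invalid values are dropped; survivors are shell-quoted as a second layer
    so that even a script using 'eval' cannot interpret them as code."""
    env = {}
    for name, value in options.items():
        clean = sanitize_option(name, value)
        if clean is not None:
            env["new_" + name.replace("-", "_")] = shlex.quote(clean)
    return env


# Constructed sample response: two benign values and one carrying meta-characters.
SAMPLE_OPTIONS = {
    "host-name": "workstation-07",
    "domain-name": "corp.example.net",
    "domain-search": "example.net; echo injected",   # constructed hostile value
}

if __name__ == "__main__":
    print(export_for_script(SAMPLE_OPTIONS))
```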

For another story, see item 11 above in the Banking and Finance Sector

Communications Sector

47. April 7, PC Magazine – (International) Elderly woman single-handedly shuts down Armenian internet. A 75-year-old woman from the Republic of Georgia shut down the Internet in neighboring Armenia for more than 12 hours last month when she sliced through a fiber optic cable while looking for scrap metal, according to Georgian officials. Nearly all of Armenia was without Internet access March 28, and customers of one of the largest Georgian Internet service providers, Caucasus Online, also lost access for nearly 5 hours, according to Bloomberg. The woman was arrested by Georgian authorities and charged with property damage, the news agency reported April 6. She was “temporarily released due to her old age” on the day of the incident, Bloomberg quoted the Georgian interior ministry spokesman as saying. The incident affected tens of thousands of residents and businesses in the two countries. Armenia’s three main ISPs — ArmenTel, FiberNet Communication, and GNC-Alfa — were all unable to provide service for hours, according to reports. Caucasus Online launched its $76 million fiber-optic link to Western European ISPs in 2008. A monitoring station in Western Europe detected the damage on the day of the incident, and immediately dispatched a security team to Georgia, where the woman was arrested, The Guardian reported April 7. Source: