Friday, May 27, 2011

Complete DHS Daily Report for May 27, 2011

Daily Report

Top Stories

• Citing a May 24 Los Angeles Times article, IDG news reports a Bank of America (BoA) insider sold customer data to criminals, costing the bank at least $10 million. See item 16 below in Banking and Finance.

• According to the Associated Press, a California high school chemistry teacher accused of helping students ingest chloroform was arrested again after investigators learned she kept nitroglycerin in her classroom. (See item 39)

39. May 25, Associated Press – (California) Calif. teacher re-arrested after explosives found. A 34-year-old chemistry teacher accused of helping students ingest chloroform was arrested again May 25 in Atwater, California, after investigators learned she might be storing an explosive-making material in her classroom. She was arrested at her home on suspicion of possessing an explosive device. Police took her to her classroom at Livingston High School, where she cooperated with detectives to find a small amount of nitroglycerin, a Livingston police sergeant said. Nitroglycerin is used as an active ingredient in the manufacture of explosives, especially dynamite. The teacher had been out on bail after she was arrested earlier the week of May 23 on suspicion of child endangerment. Authorities had accused her of helping three students at the school inhale chloroform during after-school study hall sessions. The three male students — ages 16, 17, and 18 — told investigators that they fell asleep or passed out after ingesting the chloroform, an anesthetic that can cause feelings of euphoria but in high levels can cause unconsciousness or even death. Police re-arrested the teacher after interviewing her and the students and finding documents in her classroom showing she might be storing explosive materials, the police sergeant said. When the nitroglycerin was found at about 2 p.m., about 1,100 students were evacuated for the day, and a hazardous material team and bomb squad were sent into the school. Investigators detonated the material in a field behind the school. Source:


Banking and Finance Sector

14. May 25, Reuters – (Ohio) FBI says mullet bandit holds up another bank. The Ohio bank robber dubbed the “mullet bandit” by federal authorities appears to have struck again May 25. The latest heist took place at a Key Bank branch on Stringtown Road in Grove City. The FBI said a man matching the physical description of the mullet-wearing suspect sought in two previous holdups walked into the bank and handed a teller a note, saying he was robbing the bank, had a gun, and would hurt the teller if she did not cooperate. The robber was dressed in the mullet bandit’s garb, including Seattle Mariners baseball cap, and large dark sunglasses. He is wanted in connection with two previous bank robberies May 18 and May 5 in Columbus. Source:

15. May 25, Associated Press – (Idaho) Broker reaches plea deal in E. Idaho fraud case. Federal prosecutors reached a plea agreement May 25 with a former Idaho Falls, Idaho investor accused of duping clients out of millions of dollars in a Ponzi scheme. KPVI 6 Pocatello reported the man agreed to plead guilty to one count of wire fraud and one count of money laundering. Prosecutors filed the charges against the man during the week of May 16, culminating a 2-year FBI investigation. The man has already been ordered to pay about $90 million in restitution and fines. Investigators accused him of operating a Ponzi scheme through his company Trigon Group that fraudulently took more than $76 million from 68 separate investors. Source:

16. May 25, IDG News – (National) Insider data theft costs Bank of America $10 million. A Bank of America (BoA) insider who sold customer data to criminals cost the bank at least $10 million in losses, the Los Angeles Times reported May 24. BoA began notifying customers of the incident recently, but is not providing many details of the case which is still under investigation. The theft, “involved a now former associate who provided customer information to people outside the bank, who then used the information to commit fraud against our customers,” said a BoA spokeswoman in an e-mail message. About 95 members of the loosely affiliated criminal gang behind the alleged fraud, including the bank employee, were swept up in a February 2011 law enforcement action, a special agent with U.S. Secret Service in Los Angeles, California, said. The scammers stole “names, addresses, Social Security numbers, phone numbers, bank account numbers, driver’s license numbers, birth dates, e-mail addresses, mother’s maiden names, PINs and account balances.” It is not clear how many bank customers were actually affected by the fraud. Los Angeles Times quoted a BoA spokeswoman as saying there were “about 300” victims, located in the western United States. She would not confirm that this number was accurate May 25, and she would not say how many notification letters BoA sent out. Source:

17. May 25, Federal Bureau of Investigation – (Florida; Connecticut) Stratford man admits structuring more than $943,000 in cash transactions. A 54-year-old Stratford, Connecticut man pleaded guilty May 25 in Bridgeport to one count of illegally structuring cash transactions. Structuring involves the repeated depositing or withdrawal of amounts of cash less than the $10,000 limit, or the splitting of a cash transaction that exceeds $10,000 into smaller cash transactions to avoid federal reporting requirements. According to court documents and statements, the man made more than 70 large cash deposits into his savings account, and more than 30 large cash payments to his personal line of credit account between May 2006 and October 2009. The vast majority of the cash transactions were in the amount of $9,000, and none exceeded $10,000. In total, the man structured about $943,000 in cash deposits and line of credit payments. He used the funds to buy properties in Connecticut and Florida. He also used more than $270,000 to settle a business dispute with his former partner. He faces a maximum term of imprisonment of 10 years, and a fine of up to $500,000. He also has agreed to forfeit about $388,540 to the government. Source:
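Structuring, as described in item 17, is a pattern rather than a single transaction: many cash deposits that each sit just under the $10,000 reporting threshold. The block below is an added example, not from the report or from any bank's monitoring system, showing how a compliance team might flag that pattern over a ledger. The ledger rows, the 85 percent "just under" band, the 30-day window, and the three-deposit minimum are all constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample ledger (not real data): (account, date, cash amount in dollars)
SAMPLE_DEPOSITS = [
    ("ACCT-1", date(2011, 5, 2), 9000),
    ("ACCT-1", date(2011, 5, 5), 9000),
    ("ACCT-1", date(2011, 5, 9), 9000),
    ("ACCT-1", date(2011, 5, 12), 9500),
    ("ACCT-2", date(2011, 5, 3), 12000),   # over the threshold: a report is filed, not structuring
    ("ACCT-2", date(2011, 5, 20), 400),
    ("ACCT-3", date(2011, 5, 4), 9900),
    ("ACCT-3", date(2011, 6, 30), 9900),   # two deposits, too far apart to share a window
]

CTR_THRESHOLD = 10_000   # the federal cash reporting threshold named in the report
NEAR_BAND = 0.85         # assumption: >= 85% of the threshold but below it counts as "just under"


def is_just_under(amount, threshold=CTR_THRESHOLD, band=NEAR_BAND):
    """True for amounts that avoid the report by a small margin."""
    return threshold * band <= amount < threshold


def find_structuring(deposits, window_days=30, min_count=3,
                     threshold=CTR_THRESHOLD, band=NEAR_BAND):
    """Return {account: (window_start, window_end, total)} for accounts with at least
    min_count just-under-threshold deposits inside a rolling window of window_days,
    where the window's combined total is itself above the threshold.  The last
    qualifying window seen for an account is the one reported."""
    by_account = defaultdict(list)
    for acct, day, amount in deposits:
        if is_just_under(amount, threshold, band):
            by_account[acct].append((day, amount))

    alerts = {}
    for acct, rows in by_account.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # slide the window start forward until it spans at most window_days
            while rows[end][0] - rows[start][0] > timedelta(days=window_days):
                start += 1
            window = rows[start:end + 1]
            total = sum(amount for _, amount in window)
            if len(window) >= min_count and total >= threshold:
                alerts[acct] = (rows[start][0], rows[end][0], total)
    return alerts


if __name__ == "__main__":
    for acct, (first, last, total) in find_structuring(SAMPLE_DEPOSITS).items():
        print(f"{acct}: {first} to {last}, ${total:,} in just-under deposits")
```

The band and window are tuning knobs: too tight a band misses deposits that vary in size, too wide a window inflates totals from unrelated activity. Only ACCT-1 in the constructed ledger trips the rule.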

18. May 25, San Luis Obispo Tribune – (California) A.G. woman stole $110,000 from bank, prosecutors say. FBI agents May 24 arrested an Arroyo Grande, California woman accused of stealing $110,000 from the local bank branch where she worked, according to federal prosecutors. The indictment accuses the suspect of stealing the money while working in 2010 at a branch of U.S. Bank in Arroyo Grande. It alleges she stole nearly $100,000 from two customers’ accounts, as well as $10,000 in cash from the bank’s vault. The investigation revealed she secretly accessed the bank’s computer system and changed the contact information for the accounts of two elderly customers at the bank, according to prosecutors. After changing the contact information, she then allegedly closed the accounts and took out cashier’s checks for the balance of each account. When one of the customers went to the bank and learned his account had been closed, she allegedly went into the bank’s vault and took $10,000 in cash. The indictment alleges she stole $50,907 February 24, 2010, $48,163 February 26, 2010, and $10,000 in cash from the bank vault June 7, 2010. Each count of theft by a bank employee carries a maximum penalty of 30 years in federal prison, and a fine of up to $1 million. Source:
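Item 18 describes a sequence a bank's own audit trail would record: an employee changes a customer's contact details, then closes the account and issues a cashier's check. The block below is an added example, not the bank's control or anything from the report, of a detection that correlates those two actions by the same employee within a short window and escalates when the pattern repeats across accounts. The log format, employee and customer identifiers, and the 14-day gap are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed audit-log lines (not from the report): timestamp|employee|action|account
SAMPLE_AUDIT_LOG = """\
2010-02-20T10:12:00|emp-0417|CONTACT_CHANGE|cust-A
2010-02-24T15:30:00|emp-0417|ACCOUNT_CLOSE|cust-A
2010-02-24T15:31:00|emp-0417|CASHIER_CHECK|cust-A
2010-02-25T09:00:00|emp-0417|CONTACT_CHANGE|cust-B
2010-02-26T11:45:00|emp-0417|ACCOUNT_CLOSE|cust-B
2010-03-01T09:00:00|emp-0102|CONTACT_CHANGE|cust-C
2010-05-15T14:00:00|emp-0102|ACCOUNT_CLOSE|cust-C
"""


def parse_audit_log(text):
    """Parse pipe-delimited audit lines into (time, employee, action, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, action, acct = line.split("|")
        events.append((datetime.fromisoformat(ts), emp, action, acct))
    return events


def find_change_then_close(events, max_gap_days=14):
    """Flag (employee, account, gap_days) where one employee closed an account within
    max_gap_days of changing that same account's contact details.  Silencing the
    customer's contact channel before emptying the account is the step that kept the
    victims in item 18 from being notified."""
    last_change = {}   # (employee, account) -> time of most recent contact change
    hits = []
    for when, emp, action, acct in sorted(events):
        key = (emp, acct)
        if action == "CONTACT_CHANGE":
            last_change[key] = when
        elif action == "ACCOUNT_CLOSE" and key in last_change:
            gap = when - last_change[key]
            if gap <= timedelta(days=max_gap_days):
                hits.append((emp, acct, gap.days))
    return hits


def employees_to_escalate(hits, min_accounts=2):
    """Escalate employees whose change-then-close pattern spans several accounts."""
    accounts_by_emp = {}
    for emp, acct, _ in hits:
        accounts_by_emp.setdefault(emp, set()).add(acct)
    return sorted(e for e, accts in accounts_by_emp.items() if len(accts) >= min_accounts)


if __name__ == "__main__":
    hits = find_change_then_close(parse_audit_log(SAMPLE_AUDIT_LOG))
    for emp, acct, days in hits:
        print(f"{emp} changed contact info and closed {acct} within {days} day(s)")
    print("escalate:", employees_to_escalate(hits))
```

A single hit can be a legitimate customer request handled end to end by one teller, which is why the escalation step looks for repetition; the 75-day gap for emp-0102 in the constructed log stays below the rule.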

19. May 23, eWeek – (International) Virus attack on Dow Jones network raises suspicion of insider malice. A computer virus hit Dow Jones’ corporate networks May 12, 2 days after 34 employees represented by the Independent Association of Publishers’ Employees (IAPE) were laid off, Adweek reported May 20. Most of the laid-off staff were part of the IT department. Dow Jones has not informed the union whether it suspects any “current or former employee” of any involvement in the malware incident, an IAPE spokesperson told eWeek. However, the IAPE president said that was not likely as the virus was “complicated and intricate enough” that there was not enough time between when the layoffs occurred and when the infection began for the virus to be loaded. Dow Jones employees were informed via a companywide e-mail that its servers, network, and data were not compromised by the virus, but that it had slowed down infected computers, Adweek said. Employees also received numerous voicemail and e-mail messages to power down the computers until they could be cleaned. The virus had “morphed,” making antivirus software ineffective in detecting the infection. By May 18, the company had determined the virus was designed to steal credentials from banking sites, and directed employees not to use any banking sites for the time being. Source:

Information Technology

45. May 26, Softpedia – (International) Google patches Android session hijacking vulnerability server-side. Google has patched a security hole in its ClientLogin authentication protocol that allowed potential attackers to steal authentication tokens for several services. The week of May 16, researchers from the University of Ulm in Germany published a research paper that revealed that over 99 percent of Android smartphones were vulnerable to session hijacking attacks. This was because Google Calendar and Contacts sync operations were being performed over unencrypted connections. Just like with browsers and session cookies, sending authentication tokens over plain HTTP connections poses a lot of risks, especially when connected over open Wi-Fi hotspots. Attackers can capture the unencrypted traffic by mounting a so-called evil twin attack, where they duplicate the wireless network SSID, and extract the ClientLogin authentication tokens. The tokens remain valid for 14 days and allow attackers to download the victim’s calendar information and contact book. To mitigate this, Google made server-side changes that force all Android devices to use HTTPS connections when syncing calendar and contacts. Source:
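The weakness in item 45 is a bearer token sent over plain HTTP, and the fix was to force HTTPS. The block below is an added example, not Google's code or the researchers' tooling, of two defensive checks: a scan over proxy records that reports credential-bearing requests made without TLS (with the token value redacted in the finding), and a client-side guard that refuses to attach a credential to a cleartext URL at all. The request records, token strings and the list of headers treated as credentials are constructed assumptions; the `GoogleLogin auth=` header form is the ClientLogin convention the report refers to.

```python
from urllib.parse import urlsplit

# Constructed proxy records (not real traffic): the URL scheme tells us whether TLS was used
SAMPLE_REQUESTS = [
    {"url": "http://www.google.com/calendar/feeds/default/private/full",
     "headers": {"Authorization": "GoogleLogin auth=EXAMPLE_TOKEN_ONE"}},
    {"url": "https://www.google.com/m8/feeds/contacts/default/full",
     "headers": {"Authorization": "GoogleLogin auth=EXAMPLE_TOKEN_TWO"}},
    {"url": "http://example.com/static/logo.png", "headers": {}},
    {"url": "http://example.com/feed", "headers": {"Cookie": "SID=EXAMPLE_COOKIE"}},
]

# Header names treated as secrets (assumption for the example; extend for your environment)
CREDENTIAL_HEADERS = ("authorization", "cookie", "x-auth-token")


def credential_headers(headers):
    """Return the credential-bearing header names present, matched case-insensitively."""
    return [h for h in headers if h.lower() in CREDENTIAL_HEADERS]


def is_cleartext(url):
    """Anything that is not https is treated as cleartext, including a missing scheme."""
    return urlsplit(url).scheme.lower() != "https"


def redact(value, keep=4):
    """Never copy a whole token into a finding; keep a short prefix for correlation."""
    return value[:keep] + "..." if len(value) > keep else "..."


def find_cleartext_credentials(requests):
    """Report every request that carried a credential header over a non-TLS URL."""
    findings = []
    for req in requests:
        names = credential_headers(req["headers"])
        if names and is_cleartext(req["url"]):
            findings.append({
                "url": req["url"],
                "headers": {n: redact(req["headers"][n]) for n in names},
            })
    return findings


def guard_request(url, headers):
    """Client-side counterpart of the server-side fix: refuse to send credentials to a
    cleartext URL, so a spoofed hotspot cannot collect the token on the wire."""
    if credential_headers(headers) and is_cleartext(url):
        raise ValueError("refusing to send credentials over cleartext to " + url)
    return url, headers


if __name__ == "__main__":
    for finding in find_cleartext_credentials(SAMPLE_REQUESTS):
        print(finding["url"], finding["headers"])
```

Run against a proxy export, the scan gives the list of clients and endpoints still syncing in the clear, which is the evidence an operator needs before turning on an HTTPS-only policy; the guard shows where the same rule belongs in a client library.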

46. May 26, Softpedia – (International) WordPress 3.1.3 contains security fixes and clickjacking protection. The WordPress development team has released version 3.1.3 of the popular blog publishing platform which fixes several security issues and introduces clickjacking protection. A moderately critical vulnerability that allows attackers to execute rogue PHP code on servers with certain configurations has been patched. The flaw, disclosed earlier in May, allows users with “Author” permission to upload and execute php files with extra media extensions (.jpg or .gif) on Web servers that are not configured to handle them. A separate php code execution flaw that does not require any special Web server configuration has also been patched, but no exploit or details have been made public. Other changes in this release address cross-site scripting (XSS) weaknesses and a privacy issue with WordPress backups. The taxonomy querying has also been hardened against attacks, and an information disclosure flaw that can result in the exposure of non-author user names was patched. Two Microsoft researchers contributed media security fixes, and the security of the file upload process was improved. A cleanup routine for unfinished imports was also added. Source:
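The upload flaw in item 46 hinges on a filename such as `shell.php.jpg`: a check that only looks at the last extension accepts it, while a web server that maps every dotted component to a handler may still run it as PHP. The block below is an added example, not WordPress code or its patch, contrasting that weak check with a validator that rejects executable components anywhere in the name, insists the final extension is an allowed image type, and verifies the file body against that type's signature. The extension lists are constructed assumptions; the image magic bytes are the standard signatures for those formats.

```python
import os
import secrets

# Extensions a server might hand to a script interpreter (assumed list for the example)
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}
ALLOWED_MEDIA_EXTENSIONS = {"jpg", "jpeg", "gif", "png"}

# Leading bytes of the allowed image formats (standard signatures)
MAGIC = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "png": b"\x89PNG\r\n\x1a\n",
}


def naive_check(filename):
    """The weak check: only the final extension is examined, so 'shell.php.jpg' passes."""
    return filename.rsplit(".", 1)[-1].lower() in ALLOWED_MEDIA_EXTENSIONS


def hardened_check(filename, content):
    """Accept only if every dotted component is non-empty, the final extension is an
    allowed media type, no other component is an executable extension, and the body
    starts with the magic bytes of the claimed type."""
    parts = os.path.basename(filename).lower().split(".")
    if len(parts) < 2 or not all(parts):      # no extension, or empty segment like 'a..jpg'
        return False
    ext = parts[-1]
    if ext not in ALLOWED_MEDIA_EXTENSIONS:
        return False
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[:-1]):
        return False
    return content.startswith(MAGIC[ext])


def storage_name(filename):
    """Store under a random name with a single extension so the client-supplied
    name never reaches disk; call only after hardened_check has accepted the file."""
    ext = os.path.basename(filename).lower().rsplit(".", 1)[-1]
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    # Constructed sample uploads: (name, first bytes of body)
    samples = [
        ("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("shell.php.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16),
        ("photo.jpg", b"<?php echo 1; ?>"),
    ]
    for name, body in samples:
        print(f"{name:16} naive={naive_check(name)!s:5} hardened={hardened_check(name, body)}")
```

The magic-byte check closes the case where the name is clean but the body is a script; the random storage name removes the attacker's control over what the web server sees at all.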

47. May 25, Computerworld – (International) Newest MacDefender scareware installs without a password. Hours after Apple owned up to a fake security software scam campaign, the “scareware” gang released a new variant, with a new name, MacGuard, and a streamlined installation process that does not prompt victims for their password, a French antivirus firm said May 25. “Given the timing, and the new name, it does seem like this was their reaction to Apple’s support document,” said a spokesman for Intego, a maker of Mac-specific security software. Apple May 24 acknowledged the threat. The cyber criminals also changed the way they distribute the fake security program, breaking it into two parts: a small downloader, dubbed “avRunner,” which once on a Mac reaches out to a hacker-controlled site to download the phony MacGuard security software. “Unlike the previous variants, no administrator password is required to install the downloader,” the Intego researcher said. “People will still see an installer screen — [the attackers] haven’t gotten to the point where they’re completely avoiding that yet — but all one needs to do to install is click ‘OK’ a couple of times. So it’s one less hurdle.” avRunner sidesteps the need for an administrator password by putting itself directly in the Applications folder. avRunner then grabs MacGuard from a remote server. Source:

48. May 25, The Register – (International) 35m Google Profiles dumped into private database. Proving that information posted online is indelible and trivial to mine, an academic researcher has dumped names, e-mail addresses, and biographical information made available in 35 million Google Profiles into a massive database that took just 1 month to assemble. The University of Amsterdam Ph.D. student said he compiled the database as an experiment to see how easy it would be for private detectives, spear phishers, and others to mine the vast amount of personal information stored in Google Profiles. The verdict: It was not hard at all. Unlike Facebook policies that strictly forbid the practice, the permissions file for the Google Profiles URL makes no prohibitions against indexing the list. Also, Google engineers did not impose any technical limitations in accessing the data, which is made available in an extensible markup language file called profiles-sitemap.xml. Source:

49. May 25, H Security – (International) ElcomSoft cracks iOS encryption system. Security researchers from Elcomsoft have discovered a method that allows them to copy and decrypt the memory of iPhones that have built-in hardware encryption (3GS and 4); iPod Touch (3rd generation or later); and all iPad models. They apparently read the memory directly, which, for instance, even enabled them to restore deleted data. ElcomSoft said this is particularly relevant for forensic investigations. The researchers explained that a custom kernel with a special RAMDisk driver first must be loaded into the iPhone in Device Firmware Upgrade mode – which works in a similar way to booting a PC from an external hard disk. Then, the Flash memory can be read without the need to access the iOS file system drivers, and an exact copy can be obtained. ElcomSoft uses various keys to decrypt the image; these keys are extracted by special tools that can be run on the iPhone or calculated at run-time.


50. May 25, The Register – (International) Unpatched IE bug exposes sensitive Facebook creds. An independent security researcher has devised an attack that remotely steals digital credentials used to access user accounts on Facebook and other Web sites by exploiting a flaw in Microsoft’s Internet Explorer (IE) browser. The researcher demonstrated his “cookiejacking” proof of concept the week of May 16 at the Hack in the Box security conference in the Netherlands. It exploits a flaw present in all current versions of IE to steal session cookies that Facebook and other Web sites issue once a user has entered a valid password and corresponding user name. The cookie acts as a digital credential that allows the user to access a specific account. The proof of concept code targets cookies issued by Facebook, Twitter, and Google Mail, but the researcher said the technique can be used on virtually any Web site and affects all versions of Windows. The attack exploits a vulnerability in the IE security zones feature that allows users to segregate trustworthy Web sites from those they do not know or do not ever want to access. By embedding a special iframe tag in a malicious Web site, an attacker can circumvent this cross zone interaction and cause the browser to expose cookies stored on the victim’s computer. Source:

51. May 25, Softpedia – (International) Rogue VirusTotal Website distributes Java malware. Security researchers from antivirus vendor Kaspersky Lab have come across a fake VirusTotal Web site that is being used to distribute malware via a Java-based downloader. VirusTotal is a popular service that allows users to scan files with many antivirus engines. The site is used by hundreds of thousands of professionals and regular users on a daily basis. The spoofed site discovered by Kaspersky looks exactly like the real one and prompts users to run a Java applet. Because the applet is not signed with a valid certificate, users are asked to confirm its execution. The applet is actually a Java-based trojan downloader that distributes a piece of malware detected by Kaspersky as Worm(dot)MSIL.Arcdoor.ov. The botnet is controlled through a commercial Web-based DDoS framework known as N0ise. It accepts commands to initiate several types of DDoS, and to report the hostname of the victim machine, the type and version of the operating system, and the version of the malware itself. Source:

For another story, see item 19 above in Banking and Finance

Communications Sector

See items 45 and 49 above in Information Technology