Tuesday, August 9, 2011

Complete DHS Daily Report for August 9, 2011

Daily Report

Top Stories

 A federal report said a natural gas pipeline in New York poses a public safety risk due to defective welds that could lead to a rupture, Elmira Star-Gazette reports. (See item 6)

6. August 6, Elmira Star-Gazette – (New York) Millenium Pipeline unsafe, according to a federal report. The Southern Tier’s major natural gas pipeline in New York poses a public safety risk due to defective welds that could lead to a rupture, according to a recent federal report. The Millennium Pipeline, which runs more than 180 miles from Steuben County to Rockland County, has been under investigation since a leak was detected January 11 near Schneider Road in the Town of Owego. The New York State Department of Public Service conducted a five-month investigation, and determined that an 1/8-inch leak caused by a faulty weld released 1.3 million cubic feet of natural gas from the pipeline. The federal Pipeline and Hazardous Materials Safety Administration (PHMSA) received the results of the state investigation in May, and on July 6 released a document that raises concerns about the integrity of the pipeline. According to the report, the section of pipeline that failed in January did not pass a visual inspection due to a faulty weld, and was set aside. Later, the weld was inadvertently picked up and installed. The PHMSA report indicates that investigators identified other ―suspect‖ welds along the length of the pipeline, and that pipeline employees could not produce records to demonstrate the welds had been tested properly. The Millennium, which includes 24- and 30-inch-diameter sections, was constructed in 2007 and 2008 and went into service in December 2008. It is co-owned by NiSource Inc. of Merrillville, Indiana, Detroit-based DTE Energy and National Grid of Waltham, Massachusetts. Source: http://www.stargazette.com/article/20110806/NEWS01/108060348/Millenium-Pipeline-unsafe-according-federal-report?odyssey=tab|topnews|text|FRONTPAGE

 The group known as Anonymous said August 6 it hacked into about 70 law enforcement Web sites across the southern and central United States, and the group claimed to have stolen 10 gigabytes of data, including emails, credit card details, and other information from local law enforcement bodies, Associated Press reports. See item 41 below in the Information Technology Sector


Banking and Finance Sector

17. August 7, Japan Times – (International) Citi Cards suffers massive info leak. Citi Cards Japan Inc. said August 5 that personal information about some 92,400 customers, including names, addresses, and credit card numbers, may have leaked, but no unauthorized use of the cards has been reported. A person involved in a company to which Citi Cards outsourced part of its business illicitly obtained the information and sold it to a third party, the unit of Citigroup. The case has been reported to the police. Citi Cards said unauthorized use of the cards is unlikely because security codes, such as personal identification numbers, were not included in the leaked information. Customers will be exempt from paying bills resulting from unauthorized use of the cards, Citi said. The incident came to light in July after a cardholder reported that he had noticed that his information had been leaked. Source: http://search.japantimes.co.jp/cgi-bin/nn20110807a8.html

18. August 6, WWL-TV 4 New Orleans – (Louisiana) Paw-paw bandit could be in custody after Friday bank robbery in Metairie. The Jefferson Parish Sheriff’s Office in Louisiana is trying to figure out if a 57-year-old man who robbed a Veteran’s Boulevard bank August 5 is the ―Paw Paw‖ bandit who is wanted in connection with four other robberies. The sheriff said the suspect was arrested and charged with three counts of first-degree robbery and two counts of simple robbery – he also fits the description of the 60-something, white male who was being sought in four recent bank hold-ups. On August 5, the sheriff said the suspect approached a teller at the Whitney Bank at 4845 Veteran’s Boulevard and demanded money. After the teller surrendered the cash, the suspect fled in a white Ford Focus. Following the broadcast of the robbery, a patrol officer spotted the vehicle at the intersection of Veterans Boulevard and Power Boulevard. The officer ordered the suspect from the car and arrested the man. Source: http://www.wwltv.com/news/crime/Paw-paw-bandit-could-be-in-custody-after-Friday-bank-robbery-in-Metairie-127072718.html

19. August 6, CNET News – (International) Android could allow mobile ad or phishing pop-ups. Researchers have discovered what they say is a design flaw in Android that could be used by criminals to steal data via phishing or by advertisers to bring annoying pop-up ads to phones. Developers can create apps that appear to be innocuous but which can display a fake bank app log-in page, for instance, when the user is using the legitimate bank app, the senior vice president and head of SpiderLabs at Trustwave said ahead of his presentation on the research at the DefCon hacker conference August 6. Currently, apps that want to communicate with the user while a different app is being viewed just push an alert to the notification bar on the top of the screen. But there is an application programming interface in Android’s Software Development Kit that can be used to push a particular app to the foreground, he said. ―Because of that, the app is able to steal the focus and you’re not able to hit the back button to exit out,‖ he said. The tool installs itself as part of a payload inside a legitimate app and registers as a service so it comes back up after the phone reboots, he said. With this design flaw, game or app developers can create targeted pop-up ads, he said. The functionality would not raise any red flags in the permissions displayed when the user downloads the app because it is a legitimate function for apps to check the phone state in what is called the Activity Service. He said the researchers spoke to someone at Google about their findings a few weeks ago and that the individual acknowledged that there was an issue and said the company was trying to figure out how to address it without breaking any functionality of legitimate apps that may be using it. Source: http://news.cnet.com/8301-27080_3-20089123-245/android-could-allow-mobile-ad-or-phishing-pop-ups/

20. August 5, InformationWeek – (International) iPad credit card reader hacked as skimmer. Security researchers have used the Square dongle to transform an iPad into a credit card skimmer. Square turns iPads, iPhones, or iPod Touches into mobile payment hubs via a small, plastic dongle that enables credit cards to be swiped after a user plugs it into the device’s headphone jack. In conjunction with a free iOS Square application, the dongle enables people to accept in-person credit card payments. But speaking August 4 at Black Hat, a UBM TechWeb event in Las Vegas, security researchers from Aperture Labs demonstrated a hack that criminals could use to convert skimmed cards into cash, via Square. It turns out that Square’s dongle converts credit card magstripe data into audio, which the iOS application then listens to and translates back into credit card numbers. A director at Aperture said converting Square into a platform able to read stolen credit card data took him 15 minutes. The hack, demonstrated at Black Hat on an iPad, works by plugging one end of a 3.5mm audio cable into the iPad, and the other into the audio output port of a laptop, and running software called Makstripe. The software, which can be used with a card skimmer to capture swiped cards’ magstripe data, can also be used to play card data as audio. Someone can input an arbitrary card number into Makstripe, and then play the number back into Square, to then charge that credit card for any amount. Instead of needing to manually capture credit card numbers using a skimmer, a criminal could also purchase credit card data on the black market for as little as $2 per card, or less when purchased in bulk. ―You just start injecting these credit card numbers into the [Square] application, and making charges to it. Then you clear out the account on a daily basis, and when you get rumbled, you move on,‖ the Aperture director said. The director said that he notified Square about the hack in February. Source: http://www.informationweek.com/news/security/vulnerabilities/231300283

21. August 5, Fresno Bee – (California) Fresnans found liable in Ponzi scheme suit. Two senior officers of a defunct northwest Fresno, California business must pay $46.5 million to more than 1,200 victims of an alleged Ponzi scheme, a jury ruled August 5 in Fresno County Superior Court. But the victims – many of them from Fresno’s Armenian-American community – will not get full restitution. The defendants likely do not have that much cash or could be hiding their assets, a lawyer for the victims said. Jurors deliberated two days before finding the president of HL Leasing Inc. and the company’s chief financial officer (CFO) liable. The jury verdict in the class-action suit came three days after a judge found HL Leasing Inc., Heritage Pacific Leasing, and Air Fred LLC also liable for defrauding the victims. The three companies were created by the alleged mastermind of the Ponzi scheme, but he committed suicide in 2009, leaving his wife and his two top employees to defend themselves during a three-week trial. The jury found the president of HL Leasing Inc. liable under the theory of fraudulent concealment and aiding and abetting the fraud. The CFO aided and abetted in the fraud, the panel concluded. Over the years, the deceased mastermind and his employees fraudulently enticed investors to lend HL Leasing money by telling them that he was buying American Express lease agreements at a discount. In return, the investors would get monthly payments on their loans, he said. Prosecutors said the president used longtime investors to vouch for the company’s success to prospective clients. He falsely told the prospects that the company was registered with the California Department of Corporations, they said. The president made nearly $5 million between 2004 and 2008, the prosecutor told the jury. The CFO made as much as $126,000 per year plus bonuses as CFO, he said. Source: http://www.fresnobee.com/2011/08/05/2490461/fresnans-found-liable-in-ponzi.html

22. August 5, Seattle Post-Intelligencer – (Washington) Chief mortgage lender at Tacoma bank charged with fraud. The former head of a defunct Tacoma, Washington bank’s home loans unit and another Pierce Commercial Bank executive were indicted August 5 on bank fraud charges. The 39-year-old ex-senior vice president and loan officer for Pierce Commercial Bank is accused of conspiring with others to issue loans to unqualified borrowers. In an indictment unsealed August 5, federal prosecutors in Tacoma also claim a former senior vice president for residential lending at the bank worked with the ex-senior vice president in perpetrating the fraud. The ex-executive is accused of prompting others at Pierce Commercial Bank to falsify mortgage applications while raking in bonuses and embezzling from his employer. The loans issued to unqualified borrowers through the bank’s mortgage division, PC Bank Home Loans, played a part in the bank’s collapse. The former executive appears to have been the main target of a federal investigation launched months before the bank’s closure. According to a U.S. Attorney’s office statement, prosecutors claim the co-conspirators caused more than 270 loans that contained false and fraudulent documents and information to be funded by Pierce Commercial Bank, representing in excess of $45 million in loan proceeds. More than 100 of these loan files have defaulted, causing in excess of $10 million in loss to the bank, secondary investors, and federal housing authorities. So far, at least eight low-level employees have been charged with fraud. Many of the loans were resold to other lenders, including Countrywide, Wells Fargo and JP Morgan Chase, with Pierce Commercial Bank receiving a fee from the secondary lender. The former executive was the loan officer on 5,253 loans, amounting to nearly $1 billion in lent money, and about 46 percent of the home loans issued by the bank, the federal prosecutor told the court. Source: http://www.seattlepi.com/local/article/Chief-mortgage-lender-at-Tacoma-bank-charged-with-1741543.php#page-1

23. August 5, Bloomberg – (National) Ex-Mariner Energy director admits passing Apache Corp. merger tip to son. A former Mariner Energy Inc. director pleaded guilty August 5 to passing inside information about the company’s planned acquisition by Apache Corp. to his son. The 65-year-old Denver, Colorado man, a retired former accounting firm partner who also serves on the boards of Re/Max International Inc. and Lone Pine Resources Inc., pleaded guilty to conspiracy and securities fraud in Manhattan federal court. His son, a 35-year-old a financial adviser from Denver, also pleaded guilty to the same charges. The 65-year-old, who was appointed to Mariner’s board in March 2006, said he passed information about the planned transaction in April 2010 to his son. The son said he bought shares of Mariner stock based on the tip and passed on the information to another unidentified person who also traded on it. Apache, the largest U.S. independent oil and natural-gas producer by market value, on April 15, 2010, announced that it had agreed to buy Houston-based Mariner Energy for in a deal valued at the time at $2.7 billion in cash and stock to boost production and reserves in deep waters off the Gulf of Mexico. The SEC August 5 sued the father and son in federal court in Manhattan, claiming that the son, his relatives, friends, and clients made more than $5.2 million from trading on the information. Of that amount, $5 million was made by the portfolio manager of an unidentified Denver hedge fund. The father and son face as much as 20 years in prison for securities fraud and 5 years for conspiracy. Source: http://www.bloomberg.com/news/2011-08-05/former-mariner-energy-director-admits-to-passing-apache-merger-tip-to-son.html

24. August 4, Echo Park Patch – (California) Suspect in ‘All Ears Bandit’ bank robberies pleads not guilty. A bank robbery suspect pleaded not guilty in U.S. district court August 4 on two charges of attempted bank robbery and one charge of bank robbery in connection with a series of crimes in California attributed to the ―All Ears Bandit.‖ The man is the primary suspect in the robberies, which include an attempted robbery March 19 at the Bank of America in Echo Park. According to a spokesperson in the FBI’s Los Angeles Field Office, the 25-year-old was taken into custody August 1 ―without incident.‖ The suspect was indicted July 22 on charges including the attempted bank robbery at the Bank of America in Echo Park. He was also indicted on another charge of attempted bank robbery, and for a bank robbery March 12 in Bell Gardens. The FBI allegedly identified the suspect from evidence left at one of the banks. They also linked him to several bank robberies based on witnesses’ descriptions who referred to him as having big ears — thus, the moniker ―All Ears Bandit.‖ Source: http://echopark.patch.com/articles/suspect-in-all-ears-bandit-bank-robberies-arrested-pleads-not-guilty

25. August 4, New York Daily News – (New York) Con man charged with stealing $1M by seducing bank tellers to steal identities of account holders. A Bronx, New York man with a criminal past was taken to court August 4 on charges he swiped $1 million from JPMorgan Chase by seducing bank tellers. The man and five others were named in a 148-count indictment charging they stole the identities of 80 victims in a scheme that ran from 2009 to 2011. Among his co-conspirators are two tellers, who claimed to be in love with him. Prosecutors in the Manhattan District Attorney’s office said at least one of the teller’s knew what she was doing and stole the identities of 16 victims from her work computer - and the man paid her for the information. Two male bank employees were recruited to mine bank computers for dates of births, social security numbers, and other personal data of victims. The corrupt employees also copied account holders’ bank signature cards so ring members could imitate a victim’s signature as they opened new accounts. The Bronx man and two other men were charged with using the data to open credit card and eTrade accounts and make cash withdrawals. They also pick pocketed victims to steal their identities, officials said. They each face up to 25 years in prison. Source: http://www.nydailynews.com/news/ny_crime/2011/08/04/2011-08-04_con_man_charged_with_stealing_1m_by_seducing_bank_tellers_to_steal_identities_of.html

Information Technology Sector

43. August 8, Softpedia – (International) Fake firefox update emails carry malware. Security researchers from Sophos warned of fake emails purporting to be Firefox update notifications and directing recipients to a password-stealing trojan. The emails bear a subject of ―New version released‖ and have their header spoofed to appear as if they were sent from a @firefox.com email address. The contained message is copied from the legit Firefox Update page and reads: ―A Firefox software update is a quick download of small amounts of new code to your existing Firefox browser. These small patches can contain security fixes or other little changes to the browser to ensure that you are using the best version of Firefox available. The email ends with a recommendation reading ―For security reasons please update your firefox version now [LINK],‖ however, it is clear that the link does not lead to a location on mozilla.com. The URL points to a file hosted on btopenworld dot come, the Web hosting service offered by BT to its broadband customers. The executable is actually an installer for Mozilla Firefox 5.0.1 with a password stealer attached. Bundling the trojan with a legit Firefox installer instead of serving it directly is an attempt to divert the victim’s attention from what is happening in the background. Users are always advised to download programs directly from the vendor Web sites or trusted download portals. Source: http://news.softpedia.com/news/Fake-Firefox-Update-Emails-Carry-Malware-215720.shtml

44. August 8, H Security – (International) Major security hole in SAP’s NetWeaver. A Russian security expert of ERPScan has presented a security hole in SAP’s J2EE engine, NetWeaver, which allows an attacker to create new administrator accounts remotely. He first searched, using Google, for a particular string that was typically an indicator of the Management Portal for SAP systems. Then, using the URL from the search, he used a Perl script which executed the actual attack in two stages. First, the script would create a new user. Then it would promote the new user to administrator. Using the freshly created user, it was then possible to log into the vulnerable system. According to the expert, the attack works even if the system’s two factor authentication (password+secret key) is enabled. The script will be released by the researcher three months after the publication of an update by SAP, giving enough time for SAP’s customers to patch their systems. According to his calculations, around 50 percent of all SAP installations are affected by the bug in the J2EE Engine; NetWeaver is the foundation upon which many of SAP’s products are built. The researcher would give no other details while SAP has not eliminated the vulnerability with a software update. Source: http://www.h-online.com/security/news/item/Major-security-hole-in-SAP-s-NetWeaver-1319808.html

Communications Sector

45. August 8, Associated Press – (National) 45,000 Verizon landline workers strike. Stalled contract negotiations led thousands of workers in Verizon Communication Inc.’s wireline division to go on strike August 8, potentially affecting landline operations as well as installation of services like FiOS, its fiber-optic television and Internet lines. The contract for the 45,000 employees from Massachusetts to the District of Columbia expired at midnight August 7 with the company and the workers unable to come to terms on issues including health care costs and pensions. Verizon offers landline service in Connecticut, California, Delaware, the District of Columbia, Florida, Maryland, Massachusetts, New Jersey, New York, Pennsylvania, Rhode Island, Texas, and Virginia. The dispute does not affect the company’s wireless division. The affected workers are responsible for maintaining and repairing traditional landlines, as well as installing FiOS, a union spokesman said. He said the strike could impact customers looking for installations or repairs to their service, but a Verizon spokesperson said the company had taken steps like training managers and retirees. Source: http://news.yahoo.com/45-000-verizon-landline-workers-strike-220340248.html

46. August 8, The Register – (International) Lightning strikes cloud: Amazon, MS downed. Microsoft has been left reeling after another BPOS crash, and Amazon’s EC2 Web services were also downed by lightning August 7 in Europe. A bolt struck a transformer at a power utility provider in Dublin, Ireland, causing an explosion that took down the back-systems last night for the region. Amazon admitted to having issues at 7 p.m. August 7 and told users via its service health dashboard that under such circumstances, a power cut would usually be ―seamlessly picked up by backup generators.‖ ―The transient electric deviation caused by the explosion was large enough that it propagated to a portion of the phase control system that synchronizes the backup generator plant, disabling some of them,‖ it stated. Power sources needed to be ―phase synchronized‖ before being brought online to load, which needed to be done manually, causing delays to the resumption of services in Amazon’s Elastic Cloud Compute and Relational Database Service. ―Due to the scale of the power disruption, a large number of EBS servers lost power and require manual operations before volumes can be restored. Restoring these volumes requires that we make an extra copy of all data, which has consumed most spare capacity and slowed our recovery process,‖ said Amazon. Amazon added that it was installing extra capacity onsite and from other data centers, but added: ―While many volumes will be restored over the next several hours, we anticipate that it will take 24-48 hours until the process is completed.‖ Source: http://www.theregister.co.uk/2011/08/08/bpos_amazon_power_outages/