Thursday, August 11, 2011

Complete DHS Daily Report for August 11, 2011

Daily Report

Top Stories

• Speedy repairs after a pump failure at Toledo, Ohio's water treatment plant prevented a catastrophe that would have seen a 1-year boil-water advisory for 500,000 customers, the city's mayor said. – WUPW 46 Toledo (See item 27)

27. August 9, WUPW 46 Toledo – (Ohio) Near catastrophe at Toledo water treatment plant. According to information released after Toledo, Ohio's city council meeting August 9, there was a near catastrophe at Toledo's water treatment plant the night of August 5 after four pumps had to be shut down. "This would have created a boil advisory for over 500,000 customers," the mayor told council members. "That could have taken up to a year of a boil advisory throughout the entire Northwest Ohio region. One year to get the system back and wholly up to speed." Just before 7 p.m. August 5, a seal break caused four pumps bringing water from Lake Erie to be totally shut down. The pumping station had been delivering 85 million gallons of treated water at the time of the shutdown. "Friday night we lost service to our low service pump station which basically supplies all the water to our system," said the director of public utilities. "At that point we had no water. We go right into the reserves." Water treatment facility operators manually shut down the plant and switched to a below ground storage reserve that kept delivering potable water to customers. From that point, operators had a 7-hour window to fix the problem. According to a letter from the city's utility department to the city council and the mayor, crews were able to examine, repair, and restart the pumps in about 3 hours. Had they not, city residents and every customer that Toledo provides water for would have had to boil their water for up to a year. Source:

• A cryptographer has devised a way to monitor cell phone conversations by exploiting security weaknesses in the technology that is used by most mobile operators. – The Register. See item 39 below in the Communications Sector


Banking and Finance Sector

11. August 10, Reuters – (International) Hong Kong exchange trading disrupted as hackers target website. The Hong Kong stock exchange was forced to suspend trading in stocks after hackers broke into its Web site August 10, preventing investors from accessing company announcements made during the midday break. "Our current assessment is this is a result of a malicious attack by outside hacking," the chief executive of Hong Kong Exchanges & Clearing (HKEx) told reporters after the company announced interim results. In a statement released earlier, HKEx said it adopted a half-day (one trading session) suspension policy for issuers that announce price-sensitive information during the lunch hour. Other systems at the exchange were not affected, and trading in its securities and derivatives markets operated normally, the exchange said. If the Web site remains unstable August 11, the exchange's bulletin board will be used for dissemination of information, but the stocks will not be suspended, said the head of listing at HKEx. He added the move to suspend trading was part of a contingency plan approved by the territory's stock regulator. "It was the first time for a suspension due to such a kind of technical problem and one involving so many companies," said the chief dealer at Cheer Pearl Investment in Hong Kong. Source:

12. August 10, Associated Press – (Florida; Massachusetts) 4 Fla. men charged in $3m loan scam. Four Florida men were indicted in a $3 million scam in which they allegedly charged struggling homeowners for free home loan modification applications, U.S. prosecutors in Boston disclosed August 9. The indictment alleged their firm, Home Owners Protection Economics Inc., virtually guaranteed clients a federally funded home loan modification and charged thousands of customers a $400 to $900 upfront fee. The firm then allegedly sent clients an application package nearly identical to a free federal application. The indictment said most clients’ applications were denied. The men face several charges, including 9 counts each of wire and mail fraud. Source:

13. August 10, KUAM 8 Hagatna – (Guam) Former chamber staffer indicted for bank fraud. The Guam Chamber of Commerce responded August 9 to the indictment of one of its former employees who was charged with embezzling more than $200,000 from the organization. The chamber's former bookkeeper was indicted by a federal grand jury charged with 90 counts of bank fraud. She is accused of altering chamber checks and embezzling more than $200,000 from November 2006 through October 2010. According to a memorandum issued to the chamber membership from its chairman, the organization became aware of the suspect's "sophisticated system of fraud" and reported the matter to the FBI, which recently concluded its investigation. The indictment alleges the suspect would have a check properly signed for the amount she was entitled to as wages, and then allegedly altered the check for a much larger amount and deposited the check into her personal bank account. Ten checks were altered on the Chamber's Armed Forces Committee Account totaling more than $22,000, and 80 checks were altered from the Chamber's Operating Account totaling $174,000. Source:

14. August 9, Financial Industry Regulatory Authority – (National) FINRA fines Citigroup $500,000 for failing to supervise sales assistant who misappropriated customer funds. The Financial Industry Regulatory Authority (FINRA) announced August 9 it fined Citigroup Global Markets, Inc. $500,000 for failing to supervise a former registered sales assistant at the firm's branch office in Palo Alto, California. Over an 8-year period, she misappropriated $749,978 from 22 customers, falsified account records, and engaged in unauthorized trades in customer accounts. She took advantage of Citigroup's supervisory lapses at the branch and targeted elderly, ill, or otherwise vulnerable customers whom she believed were unable to monitor their accounts. FINRA previously barred the associate for her actions, and is continuing to investigate other individuals involved in her supervision. FINRA found Citigroup failed to detect or investigate a series of "red flags" that upon further inquiry should have alerted the firm to the suspect's improper use of customer funds. The red flags included exception reports highlighting conflicting information in new account applications, and customer account records reflecting suspicious transfers of funds between unrelated accounts. Citigroup also failed to implement reasonable systems and controls regarding the supervisory review of customer accounts, thus enabling the associate to falsify new account applications and other records. Citigroup also failed to detect suspicious activity involving transfers and disbursements in the accounts she used to misappropriate customer funds. In concluding these settlements, the firm neither admitted nor denied the charges, but consented to the entry of FINRA's findings. Source:

15. August 9, Greenwich Time – (Connecticut; New York) 3rd woman pleads guilty in Greenwich ATM-skimming scheme. Another member of a group from Queens, New York, who participated in an ATM-skimming scheme that targeted Fairfield County, Connecticut banks, pleaded guilty August 9 in U.S. district court in Bridgeport to one count of conspiracy to commit bank fraud. The 32-year-old Romanian citizen living in New York entered the plea before a U.S. magistrate judge, and faces up to 30 years in prison, and a fine of up to $1 million. Federal officials said the woman and others conspired to install "skimming" devices on automated teller machines and on card swipe-access devices used by banks to control access to ATM lobby doors. They also placed hidden cameras on the machines to record bank customers keying in personal identification numbers, and used the stolen data to create counterfeit bank cards that allowed them to withdraw funds from the customers' accounts. The group specifically targeted People's United Bank locations in Greenwich, Stamford, and Darien. The woman and her conspirators were arrested by the Connecticut Financial Crimes Task Force April 22, 2010, outside a Darien shopping center, where they allegedly were attempting to make withdrawals using bank account information they obtained from skimming operations set up throughout the region. At the time of their arrests, the women were carrying $2,000 in cash, handwritten notes with addresses of People's bank locations, ATM-skimming tools, and other items used in the scheme. The man believed to be at the center of the plot was indicted in March for his part in the scheme. He was charged with one count of conspiracy to commit bank fraud, four counts of bank fraud, and four counts of aggravated identity theft. Source:

16. August 9, Inside Tucson Business – (Arizona) Real estate agent pleads guilty in mortgage fraud case. A Phoenix real estate agent pleaded guilty August 8 to charges he participated in a mortgage fraud scheme. The 36-year-old was accused of representing buyers who purchased multiple homes with loan applications containing false information, and concealing from the lenders “kick backs” to the buyers. He pleaded guilty to conspiracy to commit wire fraud. He has been connected to at least 44 home foreclosures that resulted in $2.5 million in losses to lending agencies. The case was based on an investigation by the Internal Revenue Service, Criminal Investigation Division, which found that from September 2005 to August 2006, the agent found sellers of distressed properties and offered more than the asking price. He obtained inflated appraisals to support the loan amounts, and recruited buyers he knew would not be qualified to purchase multiple homes. He facilitated the submission of loan applications containing false data. When the sales closed, the realtor instructed escrow officers to disburse monies back to the borrower. In many of the sales, he received both commissions and cash bonuses for the sales. Source:

For another story, see item 39 in the Communications Sector

Information Technology Sector

37. August 9, Help Net Security – (International) Microsoft releases 13 security bulletins, fixes 22 vulnerabilities. Microsoft released 13 security bulletins August 9, two rated Critical, nine Important, and two Moderate. These bulletins address 22 unique vulnerabilities in Internet Explorer, Microsoft .NET Framework, Microsoft Developer Tools, Microsoft Office, and Microsoft Windows. The two critical updates: MS11-057 (Internet Explorer). This security update resolves five privately reported vulnerabilities and two publicly disclosed vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Microsoft is not aware of any attacks leveraging the vulnerabilities addressed in this bulletin. MS11-058 (DNS Server). This security update resolves two privately reported vulnerabilities in Windows DNS server. The more severe of these vulnerabilities could allow remote code execution if an attacker sends a specially crafted Naming Authority Pointer (NAPTR) query to a DNS server. Servers that do not have the DNS role enabled are not at risk. Qualys CTO comments: "Top priority should be given to a 'critical' bulletin that affects Internet Explorer 6 through 9 on Windows 7, XP, Vista, 2003 and 2008. If left unpatched, attackers could use this vulnerability to remotely take control of victims' systems." Source:

For another story see item 39 below in the Communications Sector

Communications Sector

38. August 10, Fayetteville Observer – (North Carolina) Phone, Internet outage affects downtown Fayetteville. A severed cable knocked out CenturyLink services across Fayetteville, North Carolina, and beyond on August 8, and into August 9. Someone working on a railroad inadvertently hit a conduit and chopped off the service, according to a CenturyLink spokeswoman. It was not clear how many customers were affected, but not all places within that area were without services. Those affected started noticing problems shortly after 3 p.m. August 8. The outage closed the Wachovia bank on Green Street August 9. Phones were also out at the post office. All Cumberland County offices except the health department, social services, child support, and animal control were affected, according to a county spokeswoman. Nonemergency phones at the sheriff's office were down until about 7:30 p.m. August 8, but 911 lines remained in use, the county spokeswoman said. Source:

39. August 10, The Register – (International) Hackers crack crypto for GPRS mobile networks. A cryptographer devised a way to monitor cellphone conversations by exploiting security weaknesses in the technology that forms the backbone used by most mobile operators. The chief scientist of Berlin-based Security Research Labs said the attack works because virtually all of the world's cellular networks deploy insecure implementations of general packet radio service (GPRS). Some, such as those operated by Italy's Wind or Telecom Italia, use no encryption at all, while Germany's T-Mobile, O2 Germany, Vodafone, and E-Plus use crypto so weak it can easily be read by unauthorized parties. He plans to release software August 10 at the Chaos Communication Camp 2011 that allows hobbyist hackers to snoop on GPRS calls that use no encryption. He will also demonstrate ways to use cryptanalysis to decrypt GPRS traffic that's protected by weaker ciphers. He characterized most of the cryptographic protection offered by GPRS as “hopelessly out-dated.” What is more, virtually all of the world's networks that use GPRS use no encryption at all, or use weak encryption. That makes it possible to passively monitor calls with a modified phone or to crack the encrypted traffic they capture using a method they recently refined. The attacks to be demonstrated August 10 generally work by passively intercepting unencrypted traffic, by using a fake base station to force encrypted traffic to be downgraded into an unencrypted state, or to be cracked using rainbow tables. Mobile operators vulnerable to the GPRS attacks told The New York Times they planned to monitor the August 10 presentation. Source:

40. August 9, FierceCable – (National) Verizon alleges network sabotage as strike turns ugly. As 45,000 Verizon employees remain on strike, the company reported that it has seen at least 12 acts of sabotage to communications facilities in four states, FierceCable reported August 9. Some of the damage to its network has resulted in outages for its FiOS TV, Internet, and phone services. Verizon said it has seen 10 incidents of fiber-optic lines being cut in the Bronx, Pomona, Farmingdale, and Guilderland in New York, in addition to incidents in Tewksbury, Massachusetts, Bel Air, Maryland, and East Dover, Oakland, and Plainfield, New Jersey. The company blamed one outage on electronic equipment that was stolen from a Cedar Grove, New Jersey facility, and it said the heating system at its central office in Manhattan was tampered with. Some violence has also been reported at the picket lines being organized by Verizon employee unions. Employees at a picket line in Amherst, New York, accused one replacement worker of driving his car through a picket line, resulting in injuries. Source:

41. August 9, Christian Science Monitor – (National) American Muslim pleads guilty to using the Internet to solicit terrorism. A 22-year-old American Muslim from New Bethlehem, Pennsylvania, pleaded guilty August 9 to using an Internet Web site to urge Muslim radicals within the United States to engage in a wide range of terror attacks. He pleaded guilty in federal court in Pittsburgh to a single charge of solicitation to commit a crime of violence. The solicitations included urging like-minded individuals to sabotage train tracks; destroy phone lines, power lines, and cell phone towers; start forest fires; and engage in isolated attacks against American civilians, police, and military officials. The man was an active moderator on the English-language version of the militant Islamic Web discussion forum, Ansar al-Mujahideen Forum. The second count of his indictment charges that he posted and distributed on the Internet a 101-page explosives course written by a professor who was once al-Qa'ida’s top chemical and biological weapons expert. “[He] placed a number of postings … encouraging attacks within the United States,” the indictment said. “He suggested the use of firearms, explosives, and propane tanks against targets such as police stations, post offices, synagogues, military facilities, train lines, bridges, cell phone towers, and water plants.” He suggested militant Muslims in the United States should attack civilian aircraft, banks, military installations, Jewish schools, and daycare centers, according to the indictment. After posting the “Explosives Course” online in late December 2010, agents with the FBI sought to question him. When two agents approached the man January 4, the encounter turned into a physical struggle. During a scuffle, he allegedly bit both agents, drawing blood, as he attempted to retrieve a loaded 9 mm handgun from his jacket pocket. He faces up to 10 years in prison, and a $125,000 fine. Source:

42. August 9, – (North Carolina) Phone, internet restored after MI-Connection outage. Phone and internet service was disrupted for a few hours for some Davidson, North Carolina, customers of MI-Connection Communications System August 9. A spokesman said technicians were working on “two different fiber optic nodes in Davidson” that were experiencing electronic signal problems. It was not clear how many customers were affected. But one node typically serves several hundred customers. The outage began around 9:30 a.m. for customers near downtown. It was restored after midday. Source:

Wednesday, August 10, 2011

Complete DHS Daily Report for August 10, 2011

Daily Report

Top Stories

• A malware injection that targets e-commerce Web pages, called willysy, has ballooned from 90,000 infected pages to more than 6 million in less than 2 weeks. – PC World. See item 38 below in the Information Technology Sector

• Verizon Communications Inc. reported multiple incidents of sabotage in the wake of a massive strike, with cut cables disrupting service for customers in Massachusetts and New York. – Boston Business Journal. See item 39 below in the Communications Sector


Banking and Finance Sector

10. August 9, Associated Press – (New York; Ohio) NY fund announces proposed fraud settlement. The New York State Common Retirement Fund announced August 8, a proposed $168 million settlement of its securities fraud class-action lawsuit against National City Corp. alleging misrepresentations to investors. The New York State Comptroller, the trustee of the $146.5 billion fund and lead plaintiff, said the defendants agreed to the settlement but admitted no wrongdoing. PNC Financial Services Group Inc., which bought Cleveland-based National City in 2008, declined to comment. The suit alleges National City misrepresented the quality of its mortgages and home equity loans, and the severity of its losses. The settlement is expected to go before a U.S. district judge in the Northern District of Ohio for preliminary approval in the next few weeks, with all class members notified after that. Source:

11. August 8, Reuters – (International) Ex-Citi senior trader fined $1.5 mln for fraud-CFTC. A former trader and vice president for Citigroup was ordered by a federal court to pay over $1.49 million for unlawful trading, misappropriation, and fraud, the U.S. Commodities Futures Trading Commission (CFTC) said August 8. The Moroccan national engaged in a series of “fictitious trades” starting on November 23, 2010 to steal money from Citibank and deposit it into his own account, according to the court order. The man worked for Citigroup Global Markets Limited in the United Kingdom. The former Citi trader engaged in noncompetitive palladium and platinum futures transactions on the New York Mercantile Exchange’s Globex trading platform that moved $373,860 from the Citi account to his own. The court order, which was entered July 29 in the U.S. District Court for the Southern District of New York, requires the former trader to pay $373,860 in restitution, and a $1,121,580 civil monetary penalty. The order also imposes permanent trading and registration bans against the man. Source:

12. August 8, KSAZ 10 and KUTP 45 Phoenix – (Arizona) FBI: ‘Billfold Bandit’ strikes again. The FBI said August 8 the “Billfold Bandit” struck again in Phoenix, Arizona. He robbed the Desert Schools Federal Credit Union near Tatum and Cactus Road. When he approached the teller, he showed a demand note that was concealed in his wallet, indicating a robbery. A weapon was not shown. The teller complied and the suspect fled with an unknown amount of money on foot. Police said he is now responsible for 7 robberies in the past 2 months. He is described as a white man in his 20s, 5’ 9” to 5’ 10” tall, with short brown hair, and a trimmed beard. He was wearing a black baseball cap with a white design on it, dark sunglasses on top of the hat, a long sleeved black t-shirt, and dark-colored pants. Source:

13. August 8, United Press International – (International) U.S. lawmakers to target Iran’s bank. The U.S. President has been asked to take dramatic steps against Iran’s central bank as part of an effort to sideline the regime, lawmakers said August 8. A letter, put together by two U.S. Senators said more economic action is needed against Iran. “In our view, the United States should embark on a comprehensive strategy to pressure Iran’s financial system by imposing sanctions on the Central Bank of Iran,” a copy of the letter, part of which was published by The Wall Street Journal, stated. “If our allies are willing to join, we believe this step can be even more effective.” The letter was expected to arrive on the President’s desk August 9, the Journal noted. More than 90 Senators signed the letter. The report said that if sanctions against Bank Markazi, the central bank, are adopted, it would nearly lock Iran out of the international market. U.S. officials say Tehran is using the bank to hide activity involving sanctioned goods, and to funnel money to U.S. adversaries in Lebanon and the Palestinian territories. One of the Senators, a Republican from Illinois, told the Journal he would introduce a measure to effectively force the President’s hand on the issue. Source:

14. August 8, CBS St. Louis and KMOX 1120 AM St. Louis – (Missouri; Hawaii) Wentzville woman indicted for credit repair scam. The U.S. attorney’s office in St. Louis reported August 8 a woman allegedly falsely represented she operated a “mortgage rescue” or “foreclosure rescue” service. According to the indictment, the woman owned and operated both 1st Financial Resource, LLC, (First Financial) and 1st Federal Resource, LLC, (First Federal). She created and operated First Financial from September 2008 until March 2009, at which time the business became known as 1st Federal Resource, LLC (First Federal). She registered the business as 1939 Wentzville Parkway, Suite 178, in Wentzville, Missouri, which is actually a UPS store that provides commercial mailbox services. The indictment alleges she researched and identified groups of homeowners in the state of Hawaii that were one or more mortgage payments behind, or were in imminent risk of home foreclosure. She then targeted that group of vulnerable home owners, and sent out a large number of unsolicited mailings to prospective clients representing she operated a “mortgage rescue” or “foreclosure rescue” service. More than 80 clients responded to her mailings and wired funds to First Financial and to First Federal. The suspect converted these funds to her own use. None of the client funds were ever sent to lenders. The 41-year-old woman was indicted by a federal grand jury on four felony counts of wire fraud and one felony count of mail fraud. If convicted, each count carries a maximum penalty of 20 years in prison and/or fines of up to $250,000. Source:

Information Technology Sector

38. August 6, PC World – (International) Speedy malware infects more than 6 million Web pages. In less than 2 weeks, a malware injection that targets e-commerce Web pages, called willysy, has ballooned from 90,000 infected pages to more than 6 million. The malware exploits a vulnerability in a popular online merchant platform, osCommerce, according to Web application security provider Armorize of San Francisco. Although Armorize could not identify the attack perpetrators, it did trace the forays to eight IP addresses, all located in the Ukraine. Armorize said the attacks exploit three known vulnerabilities in version 2.2 of osCommerce. The exploits allow the attackers to place an invisible frame (iFrame) on the page and then inject malicious code (JavaScript) into the page, where it will infect visitors to the online store. Once the infection makes it to a shopper’s computer, it targets vulnerabilities in Java, Adobe Reader, Windows Help Center and Internet Explorer. Although the flaws in the programs targeted by the infection are known and have been patched, the attackers are betting that the user has not patched all the programs. Attacks such as this can be especially harmful to small and medium-size businesses (SMB), asserts a former Gartner analyst and vice president of Global Strategy at Ipswitch, a file transfer security company. SMBs typically don’t have the financial resources of larger firms so they’re attracted to open source programs such as osCommerce and use off-the-shelf software. “Whenever you use off-the-shelf software, you have to understand there are data issues and all types of security vulnerabilities that exist,” the analyst said. While the makers of off-the-shelf software patch programs often, he continued, the business still must invest in resources to ensure proper patch work is done. “That requires an outlay of capital that SMBs are not willing to deal with or don’t have within their margins,” the analyst said. Source:

Communications Sector

39. August 8, Boston Business Journal – (Massachusetts; New York) Verizon: Sabotage hits service in Massachusetts. Verizon Communications Inc reported no Massachusetts rate payers without service as 6,000 Bay State workers entered their second day of a strike, August 8. However, the company reported multiple incidents of sabotage in Massachusetts, including one that cut service to some customers in Tewksbury, Billerica, and possibly in other communities. “We’ve discovered a number of cables have been cut, and it’s affecting service on our networks,” a Verizon spokesman said. A spokesman for Boston’s largest local chapter of the International Brotherhood of Electrical Workers (IBEW) –- one of two Verizon unions that called the strike –- dismissed the report, saying outages are occurring due to a lack of maintenance staff during the strike. The Verizon spokesman said other than isolated incidents of vandalism, Verizon continues to “operate as usual.” He said he was not yet able to determine “several hundred” customers were affected by 7 incidents of cables cut in Billerica and Tewksbury. An incident of sabotage was also reported in the New York town of Queensbury. The strike involves 45,000 workers in the IBEW and Communications Workers of America unions, who work on cable, Internet, and phone services. Source:

40. August 8, CNET – (International) Amazon cloud outage downs Netflix, Quora. Amazon Web Services’ (AWS) cloud-computing infrastructure experienced a brief network outage August 8 that knocked offline popular sites such as Netflix, Quora, Reddit, and Foursquare. The network connectivity issues struck Amazon’s Elastic Compute Cloud (EC2) at Amazon’s northern Virginia site, which handles AWS operations for the U.S. East Coast at 7:39 p.m. PDT, and were resolved about 25 minutes later, according to the Amazon Web Services Health Dashboard. AWS is a flagship example of one facet of cloud computing, a flexible collection of online computing services that can ramp up and down according to varying needs, with customers getting a flexible infrastructure, and paying only for what they consume. At the same time, though, when a widely used service goes down, many suffer. In April, the cloud storage service experienced a 2-day outage that brought many Web site operations to a halt. Source: