Thursday, October 6, 2011

Complete DHS Daily Report for October 6, 2011

Daily Report

Top Stories

• The Veterans Affairs department may have issued more than 157,000 identification credentials without authenticating the identity of the individuals who received them, a new report found. – Federal Computer Week (See item 28)

28. October 4, Federal Computer Week – (National) VA errors compromise identity verification credentials. The U.S. Veterans Affairs department (VA) may have issued more than 157,000 personal identification credentials without authenticating the identity of the individuals who received them, according to a new report from the Office of Inspector General. Overall, the VA may have issued at least 147,000 credentials without determining whether applicants are known or suspected terrorists, and presented genuine and unaltered identity source documents, the assistant inspector general wrote in a September 30 report. Also, VA may have issued at least 5,100 credentials without verifying applicants’ background investigations, and 5,600 credentials where staff circumvented separation of duty control requirements. The assistant inspector general for audits and evaluations recommended the department immediately direct the VA Enrollment Centers to stop issuing new credentials until the control deficiencies are addressed. VA officials said they had taken immediate action to mitigate the risks uncovered in the report by reviewing the questionable credentials. The assistant inspector general estimated the cost to correct the deficiencies at approximately $6.7 million, and said costs would continue to increase if additional credentials were issued. Source:

• Authorities were searching door to door the afternoon of October 5 in a neighborhood about 5 miles from a Cupertino, California quarry where a gunman killed two and wounded six that morning. – Associated Press (See item 44)

44. October 5, Associated Press – (California) Manhunt after 2 die in Calif. workplace shooting. Authorities were searching door to door with guns drawn in a neighborhood about 5 miles from the Cupertino, California quarry where a gunman killed two and wounded six at a morning meeting October 5. Schools were on lockdown or closed in Cupertino as SWAT teams sought the 47-year-old suspect. He also is suspected of wounding a woman in an attempted carjacking in Cupertino more than 2 hours later. A Santa Clara County sheriff’s lieutenant said the suspect was at the routine safety meeting at 4:30 a.m., became disgruntled and left. He said he then returned with a 9 mm handgun and a rifle and started shooting people. In the early afternoon October 5, authorities were searching the quarry for possible victims. About 15 workers were evacuated and being kept at a safe location. The suspect is a San Jose resident who was a truck operator at the Permanente Cement Plant, and also produced and hosted a public access television show for CreaTV in San Jose. After leaving the quarry, the suspect attempted a carjacking at a nearby Hewlett-Packard parking lot, shooting a female driver in the leg. He did not get the car from her. Three of the victims were taken to Santa Clara Valley Medical Center, including the woman shot in the carjacking, a hospital spokeswoman said. One victim was treated and released, while the other two were in fair condition, she said. In nearby Sunnyvale, another injured person was found in a parking lot, reported KNTV 11 San Jose, but it was not clear if that was connected to the workplace shooting. The suspect is described as African American, 5’11’’, and 260 pounds, with numerous tattoos, according to KNTV. Permanente Cement Plant, owned by Lehigh Hanson, Inc., is a limestone and aggregate mining operation and cement plant. Source:


Banking and Finance Sector

10. October 5, Help Net Security – (International) SpyEye Trojan hijacks mobile SMS security for online fraud. A stealth new attack carried out by the SpyEye Trojan circumvents mobile SMS security measures implemented by many banks, Help Net Security reported October 5. Using captured code, Trusteer found a two-step, Web-based attack that allows fraudsters to change the mobile phone number in a victim’s online banking account and reroute SMS confirmation codes used to verify online transactions. This attack, when successful, enables the thieves to make transactions on the user’s account and confirm them without the user’s knowledge. In the first step of the attack, SpyEye steals online banking log-in details. This allows fraudsters to access the account without raising red flags. In the second step, SpyEye changes the victim’s phone number of record in the online application to one of several random, attacker-controlled numbers. To complete the operation, the attacker needs the confirmation code sent by the bank to the customer’s original phone number. To steal this code, SpyEye injects a fraudulent page in the customer’s browser that appears to be from the online banking application. The fake page purports to introduce a new security system “required” by the bank and for which customers must register. The page explains the customer will be assigned a unique telephone number and will receive a special SIM card via mail. Next, the user is told to enter the confirmation number they receive on their mobile telephone into the fake Web page to complete the registration process for the new security system. This allows the criminals to steal the confirmation code they need to authorize changing the customer’s mobile number. Now the fraudsters can receive all future SMS transaction verification codes for the hijacked account via their own telephone network. 
This latest SpyEye configuration shows that out-of-band authentication (OOBA) systems, including SMS-based solutions, are not fool-proof. Using a combination of man-in-the-browser injection technology and social engineering, fraudsters can bypass OOBA, and buy themselves more time since the transactions have been verified. Source:
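The two-step attack above depends on the bank trusting SMS codes sent to a phone number that was changed only minutes earlier. One server-side control a bank can apply is to treat a freshly changed number of record as untrusted for a cooling period and step up verification through the previous number. The following is an added example written for this report, not code from Trusteer or any bank; the event shapes, field names and the 72-hour threshold are assumptions.

```javascript
// Added example: flag transfers confirmed via a phone number that was changed
// shortly before the transfer. Event fields and the threshold are assumptions.

const COOLING_HOURS = 72; // assumed policy: a new number is untrusted for 3 days

// Most recent phone-change event on the account at or before `atTime`, or null.
function lastPhoneChangeBefore(events, atTime) {
  return events
    .filter(e => e.type === "phone_change" && e.time <= atTime)
    .sort((a, b) => b.time - a.time)[0] || null;
}

// Decide whether an SMS-confirmed transfer may rely on the current number.
// Returns { action: "allow" | "step_up", reason, fallbackPhone? }.
function assessTransfer(events, transfer) {
  const change = lastPhoneChangeBefore(events, transfer.time);
  if (!change) return { action: "allow", reason: "no phone change on record" };
  const ageHours = (transfer.time - change.time) / 3600000;
  if (ageHours >= COOLING_HOURS) {
    return { action: "allow", reason: "phone change outside cooling window" };
  }
  // The number of record changed inside the window: a code sent to it proves
  // nothing. Confirm out of band via the previous number (or a branch call).
  return {
    action: "step_up",
    reason: `phone changed ${ageHours.toFixed(1)}h before transfer`,
    fallbackPhone: change.oldPhone,
  };
}

// Constructed sample event log for one account (times are epoch milliseconds).
const T0 = Date.UTC(2011, 9, 5, 9, 0, 0); // 2011-10-05 09:00 UTC
const sampleEvents = [
  { type: "login", time: T0 },
  { type: "phone_change", time: T0 + 5 * 60000,
    oldPhone: "+15550100", newPhone: "+15550199" },
];
const sampleTransfer = { type: "transfer", time: T0 + 30 * 60000,
                         amount: 4200, confirmedVia: "+15550199" };

// Runs the constructed scenario: a transfer 25 minutes after the number change.
function demo() {
  return assessTransfer(sampleEvents, sampleTransfer);
}
```

The same rule generalizes to e-mail or address changes: any change to the channel that carries the confirmation code should not be allowed to vouch for itself.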

11. October 4, Reuters – (International) Banks losing ground on card security. U.S. banks are losing ground in the battle to combat credit and debit card fraud, a new report shows, underscoring the growing threat thieves and hackers pose for the financial system. Globally, security is improving in the payment industry, according to data released the week of October 3 by the Nilson Report, a California trade publication. For every $100 worth of credit and debit card transactions in 2010, 4.46 cents were lost to fraud worldwide, down from 4.71 cents in 2009. But many of the security gains were at banks in Europe and Asia, which have adopted stricter security procedures such as issuing cards with computerized chips to help verify purchases, said the publisher of the Nilson Report. Meanwhile, U.S. banks and merchants have balked at the expense of conversion. As a result, fraud in the United States accounted for 47 percent of global fraud losses last year — up from about 46.5 percent in 2009, and 44 percent in the middle of the last decade, he said. Total fraud losses worldwide were $7.6 billion in 2010, up 10 percent from 2009, the report found. Source:

12. October 4, Associated Press – (New York; International) NY attorney general files suit claiming currency exchange fraud by Mellon, seeking $2 billion. New York’s Attorney General (AG) sued Bank of New York Mellon (BNY Mellon) for $2 billion October 4, claiming it earned that amount over 10 years by defrauding clients in foreign currency exchange transactions. According to the AG’s office, BNY Mellon misrepresented rates it would give currency transactions, providing nearly the worst rates of the trading day instead of the best. The case began with a 2009 whistle-blower complaint followed by an investigation. Clients include public pension funds. New York City joined in the lawsuit. On the same day, the U.S. Attorney for the Southern District of New York also announced it had filed a civil fraud lawsuit in Manhattan federal court against the bank, alleging BNY Mellon engaged in a scheme to defraud custodial clients who used the bank’s foreign exchange services from at least 2000 to the present. The suit seeks injunctive relief and hundreds of millions of dollars in civil penalties under the Institutional Reform, Recovery and Enforcement Act of 1989, according to the U.S. attorney’s office. Source:

13. October 4, KREM 2 Spokane – (Northwest) Bad hair bandit admits to 20 bank robberies. Court documents, newly filed October 4, said the “Bad Hair Bandit” admitted to almost all of the 21 bank robberies she is accused of committing throughout the Northwest. The bandit was arrested in California in August. She previously worked as a nurse at the Kootenai County Jail, and she and her husband are from Hayden, Idaho. Federal investigators said she robbed 21 banks while wearing different wigs as disguises. They said the string of robberies began in December 2010 at a U.S. Bank in Tacoma, Washington. Investigators said the woman and her husband then hit banks in Spokane and Moses Lake. She was caught in California during a traffic stop after another bank robbery. Authorities said she had $8,000 in her car, and bystanders took down the make and model of her car as well as partial plate numbers. She has admitted involvement with at least 20 of the robberies. In total, investigators said the couple stole almost $49,000. She is charged by the criminal complaint filed in Sacramento, California. Her first court appearance in U.S. district court has not yet been set. Source:

14. October 4, WCTI 12 New Bern – (North Carolina) Two Bank of America bomb threats within 15 minutes. Two Bank of America branches reported bomb threats within 15 minutes of each other October 3, according to Greenville, North Carolina, police case reports. A police report showed the first bomb threat was reported at 11:10 a.m. from the Bank of America on 1908 S.E. Greenville Boulevard. A second bomb threat was reported at 11:24 a.m. from the Bank of America on 2000 Stantonsburg Road, according to another report. Both bomb threats, which are felonies in North Carolina, turned out to be false, stated the reports. They list the first threat as “inactive”, while the second one is listed as still under investigation. Source:

Information Technology Sector

37. October 5, H Security – (International) Chrome 14 update brings Flash 11, closes security holes. Google has released version 14.0.835.202 of Chrome, a maintenance and security update for all supported platforms. This stable channel update includes the new Flash Player 11 release and addresses a total of 9 vulnerabilities. Rated as “critical” by Google, a memory corruption problem has been fixed in the shader translator. Other holes closed include eight “high-risk” bugs ranging from a use-after-free error in text line box handling and stale fonts in text handling, to a cross-origin problem, lifetime and threading issues in audio-node handling, and use-after-free and memory corruption exploits in V8, the browser’s JavaScript engine. However, Google’s fix for the SSL/TLS vulnerability has yet to make it from the development version to the stable branch. Source:

38. October 5, H Security – (International) Firefox and SeaMonkey users warned to disable McAfee ScriptScan. A major incompatibility between Mozilla’s browsers Firefox and SeaMonkey, and McAfee’s ScriptScan plug-in has caused “a high volume of crashes,” according to Mozilla. The problem first came to light in September, when members of the McAfee forum began reporting problems with version 14.4.0 of ScriptScan, a tool that checks Web pages, as they are loaded into the browser, for malicious code. This is the first time since July that Mozilla has found it necessary to block a plug-in. All versions of Firefox and SeaMonkey are affected by the problem, as are all current versions of McAfee ScriptScan. Mozilla recommends ScriptScan users disable the browser plug-in. The issue only affects version 7 of the browsers, according to a McAfee spokesperson. Source:

39. October 4, H Security – (International) Cisco patch day closes critical vulnerabilities. Cisco has published 10 security advisories as part of its bi-annual patch day. The advisories resolve a number of security vulnerabilities. The most serious vulnerability (CVSS 10) addressed was in Catalyst switches running the company’s IOS network operating system software. A bug in the Smart Install remote maintenance feature allowed remote attackers to execute arbitrary code on affected switches. The other advisories fix denial-of-service vulnerabilities in IOS, Unified Communications Manager, and 1000 series routers. Cisco has released updates that fix these vulnerabilities; workarounds exist for some of the problems. Cisco has also fixed the backdoor vulnerability in its Identity Services Engine identity-management software. Source:

40. October 4, IDG News Service – (International) XSS Web attacks could live forever, researcher warns. Web sites that accidentally distribute rogue code could find it harder to undo the damage if attackers exploit widespread browser support for HTML5 local storage, and an increasing tendency for heavy users of Web apps never to close their browsers. If browsers do not provide a mechanism for Web sites to recover from certain cross-site scripting attacks, the attacks could become invincible and the site at the origin of the attack remain compromised indefinitely, a vulnerability researcher and Google security engineer warned October 1. The scope of client-side programming languages such as JavaScript within browsers is limited by a critical security concept known as the same-origin policy. This prevents scripts running on certain Web pages from interfering with Web sites opened in separate tabs or windows. In the case of cross-site scripting (XSS), attackers manage to insert rogue JavaScript code in targeted pages, where it is then executed in the context of their origin, defined by the domain, the protocol, and the port number. JavaScript is very powerful and is used in most Web-based attacks. Despite this, browsers do not currently provide a mechanism to invalidate such code, something that would provide compromised Web sites with a way to request a clean slate once they had resolved the problem. A normal response to XSS attacks is to patch the vulnerability, invalidate session cookies so that everyone is forced to re-authenticate, and optionally force a password change. But this is not enough, because, according to the researcher, once compromised a Web origin can stay tainted indefinitely. Source:
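Because browsers offer no way for an origin to ask for a clean slate, the only lever a compromised site has after patching is its own code: the server can publish a storage "epoch" that it bumps after an incident, and the site's boot script wipes any client-side storage written under an older epoch. The following is an added example written for this report, not code from the researcher or from any browser vendor; the epoch value, the reserved key name and the in-memory stand-in for the Web Storage API are assumptions.

```javascript
// Added example: site-side "clean slate" for HTML5 local storage after an XSS
// incident. The reserved key and the storage shape are assumptions.

const EPOCH_KEY = "__site_epoch"; // assumed reserved key holding the last seen epoch

// storage: any object with getItem/setItem/removeItem/clear/key/length
// (window.localStorage or window.sessionStorage in a real browser).
// serverEpoch: value the server currently publishes, e.g. in a response header.
function reconcileStorage(storage, serverEpoch) {
  const seen = storage.getItem(EPOCH_KEY);
  if (seen === String(serverEpoch)) return { wiped: false, removed: 0 };
  // Storage predates the current epoch: drop everything, including any value
  // that earlier injected script may have cached for later re-execution.
  const removed = storage.length;
  storage.clear();
  storage.setItem(EPOCH_KEY, String(serverEpoch));
  return { wiped: true, removed };
}

// Minimal in-memory stand-in for the Web Storage API so this runs outside a browser.
function memoryStorage(initial = {}) {
  const data = new Map(Object.entries(initial));
  return {
    get length() { return data.size; },
    getItem: k => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
    removeItem: k => { data.delete(k); },
    clear: () => { data.clear(); },
    key: i => [...data.keys()][i] ?? null,
  };
}

// Constructed scenario: storage was last written under epoch 3; after the
// incident the server now publishes epoch 4, so the first load wipes and the
// next load is a no-op.
function demo() {
  const storage = memoryStorage({
    __site_epoch: "3",
    prefs: "{\"theme\":\"dark\"}",
    stale: "constructed placeholder for a value left behind before the incident",
  });
  const first = reconcileStorage(storage, 4);
  const second = reconcileStorage(storage, 4);
  return { first, second, left: storage.length };
}
```

This only helps when the site's own script runs before anything an earlier injection left behind; a persisted payload that executes first can simply skip or undo the wipe, which is exactly the gap the researcher says a browser-level mechanism would have to close.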

41. October 4, The Register – (International) Facebook to scrub itself clean of filthy malware links. Facebook has recruited Websense to scan its social network for links to malicious sites. Scammers are increasingly using Facebook as a means to drive traffic towards malware and exploit portals or Internet scam sites. In response, Facebook is tapping Websense for technology that will analyze the jump-off points to links. Cloud-based technology will assign a security classification to sites, presenting users with a warning if the location is considered dangerous. This warning page will explain why a site might be considered malicious. Users can still proceed, at their own risk, to potentially dodgy sites. Before, individual users had the option to add additional security filtering apps, such as Bitdefender Safego, to their profiles as a means to scan for spam and malicious links. Facebook is now offering this type of technology by default as an extension of its previous relationship with Websense. Source:

42. October 4, The Register – (International) Check your machines for malware, Linux developers told. Following a series of intrusions that hit the servers used to maintain and distribute the Linux operating system, project elders have advised all developers to check their Linux machines for signs of compromise. E-mails sent September 30 by the Linux kernel’s lead developers arrived as volunteers with the open-source project worked to bring the sites back online following attacks that gained root access to the multiple servers that host them. Among other things, project leaders are requiring all developers to regenerate the cryptographic keys used to upload source code to the site, and to ensure their systems are free of rootkits and other types of malware. Source:

For another story see item 10 above in the Banking and Finance Sector

Communications Sector

See items 10 above in the Banking and Finance Sector and 41 above in the Information Technology Sector