Monday, December 5, 2011

Complete DHS Daily Report for December 5, 2011

Daily Report

Top Stories

• Power restoration was slowed to 400,000 customers in California, as continuing severe winds in that state and many neighboring states closed schools and flipped dozens of semi-trucks. – United Press International (See item 1)

1. December 2, United Press International – (California; Southwest) Strong winds keep 400,000 without power. Severe winds and fallen trees slowed power restoration to 400,000 customers as abnormally high Santa Ana winds blasted the Los Angeles area a third day December 2. The winds, gusting around 60 mph, were forecast to continue through midday in Los Angeles and Ventura counties in California, after reaching 97 mph December 1, the National Weather Service said. In many cities, schools were expected to be canceled for a second day December 1 due to the fierce winds, which gusted to more than 80 mph overnight. The storm, which produced some of the strongest wind gusts in the region in more than a decade, was caused by a highly unusual weather system. The blustery conditions extended across the Southwest, including Utah, Nevada, Wyoming, Arizona, and New Mexico. In some places, wind gusts topped 100 mph. Source:

• A Baltimore County, Maryland man pleaded guilty to possessions of firearms and explosives, after police found C-4, chemicals and items used to build improvised explosive devices, and several guns in his apartment. – Baltimore Sun (See item 36)

36. December 2, Baltimore Sun – (Maryland) Baltimore County man pleads guilty to hoarding explosives. Police in Baltimore County, Maryland, who investigated a man who shot a child in the leg with a pellet gun in February found a pile of guns, ammunition, bombs, fuses, and metal pipes when they searched the man's apartment, the Baltimore Sun reported December 2. The man pleaded guilty in federal court December 1 to possession of firearms and explosives, and faces up to 20 years in prison when he is sentenced March 1. Police said they found the following items in his apartment: the BB gun used in the assault, a loaded 9mm handgun, a 12-gauge shotgun, 3 boxes of ammunition, handcuffs, brass knuckles, other BB guns and airsoft pistols, and a stun gun. Police also observed "several improvised explosive devices, including: C-4 explosive material; and a clear plastic container with gray powder and a M-800 pyrotechnic device inside, secured with a white lid with a burnt hole in the center." Authorities searched the apartment a second time and said they found "items commonly used in the production of illegal improvised explosives, including, among other things: containers of potassium nitrate and potassium chlorate, smokeless shotgun powder, model rocket igniters and motors, pool chemicals, various fuse materials, PVC and metal pipe of varying lengths and pipe fittings." Source:


Banking and Finance Sector

9. December 2, WYMT 12 Hazard – (Kentucky; Tennessee) Police: 'Bad Hair Bandit' strikes again. Police said a man came into the L&N Credit Union inside a Walmart in Williamsburg, Kentucky and robbed it at gunpoint December 1. Now, police think the so-called "Bad Hair Bandit" is responsible, a man already tied to six bank robberies in Kentucky, and Tennessee. Police said the suspect showed a semi-automatic weapon and walked away with an undisclosed amount of money. Since June, the "Bad Hair Bandit" has hit two banks in Barbourville, two in Tennessee, one in McCreary County, and one in Corbin. A police assistant chief said the department had guarded against a possible strike by the "Bad Hair Bandit," at other locations, but did not expect the suspect to target this bank inside a busy Walmart store. "This was high risk with several people around," he said. Source:

10. December 1, U.S. Securities and Exchange Commission – (National) SEC charges multiple hedge fund managers with fraud in inquiry targeting suspicious investment returns. As part of an initiative to combat hedge fund fraud by identifying abnormal investment performance, the Securities and Exchange Commission (SEC) December 1 announced enforcement actions against three separate advisory firms and six individuals for various misconduct, including improper use of fund assets, fraudulent valuations, and misrepresenting fund returns. In particular, the SEC alleges the firms and managers engaged in a wide variety of illegal practices in the management of hedge funds or private pooled investment vehicles, including fraudulent valuation of portfolio holdings, misuse of fund assets, and misrepresentations to investors about critical attributes such as performance, assets, liquidity, investment strategy, valuation procedures, and conflicts of interest. In one case, the SEC charged two individuals for engaging in a fraudulent scheme to overvalue the reported returns and net asset value of the Millennium Global Emerging Credit Fund. The complaint alleges the fund’s former portfolio manager schemed with two European-based brokers to inflate the fund’s reported monthly returns and net asset value by manipulating its supposedly independent valuation process. The scheme caused the fund to drastically overvalue security holdings by as much as $163 million in August 2008. By overstating the fund’s returns and overall net asset value, the manager was able to attract at least $410 million in new investments, deter about $230 million in eligible redemptions, and generate millions of dollars in inflated management and performance fees. The other actions were brought against ThinkStrategy Capital Management and its sole director, Solaris Management LLC and its owner, and LeadDog Capital Markets LLC and its general partners and owners. Source:

11. December 1, U.S. Securities and Exchange Commission – (National) SEC, U.S. attorney and FBI announce 13 charged in connection with securities kickback schemes. The Securities and Exchange Commission (SEC), U.S. Attorney for the District of Massachusetts, and FBI December 1 announced parallel cases filed in federal court against many corporate officers, lawyers, and a stock promoter alleging they used kickbacks and other schemes to trigger investments in various thinly traded stocks. The case charged 13 defendants who engaged in criminal activity in the midst of an undercover FBI operation. According to the charges, the schemes involved secret kickbacks to an investment fund representative in exchange for having the fund buy stock in certain companies; the kickbacks were to be concealed through the use of sham consulting agreements. What the insiders and promoters did not know was the purported investment fund representative was actually an undercover agent. The defendants include two individuals who were in the business of finding capital for emerging companies. The civil case names some of the individuals who were charged criminally, and the SEC also issued trading suspensions in the stocks of many of the companies involved. The charges follow a year-long investigation focusing on preventing fraud in micro-cap stock markets. The SEC suspended trading in seven microcap firms: 1st Global Financial Inc., Augrid Global Holdings Corp., ComCam International, Inc., MicroHoldings US, Inc., Outfront Companies, Symbollon Corp./Symbollon Pharmaceuticals, Inc., and ZipGlobal Holdings Inc. MicroHoldings and ZipGlobal are also charged civilly by the SEC with fraud. The SEC also filed civil charges of securities fraud against four of the defendants alleging they defrauded investors through the use of kickbacks in financing transactions. Source:

12. December 1, Miami Herald – (Florida) Two more Scott Rothstein associates charged in massive scam. Two employees of a convicted Ponzi schemer's Fort Lauderdale, Florida law firm were charged December 1 with offenses related to his $1.2 billion investment scam that collapsed 2 years ago, according to the U.S. attorney’s office. One employee was charged in federal court with conspiring with the Ponzi schemer by falsifying the law firm’s trust account records that it held at Toronto Dominion Bank. The second employee was charged with conspiring with the head of the firm and other employees in an election scheme to donate more than $1 million to a presidential campaign and Republican political committees in 2008. The charges against the two administrative assistants bring the total number of employees and others prosecuted in the massive scheme to eight, including the head of the firm. He is serving a 50-year sentence on racketeering, fraud, and money-laundering convictions. Source:

For another story, see item 34 below in the Information Technology Sector

Information Technology

30. December 2, IDG News Service – (International) Yahoo Messenger flaw enables spamming through other people's status messages. An unpatched Yahoo Messenger vulnerability that allows attackers to change people's status messages and possibly perform other unauthorized actions can be exploited to spam malicious links to a large number of users, IDG News Service reported December 2. The vulnerability was discovered in the wild by security researchers from antivirus vendor BitDefender while investigating a customer's report about unusual Yahoo Messenger behavior. The flaw appears to be located in the application's file transfer API (application programming interface) and allows attackers to send malformed requests that result in the execution of commands without any interaction from victims. Source:

31. December 2, Softpedia – (International) Cutwail botnet expands via Facebook notification spam. Security experts noticed the botnet known as Pushdo or Cutwail, that has been making rounds since 2007, is now launching a spam campaign in search of new devices to infect, Softpedia reported December 2. Airline ticket orders, ACH alerts, Facebook notifications, or even e-mails that claim to represent scanned documents can actually hide malicious links that redirect users to malware hosted on various Web locations, M86 Security Labs reported. The most dangerous variant is the one that replicates a Facebook friend request. The e-mail only contains the name of a user and two links, Confirm Friend Request, and See all Requests. When one of the links is selected, the victim is taken to a rogue Web site that hosts malicious code. The phony messages that claim an airplane ticket was purchased using the recipient’s credit card are also utilized in this spam campaign. Again, when the More details link is clicked, the user is taken to another malevolent site. The number of malicious sites is very large and security solutions providers have a hard time making sure their products block all of them. In some cases, the sites may even be legitimate, but forcefully taken over by the cybercriminals and plagued with the same pieces of malware. None of the e-mails contains attachments. Instead, they all contain a link that points to a malware infested site. Source:

32. December 1, Computerworld – (International) AT&T, Sprint confirm use of Carrier IQ software on handsets. AT&T, Sprint, HTC, and Samsung confirmed December 1 their mobile phones integrate a controversial piece of tracking software from a company called Carrier IQ. Wireless carriers AT&T and Sprint insisted the software is being used solely to improve wireless network performance, while phone makers HTC and Samsung said they were integrating the software into their handsets only because their carrier customers were asking for it. Meanwhile, several large carriers and handset makers, including Verizon, Research In Motion, and Nokia, distanced themselves from the software and insisted that reports about their devices integrating the tool are false. The controversy began the week of November 21 when an independent security researcher published a report disclosing how Carrier IQ's software could be used by carriers and device makers to conduct surreptitious and highly intrusive tracking of Android and other smartphone users. Source:

33. December 1, Infosecurity – (International) One-quarter of firms hit by cybercrime, survey finds. Nearly a quarter of organizations around the world were victims of cybercrime in the last 12 months, according to PricewaterhouseCooper’s (PwC) 2011 Global Economic Crime Survey. Cybercrime now ranks as one of the top four economic crimes, according to the survey. The perception of cybercrime as a predominantly external threat is changing, and organizations are now recognizing the risk of cybercrime coming from inside as well. PwC surveyed 3,877 respondents from 78 countries for its annual economic crime survey. The director of PwC’s UK cyber and information security practice noted that 40 percent of the organizations surveyed cited damage to reputation as a major concern from cybercrime, and this concern is triggering increased spending on preventative measures. Respondents said the IT department was the most likely source of cybercrime internally. IT was cited by 53 percent of respondents, followed by operations (39 percent), sales and marketing (34 percent), and finance (33 percent). While half of all respondents noted increased awareness of the cybercrime threat, the majority of respondents said they do not have a cybercrime crisis response plan in place or are not aware of having one. Sixty percent said their organization does not monitor social media sites. Source:

34. November 30, Infosecurity – (International) Trusteer warns that cybercriminals are moving into fresh one-stop crime areas. Research published November 30 by Trusteer claims to show cybercriminals have widened the services they provide as a one-stop-shop to third-party fraudsters. According to the in-browser security specialist’s chief technology officer, these one-stop shops are where criminals can buy everything they need to meet demand from fraudsters. Trusteer has come across a new fraud group that — as well as offering infection services for prices between 0.5 and 4.5 cents for each upload, depending on geography — also provides polymorphic encryption, and AV checkers. This new one-stop-shop approach for malicious services, he asserts, is a natural evolution of the market: if the customers need to infect, then they also need to evade AV. For polymorphic encryption of malware, he said, the fraudsters are charging from $25 to $50 — and for prevention of malware detection by anti-virus systems (AV checking) they charge $20 for 1 week, and $100 for 1 month of service. The chief technology officer said it is now a buyer’s market, with his firm’s research operation having also come across advertisements published by prospective buyers of infection services. The ad, he noted, basically presets the buying price, how it is charged, and the scope of the service, with the advertiser only paying for unique uploads, with the price calculations being conducted according to the advertiser's own Black Hole exploit kit stats module. In addition, Trusteer said the advertiser will pay in advance to the sellers with recommendations, that is, those that have 1-10 "fresh" forum messages, otherwise the sellers are paid afterwards. Source:

Communications Sector

35. December 1, – (California) Metal thieves take KVCR-TV off the air. A metal theft at a Riverside County, California mountaintop antenna site knocked KVCR 24 San Bernadino off the air until repairs are completed. The theft was the second incident since the weekend of November 26 and 27. Both thefts hit the station’s remote-controlled transmitter on Box Springs Mountain that overlooks Moreno Valley, and the San Bernardino Valley. The station president said December 1, "The cost of the repairs will exceed รข€¦ $20,000," and added, 'We hope to be back up by this evening." The initial theft damaged three air conditioners and a transmitter cooling system that was not in use. The station was able to continue broadcasting after the first incident. But in the November 30 incident, the thieves damaged the remaining cooling system for the TV transmitter, which caused an automatic shutdown to prevent major transmitter damage. "They had to have a big truck the second time, because they took the coolant assembly. It’s like a (vehicle) radiator, and it’s full of copper tubing," the station president said. The KVCR site is protected primarily by a locked gate across the access road. There was no obvious damage to the gate or the locks, he said. But many people have access to the mountaintop because it also serves as an antenna site for Riverside County government agencies and several broadcast companies, he said. KVCR has almost 1 million viewers and its antenna shoots a broadcast signal as far as Catalina Island. The thefts did not affect KVCR’s FM radio station, nor its six microwave dishes also located at the site. "We’ll have a security system in place before the weekend is out," the station president said. He also said it would include surveillance cameras. Source:

For another story, see item 32 above in the Information Technology Sector