Friday, January 20, 2012

Complete DHS Daily Report for January 20, 2012

Daily Report

Top Stories

• U.S. prosecutors arrested a Chinese computer programmer January 18 on charges that he stole software code valued at nearly $10 million from the Federal Reserve Bank of New York. – Reuters (See item 19)

• A researcher found multiple denial of service vulnerabilities in Rockwell Automation’s FactoryTalk supervisory control and data acquisition product, the Industrial Control Systems Cyber Emergency Response Team announced. – Infosecurity. See item 45 below in the Information Technology Sector

Details

Banking and Finance Sector

12. January 19, Associated Press – (Connecticut) Naugatuck man pleads guilty to mortgage fraud scheme over a decade, costing lenders $7 million. A Naugatuck, Connecticut man has pleaded guilty to charges of participating in a mortgage fraud scheme that lasted a decade and cost lenders $7 million, the Associated Press reported January 19. A U.S. attorney said the man and two New York residents obtained fraudulent mortgages to buy more than 40 multi-family properties in Bridgeport. Authorities said the loan applications contained false information about the buyers’ finances and property ownership, and false documents such as letters from fictitious employers, earnings statements, and fraudulent bank records. The man pleaded guilty January 18 in federal court in Hartford to conspiracy to commit wire fraud and conspiracy to commit money laundering. He faces a maximum prison term of 40 years. The two New York residents have pleaded guilty to the same charges and await sentencing. Source: http://www.therepublic.com/view/story/b59831244a104c399800d9d7d2fbb97a/CT--Mortgage-Fraud-Plea/

13. January 18, Help Net Security – (International) Bogus Western Union notice leads to phishing. A fake Western Union notice is hitting inboxes around the world and scaring people into following the offered link to a phishing page, Help Net Security reported January 18. “Failure in updating your profile will result in limiting your account access,” the spam e-mail says, signed by an “IT Assistant.” Users who fall for the trick are taken to a log-in page mimicking the Western Union one. Once they have entered the log-in credentials and pressed the “Sign In” button, they are asked to share information such as date of birth and answers to typical security questions such as their mother’s maiden name or favorite pet’s name. According to Hoax-Slayer: “Once they have this information, the scammers can then login to the victim’s real Western Union account and use it for nefarious purposes such as money laundering. The scammers may be able to use the stolen ‘Test Question’ details to collect payments without having the user’s proper identification documents.” Once the victims have done all that has been asked of them, they are redirected to the legitimate Western Union page. Source: http://www.net-security.org/secworld.php?id=12237

14. January 18, Venice Patch – (California) ‘Explosives Threat’ Bandit linked to robbery of Venice bank. The so-called “Explosives Threat” bandit has been linked to a January 17 robbery of a Chase Bank in Venice, California, authorities said January 18. He also hit a bank January 17 in the Palms area, a spokeswoman for the FBI’s Los Angeles field office said. The robber, who is wanted for multiple heists in Los Angeles County, got his name because he leaves a device in the bank that requires a bomb squad response to render it safe, she said. In a December 2011 press release, the FBI said the robber stuck up a Bank of America November 15 in West Covina and a Bank of America November 28 in West Hollywood. The suspect has left a device made up of electronic components and wiring during each robbery and stated someone outside the bank would detonate it. The suspect made an oral demand and handed a note to the teller in both robberies and demanded as much as $20,000 in cash, the December release said. The FBI said the suspect’s notes indicated he had a friend monitoring a police frequency outside the bank and he would make a call telling his friend to “press a button”, and one note said once his friend was contacted the “establishment will not exist,” the release said. Source: http://venice.patch.com/articles/explosives-threat-bandit-linked-to-robbery-of-venice-bank

15. January 18, Chicago Tribune – (Illinois) FBI searches for bank robber dubbed ‘Wicker Park Bandit’. The FBI is asking for help identifying a man dubbed the “Wicker Park Bandit” who officials believe was responsible for at least seven bank robberies on Chicago’s north side, the Chicago Tribune reported January 18. In all of the robberies, the man entered the bank and approached a teller with a handwritten demand note, the FBI said. The most recent robbery took place January 16 at a North Community Bank branch, officials said. The same robber was also suspected of hitting two other North Community Bank branches January 9 and January 6, officials said. On December 13, the bandit made off with an undisclosed amount of money from the Chase Bank, then later robbed another Chase branch December 30. On December 22, the bandit traveled to the Uptown neighborhood and robbed a PNC Bank branch, officials said. Source: http://articles.chicagotribune.com/2012-01-18/news/chi-fbi-searches-for-bank-robber-dubbed-wicker-park-bandit-20120118_1_fbi-searches-wicker-park-bandit-chase-bank

16. January 18, Huffington Post – (National) Municipal securities market lacks oversight, says GAO. Government oversight of the $3.7 trillion market for municipal securities, wracked by several high-profile cases of fraud and bid-rigging, is inadequate, according to a report by the Government Accountability Office (GAO) released January 17. The securities, used by state and local governments to finance transportation projects and the construction of housing, hospitals, and schools, have been the subject of a 5-year federal investigation into the reinvestment of proceeds of municipal bond sales. The Securities and Exchange Commission (SEC) enforces the rules written by two self-regulatory organizations with oversight of the market — the Municipal Securities Rulemaking Board (MSRB) and the Financial Industry Regulatory Authority (FINRA). But because of huge staff cuts at the SEC inspection arm — from 62 inspectors in 2005 to 38 in 2011 — it has checked neither the MSRB nor FINRA’s fixed-income surveillance programs since 2005. The SEC’s last inspection “predated the financial crisis — and its ensuing volatility in the municipal market,” the report says. Without such oversight, “the SEC may be unable to identify and act on regulatory problems in a timely manner.” The SEC recently began to look at FINRA’s program, including municipal trade reporting and markup reviews. It has not begun a fresh review of the MSRB. In addition, the report found the market favors institutional investors over individuals with better information and prices. Source: http://www.huffingtonpost.com/2012/01/18/municipal-securities-mark_n_1214418.html

17. January 18, Bloomberg – (New Jersey) Ex-Columbus Hill Capital CFO admits embezzling $10.4 million. The former chief financial officer (CFO) of Columbus Hill Capital Management LP, an investment management firm based in Short Hills, New Jersey, pleaded guilty January 18 to embezzling more than $10.4 million. He admitted in federal court in Newark he created a phony account to collect deposits he stole from the company. The CFO, who pleaded guilty to wire fraud and tax evasion, agreed to forfeit the entire amount he stole. He faces as many as 20 years in prison on the fraud charge, and 5 years on the tax evasion count. Source: http://www.businessweek.com/news/2012-01-18/ex-columbus-hill-capital-cfo-admits-embezzling-10-4-million.html

18. January 18, Bloomberg – (Florida) TD Bank loses $67 million verdict over Rothstein fraud role. Toronto-Dominion Bank (TD Bank) January 18 lost a $67 million jury verdict over claims it helped a disbarred Florida attorney who admitted running a $1.2 billion Ponzi scheme, by telling victims their money was safe as he depleted accounts. A jury in federal court in Miami returned the verdict in a lawsuit brought by Coquina Investments, based in Corpus Christi, Texas. Coquina’s lawyer January 17 urged the jury to award $32 million in compensatory damages, and $140 million in punitive damages. The January 18 verdict was for $32 million in compensatory damages and $35 million in punitive damages. In its complaint, Coquina said officers of the bank “played an active role in the scheme and facilitated its continued existence” by meeting with victims to create the appearance of a legitimate enterprise. While operating the fraud, the lawyer told his victims they were buying stakes in settlements of cases about which his Fort Lauderdale, Florida law firm, Rothstein Rosenfeldt Adler PA, had amassed evidence and confronted potential defendants in sexual and employment discrimination cases. The settlements were fictional, as were the cases. He used the bank to make payments to investors that supposedly came from settlements, and to provide documents “to conceal the truth from the investors, to keep the investors and encourage them to re-invest, and to attract additional investors,” according to the complaint. Investors regularly met with the bank’s vice president, contributing to the “aura of legitimacy,” Coquina said. The bank is facing three other suits by groups of investors claiming it helped keep the fraud afloat by providing the lawyer with documents he used to convince investors their money was safe and could be disbursed only to him, when he actually was siphoning money out of accounts. Source: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2012/01/18/bloomberg_articlesLY09PI6JTSE801-LY0ED.DTL

19. January 18, Reuters – (New York; National) U.S. charges Chinese man with NY Fed software theft. U.S. prosecutors arrested a Chinese computer programmer January 18 on charges that he stole software code valued at nearly $10 million from the Federal Reserve Bank of New York. The man was a contract programmer. He was accused of illegally copying software to an external hard drive, according to a criminal complaint filed in U.S. district court in Manhattan. Authorities said the software, owned by the U.S. Treasury Department, cost about $9.5 million to develop. A New York Fed spokesman said in a statement the bank immediately investigated the breach when it was uncovered and promptly notified authorities. The programmer was charged with one count of stealing U.S. government property, which carries a maximum 10-year prison term. The complaint, signed by an FBI agent, said the man admitted to copying the code onto a drive and taking it home. He told investigators he took the code “for private use and in order to ensure that it was available to him in the event that he lost his job,” the complaint said. While U.S. intelligence officials have become increasingly worried about economic espionage, cybercrime experts said the case appeared to be one of simple theft. The programmer was hired as a contract employee in May by an unnamed technology consulting company used by the Fed to work on its computers, the complaint said. The code, called the Government-wide Accounting and Reporting Program (GWA), was developed to track the billions the U.S. government transfers daily. The GWA provides federal agencies with a statement of their account balance, the complaint said. Investigators uncovered the suspected breach only after one of the programmer’s colleagues told a supervisor the programmer had claimed to have lost a hard drive containing the code, the complaint said. Source: http://www.reuters.com/article/2012/01/19/us-nyfed-theft-idUSTRE80H27L20120119

20. January 17, St. Louis Post-Dispatch – (Missouri) SEC alleges Clayton-based Acartha Group CEO committed fraud. The Securities and Exchange Commission (SEC) has alleged that Clayton, Missouri-based Acartha Group and its owner fraudulently used $9.1 million in investor funds over several years for the owner’s personal use. The SEC filed a federal lawsuit in a St. Louis court January 17 detailing its fraud charges against Acartha, its owner, MIC VII LLC, Acartha Technology Partners LP (ATP), and Gryphon Investments III LLC. The owner is the chief executive officer (CEO) and chairman of Acartha Group, a private equity fund management company. MIC VII and ATP are private equity funds, and Gryphon is a general partner of ATP. The CEO and the related investment entities raised $88 million from 97 investors from 2003 until last year, according to the SEC’s complaint. However, without the investors’ knowledge, the CEO misappropriated more than $9 million for his personal use, including to pay alimony, buy luxury automobiles, lease a private airplane and helicopter, and take expensive vacations, the SEC alleged. Source: http://www.stltoday.com/business/local/sec-alleges-acartha-group-ceo-committed-fraud/article_0f00cb42-412d-11e1-bfbe-001a4bcf6878.html

Information Technology

43. January 19, H Security – (International) Koobface C&C goes silent after alleged controllers exposed. The Koobface network is apparently down, according to Facebook. A Facebook security official told Reuters the company’s decision to expose the five men alleged to be behind the malware had an effect within 24 hours: “The thing that we are most excited about is that the botnet is down.” On January 18, Facebook decided to publish the names of alleged gang members based on details of research carried out in 2009-2010 by two German researchers. One of the researchers works for the security company Sophos. A Sophos researcher told H Security the command and control servers are not down; they just have not sent out any new commands since 08:40 GMT January 17. “Now they just reply with 404 errors,” he said. He did note, though, that the five men identified by the investigation “appear to have been busy deleting their social networking accounts.” Source: http://www.h-online.com/security/news/item/Koobface-C-C-goes-silent-after-alleged-controllers-exposed-1416869.html

44. January 19, Softpedia – (International) Scanned documents from Xerox devices hide Blackhole exploit kits. The malicious technique in which cybercriminals send e-mails pretending to come from a scanner inside an office building has been seen again, targeting the e-mail accounts of company staff members. This time, an e-mail bearing the subject “Re: Scan from a Xerox W. Pro #XXXXXXX” informs the recipient that a document was sent to her from a Xerox device, Websense reports. Confused users, who may not know an employee named MAMIE who sent the e-mail, might rush to click on the link that allegedly points to five image files. Instead, once clicked, the link redirects the user to a Web site that hosts the malevolent Blackhole exploit kit. Hiding in an iframe, the kit looks for vulnerable software and, once it finds it, executes shellcode that triggers the download and execution of other pieces of malware. More than 3,000 of these messages have been discovered so far, but since this variant of the Blackhole kit is more advanced, allowing cybercriminals to tweak the malware, the number may increase. Blackhole is often rented by users, and this latest version offers many improvements, such as administration options for smartphones, and an option for the kit to utilize underground audio and video scanners for malware. Source: http://news.softpedia.com/news/Scanned-Documents-from-Xerox-Devices-Hide-Blackhole-Exploit-Kits-247417.shtml

45. January 18, Infosecurity – (International) SCADA-logical: DoS vulnerabilities in Rockwell Automation FactoryTalk disclosed. A researcher uncovered multiple denial of service (DoS) vulnerabilities in Rockwell Automation’s FactoryTalk supervisory control and data acquisition (SCADA) product, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced January 17. The vulnerabilities are exploitable by sending specially crafted packets to the server, which can result in a DoS attack, according to an ICS-CERT advisory. According to a company brochure, the FactoryTalk product extends the Rockwell Integrated Architecture by providing an information tier of software applications and services for production and performance management. Integration with the Rockwell Logix control platform, as well as connectivity to third-party and legacy systems, enables FactoryTalk to deliver high-fidelity data flow across the enterprise. ICS-CERT said it notified Rockwell about the vulnerabilities, which were disclosed by the researcher without coordination with ICS-CERT or the vendor. As it has in past advisories, ICS-CERT recommends users take the following defensive measures to minimize the risk of exploitation of these vulnerabilities: minimize network exposure for all control system devices; locate control system networks and devices behind firewalls and isolate them from the business network; and if remote access is required, employ secure methods, such as virtual private networks. Source: http://www.infosecurity-magazine.com/view/23317/

46. January 18, TechEye – (International) Oracle database has huge flaw. Oracle’s flagship database software has a major flaw that could create serious outages. The hole was found by InfoWorld journalists. It came about because of a collection of problems within the database. Normally, when bugs result in a database outage, the system can be recovered from backups. However, these flaws create such a problem that it will take a long time to fix. Oracle said the problem is real and it is spending considerable time and money to fix it. The company released a fix as part of its Oracle Critical Patch Update for January 2012. While any unpatched Oracle Database customer is vulnerable to malicious attack, the flaw is a special risk to large customers with interconnected databases. The flaws exist in a mechanism deep in the database engine, one most Oracle database administrators seldom see, called the System Change Number (SCN). This is a number that increments sequentially with every database commit (inserts, updates, and deletes), and it is crucial to normal Oracle database operation. Oracle knew the SCN needed to be a massive number, so it used a 48-bit number. It should take a very long time for an Oracle database to exceed that number of transactions and fail. However, the limit that matters in practice is worked out from a point in time 24 years ago: a database is not expected to exceed the number of transactions it would have accumulated had it been running constantly since January 1, 1988, processing 16,384 transactions per second. There are many flaws that can force a database to go over this number, and hackers could exploit it. Source: http://news.techeye.net/security/oracle-database-has-huge-flaw
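The SCN headroom arithmetic the item describes, worked through as an added example (constructed for this digest, not Oracle code or the article's). It assumes the ceiling grows at 16,384 SCNs per second from January 1, 1988 UTC, that 2^48 - 1 is the hard limit, and that databases joined by a database link converge on the highest SCN among them; the fleet of SCN values is made up.

```python
"""SCN headroom arithmetic (constructed illustration, not Oracle code).

Assumptions: the allowed SCN ceiling grows at 16,384 per second from 1988-01-01
UTC, the hard limit is 48 bits, and databases that communicate over a database
link adopt the highest SCN among them."""
from datetime import datetime, timezone

SCN_EPOCH = datetime(1988, 1, 1, tzinfo=timezone.utc)   # start of the SCN clock
SCNS_PER_SECOND = 16_384                                 # ceiling growth rate
HARD_LIMIT = 2 ** 48 - 1                                 # largest 48-bit SCN
REPORT_DATE = datetime(2012, 1, 20, tzinfo=timezone.utc) # date of this digest


def soft_ceiling(at: datetime) -> int:
    """Highest SCN a database is expected to have reached by time `at`."""
    elapsed = int((at - SCN_EPOCH).total_seconds())
    return min(elapsed * SCNS_PER_SECOND, HARD_LIMIT)


def headroom(scn: int, at: datetime) -> int:
    """SCNs remaining before `scn` reaches the ceiling (negative if already past)."""
    return soft_ceiling(at) - scn


def seconds_until_exhausted(scn: int, at: datetime, commit_rate: float) -> float:
    """Seconds until a database issuing `commit_rate` SCNs/second catches the
    ceiling. The ceiling itself advances at 16,384/s, so a slower database never
    catches it; a faster one closes the gap at the difference of the two rates."""
    gap = headroom(scn, at)
    if gap <= 0:
        return 0.0
    if commit_rate <= SCNS_PER_SECOND:
        return float("inf")
    return gap / (commit_rate - SCNS_PER_SECOND)


def sync_over_links(scns: dict) -> dict:
    """Linked databases converge on the highest SCN, so one inflated SCN erodes
    the headroom of every database it is linked to (assumed behaviour)."""
    highest = max(scns.values())
    return {name: highest for name in scns}


if __name__ == "__main__":
    # Constructed fleet: one database has a badly inflated SCN.
    fleet = {"erp": 5_000_000_000_000, "crm": 12_000_000_000_000, "dw": 6_000_000_000}
    print("soft ceiling:", soft_ceiling(REPORT_DATE), "hard limit:", HARD_LIMIT)
    for name, scn in sync_over_links(fleet).items():
        print(name, "headroom after link sync:", headroom(scn, REPORT_DATE))
```

The soft ceiling on the report date is only a few percent of the 48-bit hard limit, which is the gap the item describes.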

47. January 18, CNET News – (International) McAfee to plug ‘spammer’ hole this week. McAfee plans to release a fix soon for a bug in its SaaS for Total Protection anti-malware service that scammers were using to distribute spam, the company said January 18. The problem came to light after McAfee customers reported in blog posts and forum sites that spammers were using a hole in McAfee’s RumorServer relay service to secretly send spam from their machines. The customers said they noticed the problem after their e-mails were blocked by e-mail providers, and their IP addresses appeared on blacklists. The problem is isolated to the SaaS Total Protection service, according to the director of security research at McAfee Labs. There is no evidence that any customer data has been lost or compromised as a result of the problem, he said. “The patch will be released on January 18 or 19, as soon as we have finished testing,” he wrote. “Because this is a managed product, all affected customers will automatically receive the patch when it is released.” There are two issues with the software. One vulnerability could allow an attacker to misuse an ActiveX control to execute code on the victim’s computer. The second one, which is the issue the customers complained about, allows an attacker to misuse the “open relay” technology in the software. Source: http://news.cnet.com/8301-1009_3-57361542-83/mcafee-to-plug-spammer-hole-this-week/

For another story, see item 19 in the Banking and Finance Sector

Communications Sector

48. January 19, StateCollege.com – (Pennsylvania) WTAJ transmitting again after earlier equipment failure. WTAJ 32 Altoona, Pennsylvania, was transmitting again January 19 at least via local cable systems. The station posted online links to a few programs that viewers may have missed during an outage on the evening of January 18. A technical problem kicked the station off the air January 18, WTAJ reported on its Web site. It referred to the problem as an equipment failure. Source: http://www.statecollege.com/news/local-news/update-wtaj-transmitting-again-after-earlier-equipment-failure-985021/

For more stories, see item 43 above in the Information Technology Sector