Friday, January 27, 2012

Complete DHS Daily Report for January 27, 2012

Daily Report

Top Stories

• A Kentucky mine was shut down after federal inspectors found two unsecured cases of explosives near a burning pile of coal, loose coal near ignition sources, and inches-thick piles of explosive dust. – Associated Press (See item 2)

2. January 25, Associated Press – (Kentucky) MSHA shuts Ky. mine over coal fire, other hazards. A Kentucky mine was shut down after federal inspectors found two unsecured cases of explosives near a burning pile of coal, as the government issued 174 citations and 19 orders at troubled coal mines during December. The Mine Safety and Health Administration (MSHA) said January 25 it issued 32 citations and 12 orders against Coal Creek Mining LLC’s No. 2 Mine in Floyd County, Kentucky. Inspectors found a 5- by 10-foot coal pile on fire about 23 feet from two cases of explosives outside the mine and issued an imminent danger order. The key to the explosives cache was lying on top. Inspectors said they also found a 5-gallon oil bucket full of burning coal and other materials near a portal in the mine, and loose coal up to 30 inches deep under conveyor belts and near ignition sources. The mine was inadequately dusted with pulverized limestone to prevent explosions, and the MSHA said the operator also failed to use approved ventilation plans. Explosive coal dust was 2 to 4 inches deep in places. More unwarrantable failure orders were issued for inadequate hazard examinations, including on-shift conveyor belt examinations and weekly inspections of the return air course and electrical equipment. After the December inspection, the MSHA issued two more orders against Coal Creek for failing to fully correct the problems. The agency also issued 53 citations and five orders in December against Clark Mining Inc.’s No. 3 mine, and 25 citations and two orders against Bell County Coal Corp’s Jellico No. 1, both in Kentucky. Source:

• A prominent Miami businessman pleaded guilty January 25 to fraud in a $135 million real estate scheme that fleeced hundreds of investors in Florida, New York, and several South American countries. – Associated Press. See item 13 below in the Banking and Finance Sector.


Banking and Finance Sector

10. January 25, KPHO 5 Phoenix – (Arizona) Guilty plea from ‘Black Binder Bandit’. A man who confessed to a dozen bank robberies in the East Valley area of Arizona pleaded guilty in federal court January 24. The defendant faces a maximum of life in prison and a $250,000 fine. Investigators dubbed the man the “Black Binder Bandit” because he frequently carried a black binder that contained a note and sometimes a gun. He would also place the money in the binder before leaving the bank. He admitted to robbing 12 banks starting September 2, 2010, until he was arrested July 20, 2011. He said he made off with more than $49,000 in those robberies. Source:

11. January 25, St. Louis Post-Dispatch – (Missouri) St. Louis County police arrest suspect in ‘Logo Bandit’ bank robbery. A man from Mexico, Missouri, was charged January 25 in a bank robbery earlier this month blamed on a man authorities dubbed the “Logo Bandit,” police said. He was charged with robbery for the January 17 holdup of Jefferson Bank and Trust. The suspect in the Jefferson Bank robbery implied he was armed but never displayed a weapon. According to court documents, he said he went into the bank and gave a teller a note with the word “robbery” on it. Police said he kept a hand inside his jacket and implied he had a gun. He ordered the teller to give him $100 and $50 bills from the drawer and “not to attempt any funny stuff and nothing will happen.” After the teller put $3,670 on the counter, he took the money and left, court documents say. Police arrested the suspect in Richmond Heights with help from the FBI and the Richmond Heights Police Department. He could be charged in other municipalities where he is suspected in bank robberies, police said. Police and the FBI have suspected the “Logo Bandit” in at least seven other bank robberies over the past 4 months. He was given the nickname because he wore hats and sweatshirts featuring brand-name or athletic logos each time he robbed a bank. Source:

12. January 25, KOVR 13 Sacramento – (California; Nevada) ‘Fedora Bandit’ charged with 7 Northern California bank robberies. The suspect dubbed the ‘Fedora Bandit” was charged with seven counts of armed bank robbery in California January 24, a U.S. attorney announced. According to court documents, the suspect also committed the April 12, 2010 armed robbery of the Bank of the West’s Carson City, Nevada branch. He is currently in federal custody in Lompoc on a drug trafficking conviction after being stopped in a motor home in Kansas in December 2010 with more than 40 pounds of cocaine, and more than 160 pounds of marijuana. According to the FBI criminal complaint, he confessed to the bank robberies while being interviewed at the federal penitentiary January 19. He faces up to 25 years in federal prison for each armed bank robbery. The suspect, who earned the nickname because of the fedora-style hat he wore during alleged heists, made off with a reported $56,000 in cash from the California bank robberies. Source:

13. January 25, Associated Press – (Florida; New York; International) Prominent Fla. businessman guilty in $135M fraud; investors include Roman Catholic prep school. A prominent Miami businessman pleaded guilty January 25 to fraud in a $135 million real estate scheme that fleeced hundreds of investors, including the Roman Catholic prep school he once attended. He faces up to 5 years behind bars after pleading guilty to a single count of wire and mail fraud conspiracy. He also lured investors from Miami’s close-knit Cuban-American community, many of them elderly and some Roman Catholic priests. Federal prosecutors said the man operated his company, Royal West Properties Inc., like a Ponzi scheme in which he paid older investors with money raised from newer ones. The company sold real estate investments in southwest Florida since 1993, but fell on hard times beginning in 2002 and was eventually forced into bankruptcy in 2009, according to court documents. Before it crashed, Royal West promised rates of return as high as 16 percent for investors who bought properties that were marketed nationally on Spanish-language networks and through offices in Florida, New York, Colombia, Ecuador, Peru and Venezuela. The chief of the Securities and Exchange Commission field office in Miami, called it a typical “affinity” scam where the perpetrator uses a position of trust to prey on members of a specific group. In all, prosecutors said more than 150 investors lost about $47 million between 2003 and 2008. Of the total, investigators said the man and his wife skimmed about $20 million for other business ventures, to pay themselves more than $5 million in salaries, and to pay children and grandchildren $1 million in “consulting fees” even though they did no work for Royal West. He could be ordered to pay millions of dollars in restitution. Source:

14. January 25, U.S. Department of Justice – (Florida) Former executive of Miami-based ocean bank pleads guilty to participating in bribery scheme and to fliing false tax returns. A former executive of Miami-based Ocean Bank pleaded guilty January 25 in a U.S. district court in Miami to participating in a scheme to accept bribes and to failing to report the income on federal income tax returns, the Department of Justice announced. The charges against the former vice president stemmed from his accepting nearly $500,000 in cash and other items from unnamed co-conspirators in connection with his supervision of certain unnamed customer business with the bank. According to court documents, the vice president generally oversaw Ocean Bank’s lending relationships with corporate customers. The department said that beginning in or about February 2001 and continuing thereafter through on or about April 25, 2007, he accepted bribes, including payments for expensive watches, Super Bowl tickets, and other items for his personal use, as well as substantial amounts of cash. He accepted the payments intending to be rewarded and influenced in connection with his role in approving Ocean Bank’s issuance of letters of credit, loans, and overdraft privileges to co-conspirators. The court documents also show he failed to report income from the bribes for the tax years 2005, 2006 and 2007, resulting in lost tax revenue of about $91,000 to the federal government. He was charged with one count of conspiracy to solicit or demand money and other things of value to influence an employee of a financial institution and three counts of tax offenses. The conspiracy count carries a maximum sentence of 5 years in prison and a $250,000 criminal fine. The tax charges each carry a maximum sentence of 3 years in prison and $250,000 fine. Source:

Information Technology

35. January 26, – (International) Symantec advises users to turn off pcAnywhere in hack aftermath. Symantec has advised customers to take their copies of pcAnywhere offline as the company continues to struggle with the aftermath of a major data breach. The company issued a whitepaper addressing new vulnerabilities in its remote access tool that were exploited by a recently publicized attack which allowed attackers to gain access to the application’s source code. The 2006 hack was recently brought to light by an Indian hacking team that is seeking to publicly distribute the code. Symantec has now determined a major update is necessary to protect users from any flaws revealed in the compromised source code. The company is advising users of pcAnywhere 12.5 to disable the remote management tool until an update is released. If users do not take their copies of the tool offline, the company warned attackers could possibly compromise systems and perform “man-in-the-middle” attacks that could result in the theft of user credentials and other network traffic. Source:

36. January 26, Computerworld – (International) Google stirs up privacy hornet’s nest. Google announced the company is rewriting its privacy policy, consolidating user information across its services. The company, however, is not offering users an opt-out option. If a user does not want their information from Gmail, YouTube, and Google searches combined into one personal data store that can paint a detailed picture of them, the only option is to cease using Google’s services. Source:

37. January 25, Threatpost – (International) Poison Ivy variant changes benign code to malicious after download. Researchers found there are now some pieces of malware downloading not explicitly malicious pieces of code, but small bits of code benign on their face that are then transformed into malicious instructions once they are on the target machine. The code was found by Microsoft researcherst when investigating a file calling out to the site of a restaurant. They expected the file to be a standard downloader that would pull down a malicious executable hosted on the compromised server and then run that locally. Instead, the file was downloading a piece of code that did not do much at first. Further analysis showed the initial VisualBasic application was doing many things. “Once the application was run on a machine with a simulated Internet connection, it got the contents of the HTML page of the restaurant website mentioned previously. The application copied itself to the Windows system folder as ‘misys.exe’, and started keylogging, although the static analysis did not indicate this kind of functionality,” Microsoft researchers wrote in an analysis. “So the VB Application is extending its functionality dynamically by downloading and executing x86 instructions in the context of its own process. The ‘downloader’ becomes malware by executing this downloaded blob of x86 instructions. And the downloaded instructions will be not injected to a different process and not dropped to disc, they will be executed in the process context of the ‘downloader’, thus the ‘downloader’ inherits the malware functionality.” What the victim ends up is a version of the Poison Ivy backdoor. Source:

38. January 25, Softpedia – (International) Amateur programmer: SMS spoofing for malicious purposes is easy. SMS spoofing is not new, researchers having proved in 2010 for BBC’s Watchdog it could be done. While most telecommunications companies are aware of the risks, few have actually done something to prevent it. Now, an amateur programmer came forward with a simple app to prove SMS spoofing for malicious purposes is something widely available, and if measures are not taken, a lot of individuals may be exposed to cybercriminal operations. A self-described “completely amateur programmer” with less than 2 years’ experience, managed to develop a simple program that could allow anyone to launch social engineering attacks with the purpose of obtaining valuable information and maybe even money. Source:

For another story, see item 39 below in the Communications Sector

Communications Sector

39. January 26, Dark Reading – (International) Hacktivists turn to DNS hijacking. Hacktivists have added a new tactic to their arsenal: redirecting all traffic from a target company’s Web site, Dark Reading reported January 26. According to a blog written by a security expert from Internet Identity (IID), politically motivated attackers are now using DNS hijacks, which redirect all traffic from a victim’s legitimate Web site (and often all the e-mail and back-end transactions, too) to a destination of the attacker’s choosing. “A determined criminal can set up a fake look-alike destination site to dupe customers into revealing credentials or downloading malware,” the expert stated. Many companies pay little, if any, attention to securing their domain registrations, and most do not continuously monitor their DNSes to make sure they’re resolving properly around the world, making them vulnerable to attack, the blog said. “The first indication most victims have of a DNS hijack is that their website traffic slows to a trickle,” it noted. “Then they have to figure out why, and DNS is rarely the first thing they think of, which lengthens the time to mitigate the attack.” On January 22, the domain name was hijacked by a hacktivist group, IID reported. On January 23, that same group, called UGNazi, hijacked two domain names, and, belonging to luxury goods maker Coach Inc. Both Coach and UFC registered their domains at Network Solutions, IID reports. “The criminals hijacked the domains by accessing the companies’ domain management accounts at Network Solutions,” the blog stated. “It’s currently unclear how they did so. In such cases, the cause is usually weak or compromised user passwords, or a website vulnerability at the registrar.” Source:

40. January 25, KRBD 105.3 FM Ketchikan – (Alaska) KPU phone experiences outages. About 50 percent of Ketchikan Public Utilities (KPU) telecommunications customers in Alaska experienced a telephone outage January 25. At about 8:45 a.m., some KPU residential and business customers began experiencing fast busy signals, could not get a dial tone, or reached “call cannot be completed” recordings when attempting to place calls. There were periods of time when KPU customers were able to make and receive calls, only to have the call terminated. The outage also affected some cellular customers and those serviced by other phone carriers trying to call KPU customers. KPU’s Internet and TV services were not affected. The source of the outage was located in KPU’s central computerized switching network. KPU technicians worked with the manufacturer of the switching network to restore service. Service was restored to all customers at about 2 p.m. January 25. Source: