Friday, April 13, 2012

Complete DHS Daily Report for April 13, 2012

Daily Report

Top Stories

The financial services industry saw nearly triple the number of distributed denial-of-service attacks during the first 3 months of 2012 compared to the same period in 2011, a new report found. – IDG News Service. See item 19 below in the Banking and Finance Sector

A multistate outbreak of Salmonella Bareilly expanded to include at least 116 victims across 20 states, according to new data. – Food Safety News

28. April 12, Food Safety News – (National) Outbreak potentially linked to sushi expands to 116 cases. A multistate outbreak of Salmonella Bareilly that previously sickened 100 expanded to include at least 116 victims across 20 states, according to new data from the Centers for Disease Control and Prevention (CDC). In this latest outbreak report, released April 11, CDC reported, “The investigation has not conclusively identified a food source,” however evidence suggests sushi may be the contaminated product. Cases are largely centered in states on the Eastern Seaboard and the Gulf of Mexico, but also extend to the Midwest. The number of sickened individuals in each state is as follows: Alabama (2), Arkansas (1), Connecticut (5), District of Columbia (2), Florida (1), Georgia (5), Illinois (10), Louisiana (2), Maryland (11), Massachusetts (8), Mississippi (1), Missouri (2), New Jersey (7), New York (24), North Carolina (2), Pennsylvania (5), Rhode Island (5), South Carolina (3), Texas (3), Virginia (5), and Wisconsin (12). Among those infected, 12 are reported to have been hospitalized. Illnesses related to the outbreak were first reported January 28, and current case counts are accurate as of March 31. Source:

The Food and Drug Administration called on drug companies to help limit the use of antibiotics in farm animals, a decades-old practice scientists say contributed to a surge in dangerous, drug-resistant bacteria. – Associated Press

39. April 12, Associated Press – (National) Animal antibiotics: FDA asks drug companies to limit overuse amid health concerns. April 11, the U.S. Food and Drug Administration (FDA) called on drug companies to help limit the use of antibiotics in farm animals, a decades-old practice that scientists say contributed to a surge in dangerous, drug-resistant bacteria. Antibiotic drugs like penicillin are routinely mixed with animal feed and water to help livestock, pigs, and chickens put on weight and stay healthy in crowded feeding lots. Scientists warned such use leads to the growth of antibiotic-resistant germs that can be passed on to humans. Under the new FDA guidelines, the agency recommends antibiotics be used “judiciously,” or only when necessary to keep animals healthy. It also wants to require a veterinarian to prescribe the drugs. They can currently be purchased over-the-counter by farmers. The draft recommendations by the FDA are not binding, and the agency is asking drug manufacturers to voluntarily put the proposed limits in place. Drug companies would need to adjust the labeling of their antibiotics to remove so-called production uses of the drugs. Production uses include increased weight gain and accelerated growth, which helps farmers save money by reducing feed costs. The FDA hopes drugmakers will phase out language promoting non-medical uses within 3 years. Source:

A fire atop English Mountain, in Sevierville, Tennessee, that destroyed four dozen condominiums was being fought with a helicopter ferrying loads of water. – Knoxville News Sentinel

57. April 11, Knoxville News Sentinel – (Tennessee) Officials dousing English Mountain fire with water from helicopter. A fire atop English Mountain, in Sevierville, Tennessee, which started April 10 and destroyed four dozen condominiums was being fought with a helicopter ferrying loads of water from local ponds and lakes. As of April 11, 48 condos reduced to ashes in Sevier County continued to smolder due to hot embers under the debris. Firefighters also remained on scene in the event anticipated would kick up remaining embers and turn them into flames. The fire appeared to be spreading northeast into Cocke County, a public information officer for the Sevierville Police Department said, but no homes were in imminent danger. Source:


Banking and Finance Sector

14. April 12, Help Net Security – (International) HSBC customers under phishing attack. Customers of HSBC, one of the largest banking and financial services organizations in the world, are being targeted with a fake warning of account suspension, Help Net Security reported April 12. The e-mail claims someone tried to access the user’s account and failed, and that the bank suspended the account to protect the customer. Unfortunately, the offered link takes the victims to a phishing site made to look like the bank’s legitimate Internet banking log-in page, where they are asked to input their user ID, name, date of birth, Social Security number, sort code, account number, and ATM PIN code to prove their identity. Once the information is submitted by pressing on the “Continue” button, it is immediately sent to the phishers and the victims are redirected to the bank’s legitimate page. Source:

15. April 12, Chicago Sun-Times – (Illinois; International) International crew busted looting Chicago ATMs with stolen info. Two suspects were busted earlier the week of April 9 after Chase Bank tipped police to suspicious activity at ATMs in the Chicago area. Authorities say they suspect the men are part of a Romanian financial-crime cell — one of a few dozen such cells looting ATMs in Chicago and draining customers’ bank accounts with an elaborate rip-off system. First, the crews steal personal banking information from ATM customers by secretly attaching a “skimmer” to ATM machines. The crews also hide a camera near the ATM to catch the customer keying in a password. Using that data, the crews create duplicate debit cards and “cash-out” guys fan out to ATMs to withdraw the maximum amount allowed on each card. Some of the alleged “cash-out” guys got nabbed April 9, police said. The men, who are Romanian, were charged with felony identity fraud. So far, 16 victims have been identified and $7,000 recovered from the men, prosecutors said. But sources said the theft total could reach $50,000 based on cash recovered from a vehicle the men were riding in. Sources said Chicago police officers seized more than 200 gift cards converted to debit cards. Source:

16. April 12, Financial Industry Regulatory Authority – (National) Goldman, Sachs & Co. fined $22 million for supervisory failures relating to trading and equity research. The Financial Industry Regulatory Authority (FINRA) announced April 12 that it has fined Goldman, Sachs & Co. $22 million for failing to supervise equity research analyst communications with traders and clients and for failing to adequately monitor trading in advance of published research changes to detect and prevent possible information breaches by its research analysts. The U.S. Securities and Exchange Commission (SEC) also announced a related settlement with Goldman. Pursuant to the settlements, Goldman will pay $11 million each to FINRA and the SEC. In 2006, Goldman established a business process known as “trading huddles” to allow research analysts to meet on a weekly basis to share trading ideas with traders, who interfaced with clients, and, on occasion, equity salespersons. Analysts would also discuss specific securities during huddles while they were considering changing the published research rating or the conviction list status of the security. Clients were not restricted from participating directly in the trading huddles and had access to huddle data through research analysts’ calls to certain of the firm’s high priority clients. These calls included discussions of the analysts’ “most interesting and actionable ideas.” Trading huddles created the significant risk analysts would disclose material non-public information, including, among other things, previews of ratings changes or changes to conviction list status. Despite this risk, Goldman did not have adequate controls in place to monitor communications in trading huddles and by analysts after the huddles. Source:

17. April 12, U.S. Securities and Exchange Commission – (National) SEC charges Ponzi schemer targeting church congregations. The U.S. Securities and Exchange Commission (SEC) charged a man April 12 with running a Ponzi scheme that targeted socially-conscious investors in church congregations nationwide. The SEC alleges the man made numerous false statements to lure investors into two investment programs being offered through City Capital Corporation, where he was the chief executive officer (CEO). The SEC also charged City Capital and its former chief operating officer. According to the complaint, the man cultivated an image of a highly successful and socially conscious entrepreneur and promoted investments through live presentations, Internet advertisements, and radio ads. The SEC alleges the CEO and City Capital offered two primary investments: promissory notes supposedly funding various small firms, and interests in “sweepstakes” machines. In addition to promising high rates of return, he assured investors he had a long track record of success and that funds would be used to support businesses in economically disadvantaged areas. A portion of profits were to go to charity. According to the complaint, more than $11 million the CEO and City Capital raised from hundreds of investors nationwide from 2008 to 2010 was instead used to operate a Ponzi scheme. Money was misused to pay other investors, finance personal expenses, and fund City Capital’s payroll, rent, and other costs. City Capital’s business ventures were unprofitable, and no meaningful amounts of investor money were ever sent to charities. Source:

18. April 12, Reuters – (New York) Novelty grenade prompts bomb scare near New York’s ‘Ground Zero’. A novelty hand grenade briefly prompted the evacuation of one of the buildings near the site where New York City’s World Trade Center towers stood until they were brought down in the September 11th attacks, police said April 12. The evacuation of 2 World Financial Center in Manhattan was triggered around 11 a.m. after an X-ray of a package at the building appeared to reveal an explosive device inside, a New York City Police Department (NYPD) spokesman said. It was actually a novelty hand grenade on a plaque that read “complaint department, pull the pin” that had been sent to one of the tenants, Nomura Holdings, the NYPD spokesman said. Police have given the all-clear, allowing employees to return to the building, which houses a number of financial services firms. Source:

19. April 11, IDG News Service – (International) DDOS attacks on financial services firms explode. The financial services industry saw nearly triple the number of distributed denial-of-service (DDoS) attacks during the first 3 months of 2012 compared to the same period in 2011, according to a report released April 11. The new data comes from security vendor Prolexic, which counts 10 of the world’s major banks as clients for its DDoS mitigation services. In its report, the company said DDoS attacks also rose in intensity, with increases in bandwidth and packet-per-second rates. The average attack bandwidth rose from 5.2G bits per second (bps) in the last 3 months of 2011 to 6.1G bps in the first quarter of 2012. However, the average attack length dropped from 34 hours to 28.5 hours, Prolexic said. “The reduction in attack campaign duration, combined with an increase in mitigated bytes and packets, indicates that attackers are using shorter, stronger bursts of traffic to conduct DDoS campaigns,” the company said. More than 70 percent of the malicious attack traffic came from China. Source:

20. April 11, Worthington Daily Globe – (Minnesota) Jackson woman faces embezzlement charge in U.S. district court. A former banker charged with allegedly embezzling more than $100,000 while employed as the retail operations manager at United Prairie Bank of Mankato, in Jackson, Minnesota, is scheduled to make her first appearance in federal court the week of April 16. Court documents state between January 2005 and August 2011, the former manager, with intent to defraud United Prairie Bank, willfully misapplied and embezzled the sum of approximately $108,039. She allegedly took funds from customer accounts for her personal use, and used some of the money to pay down a loan balance for a family member. Because bank deposits are insured by the Federal Deposit Insurance Corporation, the case will be handled through the federal court system. The court will pursue forfeiture of any property, real or personal, which was derived from proceeds traceable to the embezzled funds. Source:

21. April 11, Biloxi Sun Herald – (Mississippi; Louisiana; Texas) 2 women indicted in armed bank robbery in Gulfport. Court papers show a retired postal worker from Texas is accused of threatening to shoot a Gulfport, Mississippi bank teller in the face March 26 in what officials believe to be the last of a mother-daughter crime spree at four banks in three states, the Biloxi-Gulfport Sun Herald reported April 11. They were also being held on warrants from Texas and Louisiana. A state charge filed by Gulfport police alleged the mother wore a disguise when she robbed a Regions Bank at gunpoint with a demand note, and threatened to shoot a teller in the face if she didn’t give her money. She allegedly left the bank with $12,651 and fled in a getaway car driven by her daughter. The pair have been held since their arrests minutes after the holdup. The woman’s alleged disguise appears to fit a pattern in other robberies. The women are suspected in similar holdups February 13 at an Iberia Bank in Kinder, Louisiana, February 29 at a Citizens National Bank in Henderson, Texas, and March 15 at a MidSouth Bank in Sulphur, Louisiana. Source:

22. April 11, Federal Bureau of Investigation – (New York) Three mortgage loan officers plead guilty in Manhattan federal court to orchestrating $9 million mortgage fraud scheme. Three mortgage loan officers each pleaded guilty April 11 in New York City for their roles in a $9 million mortgage fraud scheme, a U.S. attorney announced. According to the indictment, the men, along with nine other individuals, engaged in an illegal scheme to defraud various lending institutions by using fictitious and fraudulent “straw identities” to apply for mortgage loans. Through the scheme, the defendants were able to obtain more than $9 million in mortgage loans for the purchase of dozens of residential properties throughout the New York City metropolitan area and Long Island. Most of these loans quickly went into default. The men each acted as loan officers who processed the fraudulent mortgage applications. Source:

Information Technology

48. April 12, Help Net Security – (International) Trojanized Angry Birds offered for download. The extreme popularity of Rovio’s Angry Birds mobile game has made it and its special editions ideal for luring unsuspecting users into downloading malware. A trojanized version of the latest addition — Angry Birds Space — has recently been spotted by Sophos researchers being offered on a number of unofficial Android app stores. Users who download it may not even realize that they have downloaded a malicious app, as the packet appears to be a fully-functional version of the game, and the name and the icon of the app correspond with the ones used by the legitimate app. However, the bundled GingerBreak exploit works in the background to gain root access to the device and to use it to download and install additional malware from a remote Web site. The compromised device is then at the mercy of the criminals behind the malware and is now effectively part of a botnet. The criminals can force the device to download any additional packet they want or make the browser go to any Web page they choose. Source:

49. April 12, H Security – (International) Python updates for hash collision DoS problems. The Python developers released updates for Python 2.7 and 3.2 with changes that address several security issues. These include two fixes for hash collision problems which were brought into the spotlight at the Chaos Communications Congress (28C3) in December 2011. The flaw allows attackers to create key/value data crafted so the hashes for the keys are more likely to collide. This forces the system to spend much more time when creating key/value hash tables and can be used in a denial-of-service (DoS) attack. The issue is avoided by using a randomized hash function, which has now been implemented in the four currently supported versions of Python. One fix corrects Python’s own hashing, while another fix corrects the same issue in the C-based Expat XML parsing library embedded in Python. An unrelated DoS issue in the Simple XML-RPC Server with Python, where excessive CPU could be consumed if requests were begun but the connection closed before the request body was completely sent, was also fixed. Finally, a countermeasure against the CBC IV attacks on SSL 3.0 and TLS 1.0 which was incorporated into OpenSSL was turned back on in Python, after it was found the coders inadvertently disabled the countermeasure when setting options. Source:

50. April 12, Help Net Security – (International) 0-day in Backtrack Linux found, patched. A zero-day vulnerability affecting the last version of Backtrack Linux was spotted by a student during an Ethical Hacking class organized by the InfoSec Institute. The discovery was made public on InfoSec’s Web site and detailed by the student himself, who said the Wireless Interface Connection Daemon (WICD) Backtrack component has several design flaws that can be misused to execute a privilege escalation exploit. “Improper sanitization of the inputs in the WICD’s DBUS interfaces allows an attacker to (semi)arbitrarily write configuration options in WICD’s ‘wireless-settings.conf’ file, including but not limited to defining scripts (executables actually) to execute upon various internal events (for instance upon connecting to a wireless network),” he explained. “These scripts execute as the root user, this leads to arbitrary code/command execution by an attacker with access to the WICD DBUS interface as the root user.” The student and the InfoSec team immediately started working on a proof-of-concept exploit and the patch for the vulnerability, all of which is provided on the group’s site. Backtrack is a Linux distribution popular with penetration testers all over the world because it comes preloaded with hundreds of useful security tools. The vulnerability affects the latest version — Backtrack 5 R2. Users can use the patch offered by the group or update WICD to the new version (1.7.2) which fixes the vulnerability. Source:

51. April 12, H Security – (International) Security vulnerability in NVIDIA’s proprietary Linux drivers fixed. A new version of NVIDIA’s proprietary UNIX graphics drivers for Linux, Solaris, and FreeBSD fixes a security vulnerability (CVE-2012-0946) that allowed attackers to read and write arbitrary system memory in order to, for example, obtain root privileges. To take advantage of the vulnerability, an attacker must have access permission for some device files — which, for systems with these drivers, is typically the case for users who can launch a graphical interface, as 3D acceleration and some other features cannot be used otherwise. Version 295.40 of the driver corrects this problem. For older drivers whose version numbers start with 195, 256 to 285, or 290 to 295, NVIDIA made patches available that change the vulnerable part of the kernel module belonging to the driver. Users who update the driver with this patch and use the CUDA debugger will also need to update the CUDA library before the debugger can work again. NVIDIA categorized the security hole as “high risk” and recommends users update to the new version if they use the drivers with GeForce 8, G80 Quadro graphics cards, or newer models from those lines. The company has not confirmed whether the problem also exists for older graphics card models or legacy drivers (such as the 173 line). Source:

52. April 10, Help Net Security – (International) Fake account verification email phishes for Google credentials. Google users are being targeted with e-mails purportedly coming from the Google Team confirming a bogus recovery e-mail update. Hosted on a compromised Web site, the destination is a page made to look like Gmail’s login page, set up to harvest the users’ login credentials for their Gmail, and consequently, for all their other Google accounts. Source:

For more stories, see items 14 and 19 above in the Banking and Finance Sector

Communications Sector

53. April 11, KTVM 6 Butte – (Montana) Update on KTVM technical issues. KTVM 6 Butte, Montana, updated its viewers April 11 on some of the technical problems the station had been experiencing with its on-air signal. Several major power outages took the Green Mountain transmitters off the air. The transmitter was damaged, and the station has been working to repair it over the last few weeks. It has now been repaired and KTVM was back up to normal operations as of April 11. Source:

54. April 11, Portland Oregonian – (Oregon) Phone service out for almost 1,000 in Washington County. A telephone outage April 11 left 990 phone lines in Washington County, Oregon, without service. The carrier, Frontier Communications, was working to restore service. The cause of the outage was equipment failure, said a spokesman for the Washington County Consolidated Communications Agency. He said those without service who needed to call 9-1-1 were advised to use a wireless phone. As of the afternoon of April 11, there was no word on what time service would be restored. Source: