Tuesday, May 15, 2012

Complete DHS Daily Report for May 15, 2012

Daily Report

Top Stories

• Three former General Electric Co. bankers were convicted May 11 of defrauding cities and the U.S. Internal Revenue Service in a bid-rigging scheme involving hundreds of millions of dollars in municipal bonds. – Bloomberg See item 10 below in the Banking and Finance Sector

• Police arrested three high school students accused of setting a massive fire that destroyed part of a high school in Woodburn, Oregon. – Associated Press

38. May 12, Associated Press – (Oregon) Fire damages Oregon high school. Three Oregon high school students, accused of setting a fire that destroyed part of Woodburn High School in Woodburn, May 11, were arrested, police said. The three were arrested for investigation of first-degree arson, reckless burning, and reckless endangering, a police sergeant said. Students and staff members evacuated the 1,400-student high school May 11 as fire crews responded. As many as 60 firefighters from a dozen agencies fought the blaze, a Woodburn Fire District official said. Source: http://www.registerguard.com/web/newslocalnews/28058612-41/fire-students-woodburn-friday-police.html.csp

• DHS issued a bulletin May 10 warning about a previously undisclosed, critical vulnerability in Movicon 11, software used to manage machines used in the manufacturing, energy, and water sectors. – Threatpost See item 52 below in the Information Technology Sector

• Sheriff’s detectives in Fresno County, California, arrested a man they believe is responsible for stealing miles of phone wire that caused phone service to cut out for many customers. – KSFN 30 Fresno See item 54 below in the Communications Sector

• Authorities were trying to trace the source of a food-borne outbreak that sickened up to 150 people who attended a party and food fair at a Buddhist monastery in Carmel, New York. – Melville Newsday

56. May 14, Melville Newsday – (New York) Chuang Yen Monastery illnesses might be linked to rice balls. Law enforcement and health investigators were trying to trace the source of a food-borne outbreak that sickened dozens of people who attended a Mother’s Day garden party and food fair at a Buddhist monastery in Carmel, New York, May 13. Sticky rice balls were suspected as a possible culprit, a Town of Kent police detective said May 14. About 700 people, most of them arriving on tour buses from New York City, came to the annual event where dishes were prepared by volunteers, a spokeswoman for the Chuang Yen Monastery said. An official with the Putnam County Bureau of Emergency Services said about 150 people overall became sick and about 80 of those had boarded buses to go shopping at an outlet. The detective said his department confirmed fewer than 30 sick, but he said the number could go as high as 150 or more. The Chuang Yen Monastery will be working with health officials on the investigation, the spokeswoman said. Though an estimated 100 people went to hospitals in 3 counties, there were no reports of patients who remained overnight. Source: http://newyork.newsday.com/news/health/chuang-yen-monastery-illnesses-might-be-linked-to-rice-balls-1.3716379

• Seven businesses in downtown Mariposa, California, burned to the ground the weekend of May 12 in a fire that caused about $1 million in structural damage. – Bellingham Herald

60. May 12, Bellingham Herald – (California) Fire destroys 7 downtown businesses in historic Mariposa, Calif. Seven businesses in downtown Mariposa, California, burned to the ground the weekend of May 12. The fire caused an estimated $1 million in structural damage. “This is probably the most devastating fire they’ve had in Mariposa in over 30 years,” the CalFire battalion chief said. A pizza parlor was packed May 11 when the fire began. By May 12, nothing was left of the pizza parlor or the adjacent businesses. California Highway 140 was detoured around the fire May 11, and that stretch of highway was not reopened until May 12. About 75 firefighters from Mariposa, Madera, and Merced counties and CalFire teamed to stop the flames from spreading to the nearby Mariposa Christian Fellowship Church or elsewhere. All of the destroyed businesses were in an approximately 9,000-square-foot building. The one- and two-story building had a full basement and attic, making the fire tough to extinguish. Source: http://www.bellinghamherald.com/2012/05/12/2519769/fire-destroys-7-downtown-businesses.html

• Firefighters battled several wildfires in Arizona, May 14, including one that was human-caused, more than 4.5 square miles in size, and forced residents from their homes. – Associated Press

61. May 14, Associated Press – (Arizona) Northern AZ wildfire grows, prompts evacuations. Firefighters battled a growing wildfire May 14 in northern Arizona that forced residents from their homes in a historic mining town. The fire in Crown King began on private land May 13 and grew to more than 4.5 square miles, destroying two buildings and one trailer, said a Prescott National Forest spokeswoman. The fire started at a “structure” and was human-caused, she said. The area remained under a mandatory evacuation order, though a Yavapai County sheriff’s spokesman said in a news release that most of the town’s 350 residents chose to stay in the community of mostly summer homes. The American Red Cross reported five evacuees at a shelter in Mayer. Five wildfires in the State charred more than 9 square miles by late May 13. Billowing smoke from the fire and another one to the west near Crown King could be seen in Phoenix, more than 50 miles south. The fire overtook part of Crown King Road, making the road to the town inaccessible, a sheriff’s office statement said. The State’s other large fire, in an area 120 miles east of Phoenix, was spotted in Tonto National Forest, where it burned about 4 square miles. That blaze was about 20 miles south of Payson, a gateway town to mountains popular among Arizona campers. The fire was moving northeast toward a wilderness area, a Tonto National Forest spokesman said. Crews were also at a blaze believed to be sparked by lightning on the Fort Apache Indian Reservation in eastern Arizona, which charred more than 480 acres. Source: http://www.foxnews.com/us/2012/05/14/arizona-wildfires-keeping-crews-busy/


Banking and Finance Sector

7. May 14, Krebs on Security – (National) Global Payments Breach fueled prepaid card fraud. Debit card accounts stolen in a recent hacker break-in at card processor Global Payments were showing up in fraud incidents at retailers in Las Vegas and elsewhere, according to officials from one bank impacted by the fraud. At the beginning of March, Danbury, Connecticut-based Union Savings Bank (USB) began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued. When the bank determined the facility where the purchases took place was a customer of Global Payments, it contacted Visa to alert the card association of a possible breach, according to USB’s chief risk officer. That is when USB heard from a fraud investigator at Vons, a grocery chain in southern California and Nevada. According to the chief risk officer, the investigator said the fraudsters were coming to the stores to buy low-denomination prepaid cards, and then encoding debit card accounts issued by USB onto them. The thieves then used those cards to purchase additional prepaid cards with much higher values. The risk officer said Visa alerted USB that about 1,000 debit accounts it issued were compromised in the Global Payments breach — including the dozen or so card accounts that initially prompted USB to investigate. USB officials said the bank suffered about $75,000 in fraudulent charges, and that it has so far spent close to $10,000 reissuing customer cards. Source: http://krebsonsecurity.com/2012/05/global-payments-breach-fueled-prepaid-card-fraud/

8. May 14, WMC 5 Memphis – (Tennessee) 1,000 phony money orders land women in jail. Narcotics officers were called to investigate a suspicious package at a FedEx facility in Cordova, Tennessee, the week of May 7, but investigators did not find drugs when they opened the package. Instead, deputies with the Shelby County Sheriff’s Office Narcotics Unit found almost 1,000 counterfeit U.S. Postal Service money orders in the package. Each money order was written for $870, for a total of more than $835,000. Investigators delivered the package to a home and arrested the woman who accepted the package. However, she was not the woman who the package was addressed to, but she agreed to arrange for another woman to pick up the counterfeit money orders. Shortly after she picked up the package, the second woman was arrested during a traffic stop. Deputies said they also found stolen mail, credit cards, and state ID’s inside the house. Both women have been charged with criminal simulation, identity theft, and forgery. Source: http://cordova.wmctv.com/news/news/74851-1000-phony-money-orders-land-women-jail

9. May 14, U.S. Securities and Exchange Commission – (National) SEC microcap fraud-fighting initiative expels 379 dormant shell companies to protect investors from potential scams. The U.S. Securities and Exchange Commission (SEC) May 14 suspended trading in the securities of 379 dormant companies before they could be hijacked by fraudsters and used to harm investors through reverse mergers or pump-and-dump schemes. The trading suspension marks the most companies ever suspended in a single day by the agency as it ramps up its crackdown against fraud involving microcap shell companies that are dormant and delinquent in public disclosures. An initiative tabbed Operation Shell-Expel by the SEC’s Microcap Fraud Working Group used various agency resources, including the enhanced intelligence technology of the Enforcement Division’s Office of Market Intelligence to scrutinize microcap stocks in markets nationwide and identify clearly dormant shell companies in 32 states and 6 foreign countries that were ripe for fraud. The existence of empty shell companies can be a financial boon to stock manipulators who will pay as much as $750,000 to assume control of the firm to pump and dump the stock for illegal proceeds to the detriment of investors. Source: http://www.sec.gov/news/press/2012/2012-91.htm

10. May 12, Bloomberg – (National) Ex-GE bankers convicted of municipal bond bid-rig scheme. Three former General Electric Co. (GE) bankers were convicted of defrauding cities and the U.S. Internal Revenue Service in a bid-rigging scheme involving municipal bonds. The three were found guilty by a federal jury in New York City May 11 of conspiracy to commit fraud by manipulating auctions for municipal bond investment contracts. The government claimed from August 1999 to November 2006 the men gave kickbacks to brokers hired by local governments to solicit bids, to win auctions, and to increase profits. The charges grew out of a 5-year investigation by federal antitrust prosecutors into the $3.7 trillion municipal bond market. In December 2011, GE agreed to pay $70.4 million to resolve its part of the investigation. Bank of America Corp., JPMorgan Chase & Co., UBS AG, and Wells Fargo & Co. acknowledged illegal activities by former employees and paid more than $670 million in restitution and penalties. The jury convicted the defendants of all the counts they faced, of conspiracy to commit wire fraud and to defraud the United States. The case against the three former GE bankers focused on guaranteed investment contracts, which cities buy with money raised from selling bonds. This allows cities to earn money on the funds until they are used for projects such as nursing homes, hospitals, and roads. A former CDR Financial Products Inc. employee who pleaded guilty and is cooperating with the government, testified about helping GE win bids in exchange for later fees on swap transactions. Source: http://www.businessweek.com/news/2012-05-11/ex-ge-bankers-convicted-of-municipal-bond-bid-rig-scheme

11. May 11, Orange County Register – (California) Police: ‘Plaid’ bandit leaves bank on skateboard with no money. Police seek a serial bank robber believed to have skateboarded from the scene of an unsuccessful holdup in Orange County, California, May 11. Officers responded to reports of an attempted bank robbery at a Wells Fargo branch, a police lieutenant said. A man handed an employee a demand note, he said, and then fled when the teller ducked behind a counter. No money was stolen. The would-be robber was last seen fleeing the bank on a skateboard. Authorities believe he is the “Gone Plaid Bandit,” who is responsible for seven previous bank robberies in Orange County, including holdups in Yorba Linda, Irvine, Anaheim Hills, and Mission Viejo. The “Gone Plaid Bandit,” who earned his nickname by wearing plaid during some of the robberies, used notes during the previous incidents, although he was seen armed with a knife during at least one Irvine robbery and once claimed to have been armed with a gun. Source: http://www.ocregister.com/news/bank-353879-plaid-robbery.html

12. May 11, Associated Press – (Illinois; National) Money manager pleads guilty to investment scam. A former investments manager pleaded guilty to pulling a multimillion-dollar Ponzi scheme that hurt more than 300 victims across the country. The Illinois attorney general announced May 11 the former manager was ordered to pay more than $10 million in restitution to victims. Prosecutors said he bilked investors by promising that a software program he developed could get them 20 percent returns. He then paid clients using money from new clients. Source: http://www.cbsnews.com/8301-505245_162-57432907/money-manager-pleads-guilty-to-investment-scam/

13. May 11, Ars Technica – (International) Bitcoins worth $87,000 plundered in brazen server breach. More than $87,000 worth of the virtual currency known as Bitcoin (BTC) was stolen after online bandits penetrated servers belonging to Bitcoinica, prompting its operators to temporarily shutter the trading platform to contain the damage. The May 11 theft came after hackers accessed Bitcoinica’s production servers and depleted its online wallet of 18,547 BTC, company officials said in a blog post. It said the heist affected only a small fraction of Bitcoinica’s overall bitcoin deposits and that all withdrawal requests will be honored once the platform reopens. It was at least the second time in 10 weeks Bitcoinica has been stung by a computer intrusion. The post went on to warn that a database storing user names, e-mail addresses, and account histories was also accessed, and it also suggested cryptographically hashed passwords may have been compromised. It advised customers who reused their Bitcoinica passwords on other sites to change them. Documents used to legally verify users’ identities are stored on separate servers at a separate data center with a different encryption regimen. According to comments left by Bitcoin’s chief executive in an online forum, hackers penetrated a Web server hosted by Rackspace after they managed to reset a password, most likely through an automated e-mail. Source: http://arstechnica.com/uncategorized/2012/05/bitcoins-worth-87000-plundered/

For another story, see item 46 below in the Information Technology Sector

Information Technology

46. May 14, Help Net Security – (International) Fuzz-o-Matic finds critical flaw in OpenSSL. Codenomicon helped identify a critical flaw in widely used encryption software. A flaw in the OpenSSL handling of CBC mode ciphersuites in TLS 1.1, 1.2, and DTLS can be exploited in a denial-of-service attack on both client and server software. The flaw was found with Fuzz-o-Matic, a cloud-based testing platform. The TLS security protocol is the current Internet standard for encrypting and authenticating application traffic. TLS is used by millions of people every day in online banking, e-commerce, e-mail, and Voice-over-IP applications. The OpenSSL is an open-source implementation of TLS and is employed in standard operating systems, Web browsers, e-mail clients, and network devices ranging from WiFi access points and DSL modems to industrial-strength core routers. Source: http://www.net-security.org/secworld.php?id=12916&utm

47. May 14, H Security – (International) Notepad++ web site compromised. Unknown attackers breached the Web site of the popular open source text editor Notepad++ and tried to trick visitors to the site into handing over the credentials to their Facebook accounts. It is currently believed the software downloads were not affected. later, the rest of the Web site appeared to be fixed. When accessed at the end of the week of May 7, the Web site of the project showed defacements by the attackers and also a second window appeared asking for a Facebook login. It appears the hackers were using the official Facebook API in an attempt to gain access to account credentials from visitors to the site. Users who actually entered their Facebook credentials could potentially have provided the attackers with persistant access to all functions on their account such as personal information and the ability to post status messages. In this case, users would have to visit their Facebook account settings to revoke these permissions. Simply changing the account password is not sufficient. Source: http://www.h-online.com/security/news/item/Notepad-web-site-compromised-1575263.html

48. May 14, Softpedia – (International) Avast warns about “FakeInst” and alternative Android markets. The large number of malicious Web sites designed to infect Android devices with the Android:FakeInst SMS trojan made Avast security experts issue another warning to alert users. They advise smartphone owners to beware of fake-looking alternative Android application markets. Researchers found several domains, such as t2file(dot)net and uote(dot)net, which store at least 25 new apps that mask the piece of malware. After users are lured onto these Web sites, they are presented with a phony Downloader program. This app tells the victim the operation may cost money, but the Quit button does not work. Once the installation process begins, there is nothing a user can do except click on the Agree or OK buttons. Once one of these options is selected, an SMS to a premium rate number is sent out. The trojan contains premium numbers for about 60 different countries worldwide. In order to prevent experts from analyzing the malware, its creators used AES encryption to make the file inaccessible. Source: http://news.softpedia.com/news/Avast-Warns-About-FakeInst-and-Alternative-Android-Markets-269380.shtml

49. May 14, Softpedia – (International) Fake Android antivirus served via Twitter spam. Security researchers warn that Twitter is being flooded with shady-looking posts that contain links to Web sites hosted on .tk domains. These sites hide malicious elements that target not only PC users, but also Android owners. GFI Labs experts report that while PC users are served broken .jar files, Android customers are tricked into installing a fake antivirus application whose icon replicates a product provided by Kaspersky. First, the cybercriminals post tweets in Russian or English that advertise all sorts of materials, mainly adult content. All the tweets contain a link to a site such as good-graft(dot)tk. Once clicked, the links open a Russian site designed for smartphone and computer owners. Depending on the device from which the Web site is accessed, the victim is served a file called VirusScanner.jar (for PC), or VirusScanner.apk (for Android). Experts revealed the .jar file appears to be broken, since an error is displayed when it is executed. However, this may change at any time, so users should be cautious when presented with such an element. VirusScanner.apk is a rogue antivirus application that displays the Kaspersky logo when it is installed. Identified as Trojan.Android.Generic.a by GFI’s VIPRE Mobile Security, the piece of malware reveals its true purpose during the installation process when it asks permission to access phone calls, messages, and services that cost money. Source: http://news.softpedia.com/news/Fake-Android-Antivirus-Served-Via-Twitter-Spam-269361.shtml

50. May 14, H Security – (International) Skype for Linux hotfix plugs security hole. Skype issued a hotfix release for its closed source VoIP, video, and text chat software for Linux, nearly 1 year after the last update arrived. The new version of Skype for Linux, labelled, is a minor update that includes an upgraded version of the libpng PNG reference library, which closes a security hole. While specific details are not provided by Skype, this is likely to be the same integer overflow vulnerability that prompted Mozilla to release unscheduled updates for the Firefox Web browser and the Thunderbird news and e-mail client earlier in 2012. According to its developers, the security problem only affects the static package of Skype for Linux downloaded directly from the company; other versions such as those supplied by the Ubuntu Software Centre are not affected by the issue. Source: http://www.h-online.com/security/news/item/Skype-for-Linux-hotfix-plugs-security-hole-1575232.html

51. May 12, CNET – (International) Adobe will issue free security fixes for CS5 apps after all. Adobe reversed its policy that required customers to pay to acquire recent security patches for its Photoshop, Illustrator, and Flash Professional products. The patches cover vulnerabilities that could let a remote user execute malicious code and take control of computers running the products. Adobe originally said customers would need to pay to upgrade to the CS6 versions of the products to receive the fix. Source: http://news.cnet.com/8301-1009_3-57433231-83/adobe-will-issue-free-security-fixes-for-cs5-apps-after-all/

52. May 11, Threatpost – (International) CERT warns on critical hole in SCADA software by Italian firm Progea. The DHS issued a bulletin May 10 warning about a previously undisclosed, critical vulnerability in Movicon 11, a product used to manage critical infrastructure including the manufacturing, energy, and water sectors. The Industrial Control Systems Cyber Emergency Response Team posted an advisory that warned customers of Progea Srl that a memory corruption vulnerability in the Movicon Human Machine Interface software could allow a remote attacker to knock Movicon devices offline using a specially crafted HTTP POST request sent to the Movicon OPC server component. Progea issued a fix for the problem. Source: http://threatpost.com/en_us/blogs/cert-warns-critical-hole-scada-software-italian-firm-progea-051112

For more stories, see items 7 and 13 above in the Banking and Finance Sector

Communications Sector

53. May 16, WAVE 3 Louisvillke – (Indiana) Cut fiber optic line disrupts phone service in 3 Indiana counties. A cut fiber optic line in Salem, Indiana, was causing phone outages across parts of at least three Indiana counties May 14, according to the Lawrence County Sheriff’s Department. Landline service and Verizon and AT&T cell phone service was out in some areas of Washington, Lawrence, and Orange Counties. 9-1-1 calls were being rerouted to Crawford County dispatchers. As of May 14, there was no word on how the fiber optic line was cut and crews were uncertain when it would be repaired. Source: http://www.wave3.com/story/18375145/cut-fiber-optic-line-disrupts-phone-service-in-3-indiana-counties

54. May 12, KSFN 30 Fresno – (California) Copper wire theft suspect arrested at recycling center. Fresno County, California sheriff’s detectives arrested a man they believe is responsible for stealing miles of phone wire, KFSN 30 Fresno reported May 12. The theft cut off home phone service to AT&T customers and left the company with thousands of dollars in losses. Investigators believe the 220-pound load was stolen May 6-7. A sergeant said the suspect brought his first load into the recycling center yard May 10. Since the utility wire looked suspicious, employees called the Fresno County Sheriff’s Office. May 11, after deputies arrived to check it out, the suspect showed up. “While they were in the process of identifying the wire, the same suspect returned for a third time and was contacted with an additional lot of the wire and was subsequently arrested,” the sergeant said. Since the beginning of 2012, AT&T has reported 13 telecommunications wire thefts in the Fresno County area. AT&T officials reported the local losses at more than $200,000. Source: http://abclocal.go.com/kfsn/story?section=news/local&id=8658527

For more stories, see items 46, 48, 49, and 50 above in the Information Technology Sector