Thursday, October 18, 2012
 

Daily Report

Top Stories

 • Capital One Bank confirmed that its Web site was hit by another distributed denial-of- service (DDoS) attack October 16. The incident was the second attack allegedly waged by a hacktivist group against the bank, with the group threatening new attacks on banks October 16-18. – BankInfoSecurity See item 11 below in the Banking and Finance Sector

 • Distributed denial-of-service (DDoS) attacks with an average bandwidth over 20Gbps have become commonplace in 2012, a 230 percent increase over 2011, according to new security research. High bandwidth attacks were previously isolated incidents, and few organizations have the infrastructure to handle such attacks. – IDG News Service See item 33 below in the Information Technology Sector

 • Five people were found dead in a bar outside Denver where a fire broke out October 17. Police believe the blaze was set to cover up the murders. – Associated Press

38. October 17, Associated Press – (Colorado) 5 dead in apparent arson-homicide at Denver bar. Five people were found dead in a bar outside Denver where a fire broke out October 17, and police believed the blaze was set to cover up the murders. The fire at Fero’s Bar & Grill was reported around closing time, the police chief said. Firefighters found four women and one man dead inside the bar. Police do not think they died in the fire. “The business has obviously been set on fire, an arson, I’m guessing, to mask the homicide that occurred inside,” said a police commander. “There is just trauma, enough information to believe that we have a homicide that occurred here. They didn’t perish in the fire,” he said. The fire did not appear to be a very large one. No damage to the bar was visible from the street or aerial news coverage. The bar is located in a strip mall about five miles south of downtown Denver just outside of the Cherry Creek North shopping district on one of the city’s busiest streets, Colorado Boulevard. Autopsies were expected to be conducted October 17. Source: http://www.seattlepi.com/news/article/5-dead-in-apparent-arson-homicide-at- Denver-bar-3956039.php

 • A study released by the U.S. Army Corps of Engineers October 15 said the agency did what it could to manage the historic 2011 flooding on the Missouri River, but more repairs, research, and monitoring are needed to mitigate damage in future high flow years. – Associated Press

42. October 16, Associated Press – (National) Corps study cites vulnerabilities in wake of Missouri River flooding. A study released by the U.S. Army Corps of Engineers October 15, said the agency did what it could to manage the historic 2011 flooding on the Missouri River but that more repairs, research, and monitoring are needed to mitigate damage in future high flow years. The flooding began after the Corps released massive amounts of water from upstream reservoirs that had been filled with melting snow and heavy rains. The onslaught lasted for more than 100 days, busting levees, carving gouges up to 50 feet deep, and dumping debris on farmers’ fields. The Corps said about $400 million would be spent to fix damage along the Missouri River caused by the 2011 flooding. Most levee fixes are expected to be done before spring of 2013, with work on the dams expected to take longer. More funding might be required for the repairs, but the Corps said it was still evaluating the amount. The study also said more water gauges are needed on the Missouri River. It notes that between 1990 and 2010, 387 gauges that once were monitored by the U.S. Geological Survey were discontinued. Seventeen other gauges now provide less information. Source: http://www.columbiatribune.com/news/2012/oct/16/corps-study-cites- vulnerabilities-in-wake-of/

Details

Banking and Finance Sector

6. October 17, Naperville Sun – (Illinois; California) Men from Naperville, Lisle accused in $28 million scam. Two men were scheduled to be arraigned October 18 in U.S. District Court in Chicago on charges of running a $28 million Ponzi-type scheme targeting investors primarily in Illinois and California, according to a statement from the U.S. attorney’s office. One man was a principal of USA Retirement Management Services, which had offices in Oakbrook Terrace, Illinois, and southern California. The other was a company salesman who conducted seminars attended by victims of the alleged scam. A third man also conducted estate planning seminars targeting primarily retirees. According to the indictment, the men between 2005 and 2010 offered and sold promissory notes, in which USA Retirement “absolutely and unconditionally” guaranteed investors rates of 4.75 to 11 percent annually. Two of the men “falsely claimed that the interest would be generated from investments in Turkish bonds,” the statement declared. Instead they used the money to pay some investors and themselves. The men falsely claimed that they had years of investment banking experience and had profited in investing in Turkish bonds. The men had no banking experience and did not make any investments. The company principal and salesman are charged with five counts of wire fraud and four counts of mail fraud. The man who conducted seminars is charged with three counts of wire fraud and three counts of mail fraud. - 5 -

7. October 16, Atlanta Journal Constitution – (Georgia) Husband, wife convicted in tax scheme. A Lawrenceville, Georgia couple was convicted for a tax defiance scheme after claiming that they were “American citizens” and not subject to federal income tax laws, the U.S. Attorney’s Office announced October 16. The husband and wife were found guilty by a federal jury of conspiring to defraud the United States and making false claims upon the Internal Revenue Service (IRS) by a federal jury. According to the information presented in court, the couple, who owned a yard furnishing store and general contracting business in Duluth, conspired to avoid taxes from 1999 to 2009 and submitted false claims for refunds. The couple stopped filing federal income tax returns in the 1990s, then hired the now-defunct American Rights Litigators (ARL) to fight the IRS on their behalf. ARL sold and promoted tax defiance schemes, authorities said. The husband and wife’s ploys to avoid taxes included sending “obstructive, frivolous, and harassing documents” to the IRS and Department of the Treasury, and establishing business bank accounts using fake tax identification numbers to hide money. In 2009, the couple submitted two fraudulent tax returns claiming more than $420,000 in refunds. They also sent the government a bogus $100 billion, private registered bond to pay off their debts. Source: http://www.ajc.com/news/news/local/husband-wife-convicted-in-tax- scheme/nSfTY/

8. October 16, Imperial Valley News – (Idaho; California) Former Elk Grove man arrested in Idaho for $20 million investment fraud. A California man was arrested October 15 on federal investment fraud and bankruptcy fraud charges in Caldwell, Idaho, involving a $20 million investment fraud scheme. The man was charged in a 24- count indictment with wire fraud, false statements in bankruptcy, and bankruptcy bribery. The indictment alleges that he carried out an investment fraud through an entity known as the Perfect Financial Group. According to the indictment, he targeted 190 members of the ethnic Indian Fijian community. He told investors that he was using their money for hard money lending, but actually, he put it to other purposes. The indictment alleges that he lost $12 million through gambling; diverted more than $2 million to personal bank accounts and withdrew much of that in cash; spent $880,000 on a film project; and spent more than $1 million on other business ventures. He also used the money to pay other victims, falsely representing that the payments were profits from the short-term hard money lending business. According to court documents August 19, 2010, the man declared bankruptcy and committed fraud crimes in the bankruptcy. In the bankruptcy, he allegedly failed to disclose bank accounts and tried to induce his victims not to participate in the bankruptcy proceedings. Source: http://www.imperialvalleynews.com/index.php/news/latest-news/2000-former- elk-grove-man-arrested-in-idaho-for-20-million-investment-fraud.html

9. October 16, Boulder Daily Camera – (Colorado) Boulder ‘Face-Off Bandit,’ pleads guilty to aggravated robbery. The “Face-Off Bandit” accused of robbing four banks in Boulder, Colorado, pleaded guilty to one count of aggravated robbery October 16. The robber was originally charged with four counts of aggravated robbery but had three charges dropped as part of the plea deal. He was accused in bank robberies dating back to December 16, 2011 at a Great Western Bank; January 19 at a First Bank; February 15 at a Chase Bank; and March 8 at a First National Bank in Louisville. He also robbed a bank in Jefferson County. Authorities called him the “Face-Off Bandit” because he wore fake beards as disguises and left them as he fled. Source: http://www.denverpost.com/opinion/ci_21783048/mark-edwards-boulder-face- off-bandit-pleads-guilty

10. October 16, The H – (International) Santander’s online banking keeps passwords in cookies. The retail Web site for Santander bank has been discovered to be keeping customer passwords in plain text in cookies held while the user is logged in, The H reported October 16. The discovery was revealed on the Full Disclosure mailing list when an anonymous user posted details of how credit card numbers and other information was stored in session cookies. According to the report, the “NewUniversalCookie” is base64 decoded to reveal an XML document which contains a name, alias, and user ID. In fact, the cookie contains multiple fields; the base64 encoded XML document was just one of them. The H found that, in at least one case, upon decoding an account the innocuously named “alias” field in fact contained a plain text version of the user’s password. The password alone is not sufficient to access a Santander account as there is another registration number that needs to be used with it, but the presence of a plain text password does raise questions about the security practices of the bank’s online site. A Santander spokesperson told The H: “The data items stored within our cookies, if compromised, would not allow access to our online services on their own and our primary login processes do not rely on cookie data.” Source: http://www.h-online.com/security/news/item/Santander-s-online-banking- keeps-passwords-in-cookies-Update-1730364.html

11. October 16, BankInfoSecurity – (International) CapOne takes second DDoS hit. Capital One confirmed that its Web site was hit by another distributed denial of service (DDoS) attack, October 16. The incident was the second attack allegedly waged in October by a hacktivist group against the bank. “Capital One is experiencing intermittent access to some online systems due to a denial of service attack,” a bank spokeswoman said. “There was minimal impact to the majority of our customers.” The same day, a post claiming to be from the hacktivist group appeared on Pastebin claiming new attacks against U.S. banks would be waged between October 16 and October 18. The group noted that this new wave of DDoS attacks is being initiated without advance warning. In earlier Pastebin posts, the group named the eight banks it eventually attacked. A financial fraud and security consultant with CEB TowerGroup said the October 9 attack against Capital One, appeared to be one of the most damaging. “With CapOne, they seemed to take a bigger hit than the others,” he said. “Other banks seemed to handle the attacks better.” Source: http://www.bankinfosecurity.com/capone-takes-second-ddos-hit-a-5203

Information Technology Sector

33. October 17, IDG News Service – (International) High bandwidth DDoS attacks are now common, researcher says. Distributed denial-of-service (DDoS) attacks with an average bandwidth over 20Gbps have become commonplace in 2012, according to researchers from DDoS mitigation vendor Prolexic. In 2011, such high-bandwidth attacks were isolated incidents, Prolexic’s president said October 16. Very few companies or organizations have the network infrastructure to handle such attacks. Prolexic released its global DDoS attack report for the third quarter October 17. According to the report, there is an 88 percent increase of attacks from the same quarter of 2011. However, compared to the second quarter of 2012, the number of attacks actually declined by 14 percent. The average attack bandwidth during the third quarter of 2012 was 4.9Gbps, which represents a 230 percent increase compared to 2011, and an 11 percent increase compared to the previous quarter. The average attack during the third quarter of 2012 lasted 19 hours, slightly longer than in the second quarter. The majority of attacks — over 81 percent — targeted the infrastructure layer, while 18.6 percent of attacks targeted the application layer. The top three countries where DDoS attacks originated were China with 35 percent of attacks, the United States with 28 percent, and India with 8 percent. Source: http://www.computerworld.com/s/article/9232487/High_bandwidth_DDoS_attacks_are_now_common_researcher_says

34. October 16, Softpedia – (International) Blackhole/Zeus threat comes via ‘You have blocked your Facebook account’ spam. Malicious emails entitled “Verify your account” were spotted by security experts. The alerts are part of a cybercriminal campaign whose main goal is to lure users to Blackhole-infested, Zeus-serving Web sites. Fake Facebook notifications are becoming more and more interesting. Recently, instead of informing potential victims that their accounts were suspended by Facebook, spammers tell users they somehow blocked their own accounts. “You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook with your former login email address and password” the shady emails read. GFI Labs experts indicate that the links from these messages are designed to take Internet users to compromised Web sites that further redirect them to fake Adobe Flash Player update sites. Source: http://news.softpedia.com/news/BlackHole-Zeus-Threat-Comes-Via-You- Have-Blocked-Your-Facebook-Account-Spam-299745.shtml

35. October 16, Threatpost – (International) Zero-day attacks thrive for months before disclosure. Zero-day vulnerabilities and exploits dominate headlines and most heated information security discussions. However, there are relatively few of these attacks hitting a small number of hosts, according to new research on the subject. Zero days get so much attention because of their effectiveness in compromising targets and avoiding detection. Two researchers from Symantec Research Labs examined a period of malware activity on a host of Symantec detection platforms from 2008 to 2011 and quantified the window of exposure organizations face from attacks that are active before vulnerabilities are publicly disclosed. The 18 attacks they discovered in that 3- year timespan lasted anywhere between 19 days and 30 months, an average of 312 days, or 10 months. That means organizations targeted by zero-day malware were likely compromised by a variety of malware attacking undisclosed vulnerabilities on a number of platforms. “For cyber criminals, unpatched vulnerabilities in popular software such as Microsoft Office or Adobe Flash represent a free pass to any target they might wish to attack, from Fortune 500 companies to millions of consumer PCs around the world,” the researchers wrote in a paper. Once zero-day vulnerabilities are publicly disclosed, attacks spike up, the researchers said, and most within 30 days of disclosure. “Cyber criminals watch closely the disclosure of new vulnerabilities in order to start exploiting them which causes a significant risk for end users,” the paper said. Source: http://threatpost.com/en_us/blogs/zero-day-attacks-thrive-months-disclosure- 101612

Communications Sector

Nothing to report.


Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at  nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at  soc@us-cert.gov or visit their Web page at  www.us-cert.go v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.