Friday, November 23, 2012
Daily Report
Top Stories
• A complaint in U.S. District Court November
20 alleges that a portfolio manager at an unregistered investment advisor made
$276 million by trading on insider information from a neurology professor
conducting a clinical trial of an Alzheimer’s drug. – Forbes. See item 10 below in the Banking and Finance Sector.
• Authorities said Interstate 20 was closed in
Darlington County, South Carolina, for several hours after deputies found half
a dozen containers of a flammable liquid in the car of an Army deserter during
a traffic stop. – Associated Press
16. November 20, Associated Press – (South Carolina) I-20 closed near Florence for possible
explosives. Authorities said Interstate 20 was closed in Darlington County,
South Carolina, for several hours after deputies found half a dozen containers
of a flammable liquid in the car of an Army deserter during a traffic stop.
Deputies said they first found drugs in the car during the stop November 20 on
I-20 westbound about 5 miles west of Interstate 95, but a further search found
a liquid that can be used in explosives in the truck. Authorities shut down the
interstate in both directions so a bomb squad could get rid of what the
deputies discovered. Eastbound lanes were reopened after about 3 hours.
Deputies said the driver was wanted for leaving Fort Eustis near Newport News,
Virginia, without permission. Source: http://www.myrtlebeachonline.com/2012/11/20/3181678/i-20-closed-near-florence-for.html
• More than 60,000 gallons of raw sewage
spilled from a manhole over a two-day period the week of November 12 due to
vandalism of Rockdale, Georgia’s sewer system, according to Rockdale Water
Resources (RWR). – Rockdale Citizen
24. November 20, Rockdale Citizen – (Georgia) Major sewage spill caused by vandalism. More than 60,000
gallons of raw sewage spilled from a manhole over a two-day period the week of
November 12 due to vandalism of Rockdale, Georgia’s sewer system, according to
Rockdale Water Resources (RWR). The RWR Deputy Director said it appeared that
large rocks or boulders had been thrown into the manhole where the spill
occurred or in a manhole upstream from the Scott Creek Wastewater Treatment
Plant and then made their way down the sewer line. RWR was notified of the
spill November 16 by a customer who called and said it appeared that sewage was
overflowing from the manhole near a house. The deputy director said the spill
flowed into a private pond on a nearby property. The department was notified of
the spill and the sewer line problem was cleared the same day, stated Water
Resources. The spill, which totaled 63,000 gallons, was classified as a major
spill by the Georgia Environmental Protection Division (EPD). The deputy
director said EPD had been notified that the spill was caused by vandalism,
which could mean that only 12 months of monitoring of the spill site would be
required. Source: http://www.rockdalecitizen.com/news/2012/nov/20/major-sewage-spill-caused-by-vandalism/
• State and federal officials issued a new alarm in the ongoing outbreak of disease
caused by tainted steroids from a Massachusetts drug compounder. The Tennessee
Health Department will begin a new round of contact calls to 1,009 patients who
could be affected. – Nashville Tennessean
28. November 21, Nashville Tennessean – (Tennessee; National) Meningitis outbreak: Officials warn of new fungal
infections. State and federal officials are issuing a new alarm in the
ongoing outbreak of disease caused by tainted steroids from a Massachusetts drug
compounder - and the warning applies to those who may have thought they had
dodged serious illness, health officials said November 20. The Tennessee Health
Department will begin a new round of contact calls to 1,009 patients November
26 who received injections in Tennessee from three tainted lots of
methylprednisolone acetate from the New England Compounding Center. Patients
who were already contacted once will be contacted again and warned to be on the
lookout for signs of an infection, said a doctor from Vanderbilt University,
who participated in a briefing on the new alert November 21. Steroids from the
Massachusetts compounding pharmacy have been linked to 490 illnesses and 34
deaths nationwide. In Tennessee, 82 people have been sickened and 13 have died.
Source: http://www.wbir.com/news/article/242346/2/Meningitis-outbreak-Officials-warn-of-new-fungal-infections
Details
Banking and Finance Sector
5. November 21, ATM Marketplace – (International) EAST releases ATM fraud update; U.S. still
attracts most fraud. The European ATM Security Team (EAST) published its
third European Fraud Update for 2012, ATM Marketplace reported November 21. It
reveals that the U.S. still ranks first for skimming fraud, and also finds that
fraudsters are shifting their attention from markets where EMV is used to those
where it is not — meaning that the U.S. is likely to retain its dubious
distinction for some time. The update is based on crime reports from
representatives of 18 countries in the single euro payments area (SEPA), as
well as representatives of three non-SEPA countries. All but four countries
reported continued skimming attacks at ATMs. In addition to ATMs, skimming was
reported at unattended payment terminals at petrol stations, and at parking
ticket machines, railway ticket machines, and point of sale (POS) terminals.
Fraud losses continue to migrate away from EMV liability shift areas. The U.S.
remains the top location for such losses, followed by Mexico, the Dominican
Republic, and Brazil. Card issuers are continuing to take measures to block the
use of payment cards outside of designated EMV liability shift areas. Eight
countries now report the use of some form of geo-blocking. Fifteen countries
reported cash-trapping incidents, but such attacks seem to be stabilizing or
falling in most countries. Eight countries reported ram raids and ATM burglary
— in many cases these were unsuccessful, but still caused significant
collateral damage. Source: http://www.atmmarketplace.com/article/204097/EAST-releases-ATM-fraud-update-US-still-attracts-most-fraud
6. November 21, The H – (International) Professional trojan targets SEPA
transactions. Cyber-criminals are targeting the European SEPA payments
network, according to a report from security specialist McAfee, The H reported
November 21. Within the E.U., SEPA transactions are uncomplicated because they
make no distinction between domestic and cross-border transactions. In this
case, that also benefits the online crooks who usually transfer money from the
victim’s account to foreign bank accounts. The report says the malware involved
is part of “Operation High Roller” where criminals extracted large sums from
business accounts. The malware acts in a remarkably similar manner to how ZeuS
and others work: after infection it inserts itself into the system’s browser
and waits for a user to access their bank’s Web site. Once there, the pest adds
its own JavaScript code, called Web Injects, to perform the fraudulent
withdrawals. The malware takes its instructions from a command and control
server which is, McAfee says, located in Moscow. The software is hard-coded to
withdraw amounts ranging between 1,000 Euros to 100,000 Euros depending on the
balance of the account. Source: http://www.h-online.com/security/news/item/Professional-trojan-targets-SEPA-transactions-1754446.html
7. November 20, CNNMoney – (New York) New York sues Credit Suisse in latest mortgage
lawsuit. The New York Attorney General filed a lawsuit November 20 against
Credit Suisse, alleging that the bank repeatedly defrauded investors in sales
of mortgage-backed-securities. The attorney general alleges that in 2006 and
2007, Credit Suisse sponsored mortgage-backed-securities worth $93.8 billion
that, as of August, had suffered $11.2 billion in losses. The lawsuit seeks
damages to recoup these losses, as well as additional relief, meaning Credit
Suisse could be on the hook for a massive penalty compared with most financial
crisis-related cases. New York’s suit claims Credit Suisse deceived investors
by leading them to believe that the loans in its mortgage-backed-securities
“had been carefully evaluated and would be continuously monitored.” The
attorney general alleges, the bank “systematically failed to adequately
evaluate the loans, ignored defects that its limited review did uncover, and
kept its investors in the dark about the inadequacy of its review procedures
and defects in the loans.” Credit Suisse said it planned to fight the lawsuit
in court. Source: http://money.cnn.com/2012/11/20/investing/credit-suisse-new-york/
8. November 20, KTVK 3 Phoenix – (Arizona) FBI seeks public’s help to identify ‘Thou Shalt Not
Steal Bandit’. The FBI’s Bank Robbery Task Force is asking for the public’s
help in identifying the “Thou Shalt Not Steal Bandit,” KTVK 3 Phoenix reported
November 20. The FBI said the suspect is responsible for 7 bank robberies in
Arizona’s Phoenix metropolitan area over the past 3 years. In the first two
robberies, the suspect forced entry into the businesses adjacent to the banks
prior to opening and then cut holes in the adjoining drywall to enter the
banks, according to investigators. During the third robbery, the suspect
entered the bank through a hole he cut in the exterior wall, and in the fourth
robbery he accessed the bank through a hole he cut in the roof. Investigators
said the suspect waits in the bank until employees arrive for work then
confronts them with a black, semi-automatic handgun or a silver revolver and
forces them to access the money. He restrains the employees with blindfolds and
flex ties before fleeing with the money. During a July 3 robbery, the suspect
accessed the Chase Bank through a hole in the roof and left a phone taped to a
device resembling sticks of dynamite inside the bank. The suspect threatened to
blow up the bank if the employees did not place money in a nearby desert wash
area. Investigators believe the suspect is conducting prior surveillance and
detailed planning before each of the robberies. He may have previous military
experience and familiarity with bank security systems. Source: http://www.azfamily.com/news/FBI-seeks-publics-help-to-identify-Thou-Shalt-Not-Steal-Bandit-180232091.html
9. November 20, New York Times – (National) DocX founder pleads guilty in foreclosure fraud. The
founder and former president of DocX, once one of the nation’s largest
foreclosure-processing companies, pleaded guilty November 20 to fraud in one of
the few criminal cases to have arisen out of the housing crisis. The executive
entered a guilty plea in federal court in Florida and a plea agreement in State
court in Missouri related to DocX’s preparation of improper documents used to
evict troubled borrowers from their homes. She admitted to directing DocX
employees, beginning in 2005, to sign other peoples’ names on crucial mortgage
documents. Many of the documents, like assignments of mortgages and affidavits
claiming that a borrower’s i.o.u. had been lost, were used by banks and their
representatives to foreclose on homeowners. DocX also filed falsely notarized
documents with county clerks across the country. She admitted in her plea to
participating in the falsification of more than a million documents. Source: http://www.nytimes.com/2012/11/21/business/docx-founder-pleads-guilty-in-foreclosure-fraud.html?_r=0
10. November 20, Forbes – (National) ‘Most lucrative insider trading scheme ever’:
Trader charged with illicit $276 million score. A complaint filed in U.S.
District Court in Manhattan November 20 alleges that a portfolio manager at an
unregistered investment advisor made a $276 million score by trading on insider
information from a neurology professor conducting a clinical trial of an
Alzheimer’s drug. The complaint says the manager, while working at CR Intrinsic
Investors, received material nonpublic information from a professor at the
University of Michigan’s Medical School, who was in charge of a committee
overseeing the trial of a drug being developed by Elan Pharmaceuticals and
Wyeth in 2008. The professor — also named as a defendant along with the manager
and CR Intrinsic — allegedly gave the manager information about the clinical
trial and at some point around July 17, 2008 provided the full results of the
study before its July 29 release. That led to the manager causing CR Intrinsic
and affiliated portfolios of an unnamed investment advisor to sell long
positions in Elan and Wyeth worth more than $700 million and take substantial
short positions. All told, the U.S. Securities and Exchange Commission claims
the manager and the affiliated funds sold more than $960 million worth of the
two stocks in just over a week, reaping a $276 million windfall. In a separate
criminal complaint, prosecutors allege that the manager recommended the owner
of the unnamed hedge fund sell its Wyeth and Elan holdings, and that the hedge
fund owner then instructed a trader to begin selling its position. The
relationship between the professor and the manager was facilitated by an expert
network firm, an industry that has been at the heart of a number of insider
trading cases in recent years. The manager is also facing criminal charges for
conspiracy to commit securities fraud. Source: http://www.forbes.com/sites/steveschaefer/2012/11/20/matthew-martoma-charged-with-most-lucrative-insider-trading-scheme-ever-after-276-million-windfall/
11. November 20, Bloomberg News – (National) The housing scam that’s targeting vets and
seniors. The housing market is bouncing back, and so are deceptive
marketing practices. That has prompted the U.S. Consumer Financial Protection
Bureau (CFPB) and the U.S. Federal Trade Commission to launch investigations
into six mortgage lenders and brokers that allegedly target veterans and senior
citizens with misleading advertising, Bloomberg News reported November 20. The
regulators also sent warning letters to a dozen more companies, urging them to
review their marketing materials and be sure they are not breaking federal law.
The lenders appeared to be trying to dupe consumers into thinking loans were
government-backed, according to the CFPB. Some of the ads sent to the elderly
included a return address line that read “Government Loan Department,” used a
logo that resembled the seal of the U.S. Department of Housing and Urban
Development, and displayed a Web URL bearing the initials of the Federal
Housing Administration, the CFPB said. Veterans received ads that appeared to
come from the U.S. Department of Veterans Affairs (VA) and offered rates under
a special “economic stimulus plan” said to be expiring soon, according to the
CFPB. The ads began with the phrase, “The VA is offering you,” and used logos
similar to the VA’s. The ads also promised a “fixed” rate for a 30-year loan
even though the fine print indicated that the rates were adjustable, according
to the CFPB. Source: http://www.businessweek.com/articles/2012-11-20/holly-petraeuss-crackdown-on-alleged-mortgage-swindlers
12. November 20, Albany Herald – (Georgia) Family members, minister indicted in farm loan
scheme. An indictment issued by a federal grand jury in Macon, Georgia,
names a family and a minister in what prosecutors contend is a conspiracy to
defraud the U.S. Farm Credit Administration of more than $10 million. The four
men were each named in an indictment handed down November 15 and were due in
court November 20. The four men were allegedly connected to the former chief
lending officer at Southwest Georgia Farm Credit (SWGFC) in Bainbridge, who
previously pleaded guilty to fraud. According to the indictment, one of the
men, who owned Backwoods Outdoors in Leesburg, borrowed roughly $5 million from
SWGFC to purchase real estate in southwest Georgia and north Florida. His
father also borrowed roughly $5 million from SWGFC and allegedly acted as a
“straw borrower”. The minister is alleged in the indictment to have borrowed
nearly $817,000 from SWGFC, also on behalf of the son. The indictment also
charges that he borrowed $195,000 from the program to purchase a home for
himself. The son’s uncle is accused in the indictment of borrowing $1.7 million
from the SWGFC on behalf of his nephew. In exchange for rubber-stamping the
loans, the former chief lending officer and family members reportedly received
thousands of dollars in kickbacks from the borrowing family, the indictment
contends. The son and the minister were also indicted on charges of concealing
assets in a bankruptcy, and of making false statements, respectively. Source: http://www.albanyherald.com/news/2012/nov/20/heards-minister-indicted-farm-loan-scheme/
13. November 19, Reuters – (International) Shadow banking hits $67 trillion globally:
task force. The shadow banking system - blamed for aggravating the
financial crisis - grew to a new high of $67 trillion globally in 2011, a top
regulatory group said, calling for tighter control of the sector. A report by
the Financial Stability Board (FSB) November 18 appeared to confirm fears among
policymakers that the so-called shadow banking system of non-bank
intermediaries continues to harbor risks to the financial system. The FSB, a
task force from the world’s top 20 economies, also called for greater control
of shadow banking, a corner of the financial universe made up of entities such
as money market funds that has so far escaped the web of rules that is tightening
around traditional banks. The European Commission is expected to propose
E.U.-wide rules for shadow banking in 2013. The United States is already
rolling out a framework of new rules for the $2.5 trillion money market
industry. The FSB said shadow banking around the world more than doubled to $62
trillion in the 5 years to 2007, and had grown to $67 trillion in 2011 - more
than the total economic output of all the countries in the study. America had
the largest shadow banking system, said the FSB, with assets of $23 trillion in
2011, followed by the Euro area with $22 trillion, and the United Kingdom at $9
trillion. The U.S. share of the global shadow banking system has declined in
recent years, the FSB said, while the shares of the United Kingdom and the euro
area have increased. Source: http://www.chicagotribune.com/business/sns-rt-us-shadow-banking-regulationbre8ai0sl-20121119,0,7490614.story
Information Technology Sector
34. November 21, The H – (International) HTTP Strict Transport Security becomes
Internet Standard. The Internet Engineering Task Force (IETF) published RFC
6797, formally declaring the HTTP Strict Transport Security (HSTS) security
mechanism for HTTPS as an Internet Standard. HSTS is designed to allow HTTP
servers to ensure that any services offered can only be accessed via secure
connections that are encrypted using mechanisms such as Transport Layer
Security (TLS). From a client perspective, HSTS forces applications (User
Agents) to only use encrypted connections when communicating with Web sites.
The primary aim of HSTS is to counter the SSL-stripping attacks on HTTPS Web sites
that a security researcher described in 2009. The attacks take advantage of the
fact that users do not generally type https:// to reach a page but rather visit
the unencrypted URL and trust that they will be redirected to the HTTPS version.
An attacker on the network path answers that first plain-HTTP request himself and
keeps serving the site over HTTP, so the redirection never happens and the browser
shows no warning. HSTS closes this window only once the browser has already seen
the header over a valid HTTPS connection; the very first visit to a site remains
exposed, which is why browsers also ship preloaded lists of HSTS hosts.
without triggering alerts. Source: http://www.h-online.com/security/news/item/HTTP-Strict-Transport-Security-becomes-Internet-Standard-1754549.html
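What a conforming user agent has to do with the header, as an added example written for this page rather than code from the IETF, The H, or any browser: it parses the Strict-Transport-Security directives, ignores the header when it arrives over plain HTTP (the connection a stripping attacker controls), records the host with its max-age, honours includeSubDomains, and rewrites later http:// URLs for that host to https:// before any request leaves. The host names, times and header values it is exercised with are constructed.

```python
"""Minimal RFC 6797 HSTS policy cache for a user agent (added example; not
code from the IETF, The H, or any browser). Hosts, times and header values
used in comments are constructed."""
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # epoch seconds at which the policy lapses
    include_subdomains: bool


def parse_sts_header(value):
    """Parse a Strict-Transport-Security value into (max_age, include_subdomains).

    Returns None for a header the UA must ignore: max-age missing or not a
    non-negative integer, or any directive repeated (RFC 6797 section 6.1).
    Unknown directives are skipped so future extensions do not break parsing.
    """
    max_age = None
    include_subdomains = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
    if max_age is None:
        return None
    return max_age, include_subdomains


class HstsCache:
    """Known-HSTS-host store plus the URL rewrite the UA applies."""

    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.hosts = {}         # lower-cased host -> HstsEntry

    def process_response(self, host, over_tls, sts_header):
        """Learn a policy from a response.

        The header is honoured only when received over TLS (RFC 6797
        section 8.1); over plain HTTP an on-path attacker could plant
        or clear policies, so it is ignored there.
        """
        if not over_tls or sts_header is None:
            return
        parsed = parse_sts_header(sts_header)
        if parsed is None:
            return
        max_age, include_subdomains = parsed
        host = host.lower()
        if max_age == 0:
            self.hosts.pop(host, None)      # max-age=0 withdraws the policy
            return
        self.hosts[host] = HstsEntry(self.now() + max_age, include_subdomains)

    def is_known(self, host):
        """True if host, or a parent with includeSubDomains, has a live policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self.hosts.get(candidate)
            if entry is None:
                continue
            if entry.expires <= self.now():
                del self.hosts[candidate]   # lapsed policy, drop it
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def rewrite_url(self, url):
        """Upgrade http:// to https:// for known hosts before any request is sent.

        Port 80 (explicit or implied) becomes 443; any other explicit port is
        kept (RFC 6797 section 8.3).
        """
        if not url.lower().startswith("http://"):
            return url
        hostport, sep, path = url[len("http://"):].partition("/")
        host, _, port = hostport.partition(":")
        if not self.is_known(host):
            return url
        target = host if port in ("", "80") else f"{host}:{port}"
        return "https://" + target + sep + path
```

The two checks that matter most are the ones a naive implementation forgets: `process_response` discards the header unless it came over TLS, and `is_known` walks up the parent labels so `login.bank.example` is covered by a policy set on `bank.example` with includeSubDomains.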
35. November 21, Softpedia – (International) Mozilla addresses 6 critical vulnerabilities
with the release of Firefox 17. Six critical-, nine high-, and
one moderate-impact vulnerabilities were fixed by Mozilla with the release of
Firefox 17. The critical flaws, which can be leveraged by an attacker to run
arbitrary code and install malicious software without any user interaction,
refer to use-after-free, buffer overflow, and memory corruption issues
identified with the aid of Address Sanitizer. Other critical security holes
include a CSS and HTML injection issue through Style Inspector, miscellaneous
memory safety hazards, a buffer overflow when rendering GIF images, and a crash
when combining SVG text on path with CSS. The high-impact vulnerabilities
addressed in Firefox 17 were caused by the improper security filtering for
cross-origin wrappers, installer DLL hijacking, the fact that the evalInSandbox
location context was incorrectly applied, and a memory corruption issue in
str_unescape. Source: http://news.softpedia.com/news/Mozilla-Addresses-6-Critical-Vulnerabilities-with-the-Release-of-Firefox-17-308628.shtml
36. November 21, Softpedia – (International) Password-stealing malware Passteal distributed
via file sharing sites. Experts warn that Passteal, the piece of malware
that steals sensitive information stored in Web browsers by relying on password
recovery tools, is being distributed through file sharing Web sites. Trend
Micro researchers identified Passteal versions disguised as e-books, key
generators, and even bundled with installer applications. While older variants
relied on PasswordFox to gain access to sensitive browser data, a new version
(TSPY_PASSTEAL.B) has been found to use WebBrowserPassView instead. This
enables the attackers to steal information from Internet Explorer, Firefox,
Chrome, and Safari. Source: http://news.softpedia.com/news/Password-Stealing-Malware-Passteal-Distributed-Via-File-Sharing-Sites-308650.shtml
37. November 21, The H – (International) Rootkit
infects Linux web servers. A previously unknown rootkit is infecting Linux
Web servers and injecting malicious code into Web pages served by infected
servers. The rootkit was discovered by a user of security mailing list Full
Disclosure, who posted his observations, including the suspicious kernel
module, to the mailing list. The malware adds an iframe to every Web page
served by the infected system via the nginx proxy – including error pages.
Anyone who visits a Web page on the server is then attacked by a specially
crafted web page which is loaded in an iframe. Once an exploitable hole is
identified, it is used to install malware on the visitor’s system. The Web
server is ultimately being used to redirect users to another Web server which
can then infect their system, such as poorly maintained Windows systems, with
malware. Kaspersky Lab analysed the malware and dubbed it
Rootkit.Linux.Snakso.a. The rootkit is designed to target 64-bit systems and
has been compiled for kernel version 2.6.32-5, used in Debian Squeeze. After
booting, it determines the memory address of a number of kernel functions,
which it then hooks into. The rootkit obtains deployment instructions from a
command and control server. According to Kaspersky, the rootkit may still be
under development, as it has been compiled with debug information in situ.
Source: http://www.h-online.com/security/news/item/Rootkit-infects-Linux-web-servers-1753969.html
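Because the rootkit hooks kernel functions, tools run on the infected host cannot be trusted to show the injection; the more reliable check is at the HTTP layer, comparing what a client actually receives with what the origin should have produced. The following is an added example written for this page, not code from the rootkit's author, Kaspersky Lab, or The H: it lists iframes present only in the served copy of a page and flags the hidden, off-site ones that drive-by kits use. The HTML samples are constructed, and 203.0.113.5 is a documentation address standing in for the attacker's server.

```python
"""Flag iframes that exist only in the served copy of a page (added example,
not the rootkit's code, Kaspersky's or The H's). The HTML below is
constructed; 203.0.113.5 is a documentation address standing in for the
attacker's server."""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def iframes_in(html):
    p = IframeCollector()
    p.feed(html)
    p.close()
    return p.iframes


def looks_hidden(attrs):
    """Drive-by frames are usually 0x0 or styled away so the visitor sees nothing."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(dim, "").strip() in ("0", "1") for dim in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def injected_iframes(expected_html, served_html, site_hosts):
    """Return iframes in served_html whose src is absent from expected_html.

    expected_html is what the origin (files on disk, or the upstream behind
    nginx) should have produced; served_html is what a client actually got.
    site_hosts is the set of hosts the site legitimately frames.
    """
    expected = {f.get("src", "") for f in iframes_in(expected_html)}
    findings = []
    for f in iframes_in(served_html):
        src = f.get("src", "")
        if src in expected:
            continue
        host = urlsplit(src).hostname or ""
        findings.append({
            "src": src,
            "hidden": looks_hidden(f),
            "offsite": bool(host) and host not in site_hosts,
        })
    return findings


# Constructed samples: a 404 page as it sits on disk, and the same page as
# the compromised server returned it.
EXPECTED_404 = "<html><body><h1>404 Not Found</h1></body></html>"
SERVED_404 = (
    '<html><body><h1>404 Not Found</h1>'
    '<iframe src="http://203.0.113.5/e/" width="0" height="0" '
    'style="display: none"></iframe></body></html>'
)
# A legitimate frame the site itself uses, present in both copies.
EXPECTED_HOME = '<html><body><iframe src="https://www.example.com/video"></iframe></body></html>'

if __name__ == "__main__":
    for finding in injected_iframes(EXPECTED_404, SERVED_404, {"www.example.com"}):
        print(finding)
```

Run it from a machine other than the web server, fetching a deliberately non-existent path as well as real pages, since the article notes that error pages are rewritten too. A finding that is both hidden and off-site on a page whose on-disk source contains no iframe is a strong signal; a finding that is merely off-site may be an ad or embed the site legitimately uses.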
38. November 20, Wired.com – (National) Hacker found
guilty of breaching AT&T site to obtain iPad customer data. A hacker
charged with federal crimes for obtaining the personal data of more than
100,000 iPad owners from AT&T’s Web site was found guilty November 20. The
man was found guilty in federal court in New Jersey of one count of identity
fraud and one count of conspiracy to access a computer without authorization.
The hacker and another man were charged in 2011 after the two discovered a hole
in AT&T’s Web site in 2010 that allowed anyone to obtain the email address
and ICC-ID of iPad users. The ICC-ID is a unique identifier that is used to
authenticate the SIM card in a customer’s iPad to AT&T’s network. The two
men discovered that the site would leak email addresses to anyone who provided
it with an ICC-ID. So the two wrote a script to mimic the behavior of numerous
iPads contacting the Web site in order to harvest the email addresses of iPad
users. According to authorities, they obtained the ICC-ID and e-mail address
for about 120,000 iPad users. The two contacted the Gawker Web site to report
the hole and provided the Web site with harvested data as proof of the
vulnerability. Gawker reported at the time that the vulnerability was
discovered by a group calling itself Goatse Security. AT&T maintained that
the two did not contact it directly about the vulnerability and learned about
the problem only from a “business customer.” Source: http://www.wired.com/threatlevel/2012/11/att-hacker-found-guilty/
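The flaw the article describes is a device identifier being accepted as proof of identity: whoever submits a plausible ICC-ID gets the matching e-mail address back, and ICC-IDs are numeric values issued in blocks, so a script can simply walk through candidates. The following added example, written for this page and not AT&T's code, reconstructs that shape with a constructed subscriber table, then shows a hardened design in which the identifier never selects the record: a random session token issued only after authentication is bound to one ICC-ID, and a client that keeps presenting bad tokens is throttled. The addresses and the session scheme are assumptions for illustration.

```python
"""The ICC-ID lookup flaw and a hardened design (added example, not AT&T's
code; the subscriber table, addresses and session scheme are constructed)."""
import secrets

# Constructed subscriber table: ICC-ID -> e-mail. ICC-IDs are numeric and
# issued in blocks, so neighbouring values are likely to be real customers.
SUBSCRIBERS = {
    "89014104211111111111": "alice@example.org",
    "89014104211111111112": "bob@example.org",
    "89014104211111111115": "carol@example.org",
}


def lookup_email_vulnerable(icc_id):
    """The flaw as the article describes it: the identifier alone selects the
    record, so possession of a plausible ICC-ID is treated as proof of identity."""
    return SUBSCRIBERS.get(icc_id)


def harvest(lookup, start, count):
    """Walk a block of candidate ICC-IDs through a lookup function and keep hits.

    This is the shape of the enumeration described above: many requests,
    each pretending to be a device presenting its own ICC-ID.
    """
    found = {}
    for n in range(start, start + count):
        email = lookup(str(n))
        if email:
            found[str(n)] = email
    return found


class HardenedService:
    """The identifier never selects the record. A random session token, issued
    only after the device has authenticated, is bound to one ICC-ID, and a
    client that keeps presenting bad tokens is throttled."""

    def __init__(self, max_failures=5):
        self._sessions = {}    # token -> ICC-ID
        self._failures = {}    # client address -> bad requests seen
        self.max_failures = max_failures

    def issue_session(self, icc_id):
        # Assumed to run only after the device proves it holds the SIM; the
        # authentication step itself is outside this example.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = icc_id
        return token

    def throttled(self, client):
        return self._failures.get(client, 0) >= self.max_failures

    def lookup_email(self, token, client):
        if self.throttled(client):
            return None
        icc_id = self._sessions.get(token)
        if icc_id is None:
            self._failures[client] = self._failures.get(client, 0) + 1
            return None
        return SUBSCRIBERS.get(icc_id)
```

Against the vulnerable lookup a ten-value sweep recovers every address in the block; against the hardened service the same sweep returns nothing and trips the throttle after five misses, because the 256-bit random token cannot be guessed and the ICC-ID is never read from the request.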
Communications Sector
Nothing to report
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.