DHS Daily Open Source Infrastructure Report

2012-02-01T05:38:00.001-05:00

Wednesday, February 1, 2012

Complete DHS Daily Report for February 1, 2012

Daily Report

Top Stories

• A new report found that most ships involved in reported cases of sanctions-busting or illicit transfers of arms, drugs, and equipment that could be used in the development of missiles and weapons of mass destruction are owned by companies based in the world’s richest countries, including the United States. – London Guardian (See item 17)

17. January 29, London Guardian – (International) Sea trafficking report reveals how ships move guns and drugs. Most ships involved in reported cases of sanctions-busting or illicit transfers of arms, drugs, and equipment that could be used in the development of missiles and weapons of mass destruction are owned by companies based in the world’s richest countries, according to the first comprehensive study of maritime trafficking. The ships are primarily commercial lines based in Germany, Greece, and the United States, according to the report, released January 30 by the Stockholm International Peace Research Institute. “This doesn’t mean the ship owners, or even the captains, know what they are carrying. But it is relatively easy for traffickers to hide arms and drugs in among legitimate cargoes,” said the report’s co-author. The report shows the methods adopted by arms trafficking networks in response to United Nations embargoes on Iran and North Korea were pioneered by drug traffickers. They included hiding goods in sealed shipping containers that claim to carry legitimate items; sending the goods on foreign-owned ships engaged in legitimate trade; and using circuitous routes to make the shipments harder for surveillance operations to track. The report shows that in cases where the ship owners, operators, and captains appear to have been directly involved in the trafficking attempt, the ships tended to be older and to be sailing under “flags of convenience.” They regularly performed badly in safety and pollution inspections when they entered ports. Source: http://www.guardian.co.uk/world/2012/jan/30/sea-trafficking-report-guns-drugs

• Tanker trucks loaded with water have become the lifeline for a Texas village that came close to becoming the state’s first community to run out of drinking water during a historic drought. – Associated Press (See item 23)

23. January 31, Associated Press – (Texas) Texas town relying on tanker trucks for water after wells nearly run dry amid drought. Tanker trucks loaded with water have become the lifeline for a Texas lakefront village that came close to becoming the state’s first community to run out of drinking water during a historic drought. Spicewood received its first 8,000-gallon water delivery January 30, after it became clear wells could no longer produce enough water to meet the needs of the community’s 1,100 residents and elementary school, a spokeswoman of the Lower Colorado River Authority said. The manager of water operations for the authority said it plans to truck water into the central Texas town for several more weeks while exploring alternatives, including drilling a new well or piping water from Lake Travis. But the agency does not want to rush into any project, and prefers for now to pay $200 per truckload of water while ensuring the tens of thousands of dollars it will cost to find a permanent solution are well spent. Several towns and villages in Texas have come close to running out of water during the driest year in state history, but until now none has had to truck in water. The Lower Colorado River Authority realized the week of January 23 how dire the situation was, and informed a commissioner in Burnet County January 30. By the next day, the well had dropped an additional 1.3 feet overnight. The severest forms of water restrictions have been put in place, and the authority said there would be no new hookups to the town’s water supply. Trucks, including at least one 6,000 gallon tanker, will make about four or five deliveries a day, officials said. Source: http://www.newser.com/article/d9sjtidg1/texas-town-relying-on-tanker-trucks-for-water-after-wells-nearly-run-dry-amid-drought.html

Details

Banking and Finance Sector

11. January 31, Fort Wayne Journal-Gazette – (Indiana; International) Ex-Symmetry execs accused in books fraud. The U.S. Securities and Exchange Commission (SEC) January 30 charged four former executives at a British subsidiary of Warsaw, Indiana’s Symmetry Medical with accounting fraud and ordered current executives to pay back profits based on earnings from before the alleged fraud was discovered. The complaint filed in a South Bend, Indiana district court charged four people with years of fraud. The current Symmetry president of business development also agreed to reimburse Symmetry for bonuses, incentive pay, and stock profits he garnered during the time of the fraud. That agreement, subject to approval, will result in $450,000 in reimbursements, the SEC said. Symmetry’s chief financial officer agreed to pay a $25,000 penalty and reimburse $185,000 for failing to provide an internal audit status report. According to court documents, the scheme at Thornton Precision Components began in 1999, 4 years before it was acquired by Symmetry. Those named generated premature invoices for products not complete, recorded fictional sales, created fake documentation, and manipulated inventories. In 2003, Thornton Precision passed the phony information on to Symmetry. When Symmetry restated its earnings from that period, the numbers dropped from 39 percent to 421 percent. In the fiscal year 2005, Symmetry initially reported $31.8 million in income, but in reality lost $9.9 million, court documents said. “The fraud caused Symmetry’s share price to be fraudulently inflated by as much as 20.4 percent, with a corresponding loss to Symmetry and its investors â¦ of as much as $120 million in market capitalization,” SEC attorneys allege. Two auditors at the British branch of the accounting firm Ernst & Young were found to have engaged in improper professional conduct by failing to properly audit Thornton Precision. The two have been barred from practicing before the SEC for at least 2 years. Source: http://www.journalgazette.net/article/20120131/LOCAL03/301319970/1002/LOCAL

12. January 31, Associated Press – (California; Missouri) Calif. man pleads guilty in $8.5M mortgage fraud. A California man pleaded guilty January 30 in federal court in Kansas City, Missouri, to his role in a mortgage scheme that defrauded a western Missouri bank of more than $8.5 million. He admitted defrauding American Sterling Bank in Sugar Creek in a scheme that ran from October 2006 to January 2007, about 18 months before the suburban Kansas City bank was closed. Prosecutors said the defendant submitted fraudulent loan applications for borrowers on behalf of a California mortgage broker. American Sterling approved nearly $8.6 million in loans for 19 properties in California. He could be sentenced to up to 30 years in prison without parole and fined up to $1 million. Source: http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2012/01/31/state/n020134S43.DTL

13. January 31, Cleveland Plain Dealer – (Ohio; International) ‘Koljo the American’ pleads guilty in federal court for his role in St. Paul Croatian Credit Union collapse. A man described in Macedonian newspapers as an organized crime figure pleaded guilty to 18 counts of bribery, bank fraud, and money laundering January 30 in a federal court in Cleveland for his role in the collapse of the St. Paul Croatian Federal Credit Union in Eastlake, Ohio, a U.S. Department of Justice spokesman said. The spokesman said that between 2003 and 2009, the man, working with the credit union’s chief operating officer (COO), fraudulently obtained loans of $5.6 million that were never repaid. Federal law enforcement officials called it one of the largest credit union failures in American history. It cost the National Credit Union Share Insurance Fund $170 million. Of the $5.6 million the man obtained for himself and family members, the spokesman said, $2 million was sent to bank accounts in the Balkan Republic of Macedonia. The spokesman said officials recovered about $850,000 of the $2 million. Source: http://blog.cleveland.com/metro/2012/01/koljo_the_american_pleads_guil.html

14. January 30, Atlanta Journal-Constitution – (Georgia; Hawaii) DeKalb woman admits scamming U.S. Senator in credit card fraud. A DeKalb County, Georgia woman pleaded guilty January 30 to her part in a credit card fraud ring that victimized, among other people, a U.S. Senator. The defendant was indicted in May on identity fraud and financial transaction card fraud for helping two other people purchase $12,000 in Wal-Mart gift cards and other merchandise with bogus credit cards encoded with real account numbers on the magnetic strip. The woman was an accomplice in a credit card skimming scam for which authorities are seeking the mastermind, court officials said. The mastermind was arrested in March 2010 and released on bond with the promise he would cooperate with the Secret Service. But he instead fled and is being sought by authorities. The mastermind’s involvement stretched farther than the store where the woman worked. First Hawaiian Bank officials told police the U.S. Senator’s Mastercard account was used at other Wal-Mart locations. Also, when police searched the man’s hotel room before he was arrested, they found documentation showing he had just deposited two checks worth more than $100,000 into a bank account, the district attorney said in court. The checks were counterfeited from a New York-based non-profit, she said. Also in the hotel room were a computer, a re-encoding machine for making counterfeit credit cards, Wal-Mart and American Express gift cards, and stolen debit cards. Source: http://www.ajc.com/news/dekalb/dekalb-woman-admits-scamming-1323949.html

For another story, see item 42 below in the Information Technology Sector

Information Technology

39. January 31, SC Magazine UK – (International) Symantec declares pcAnywhere safe to use. Symantec announced its pcAnywhere software is now safe to use, with free upgrades offered to users, SC Magazine UK reported January 31. According to Reuters, the company determined the current version of pcAnywhere is safe, provided it has been updated with a security patch released January 23. A Symantec spokesman said it is offering free upgrades to pcAnywhere 12.5 to all customers, even those using old editions. He also said that while Symantec is advising all users to upgrade, they can safely continue using versions 12.0 and 12.1 if they download a second software patch released January 27. Symantec advised users the week of January 23 to disable pcAnywhere as they were at increased risk of being hacked after the blueprints to the software were stolen. However, according to the chief security officer at Rapid7, more than 140,000 computers appear to remain configured to pcAnywhere to allow direct connections from the Internet, especially point-of-sale machines, putting them at risk. Source: http://www.scmagazineuk.com/symantec-declares-pcanywhere-safe-to-use/article/225425/

40. January 31, The Register – (International) Virus-slingers abuse WordPress vulns, dose punters with exploit. Malware-spreaders are hacking into vulnerable WordPress-powered sites to drive traffic towards pages loaded with exploits, The Register reported January 31. Hundreds of Web sites based on WordPress 3.2.1 have been compromised so that surfers directed to the Wordpress-built sites via e-mail links are exposed to the Phoenix exploit kit, M86 Security warned. To lure users to compromised pages, the attacker has spammed out thousands of malicious e-mails querying an unfamiliar bill and asking recipients to click on a link. The link points to a page on compromised WordPress sites (the sites appear legitimate to spam filters) that includes a hidden iFrame, which loads the Phoenix exploit kit from a Russian-hosted server. Arriving at the page puts surfers in the firing line of a page that attempts exploit multiple vulnerabilities in Microsoft Internet Explorer, Adobe PDF, Flash, and Oracle Java. The attack is ultimately designed to distribute a information-harvesting Trojan, dubbed Cridex-B. Source: http://www.theregister.co.uk/2012/01/31/wordpress_vuln_phoenix/

41. January 31, Softpedia – (International) Facebook Valentine’s Day Theme Leads to Trojan. Trend Micro researchers came across a Valentine’s Day-themed Facebook scam that attempts to dupe victims into downloading a malicious Trojan that later places itself in the browser with the purpose of helping crooks make money, Softpedia reported January 31. Facebook customers who fall for the phony advertisement and click it are taken to a Web site that displays a large Install button. Once clicked, the page prompts the user to download a file called FacebookChrome.crx, identified by the security firm as Troj.Fookbace.A. Upon execution, the Trojan executes a script that is capable of displaying ads from other sites, as well as installing itself on the browser as an extension named Facebook Improvement. After it is successfully installed, the malicious extension monitors Web activities, redirects sessions to survey pages that request sensitive data, performs like-jacking attacks, and posts ill-intended messages onbehalf of the victim. Experts believe these attacks are specially designed to target Chrome users, but note they also work with Mozilla Firefox. Facebook members that utilize Internet Explorer are directly taken to the survey site because the extension does not work that browser. Source: http://news.softpedia.com/news/Facebook-Valentine-s-Day-Theme-Leads-to-Trojan-249729.shtml

42. January 30, Softpedia – (International) Cidrex trojan breaks CAPTCHA to create Yahoo! email account. Security experts found a component of the ZeuS-like Cidrex trojan was able to break the security tests to create e-mail accounts, Softpedia reported January 30. Websense researchers came across a variant of Cidrex, a banking trojan, that not only infects computers with the purpose of stealing sensitive data from their owners, but it also manages to create Yahoo! e-mail accounts to spam others. This certain version of the malware spreads via e-mails containing a shortened link that points to the Blackhole exploit kit. If the exploit is successful, the trojan is downloaded to the infected machine. Normally, if CAPTCHAs were strong, automated tools would have a hard time creating accounts, but experts showed that with just six attempts, this malevolent element breaks the security test and creates a Yahoo e-mail account without much difficulty. This is done by harvesting the image that represents the CAPTCHA and sending it with an HTTP POST request to a CAPTCHA-breaking server that outputs a response in JSON format. Source: http://news.softpedia.com/news/Cidrex-Trojan-Breaks-CAPTCHA-to-Create-Yahoo-Email-Account-249437.shtml

43. January 30, The H – (International) Samba update closes DoS hole. The developers ofSamba released a security update to the Samba Windows interoperability suite for Unix, H Security reported January 30. Version 3.6.3 of Samba was published only 4 days after releasing the new stable version, Samba 3.6.2. The security update addressed a memory leak that consumes a small amount of memory when the smbd daemon is handling connection requests. If an attacker made repeated connection requests, this flaw could be exploited to cause a denial of service. Source: http://www.h-online.com/security/news/item/Samba-update-closes-DoS-hole-1424516.html

For another story, see item 45 below in the Communications Sector.

Communications Sector

44. January 31, Lynchburg News & Advance – (Virginia) Service outage strikes nTelos Wireless customers. A service outage lasting about three hours affected nTelos Wireless customers in western parts of Virginia January 31. The outage started at 7:04 a.m. due to an equipment failure, the director of public relations for the Waynesboro-based cell phone company said. The equipment failure took out three circuits that transport all calls or text messages. The outage affected customers from Lynchburg and Charlottesville to the western part of the state. All calls routed back to the Waynesboro area, where the equipment failure occurred. The equipment was repaired by 10 a.m. and the public relations director said customers should have restored service. There were no numbers on how many customers were affected. Source: http://www2.newsadvance.com/business/2012/jan/31/2/service-outage-strikes-ntelos-wireless-customers-ar-1652727/

45. January 30, KYTV 3 Springfield – (Missouri) Internet outage at Mediacom affects 30,000+ customers in southern MO. Mediacom said a problem connecting to another company caused an Internet service outage for 30,000 - 60,000 Mediacom customers January 30, including KY3 and KSPR. The outage started about 1:30 p.m. January 30 and was still ongoing 4 hours later. Mediacom said it did not know how long the problem would last. The outage affected customers in Springfield and other areas of southern Missouri. Source: http://www.kspr.com/news/ky3-internet-outage-at-mediacom-affects-30000-customers-in-southern-mo-20120130,0,575163.story

For more stories, see items 41 and 42 above in the Information Technology Sector

2012-01-31T04:55:00.001-05:00

Tuesday, January 31, 2012

Complete DHS Daily Report for January 31, 2012

Daily Report

Top Stories

• Heavy smoke from a wildfire caused a massive 19-car pileup on Interstate 75 near Gainesville, Florida, that killed 10 people and intermittently shut the highway down for several days. – Orlando Sentinel (See item 16)

16. January 30, Orlando Sentinel – (Florida) ‘Low visibility’ reported hours before Florida interstate pileup that killed 10. Troopers reopened Interstate 75 January 30 as the investigation continued into the massive pileup that killed 10 people on the highway near Gainesville, Florida the weekend of January 28. The Florida Highway Patrol (FHP) released an accident report January 30 showing there was a three-way crash at 11:55 p.m., involving a tractor-trailer and two SUVs, that preceded the massive pileup early January 29, according to the Associated Press. One person was seriously injured in the January 28 crash. A trooper noted in his report “there was heavy smoke in the area, causing low visibility.” The highway was closed to traffic a short time later. The 19-vehicle crash happened after the smoke- and fog-shrouded highway reopened at about 4 a.m. Besides the 10 people killed, 18 people were hospitalized. Wreckage, some of it burned and twisted, stretched for about a mile along the high-traffic road, the main transit route down the middle of the state. It was closed in both directions for hours. Troopers re-opened lanes the evening of January 29, but shut the interstate down again early January 30 because of smoke and visibility issues, a FHP spokesperson said. All lanes reopened at about 11 a.m. January 30. A 62-acre fire broke out January 28 in Paynes Prairie, a wildlife area that straddles the freeway just south of Gainesville, but a spokeswoman for the Florida Forest Service said it was not clear how it started. Source: http://www.chicagotribune.com/news/nationworld/os-florida-highway-deaths-killed-i-75-20120130,0,2598249.story

• The largest-ever Android malware campaign may have duped as many as 5 million users into downloading infected apps from Google’s Android Market, Symantec said. – Computerworld. See item 44 below in the Information Technology Sector.

Details

Banking and Finance Sector

10. January 30, Coeur d’Alene Press – (Idaho; Oregon) Car dealers face fraud charges. A Post Falls, Idaho man is among three suspects accused of more than $6 million in bank fraud as a former auto dealership owner, the Coeur d’Alene Press reported January 30. The man and his brother owned three now-closed D&R auto dealerships formerly located in Hermiston and Enterprise, Oregon. The indictment alleges that from January 2007 through August 2008, the men conspired to defraud KeyBank in connection with a Floorplan Line of Credit and Security Agreement, known in the auto industry as a “flooring loan.” KeyBank extended a line of credit to the dealerships to purchase new inventory, but the men allegedly failed to repay KeyBank after they sold the inventory. The indictment alleges the three deceived KeyBank into believing the dealerships had not yet sold inventory, including asking customers to return recently purchased vehicles to receive a free service on the day of an audit, and misrepresenting to KeyBank that automobiles not present on the lot were being used as rental cars. The indictment also alleges the defendants submitted false vehicle identification numbers (VINs) to KeyBank to receive funding for inventory the dealerships never purchased, and that defendants “double floored” vehicles with more than one financial institution. Source: http://www.cdapress.com/news/local_news/article_1f155dcb-146c-59e2-ac14-324f674981de.html

11. January 30, Bloomberg – (California) FDIC sues ex-officers of Merced’s County Bank over $42 million in loans. The Federal Deposit Insurance Corp. (FDIC) January 27 sued former officials of County Bank in Merced, California, part of Capital Corp. of the West, claiming their mismanagement caused $42 million in losses through bad loans. Named in the suit, filed in federal court in Fresno, were County Bank’s former chief executive officer, three former vice presidents, and the former chief operating officer and bank president. “[The d]efendants caused or allowed County to make imprudent real estate loans,” the FDIC said in the complaint. The bank ailed in 2009, according to the complaint. The FDIC is receiver for the bank. “Management repeatedly disregarded the bank’s credit policies and approved loans to borrowers who were not credit worthy” or lacked sufficient collateral, the FDIC alleged. Source: http://www.bloomberg.com/news/2012-01-30/fdic-sues-ex-officers-of-merced-s-county-bank-over-42-million-in-loans.html

12. January 30, WLS 7 Chicago – (Illinois) Wicker Park Bandit hits 9th bank. The bank robber dubbed the Wicker Park Bandit struck again in Chicago January 28. No one has been hurt in any of the robberies. Most recently, a Chase Bank was hit. Authorities said it is the ninth bank to be robbed by the Wicker Park Bandit, at least one robbery every week since December 20. The face of the suspect is visible in surveillance photos and with Area 3 police headquarters only 2 blocks away from the latest robbery, it shows just how bold the robber has become. Source: http://abclocal.go.com/wls/story?section=news/local&id=8523865

13. January 28, Associated Press – (Iowa) Bank robber threatens clerk with Molotov cocktail. Authorities in Crawford County, Iowa, are looking for a suspect who they said threatened a teller at the Westside State Bank in Vail with an explosive device before fleeing with an undisclosed amount of cash. The robbery occurred just after 9 a.m. January 28. The Crawford County sheriff said the man threatened a teller with a Molotov cocktail, but did not use the homemade bomb. The sheriff said the suspect took an undisclosed amount of cash and fled on foot. Source: http://www.kcci.com/r/30323507/detail.html

14. January 28, Norwalk Hour – (Connecticut) Stamford bank teller, N.Y. man plead guilty to tax fraud scheme. A Stamford, Connecticut bank teller and a New York City man pleaded guilty January 26 and 27, respectively, in a U.S. district court in Hartford to fraudulently obtaining and cashing dozens of tax return checks. The defendants both played roles in the conspiracy, which defrauded the Internal Revenue Service (IRS) of nearly $200,000. They both pleaded guilty to one count of conspiracy to defraud the IRS. The New York man and his co-conspirators, who were not named, obtained 35 tax return checks under false pretenses, and the employee cashed the checks while working as a teller at a bank in Stamford, prosecutors said. The scheme cost the IRS $120,195.77, according to an indictment. Members of the fraud scheme also cashed $19,000 in fraudulent tax return checks at other locations, according to court documents. Both defendants face 10 years in prison and $400,000 in fines. Source: http://www.thehour.com/story/518719/stamford-bank-teller-n-y-man-plead-guilty-to-tax-fraud-scheme

15. January 27, ABC News – (National) New Fed task force subpoenas 11 in mortgage fraud probe. A new federal and state task force was created January 27 to investigate mortgage fraud that contributed to the 2008 financial crisis, and the panel immediately subpoenaed 11 financial institutions. The U.S. attorney general said the new unit would consist of 55 Justice Department lawyers and analysts and 10 FBI agents to work with state attorney general’s offices to investigate how mortgage backed securities were created, sold, and valued by financial institutions. The creation of the unit was announced by the U.S. President in his State of the Union address January 24. Making the announcement the attorney general disclosed that the Justice Department has sent civil subponeas to 11 financial institutions as part of the investigation. They did not identify the targets of the subpoenas. Although the FBI, U.S. Securities and Exchange Commission, and Justice Department have been investigating numerous aspects of the financial crisis, officials hope the new group may be able to use New York State’s Martin Act, which gives investigators broad powers to investigate fraud. The act allows New York to bring criminal and civil fraud charges without needing to show intent to commit fraud. Source: http://abcnews.go.com/blogs/politics/2012/01/new-fed-task-force-subpoenas-11-in-mortgage-fraud-probe/

For more stories, see items 41 and 42 below in the Information Technology Sector.

Information Technology

41. January 30, BBC News – (International) Technology firms create DMarc to fight phishing. A crackdown on “phishing” scams has been announced by 15 of the top technology companies. E-mail providers such as Google and Microsoft will work with companies like Paypal and the Bank of America to improve authentication. The Domain-based Message Authentication, Reporting and Conformance (DMarc) coalition has released plans to produce a “feedback loop” between e-mail receivers and senders. The initiative is the first significant attempt to bring together e-mail and service providers along with key security organizations. DMarc said this industry-wide involvement — which covers the receivers, senders, and intermediaries of e-mail use — will mean e-mail providers will for the first time be able to reliably filter out unwanted e-mails, rather than use “complex and imperfect measurements” to determine threats. Source: http://www.bbc.co.uk/news/technology-16787503

42. January 28, Dark Reading – (International) New drive-by spam infects those who open email — no attachment needed. Attackers have developed a new way to infect a user’s PC through e-mail. According to researchers at eleven, a German security firm, the new drive-by spam automatically downloads malware when an e-mail is opened in the e-mail client. The user does not have to click on a link or open an attachment — just opening the e-mail is enough. The current wave of drive-by spam contains the subject “Banking security update” and has a sender address with the domain fdic.com. If the e-mail client allows HTML e-mails to be displayed, the HTML code is immediately activated. Source: http://www.darkreading.com/security/attacks-breaches/232500660/new-drive-by-spam-infects-those-who-open-email-no-attachment-needed.html

43. January 27, IDG News Service – (International) Drive-by-download attack exploits critical vulnerability in Windows Media Player. Security researchers from antivirus vendor Trend Micro have come across a Web-based attack that exploits a known vulnerability in Windows Media Player, a threat response engineer said in a blog post January 26. The security flaw can be exploited by tricking the victim into opening a specially crafted MIDI (Musical Instrument Digital Interface) file in Windows Media Player. Microsoft released a security fix for it January 10, as part of its monthly patch cycle. If successful, the exploit downloads and executes a computer Trojan on the targeted system, which Trend Micro detects as TROJ_DLOAD.QYUA. “[So] far we’ve been seeing some serious payload, including rootkit capabilities,” the Trend Micro engineer said. The attack is not widespread at the moment, but it is possible other attackers will start exploiting the same vulnerability in the near future, a senior antivirus researcher said. Source: http://www.computerworld.com/s/article/9223768/Drive_by_download_attack_exploits_critical_vulnerability_in_Windows_Media_Player

44. January 27, Computerworld – (International) Massive Android malware op may have infected 5 million users. The largest-ever Android malware campaign may have duped as many as 5 million users into downloading infected apps from Google’s Android Market, Symantec said January 27. Dubbed “Android.Counterclank” by Symantec, the malware was packaged in 13 different apps from three different publishers, with titles ranging from “Sexy Girls Puzzle” to “Counter Strike Ground Force.” “They don’t appear to be real publishers,” a director with Symantec’s security response team said in an interview. “These aren’t rebundled apps, as we’ve seen so many times before.” Symantec estimated the impact by combining the download totals of the 13 apps, arriving at a figure between 1 million on the low end and 5 million on the high. When installed on an Android smartphone, Android. Counterclank collects a wide range of information, including copies of the bookmarks and the handset maker. Italso modifies the browser’s home page. Source: http://www.computerworld.com/s/article/9223777/Massive_Android_malware_op_may_have_infected_5_million_users

45. January 27, H Security – (International) Cisco Security Appliances at risk from Telnet bug. Cisco has warned of a vulnerability in the telnet server used in its IronPort Email Security Appliances (ESA) and IronPort Security Management Appliances (SMA) monitoring solutions. The vulnerability could be exploited by an attacker to remotely execute code on a system by sending a specially crafted command to the telnet daemon (telnetd). A buffer overflow in the encrypt_keyid() function causes the server to execute the injected code with system privileges. Updates are available for many distributions, including Red Hat and Debian. Kerberos 5 (krb5-appl) up to and including version 1.0.2 and Heimdal up to and including version 1.5.1 are also affected.The vulnerability is already being actively exploited and an exploit for the vulnerabilityis freely available. Source: http://www.h-online.com/security/news/item/Cisco-Security-Appliances-at-risk-from-Telnet-bug-1423741.html

For another story, see item 48 below in the Communications Sector.

Communications Sector

46. January 30, KTBS 3 Shreveport – (Louisiana; Texas) Verizon customers experiencing outages. The work week was off to a bad start for many Verizon Wireless customers in northeast Texas and northwest Louisiana January 30. According to a Verizon Wireless spokeswoman, an outage was impacting both 3G and voice service customers in parts of the Arklatex. As of the afternoon of January 30, there was no word on how many customers were affected or when the problem might be resolved. Source: http://www.ktbs.com/news/30330961/detail.html

47. January 29, Hunterdon County Democrat – (New Jersey) CenturyLink landline telephone service restored to northern Hunterdon County after outage. Phone service in northern Hunterdon County, New Jersey, was back to normal around 11 p.m. January 28, according to a CenturyLink spokesman. At about 8:15 p.m., an electronic card failed, affecting customers in the Clinton, Califon, Hampton, and High Bridge exchanges, he said. Phone calls could be made within those exchanges, but there was no landline communication in or out of those exchanges. Affected exchanges were 537, 638, 238, 328, 735, 730, 713, and 832. Phone service at Hunterdon Medical Center in the Raritan Township-Flemington area had also been disrupted. Hunterdon County Office of Emergency Management officials were advising residents to use cell phones to call 911 if they had an emergency, and fire and rescue companies were advised to have crews standing by, apparently to keep response time low to compensate for any delays in receiving word of emergencies. Source: http://www.nj.com/hunterdon-county-democrat/index.ssf/2012/01/centurylink_landline_telephone.html

48. January 29, TechCrunch – (International) DreamHost’s unhappy January continues: First, a database breach, now an outage. DreamHost, the low-cost hosting provider and domain name registrar found some unauthorized activity in its databases January 20, which they later admitted were a series of attacks that may have led to the theft of some FTP passwords. The company required mandatory password resets for all their Shell/FTP accounts. Dreamhost’s problems continued January 29, as they have been reporting outages, as Web, SSH, and FTP services were down for many of the firm’s virtual private servers (VPS), shared, and dedicated machines. The outage was reported at 4 a.m. Pacific Standard Time January 29, and continued throughout the day. In the company’s initial blog post, the team said “the apache (web), SSH, and FTP services on a subset of our VPS and dedicated servers are currently down. FTP services on some shared servers are also experiencing downtime.” Furthermore, the post said the outage only affected Web VPS/dedicated and shared web server FTP services, while other services or servers were unaffected. Judging from the parade of comments and subsequent updates, users were experiencing problems with MySQL and Webmail services as well. The majority of the large problems seemed to have been addressed as of 6:30 p.m. DreamHost plays host to thousands of small Web sites and personal blogs across the Web. Most of the sites are back up, but from what these site owners have learned from DreamHost, the VPS server was damaged by new software they were installing the morning of January 29, leading to a sizable outage with ripple effects. Even though the outage lasted nearly 24 hours for some, many could not even access files to move to another host. Source: http://techcrunch.com/2012/01/29/dreamhosts-unhappy-january-continues-first-a-database-breach-now-an-outage/

49. January 27, KOSA 7 Odessa – (Texas) Downed power lines cause power, Internet outages. Cableone Internet service was restored to some customers in west Texas after outages January 27. A truck hauling an oil rig was hauling a bigger load than permitted, which downed power lines the morning of January 27. Power was out for several hours but has since been restored. However, a fiber line was also cut. Internet service was affected for Cableone, Grande, and AT&T customers. Source: http://www.cbs7.com/news/details.asp?ID=32137

For more stories, see items 41 and 44 above in the Information Technology Sector.

2012-01-28T15:07:00.000-05:00

Monday, January 30, 2012

Complete DHS Daily Report for January 30, 2012

Daily Report

Top Stories

• The Securities and Exchange Commission (SEC) claimed a trader in Latvia, as well as four U.S. trading firms and their executives, used an online account intrusion scheme to manipulate the prices of more than 100 U.S.-exchange listed securities, causing more than $2 million in harm. – U.S. Securities and Exchange Commission (See item 16)

16. January 26, U.S. Securities and Exchange Commission – (National; International) SEC charges Latvian trader in pervasive brokerage account hijacking scheme. The Securities and Exchange Commission (SEC) January 26 charged a trader in Latvia for conducting a widespread online account intrusion scheme in which he manipulated the prices of more than 100 New York Stock Exchange (NYSE) and Nasdaq securities and caused more than $2 million in harm to customers of U.S. brokerage firms. The SEC also instituted related administrative proceedings against four electronic trading firms and eight executives charged with enabling the trader’s scheme by allowing him anonymous and unfiltered access to U.S. markets. According to the complaint, the defendant broke into online brokerage accounts of customers at large U.S. broker-dealers and drove stock prices up or down by making unauthorized purchases or sales. This occurred on more than 150 occasions over 14 months. The defendant – using the direct, anonymous market access provided by various unregistered firms – traded those same securities at artificial prices and reaped more than $850,000 in illegal profits. According to the SEC, the four electronic trading firms allowed the defendant to trade through their electronic platforms without first registering as brokers. These firms gave the defendant a gateway to U.S. securities markets while circumventing the protections of federal securities law. The SEC’s complaint alleges the defendant violated the anti fraud provisions of federal securities law and seeks injunctive relief, disgorgement with prejudgment interest, and financial penalties. Source: http://www.sec.gov/news/press/2012/2012-17.htm

• Two spans of a heavily-traveled Benton, Kentucky bridge collapsed after being struck by a cargo ship carrying aviation parts. – Associated Press (See item 19)

19. January 27, Associated Press – (Kentucky) Officials: Portion of Kentucky bridge collapses. Two spans of a Benton, Kentucky bridge collapsed after being struck by a cargo ship that carried aviation parts. No injuries were immediately reported, state transportation officials said. The Delta Mariner struck the main span of the Eggner Ferry Bridge January 26 at U.S. Highway 68 and Kentucky Highway 80, said a spokesman for the Kentucky Transportation Cabinet. State inspectors are on their way to determine how much of the bridge, which opened to traffic in 1932, was damaged. Officials said the bridge was closed to traffic, causing vehicles needing to cross the Kentucky Lake reservoir and the Tennessee River to be detoured for dozens of miles. The U.S. Coast Guard also blocked access to boat traffic at the bridge site. Officials say about 2,800 vehicles travel daily on the bridge, which already was in the process of being replaced, although the new bridge has not been built yet. Motorists were advised to take alternate routes. Source: http://www.foxnews.com/us/2012/01/27/officials-portion-kentucky-bridge-collapses/

Details

Banking and Finance Sector

12. January 27, Buffalo News – (New York) 4 men charged after Black Money swindle goes awry. A West African currency scam arrived in Cheektowaga, New York, the weekend of January 21, landing three men in hot water along with their alleged victim, who later tried to take back his money at gunpoint, Cheektowaga police said January 26. Police said the incident began when three Liberian natives targeted a Buffalo man under what police call a Black Money Scam. The scam is a popular fraud in which the victim is presented with black construction paper reported to be real U.S. currency that had been dyed black through a chemical process. The con men told the victim they needed money to buy another chemical to wash away the black dye and make the currency usable. He turned over $21,000 to the three scammers in exchange for half of the black paper, police said. After he realized he had been scammed, the victim called the scammers and told them he had some friends who also wanted in on the “investment” in order to set up another meeting. At that meeting, which took place somewhere in Buffalo late January 21 or early January 22, the three con men were ambushed at gunpoint by the victim and up to three other men and forced into the basement of an unknown address. One of the men was taken back to his hotel room by the original victim, who demanded a return of his money. The three scammers were charged with fraudulent accosting and criminal possession of a forgery instrument. The original victim was charged with conspiracy and robbery. Source: http://www.buffalonews.com/city/communities/cheektowaga/article716451.ece

13. January 27, Somerset Courier News – (New Jersey) FBI nabs would-be Westfield bank robber. FBI agents arrested a TD Bank employee at his Elizabeth, New Jersey home January 26 on charges he conspired to commit bank robbery, according to authorities. According to the complaint, an individual entered a TD Bank in Westfield September 11, and passed a deposit slip across the counter to a bank teller. As the teller stepped back from the counter upon reading the note, the person reached across the counter and grabbed the money the teller had been counting, about $5,721. Between September and December, seven additional bank robberies occurred at TD Bank locations throughout New Jersey, a U.S. attorney said. According to the investigation, the alleged bank robber exchanged text messages in November and December with the arrested TD Bank employee. The two discussed when and how the vault of the Westfield branch could be robbed. During an interview with law enforcement, the employee acknowledged he discussed robbing the vault with the alleged bank robber and others, the U.S. attorney said. The employee said the robber agreed to give him up to $50,000 of the money from the vault. The charge of criminal conspiracy carries a maximum potential penalty of 5 years in prison and a fine of up to $250,000, officials said. Source: http://www.mycentraljersey.com/article/20120126/NJNEWS/301260036/FBI-nabs-would-Westfield-bank-robber?odyssey=nav|head

14. January 27, St. Augustine Record; Florida Times-Union – (Florida) Guilty verdict sparks relief, regret for victims. A jury in a U.S. district court in Jacksonville, Florida, January 26 convicted a woman on all 14 counts in a Ponzi scheme through which she defrauded investors of as much as $100 million. She faces up to 20 years on each of the 14 counts for which she was found guilty. A bankruptcy attorney said all of the investors are to be given stock in Integrity Auto Finance, the new company formed in Chapter 11 bankruptcy from the remains of the woman’s corporation. A cash disbursement is also coming on May 4, the first of an annual disbursement from a creditor trust. That trust is funded by whatever remained of the woman’s assets after the formation of Integrity. Source: http://staugustine.com/news/local-news/2012-01-26/cladeks-guilty-verdict-sparks-relief-regret-victims#.TyLNqIEhxI5

15. January 26, Minneapolis Star Tribune – (National) Bloomington duo accused of mortgage fraud. Two Bloomington residents were arraigned January 26 in Minneapolis on charges they ran an $8 million equity-stripping scheme under the guise of a nonprofit that claimed to help troubled homeowners avoid foreclosure. The residents were each charged January 19 in a sealed indictment with conspiracy, fraud, and money laundering involving transactions that took place from 2005 through October 2007. One of the defendants owned and operated Unified Home Solutions (UHS) and American Mortgage Lenders (AML), a mortgage brokerage that facilitated the transactions, the indictment says. It notes the UHS owner told homeowners facing foreclosure that he offered a rescue program backed by investors who would buy their homes and sell them back after they had regained their financial footing. The indictment says the mortgages were obtained with fraudulent financial information. Investors collected a “risk fee,” generally 3 percent of the purchase price, but most of the equity in the home went to UHS and AML, according to an affidavit filed in the case by an Internal Revenue Service (IRS) criminal investigator. She said UHS, AML, and their owner facilitated the sale of about 79 properties; fewer than five avoided foreclosure. Source: http://www.startribune.com/business/138169374.html

17. January 26, Costa Mesa Daily Pilot – (California) Couple pleads guilty to bank fraud. Two Newport Coast, California residents pleaded guilty January 26 to bank fraud in connection with seven different financial institutions. The couple gained a revolving line of credit from multiple banks, including Bank of America, in the amount of $130 million by falsifying their business revenue for Anaheim-based Galleria USA, according to a news release from the U.S. Department of Justice. The banks lost about $4.7 million because of the fraud between 2008 and 2009. They face a maximum of 40 years in federal prison. Source: http://articles.dailypilot.com/2012-01-26/news/tn-dpt-0127-fu-20120126_1_galleria-usa-thomas-chia-fu-bank-fraud

18. January 26, Associated Press – (International) US hits German-Moroccan brothers, German-Turk with terrorism sanctions. The U.S. Presidential administration is hitting two German-Moroccan brothers and a German-Turk man with financial sanctions for their involvement in terrorist activities in central Asia, the Middle East, and Europe, the Associated Press reported January 26. The State Department and Treasury Department said the brothers are identified as “specially designated global terrorists” along with the third man. The move freezes any assets they have in U.S. jurisdictions and bars Americans from financial dealings with them. The brothers are affiliated with the Islamic Movement of Uzbekistan, a designated foreign terrorist organization that claims responsibility for numerous attacks in Afghanistan. The third man is affiliated with the Islamic Jihad Union, another designated foreign terrorist organization, which was implicated in a 2007 bomb plot targeting U.S. military installations and American citizens in Germany. Source: http://www.washingtonpost.com/politics/us-hits-german-moroccan-brothers-german-turk-with-terrorism-sanctions/2012/01/26/gIQATzb0SQ_story.html

For another story, see item 50 below in the Information Technology Sector

Information Technology

46. January 27, Help Net Security – (International) Facebook scammers leverage the Amazon Cloud. Recently, spammers began using Amazon’s cloud services for hosting fake Facebook pages leading to surveys because it is cheap and because is less likely Facebook will block links from an Amazon domain. Users are usually reeled in with offers to see a funny/amazing/shocking video, and click on the offered URL (often a shortened one). In a recently spotted scam, users who click the link are taken to a fake Facebook page where those who use Chrome and Firefox are asked to install a fake YouTube plug-in to view the video. The offered plugin is not what it claims to be. “Upon installing the plugin, a redirector URL is generated by randomly selecting from the usernames, mo1tor to mo15tor, in the Amazon web service,” explain F-Secure researchers. “Then, the link generated is shortened through bitly.com via the use of any of the 5 hardcoded userID and API key-pairs. These key-pars gives a spammer the ability to auto-generate bit.ly URLs for the Amazon web service link. This ultimately leads to a redirection to the fake Facebook page.” These users are, therefore, responsible for propagating the scam further by unknowingly posting the scam message on their Facebook profiles, and are not asked to fill out surveys. Users who use other browsers are spared from inadvertently spamming their friends but are redirected to surveys provided by affiliate marketers. Source: http://www.net-security.org/secworld.php?id=12301

47. January 27, Help Net Security – (International) Unwanted apps on Android smartphones. Third-party Android Markets have always been the favorite means of malicious app dissemination, especially in regions where users do not have access to the official repository. This is also the case with the latest campaign laid out by cyber criminals to lure users into installing well-known applications on the genuine Android Market, but which have been tampered with to launch additional services along with the original app. Simply put, the original Android application downloaded from a third-party contains the legitimate app as well as a trojanized service (usually called “GoogleServicesFrameworkService”), which is launched with the host application. Identified by Bitdefender as Android.Trojan.FakeUpdates.A, this piece of malware connects to a command and control server and fetches a list of links to different Android application packages (APKs). After that, the malware downloads each APK from the list and then displays a notification in the status bar area, reading “In order to have access to the latest updates, click Install).” This approach confuses the user, as they do not know where the message came from. This trojan requires an extensive array of privileges upon installing, to make sure it can take full control over the smartphone whenever necessary. Depending on the APKs to be downloaded and installed, the application may require up to 10 privileges prior to installation. Most of the users will accept it without any second thoughts, since they believe what is to be installed is an update to one of the applications they already installed. Android applications posted on third-party Android Markets are not new; however, what is particularly important is the attackers’ modus operandi: they publish a legitimate application on the respective Market, let it live for a several days to get the positive ratings and gain users’ trust, and then change the APK with a trojanized one in order to fulfill their malicious goals. Most of the repackaged applications analyzed have low detection rates, which poses a danger even to smartphone users who run a mobile security solution. Android.Trojan.FakeUpdates.A poses a threat to the smartphone user as it can download and install anything, from trial versions of software in pay-per-install campaigns to spyware and other trojans. Source: http://www.net-security.org/malware_news.php?id=1976

48. January 27, Softpedia – (International) XSS vulnerability found in Google, Forbes, Myspace, MTV and Ferrari. A researcher from the Vulnerability Laboratory came across a cross-site scripting vulnerability in the Google Apps Web page, hosted on the google.com domain, but also in other popular Web sites. Longrifle0x found the flaw in Google Apps and reported it to Google. Even though the risk level is estimated as low, if unresolved, the security hole present in one of the search modules could allow a remote attacker to hijack cookies and even steal accounts. However, the attacker would have to social engineer the victim into performing certain tasks for the session hijacking to be successful. The vulnerability was reported January 21 and the vendor responded January 23, but as of January 27 the bug still exists on the Google page. This is not the only vulnerability found by longrifle0x in the past several days. The Forbes search page, Ferrari’s official online store, MTV, and MySpace also contain the same type of vulnerability. None of these pages are currently patched up and reports from XSSed reveal the domains were already cross-site scripted. Source: http://news.softpedia.com/news/XSS-Vulnerability-Found-in-Google-Forbes-Myspace-MTV-Ferrari-248996.shtml

49. January 27, Threatpost – (International) Attackers targeting Windows Media bug with malware. Security researchers saw attackers going after the newly patched CVE-2012-0003 vulnerability in the Windows Media Player. The flaw, which was patched earlier in January by Microsoft, is a critical one that can enable remote code execution, and it affects a wide range of Windows systems. When the patch was released, Microsoft officials recommended customers install it immediately as there was a decent chance of attackers leveraging it in the near future, which is exactly what happened. Researchers at the IBM ISS X-Force saw malicious attacks against the MIDI vulnerability going on in the wild in recent days, and said because exploitation of the flaw is not considered difficult, there may well be more on the horizon. To exploit this vulnerability, an attacker must entice a user into opening a specifically formatted media file. Once the exploit code executes, the attacker would then have full control of the system. There are now pieces of malware circulating online capable of exploiting this vulnerability. The specific attack Trend Micro’s researchers analyzed uses the shellcode to download an encrypted binary, which it then decrypts and executes. The payload in this attack includes some malware with rootkit capabilities, which is installed on the victim’s machine. That rootkit also then connects to a remote server and downloads another component, a backdoor. Source: http://threatpost.com/en_us/blogs/attackers-targeting-windows-media-bug-malware-012712

Communications Sector

50. January 26, WHIZ 40 Zanesville – (Ohio) 9-1-1 emergency service restored in New Concord. New Concord, Ohio, had problems January 25 after a barn fire cut service to 9-1-1 and thousands of cell phones. The New Concord fire chief said the early morning fire happened at 3739 Glenn Highway along U-S 40 in Guernsey County. The fire burned through the main trunk line. As a result, anyone with an 826 exchange was not able to call long distance, outside the village, or 9-1-1. Also, cell service was down to all providers, except Verizon. Due to the outages, Muskingum University, banks, and a number of other business were forced to shut down. Repair crews from Frontier Communications worked nearly all day to repair the damaged cables but the fire chief said the problem could have been prevented by having a back-up 9-1-1 connection — saving the county both money and potential lives. The Muskingum County Emergency Management Agency director said 9-1-1, and most of the other phone service were restored by the afternoon of January 25. Source: http://www.whiznews.com/content/news/local/2012/01/26/9-1-1-emergency-service-restored-in-new-concord-0

For more stories, see items 46, 47, and 48 above in the Information Technology Sector

2012-01-27T05:14:00.000-05:00

Friday, January 27, 2012

Complete DHS Daily Report for January 27, 2012

Daily Report

Top Stories

• A Kentucky mine was shut down after federal inspectors found two unsecured cases of explosives near a burning pile of coal, loose coal near ignition sources, and inches-thick piles of explosive dust. – Associated Press (See item 2)

2. January 25, Associated Press – (Kentucky) MSHA shuts Ky. mine over coal fire, other hazards. A Kentucky mine was shut down after federal inspectors found two unsecured cases of explosives near a burning pile of coal, as the government issued 174 citations and 19 orders at troubled coal mines during December. The Mine Safety and Health Administration (MSHA) said January 25 it issued 32 citations and 12 orders against Coal Creek Mining LLC’s No. 2 Mine in Floyd County, Kentucky. Inspectors found a 5- by 10-foot coal pile on fire about 23 feet from two cases of explosives outside the mine and issued an imminent danger order. The key to the explosives cache was lying on top. Inspectors said they also found a 5-gallon oil bucket full of burning coal and other materials near a portal in the mine, and loose coal up to 30 inches deep under conveyor belts and near ignition sources. The mine was inadequately dusted with pulverized limestone to prevent explosions, and the MSHA said the operator also failed to use approved ventilation plans. Explosive coal dust was 2 to 4 inches deep in places. More unwarrantable failure orders were issued for inadequate hazard examinations, including on-shift conveyor belt examinations and weekly inspections of the return air course and electrical equipment. After the December inspection, the MSHA issued two more orders against Coal Creek for failing to fully correct the problems. The agency also issued 53 citations and five orders in December against Clark Mining Inc.’s No. 3 mine, and 25 citations and two orders against Bell County Coal Corp’s Jellico No. 1, both in Kentucky. Source: http://www.cbsnews.com/8301-505245_162-57366077/msha-shuts-ky-mine-over-coal-fire-other-hazards/

• A prominent Miami businessman pleaded guilty January 25 to fraud in a $135 million real estate scheme that fleeced hundreds of investors in Florida, New York, and several South American countries. – Associated Press. See item 13 below in the Banking and Finance Sector.

Details

Banking and Finance Sector

10. January 25, KPHO 5 Phoenix – (Arizona) Guilty plea from ‘Black Binder Bandit’. A man who confessed to a dozen bank robberies in the East Valley area of Arizona pleaded guilty in federal court January 24. The defendant faces a maximum of life in prison and a $250,000 fine. Investigators dubbed the man the “Black Binder Bandit” because he frequently carried a black binder that contained a note and sometimes a gun. He would also place the money in the binder before leaving the bank. He admitted to robbing 12 banks starting September 2, 2010, until he was arrested July 20, 2011. He said he made off with more than $49,000 in those robberies. Source: http://www.kpho.com/story/16600659/guilty-plea-from-black-binder-bandit

11. January 25, St. Louis Post-Dispatch – (Missouri) St. Louis County police arrest suspect in ‘Logo Bandit’ bank robbery. A man from Mexico, Missouri, was charged January 25 in a bank robbery earlier this month blamed on a man authorities dubbed the “Logo Bandit,” police said. He was charged with robbery for the January 17 holdup of Jefferson Bank and Trust. The suspect in the Jefferson Bank robbery implied he was armed but never displayed a weapon. According to court documents, he said he went into the bank and gave a teller a note with the word “robbery” on it. Police said he kept a hand inside his jacket and implied he had a gun. He ordered the teller to give him $100 and $50 bills from the drawer and “not to attempt any funny stuff and nothing will happen.” After the teller put $3,670 on the counter, he took the money and left, court documents say. Police arrested the suspect in Richmond Heights with help from the FBI and the Richmond Heights Police Department. He could be charged in other municipalities where he is suspected in bank robberies, police said. Police and the FBI have suspected the “Logo Bandit” in at least seven other bank robberies over the past 4 months. He was given the nickname because he wore hats and sweatshirts featuring brand-name or athletic logos each time he robbed a bank. Source: http://www.stltoday.com/news/local/crime-and-courts/st-louis-county-police-arrest-suspect-in-logo-bandit-bank/article_c1f07f36-4790-11e1-b9b2-001a4bcf6878.html

12. January 25, KOVR 13 Sacramento – (California; Nevada) ‘Fedora Bandit’ charged with 7 Northern California bank robberies. The suspect dubbed the ‘Fedora Bandit” was charged with seven counts of armed bank robbery in California January 24, a U.S. attorney announced. According to court documents, the suspect also committed the April 12, 2010 armed robbery of the Bank of the West’s Carson City, Nevada branch. He is currently in federal custody in Lompoc on a drug trafficking conviction after being stopped in a motor home in Kansas in December 2010 with more than 40 pounds of cocaine, and more than 160 pounds of marijuana. According to the FBI criminal complaint, he confessed to the bank robberies while being interviewed at the federal penitentiary January 19. He faces up to 25 years in federal prison for each armed bank robbery. The suspect, who earned the nickname because of the fedora-style hat he wore during alleged heists, made off with a reported $56,000 in cash from the California bank robberies. Source: http://sacramento.cbslocal.com/2012/01/25/fedora-bandit-charged-with-7-northern-california-bank-robberies/

13. January 25, Associated Press – (Florida; New York; International) Prominent Fla. businessman guilty in $135M fraud; investors include Roman Catholic prep school. A prominent Miami businessman pleaded guilty January 25 to fraud in a $135 million real estate scheme that fleeced hundreds of investors, including the Roman Catholic prep school he once attended. He faces up to 5 years behind bars after pleading guilty to a single count of wire and mail fraud conspiracy. He also lured investors from Miami’s close-knit Cuban-American community, many of them elderly and some Roman Catholic priests. Federal prosecutors said the man operated his company, Royal West Properties Inc., like a Ponzi scheme in which he paid older investors with money raised from newer ones. The company sold real estate investments in southwest Florida since 1993, but fell on hard times beginning in 2002 and was eventually forced into bankruptcy in 2009, according to court documents. Before it crashed, Royal West promised rates of return as high as 16 percent for investors who bought properties that were marketed nationally on Spanish-language networks and through offices in Florida, New York, Colombia, Ecuador, Peru and Venezuela. The chief of the Securities and Exchange Commission field office in Miami, called it a typical “affinity” scam where the perpetrator uses a position of trust to prey on members of a specific group. In all, prosecutors said more than 150 investors lost about $47 million between 2003 and 2008. Of the total, investigators said the man and his wife skimmed about $20 million for other business ventures, to pay themselves more than $5 million in salaries, and to pay children and grandchildren $1 million in “consulting fees” even though they did no work for Royal West. He could be ordered to pay millions of dollars in restitution. Source: http://www.washingtonpost.com/business/prominent-fla-businessman-guilty-in-135m-fraud-investors-include-roman-catholic-prep-school/2012/01/25/gIQApE8aQQ_story.html

14. January 25, U.S. Department of Justice – (Florida) Former executive of Miami-based ocean bank pleads guilty to participating in bribery scheme and to fliing false tax returns. A former executive of Miami-based Ocean Bank pleaded guilty January 25 in a U.S. district court in Miami to participating in a scheme to accept bribes and to failing to report the income on federal income tax returns, the Department of Justice announced. The charges against the former vice president stemmed from his accepting nearly $500,000 in cash and other items from unnamed co-conspirators in connection with his supervision of certain unnamed customer business with the bank. According to court documents, the vice president generally oversaw Ocean Bank’s lending relationships with corporate customers. The department said that beginning in or about February 2001 and continuing thereafter through on or about April 25, 2007, he accepted bribes, including payments for expensive watches, Super Bowl tickets, and other items for his personal use, as well as substantial amounts of cash. He accepted the payments intending to be rewarded and influenced in connection with his role in approving Ocean Bank’s issuance of letters of credit, loans, and overdraft privileges to co-conspirators. The court documents also show he failed to report income from the bribes for the tax years 2005, 2006 and 2007, resulting in lost tax revenue of about $91,000 to the federal government. He was charged with one count of conspiracy to solicit or demand money and other things of value to influence an employee of a financial institution and three counts of tax offenses. The conspiracy count carries a maximum sentence of 5 years in prison and a $250,000 criminal fine. The tax charges each carry a maximum sentence of 3 years in prison and $250,000 fine. Source: http://www.justice.gov/opa/pr/2012/January/12-at-102.html

Information Technology

35. January 26, V3.co.uk – (International) Symantec advises users to turn off pcAnywhere in hack aftermath. Symantec has advised customers to take their copies of pcAnywhere offline as the company continues to struggle with the aftermath of a major data breach. The company issued a whitepaper addressing new vulnerabilities in its remote access tool that were exploited by a recently publicized attack which allowed attackers to gain access to the application’s source code. The 2006 hack was recently brought to light by an Indian hacking team that is seeking to publicly distribute the code. Symantec has now determined a major update is necessary to protect users from any flaws revealed in the compromised source code. The company is advising users of pcAnywhere 12.5 to disable the remote management tool until an update is released. If users do not take their copies of the tool offline, the company warned attackers could possibly compromise systems and perform “man-in-the-middle” attacks that could result in the theft of user credentials and other network traffic. Source: http://www.v3.co.uk/v3-uk/news/2141452/symantec-advises-users-pcanywhere-hack-aftermath

36. January 26, Computerworld – (International) Google stirs up privacy hornet’s nest. Google announced the company is rewriting its privacy policy, consolidating user information across its services. The company, however, is not offering users an opt-out option. If a user does not want their information from Gmail, YouTube, and Google searches combined into one personal data store that can paint a detailed picture of them, the only option is to cease using Google’s services. Source: http://www.computerworld.com/s/article/9223719/Google_stirs_up_privacy_hornet_s_nest?taxonomyId=17

37. January 25, Threatpost – (International) Poison Ivy variant changes benign code to malicious after download. Researchers found there are now some pieces of malware downloading not explicitly malicious pieces of code, but small bits of code benign on their face that are then transformed into malicious instructions once they are on the target machine. The code was found by Microsoft researcherst when investigating a file calling out to the site of a restaurant. They expected the file to be a standard downloader that would pull down a malicious executable hosted on the compromised server and then run that locally. Instead, the file was downloading a piece of code that did not do much at first. Further analysis showed the initial VisualBasic application was doing many things. “Once the application was run on a machine with a simulated Internet connection, it got the contents of the HTML page of the restaurant website mentioned previously. The application copied itself to the Windows system folder as ‘misys.exe’, and started keylogging, although the static analysis did not indicate this kind of functionality,” Microsoft researchers wrote in an analysis. “So the VB Application is extending its functionality dynamically by downloading and executing x86 instructions in the context of its own process. The ‘downloader’ becomes malware by executing this downloaded blob of x86 instructions. And the downloaded instructions will be not injected to a different process and not dropped to disc, they will be executed in the process context of the ‘downloader’, thus the ‘downloader’ inherits the malware functionality.” What the victim ends up is a version of the Poison Ivy backdoor. Source: http://threatpost.com/en_us/blogs/poison-ivy-variant-changes-benign-code-malicious-after-download-012512

38. January 25, Softpedia – (International) Amateur programmer: SMS spoofing for malicious purposes is easy. SMS spoofing is not new, researchers having proved in 2010 for BBC’s Watchdog it could be done. While most telecommunications companies are aware of the risks, few have actually done something to prevent it. Now, an amateur programmer came forward with a simple app to prove SMS spoofing for malicious purposes is something widely available, and if measures are not taken, a lot of individuals may be exposed to cybercriminal operations. A self-described “completely amateur programmer” with less than 2 years’ experience, managed to develop a simple program that could allow anyone to launch social engineering attacks with the purpose of obtaining valuable information and maybe even money. Source: http://news.softpedia.com/news/Amateur-Programmer-SMS-Spoofing-for-Malicious-Purposes-Is-Easy-248669.shtml

For another story, see item 39 below in the Communications Sector

Communications Sector

39. January 26, Dark Reading – (International) Hacktivists turn to DNS hijacking. Hacktivists have added a new tactic to their arsenal: redirecting all traffic from a target company’s Web site, Dark Reading reported January 26. According to a blog written by a security expert from Internet Identity (IID), politically motivated attackers are now using DNS hijacks, which redirect all traffic from a victim’s legitimate Web site (and often all the e-mail and back-end transactions, too) to a destination of the attacker’s choosing. “A determined criminal can set up a fake look-alike destination site to dupe customers into revealing credentials or downloading malware,” the expert stated. Many companies pay little, if any, attention to securing their domain registrations, and most do not continuously monitor their DNSes to make sure they’re resolving properly around the world, making them vulnerable to attack, the blog said. “The first indication most victims have of a DNS hijack is that their website traffic slows to a trickle,” it noted. “Then they have to figure out why, and DNS is rarely the first thing they think of, which lengthens the time to mitigate the attack.” On January 22, the domain name UFC.com was hijacked by a hacktivist group, IID reported. On January 23, that same group, called UGNazi, hijacked two domain names, coach.com and coachfactory.com, belonging to luxury goods maker Coach Inc. Both Coach and UFC registered their domains at Network Solutions, IID reports. “The criminals hijacked the domains by accessing the companies’ domain management accounts at Network Solutions,” the blog stated. “It’s currently unclear how they did so. In such cases, the cause is usually weak or compromised user passwords, or a website vulnerability at the registrar.” Source: http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232500513/hacktivists-turn-to-dns-hijacking.html

40. January 25, KRBD 105.3 FM Ketchikan – (Alaska) KPU phone experiences outages. About 50 percent of Ketchikan Public Utilities (KPU) telecommunications customers in Alaska experienced a telephone outage January 25. At about 8:45 a.m., some KPU residential and business customers began experiencing fast busy signals, could not get a dial tone, or reached “call cannot be completed” recordings when attempting to place calls. There were periods of time when KPU customers were able to make and receive calls, only to have the call terminated. The outage also affected some cellular customers and those serviced by other phone carriers trying to call KPU customers. KPU’s Internet and TV services were not affected. The source of the outage was located in KPU’s central computerized switching network. KPU technicians worked with the manufacturer of the switching network to restore service. Service was restored to all customers at about 2 p.m. January 25. Source: http://www.krbd.org/2012/01/25/kpu-phone-experiences-outages/

2012-01-26T05:15:00.000-05:00

Thursday, January 26, 2012

Complete DHS Daily Report for January 26, 2012

Daily Report

Top Stories

Stories

• Viruses are accidentally infecting worms on victims’ computers, creating super-powered strains of hybrids that experts say pose a greater risk than standard malware. – The Register. See item 35 below in the Information Technology Sector.

• Police arrested a teenager and charged him with attempted murder and aggravated arson in connection with firebombing attacks on two New Jersey temples. – WPIX 11 New York City (See item 40)

40. January 25, WPIX 11 New York City – (New Jersey) Teen arrested in firebombing attacks on NJ temples. Police arrested a teenager in connection with firebombing attacks on New Jersey temples, WPIX 11 New York City reported January 24. According to officials, the Lodi, New Jersey teen has been arrested and charged with the January 11 attempted murder of a rabbi and his family, and the associated firebombing of the Rutherford synagogue. He was also charged in the arson and firebombing of the Temple K’Hal Adath Jeshrun in Paramus January 3, officials said. Investigators are crediting the arrest with the release of surveillance video and photographs the week of January 16 that captured the suspect purchasing many components of the incendiary device used in the Rutherford temple attack. Evidence connecting the suspect to the crime was reportedly discovered at his home, after authorities executed a search warrant. He was charged with nine counts of first degree attempted murder, one count of first degree bias intimidation, and one count of first degree aggravated arson for the Rutherford incident. He was charged with first degree aggravated arson, first degree bias intimidation, and third degree arson for the Paramus incident. Source: http://www.wpix.com/news/wpix-arrest-made-nj-temple-fire-bombings,0,3171515.story

Details

Banking and Finance Sector

9. January 25, Daytona Beach News-Journal – (Florida) Workers at 3 Daytona convenience stores accused of food card scams. A multi-agency investigation in Florida nabbed three convenience store workers accused of defrauding the state and federal government out of more than $2 million through Electronic Benefit Transfer (EBT) purchases, authorities said January 24. Investigators with the Daytona Beach Police Department as well as agents with the U.S. Secret Service and other agencies served search warrants at three convenience stores, the Daytona Beach police chief said. He said one of the suspects would purchase EBT cards from customers for cash at about a third of the value of their cards, which generally can only be used to buy groceries through the federal Supplemental Nutrition Assistance Program (SNAP). The suspect would then purchase goods at area stores for her own benefit. Authorities said she also made fictitious purchases at her store and got reimbursed the following month. In total, she made about $1.1 million in fraudulent purchases, the chief said. She was charged with five counts each of racketeering, social welfare fraud, and fraudulent use of a credit card, and one count of carrying a concealed weapon. At the other two locations, two suspects would allow EBT customers to make ineligible beer and cigarette purchases with their cards, but grossly inflate the prices, police said. Each would then pocket the difference. The two men were charged with five counts each of racketeering, social welfare fraud, and fraudulent use of a credit card. The police chief said the three businesses would typically only report $4,000 of SNAP purchases in 1 month, but during the 6 months the fraud occurred, they were redeeming about 10 times that amount. Source: http://www.news-journalonline.com/news/local/east-volusia/2012/01/25/workers-at-3-daytona-convenience-stores-accused-of-food-card-scams.html

10. January 24, Bloomberg – (District of Columbia; Virginia) Army Corps official to plead guilty to bribery, U.S. says. A U.S. Army Corps of Engineers contracting official will plead guilty to bribery and conspiracy charges brought in connection with an alleged $20 million false billing scheme, prosecutors said. The U.S. attorney’s office in Washington D.C., in a federal court filing January 24, said the official will admit to taking bribes and conspiring to launder money. The official was accused along with a colleague of funneling more than $45 million through a contract he was in charge of to a company that kicked back $20 million generated by overbilling. Also charged were the colleague’s son, the director of contracts for Eyak Technology LLC in Dulles, Virginia. Prosecutors call the case one of the “most brazen” frauds in federal contracting history. Source: http://www.bloomberg.com/news/2012-01-24/army-corps-official-to-plead-guilty-to-bribery-u-s-says-1-.html

11. January 24, Associated Press – (Puerto Rico) FDIC files lawsuit against former Westerbank officials; cites $176M in damages. U.S. regulators are seeking $176 million in damages from officials at what used to be Puerto Rico’s second-largest bank, the Associated Press reported January 24. The Federal Deposit Insurance Corp. (FDIC) accused six former Westernbank officials and directors of gross negligence, violating loan policy, and ignoring auditor warnings in a suit filed last week. Regulators shut down the bank and its 45 branches in April 2010, citing a $4.25 billion loss. The FDIC, which took over the bank, said the damages it seeks represent the total loss of 10 construction loans, seven asset-based loans, and four commercial real estate loans that the bank approved from January 2004 to July 2009. The FDIC accused Westernbank officials of approving loans to make a quick profit through an “aggressive and reckless growth strategy.” The agency also accused the bank’s former director of not disclosing a personal financial interest in a $12 million loan before it was approved. Source: http://www.washingtonpost.com/business/fdic-files-lawsuit-against-former-westerbank-officials-cites-176m-in-damages/2012/01/24/gIQAuaD7NQ_story.html

12. January 24, Associated Press – (Arizona; International) Feds find $500K hidden in BMW at Nogales entry. Federal officers in Nogales, Arizona, recovered more than $500,000 in undeclared money hidden in a BMW that an Arizona man was allegedly trying to drive into Mexico January 20. The Nogales International reported that U.S. Customs and Border Protection officers conducting outbound inspections at the Dennis DeConcini Port of Entry selected the man for additional inspection. Agents placed the man’s car on a vehicle lift and discovered a non-factory compartment containing 21 packages of undeclared U.S. currency. The funds were confiscated and the man was arrested and turned over to U.S. Immigration and Customs Enforcement’s Homeland Security Investigations. Source: http://ktar.com/6/1492171/Feds-find-500K-hidden-in-BMW-at-Nogales-entry

13. January 23, Houston Chronicle – (Texas; Louisiana) League City man admits using fake ID, stolen credit cards to buy electronics. A League City, Texas man on supervised release in a $1 million credit card fraud case pleaded guilty January 23 to new charges accusing him of using stolen credit cards and fake IDs to buy electronics worth $10,000. He was using stolen credit card numbers when he tried to buy iPads, iPhones and other products at the Apple store in Memorial City Mall in August, authorities said. When asked for identification, the man presented a fake Florida driver’s license with his photo but a different name. The name on the cards was linked to more than $200,000 worth of fraudulent Apple product purchases in Louisiana and Texas, officials said. The suspect was arrested at the store. When arrested, the suspect had 38 fraudulent credit cards, officials said, as well as four iPads and four iPhones bought the same day from Apple stores in the Galleria and Sugar Land area. All items, valued at $6,000, were bought using the same fraudulent credit cards, officials said. The suspect admitted in court he was serving a term of supervised release from a 2007 credit card fraud case when he was arrested. In the prior case, the suspect and his wife were charged for using more than 2,000 stolen credit card numbers to buy merchandise totaling more than $1 million, according to court records. Source: http://www.chron.com/news/houston-texas/article/League-City-man-admits-using-fake-ID-stolen-2678581.php

14. January 22, Salem Today’s Sunbeam – (New Jersey) Computer hackers tap into Salem County bank account holding $13 million, steal $19,000. Computer hackers have broken in and stolen about $19,000 by way of an illegal wire transfer from a Salem County, New Jersey bank account that held over $13 million, Salem Today’s Sumbeam reported January 22. The illegal transaction happened in mid-December and as of late the week of January 16, the Salem County chief finance officer (CFO) said the county has yet to recoup the money. He said the county is working with law enforcement officials, who believe the county system was attacked by a computer virus called a “Zeus,” a trojan horse computer virus that steals banking information by keystroke logging and form grabbing. The CFO said the hacker was able to access the county’s online banking system through the Microsoft Exchange server. “They were able to jump in our account and essentially blocked us from logging on,” the CFO said. “When they were logged in, they wired out $19,000 to an account with JP Morgan Chase out in California.” In all, the account that was entered held more than $13 million in county funds. The CFO said the Information Technology Department at the county was unable to trace the virus back to its origins. As a precautionary measure, the county is no longer using its online banking system, CashLink, which is run by Fulton Bank of New Jersey. The CFO said the computer that was attacked with the virus has also been removed and sent to a crime lab for analysis. The county will also be setting up a new secure computer solely for bank transactions. This computer will have no e-mail, public Internet access, and no disk drive or USB ports. Source: http://www.nj.com/salem/index.ssf/2012/01/computer_hackers_tap_into_sale.html

Information Technology

34. January 25, H Security – (International) Opera 11.61 fixes XSS vulnerability. Version 11.61 of Opera has been released. According to its developers, the maintenance update fixes bugs found in the existing builds and closes two security holes in the Web browser. Opera 11.61 addresses a “high” severity cross-site scripting vulnerability that could be exploited by an attacker to bypass the same origin policy. A second issue, rated as “low” severity, in which remote pages could detect what local files a user has on their local machine, was also fixed. Changes not related to security include an update to the default Speed Dials as well as fixes for the built-in e-mail client, and a number of bugs that caused the application to crash. Source: http://www.h-online.com/security/news/item/Opera-11-61-fixes-XSS-vulnerability-1421248.html

35. January 25, The Register – (International) Super-powered ‘frankenmalware’ strains detected in the wild. Viruses are accidentally infecting worms on victims’ computers, creating super-powered strains of hybrid software nasties. The monster malware spreads quicker than before, screws up systems worse than ever, and exposes private data in a way not even envisioned by the original virus writers. A study by antivirus outfit BitDefender found 40,000 such “Frankenmalware samples” in a study of 10 million infected files in early January, or 0.4 percent of malware strains sampled. These cybercrime chimeras pose a greater risk to infected users than standard malware, the antivirus firm warns. “If you get one of these hybrids on your system, you could be facing financial troubles, computer problems, identity theft, and a wave of spam thrown in as a random bonus,” said the BitDefender analyst who carried out the study. “The advent of malware sandwiches throws a new twist into the world of malware. They spread more efficiently, and will become increasingly difficult to predict.” BitDefender does not have historical data to go on. Even so, it posits that frankenmalware is likely to grow at the same rate as regular computer viruses, or about 17 percent per year. All of the malware hybrids analyzed by BitDefender so far have been created accidentally. However, the risk posed by these combinations could increase dramatically as criminals latch onto the idea. Source: http://www.theregister.co.uk/2012/01/25/frankenmalware/

36. January 25, H Security – (International) Critical flaw discovered in Symantec’s pcAnywhere. Symantec issued a warning about a critical vulnerability in pcAnywhere, the remote control application for PCs. The vulnerability could allow an attacker to remotely inject code into a system running pcAnywhere and then run it with system privileges. This attack works because a service on TCP port 5631 allows user input during the authentication process that is not adequately checked. According to Symantec, this port should, under normal conditions, only be reachable by authorized network users, so an attacker would have to first gain access to the network or another computer on the network to compromise other systems. In practice though, overly lax firewall configurations mean such ports are always available on the Internet. Symantec is also correcting a vulnerability that meant that files installed during pcAnywhere’s installation process were marked as writable by everyone. This would allow an unprivileged user with local access to overwrite these files, possibly with code that could grant elevated privileges. Further details of the two holes are still being kept secret by Symantec, and exploits are reportedly not in circulation. As the flaws were reported by security researchers of NGS Secure, it is probable the discovery of the flaws is not related to the recent theft of source code for an older version of pcAnywhere. pcAnywhere 12.5.x is vulnerable to the flaws, as are versions 7.0 and 7.1 of the company’s IT Management Suite Solution. Symantec released a hotfix that can be installed either manually or automatically with Symantec’s LiveUpdate system. Source: http://www.h-online.com/security/news/item/Critical-flaw-discovered-in-Symantec-s-pcAnywhere-1421261.html

37. January 24, H Security – (International) Joomla! 2.5 adds new features, closes holes. The Joomla! Project announced the arrival of version 2.5.0 of its open source PHP-based content management system. The successor to the 1.7 release from July 2011 is a long term support version that will be supported for “at least 18 months” and adds several new features. The update addresses two medium-priority, cross-site scripting vulnerabilities and two low-priority, information disclosure holes. Source: http://www.h-online.com/security/news/item/Joomla-2-5-adds-new-features-closes-holes-1420866.html

For more stories, see items 14 above in the Banking and Finance Sector and 39 below in the Communications Sector.

Communications Sector

38. January 24, Radio World – (Florida) FCC fines Florida pirate $10,000. The Federal Communications Commission (FCC) has fined a man $10,000 for operating an unlicensed radio transmitter on 98.7 MHz in Miami, Radio World reported January 24. Following up on a complaint in July, Miami Enforcement Bureau agents traced the unauthorized signal to an FM transmitting antenna mounted in a tree. The station was also transmitting an RDS display of “98.7 FM Energy,” according to the commission. The agents also found an Internet Web site for the station, www.energyfm987.com. The man told agents he would turn off the station, but did not admit he was the operator or unauthorized station owner. The agents left and the transmissions resumed. The agents again traced the illegal transmissions to the same home. Agents from the Miami office identified the man by comparing his Florida driver’s license photograph to pictures posted on the Internet. In assessing the penalty, the FCC stated in its decision the man can be said to have “operated” the unlicensed radio station on 98.7 MHz because he demonstrated control over the general conduct or management of the station, according to the agency’s rules. The station continues to be streamed online. Source: http://www.rwonline.com/article/fcc-fines-florida-pirate-/211476

39. January 24, Dark Reading – (International) IP D-Day: Major providers, vendors to go IPv6 June 6. It has been in the works for more than a decade, but the next-generation IPv6 protocol will officially go live in some major corners of the Internet in 2012, Dark Reading reported January 24. The Internet Society has deemed June 6 as World IPv6 Day, when Google, AT&T, Facebook, Comcast, Cisco, and others plan to flip the switch to the new IP protocol. IPv6 has been available in most products for some time, and various organizations and government agencies have test-run the protocol. Other nations, such as Japan and France, have already broadly rolled out IPv6. Meanwhile, IPv4 has outlasted some predictions it would have run out of address space by now, and IPv6 has exponentially more address space that can better accommodate the explosion of IP devices. Like any new technology rollout, security experts say the transition to IPv6 could introduce new bugs into the ecosystem. Among the companies participating in the IPv6 cutover June 6 are Google, Facebook, Microsoft Bing, Yahoo!, AT&T, Comcast, Free Telecom, Internode, KDDI, Time Warner Cable, XS4All, Cisco, and D-Link. The ISPs going to IPv6 — AT&T, Comcast, Free Telecom, Internode, KDDI, Time Warner Cable, and XS4ALL — will roll out the new protocol in their networks so that at least 1 percent of their wireline residential subscribers who visit other IPv6-enabled Web sites will get there via IPv6. They plan to make IPv6 a big part of their services, while new home routers from Cisco and D-Link will enable IPv6 by default. Source: http://www.darkreading.com/security-monitoring/167901086/security/perimeter-security/232500387/

2012-01-25T05:28:00.000-05:00

Wednesday, January 25, 2012

Complete DHS Daily Report for January 25, 2012

Daily Report

Top Stories

• A burst of radiation on the sun’s surface triggered a geomagnetic storm on Earth January 24 that caused rerouting of flight routes, may have disrupted satellite communications and the Global Positioning System. – San Francisco Chronicle (See item 31)

31. January 24, San Francisco Chronicle – (International) Solar flare may hit satellite communications, GPS. A burst of radiation on the sun’s surface may trigger a geomagnetic storm on Earth January 24 that could disrupt satellite communications and the Global Positioning System by mid-morning, scientists at the Space Weather Prediction Center said January 23. The eruption — called a solar flare — has also sent billions of tons of matter streaming toward Earth from the sun’s surface at millions of miles per hour in what scientists call a coronal mass ejection, according to a physicist at the center in Boulder, Colorado. The radiation storm could create unusually intense flares of the aurora borealis — the northern lights — and has caused some international airlines to divert planes from polar routes to courses where radio communication is less likely to be affected, the physicist said. A new National Aeronautics and Space Administration satellite called the Solar Dynamics Observatory is vastly improving the ability of scientists to predict the violent magnetic storms that threaten Earth and to understand the mysterious nature of solar physics, the physicist said. Source: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/01/24/MNJJ1MTCTM.DTL

• A researcher located and mapped more than 10,000 industrial control systems hooked up to the public Internet, and found many were open to easy hack attacks because of lax security. – Wired. See item 37 below in the Information Technology Sector.

Details

Banking and Finance Sector

6. January 24, Charlotte Observer – (North Carolina) 6 charged in Charlotte-area mortgage scheme. Federal prosecutors filed charges against six Charlotte, North Carolina-area defendants over mortgage fraud-related offenses and a “builder kickback” scheme, the latest fallout from the housing market bust, the Charlotte Observer reported January 24. The defendants are accused of working with Charlotte home builder Tara Properties to sell houses by offering kickbacks to straw buyers. The kickbacks were not disclosed to lenders or included on loan applications, according to documents filed last week in federal court. The scheme resulted in hundreds of sales between January 2005 and February 2008, with Tara paying more than $5 million in kickbacks, the filings say. The conspirators fraudulently caused lenders to provide more than $42 million in loans, prosecutors allege. Tara specialized in building homes priced between $100,000 and $200,000 and the company offered kickbacks of 15 percent of the sales price. Defendants lied on loan applications about income and assets, employment, debts, and anticipated debts, and intent to occupy the home as a primary residence, court documents say. Some applications also contained false or forged documents such as bogus payroll stubs and bank statements. The straw buyers recruited by the promoters and mortgage brokers generally were unqualified to obtain the loans, and the “vast majority” of homes lapsed into foreclosure, according to prosecutors. The six defendants indicted the week of January 16 in connection with the builder-kickback scheme have been charged with mortgage fraud conspiracy, and money laundering conspiracy. Source: http://www.wcnc.com/news/local/6-charged-in-Charlotte-area-mortgage-scheme-137949413.html

7. January 23, Birmingham Business Journal – (Alabama) Wells Fargo, Regions branches among businesses damaged in Center Point. Banks and several other businesses in Center Point, Alabama, were damaged by storms that swept through Jefferson County January 23. The Wells Fargo and BBVA Compass branches on Center Point Parkway were heavily damaged and were closed the morning of January 23. Representatives from Wells Fargo said the downtown branch would open at 10:30 a.m. A spokesperson from BBVA Compass said the bank sustained only minor damage and was expected to reopen January 24. Regions Bank ‘s Center Point branch was also closed due to minor damage. Regions’ Deerfoot Parkway and Pinson branch locations were closed due to road and power issues in those areas. A Regions representative said there were power outages in market areas outside of Birmingham that have been impacted by the severe weather, and that isolated branch closings would be possible. Source: http://www.bizjournals.com/birmingham/news/2012/01/23/wells-fargo-branch-other-businesses.html

8. January 23, U.S. Department of Treasury – (International) Treasury designates major Iranian state-owned bank. The U.S. Department of the Treasury January 23 designated Iran’s third-largest bank, Bank Tejarat, for providing financial services to several Iranian banks and firms already subject to international sanctions for involvement in Iran’s weapons of mass destruction (WMD) proliferation activities. With the January 23 action, 23 Iranian-linked financial institutions, including all of Iran’s largest state-owned banks, have been sanctioned by the United States based on their involvement in Iran’s illicit activities. Bank Tejarat was designated pursuant to Executive Order (E.O.) 13382 (Blocking Property of WMD Proliferators and Their Supporters) for providing financial services to Bank Mellat, the Export Development Bank of Iran (EDBI), the Islamic Republic of Iran Shipping Lines (IRISL), and the Ministry of Defense for Armed Forces Logistics (MODAFL), all of which were previously designated by Treasury or the Department of State for involvement in Iran’s WMD proliferation activities. Trade Capital Bank also was designated January 23 for providing financial services to EDBI, and for being owned or controlled by Bank Tejarat. Bank Tejarat has nearly 2,000 branches throughout Iran, as well as foreign branches in France and Tajikistan. Trade Capital Bank is a Belarus-based bank owned by Bank Tejarat. Bank Tejarat has directly facilitated Iran’s illicit nuclear efforts. For example, in 2011, Bank Tejarat facilitated the movement of tens-of-millions of dollars in an effort to assist the Atomic Energy Organization of Iran’s ongoing effort to acquire uranium. Source: http://www.treasury.gov/press-center/press-releases/Pages/tg1397.aspx

9. January 23, WCMH 4 Dublin – (Arizona; Ohio) 2 plead guilty to $15 million mortgage fraud scheme. Two central Ohio men pleaded guilty in connection with a $15 million mortgage fraud scheme that cost lenders more than $6 million, WCMH 4 Columbus reported January 23. The men pleaded guilty to fraudulently obtaining about $15 million in mortgage loans to finance the purchase of 26 real estate properties in Maricopa County, Arizona. The guilty pleas were entered January 17 and January 20. Officials said that between August 2006 and May 2007, the two men applied for loans using false income, assets, and occupancy statements on the applications. The loans were inflated to allow the man to use the excess mortgage proceeds to generate cash kickbacks payable to co-conspirators that were undisclosed to the lenders. The co-conspirators then provided the money to the men via interstate wire transfers, investigators said. They said the men used a mortgage brokerage company they co-owned, Vanguard Mortgage, in Westerville, to finance the purchases of the properties. Each man inflated his income, minimized his assets, failed to disclose his ownership of several other properties on which he held loans, and concealed the fact he intended to receive substantial cash kickbacks after the closing of three properties. All 26 of the Arizona properties were subsequently sold short or foreclosed upon due to borrowers being unable to pay the monthly payments. Each man pleaded guilty to one count of money laundering, which is punishable by up to 10 years in prison, a fine of up to $250,000 or twice the value of the property involved, whichever is greater, and restitution to the victims. Source: http://www2.nbc4i.com/news/2012/jan/23/two-plead-guilty-15-million-mortgage-fraud-scheme-ar-907064/

10. January 23, Kansas City Business Journal – (International) Euronet faces first criminal computer breach of secure payment data. Euronet Worldwide Inc., a Leawood, Kansas company that provides secure payment services, has reported a criminal computer security breach. Euronet said the breach targeted a “small portion” of its European business in late 2011, according to a January 23 filing with the Securities and Exchange Commission. The event marks the global electronic payments provider’s first data breach, the company’s chief executive officer (CEO) said. “(We), like hundreds of thousands of other companies, have been hacked into, but we were able to find it early, plug the hole ... and our breach has been contained for well over a month,” the CEO said. He said the breach affected card data in Euronet’s electronic fund transfer division, a European unit that makes up 17 percent of its business. Third-party forensic investigators confirmed the breach did not affect Euronet’s other business units, including its epay division, ATM networks, or money-transfer operations, the company reported in the filing. The CEO said that of the electronic fund transfer division, 90 percent of the data on card transactions remained protected. He partially credited a highly secure microchip that appears on most European debit and credit cards. The chip requires a verification PIN for access. The 10 percent of data that became exposed stemmed from older cards that had not yet been updated with the chip, he said. Source: http://www.bizjournals.com/kansascity/news/2012/01/23/euronet-faces-first-criminal-computer.html?page=all

11. January 23, Sacramento Bee – (California) Three Sacramento women arrested in false tax return scheme. Three Sacramento, California women were arrested January 23, accused of stealing taxpayers’ identities and their tax refunds. According to federal court documents, the women have been charged in a conspiracy to defraud the United States through the filing of false tax returns using TurboTax, an income tax preparation software and filing service. The women are charged with executing a mail fraud scheme to obtain Green Dot debit cards, a service offered through the TurboTax software, loaded with the tax return money of taxpayer victims. In addition to the conspiracy, one of the women is charged with 15 counts of filing false tax returns, 20 counts of mail fraud, and eight counts of aggravated identity theft. Another is charged with five counts of filing false tax returns, 15 counts of mail fraud, and one count of aggravated identity theft, according to a federal Department of Justice news release. The alleged fraudulent tax return claims filed by the three women amount to more than $1,366,427, with an actual paid Internal Revenue Service (IRS) loss of about $962,079. The scheme involved more than 280 false tax returns and numerous victim taxpayers, officials said. Source: http://blogs.sacbee.com/crime/archives/2012/01/three-sacramento-women-arrested-in-false-tax-return-scheme.html

12. January 23, Computerworld Australia – (International) Researcher traces ‘Gameover’ malware to maker of Zeus. The “Gameover” malware that the FBI warned users about earlier in January 2012 is a preview of the next version of the even-more-notorious Zeus money-stealing trojan, a security researcher said January 23. “Gameover represents the latest and greatest source code package from the Zeus author,” a senior security researcher with Dell SecureWorks’ counter-threat unit said. “[New features] in Gameover will be rolled into the final Zeus version 3, which is in beta and will wrap up soon if it hasn’t already.” Two weeks ago, the FBI warned of increased action by Gameover, including rounds of spam that tried to dupe recipients into infecting their PCs with the malware, which like Zeus, is designed to pillage individuals’ and companies’ bank accounts. The security researcher, who has been tracking the Zeus malware and its developer for years, said Gameover posed a new and more dangerous threat because it had been created by the maker of Zeus specifically at the behest of one of his biggest clients. “The crew using Gameover has requested a lot of changes in the Zeus functionality,” he said, adding the hacker crew using Gameover has direct access to Zeus’ maker because it pays him well and often for support. “The Zeus author now has only three or four major clients,” he said. The criminal coder abandoned all his “small fish” to focus on supporting a handful of customers who pay top dollar for his work. The additions demanded by the Gameover gang, which the Zeus developer quickly created, included a new, more distributed form of command-and-control (C&C) that uses a peer-to-peer function to update infected machines when or if a botnet’s single C&C server is discovered by authorities and taken offline. Gameover also supports the use of complex Web injections that allow criminals to bypass multi-factor authentication now used by many financial institutions to stymie account plundering. And the crew apparently asked for changes to Zeus that would let the gang rent third-party botnets that specialize in conducting distributed denial-of-service (DDoS) attacks, the researcher added. Source: http://www.computerworld.com/s/article/9223642/Researcher_traces_Gameover_malware_to_maker_of_Zeus?taxonomyId=17

For another story, see item 40 below in the Information Technology Sector.

Information Technology

37. January 24, Wired – (International) 10K reasons to worry about critical infrastructure. A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the public Internet, including water and sewage plants, and found many could be open to easy hack attacks, due to lax security practices. Infrastructure software vendors and critical infrastructure owners have long maintained industrial control systems — even if rife with security vulnerabilities — are not at risk of penetration by outsiders because they are not online. However, a computer science doctoral student from Cambridge University developed a tool that matches information about industrial control systems connected to the Internet with information about known vulnerabilities to show how easy it could be for an attacker to locate and target them. To debunk the myth industrial control systems are never connected to the Internet, the student used the SHODAN search engine, which allows users to find Internet-connected devices using simple search terms. He then matched that data to information from vulnerability databases to find known security holes and exploits that could be used to hijack the systems or crash them. He used Timemap to chart the information on Google maps, along with red markers noting brand devices that are known to have security holes in them. The student found 10,358 devices connected through a search of 2 years worth of data in the SHODAN database. However, he was unable to determine how many of the devices uncovered were actually working systems, nor was he able to determine in all cases whether the systems were critical infrastructure systems installed at power plants and other significant facilities. The student also found only 17 percent of the systems he found online asked him for authorization to connect, suggesting administrators either were not aware their systems were online or had simply failed to install secure gateways to keep out intruders. Source: http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/

38. January 24, Help Net Security – (International) Researchers discover network of 7,000 typo squatting domains. A network of some 7,000 typo squatting domains is being used by scammers to effectively drive traffic towards their sites, some of which get so much traffic that they managed to enter Alexa’s top 250 list of sites with the largest Web traffic, according to Websense researchers. The typo squatting domains take advantage of visitors to popular Web sites such as Google, Twitter, Gmail, YouTube, Wikipedia, Victoria’s Secret, Craigslist, and many more, and redirect them to spam survey sites. From there, the users are taken to sites with spam advertisements and greyware masquerading as free downloads of legitimate software such as movie downloaders. Websense researchers said currently these sites are not offering malware for download. “However, if these networks are resold to underground groups, then the potential outcome could be even more damaging than the 0-day exploit security attacks,” they point out. Users are mostly in danger of handing over their private information and other sensitive data when completing the surveys. Source: http://www.net-security.org/secworld.php?id=12275

39. January 24, H Security – (International) Chrome 16 update closes security holes. Google released version 16.0.912.77 of Chrome which closes several security holes in the WebKit-based Web browser. The update addresses a total of four vulnerabilities, all of which are rated as “high severity.” These include use-after-free holes in DOM selections and DOM handling, an uninitialized value in the Skia 2D graphics library, and a buffer overflow in tree builder. Four bugs that were detected using AddressSanitizer were also been fixed. The developers note a critical use-after-free issue in Safe Browsing navigation was corrected in version 16.0.912.75 but was “accidentally excluded from the release notes.” Additional details of the vulnerability are being withheld until “a majority of users are up-to-date with the fix.” Source: http://www.h-online.com/security/news/item/Chrome-16-update-closes-security-holes-1420506.html

40. January 23, Wired – (International) I spy your company’s boardroom. Researchers from Rapid7 discovered they could remotely infiltrate conference rooms in some of the top venture capital and law firms across the country, as well as pharmaceutical and oil companies and even the boardroom of Goldman Sachs — all by calling in to unsecured videoconferencing systems they found by doing a scan of the Internet. One of the researchers found he was able to listen in on meetings, remotely steer a camera around rooms, as well as zoom in on items to discern paint flecks on a wall or read proprietary information on documents. Despite the fact the most expensive systems offer encryption, password protection, and the ability to lock down the movement of cameras, the researchers found administrators were setting them up outside firewalls and failing to configure security features to keep out intruders. Some systems, for example, were set up to automatically accept inbound calls so users did not need to press an “accept” button when a caller dialed into a videoconference, opening the way for anyone to call in and eavesdrop. Using a program the researchers wrote, they found the conference rooms by scanning the Internet for videoconference systems set up outside firewalls and configured to automatically answer calls. In less than 2 hours, they found systems installed in 5,000 conference rooms, including an attorney-inmate meeting room at a prison, an operating room at a university medical center, and a venture capital company where prospects were pitching their companies while laying out their financial details on a screen in the room. Companies sometimes set up systems outside firewalls so other companies can easily call into the videoconferencing system without having to set up complex, but safer configurations. As a result, the researchers found they could easily hijack systems, and also access systems they otherwise could not find through an Internet scan. Source: http://www.wired.com/threatlevel/2012/01/videoconferencing-hijacked/

41. January 23, IDG News Service – (International) HP pays $425,000 to settle claims over hazardous laptop batteries. Hewlett-Packard (HP) will pay $425,000 to settle a claim that it knowingly sold laptops with hazardous batteries that could overheat or catch fire, the U.S. Consumer Product Safety Commission announced January 23. HP learned of about 22 incidents involving the batteries by September 2007, but it failed to report the problem until 10 months later, according to the Commission. The lithium-ion battery packs were shipped in new HP laptops or sold as accessories and spare parts. Because of the defect, they could overheat, posing fire and burn hazards, the Commission said. Soon after it reported the problem, HP and the Commission recalled about 32,000 lithium-ion battery packs. Around the same time, Dell and Toshiba also recalled lithium-ion battery packs, which were manufactured by Sony. In agreeing to the settlement, HP denied the batteries posed an unreasonable risk or that it violated federal reporting requirements. With respect to the recall, it acted “in accordance with the CPSA and in its customers’ best interests,” HP said in the agreement. Source: http://www.computerworld.com/s/article/9223650/HP_pays_425_000_to_settle_claims_over_hazardous_laptop_batteries?taxonomyId=17

For more stories, see items 10 and 12 above in the Banking and Finance Sector, 31 above in Top Stories, and 44 below in the Communications Sector.

Communications Sector

42. January 23, Charlotte Observer – (North Carolina) Power glitch hushes radio stations. A power failure followed by a generator malfunction knocked five Charlotte, North Carolina radio stations off the air for about 4 hours January 21. An operations manager for Clear Channel Radio’s five local stations said January 23 that the stations went silent at 11:23 a.m. January 21 when electricity went out in the studios’ neighborhood. An emergency generator to power the stations kicked on, but then shut down, he said. Three company engineers came in, backed up a truck used for remote broadcasts to the door of the building and were able to power up key broadcast components from it. By 3 p.m., they had the five stations — WKKT-FM 96.9, WHQC-FM 96.1, WLYT-FM 102.9, WEND-FM 106.5, and WRFX-FM 99.7 — back on the air. Source: http://www.charlotteobserver.com/2012/01/23/2952639/power-glitch-hushes-radio-stations.html

43. January 23, KARK 4 Little Rock – (Arkansas; Texas; Oklahoma) AT&T wireless service temporarily disrupted in AR, TX & OK. Some AT&T wireless customers in Arkansas and two neighboring states were affected by a service disruption January 23. It happened for at least a couple of hours during the morning, but all appeared to be back to normal by around 9 a.m. During the disruption, some customers were unable to send or receive text messages. The company released the following statement about the problems: “Earlier today, some customers in North Texas and parts of Oklahoma and Arkansas may have experienced a service disruption with wireless data service. AT&T technicians quickly worked to address the issue, and service is currently running normally.” Source: http://arkansasmatters.com/fulltext?nxd_id=501592

44. January 22, Santa Fe New Mexican – (New Mexico) Damaged cable disrupts Internet service. Many CenturyLink customers in Santa Fe and other parts of New Mexico were without Internet service for several hours January 23 while Sprint and Virgin Mobile customers across the state were hit by service disruptions through the weekend due to a cut fiber optics cable. Reports of Internet loss began as early as midnight in parts of Santa Fe. CenturyLink reported electrical equipment failure at the Santa Fe office that affected service at 12:45 a.m. January 23, according to CenturyLink’s market development manager for Northern New Mexico. By 9 a.m., the system was rebooted, and by 10 a.m. most customers were able to access the Internet again. Sprint and Virgin Mobile customers in Santa Fe, Albuquerque, Farmington, and Los Alamos also were frustrated by interrupted service January 21 through January 22. The culprit was a cut interstate fiber optics cable that affected CenturyLink, according to a regional Sprint communications representative. She said Sprint leases cable space from the cable line in some areas to link service. She confirmed an interstate fiber optics line was cut in Texas, affecting New Mexico. “It impacted the entire state,” she said. Source: http://www.santafenewmexican.com/Local News/Damaged-cable-disrupts-Internet-service

For more stories, see item 31 above in Top Stories and item 38 above in the Information Technology Sector

2012-01-24T05:41:00.001-05:00

Tuesday, January 24, 2012

Complete DHS Daily Report for January 24, 2012

Daily Report

Top Stories

• A new review published in Clinical Infectious Diseases stated that shortages of key drugs used to fight infections represent a public health emergency and can put patients at risk. – Infectious Diseases Society of America (See item 31)

31. January 22, Infectious Diseases Society of America – (National) Anti-infective drug shortages pose threat to public health and patient care. A review published in Clinical Infectious Diseases stated that shortages of key drugs used to fight infections represent a public health emergency and can put patients at risk, the Infectious Diseases Society of America stated in a January 20 news release. Frequent anti-infective shortages can substantially alter clinical care and may lead to worse outcomes for patients, particularly as the development of new anti-infectives has slowed and the prevalence of multidrug-resistant pathogens is increasing. First-line treatments for herpes encephalitis, neurosyphilis, tuberculosis, and enterococcal infections, among others, have been hit by shortages, forcing physicians to use other drugs that may not work as well, the authors found. Of the 193 medications unavailable in the United States at the time of the analysis, 13 percent were anti-infective drugs, the authors found. “Anti-infectives often represent irreplaceable life-saving treatments,” the authors noted, and hospitalized patients are particularly vulnerable in an era when such shortages often last months and are occurring more frequently. Source: http://esciencenews.com/articles/2012/01/22/anti.infective.drug.shortages.pose.threat.public.health.and.patient.care

• Severe weather tore across the Southeast January 23, killing at least two people, injuring hundreds, knocking out power to tens of thousands, and damaging hundreds of homes and buildings. – CNN (See item 47)

47. January 23, CNN – (Alabama; Arkansas; Mississippi) Severe weather rakes Southeast; 2 dead in Alabama. Severe weather tore across the Southeast January 23, killing at least two people, injuring more than 100 and spreading damage through several states, emergency officials said. The two fatalities reported were near Birmingham, Alabama, according to a Jefferson County sheriff’s official. At least 100 injuries were reported, from cuts and bruises to broken bones. At least 211 homes were destroyed and 218 suffered major damage in Jefferson County. That number is expected to rise. Emergency crews were working to locate people who may be trapped or injured, and clear roads, several of which were impassable, the sheriff’s office said. Video from the Center Point area showed numerous downed trees, some on top of homes. A photo from one Clay, Alabama subdivision showed many homes heavily damaged or destroyed, with debris strewn across the neighborhood and trees snapped in half. Damage was also reported in Perry and Chilton counties. Damage was reported in Maplesville, according to the Chilton County emergency management agency. A radio studio and transmission tower was reported toppled in Chilton County by a possible tornado, the National Weather Service said. The Alabama governor declared a state of emergency. Seven Alabama counties reported storm damage, with most in Jefferson and Chilton counties. As of 2 p.m. January 23, fewer than 15,000 customers statewide were without power, Alabama Power said on Twitter. The outages peaked at 45,400 about 5 a.m., an Alabama Power spokeswoman said. Several school systems closed for the day. In Arkansas, at least one person was hurt January 23 when a tornado touched down in Fordyce, said an official with the Dallas County emergency management office. About 40 homes were damaged, with 10 of those destroyed, said a spokesman for the Arkansas Department of Emergency management. Power outages, which peaked at 3,700, were down to about 1,300 just before daybreak. An airport in Dewitt, about 90 miles northeast of Fordyce, saw some damage to several buildings, said the airport manager. Possible tornadoes were also reported in Mississippi and Tennessee, according to the National Weather Service. The Mississippi Emergency Management Agency said one person was injured in Bolivar County, several homes were damaged in Bolivar and Quitman counties, and several farm buildings were damaged in Coahoma County. Source: http://www.cnn.com/2012/01/23/us/severe-weather/index.html?hpt=hp_t1

Details

Banking and Finance Sector

10. January 23, U.S. Securities and Exchange Commission – (Connecticut; New York) Diamondback Capital agrees to settle SEC insider trading charges. The Securities and Exchange Commission (SEC) January 23 announced that Diamondback Capital Management LLC agreed to pay more than $9 million to settle insider-trading charges brought by the Commission January 18. The proposed settlement is subject to the approval of a U.S. district court judge in New York. As part of the proposed settlement, the Stamford, Connecticut-based hedge fund adviser also has submitted a statement of facts to the SEC and federal prosecutors, and entered into a non-prosecution agreement with the the U.S. attorney’s office for New York. Under the proposed settlement, Diamondback will give up more than $6 million of allegedly ill-gotten gains and pay a $3 million civil penalty. In addition, Diamondback consented to a judgment that permanently enjoins it from future violations of federal anti-fraud laws. The proposed settlement would resolve charges of insider trading by Diamondback in shares of Dell Inc. and Nvidia Corp. in 2008 and 2009. The week of January 16, the SEC filed insider-trading charges against Diamondback, a second hedge fund advisory firm, and seven individuals, including a former Diamondback analyst and a former Diamondback portfolio manager. Source: http://www.sec.gov/news/press/2012/2012-16.htm

11. January 23, Softpedia – (International) New ZeuS variant ‘Citadel’ comes with customer support. During his expeditions in the hacking underground, a security researcher came across a new variant of the bank-account-stealing ZeuS Trojan called Citadel. Citadel’s developers mainly address customers not satisfied with the support offered by other malware providers. The fact that malware developers rarely make sure bugs in their products are patched up is seen as a business opportunity for Citadel’s owners. This is why they offer a bug reporting and suggestions mechanism via a ticketing system, allowing customers to file as many complaints as they want without having to contact the developer on instant messaging channels. Clients can also submit their own applications in what appears to be a social network. For $2,400 plus a monthly fee, cybercriminals can purchase a Citadel package comprised of a bot builder and a botnet administration panel. Among other features and add-ons that the trojan’s creators offer, there is one that detects if the victim’s keyboard is Russian or Ukrainian. It is known that hackers fear Russian authorities more than anything else because they are known to track down and prosecute those who commit crimes in the virtual environment. This is why this particular variant of ZeuS shuts itself down as soon as it detects the aforementioned keyboards. Source: http://news.softpedia.com/news/New-ZeuS-Variant-Citadel-Comes-with-Customer-Support-248032.shtml

12. January 22, KNSD 7 San Diego – (California) Carlsbad man arrested for. A Carlsbad, California, man was arrested January 21 in connection with a robbery series that spanned over 3 months, according to officials with the FBI. He was taken into custody after Carlsbad police SWAT teams surrounded his home, a special agent with the FBI said. He said the suspect was arrested after a multi-jurisdictional investigation into the ‘Dying Son Bandit’ bank robberies, a series that involved 10 banks. He added that a recent tip helped lead investigators to the suspect. The ‘Dying Son’ name came about because the suspect told bank tellers he was in need of money for his dying son. The suspect followed that up by telling the victims he was armed with a handgun and would shoot them if they did not comply with his demands. Seven robberies were completed and three were attempted, according to the special agent. The most recent robbery was at a Citibank branch in Laguna Hills January 20. Investigators determined the suspect’s claims of a dying son were false. Source: http://www.nbcsandiego.com/news/local/Arrest-Made-in-Dying-Son-Robbery-Series-FBI-137855818.html

13. January 21, Knoxvlle News Sentinel – (Tennessee) FBI allege ‘Ball Cap Bandit’ is meat salesman from North Knox. The FBI identified a meat salesman as a serial robber authorities said robbed three Tennessee banks since August 2011, the Knoxville News Sentinel reported January 21. His wife said he admitted in 2007 to robbing yet another bank using the same method as the man who authorities dubbed the ‘Ball Cap Bandit’ during the recent spree. He was arrested January 20 and charged with three counts of bank robbery. He is being held without bond at the Blount County Jail, the FBI said. Authorities said he robbed Home Federal Bank in Pigeon Forge August 24, Tennessee Bank in Oak Ridge November 14, and Tennessee National Bank in Jefferson City January 4. In each case, FBI agents allege the meat and seafood salesman used only a note demanding cash — usually between $2,500 and $3,000. Officials said when an image of the ball cap-wearing bank robber flashed on electronic billboards around Knoxville January 11, four of the man’s business associates identified him as the man. An FBI task force officer reported the suspect’s wife said that in the fall of 2007, her husband told her he had robbed a West Knoxville SunTrust Bank by using a note that demanded $3,000. Source: http://www.knoxnews.com/news/2012/jan/21/fbi-allege-ball-cap-bandit-is-meat-salesman-from/

14. January 20, Internet Crime Complaint Center; FBI; Financial Services-Information Sharing and Analysis Center – (International) Fraud alert involving e-mail intrusions to facilitate wire transfers overseas. The FBI observed a trend in which cyber criminals are compromising the e-mail accounts of U.S. individuals and businesses and using variations of the legitimate e-mail addresses associated with the victim accounts to request and authorize overseas transactions, according to a January 20 alert. The wire transfers are being sent to bank accounts of individuals typically located domestically or in Australia, and the funds are being sent directly to Malaysia. Investigations found some of the money mules in the United States and Australia are victims of a romance scam and are asked to further transfer the funds to Malaysia. As of December 2011, the attempted fraud amounts were about $23 million; with actual victim losses about $6 million. This type of fraud has affected banks, broker/dealers, credit unions, and other institutions. In a typical scenario, the cyber criminal will send an e-mail to a financial institution, brokerage firm employee, or the victim’s financial adviser pretending to be the victim and request the balance of the victim’s account. When the request is successful, the cyber criminal then sends another e-mail providing a reason why they can only communicate via e-mail and asks that a wire transfer be initiated on their behalf. The excuse is typically based on an illness or death in the family that prevents the account holder from conducting business as usual. Source: http://www.ic3.gov/media/2012/EmailFraudWireTransferAlert.pdf

15. January 20, Credit Union Times – (Florida) SEC charges Florida bank, CEO with CRE portfolio fraud. The Securities and Exchange Commission (SEC) charged the holding company for one of Florida’s largest banks and its chief executive officer (CEO) with misleading investors about growing problems in a loan portfolio, the Credit Union Times reported January 20. The SEC alleged BankAtlantic Bancorp and its CEO and chairman made misleading statements in public filings and earnings calls to hide the declining state of a large portion of the bank’s commercial real estate land acquisition and development portfolio (CRE) in 2007. BankAtlantic and the CEO then allegedly committed accounting fraud when they minimized the bank’s losses by improperly recording loans they were trying to sell from this portfolio in late 2007. According to the SEC’s complaint, BankAtlantic and the CEO knew a large portion of the loan portfolio was deteriorating in early 2007 because many loans required extensions due to borrowers’ inability to meet their obligations. Some loans were kept current only by extending the loan terms or replenishing the interest reserves from an increase in the loan principal, the SEC said. The CEO allegedly knew this negative information in part from participating in the bank’s major loan committee that approved the extensions and principal increases. As a result, BankAtlantic experienced a net loss of more than $45 million in its CRE portfolio. In 2007, the bank had about $1.5 billion in CRE loans. The SEC said BankAtlantic and the CEO also were aware that many of the loans had been internally downgraded to non-passing status, indicating the bank was deeply concerned about them. The SEC alleged that despite this knowledge, BankAtlantic’s public filings in the first two quarters of 2007 made only generic warnings of what may occur in the future if Florida’s real estate downturn continued. The CEO later allegedly made misleading statement to investors during the bank’s earnings calls, according to the SEC. BankAtlantic finally acknowledged the problems in the third quarter of 2007 by announcing “a large unexpected loss.” The SEC’s complaint seeks financial penalties and permanent injunctive relief against BankAtlantic and the CEO to enjoin them from future violations of the federal securities laws. The complaint also seeks an officer and director bar against the CEO. Source: http://www.cutimes.com/2012/01/20/sec-charges-florida-bank-ceo-with-cre-portfolio-fr

16. January 19, Orangeburg Times and Democrat – (South Carolina) Bank ordeal suspect: ‘Fulfilling my destiny’. A man accused of holding more than a dozen people hostage January 17 in an Orangeburg, South Carolina, bank said he was fulfilling his destiny for the Lord, the Orangeburg Times and Democrat reported January 19. He told the court January 18 he needed a platform for attention to fulfill a religious calling. The bank was that platform. He stopped short, however, of explaining precisely what those certain purposes were. Investigators charged the suspect with 13 counts of kidnapping, one count of attempted murder, and one count of resisting arrest with a deadly weapon. He informed the court he had no intention of harming anyone during his stand-off with police. The warrants were served on the suspect a day after police said he held multiple employees and customers hostage at a South Carolina Bank and Trust. More charges are possible, police said. Investigators are still trying to determine why the suspect allegedly entered the bank with several knives. He never demanded money, investigators said. On January 17, someone in the bank tripped a robbery alarm that sent dozens of officers to the 3-story bank. Three police negotiators spent 45 minutes trying to determine what the subject barricaded inside wanted. Negotiators were given no demands, however. Officers moved in through the bank’s doors, including the front door, which was barricaded with chairs. The subject was then tased into submission. Source: http://thetandd.com/news/bank-ordeal-suspect-fulfilling-my-destiny/article_c2a6a0aa-4262-11e1-be19-0019bb2963f4.html

Information Technology

41. January 23, IDG News Service – (International) DreamHost resets passwords after database breach. Los Angeles-based Web hosting firm DreamHost reset the FTP and shell access passwords for all of its customers January 20 after detecting unauthorized activity within a database. “One of DreamHost’s database servers was illegally accessed using an exploit that was not previously known or prevented by our layered security systems in place,” said DreamHost’s CEO. Even though it could not be blocked, the unauthorized access was detected by one of the firm’s intrusion detection systems, allowing its security team to react quickly and take necessary mitigation steps. The company notified its customers about the security breach via e-mail and informed them only passwords used for FTP and shell access were affected. Billing or personal information was not exposed, DreamHost said. Source: http://www.computerworld.com/s/article/9223625/DreamHost_resets_passwords_after_database_breach?taxonomyId=17

42. January 23, Softpedia – (International) Hackers prove EA, IGN, ImageShack, NY Times, Verizon vulnerable. A new hacking collective, TeamHav0k, launched an operation called “#OP XSS” in which they try to find cross-site scripting (XSS) vulnerabilities in major Web sites. The first results of the operation came in and reveals many important sites contain XSS flaws. A Pastebin document reveals Web sites such as the ones belonging to Verizon, Huffington Post, European Organization for Nuclear Research, Electronic Arts (EA), IGN, and New York Times contain design flaws. Some educational institutions were also found to contain XSS security holes, including University of Illinois, Harvard, Yale, and Rockefeller University. Telecoms company Verizon, media hosting company ImageShack, value calculator and traffic estimator tool StatShow, Major League Gaming, and Dr. Pepper complete the list. Even though XSS vulnerabilities are among the most common ones found in commercial Web sites, this does not mean they are not dangerous. Cybercriminals can rely on these weaknesses to execute their own malicious codes and cause damage to the virtual assets of unsuspecting Internet users. Source: http://news.softpedia.com/news/Hackers-Prove-EA-IGN-ImageShack-NY-Times-Verizon-Vulnerable-247952.shtml

43. January 23, H Security – (International) Critical hole in Apache Struts 2 closed. The developers of the Apache Struts 2 Java Web framework released version 2.3.1.2. This closes a critical hole in versions of Struts from 2.0.0 to 2.3.1.1 that allowed for remote command execution. The vulnerability makes it possible for the protection around OGNL, an expression language used for getting and setting properties of Java objects, to be bypassed and arbitrary expressions to be evaluated. Source: http://www.h-online.com/security/news/item/Critical-hole-in-Apache-Struts-2-closed-1419498.html

44. January 20, Computerworld – (International) Anonymous dupes users into joining Megaupload attack. In a message on Twitter and in a blog post, Anonymous claimed its January 20 distributed denial of service (DDoS) attacks against the Web sites of the Department of Justice, the Recording Industry Association of America, the Motion Picture Association of America, and others were its largest ever, and 5,600 people collaborated in the assaults. However, some of the 5,600 who participated may have done so unwittingly, said a senior technology consultant with Sophos. He said members of Anonymous distributed links via Twitter and elsewhere that when clicked, automatically launched a Web version of Anonymous’s DDoS tool, the Low Orbit Ion Cannon (LOIC). The links pointed to a page on PasteHTML.com, a free HTML code-hosting site, which in turn executed some JavaScript to fire LOIC at Anonymous-designated targets. Many of those messages said nothing about LOIC or that clicking the link tricked the user into the DDoS attack, the consultant said. Anonymous is still recruiting people to its campaign. A search of Twitter using a string published on Gawker.com indicated the link was being shared January 20 at the rate of about 10 to 18 times per minute. Source: http://www.computerworld.com/s/article/9223601/Anonymous_dupes_users_into_joining_Megaupload_attack?taxonomyId=17

For more stories, see items 10, 11, and 14, above in the Banking and Finance Sector.

Communications Sector

45. January 21, WCMH 4 Columbus – (Ohio) Verizon customers without service for a time Saturday night. Some Ohioans in the Columbus, Ohio area without landline phone service found themselves isolated when an apparent outage affecting Verizon customers hit January 21. Franklin County Sheriff’s Office personnel confirmed a widespread outage. Columbus police told the communications center the outage was expected to be corrected in about 2 hours. Telephone and text service appeared to have been affected, but Internet access did not appear to have been interrupted. Law enforcement and emergency officials were unaware of any accident that may have precipitated the situation during the outage. Some Verizon customers said they were in the process of talking to the company’s service department, which was treating their problems as specific to the customer’s own service. Source: http://www2.nbc4i.com/news/2012/jan/21/columbus-cell-users-cut-ar-905311/

46. January 20, KTVB 7 Boise – (Idaho) Power outages in Boise County knocks out KTVB signal. KTVB 7 in Boise, Idaho, was back on the air the night of January 20 after a power outage at Bogus Basin knocked it off the air for most of the day. Heavy ice and snow damaged powerlines in the areas of Placerville, Idaho City, and Boise. Idaho Power said the power outage affected more than 500 customers, including Bogus Basin. The KTVB transmitter is located at the top of the mountain, which caused the station to be one of those affected customers. Crews were battling deep snow as they responded to downed power lines, and in many cases they were finding more problems along the way. Source: http://www.ktvb.com/news/KTVB-experiencing-technical-difficulties-137746713.html

For another story see item 47 above in Top Stories.

2012-01-23T05:23:00.001-05:00

Monday, January 23, 2012

Complete DHS Daily Report for January 23, 2012

Daily Report

Top Stories

• A monster Pacific Northwest storm brought much of Washington state to a standstill January 19, shutting down roads, railways, and airports, and knocking out power to hundreds of thousands. – Associated Press (See item 22)

22. January 20, Associated Press – (Washington; Oregon) Deadly storm grips Northwest in ice, snow. A monster Pacific Northwest storm coated the Seattle area in a thick layer of ice January 19 and brought much of the state to a standstill, sending hundreds of cars spinning out of control, temporarily shutting down the airport and knocking down so many trees that members of the Washington State Patrol brought chain saws to work. Amtrak suspended train service January 19 between Seattle and Portland, Oregon. Officials in Spokane declared a snow emergency, banning parking along arterials and bus routes beginning that evening. Freezing rain and ice pellets caused numerous accidents in the Seattle area. The state patrol said it had responded to about 2,300 accidents in a 24-hour period ending at 9 a.m. January 19. The state transportation department closed one highway because of falling trees that also took out power lines. Ice closed Sea-Tac Airport completely in the early morning before one runway was reopened. Washington’s governor declared a state of emergency, authorizing the use of National Guard troops if necessary. Authorities also worried about flooding in the coming days as temperatures warm up. Source: http://www.google.com/hostednews/ap/article/ALeqM5iEUQVqCD98ykHu-Vf3YULsam3qOg?docId=162906a20f5d4087827020f92f749b55

• A group of researchers found serious security holes in six top industrial control systems used in critical infrastructure and released exploit modules in the hopes they would be patched before they are attacked. – Wired. See item 44 below in the Information Technology Sector.

Details

Banking and Finance Sector

15. January 20, Associated Press – (Texas) Dallas: conviction over $14M investment scheme. A federal jury in Dallas has convicted a man of deceiving more than 200 people in a $14 million investment scheme, federal prosecutors announced January 19. He was convicted of seven counts of wire fraud and one count of securities fraud. Prosecutors said the man tricked investors into putting money into a company he created called Sardaukar Holdings. Investigators said he then squandered most of the money on cars, entertainment, and jewelry. Each count of wire fraud carries a maximum sentence of 20 years in prison and a $250,000 fine. The securities fraud count carries a maximum sentence of 5 years in prison and a $250,000 fine. Source: http://www.chron.com/news/article/Dallas-conviction-over-14M-investment-scheme-2643601.php

16. January 20, Fort Collins Coloradoan – (Colorado) Windsor man guilty of securities fraud. A jury January 19 convicted a former Windsor, Colorado investment adviser on securities fraud and theft charges in connection with what prosecutors said was a $5.7 million scam with dozens of Fort Collins-area victims. He was convicted on six of the seven felony counts he faced. He remains free on bond pending his sentencing in a case that prosecutors said victimized more than 70 people. He was convicted on four counts of securities fraud, one count of securities fraud as a course of business, and one count of theft. He was acquitted on one count of securities fraud. The U.S. Securities and Exchange Commission, also is seeking a $10 million fine on behalf of 64 investors, many of whom lost their life savings. An assistant attorney general said in trial the adviser told investors their money would remain safe, but instead it was used either to fund risky schemes or pay back earlier investors. Each charge against the adviser is a Class 3 felony punishable by 4 to 12 years in prison and fines up to $750,000. The adviser’s two former co-defendants each pleaded guilty to securities fraud in March and received 1-year deferred sentences. As part of the sentences, they agreed to pay about $1.2 million in restitution. Source: http://www.coloradoan.com/article/20120120/NEWS01/201200330/Windsor-Man-guilty-securities-fraud?odyssey=mod|newswell|text|News|s

17. January 20, Associated Press – (International) Feds shut down popular file-sharing website Megaupload. One of the world’s most popular file-sharing sites was shut down January 19, and its founder and several company officials were accused of facilitating millions of illegal downloads of films, music, and other content. A federal indictment accused Megaupload.com of costing copyright holders at least $500 million in lost revenue. Megaupload is based in Hong Kong, but some of the alleged pirated content was hosted on leased servers in Ashburn, Virginia, which gave federal authorities jurisdiction, the indictment said. The Justice Department said in a statement that Megaupload’s founder and three other employees were arrested January 19 in New Zealand at the request of U.S. officials. Three other defendants are at large. The indictment said Megaupload was estimated at one point to be the 13th most frequently visited Web site on the Internet. Current estimates by companies that monitor Web traffic place it in the top 100. The five-count indictment, which alleges copyright infringement, as well as conspiracy to commit money laundering and racketeering, described a site designed to reward users who uploaded pirated content for sharing, and turned a blind eye to requests from copyright holders to remove copyright-protected files. For instance, users received cash bonuses if they uploaded content popular enough to generate massive numbers of downloads, the indictment said. Such content was almost always copyright protected. The site boasted 150 million registered users and about 50 million hits daily. Megaupload is considered a “cyberlocker,” in which users can upload and transfer files too large to send by e-mail. The Web site allowed users to download content for free, but made money by charging subscriptions to people who wanted access to faster download speeds or extra content. The Web site also sold advertising. Several sister sites were also shut down, including one dedicated to sharing pornography files. Source: http://www.msnbc.msn.com/id/46070076/ns/technology_and_science-tech_and_gadgets/#.TxmmEYH-5YR

18. January 19, Orange County Register – (California) Another ‘Market Duo Bandit’ arrested, police say. A man suspected of being one of the “Market Duo Bandits” was arrested in California January 18, nearly 2 weeks after another suspected member of the robbery team was shot by a deputy at the end of a high-speed pursuit. The suspect was arrested in a traffic stop near his La Mirada home after La Habra detectives and FBI Robbery Task Force members identified him as a suspected member of a group believed to be tied to at least five Orange County bank robberies, a police spokeswoman said. The “Market Duo Bandits,” believed to have struck in La Habra, Seal Beach, Lake Forest, and Placentia, earned their nickname for targeting bank branches in supermarkets. The last holdup took place January 5, when the two returned to a Wells Fargo in a Stater Bros. market on Imperial Highway that police say they had previously robbed. A Brea police officer saw the robbers leaving the scene and a freeway chase ensued. The two fled from the vehicle in Paramount. A deputy confronted and shot one of the men. FBI officials say a third suspect was arrested several days after the shooting. Source: http://www.ocregister.com/news/market-336328-duo-police.html

19. January 19, Minneapolis Star Tribune – (Minnesota) More plead guilty to Cloud 9 fraud scheme. Two real estate professionals have pleaded guilty in connection with kickbacks at the troubled Cloud 9 Sky Flats development in Minnetonka, Minnesota, a scheme prosecutors say defrauded lenders out of $7 million to $20 million. The pair pleaded guilty in federal court January 18 to conspiracy to commit mail and wire fraud. They face a maximum of 20 years in prison. One defendant was the owner and loan officer of the mortgage brokerage company Team Access. The other defendant owned the business Trend Title and closed residential real estate transactions. The pair admitted that from 2007 to 2008, they obtained mortgage loan proceeds under false pretenses on behalf of home buyers associated with an unnamed investment group. The owner of Team Access admitted he lied on those applications, including inflating incomes of buyers and failing to disclose that buyers would receive cash kickbacks from mortgage loan proceeds. He secured loans for the purchase of about 108 properties in all. The owner of Trend Title admitted she closed about 88 fraudulent transactions for the investment group, concealing from mortgage lenders that the purchasers got kickbacks from mortgage loan proceeds and that the buyers were often not the source of the “cash to close.” The kickbacks were disguised as prepaid management fees and facilitator fees. She also closed eight to 10 transactions involving undisclosed Cloud 9 buyers. Four others have already pleaded guilty in the scheme. The number of condo units involved in the overall kickback arrangement has topped 100 at Cloud 9 and elsewhere. Kickbacks from the loan proceeds exceeded $8 million, according to federal prosecutors. Source: http://www.startribune.com/business/137678373.html

20. January 19, Berkshire Eagle – (Massachusetts; National; International) Fraudulent buys made with stolen debit, credit card info. Fraudulent purchases have been made with dozens of people’s debit and credit card information because sales records were stolen from a local retail business in the Pittsfield, Massachusetts area, the Berkshire Eagle reported January 19. Because the breach sprang from a retailer, it is impacting a host of local and regional banks whose customers shopped at the store over the last 2 months. Information from hundreds of debit and credit cards may have been obtained by those who stole the retailer’s records, though the number of customers whose data was used to make purchases is much less. At Greylock Federal Credit Union, purchases were made with information from 19 cards. The data obtained from the retailer was used to make impostor credit or debit cards, according to bank officials. Great Barrington police are investigating. The vice president of retail banking and marketing for the Pittsfield Cooperative Bank said his office became aware of the problem late the week of January 9 with fraudulent purchases being made in Canada, specifically at pharmacies and gas stations. It later spread to the United States, in places such as New Jersey and Florida. Berkshire Bank and Greylock have not sent out blanket notifications to customers, but they are working with individuals directly affected. Information from as many as 70 cards from Pittsfield Cooperative may have been compromised. Source: http://www.berkshireeagle.com/ci_19777441?source=most_viewed

21. January 19, PC Magazine – (International) Israeli hackers target UAE, Arab Bank sites. In the wake of recent hacks that targeted Israeli Web sites, a group known as IDF Team January 19 went after the Web sites for two major Arab banks. As of 1:30 p.m. Eastern Time, the Web sites for the Central Bank of the United Arab Emirates and Arab Bank were both offline. In a note posted to Pastebin, IDF Team said its attacks were in retaliation for a January 18 hack of Israel’s Anti-Drug Authority Web site, which IDF called terrorist activity and “attempts to disrupt the normal course of life in Israel.” If the attacks on Israeli sites don’t stop, IDF Team pledged to also target stock market and government Web sites, such as the Arab Emirates Web portal at government.ae, as well as “sites related to the country’s economy and even security.” According to the Financial Times, the January 19 bank attacks were likely distributed denial of service (DDoS) attacks. Source: http://www.pcmag.com/article2/0,2817,2399095,00.asp

Information Technology

44. January 19, Wired – (International) Hoping to teach a lesson, researchers release exploits for critical infrastructure software. A group of researchers discovered serious security holes in six top industrial control systems used in critical infrastructure and manufacturing facilities and, thanks to exploit modules they released January 19, have also made it easy for hackers to attack the systems before they are patched or taken offline. The vulnerabilities were found in widely used programmable logic controllers (PLCs) made by General Electric, Rockwell Automation, Schneider Modicon, Koyo Electronics, and Schweitzer Engineering Laboratories. PLCs are used in industrial control systems to control functions in critical infrastructure such as water, power, and chemical plants; gas pipelines and nuclear facilities; as well as in manufacturing facilities such as food processing plants and automobile and aircraft assembly lines. The vulnerabilities, which vary among the products examined, include backdoors, lack of authentication and encryption, and weak password storage that would allow attackers to gain access to the systems. The security weaknesses also make it possible to send malicious commands to the devices to crash or halt them, and to interfere with specific critical processes controlled by them, such as the opening and closing of valves. As part of the project, the researchers worked with Rapid7 to release Metasploit exploit modules to attack some of the vulnerabilities. Metasploit is a tool used by computer security professionals to test if their networks contain specific vulnerabilities. Hackers also use the same exploit tool to find and gain access to vulnerable systems. Source: http://www.wired.com/threatlevel/2012/01/scada-exploits/

45. January 19, H Security – (International) OpenSSL fixes DoS bug in recent bug fix. The OpenSSL developers have released versions 1.0.0g and 0.9.8t to address a denial of service (DoS) issue introduced by one of the six fixes included in the version they released earlier in January. The problem was created by the fix for a critical vulnerability in the CBC (“Cipher block chaining”) encryption mode which enabled plaintext recovery of OpenSSL’s implementation of DTLS (Datagram TLS). Accordingly, the advisory notes the DoS flaw only affects users using DTLS applications that use OpenSSL 1.0.0f and 0.9.8s. The developers credit a researcher from Cisco Systems for discovering the bug and preparing the fix for it. Source: http://www.h-online.com/security/news/item/OpenSSL-fixes-DoS-bug-in-recent-bug-fix-1417352.html

For more stories, see items 17 and 21 above in the Banking and Finance Sector and item 46 below in the Communications Sector.

Communications Sector

46. January 19, KVOA 4 Tuscon – (Arizona) Copper thieves target Century Link. A $1,000 reward is being offered for information leading to an arrest in the case of copper theft from Century Link, KVOA 4 Tucson reported January 19. The phone, Internet, and TV company said copper was stolen from more than 80 sites in Pima County, Arizona, and the Phoenix area. Forty-three of those sites are in Tucson alone. The vice president and general manager of Century Link said the theft has cost the company hundreds of thousands of dollars, but has really impacted its customers. “[W]e’re most concerned about the outages this causes for people that rely on the service day in and day out.” Each theft causes hours of service outage for thousands of customers and takes crews several hours to repair. Authorities from throughout Pima County are investigating. A deputy said the Pima County’s Sheriff’s Office is looking at 11 cases from Century Link alone. Century Link believes citizens may not contact authorities because, in some instances, the thieves are driving utility type trucks posing as landscapers. “The thieves typically target areas that are a little bit more rural. Where they probably stand a better chance of doing this and some of the theft has actually taken place in the middle of the day,” the vice president said. Source: http://www.kvoa.com/news/copper-thieves-target-century-link/