DHS Daily Open Source Infrastructure Report

2012-01-27T05:14:00.000-05:00

Friday, January 27, 2012

Complete DHS Daily Report for January 27, 2012

Daily Report

Top Stories

• A Kentucky mine was shut down after federal inspectors found two unsecured cases of explosives near a burning pile of coal, loose coal near ignition sources, and inches-thick piles of explosive dust. – Associated Press (See item 2)

2. January 25, Associated Press – (Kentucky) MSHA shuts Ky. mine over coal fire, other hazards. A Kentucky mine was shut down after federal inspectors found two unsecured cases of explosives near a burning pile of coal, as the government issued 174 citations and 19 orders at troubled coal mines during December. The Mine Safety and Health Administration (MSHA) said January 25 it issued 32 citations and 12 orders against Coal Creek Mining LLC’s No. 2 Mine in Floyd County, Kentucky. Inspectors found a 5- by 10-foot coal pile on fire about 23 feet from two cases of explosives outside the mine and issued an imminent danger order. The key to the explosives cache was lying on top. Inspectors said they also found a 5-gallon oil bucket full of burning coal and other materials near a portal in the mine, and loose coal up to 30 inches deep under conveyor belts and near ignition sources. The mine was inadequately dusted with pulverized limestone to prevent explosions, and the MSHA said the operator also failed to use approved ventilation plans. Explosive coal dust was 2 to 4 inches deep in places. More unwarrantable failure orders were issued for inadequate hazard examinations, including on-shift conveyor belt examinations and weekly inspections of the return air course and electrical equipment. After the December inspection, the MSHA issued two more orders against Coal Creek for failing to fully correct the problems. The agency also issued 53 citations and five orders in December against Clark Mining Inc.’s No. 3 mine, and 25 citations and two orders against Bell County Coal Corp’s Jellico No. 1, both in Kentucky. Source: http://www.cbsnews.com/8301-505245_162-57366077/msha-shuts-ky-mine-over-coal-fire-other-hazards/

• A prominent Miami businessman pleaded guilty January 25 to fraud in a $135 million real estate scheme that fleeced hundreds of investors in Florida, New York, and several South American countries. – Associated Press. See item 13 below in the Banking and Finance Sector.

Details

Banking and Finance Sector

10. January 25, KPHO 5 Phoenix – (Arizona) Guilty plea from ‘Black Binder Bandit’. A man who confessed to a dozen bank robberies in the East Valley area of Arizona pleaded guilty in federal court January 24. The defendant faces a maximum of life in prison and a $250,000 fine. Investigators dubbed the man the “Black Binder Bandit” because he frequently carried a black binder that contained a note and sometimes a gun. He would also place the money in the binder before leaving the bank. He admitted to robbing 12 banks starting September 2, 2010, until he was arrested July 20, 2011. He said he made off with more than $49,000 in those robberies. Source: http://www.kpho.com/story/16600659/guilty-plea-from-black-binder-bandit

11. January 25, St. Louis Post-Dispatch – (Missouri) St. Louis County police arrest suspect in ‘Logo Bandit’ bank robbery. A man from Mexico, Missouri, was charged January 25 in a bank robbery earlier this month blamed on a man authorities dubbed the “Logo Bandit,” police said. He was charged with robbery for the January 17 holdup of Jefferson Bank and Trust. The suspect in the Jefferson Bank robbery implied he was armed but never displayed a weapon. According to court documents, he said he went into the bank and gave a teller a note with the word “robbery” on it. Police said he kept a hand inside his jacket and implied he had a gun. He ordered the teller to give him $100 and $50 bills from the drawer and “not to attempt any funny stuff and nothing will happen.” After the teller put $3,670 on the counter, he took the money and left, court documents say. Police arrested the suspect in Richmond Heights with help from the FBI and the Richmond Heights Police Department. He could be charged in other municipalities where he is suspected in bank robberies, police said. Police and the FBI have suspected the “Logo Bandit” in at least seven other bank robberies over the past 4 months. He was given the nickname because he wore hats and sweatshirts featuring brand-name or athletic logos each time he robbed a bank. Source: http://www.stltoday.com/news/local/crime-and-courts/st-louis-county-police-arrest-suspect-in-logo-bandit-bank/article_c1f07f36-4790-11e1-b9b2-001a4bcf6878.html

12. January 25, KOVR 13 Sacramento – (California; Nevada) ‘Fedora Bandit’ charged with 7 Northern California bank robberies. The suspect dubbed the ‘Fedora Bandit” was charged with seven counts of armed bank robbery in California January 24, a U.S. attorney announced. According to court documents, the suspect also committed the April 12, 2010 armed robbery of the Bank of the West’s Carson City, Nevada branch. He is currently in federal custody in Lompoc on a drug trafficking conviction after being stopped in a motor home in Kansas in December 2010 with more than 40 pounds of cocaine, and more than 160 pounds of marijuana. According to the FBI criminal complaint, he confessed to the bank robberies while being interviewed at the federal penitentiary January 19. He faces up to 25 years in federal prison for each armed bank robbery. The suspect, who earned the nickname because of the fedora-style hat he wore during alleged heists, made off with a reported $56,000 in cash from the California bank robberies. Source: http://sacramento.cbslocal.com/2012/01/25/fedora-bandit-charged-with-7-northern-california-bank-robberies/

13. January 25, Associated Press – (Florida; New York; International) Prominent Fla. businessman guilty in $135M fraud; investors include Roman Catholic prep school. A prominent Miami businessman pleaded guilty January 25 to fraud in a $135 million real estate scheme that fleeced hundreds of investors, including the Roman Catholic prep school he once attended. He faces up to 5 years behind bars after pleading guilty to a single count of wire and mail fraud conspiracy. He also lured investors from Miami’s close-knit Cuban-American community, many of them elderly and some Roman Catholic priests. Federal prosecutors said the man operated his company, Royal West Properties Inc., like a Ponzi scheme in which he paid older investors with money raised from newer ones. The company sold real estate investments in southwest Florida since 1993, but fell on hard times beginning in 2002 and was eventually forced into bankruptcy in 2009, according to court documents. Before it crashed, Royal West promised rates of return as high as 16 percent for investors who bought properties that were marketed nationally on Spanish-language networks and through offices in Florida, New York, Colombia, Ecuador, Peru and Venezuela. The chief of the Securities and Exchange Commission field office in Miami, called it a typical “affinity” scam where the perpetrator uses a position of trust to prey on members of a specific group. In all, prosecutors said more than 150 investors lost about $47 million between 2003 and 2008. Of the total, investigators said the man and his wife skimmed about $20 million for other business ventures, to pay themselves more than $5 million in salaries, and to pay children and grandchildren $1 million in “consulting fees” even though they did no work for Royal West. He could be ordered to pay millions of dollars in restitution. Source: http://www.washingtonpost.com/business/prominent-fla-businessman-guilty-in-135m-fraud-investors-include-roman-catholic-prep-school/2012/01/25/gIQApE8aQQ_story.html

14. January 25, U.S. Department of Justice – (Florida) Former executive of Miami-based ocean bank pleads guilty to participating in bribery scheme and to fliing false tax returns. A former executive of Miami-based Ocean Bank pleaded guilty January 25 in a U.S. district court in Miami to participating in a scheme to accept bribes and to failing to report the income on federal income tax returns, the Department of Justice announced. The charges against the former vice president stemmed from his accepting nearly $500,000 in cash and other items from unnamed co-conspirators in connection with his supervision of certain unnamed customer business with the bank. According to court documents, the vice president generally oversaw Ocean Bank’s lending relationships with corporate customers. The department said that beginning in or about February 2001 and continuing thereafter through on or about April 25, 2007, he accepted bribes, including payments for expensive watches, Super Bowl tickets, and other items for his personal use, as well as substantial amounts of cash. He accepted the payments intending to be rewarded and influenced in connection with his role in approving Ocean Bank’s issuance of letters of credit, loans, and overdraft privileges to co-conspirators. The court documents also show he failed to report income from the bribes for the tax years 2005, 2006 and 2007, resulting in lost tax revenue of about $91,000 to the federal government. He was charged with one count of conspiracy to solicit or demand money and other things of value to influence an employee of a financial institution and three counts of tax offenses. The conspiracy count carries a maximum sentence of 5 years in prison and a $250,000 criminal fine. The tax charges each carry a maximum sentence of 3 years in prison and $250,000 fine. Source: http://www.justice.gov/opa/pr/2012/January/12-at-102.html

Information Technology

35. January 26, V3.co.uk – (International) Symantec advises users to turn off pcAnywhere in hack aftermath. Symantec has advised customers to take their copies of pcAnywhere offline as the company continues to struggle with the aftermath of a major data breach. The company issued a whitepaper addressing new vulnerabilities in its remote access tool that were exploited by a recently publicized attack which allowed attackers to gain access to the application’s source code. The 2006 hack was recently brought to light by an Indian hacking team that is seeking to publicly distribute the code. Symantec has now determined a major update is necessary to protect users from any flaws revealed in the compromised source code. The company is advising users of pcAnywhere 12.5 to disable the remote management tool until an update is released. If users do not take their copies of the tool offline, the company warned attackers could possibly compromise systems and perform “man-in-the-middle” attacks that could result in the theft of user credentials and other network traffic. Source: http://www.v3.co.uk/v3-uk/news/2141452/symantec-advises-users-pcanywhere-hack-aftermath

36. January 26, Computerworld – (International) Google stirs up privacy hornet’s nest. Google announced the company is rewriting its privacy policy, consolidating user information across its services. The company, however, is not offering users an opt-out option. If a user does not want their information from Gmail, YouTube, and Google searches combined into one personal data store that can paint a detailed picture of them, the only option is to cease using Google’s services. Source: http://www.computerworld.com/s/article/9223719/Google_stirs_up_privacy_hornet_s_nest?taxonomyId=17

37. January 25, Threatpost – (International) Poison Ivy variant changes benign code to malicious after download. Researchers found there are now some pieces of malware downloading not explicitly malicious pieces of code, but small bits of code benign on their face that are then transformed into malicious instructions once they are on the target machine. The code was found by Microsoft researcherst when investigating a file calling out to the site of a restaurant. They expected the file to be a standard downloader that would pull down a malicious executable hosted on the compromised server and then run that locally. Instead, the file was downloading a piece of code that did not do much at first. Further analysis showed the initial VisualBasic application was doing many things. “Once the application was run on a machine with a simulated Internet connection, it got the contents of the HTML page of the restaurant website mentioned previously. The application copied itself to the Windows system folder as ‘misys.exe’, and started keylogging, although the static analysis did not indicate this kind of functionality,” Microsoft researchers wrote in an analysis. “So the VB Application is extending its functionality dynamically by downloading and executing x86 instructions in the context of its own process. The ‘downloader’ becomes malware by executing this downloaded blob of x86 instructions. And the downloaded instructions will be not injected to a different process and not dropped to disc, they will be executed in the process context of the ‘downloader’, thus the ‘downloader’ inherits the malware functionality.” What the victim ends up is a version of the Poison Ivy backdoor. Source: http://threatpost.com/en_us/blogs/poison-ivy-variant-changes-benign-code-malicious-after-download-012512

38. January 25, Softpedia – (International) Amateur programmer: SMS spoofing for malicious purposes is easy. SMS spoofing is not new, researchers having proved in 2010 for BBC’s Watchdog it could be done. While most telecommunications companies are aware of the risks, few have actually done something to prevent it. Now, an amateur programmer came forward with a simple app to prove SMS spoofing for malicious purposes is something widely available, and if measures are not taken, a lot of individuals may be exposed to cybercriminal operations. A self-described “completely amateur programmer” with less than 2 years’ experience, managed to develop a simple program that could allow anyone to launch social engineering attacks with the purpose of obtaining valuable information and maybe even money. Source: http://news.softpedia.com/news/Amateur-Programmer-SMS-Spoofing-for-Malicious-Purposes-Is-Easy-248669.shtml

For another story, see item 39 below in the Communications Sector

Communications Sector

39. January 26, Dark Reading – (International) Hacktivists turn to DNS hijacking. Hacktivists have added a new tactic to their arsenal: redirecting all traffic from a target company’s Web site, Dark Reading reported January 26. According to a blog written by a security expert from Internet Identity (IID), politically motivated attackers are now using DNS hijacks, which redirect all traffic from a victim’s legitimate Web site (and often all the e-mail and back-end transactions, too) to a destination of the attacker’s choosing. “A determined criminal can set up a fake look-alike destination site to dupe customers into revealing credentials or downloading malware,” the expert stated. Many companies pay little, if any, attention to securing their domain registrations, and most do not continuously monitor their DNSes to make sure they’re resolving properly around the world, making them vulnerable to attack, the blog said. “The first indication most victims have of a DNS hijack is that their website traffic slows to a trickle,” it noted. “Then they have to figure out why, and DNS is rarely the first thing they think of, which lengthens the time to mitigate the attack.” On January 22, the domain name UFC.com was hijacked by a hacktivist group, IID reported. On January 23, that same group, called UGNazi, hijacked two domain names, coach.com and coachfactory.com, belonging to luxury goods maker Coach Inc. Both Coach and UFC registered their domains at Network Solutions, IID reports. “The criminals hijacked the domains by accessing the companies’ domain management accounts at Network Solutions,” the blog stated. “It’s currently unclear how they did so. In such cases, the cause is usually weak or compromised user passwords, or a website vulnerability at the registrar.” Source: http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/232500513/hacktivists-turn-to-dns-hijacking.html

40. January 25, KRBD 105.3 FM Ketchikan – (Alaska) KPU phone experiences outages. About 50 percent of Ketchikan Public Utilities (KPU) telecommunications customers in Alaska experienced a telephone outage January 25. At about 8:45 a.m., some KPU residential and business customers began experiencing fast busy signals, could not get a dial tone, or reached “call cannot be completed” recordings when attempting to place calls. There were periods of time when KPU customers were able to make and receive calls, only to have the call terminated. The outage also affected some cellular customers and those serviced by other phone carriers trying to call KPU customers. KPU’s Internet and TV services were not affected. The source of the outage was located in KPU’s central computerized switching network. KPU technicians worked with the manufacturer of the switching network to restore service. Service was restored to all customers at about 2 p.m. January 25. Source: http://www.krbd.org/2012/01/25/kpu-phone-experiences-outages/

2012-01-26T05:15:00.000-05:00

Thursday, January 26, 2012

Complete DHS Daily Report for January 26, 2012

Daily Report

Top Stories

Stories

• Viruses are accidentally infecting worms on victims’ computers, creating super-powered strains of hybrids that experts say pose a greater risk than standard malware. – The Register. See item 35 below in the Information Technology Sector.

• Police arrested a teenager and charged him with attempted murder and aggravated arson in connection with firebombing attacks on two New Jersey temples. – WPIX 11 New York City (See item 40)

40. January 25, WPIX 11 New York City – (New Jersey) Teen arrested in firebombing attacks on NJ temples. Police arrested a teenager in connection with firebombing attacks on New Jersey temples, WPIX 11 New York City reported January 24. According to officials, the Lodi, New Jersey teen has been arrested and charged with the January 11 attempted murder of a rabbi and his family, and the associated firebombing of the Rutherford synagogue. He was also charged in the arson and firebombing of the Temple K’Hal Adath Jeshrun in Paramus January 3, officials said. Investigators are crediting the arrest with the release of surveillance video and photographs the week of January 16 that captured the suspect purchasing many components of the incendiary device used in the Rutherford temple attack. Evidence connecting the suspect to the crime was reportedly discovered at his home, after authorities executed a search warrant. He was charged with nine counts of first degree attempted murder, one count of first degree bias intimidation, and one count of first degree aggravated arson for the Rutherford incident. He was charged with first degree aggravated arson, first degree bias intimidation, and third degree arson for the Paramus incident. Source: http://www.wpix.com/news/wpix-arrest-made-nj-temple-fire-bombings,0,3171515.story

Details

Banking and Finance Sector

9. January 25, Daytona Beach News-Journal – (Florida) Workers at 3 Daytona convenience stores accused of food card scams. A multi-agency investigation in Florida nabbed three convenience store workers accused of defrauding the state and federal government out of more than $2 million through Electronic Benefit Transfer (EBT) purchases, authorities said January 24. Investigators with the Daytona Beach Police Department as well as agents with the U.S. Secret Service and other agencies served search warrants at three convenience stores, the Daytona Beach police chief said. He said one of the suspects would purchase EBT cards from customers for cash at about a third of the value of their cards, which generally can only be used to buy groceries through the federal Supplemental Nutrition Assistance Program (SNAP). The suspect would then purchase goods at area stores for her own benefit. Authorities said she also made fictitious purchases at her store and got reimbursed the following month. In total, she made about $1.1 million in fraudulent purchases, the chief said. She was charged with five counts each of racketeering, social welfare fraud, and fraudulent use of a credit card, and one count of carrying a concealed weapon. At the other two locations, two suspects would allow EBT customers to make ineligible beer and cigarette purchases with their cards, but grossly inflate the prices, police said. Each would then pocket the difference. The two men were charged with five counts each of racketeering, social welfare fraud, and fraudulent use of a credit card. The police chief said the three businesses would typically only report $4,000 of SNAP purchases in 1 month, but during the 6 months the fraud occurred, they were redeeming about 10 times that amount. Source: http://www.news-journalonline.com/news/local/east-volusia/2012/01/25/workers-at-3-daytona-convenience-stores-accused-of-food-card-scams.html

10. January 24, Bloomberg – (District of Columbia; Virginia) Army Corps official to plead guilty to bribery, U.S. says. A U.S. Army Corps of Engineers contracting official will plead guilty to bribery and conspiracy charges brought in connection with an alleged $20 million false billing scheme, prosecutors said. The U.S. attorney’s office in Washington D.C., in a federal court filing January 24, said the official will admit to taking bribes and conspiring to launder money. The official was accused along with a colleague of funneling more than $45 million through a contract he was in charge of to a company that kicked back $20 million generated by overbilling. Also charged were the colleague’s son, the director of contracts for Eyak Technology LLC in Dulles, Virginia. Prosecutors call the case one of the “most brazen” frauds in federal contracting history. Source: http://www.bloomberg.com/news/2012-01-24/army-corps-official-to-plead-guilty-to-bribery-u-s-says-1-.html

11. January 24, Associated Press – (Puerto Rico) FDIC files lawsuit against former Westerbank officials; cites $176M in damages. U.S. regulators are seeking $176 million in damages from officials at what used to be Puerto Rico’s second-largest bank, the Associated Press reported January 24. The Federal Deposit Insurance Corp. (FDIC) accused six former Westernbank officials and directors of gross negligence, violating loan policy, and ignoring auditor warnings in a suit filed last week. Regulators shut down the bank and its 45 branches in April 2010, citing a $4.25 billion loss. The FDIC, which took over the bank, said the damages it seeks represent the total loss of 10 construction loans, seven asset-based loans, and four commercial real estate loans that the bank approved from January 2004 to July 2009. The FDIC accused Westernbank officials of approving loans to make a quick profit through an “aggressive and reckless growth strategy.” The agency also accused the bank’s former director of not disclosing a personal financial interest in a $12 million loan before it was approved. Source: http://www.washingtonpost.com/business/fdic-files-lawsuit-against-former-westerbank-officials-cites-176m-in-damages/2012/01/24/gIQAuaD7NQ_story.html

12. January 24, Associated Press – (Arizona; International) Feds find $500K hidden in BMW at Nogales entry. Federal officers in Nogales, Arizona, recovered more than $500,000 in undeclared money hidden in a BMW that an Arizona man was allegedly trying to drive into Mexico January 20. The Nogales International reported that U.S. Customs and Border Protection officers conducting outbound inspections at the Dennis DeConcini Port of Entry selected the man for additional inspection. Agents placed the man’s car on a vehicle lift and discovered a non-factory compartment containing 21 packages of undeclared U.S. currency. The funds were confiscated and the man was arrested and turned over to U.S. Immigration and Customs Enforcement’s Homeland Security Investigations. Source: http://ktar.com/6/1492171/Feds-find-500K-hidden-in-BMW-at-Nogales-entry

13. January 23, Houston Chronicle – (Texas; Louisiana) League City man admits using fake ID, stolen credit cards to buy electronics. A League City, Texas man on supervised release in a $1 million credit card fraud case pleaded guilty January 23 to new charges accusing him of using stolen credit cards and fake IDs to buy electronics worth $10,000. He was using stolen credit card numbers when he tried to buy iPads, iPhones and other products at the Apple store in Memorial City Mall in August, authorities said. When asked for identification, the man presented a fake Florida driver’s license with his photo but a different name. The name on the cards was linked to more than $200,000 worth of fraudulent Apple product purchases in Louisiana and Texas, officials said. The suspect was arrested at the store. When arrested, the suspect had 38 fraudulent credit cards, officials said, as well as four iPads and four iPhones bought the same day from Apple stores in the Galleria and Sugar Land area. All items, valued at $6,000, were bought using the same fraudulent credit cards, officials said. The suspect admitted in court he was serving a term of supervised release from a 2007 credit card fraud case when he was arrested. In the prior case, the suspect and his wife were charged for using more than 2,000 stolen credit card numbers to buy merchandise totaling more than $1 million, according to court records. Source: http://www.chron.com/news/houston-texas/article/League-City-man-admits-using-fake-ID-stolen-2678581.php

14. January 22, Salem Today’s Sunbeam – (New Jersey) Computer hackers tap into Salem County bank account holding $13 million, steal $19,000. Computer hackers have broken in and stolen about $19,000 by way of an illegal wire transfer from a Salem County, New Jersey bank account that held over $13 million, Salem Today’s Sumbeam reported January 22. The illegal transaction happened in mid-December and as of late the week of January 16, the Salem County chief finance officer (CFO) said the county has yet to recoup the money. He said the county is working with law enforcement officials, who believe the county system was attacked by a computer virus called a “Zeus,” a trojan horse computer virus that steals banking information by keystroke logging and form grabbing. The CFO said the hacker was able to access the county’s online banking system through the Microsoft Exchange server. “They were able to jump in our account and essentially blocked us from logging on,” the CFO said. “When they were logged in, they wired out $19,000 to an account with JP Morgan Chase out in California.” In all, the account that was entered held more than $13 million in county funds. The CFO said the Information Technology Department at the county was unable to trace the virus back to its origins. As a precautionary measure, the county is no longer using its online banking system, CashLink, which is run by Fulton Bank of New Jersey. The CFO said the computer that was attacked with the virus has also been removed and sent to a crime lab for analysis. The county will also be setting up a new secure computer solely for bank transactions. This computer will have no e-mail, public Internet access, and no disk drive or USB ports. Source: http://www.nj.com/salem/index.ssf/2012/01/computer_hackers_tap_into_sale.html

Information Technology

34. January 25, H Security – (International) Opera 11.61 fixes XSS vulnerability. Version 11.61 of Opera has been released. According to its developers, the maintenance update fixes bugs found in the existing builds and closes two security holes in the Web browser. Opera 11.61 addresses a “high” severity cross-site scripting vulnerability that could be exploited by an attacker to bypass the same origin policy. A second issue, rated as “low” severity, in which remote pages could detect what local files a user has on their local machine, was also fixed. Changes not related to security include an update to the default Speed Dials as well as fixes for the built-in e-mail client, and a number of bugs that caused the application to crash. Source: http://www.h-online.com/security/news/item/Opera-11-61-fixes-XSS-vulnerability-1421248.html

35. January 25, The Register – (International) Super-powered ‘frankenmalware’ strains detected in the wild. Viruses are accidentally infecting worms on victims’ computers, creating super-powered strains of hybrid software nasties. The monster malware spreads quicker than before, screws up systems worse than ever, and exposes private data in a way not even envisioned by the original virus writers. A study by antivirus outfit BitDefender found 40,000 such “Frankenmalware samples” in a study of 10 million infected files in early January, or 0.4 percent of malware strains sampled. These cybercrime chimeras pose a greater risk to infected users than standard malware, the antivirus firm warns. “If you get one of these hybrids on your system, you could be facing financial troubles, computer problems, identity theft, and a wave of spam thrown in as a random bonus,” said the BitDefender analyst who carried out the study. “The advent of malware sandwiches throws a new twist into the world of malware. They spread more efficiently, and will become increasingly difficult to predict.” BitDefender does not have historical data to go on. Even so, it posits that frankenmalware is likely to grow at the same rate as regular computer viruses, or about 17 percent per year. All of the malware hybrids analyzed by BitDefender so far have been created accidentally. However, the risk posed by these combinations could increase dramatically as criminals latch onto the idea. Source: http://www.theregister.co.uk/2012/01/25/frankenmalware/

36. January 25, H Security – (International) Critical flaw discovered in Symantec’s pcAnywhere. Symantec issued a warning about a critical vulnerability in pcAnywhere, the remote control application for PCs. The vulnerability could allow an attacker to remotely inject code into a system running pcAnywhere and then run it with system privileges. This attack works because a service on TCP port 5631 allows user input during the authentication process that is not adequately checked. According to Symantec, this port should, under normal conditions, only be reachable by authorized network users, so an attacker would have to first gain access to the network or another computer on the network to compromise other systems. In practice though, overly lax firewall configurations mean such ports are always available on the Internet. Symantec is also correcting a vulnerability that meant that files installed during pcAnywhere’s installation process were marked as writable by everyone. This would allow an unprivileged user with local access to overwrite these files, possibly with code that could grant elevated privileges. Further details of the two holes are still being kept secret by Symantec, and exploits are reportedly not in circulation. As the flaws were reported by security researchers of NGS Secure, it is probable the discovery of the flaws is not related to the recent theft of source code for an older version of pcAnywhere. pcAnywhere 12.5.x is vulnerable to the flaws, as are versions 7.0 and 7.1 of the company’s IT Management Suite Solution. Symantec released a hotfix that can be installed either manually or automatically with Symantec’s LiveUpdate system. Source: http://www.h-online.com/security/news/item/Critical-flaw-discovered-in-Symantec-s-pcAnywhere-1421261.html

37. January 24, H Security – (International) Joomla! 2.5 adds new features, closes holes. The Joomla! Project announced the arrival of version 2.5.0 of its open source PHP-based content management system. The successor to the 1.7 release from July 2011 is a long term support version that will be supported for “at least 18 months” and adds several new features. The update addresses two medium-priority, cross-site scripting vulnerabilities and two low-priority, information disclosure holes. Source: http://www.h-online.com/security/news/item/Joomla-2-5-adds-new-features-closes-holes-1420866.html

For more stories, see items 14 above in the Banking and Finance Sector and 39 below in the Communications Sector.

Communications Sector

38. January 24, Radio World – (Florida) FCC fines Florida pirate $10,000. The Federal Communications Commission (FCC) has fined a man $10,000 for operating an unlicensed radio transmitter on 98.7 MHz in Miami, Radio World reported January 24. Following up on a complaint in July, Miami Enforcement Bureau agents traced the unauthorized signal to an FM transmitting antenna mounted in a tree. The station was also transmitting an RDS display of “98.7 FM Energy,” according to the commission. The agents also found an Internet Web site for the station, www.energyfm987.com. The man told agents he would turn off the station, but did not admit he was the operator or unauthorized station owner. The agents left and the transmissions resumed. The agents again traced the illegal transmissions to the same home. Agents from the Miami office identified the man by comparing his Florida driver’s license photograph to pictures posted on the Internet. In assessing the penalty, the FCC stated in its decision the man can be said to have “operated” the unlicensed radio station on 98.7 MHz because he demonstrated control over the general conduct or management of the station, according to the agency’s rules. The station continues to be streamed online. Source: http://www.rwonline.com/article/fcc-fines-florida-pirate-/211476

39. January 24, Dark Reading – (International) IP D-Day: Major providers, vendors to go IPv6 June 6. It has been in the works for more than a decade, but the next-generation IPv6 protocol will officially go live in some major corners of the Internet in 2012, Dark Reading reported January 24. The Internet Society has deemed June 6 as World IPv6 Day, when Google, AT&T, Facebook, Comcast, Cisco, and others plan to flip the switch to the new IP protocol. IPv6 has been available in most products for some time, and various organizations and government agencies have test-run the protocol. Other nations, such as Japan and France, have already broadly rolled out IPv6. Meanwhile, IPv4 has outlasted some predictions it would have run out of address space by now, and IPv6 has exponentially more address space that can better accommodate the explosion of IP devices. Like any new technology rollout, security experts say the transition to IPv6 could introduce new bugs into the ecosystem. Among the companies participating in the IPv6 cutover June 6 are Google, Facebook, Microsoft Bing, Yahoo!, AT&T, Comcast, Free Telecom, Internode, KDDI, Time Warner Cable, XS4All, Cisco, and D-Link. The ISPs going to IPv6 — AT&T, Comcast, Free Telecom, Internode, KDDI, Time Warner Cable, and XS4ALL — will roll out the new protocol in their networks so that at least 1 percent of their wireline residential subscribers who visit other IPv6-enabled Web sites will get there via IPv6. They plan to make IPv6 a big part of their services, while new home routers from Cisco and D-Link will enable IPv6 by default. Source: http://www.darkreading.com/security-monitoring/167901086/security/perimeter-security/232500387/

2012-01-25T05:28:00.000-05:00

Wednesday, January 25, 2012

Complete DHS Daily Report for January 25, 2012

Daily Report

Top Stories

• A burst of radiation on the sun’s surface triggered a geomagnetic storm on Earth January 24 that caused rerouting of flight routes, may have disrupted satellite communications and the Global Positioning System. – San Francisco Chronicle (See item 31)

31. January 24, San Francisco Chronicle – (International) Solar flare may hit satellite communications, GPS. A burst of radiation on the sun’s surface may trigger a geomagnetic storm on Earth January 24 that could disrupt satellite communications and the Global Positioning System by mid-morning, scientists at the Space Weather Prediction Center said January 23. The eruption — called a solar flare — has also sent billions of tons of matter streaming toward Earth from the sun’s surface at millions of miles per hour in what scientists call a coronal mass ejection, according to a physicist at the center in Boulder, Colorado. The radiation storm could create unusually intense flares of the aurora borealis — the northern lights — and has caused some international airlines to divert planes from polar routes to courses where radio communication is less likely to be affected, the physicist said. A new National Aeronautics and Space Administration satellite called the Solar Dynamics Observatory is vastly improving the ability of scientists to predict the violent magnetic storms that threaten Earth and to understand the mysterious nature of solar physics, the physicist said. Source: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2012/01/24/MNJJ1MTCTM.DTL

• A researcher located and mapped more than 10,000 industrial control systems hooked up to the public Internet, and found many were open to easy hack attacks because of lax security. – Wired. See item 37 below in the Information Technology Sector.

Details

Banking and Finance Sector

6. January 24, Charlotte Observer – (North Carolina) 6 charged in Charlotte-area mortgage scheme. Federal prosecutors filed charges against six Charlotte, North Carolina-area defendants over mortgage fraud-related offenses and a “builder kickback” scheme, the latest fallout from the housing market bust, the Charlotte Observer reported January 24. The defendants are accused of working with Charlotte home builder Tara Properties to sell houses by offering kickbacks to straw buyers. The kickbacks were not disclosed to lenders or included on loan applications, according to documents filed last week in federal court. The scheme resulted in hundreds of sales between January 2005 and February 2008, with Tara paying more than $5 million in kickbacks, the filings say. The conspirators fraudulently caused lenders to provide more than $42 million in loans, prosecutors allege. Tara specialized in building homes priced between $100,000 and $200,000 and the company offered kickbacks of 15 percent of the sales price. Defendants lied on loan applications about income and assets, employment, debts, and anticipated debts, and intent to occupy the home as a primary residence, court documents say. Some applications also contained false or forged documents such as bogus payroll stubs and bank statements. The straw buyers recruited by the promoters and mortgage brokers generally were unqualified to obtain the loans, and the “vast majority” of homes lapsed into foreclosure, according to prosecutors. The six defendants indicted the week of January 16 in connection with the builder-kickback scheme have been charged with mortgage fraud conspiracy, and money laundering conspiracy. Source: http://www.wcnc.com/news/local/6-charged-in-Charlotte-area-mortgage-scheme-137949413.html

7. January 23, Birmingham Business Journal – (Alabama) Wells Fargo, Regions branches among businesses damaged in Center Point. Banks and several other businesses in Center Point, Alabama, were damaged by storms that swept through Jefferson County January 23. The Wells Fargo and BBVA Compass branches on Center Point Parkway were heavily damaged and were closed the morning of January 23. Representatives from Wells Fargo said the downtown branch would open at 10:30 a.m. A spokesperson from BBVA Compass said the bank sustained only minor damage and was expected to reopen January 24. Regions Bank ‘s Center Point branch was also closed due to minor damage. Regions’ Deerfoot Parkway and Pinson branch locations were closed due to road and power issues in those areas. A Regions representative said there were power outages in market areas outside of Birmingham that have been impacted by the severe weather, and that isolated branch closings would be possible. Source: http://www.bizjournals.com/birmingham/news/2012/01/23/wells-fargo-branch-other-businesses.html

8. January 23, U.S. Department of Treasury – (International) Treasury designates major Iranian state-owned bank. The U.S. Department of the Treasury January 23 designated Iran’s third-largest bank, Bank Tejarat, for providing financial services to several Iranian banks and firms already subject to international sanctions for involvement in Iran’s weapons of mass destruction (WMD) proliferation activities. With the January 23 action, 23 Iranian-linked financial institutions, including all of Iran’s largest state-owned banks, have been sanctioned by the United States based on their involvement in Iran’s illicit activities. Bank Tejarat was designated pursuant to Executive Order (E.O.) 13382 (Blocking Property of WMD Proliferators and Their Supporters) for providing financial services to Bank Mellat, the Export Development Bank of Iran (EDBI), the Islamic Republic of Iran Shipping Lines (IRISL), and the Ministry of Defense for Armed Forces Logistics (MODAFL), all of which were previously designated by Treasury or the Department of State for involvement in Iran’s WMD proliferation activities. Trade Capital Bank also was designated January 23 for providing financial services to EDBI, and for being owned or controlled by Bank Tejarat. Bank Tejarat has nearly 2,000 branches throughout Iran, as well as foreign branches in France and Tajikistan. Trade Capital Bank is a Belarus-based bank owned by Bank Tejarat. Bank Tejarat has directly facilitated Iran’s illicit nuclear efforts. For example, in 2011, Bank Tejarat facilitated the movement of tens-of-millions of dollars in an effort to assist the Atomic Energy Organization of Iran’s ongoing effort to acquire uranium. Source: http://www.treasury.gov/press-center/press-releases/Pages/tg1397.aspx

9. January 23, WCMH 4 Dublin – (Arizona; Ohio) 2 plead guilty to $15 million mortgage fraud scheme. Two central Ohio men pleaded guilty in connection with a $15 million mortgage fraud scheme that cost lenders more than $6 million, WCMH 4 Columbus reported January 23. The men pleaded guilty to fraudulently obtaining about $15 million in mortgage loans to finance the purchase of 26 real estate properties in Maricopa County, Arizona. The guilty pleas were entered January 17 and January 20. Officials said that between August 2006 and May 2007, the two men applied for loans using false income, assets, and occupancy statements on the applications. The loans were inflated to allow the man to use the excess mortgage proceeds to generate cash kickbacks payable to co-conspirators that were undisclosed to the lenders. The co-conspirators then provided the money to the men via interstate wire transfers, investigators said. They said the men used a mortgage brokerage company they co-owned, Vanguard Mortgage, in Westerville, to finance the purchases of the properties. Each man inflated his income, minimized his assets, failed to disclose his ownership of several other properties on which he held loans, and concealed the fact he intended to receive substantial cash kickbacks after the closing of three properties. All 26 of the Arizona properties were subsequently sold short or foreclosed upon due to borrowers being unable to pay the monthly payments. Each man pleaded guilty to one count of money laundering, which is punishable by up to 10 years in prison, a fine of up to $250,000 or twice the value of the property involved, whichever is greater, and restitution to the victims. Source: http://www2.nbc4i.com/news/2012/jan/23/two-plead-guilty-15-million-mortgage-fraud-scheme-ar-907064/

10. January 23, Kansas City Business Journal – (International) Euronet faces first criminal computer breach of secure payment data. Euronet Worldwide Inc., a Leawood, Kansas company that provides secure payment services, has reported a criminal computer security breach. Euronet said the breach targeted a “small portion” of its European business in late 2011, according to a January 23 filing with the Securities and Exchange Commission. The event marks the global electronic payments provider’s first data breach, the company’s chief executive officer (CEO) said. “(We), like hundreds of thousands of other companies, have been hacked into, but we were able to find it early, plug the hole ... and our breach has been contained for well over a month,” the CEO said. He said the breach affected card data in Euronet’s electronic fund transfer division, a European unit that makes up 17 percent of its business. Third-party forensic investigators confirmed the breach did not affect Euronet’s other business units, including its epay division, ATM networks, or money-transfer operations, the company reported in the filing. The CEO said that of the electronic fund transfer division, 90 percent of the data on card transactions remained protected. He partially credited a highly secure microchip that appears on most European debit and credit cards. The chip requires a verification PIN for access. The 10 percent of data that became exposed stemmed from older cards that had not yet been updated with the chip, he said. Source: http://www.bizjournals.com/kansascity/news/2012/01/23/euronet-faces-first-criminal-computer.html?page=all

11. January 23, Sacramento Bee – (California) Three Sacramento women arrested in false tax return scheme. Three Sacramento, California women were arrested January 23, accused of stealing taxpayers’ identities and their tax refunds. According to federal court documents, the women have been charged in a conspiracy to defraud the United States through the filing of false tax returns using TurboTax, an income tax preparation software and filing service. The women are charged with executing a mail fraud scheme to obtain Green Dot debit cards, a service offered through the TurboTax software, loaded with the tax return money of taxpayer victims. In addition to the conspiracy, one of the women is charged with 15 counts of filing false tax returns, 20 counts of mail fraud, and eight counts of aggravated identity theft. Another is charged with five counts of filing false tax returns, 15 counts of mail fraud, and one count of aggravated identity theft, according to a federal Department of Justice news release. The alleged fraudulent tax return claims filed by the three women amount to more than $1,366,427, with an actual paid Internal Revenue Service (IRS) loss of about $962,079. The scheme involved more than 280 false tax returns and numerous victim taxpayers, officials said. Source: http://blogs.sacbee.com/crime/archives/2012/01/three-sacramento-women-arrested-in-false-tax-return-scheme.html

12. January 23, Computerworld Australia – (International) Researcher traces ‘Gameover’ malware to maker of Zeus. The “Gameover” malware that the FBI warned users about earlier in January 2012 is a preview of the next version of the even-more-notorious Zeus money-stealing trojan, a security researcher said January 23. “Gameover represents the latest and greatest source code package from the Zeus author,” a senior security researcher with Dell SecureWorks’ counter-threat unit said. “[New features] in Gameover will be rolled into the final Zeus version 3, which is in beta and will wrap up soon if it hasn’t already.” Two weeks ago, the FBI warned of increased action by Gameover, including rounds of spam that tried to dupe recipients into infecting their PCs with the malware, which like Zeus, is designed to pillage individuals’ and companies’ bank accounts. The security researcher, who has been tracking the Zeus malware and its developer for years, said Gameover posed a new and more dangerous threat because it had been created by the maker of Zeus specifically at the behest of one of his biggest clients. “The crew using Gameover has requested a lot of changes in the Zeus functionality,” he said, adding the hacker crew using Gameover has direct access to Zeus’ maker because it pays him well and often for support. “The Zeus author now has only three or four major clients,” he said. The criminal coder abandoned all his “small fish” to focus on supporting a handful of customers who pay top dollar for his work. The additions demanded by the Gameover gang, which the Zeus developer quickly created, included a new, more distributed form of command-and-control (C&C) that uses a peer-to-peer function to update infected machines when or if a botnet’s single C&C server is discovered by authorities and taken offline. Gameover also supports the use of complex Web injections that allow criminals to bypass multi-factor authentication now used by many financial institutions to stymie account plundering. And the crew apparently asked for changes to Zeus that would let the gang rent third-party botnets that specialize in conducting distributed denial-of-service (DDoS) attacks, the researcher added. Source: http://www.computerworld.com/s/article/9223642/Researcher_traces_Gameover_malware_to_maker_of_Zeus?taxonomyId=17

For another story, see item 40 below in the Information Technology Sector.

Information Technology

37. January 24, Wired – (International) 10K reasons to worry about critical infrastructure. A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the public Internet, including water and sewage plants, and found many could be open to easy hack attacks, due to lax security practices. Infrastructure software vendors and critical infrastructure owners have long maintained industrial control systems — even if rife with security vulnerabilities — are not at risk of penetration by outsiders because they are not online. However, a computer science doctoral student from Cambridge University developed a tool that matches information about industrial control systems connected to the Internet with information about known vulnerabilities to show how easy it could be for an attacker to locate and target them. To debunk the myth industrial control systems are never connected to the Internet, the student used the SHODAN search engine, which allows users to find Internet-connected devices using simple search terms. He then matched that data to information from vulnerability databases to find known security holes and exploits that could be used to hijack the systems or crash them. He used Timemap to chart the information on Google maps, along with red markers noting brand devices that are known to have security holes in them. The student found 10,358 devices connected through a search of 2 years worth of data in the SHODAN database. However, he was unable to determine how many of the devices uncovered were actually working systems, nor was he able to determine in all cases whether the systems were critical infrastructure systems installed at power plants and other significant facilities. The student also found only 17 percent of the systems he found online asked him for authorization to connect, suggesting administrators either were not aware their systems were online or had simply failed to install secure gateways to keep out intruders. Source: http://www.wired.com/threatlevel/2012/01/10000-control-systems-online/

38. January 24, Help Net Security – (International) Researchers discover network of 7,000 typo squatting domains. A network of some 7,000 typo squatting domains is being used by scammers to effectively drive traffic towards their sites, some of which get so much traffic that they managed to enter Alexa’s top 250 list of sites with the largest Web traffic, according to Websense researchers. The typo squatting domains take advantage of visitors to popular Web sites such as Google, Twitter, Gmail, YouTube, Wikipedia, Victoria’s Secret, Craigslist, and many more, and redirect them to spam survey sites. From there, the users are taken to sites with spam advertisements and greyware masquerading as free downloads of legitimate software such as movie downloaders. Websense researchers said currently these sites are not offering malware for download. “However, if these networks are resold to underground groups, then the potential outcome could be even more damaging than the 0-day exploit security attacks,” they point out. Users are mostly in danger of handing over their private information and other sensitive data when completing the surveys. Source: http://www.net-security.org/secworld.php?id=12275

39. January 24, H Security – (International) Chrome 16 update closes security holes. Google released version 16.0.912.77 of Chrome which closes several security holes in the WebKit-based Web browser. The update addresses a total of four vulnerabilities, all of which are rated as “high severity.” These include use-after-free holes in DOM selections and DOM handling, an uninitialized value in the Skia 2D graphics library, and a buffer overflow in tree builder. Four bugs that were detected using AddressSanitizer were also been fixed. The developers note a critical use-after-free issue in Safe Browsing navigation was corrected in version 16.0.912.75 but was “accidentally excluded from the release notes.” Additional details of the vulnerability are being withheld until “a majority of users are up-to-date with the fix.” Source: http://www.h-online.com/security/news/item/Chrome-16-update-closes-security-holes-1420506.html

40. January 23, Wired – (International) I spy your company’s boardroom. Researchers from Rapid7 discovered they could remotely infiltrate conference rooms in some of the top venture capital and law firms across the country, as well as pharmaceutical and oil companies and even the boardroom of Goldman Sachs — all by calling in to unsecured videoconferencing systems they found by doing a scan of the Internet. One of the researchers found he was able to listen in on meetings, remotely steer a camera around rooms, as well as zoom in on items to discern paint flecks on a wall or read proprietary information on documents. Despite the fact the most expensive systems offer encryption, password protection, and the ability to lock down the movement of cameras, the researchers found administrators were setting them up outside firewalls and failing to configure security features to keep out intruders. Some systems, for example, were set up to automatically accept inbound calls so users did not need to press an “accept” button when a caller dialed into a videoconference, opening the way for anyone to call in and eavesdrop. Using a program the researchers wrote, they found the conference rooms by scanning the Internet for videoconference systems set up outside firewalls and configured to automatically answer calls. In less than 2 hours, they found systems installed in 5,000 conference rooms, including an attorney-inmate meeting room at a prison, an operating room at a university medical center, and a venture capital company where prospects were pitching their companies while laying out their financial details on a screen in the room. Companies sometimes set up systems outside firewalls so other companies can easily call into the videoconferencing system without having to set up complex, but safer configurations. As a result, the researchers found they could easily hijack systems, and also access systems they otherwise could not find through an Internet scan. Source: http://www.wired.com/threatlevel/2012/01/videoconferencing-hijacked/

41. January 23, IDG News Service – (International) HP pays $425,000 to settle claims over hazardous laptop batteries. Hewlett-Packard (HP) will pay $425,000 to settle a claim that it knowingly sold laptops with hazardous batteries that could overheat or catch fire, the U.S. Consumer Product Safety Commission announced January 23. HP learned of about 22 incidents involving the batteries by September 2007, but it failed to report the problem until 10 months later, according to the Commission. The lithium-ion battery packs were shipped in new HP laptops or sold as accessories and spare parts. Because of the defect, they could overheat, posing fire and burn hazards, the Commission said. Soon after it reported the problem, HP and the Commission recalled about 32,000 lithium-ion battery packs. Around the same time, Dell and Toshiba also recalled lithium-ion battery packs, which were manufactured by Sony. In agreeing to the settlement, HP denied the batteries posed an unreasonable risk or that it violated federal reporting requirements. With respect to the recall, it acted “in accordance with the CPSA and in its customers’ best interests,” HP said in the agreement. Source: http://www.computerworld.com/s/article/9223650/HP_pays_425_000_to_settle_claims_over_hazardous_laptop_batteries?taxonomyId=17

For more stories, see items 10 and 12 above in the Banking and Finance Sector, 31 above in Top Stories, and 44 below in the Communications Sector.

Communications Sector

42. January 23, Charlotte Observer – (North Carolina) Power glitch hushes radio stations. A power failure followed by a generator malfunction knocked five Charlotte, North Carolina radio stations off the air for about 4 hours January 21. An operations manager for Clear Channel Radio’s five local stations said January 23 that the stations went silent at 11:23 a.m. January 21 when electricity went out in the studios’ neighborhood. An emergency generator to power the stations kicked on, but then shut down, he said. Three company engineers came in, backed up a truck used for remote broadcasts to the door of the building and were able to power up key broadcast components from it. By 3 p.m., they had the five stations — WKKT-FM 96.9, WHQC-FM 96.1, WLYT-FM 102.9, WEND-FM 106.5, and WRFX-FM 99.7 — back on the air. Source: http://www.charlotteobserver.com/2012/01/23/2952639/power-glitch-hushes-radio-stations.html

43. January 23, KARK 4 Little Rock – (Arkansas; Texas; Oklahoma) AT&T wireless service temporarily disrupted in AR, TX & OK. Some AT&T wireless customers in Arkansas and two neighboring states were affected by a service disruption January 23. It happened for at least a couple of hours during the morning, but all appeared to be back to normal by around 9 a.m. During the disruption, some customers were unable to send or receive text messages. The company released the following statement about the problems: “Earlier today, some customers in North Texas and parts of Oklahoma and Arkansas may have experienced a service disruption with wireless data service. AT&T technicians quickly worked to address the issue, and service is currently running normally.” Source: http://arkansasmatters.com/fulltext?nxd_id=501592

44. January 22, Santa Fe New Mexican – (New Mexico) Damaged cable disrupts Internet service. Many CenturyLink customers in Santa Fe and other parts of New Mexico were without Internet service for several hours January 23 while Sprint and Virgin Mobile customers across the state were hit by service disruptions through the weekend due to a cut fiber optics cable. Reports of Internet loss began as early as midnight in parts of Santa Fe. CenturyLink reported electrical equipment failure at the Santa Fe office that affected service at 12:45 a.m. January 23, according to CenturyLink’s market development manager for Northern New Mexico. By 9 a.m., the system was rebooted, and by 10 a.m. most customers were able to access the Internet again. Sprint and Virgin Mobile customers in Santa Fe, Albuquerque, Farmington, and Los Alamos also were frustrated by interrupted service January 21 through January 22. The culprit was a cut interstate fiber optics cable that affected CenturyLink, according to a regional Sprint communications representative. She said Sprint leases cable space from the cable line in some areas to link service. She confirmed an interstate fiber optics line was cut in Texas, affecting New Mexico. “It impacted the entire state,” she said. Source: http://www.santafenewmexican.com/Local News/Damaged-cable-disrupts-Internet-service

For more stories, see item 31 above in Top Stories and item 38 above in the Information Technology Sector

2012-01-24T05:41:00.001-05:00

Tuesday, January 24, 2012

Complete DHS Daily Report for January 24, 2012

Daily Report

Top Stories

• A new review published in Clinical Infectious Diseases stated that shortages of key drugs used to fight infections represent a public health emergency and can put patients at risk. – Infectious Diseases Society of America (See item 31)

31. January 22, Infectious Diseases Society of America – (National) Anti-infective drug shortages pose threat to public health and patient care. A review published in Clinical Infectious Diseases stated that shortages of key drugs used to fight infections represent a public health emergency and can put patients at risk, the Infectious Diseases Society of America stated in a January 20 news release. Frequent anti-infective shortages can substantially alter clinical care and may lead to worse outcomes for patients, particularly as the development of new anti-infectives has slowed and the prevalence of multidrug-resistant pathogens is increasing. First-line treatments for herpes encephalitis, neurosyphilis, tuberculosis, and enterococcal infections, among others, have been hit by shortages, forcing physicians to use other drugs that may not work as well, the authors found. Of the 193 medications unavailable in the United States at the time of the analysis, 13 percent were anti-infective drugs, the authors found. “Anti-infectives often represent irreplaceable life-saving treatments,” the authors noted, and hospitalized patients are particularly vulnerable in an era when such shortages often last months and are occurring more frequently. Source: http://esciencenews.com/articles/2012/01/22/anti.infective.drug.shortages.pose.threat.public.health.and.patient.care

• Severe weather tore across the Southeast January 23, killing at least two people, injuring hundreds, knocking out power to tens of thousands, and damaging hundreds of homes and buildings. – CNN (See item 47)

47. January 23, CNN – (Alabama; Arkansas; Mississippi) Severe weather rakes Southeast; 2 dead in Alabama. Severe weather tore across the Southeast January 23, killing at least two people, injuring more than 100 and spreading damage through several states, emergency officials said. The two fatalities reported were near Birmingham, Alabama, according to a Jefferson County sheriff’s official. At least 100 injuries were reported, from cuts and bruises to broken bones. At least 211 homes were destroyed and 218 suffered major damage in Jefferson County. That number is expected to rise. Emergency crews were working to locate people who may be trapped or injured, and clear roads, several of which were impassable, the sheriff’s office said. Video from the Center Point area showed numerous downed trees, some on top of homes. A photo from one Clay, Alabama subdivision showed many homes heavily damaged or destroyed, with debris strewn across the neighborhood and trees snapped in half. Damage was also reported in Perry and Chilton counties. Damage was reported in Maplesville, according to the Chilton County emergency management agency. A radio studio and transmission tower was reported toppled in Chilton County by a possible tornado, the National Weather Service said. The Alabama governor declared a state of emergency. Seven Alabama counties reported storm damage, with most in Jefferson and Chilton counties. As of 2 p.m. January 23, fewer than 15,000 customers statewide were without power, Alabama Power said on Twitter. The outages peaked at 45,400 about 5 a.m., an Alabama Power spokeswoman said. Several school systems closed for the day. In Arkansas, at least one person was hurt January 23 when a tornado touched down in Fordyce, said an official with the Dallas County emergency management office. About 40 homes were damaged, with 10 of those destroyed, said a spokesman for the Arkansas Department of Emergency management. Power outages, which peaked at 3,700, were down to about 1,300 just before daybreak. An airport in Dewitt, about 90 miles northeast of Fordyce, saw some damage to several buildings, said the airport manager. Possible tornadoes were also reported in Mississippi and Tennessee, according to the National Weather Service. The Mississippi Emergency Management Agency said one person was injured in Bolivar County, several homes were damaged in Bolivar and Quitman counties, and several farm buildings were damaged in Coahoma County. Source: http://www.cnn.com/2012/01/23/us/severe-weather/index.html?hpt=hp_t1

Details

Banking and Finance Sector

10. January 23, U.S. Securities and Exchange Commission – (Connecticut; New York) Diamondback Capital agrees to settle SEC insider trading charges. The Securities and Exchange Commission (SEC) January 23 announced that Diamondback Capital Management LLC agreed to pay more than $9 million to settle insider-trading charges brought by the Commission January 18. The proposed settlement is subject to the approval of a U.S. district court judge in New York. As part of the proposed settlement, the Stamford, Connecticut-based hedge fund adviser also has submitted a statement of facts to the SEC and federal prosecutors, and entered into a non-prosecution agreement with the the U.S. attorney’s office for New York. Under the proposed settlement, Diamondback will give up more than $6 million of allegedly ill-gotten gains and pay a $3 million civil penalty. In addition, Diamondback consented to a judgment that permanently enjoins it from future violations of federal anti-fraud laws. The proposed settlement would resolve charges of insider trading by Diamondback in shares of Dell Inc. and Nvidia Corp. in 2008 and 2009. The week of January 16, the SEC filed insider-trading charges against Diamondback, a second hedge fund advisory firm, and seven individuals, including a former Diamondback analyst and a former Diamondback portfolio manager. Source: http://www.sec.gov/news/press/2012/2012-16.htm

11. January 23, Softpedia – (International) New ZeuS variant ‘Citadel’ comes with customer support. During his expeditions in the hacking underground, a security researcher came across a new variant of the bank-account-stealing ZeuS Trojan called Citadel. Citadel’s developers mainly address customers not satisfied with the support offered by other malware providers. The fact that malware developers rarely make sure bugs in their products are patched up is seen as a business opportunity for Citadel’s owners. This is why they offer a bug reporting and suggestions mechanism via a ticketing system, allowing customers to file as many complaints as they want without having to contact the developer on instant messaging channels. Clients can also submit their own applications in what appears to be a social network. For $2,400 plus a monthly fee, cybercriminals can purchase a Citadel package comprised of a bot builder and a botnet administration panel. Among other features and add-ons that the trojan’s creators offer, there is one that detects if the victim’s keyboard is Russian or Ukrainian. It is known that hackers fear Russian authorities more than anything else because they are known to track down and prosecute those who commit crimes in the virtual environment. This is why this particular variant of ZeuS shuts itself down as soon as it detects the aforementioned keyboards. Source: http://news.softpedia.com/news/New-ZeuS-Variant-Citadel-Comes-with-Customer-Support-248032.shtml

12. January 22, KNSD 7 San Diego – (California) Carlsbad man arrested for. A Carlsbad, California, man was arrested January 21 in connection with a robbery series that spanned over 3 months, according to officials with the FBI. He was taken into custody after Carlsbad police SWAT teams surrounded his home, a special agent with the FBI said. He said the suspect was arrested after a multi-jurisdictional investigation into the ‘Dying Son Bandit’ bank robberies, a series that involved 10 banks. He added that a recent tip helped lead investigators to the suspect. The ‘Dying Son’ name came about because the suspect told bank tellers he was in need of money for his dying son. The suspect followed that up by telling the victims he was armed with a handgun and would shoot them if they did not comply with his demands. Seven robberies were completed and three were attempted, according to the special agent. The most recent robbery was at a Citibank branch in Laguna Hills January 20. Investigators determined the suspect’s claims of a dying son were false. Source: http://www.nbcsandiego.com/news/local/Arrest-Made-in-Dying-Son-Robbery-Series-FBI-137855818.html

13. January 21, Knoxvlle News Sentinel – (Tennessee) FBI allege ‘Ball Cap Bandit’ is meat salesman from North Knox. The FBI identified a meat salesman as a serial robber authorities said robbed three Tennessee banks since August 2011, the Knoxville News Sentinel reported January 21. His wife said he admitted in 2007 to robbing yet another bank using the same method as the man who authorities dubbed the ‘Ball Cap Bandit’ during the recent spree. He was arrested January 20 and charged with three counts of bank robbery. He is being held without bond at the Blount County Jail, the FBI said. Authorities said he robbed Home Federal Bank in Pigeon Forge August 24, Tennessee Bank in Oak Ridge November 14, and Tennessee National Bank in Jefferson City January 4. In each case, FBI agents allege the meat and seafood salesman used only a note demanding cash — usually between $2,500 and $3,000. Officials said when an image of the ball cap-wearing bank robber flashed on electronic billboards around Knoxville January 11, four of the man’s business associates identified him as the man. An FBI task force officer reported the suspect’s wife said that in the fall of 2007, her husband told her he had robbed a West Knoxville SunTrust Bank by using a note that demanded $3,000. Source: http://www.knoxnews.com/news/2012/jan/21/fbi-allege-ball-cap-bandit-is-meat-salesman-from/

14. January 20, Internet Crime Complaint Center; FBI; Financial Services-Information Sharing and Analysis Center – (International) Fraud alert involving e-mail intrusions to facilitate wire transfers overseas. The FBI observed a trend in which cyber criminals are compromising the e-mail accounts of U.S. individuals and businesses and using variations of the legitimate e-mail addresses associated with the victim accounts to request and authorize overseas transactions, according to a January 20 alert. The wire transfers are being sent to bank accounts of individuals typically located domestically or in Australia, and the funds are being sent directly to Malaysia. Investigations found some of the money mules in the United States and Australia are victims of a romance scam and are asked to further transfer the funds to Malaysia. As of December 2011, the attempted fraud amounts were about $23 million; with actual victim losses about $6 million. This type of fraud has affected banks, broker/dealers, credit unions, and other institutions. In a typical scenario, the cyber criminal will send an e-mail to a financial institution, brokerage firm employee, or the victim’s financial adviser pretending to be the victim and request the balance of the victim’s account. When the request is successful, the cyber criminal then sends another e-mail providing a reason why they can only communicate via e-mail and asks that a wire transfer be initiated on their behalf. The excuse is typically based on an illness or death in the family that prevents the account holder from conducting business as usual. Source: http://www.ic3.gov/media/2012/EmailFraudWireTransferAlert.pdf

15. January 20, Credit Union Times – (Florida) SEC charges Florida bank, CEO with CRE portfolio fraud. The Securities and Exchange Commission (SEC) charged the holding company for one of Florida’s largest banks and its chief executive officer (CEO) with misleading investors about growing problems in a loan portfolio, the Credit Union Times reported January 20. The SEC alleged BankAtlantic Bancorp and its CEO and chairman made misleading statements in public filings and earnings calls to hide the declining state of a large portion of the bank’s commercial real estate land acquisition and development portfolio (CRE) in 2007. BankAtlantic and the CEO then allegedly committed accounting fraud when they minimized the bank’s losses by improperly recording loans they were trying to sell from this portfolio in late 2007. According to the SEC’s complaint, BankAtlantic and the CEO knew a large portion of the loan portfolio was deteriorating in early 2007 because many loans required extensions due to borrowers’ inability to meet their obligations. Some loans were kept current only by extending the loan terms or replenishing the interest reserves from an increase in the loan principal, the SEC said. The CEO allegedly knew this negative information in part from participating in the bank’s major loan committee that approved the extensions and principal increases. As a result, BankAtlantic experienced a net loss of more than $45 million in its CRE portfolio. In 2007, the bank had about $1.5 billion in CRE loans. The SEC said BankAtlantic and the CEO also were aware that many of the loans had been internally downgraded to non-passing status, indicating the bank was deeply concerned about them. The SEC alleged that despite this knowledge, BankAtlantic’s public filings in the first two quarters of 2007 made only generic warnings of what may occur in the future if Florida’s real estate downturn continued. The CEO later allegedly made misleading statement to investors during the bank’s earnings calls, according to the SEC. BankAtlantic finally acknowledged the problems in the third quarter of 2007 by announcing “a large unexpected loss.” The SEC’s complaint seeks financial penalties and permanent injunctive relief against BankAtlantic and the CEO to enjoin them from future violations of the federal securities laws. The complaint also seeks an officer and director bar against the CEO. Source: http://www.cutimes.com/2012/01/20/sec-charges-florida-bank-ceo-with-cre-portfolio-fr

16. January 19, Orangeburg Times and Democrat – (South Carolina) Bank ordeal suspect: ‘Fulfilling my destiny’. A man accused of holding more than a dozen people hostage January 17 in an Orangeburg, South Carolina, bank said he was fulfilling his destiny for the Lord, the Orangeburg Times and Democrat reported January 19. He told the court January 18 he needed a platform for attention to fulfill a religious calling. The bank was that platform. He stopped short, however, of explaining precisely what those certain purposes were. Investigators charged the suspect with 13 counts of kidnapping, one count of attempted murder, and one count of resisting arrest with a deadly weapon. He informed the court he had no intention of harming anyone during his stand-off with police. The warrants were served on the suspect a day after police said he held multiple employees and customers hostage at a South Carolina Bank and Trust. More charges are possible, police said. Investigators are still trying to determine why the suspect allegedly entered the bank with several knives. He never demanded money, investigators said. On January 17, someone in the bank tripped a robbery alarm that sent dozens of officers to the 3-story bank. Three police negotiators spent 45 minutes trying to determine what the subject barricaded inside wanted. Negotiators were given no demands, however. Officers moved in through the bank’s doors, including the front door, which was barricaded with chairs. The subject was then tased into submission. Source: http://thetandd.com/news/bank-ordeal-suspect-fulfilling-my-destiny/article_c2a6a0aa-4262-11e1-be19-0019bb2963f4.html

Information Technology

41. January 23, IDG News Service – (International) DreamHost resets passwords after database breach. Los Angeles-based Web hosting firm DreamHost reset the FTP and shell access passwords for all of its customers January 20 after detecting unauthorized activity within a database. “One of DreamHost’s database servers was illegally accessed using an exploit that was not previously known or prevented by our layered security systems in place,” said DreamHost’s CEO. Even though it could not be blocked, the unauthorized access was detected by one of the firm’s intrusion detection systems, allowing its security team to react quickly and take necessary mitigation steps. The company notified its customers about the security breach via e-mail and informed them only passwords used for FTP and shell access were affected. Billing or personal information was not exposed, DreamHost said. Source: http://www.computerworld.com/s/article/9223625/DreamHost_resets_passwords_after_database_breach?taxonomyId=17

42. January 23, Softpedia – (International) Hackers prove EA, IGN, ImageShack, NY Times, Verizon vulnerable. A new hacking collective, TeamHav0k, launched an operation called “#OP XSS” in which they try to find cross-site scripting (XSS) vulnerabilities in major Web sites. The first results of the operation came in and reveals many important sites contain XSS flaws. A Pastebin document reveals Web sites such as the ones belonging to Verizon, Huffington Post, European Organization for Nuclear Research, Electronic Arts (EA), IGN, and New York Times contain design flaws. Some educational institutions were also found to contain XSS security holes, including University of Illinois, Harvard, Yale, and Rockefeller University. Telecoms company Verizon, media hosting company ImageShack, value calculator and traffic estimator tool StatShow, Major League Gaming, and Dr. Pepper complete the list. Even though XSS vulnerabilities are among the most common ones found in commercial Web sites, this does not mean they are not dangerous. Cybercriminals can rely on these weaknesses to execute their own malicious codes and cause damage to the virtual assets of unsuspecting Internet users. Source: http://news.softpedia.com/news/Hackers-Prove-EA-IGN-ImageShack-NY-Times-Verizon-Vulnerable-247952.shtml

43. January 23, H Security – (International) Critical hole in Apache Struts 2 closed. The developers of the Apache Struts 2 Java Web framework released version 2.3.1.2. This closes a critical hole in versions of Struts from 2.0.0 to 2.3.1.1 that allowed for remote command execution. The vulnerability makes it possible for the protection around OGNL, an expression language used for getting and setting properties of Java objects, to be bypassed and arbitrary expressions to be evaluated. Source: http://www.h-online.com/security/news/item/Critical-hole-in-Apache-Struts-2-closed-1419498.html

44. January 20, Computerworld – (International) Anonymous dupes users into joining Megaupload attack. In a message on Twitter and in a blog post, Anonymous claimed its January 20 distributed denial of service (DDoS) attacks against the Web sites of the Department of Justice, the Recording Industry Association of America, the Motion Picture Association of America, and others were its largest ever, and 5,600 people collaborated in the assaults. However, some of the 5,600 who participated may have done so unwittingly, said a senior technology consultant with Sophos. He said members of Anonymous distributed links via Twitter and elsewhere that when clicked, automatically launched a Web version of Anonymous’s DDoS tool, the Low Orbit Ion Cannon (LOIC). The links pointed to a page on PasteHTML.com, a free HTML code-hosting site, which in turn executed some JavaScript to fire LOIC at Anonymous-designated targets. Many of those messages said nothing about LOIC or that clicking the link tricked the user into the DDoS attack, the consultant said. Anonymous is still recruiting people to its campaign. A search of Twitter using a string published on Gawker.com indicated the link was being shared January 20 at the rate of about 10 to 18 times per minute. Source: http://www.computerworld.com/s/article/9223601/Anonymous_dupes_users_into_joining_Megaupload_attack?taxonomyId=17

For more stories, see items 10, 11, and 14, above in the Banking and Finance Sector.

Communications Sector

45. January 21, WCMH 4 Columbus – (Ohio) Verizon customers without service for a time Saturday night. Some Ohioans in the Columbus, Ohio area without landline phone service found themselves isolated when an apparent outage affecting Verizon customers hit January 21. Franklin County Sheriff’s Office personnel confirmed a widespread outage. Columbus police told the communications center the outage was expected to be corrected in about 2 hours. Telephone and text service appeared to have been affected, but Internet access did not appear to have been interrupted. Law enforcement and emergency officials were unaware of any accident that may have precipitated the situation during the outage. Some Verizon customers said they were in the process of talking to the company’s service department, which was treating their problems as specific to the customer’s own service. Source: http://www2.nbc4i.com/news/2012/jan/21/columbus-cell-users-cut-ar-905311/

46. January 20, KTVB 7 Boise – (Idaho) Power outages in Boise County knocks out KTVB signal. KTVB 7 in Boise, Idaho, was back on the air the night of January 20 after a power outage at Bogus Basin knocked it off the air for most of the day. Heavy ice and snow damaged powerlines in the areas of Placerville, Idaho City, and Boise. Idaho Power said the power outage affected more than 500 customers, including Bogus Basin. The KTVB transmitter is located at the top of the mountain, which caused the station to be one of those affected customers. Crews were battling deep snow as they responded to downed power lines, and in many cases they were finding more problems along the way. Source: http://www.ktvb.com/news/KTVB-experiencing-technical-difficulties-137746713.html

For another story see item 47 above in Top Stories.

2012-01-23T05:23:00.001-05:00

Monday, January 23, 2012

Complete DHS Daily Report for January 23, 2012

Daily Report

Top Stories

• A monster Pacific Northwest storm brought much of Washington state to a standstill January 19, shutting down roads, railways, and airports, and knocking out power to hundreds of thousands. – Associated Press (See item 22)

22. January 20, Associated Press – (Washington; Oregon) Deadly storm grips Northwest in ice, snow. A monster Pacific Northwest storm coated the Seattle area in a thick layer of ice January 19 and brought much of the state to a standstill, sending hundreds of cars spinning out of control, temporarily shutting down the airport and knocking down so many trees that members of the Washington State Patrol brought chain saws to work. Amtrak suspended train service January 19 between Seattle and Portland, Oregon. Officials in Spokane declared a snow emergency, banning parking along arterials and bus routes beginning that evening. Freezing rain and ice pellets caused numerous accidents in the Seattle area. The state patrol said it had responded to about 2,300 accidents in a 24-hour period ending at 9 a.m. January 19. The state transportation department closed one highway because of falling trees that also took out power lines. Ice closed Sea-Tac Airport completely in the early morning before one runway was reopened. Washington’s governor declared a state of emergency, authorizing the use of National Guard troops if necessary. Authorities also worried about flooding in the coming days as temperatures warm up. Source: http://www.google.com/hostednews/ap/article/ALeqM5iEUQVqCD98ykHu-Vf3YULsam3qOg?docId=162906a20f5d4087827020f92f749b55

• A group of researchers found serious security holes in six top industrial control systems used in critical infrastructure and released exploit modules in the hopes they would be patched before they are attacked. – Wired. See item 44 below in the Information Technology Sector.

Details

Banking and Finance Sector

15. January 20, Associated Press – (Texas) Dallas: conviction over $14M investment scheme. A federal jury in Dallas has convicted a man of deceiving more than 200 people in a $14 million investment scheme, federal prosecutors announced January 19. He was convicted of seven counts of wire fraud and one count of securities fraud. Prosecutors said the man tricked investors into putting money into a company he created called Sardaukar Holdings. Investigators said he then squandered most of the money on cars, entertainment, and jewelry. Each count of wire fraud carries a maximum sentence of 20 years in prison and a $250,000 fine. The securities fraud count carries a maximum sentence of 5 years in prison and a $250,000 fine. Source: http://www.chron.com/news/article/Dallas-conviction-over-14M-investment-scheme-2643601.php

16. January 20, Fort Collins Coloradoan – (Colorado) Windsor man guilty of securities fraud. A jury January 19 convicted a former Windsor, Colorado investment adviser on securities fraud and theft charges in connection with what prosecutors said was a $5.7 million scam with dozens of Fort Collins-area victims. He was convicted on six of the seven felony counts he faced. He remains free on bond pending his sentencing in a case that prosecutors said victimized more than 70 people. He was convicted on four counts of securities fraud, one count of securities fraud as a course of business, and one count of theft. He was acquitted on one count of securities fraud. The U.S. Securities and Exchange Commission, also is seeking a $10 million fine on behalf of 64 investors, many of whom lost their life savings. An assistant attorney general said in trial the adviser told investors their money would remain safe, but instead it was used either to fund risky schemes or pay back earlier investors. Each charge against the adviser is a Class 3 felony punishable by 4 to 12 years in prison and fines up to $750,000. The adviser’s two former co-defendants each pleaded guilty to securities fraud in March and received 1-year deferred sentences. As part of the sentences, they agreed to pay about $1.2 million in restitution. Source: http://www.coloradoan.com/article/20120120/NEWS01/201200330/Windsor-Man-guilty-securities-fraud?odyssey=mod|newswell|text|News|s

17. January 20, Associated Press – (International) Feds shut down popular file-sharing website Megaupload. One of the world’s most popular file-sharing sites was shut down January 19, and its founder and several company officials were accused of facilitating millions of illegal downloads of films, music, and other content. A federal indictment accused Megaupload.com of costing copyright holders at least $500 million in lost revenue. Megaupload is based in Hong Kong, but some of the alleged pirated content was hosted on leased servers in Ashburn, Virginia, which gave federal authorities jurisdiction, the indictment said. The Justice Department said in a statement that Megaupload’s founder and three other employees were arrested January 19 in New Zealand at the request of U.S. officials. Three other defendants are at large. The indictment said Megaupload was estimated at one point to be the 13th most frequently visited Web site on the Internet. Current estimates by companies that monitor Web traffic place it in the top 100. The five-count indictment, which alleges copyright infringement, as well as conspiracy to commit money laundering and racketeering, described a site designed to reward users who uploaded pirated content for sharing, and turned a blind eye to requests from copyright holders to remove copyright-protected files. For instance, users received cash bonuses if they uploaded content popular enough to generate massive numbers of downloads, the indictment said. Such content was almost always copyright protected. The site boasted 150 million registered users and about 50 million hits daily. Megaupload is considered a “cyberlocker,” in which users can upload and transfer files too large to send by e-mail. The Web site allowed users to download content for free, but made money by charging subscriptions to people who wanted access to faster download speeds or extra content. The Web site also sold advertising. Several sister sites were also shut down, including one dedicated to sharing pornography files. Source: http://www.msnbc.msn.com/id/46070076/ns/technology_and_science-tech_and_gadgets/#.TxmmEYH-5YR

18. January 19, Orange County Register – (California) Another ‘Market Duo Bandit’ arrested, police say. A man suspected of being one of the “Market Duo Bandits” was arrested in California January 18, nearly 2 weeks after another suspected member of the robbery team was shot by a deputy at the end of a high-speed pursuit. The suspect was arrested in a traffic stop near his La Mirada home after La Habra detectives and FBI Robbery Task Force members identified him as a suspected member of a group believed to be tied to at least five Orange County bank robberies, a police spokeswoman said. The “Market Duo Bandits,” believed to have struck in La Habra, Seal Beach, Lake Forest, and Placentia, earned their nickname for targeting bank branches in supermarkets. The last holdup took place January 5, when the two returned to a Wells Fargo in a Stater Bros. market on Imperial Highway that police say they had previously robbed. A Brea police officer saw the robbers leaving the scene and a freeway chase ensued. The two fled from the vehicle in Paramount. A deputy confronted and shot one of the men. FBI officials say a third suspect was arrested several days after the shooting. Source: http://www.ocregister.com/news/market-336328-duo-police.html

19. January 19, Minneapolis Star Tribune – (Minnesota) More plead guilty to Cloud 9 fraud scheme. Two real estate professionals have pleaded guilty in connection with kickbacks at the troubled Cloud 9 Sky Flats development in Minnetonka, Minnesota, a scheme prosecutors say defrauded lenders out of $7 million to $20 million. The pair pleaded guilty in federal court January 18 to conspiracy to commit mail and wire fraud. They face a maximum of 20 years in prison. One defendant was the owner and loan officer of the mortgage brokerage company Team Access. The other defendant owned the business Trend Title and closed residential real estate transactions. The pair admitted that from 2007 to 2008, they obtained mortgage loan proceeds under false pretenses on behalf of home buyers associated with an unnamed investment group. The owner of Team Access admitted he lied on those applications, including inflating incomes of buyers and failing to disclose that buyers would receive cash kickbacks from mortgage loan proceeds. He secured loans for the purchase of about 108 properties in all. The owner of Trend Title admitted she closed about 88 fraudulent transactions for the investment group, concealing from mortgage lenders that the purchasers got kickbacks from mortgage loan proceeds and that the buyers were often not the source of the “cash to close.” The kickbacks were disguised as prepaid management fees and facilitator fees. She also closed eight to 10 transactions involving undisclosed Cloud 9 buyers. Four others have already pleaded guilty in the scheme. The number of condo units involved in the overall kickback arrangement has topped 100 at Cloud 9 and elsewhere. Kickbacks from the loan proceeds exceeded $8 million, according to federal prosecutors. Source: http://www.startribune.com/business/137678373.html

20. January 19, Berkshire Eagle – (Massachusetts; National; International) Fraudulent buys made with stolen debit, credit card info. Fraudulent purchases have been made with dozens of people’s debit and credit card information because sales records were stolen from a local retail business in the Pittsfield, Massachusetts area, the Berkshire Eagle reported January 19. Because the breach sprang from a retailer, it is impacting a host of local and regional banks whose customers shopped at the store over the last 2 months. Information from hundreds of debit and credit cards may have been obtained by those who stole the retailer’s records, though the number of customers whose data was used to make purchases is much less. At Greylock Federal Credit Union, purchases were made with information from 19 cards. The data obtained from the retailer was used to make impostor credit or debit cards, according to bank officials. Great Barrington police are investigating. The vice president of retail banking and marketing for the Pittsfield Cooperative Bank said his office became aware of the problem late the week of January 9 with fraudulent purchases being made in Canada, specifically at pharmacies and gas stations. It later spread to the United States, in places such as New Jersey and Florida. Berkshire Bank and Greylock have not sent out blanket notifications to customers, but they are working with individuals directly affected. Information from as many as 70 cards from Pittsfield Cooperative may have been compromised. Source: http://www.berkshireeagle.com/ci_19777441?source=most_viewed

21. January 19, PC Magazine – (International) Israeli hackers target UAE, Arab Bank sites. In the wake of recent hacks that targeted Israeli Web sites, a group known as IDF Team January 19 went after the Web sites for two major Arab banks. As of 1:30 p.m. Eastern Time, the Web sites for the Central Bank of the United Arab Emirates and Arab Bank were both offline. In a note posted to Pastebin, IDF Team said its attacks were in retaliation for a January 18 hack of Israel’s Anti-Drug Authority Web site, which IDF called terrorist activity and “attempts to disrupt the normal course of life in Israel.” If the attacks on Israeli sites don’t stop, IDF Team pledged to also target stock market and government Web sites, such as the Arab Emirates Web portal at government.ae, as well as “sites related to the country’s economy and even security.” According to the Financial Times, the January 19 bank attacks were likely distributed denial of service (DDoS) attacks. Source: http://www.pcmag.com/article2/0,2817,2399095,00.asp

Information Technology

44. January 19, Wired – (International) Hoping to teach a lesson, researchers release exploits for critical infrastructure software. A group of researchers discovered serious security holes in six top industrial control systems used in critical infrastructure and manufacturing facilities and, thanks to exploit modules they released January 19, have also made it easy for hackers to attack the systems before they are patched or taken offline. The vulnerabilities were found in widely used programmable logic controllers (PLCs) made by General Electric, Rockwell Automation, Schneider Modicon, Koyo Electronics, and Schweitzer Engineering Laboratories. PLCs are used in industrial control systems to control functions in critical infrastructure such as water, power, and chemical plants; gas pipelines and nuclear facilities; as well as in manufacturing facilities such as food processing plants and automobile and aircraft assembly lines. The vulnerabilities, which vary among the products examined, include backdoors, lack of authentication and encryption, and weak password storage that would allow attackers to gain access to the systems. The security weaknesses also make it possible to send malicious commands to the devices to crash or halt them, and to interfere with specific critical processes controlled by them, such as the opening and closing of valves. As part of the project, the researchers worked with Rapid7 to release Metasploit exploit modules to attack some of the vulnerabilities. Metasploit is a tool used by computer security professionals to test if their networks contain specific vulnerabilities. Hackers also use the same exploit tool to find and gain access to vulnerable systems. Source: http://www.wired.com/threatlevel/2012/01/scada-exploits/

45. January 19, H Security – (International) OpenSSL fixes DoS bug in recent bug fix. The OpenSSL developers have released versions 1.0.0g and 0.9.8t to address a denial of service (DoS) issue introduced by one of the six fixes included in the version they released earlier in January. The problem was created by the fix for a critical vulnerability in the CBC (“Cipher block chaining”) encryption mode which enabled plaintext recovery of OpenSSL’s implementation of DTLS (Datagram TLS). Accordingly, the advisory notes the DoS flaw only affects users using DTLS applications that use OpenSSL 1.0.0f and 0.9.8s. The developers credit a researcher from Cisco Systems for discovering the bug and preparing the fix for it. Source: http://www.h-online.com/security/news/item/OpenSSL-fixes-DoS-bug-in-recent-bug-fix-1417352.html

For more stories, see items 17 and 21 above in the Banking and Finance Sector and item 46 below in the Communications Sector.

Communications Sector

46. January 19, KVOA 4 Tuscon – (Arizona) Copper thieves target Century Link. A $1,000 reward is being offered for information leading to an arrest in the case of copper theft from Century Link, KVOA 4 Tucson reported January 19. The phone, Internet, and TV company said copper was stolen from more than 80 sites in Pima County, Arizona, and the Phoenix area. Forty-three of those sites are in Tucson alone. The vice president and general manager of Century Link said the theft has cost the company hundreds of thousands of dollars, but has really impacted its customers. “[W]e’re most concerned about the outages this causes for people that rely on the service day in and day out.” Each theft causes hours of service outage for thousands of customers and takes crews several hours to repair. Authorities from throughout Pima County are investigating. A deputy said the Pima County’s Sheriff’s Office is looking at 11 cases from Century Link alone. Century Link believes citizens may not contact authorities because, in some instances, the thieves are driving utility type trucks posing as landscapers. “The thieves typically target areas that are a little bit more rural. Where they probably stand a better chance of doing this and some of the theft has actually taken place in the middle of the day,” the vice president said. Source: http://www.kvoa.com/news/copper-thieves-target-century-link/

2012-01-20T05:09:00.000-05:00

Friday, January 20, 2012

Complete DHS Daily Report for January 20, 2012

Daily Report

Top Stories

• U.S. prosecutors arrested a Chinese computer programmer January 18 on charges that he stole software code valued at nearly $10 million from the Federal Reserve Bank of New York. – Reuters (See item 19)

19. January 18, Reuters – (New York; National) U.S. charges Chinese man with NY Fed software theft. U.S. prosecutors arrested a Chinese computer programmer January 18 on charges that he stole software code valued at nearly $10 million from the Federal Reserve Bank of New York. The man was a contract programmer. He was accused of illegally copying software to an external hard drive, according to a criminal complaint filed in U.S. district court in Manhattan. Authorities said the software, owned by the U.S. Treasury Department, cost about $9.5 million to develop. A New York Fed spokesman said in a statement the bank immediately investigated the breach when it was uncovered and promptly notified authorities. The programmer was charged with one count of stealing U.S. government property, which carries a maximum 10-year prison term. The complaint, signed by an FBI agent, said the man admitted to copying the code onto a drive and taking it home. He told investigators he took the code “for private use and in order to ensure that it was available to him in the event that he lost his job,” the complaint said. While U.S. intelligence officials have become increasingly worried about economic espionage, cybercrime experts said the case appeared to be one of simple theft. The programmer was hired as a contract employee in May by an unnamed technology consulting company used by the Fed to work on its computers, the complaint said. The code, called the Government-wide Accounting and Reporting Program (GWA), was developed to track the billions the U.S. government transfers daily. The GWA provides federal agencies with a statement of their account balance, the complaint said. Investigators uncovered the suspected breach only after one of the programmer’s colleagues told a supervisor the programmer had claimed to have lost a hard drive containing the code, the complaint said. Source: http://www.reuters.com/article/2012/01/19/us-nyfed-theft-idUSTRE80H27L20120119

• A researcher found multiple denial of service vulnerabilities in Rockwell Automation’s FactoryTalk supervisory control and data acquisition product, the Industrial Control Systems Cyber Emergency Response Team announced. – Infosecurity. See item 45 below in the Information Technology Sector

Details

Banking and Finance Sector

12. January 19, Associated Press – (Connecticut) Naugatuck man pleads guilty to mortgage fraud scheme over a decade, costing lenders $7 million. A Naugatuck, Connecticut man has pleaded guilty to charges of participating in a mortgage fraud scheme that lasted a decade and cost lenders $7 million, the Associated Press reported January 19. A U.S. attorney said the man and two New York residents obtained fraudulent mortgages to buy more than 40 multi-family properties in Bridgeport. Authorities said the loan applications contained false information about the buyers’ finances and property ownership, and false documents such as letters from fictitious employers, earnings statements, and fraudulent bank records. The man pleaded guilty January 18 in federal court in Hartford to conspiracy to commit wire fraud and conspiracy to commit money laundering. He faces a maximum prison term of 40 years. The two New York residents have pleaded guilty to the same charges and await sentencing. Source: http://www.therepublic.com/view/story/b59831244a104c399800d9d7d2fbb97a/CT--Mortgage-Fraud-Plea/

13. January 18, Help Net Security – (International) Bogus Western Union notice leads to phishing. A fake Western Union notice is hitting inboxes around the world and scaring people into following the offered link to a phishing page, Help Net Security reported January 18. “Failure in updating your profile will result in limiting your account access,” the spam e-mail says, signed by an “IT Assistant.” Users who fall for the trick are taken to a log-in page mimicking the Western Union one. Once they have entered the log-in credentials and pressed the “Sign In” button, they are asked to share information such as date of birth and answers to typical security questions such as their mother’s maiden name or favorite pet’s name. According to Hoax-Slayer: “Once they have this information, the scammers can then login to the victim’s real Western Union account and use it for nefarious purposes such as money laundering. The scammers may be able to use the stolen ‘Test Question’ details to collect payments without having the user’s proper identification documents.” Once the victims have done all that has been asked of them, they are redirected to the legitimate Western Union page. Source: http://www.net-security.org/secworld.php?id=12237

14. January 18, Venice Patch – (California) ‘Explosives Threat’ Bandit linked to robbery of Venice bank. The so-called “Explosives Threat” bandit has been linked to a January 17 robbery of a Chase Bank in Venice, California, authorities said January 18. He also hit a bank January 17 in the Palms area, a spokeswoman for the FBI’s Los Angeles field office said. The robber, who is wanted for multiple heists in Los Angeles County, got his name because he leaves a device in the bank that requires a bomb squad response to render it safe, she said. In a December 2011 press release, the FBI said the robber stuck up a Bank of America November 15 in West Covina and a Bank of America November 28 in West Hollywood. The suspect has left a device made up of electronic components and wiring during each robbery and stated someone outside the bank would detonate it. The suspect made an oral demand and handed a note to the teller in both robberies and demanded as much as $20,000 in cash, the December release said. The FBI said the suspect’s notes indicated he had a friend monitoring a police frequency outside the bank and he would make a call telling his friend to “press a button”, and one note said once his friend was contacted the “establishment will not exist,” the release said. Source: http://venice.patch.com/articles/explosives-threat-bandit-linked-to-robbery-of-venice-bank

15. January 18, Chicago Tribune – (Illinois) FBI searches for bank robber dubbed ‘Wicker Park Bandit’. The FBI is asking for help identifying a man dubbed the “Wicker Park Bandit” who officials believe was responsible for at least seven bank robberies on Chicago’s north side, the Chicago Tribune reported January 18. In all of the robberies, the man entered the bank and approached a teller with a handwritten demand note, the FBI said. The most recent robbery took place January 16 at a North Community Bank branch, officials said. The same robber was also suspected of hitting two other North Community Bank branches January 9 and January 6, officials said. On December 13, the bandit made off with an undisclosed amount of money from the Chase Bank, then later robbed another Chase branch December 30. On December 22, the bandit traveled to the Uptown neighborhood and robbed a PNC Bank branch, officials said. Source: http://articles.chicagotribune.com/2012-01-18/news/chi-fbi-searches-for-bank-robber-dubbed-wicker-park-bandit-20120118_1_fbi-searches-wicker-park-bandit-chase-bank

16. January 18, Huffington Post – (National) Municipal securities market lacks oversight, says GAO. Government oversight of the $3.7 trillion market for municipal securities, wracked by several high-profile cases of fraud and bid-rigging, is inadequate, according to a report by the Government Accountability Office (GAO) released January 17. The securities, used by state and local governments to finance transportation projects and the construction of housing, hospitals, and schools, have been the subject of a 5-year federal investigation into the reinvestment of proceeds of municipal bond sales. The Securities and Exchange Commission (SEC) enforces the rules written by two self-regulatory organizations with oversight of the market — the Municipal Securities Rulemaking Board (MSRB) and the Financial Industry Regulatory Authority (FINRA). But because of huge staff cuts at the SEC inspection arm — from 62 inspectors in 2005 to 38 in 2011 — it has checked neither the MSRB nor FINRA’s fixed-income surveillance programs since 2005. The SEC’s last inspection “predated the financial crisis — and its ensuing volatility in the municipal market,” the report says. Without such oversight, “the SEC may be unable to identify and act on regulatory problems in a timely manner.” The SEC recently began to look at FINRA’s program, including municipal trade reporting and markup reviews. It has not begun a fresh review of the MSRB. In addition, the report found the market favors institutional investors over individuals with better information and prices. Source: http://www.huffingtonpost.com/2012/01/18/municipal-securities-mark_n_1214418.html

17. January 18, Bloomberg – (New Jersey) Ex-Columbus Hill Capital CFO admits embezzling $10.4 million. The former chief financial officer (CFO) of Columbus Hill Capital Management LP, an investment management firm based in Short Hills, New Jersey, pleaded guilty January 18 to embezzling more than $10.4 million. He admitted in federal court in Newark he created a phony account to collect deposits he stole from the company. The CFO, who pleaded guilty to wire fraud and tax evasion, agreed to forfeit the entire amount he stole. He faces as many as 20 years in prison on the fraud charge, and 5 years on the tax evasion count. Source: http://www.businessweek.com/news/2012-01-18/ex-columbus-hill-capital-cfo-admits-embezzling-10-4-million.html

18. January 18, Bloomberg – (Florida) TD Bank loses $67 million verdict over Rothstein fraud role. Toronto-Dominion Bank (TD Bank) January 18 lost a $67 million jury verdict over claims it helped a disbarred Florida attorney who admitted running a $1.2 billion Ponzi scheme, by telling victims their money was safe as he depleted accounts. A jury in federal court in Miami returned the verdict in a lawsuit brought by Coquina Investments, based in Corpus Christi, Texas. Coquina’s lawyer January 17 urged the jury to award $32 million in compensatory damages, and $140 million in punitive damages. The January 18 verdict was for $32 million in compensatory damages and $35 million in punitive damages. In its complaint, Coquina said officers of the bank “played an active role in the scheme and facilitated its continued existence” by meeting with victims to create the appearance of a legitimate enterprise. While operating the fraud, the lawyer told his victims they were buying stakes in settlements of cases about which his Fort Lauderdale, Florida law firm, Rothstein Rosenfeldt Adler PA, had amassed evidence and confronted potential defendants in sexual and employment discrimination cases. The settlements were fictional, as were the cases. He used the bank to make payments to investors that supposedly came from settlements, and to provide documents “to conceal the truth from the investors, to keep the investors and encourage them to re-invest, and to attract additional investors,” according to the complaint. Investors regularly met with the bank’s vice president, contributing to the “aura of legitimacy,” Coquina said. The bank is facing three other suits by groups of investors claiming it helped keep the fraud afloat by providing the lawyer with documents he used to convince investors their money was safe and could be disbursed only to him, when he actually was siphoning money out of accounts. Source: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2012/01/18/bloomberg_articlesLY09PI6JTSE801-LY0ED.DTL

20. January 17, St. Louis Post-Dispatch – (Missouri) SEC alleges Clayton-based Acartha Group CEO committed fraud. The Securities and Exchange Commission (SEC) has alleged that Clayton, Missouri-based Acartha Group and its owner fraudulently used $9.1 million in investor funds over several years for the owner’s personal use. The SEC filed a federal lawsuit in a St. Louis court January 17 detailing its fraud charges against Acartha, its owner, MIC VII LLC, Acartha Technology Partners LP (ATP), and Gryphon Investments III LLC. The owner is the chief executive officer (CEO) and chairman of Acartha Group, a private equity fund management company. MIC VII and ATP are private equity funds, and Gryphon is a general partner of ATP. The CEO and the related investment entities raised $88 million from 97 investors from 2003 until last year, according to the SEC’s complaint. However, without the investors’ knowledge, the CEO misappropriated more than $9 million for his personal use, including to pay alimony, buy luxury automobiles, lease a private airplane and helicopter, and take expensive vacations, the SEC alleged. Source: http://www.stltoday.com/business/local/sec-alleges-acartha-group-ceo-committed-fraud/article_0f00cb42-412d-11e1-bfbe-001a4bcf6878.html

Information Technology

43. January 19, H Security – (International) Koobface C&C goes silent after alleged controllers exposed. The Koobface network is apparently down, according to Facebook. A Facebook security official told Reuters the company’s decision to expose the five men alleged to be behind the malware had an effect within 24 hours: “The thing that we are most excited about is that the botnet is down.” On January 18, Facebook decided to publish the names of alleged gang members based on details of research carried out in 2009-2010 by two German researchers. One of the researchers works for Security company Sophos. A Sophos researcher told H Security the command and control servers are not down, they just have not sent out any new commands since 08:40 GMT January 17. “Now they just reply with 404 errors” he said. He did note though the five men identified by the investigation “appear to have been busy deleting their social networking accounts.” Source: http://www.h-online.com/security/news/item/Koobface-C-C-goes-silent-after-alleged-controllers-exposed-1416869.html

44. January 19, Softpedia – (International) Scanned documents from Xerox devices hide Blackhole exploit kits. The malicious technique where cybercriminals send e-mails pretending to come from a scanner inside an office building has been seen again, targeting e-mail accounts of company staff members. This time, an e-mail bearing the subject “Re: Scan from a Xerox W. Pro #XXXXXXX,” informs the recipient a document was sent to her from a Xerox device, Websense informs. Confused users, who may not know an employee named MAMIE that sent the e-mail, might rush to click on the link that allegedly points to five image files. Instead, once clicked, the link redirects the user to a Web site that hosts the malevolent Blackhole exploit kit. Hiding in an iframe, the kit looks for vulnerable software and once it finds it, executes a shellcode that triggers the execution and download of other pieces of malware. More than 3,000 of these messages have been discovered so far, but since this variant of the Blackhole kit is more advanced, allowing cybercriminals to tweak the malware, the number may increase. Blackhole is often rented by users and this latest version offers many improvements, such as administration options for smartphones, and an option for the kit to utilize underground audio and video scanners for malware. Source: http://news.softpedia.com/news/Scanned-Documents-from-Xerox-Devices-Hide-Blackhole-Exploit-Kits-247417.shtml

45. January 18, Infosecurity – (International) SCADA-logical: DoS vulnerabilities in Rockwell Automation FactoryTalk disclosed. A researcher uncovered multiple denial of service (DoS) vulnerabilities in Rockwell Automation’s FactoryTalk supervisory control and data acquisition (SCADA) product, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) announced January 17. The vulnerabilities are exploitable by sending specially crafted packets to the server, which can result in a DoS attack, according to an ICS-CERT advisory. According to a company brochure, the FactoryTalk product extends the Rockwell Integrated Architecture by providing an information tier of software applications and services for production and performance management. Integration with the Rockwell Logix control platform, as well as connectivity to third-party and legacy systems enables FactoryTalk to deliver high-fidelity data flow across the enterprise. ICS-CERT said it notified Rockwell about the vulnerabilities, which were disclosed by the researcher without coordination with ICS-CERT or the vendor. As it has in past advisories, ICS-CERT recommends users take the following defensive measures to minimize the risk of exploitation of these vulnerabilities: minimize network exposure for all control system device; locate control system networks and devices behind firewalls and isolate them from the business network; and if remote access is required, employ secure methods, such as virtual private networks. Source: http://www.infosecurity-magazine.com/view/23317/

46. January 18, TechEye – (International) Oracle database has huge flaw. Oracle’s flagship database software has a major flaw that could create serious outages. The hole was found by InfoWorld hacks. It came about because of a collection of problems within the database. Normally, when bugs result in a database outage, the system can be recovered from backups. However, these flaws create such a problem it will take a long time to fix. Oracle said the problem is real and it is spending considerable time and money to fix it. The company released a fix as part of its Oracle Critical Patch Update for January 2012. While an Unpatched Oracle Database customer is vulnerable to malicious attack, the flaw is a special risk to large customers with interconnected databases. The flaws exist in a mechanism deep in the database engine, one most Oracle database administrators seldom see, called the System Change Number (SCN). This is a number that increments sequentially with every database commit: inserts, updates, and deletes, and it is crucial to normal Oracle database operation. Oracle knew SCN needed to be a massive number, so it used a 48-bit number. It should take a long time for an Oracle database to eclipse that number of transactions and pack a sad. However, the number is worked out to a point in time 24 years ago. The problem is, it is unlikely a database has been running constantly since January 1, 1988, processing 16,384 transactions per second. There are many flaws that can force a database to go over this number and hackers could exploit it. Source: http://news.techeye.net/security/oracle-database-has-huge-flaw

47. January 18, CNET News – (International) McAfee to plug ‘spammer’ hole this week. McAfee plans to release a fix soon for a bug in its SaaS for Total Protection anti-malware service that scammers were using to distribute spam, the company said January 18. The problem came to light after McAfee customers reported in blog posts and forum sites that spammers were using a hole in McAfee’s RumorServer relay service to secretly send spam from their machines. The customers said they noticed the problem after their e-mails were blocked by e-mail providers, and their IP addresses appeared on blacklists. The problem is isolated to the SaaS Total Protection service, according to the director of security research at McAfee Labs. There is no evidence that any customer data has been lost or compromised as a result of the problem, he said. “The patch will be released on January 18 or 19, as soon as we have finished testing,” he wrote. “Because this is a managed product, all affected customers will automatically receive the patch when it is released. There are two issues with the software. One vulnerability could allow an attacker to misuse an ActiveX control to execute code on the victim’s computer. The second one, which is the issue the customers complained about, allows an attacker to misuse the “open relay” technology in the software. Source: http://news.cnet.com/8301-1009_3-57361542-83/mcafee-to-plug-spammer-hole-this-week/

For another story, see item 19 in the Banking and Finance Sector

Communications Sector

48. January 19, StateCollege.com – (Pennsylvania) WTAJ transmitting again after earlier equipment failure. WTAJ 32 Altoona, Pennsylvania, was transmitting again January 19 at least via local cable systems. The station posted online links to a few programs that viewers may have missed during an outage on the evening of January 18. A technical problem kicked the station off the air January 18, WTAJ reported on its Web site. It referred to the problem as an equipment failure. Source: http://www.statecollege.com/news/local-news/update-wtaj-transmitting-again-after-earlier-equipment-failure-985021/

For more stories, see item 43 above in the Information Technology Sector

2012-01-19T05:22:00.000-05:00

Thursday, January 19, 2012

Complete DHS Daily Report for January 19, 2012

Daily Report

Top Stories

• A January 13 report from the Pentagon’s top tester said the U.S. Air Force grounded its F-22 Raptors in 2011 “due to suspected contamination problems” associated with the environmental control system and onboard oxygen generation system. – Defense News (See item 9)

9. January 13, Defense News – (National) DoD tester: Toxins suspected in 2011 Raptor grounding. A January 13 report from the Pentagon’s top tester said the U.S. Air Force grounded its F-22 Raptors in 2011 “due to suspected contamination problems associated with the aircraft environmental control system and associated onboard oxygen generation system form later April through late September 2011 (sic).” Compiled by the Pentagon’s chief operational tester, the review confirms Defense News’ July 25, report that toxins entering the cockpit of the Raptor caused more than a dozen incidents that resembled hypoxia. Since the grounding was lifted in September, the Raptor has flown more than 6,000 times. More incidents have occurred, despite Air Force precautions that include installing charcoal-based filters and having pilots wear pulse-oximeters to alert them of problems. A scientific advisory board quick-look study ordered in 2011 by the Air Force secretary should be finalizing its report either in late January or early February. Sources indicate the service investigators have not found any single explanation for the Raptor’s woes. The problem cannot be duplicated on the ground, nor do the hypoxia-like incidents occur during any consistent altitude or phase of flight — if in fact the cause happens in the air. Source: http://www.defensenews.com/article/20120113/DEFREG02/301130007/DoD-Tester-Toxins-Suspected-2011-Raptor-Grounding

• Symantec Corp said a 2006 breach led to the theft and January 2012 publication of the source code to its flagship Norton security software. The company reversed its previous position that it was not hacked. – Reuters. See item 47 below in the Information Technology Sector

Details

Banking and Finance Sector

11. January 18, Associated Press – (New York) Bank of New York Mellon in partial settlement of fraud charges tied to currency trades. Bank of New York Mellon and the Justice Department (DOJ) have reached a partial settlement regarding charges the bank defrauded customers by offering them unfavorable rates on currency transactions. Under the settlement, announced January 17 by the top federal prosecutor in Manhattan, the bank must disclose how it comes up with currency exchange rates for customers who buy and sell foreign securities or receive foreign dividends. A federal lawsuit filed in October alleged the bank provided customers exchange rates at the outer margins of what banks offer to each other and made money on the difference. Bank of New York Mellon agreed to stop telling customers they were getting “best execution” prices. Federal prosecutors have sought hundreds of millions of dollars in civil penalties against the bank. The DOJ and the bank will continue contesting that part of the lawsuit. Source: http://www.washingtonpost.com/business/bank-of-new-york-mellon-in-partial-settlement-of-fraud-charges-tied-to-currency-trades/2012/01/18/gIQAn8g87P_story.html

12. January 18, Associated Press – (New York; Massachusetts) 7 charged in $61M single-trade stock fraud case. A hedge fund co-founder, four financial analysts, and a Dell Inc. employee teamed up in a record-setting insider trading scheme that netted more than $61.8 million in illegal profits based on trades of a single stock from 2008 through 2009, authorities said January 18 as they described a network of friends in finance who made the most of their connections with corrupt employees of technology companies. The scheme was described in a criminal complaint in a U.S. district court that charged four of the men with conspiracy to commit securities fraud and securities fraud, among other charges. Three analysts have already pleaded guilty and are cooperating with the government, according to the court papers. The insider trading plot as authorities described it would be noteworthy for its size. A co-founder at former hedge fund group Level Global Investors LP was among three men arrested January 18. He surrendered to the FBI. An analyst at Sigma Capital Management, an affiliate of hedge fund SAC Capital Advisors in Manhattan, was arrested at his New York City home, while a hedge fund portfolio manager, was arrested in Needham, Massachusetts. It was not immediately clear if the fourth man charged in the complaint was in custody. The illegal profits in the case were made after tips were shared among co-conspirators about upcoming earnings announcements regarding Dell and Nvidia Corp., according to court papers. Source: http://www.foxnews.com/us/2012/01/18/7-charged-in-61m-single-trade-stock-fraud-case-2118666991/

13. January 18, The Register – (International) New stealthy botnet Trojan holds Facebook users hostage. A new strain of cybercrime trojan is targeting Facebook users by taking over their machines and shaking them down for cash, The Register reported January 18. Carberp, like its predecessors Zeus and SpyEye, infects machines by tricking users into opening PDFs and Excel documents loaded with malicious code, or attacks computers in drive-by downloads. The hidden malware is designed to steal account information and harvest credentials for e-mail and social-networking sites. A new configuration of the Carberp trojan targets Facebook users to ultimately steal e-cash vouchers. Previous malware attacks on Facebook have been designed purely to steal log-in info, so this latest trojan, spotted by security firm Trusteer, can be considered an escalation. The Carberp variant replaces any Facebook page the user navigates to with a fake page notifying the victim their Facebook account is temporarily locked. The page asks the mark for their first name, last name, e-mail, date of birth, password, and a Ukash 20 euro ($25) voucher number to verify their identity and unlock the account. The use of anti-debugging and rootkit techniques make Carberp trojan difficult to detect, warns security consultancy Context Information Security. Context said: “Carberp is also part of a botnet that can take full control over infected hosts, while its complicated infection mechanisms and extensive functionality make it a prime candidate for more targeted attacks.” Context adds Carberp, which creates a backdoor on infected machines, can be controlled from a central administrator control panel, allowing botnet herders to more easily mine stolen data. Trusteer said it has reported the attack to Facebook. Source: http://www.theregister.co.uk/2012/01/18/carberp_steals_e_cash_facebook/

14. January 17, WAPT 16 Jackson – (Mississippi) Bank evacuated after smoke fills building. The Trustmark Bank at Metrocenter Mall in Jackson, Mississippi, was evacuated January 17 after smoke filled the building. Firefighters had to tear the roof to get to the source of the smoke. Witnesses said the smoke started in the attic and then spread into the building, forcing everyone outside. The source appeared to be an electrical short, bank officials said. The bank is expected to remain closed until at least January 20. Source: http://www.wapt.com/r/30234655/detail.html

15. January 17, Bloomberg – (International) Russian father-son team accused of online fraud by U.S. A Russian father and son from Moscow have been charged by federal prosecutors in New York with taking part in a scheme to gain illegal computer access to U.S. bank accounts through bogus e-commerce Web sites. The pair was named in an indictment unsealed January 17 in federal court that alleges they and others controlled U.S.-registered companies and operated a business that bought and sold securities. The defendants took unauthorized charges on customers’ credit cards by buying the numbers illegally or by malware they surreptitiously installed on victims’ computers. The father, arrested last March, arrived in New York January 16 following his extradition by Swiss authorities, the Manhattan U.S. attorney’s office said. His son remains at large. The pair held out U.S.-registered firms Sofeco LLC, Pintado LLC, and Tallit LLC as legitimate Internet merchants with Web sites that appeared to offer goods and services. They also engaged in a scheme from June 2004 to February 2005 to gain access to accounts of U.S. victims, and attempted to transfer hundreds of thousands of dollars into bank accounts they controlled at JPMorgan Chase & Co. and a company identified as Asia Europe America’s Bank, prosecutors said. The defendants, through Rim Investment Management Ltd., maintained an account at Ameritrade Inc. and bought and sold securities in publicly traded companies. The two men are accused of committing securities fraud by buying and selling thousands of shares of companies by trading in the accounts of U.S. victims, prosecutors said. The indictment describes July 2004 meetings between the pair and unidentified others in Cyprus. Unnamed co-conspirators transferred almost $300,000 from the financial services account of a person in the U.S. to a bank account controlled by the pair. Source: http://www.businessweek.com/news/2012-01-17/russian-father-son-team-accused-of-online-fraud-by-u-s-.html

16. January 17, Arizona Republic – (National) Chandler man Edward Purvis admits huge Ponzi scam. For more than 6 years, a con man maintained his innocence in a fraud that bilked millions from churchgoers in Arizona and 12 other states. But January 17, the man pleaded guilty to orchestrating a Ponzi scheme that involved fake gold mines, phony businesses, and a bogus promise to fund Christian causes with investor money. The man, who has served more than 2 years in state prison for bribery and harassment, was on the verge of going to trial on fraud charges when he withdrew his not guilty plea. As part of a deal with state prosecutors, he admitted illegally controlling an enterprise and fraud, which carries a minimum prison term of 42 months. Authorities said hundreds of victims across the country were duped into giving money to a Christian non-profit owned by the defendant called Nakami Chi Group Ministries International. A partner in 2009 turned state’s evidence against the defendant and admitted Nakami was a fraud. The pair promised investors they would receive 24 percent annual returns, and that their money would be used to support Christian causes around the globe. Instead, the defendant used their money for personal investments and expenses. In 2008, the men and their wives were ordered by a civil-court judge to pay $11 million to investors. The chief investigator for the Arizona Corporation Commission testified in 2010 that the defendant and his wife were also tied to an international money-laundering operation involving Caribbean, Swiss, Chinese, and Australian corporations. He said the accounts of one company had been used to pay the wife $5,000 a month since it was opened in 2008. Money was also being sent to Vanuatu Project Limited and a company called California Ore Processing, both of which involve a purported gold mine in the South Pacific. One of Nakami’s key investment plans involved gold ore the defendant told investors was worth $120 billion, but in reality was worthless. Source: http://www.azcentral.com/arizonarepublic/business/articles/2012/01/17/20120117chandler-man-admits-huge-ponzi-scam.html

17. January 17, WBOC 16 Salisbury – (Delaware; Pennsylvania) Police in Del. seeking fraud suspects. Delaware State Police (DSP) detectives are asking for the public’s help in identifying three suspects wanted in connection with a credit card fraud investigation involving more than 100 victims, WBOC 16 Salisbury reported January 17. The investigation began in April after a man contacted DSP Financial Crimes Unit detectives to report someone had made several unauthorized transactions in Philadelphia using his credit card number. Police said that since the initial report was taken, there have been more than 100 victims of the same type of fraud. Detectives have learned the suspects were able to obtain the victim’s credit card numbers and then produced new credit cards. The method the suspects used to obtain the stolen number is still under investigation, according to police. Source: http://www.wboc.com/story/16536378/police-in-del-seeking-fraud-suspects

18. January 17, Newark Star-Ledger – (National) Newark-based Prudential reaches settlement over death benefits. Prudential Financial has agreed to improve its practices for identifying deceased life insurance policyholders and pay beneficiaries as part of a settlement reached January 13 with 20 state governments. The life insurer said in a Securities and Exchange Commission (SEC) filing January 13 that it increased its death benefit reserves by $139 million to make payments on potential claims. The settlement, announced by Massachusetts and California officials, was the result of a 2008 probe into 21 insurance companies’ compliance with state laws on unclaimed property. State governments were concerned insurance firms sometimes failed to pay death benefits in a timely manner or pay them at all if beneficiaries were not aware of the policies’ existence. As part of the settlement, Prudential will review life insurance policies and contracts that were active between 1992 and 2010 using an expanded set of criteria for identifying deceased policyholders and finding their beneficiaries. The criteria includes searching for beneficiaries whose identifying information may be incorrect or incomplete, such as transposed Social Security numbers or misspelled names, a Prudential spokesman said. The settlement could pay up to $20 million to the families of deceased California policyholders alone, the California controller said. So far more than 1,000 Prudential policies, with an average value of $2,000, have been found for individuals in California who have been dead for more than 15 years, he said. Source: http://www.nj.com/business/index.ssf/2012/01/prudential_to_revamp_policies.html

19. January 17, Reuters – (National) UBS unit pays $300,000 to settle SEC charges. An investment advisory arm of Swiss bank UBS will pay $300,000 to settle charges it misled investors by incorrectly pricing certain securities in three of its mutual funds, the Securities and Exchange Commission (SEC) said January 17. The SEC’s administrative action against UBS Global Asset Management came on the heels of a referral from SEC examiners who were conducting a routine inspection of the firm. The SEC alleged UBS’s failure to properly price securities resulted in a misstatement to investors of the net asset values of those funds. The SEC also claimed UBS did not follow the mutual funds’ fair valuation procedures in pricing certain fixed-income securities. In 2008, the UBS unit purchased around $22 million worth of fixed-income securities, most of which were risky mortgage-backed securities not guaranteed by Fannie Mae or Freddie Mac, according to the SEC’s order. UBS then valued most of the securities “substantially” higher than what it paid — 100 percent higher in some cases, the government said. The unit had relied on pricing data from third-parties rather than the purchase prices, a violation of the funds’ own valuation procedures, the SEC said. UBS did not correct the mistake until more than 2 weeks later, which led the funds’ values to be off during part of that time period between 1 cent and 10 cents per share, according to the government. Source: http://www.reuters.com/article/2012/01/17/us-ubs-settlement-idUSTRE80G1W920120117

20. January 16, WMAZ 13 Macon – (National) Man accused of over $1.5 million financial fraud in Baldwin jail. A man facing dozens of financial fraud charges in five states has been booked in to the Baldwin County, Georgia jail, WMAZ 13 Macon reported January 16. A Baldwin County Sheriff’s Office captain said the man faces financial card transaction fraud and theft charges after the debit card information of a person living in Baldwin County was stolen and used in the Atlanta area. The captain said photos at the bank where the fraudulent transaction was made identified the suspect. He also faces 60 similar counts in Cobb county and 30 in Cherokee, the captain said. He said the suspect is also accused of about $1.5 million in credit card fraud in California. Source: http://www.13wmaz.com/news/article/162274/153/Man-Accused-of-Over-15-Million-Financial-Fraud-in-Baldwin-Jail

Information Technology

43. January 18, H Security – (International) Oracle updates close 78 holes. Oracle released 78 security patches in its January Critical Patch Updates. The company said these patch day updates address vulnerabilities in “hundreds of Oracle products.” Sixteen of the vulnerabilities patched are remotely exploitable without authentication. Affected products include Oracle Database 10g and 11g, Fusion Middleware 11g, Application Server 10g, Outside In Technology, WebLogic Server, versions 11i and 12 of its E-Business Suite, Oracle Transportation Management, JD Edwards, Sun Ray, VM Virtualbox, Virtual Desktop Infrastructure, MySQL Server, and PeopleSoft Enterprise CRM, HCM, and PeopleTools. A vulnerability in Solaris 9, 10, and 11 Express’s TCP/IP is the highest rated of these with a CVSS score of 7.8 out of 10.0. The company advises users to install the patches as soon as they become available, because of “the threat posed by a successful attack.” Executive summaries of the vulnerabilities can be found in the security advisory. Source: http://www.h-online.com/security/news/item/Oracle-updates-close-78-holes-1414741.html

44. January 18, IDG News Service – (International) Secunia sets six-month deadline for vulnerability disclosures. Vulnerability research firm Secunia announced, effective from the beginning of 2012, software vendors will have a 6-month deadline to fix vulnerabilities reported through its Vulnerability Coordination Reward Program. Secunia’s previous deadline established in 2003 was 1 year. The decision to reduce it came after studying the history of the company’s vulnerability coordination efforts. Source: http://www.computerworld.com/s/article/9223513/Secunia_sets_six_month_deadline_for_vulnerability_disclosures?taxonomyId=17

45. January 18, Help Net Security – (International) Facebook ‘free mobile recharge’ scam hijacks accounts. A phishing and survey scam rolled into one is currently targeting Facebook users and ends up hijacking their accounts and makes it difficult for users to get them back, warns a McAfee researcher. The victims are lured with messages seemingly posted by friends claiming they received a “100rs free recharge.” Following the offered link, users connect to a page asking them to enter Facebook log-in credentials to receive it. Once the account details are entered and the “Log In” button is pressed, the page redirects users to a page mimicking a Facebook one, which asks the user to complete a survey to unlock the recharge option. In the background, the page sends the recorded log-in credentials — in clear text via a HTTP POST request — to a remote server operated by the scammers. The scammers then use the credentials to access the victims’ Facebook accounts, change information contained in them (including the password and the e-mail address), and post the same message that lured in the victims in the first place. The affected users are unable to immediately do anything about it. “Even if the victims try to reset their passwords, they will never get the password reset email from Facebook,” said the researcher. Source: http://www.net-security.org/secworld.php?id=12234

46. January 17, CNET News – (International) McAfee software lets scammers hijack PCs to send spam. McAfee is looking into a problem with a service in its SaaS Endpoint Protection software that appears to be allowing computers to serve as open proxies for sending spam, the company told CNET January 17. “We are aware of the issue and have both threat analytics and development teams diligently analyzing the problem and possible solutions,” the company said in a statement. “We will have more information on the issue shortly. “The problem was reported by McAfee customers on the Web who complained their e-mails were being blocked by e-mail providers and their IP addresses were being blacklisted for sending spam. The problem appears to be in the RumorServer Service myAgtSvc.exe, McAfee Peer Distribution Service, which is part of McAfee SaaS Endpoint Protection Suite, previously known as Total Protection Service, according to the Kaamar Blog. The technology, used for delivering updates to computers without a direct Internet connection, serves as an Open Proxy on Port 6515, which effectively opens the computer up to being used to send spam to other sites that looks like it is coming from that IP address, the blog post said. Source: http://news.cnet.com/8301-1009_3-57360694-83/mcafee-software-lets-scammers-hijack-pcs-to-send-spam/

47. January 17, Reuters – (International) Symantec says hackers stole source code in 2006. Symantec Corp said a 2006 breach led to the theft of the source code to its flagship Norton security software, reversing its previous position that it had not been hacked. The world’s biggest maker of security software previously said hackers stole the code from a third party, but corrected that statement January 17 after an investigation found Symantec’s own networks were infiltrated. The unknown hackers obtained the source code to Norton Antivirus Corporate Edition, Norton Internet Security, Norton Utilities, Norton GoBack, and pcAnywhere, a Symantec spokesman said. The week of January 9, the hackers released the code to a 2006 version of Norton Utilities and said they planned to release code to its antivirus software January 17. It was unclear why the source code was being released 6 years after the theft. The spokesman said the 2006 attack presented no threat to customers using the most recent versions of Symantec’s software. Yet, an analyst with ITIC who helps companies evaluate security software, said Symantec’s customers should be concerned about the potential for hackers to use the stolen source code to figure out how to defeat some protections in Symantec’s software. Symantec said earlier in January its own network was not breached when the source code was taken. However, the spokesman said January 17 an investigation into the matter revealed the company’s networks were compromised. He also said customers of pcAnywhere, a program that facilitates remote access of PCs, may face “a slightly increased security risk” as a result of the exposure. Source: http://www.reuters.com/article/2012/01/17/us-symantec-hackers-idUSTRE80G1DX20120117

48. January 11, Cisco – (International) Cisco security response: Wi-Fi protected setup PIN brute force vulnerability. On December 27, the U.S. Computer Emergency Readiness Team released Vulnerability Note #723755, describing a vulnerability that exists in the Wi-Fi Alliance Wi-Fi Protected Setup (WPS) protocol, also known as Wi-Fi Simple Config, when devices are operating in PIN External Registrar (PIN-ER) mode. Devices operating in PIN-ER mode allow a WPS capable client to supply only the correct WPS PIN to configure their client on a properly secured network. A weakness in the protocol affects all devices that operate in the PIN-ER mode, and may allow an unauthenticated, remote attacker to brute force the WPS configuration PIN in a short amount of time. Now, Cisco announced exploit code and functional attack tools that exploit the weakness within the WPS protocol have been released. The vulnerability is due to a flaw that allows an attacker to determine when the first 4-digits of the 8-digit PIN are known. The eighth digit of the PIN is utilized as a checksum of the first 7 digits and does not contribute to the available PIN space. Because the PIN space has been significantly reduced, an attacker could brute force the WPS pin in as little as a few hours. While the affected devices implement the WPS 1.0 standard that requires that a 60-second lockout be implemented after three unsuccessful attempts to authenticate to the device, this does not substantially mitigate this issue as it only increases the time to exploit the protocol weakness from a few hours to at most several days. It is Cisco’s recommendation to disable the WPS feature to prevent exploitation of this vulnerability. Source: https://tools.cisco.com/security/center/content/CiscoSecurityResponse/cisco-sr-20120111-wps

For more stories, see items 12, 13, and 15, above in the Banking and Finance Sector, and 51 below in the Communications Sector

Communications Sector

49. January 18, Green Bay Press-Gazette – (Wisconsin) WYDR The Drive back on the air after power failure. The frequency for radio station WYDR The Drive in Neenah, Wisconsin, went dead January 18 for several hours after a power failure at its transmitter site resulting from the cold weather. The classic rock station that broadcasts to the Fox Cities was silent at about 6:15 a.m. but was live again at around 11 a.m. Its sister stations in Green Bay, 99.7 and 101.9, and the online stream were unaffected. The power outage resulted from freezing temperatures in the transmitter building, according to the station. Source: http://www.greenbaypressgazette.com/article/20120118/GPG0101/120118067/WYDR-Drive-off-air-because-power-outage?odyssey=mod|defcon|text|GPG-News

50. January 18, Raleigh News & Observer – (North Carolina) Time Warner Internet blackout not SOPA related. A major Internet outage kept Time Warner customers across North Carolina offline the morning of January 18. Internet services were restored, as of 9:09 a.m., a Time Warner spokesman said. “We did some maintenance overnight. An issue affected both Internet and TV services. The outage began around 6 a.m.,” the Time Warner spokesman said. Source: http://www.newsobserver.com/2012/01/18/1787136/time-warner-internet-blackout.html

51. January 18, Chillicothe Gazette – (Ohio) Weather, water disrupt TV, Internet services. Storms January 17 resulted in Horizon warning Ohio customers about service outages. A power outage in Columbus caused WCMH-TV (Channel 4, NBC) and WBNS-TV (Channel 10, CBS) to lose power at their transmission towers. Horizon customers January 17 lost those two channels until power could be restored at the tower location, which was expected to happen by the morning of January 18. The channel outages also impacted DirectTV subscribers. Internet service also could be affected because of a broken water line in a Columbus building that houses Internet connection equipment for several Internet service providers around Ohio. A Horizon spokesman said January 17 that power to that building had to be shut off until the water line could be fixed. Auxiliary power had to be used, but had the potential to shut off and cause Internet service interruptions. Source: http://www.chillicothegazette.com/article/20120118/NEWS01/201180325

52. January 17, Rochester Democrat and Chronicle – (New York) WXXI radio tower damaged. Repairs to the damaged WXXI radio tower in Rochester, New York, took the AM station off the air for several hours January 17. WRUR-FM (88.5) remained on the air while WXXI-AM (1370) was off, a spokeswoman for the public radio station said. She gave no specifics on the damage to the tower. A statement on the station’s Web site shortly before 1 p.m. said, “AM 1370 is now back on the air. We will continue broadcasting on FM 88.5 today, through the end of All Things Considered. At 6 p.m., WRUR will resume its regular programming.” Source: http://www.democratandchronicle.com/article/20120117/NEWS01/120117014/WXXI-radio-tower-damaged?odyssey=nav|head

53. January 17, WHNS 21 Greenville – (South Carolina) Weather radio transmitter broadcasting again. The weather radio transmitter in South Carolina that was damaged the week of January 9 was back on the air January 17, according to the National Weather Service (NWS). Officials said the transmitter on Paris Mountain in Greenville County, which broadcasts on a frequency of 162.55 megahertz, experienced a major hardware failure. On January 17, the NWS said a temporary antenna was brought in to provide service until the main antenna can be replaced. They said the temporary transmitter was broadcasting, but only at half the power. The NWS said the main antenna will be replaced sometime late this winter. Source: http://www.foxcarolina.com/story/16539751/weather-radio-transmitter-broadcasting-again

For more stories, see item 13 above in the Banking and Finance Sector and 45 above in the Information Technology Sector

2012-01-18T05:31:00.000-05:00

Wednesday, January 18, 2012

Complete DHS Daily Report for January 18, 2012

Daily Report

Top Stories

• Many of the 146 people sickened with norovirus in Wheeling, Illinois, may have been exposed at Bob Chinn’s Crab House, the Cook County Health Department said. – Food Safety News (See item 25)

25. January 14, Food Safety News – (Illinois) 146 norovirus cases linked to Illinois restaurant. Many of 146 people sickened with norovirus in Wheeling, Illinois, may have been exposed at Bob Chinn’s Crab House, the Cook County Health Department said January 13. Bob Chinn’s, which bills itself as the nation’s fourth busiest restaurant, closed its doors January 10, after receiving complaints from customers who said they had become sick, and then reopened January 11. “We worked with the [Cook County Department of] Public Health to clean and sanitize the restaurant,” said a restaurant spokesman. “We’ve satisfied all of the requirements, and they’ve allowed us to reopen.” A health department spokeswoman said her agency received dozens of calls from people who said they became sick after eating at the restaurant, but that it is unclear whether the eatery is the source of illness in all of those cases. Source: http://www.foodsafetynews.com/2012/01/146-norovirus-cases-linked-to-illinois-restaurant/

• Popular online shoe retailer Zappos.com said January 15 that hackers accessed its network and stole account information from as many as 24 million customers. – Fox News (See item 52)

52. January 16, Fox News – (International) Hackers zap Zappos: Info from 24 million users stolen. Popular online shoe retailer Zappos.com said January 15 that hackers accessed its network and stole account information from as many as 24 million customers. Credit card information was not stolen, the company CEO said in a statement sent to users, but e-mail addresses, billing, and shipping addresses, phone numbers, the last four digits from credit cards — and more — may have been compromised. The company said it already reset the passwords for existing customers to prevent abuse of the stolen data. Source: http://www.foxnews.com/scitech/2012/01/16/zappos-zapped-hackers-steal-info-from-24-million-users/?test=latestnews

Details

Banking and Finance Sector

9. January 16, Reuters – (International) Israel rattled as hackers hit bourse, banks, El Al. Hackers disrupted online access to the Tel Aviv Stock Exchange (TASE), El Al Airlines, and three banks January 16 in what the government described as a cyber-offensive against Israel. The attacks came just days after an unidentified hacker, proclaiming Palestinian sympathies, posted the details of thousands of Israeli credit card holders and other personal information on the Internet in a mass theft. Stock trading and El Al flights operated normally despite the disruption, which occurred as Israeli media reported pro-Palestinian hackers had threatened to shut down the TASE stock exchange and airline Web sites. While apparently confined to areas causing only limited inconvenience, the attacks caused particular alarm in a country that depends on high-tech systems for much of its defense against hostile neighbors. Officials insisted, however, that they pose no immediate security threat. The First International Bank of Israel (FIBI) and two subsidiary banks, Massad and Otzar Hahayal, said their marketing sites had been hacked but that sites providing online services to clients were unaffected. Israel’s third-largest bank, Discount, said it had been spared attack, but that it was temporarily shutting down foreign access to its Web site as a precaution. The Tel Aviv bourse Web site could only be accessed intermittently, but screen-based trading was not hit. There was no claim of responsibility for the incidents. Source: http://www.reuters.com/article/2012/01/16/israel-hackers-idUSL6E8CG26X20120116

10. January 16, NJtoday.net – (New Jersey) PSE&G warns about payment scam targeted to Spanish-speaking customers. Public Service Electric and Gas Company (PSE&G) is alerting its customers not to be defrauded by a scam in which individuals misrepresenting themselves as PSE&G employees threaten to turn off electric and gas service if payment is not made to them that day, NJtoday.net reported January 16. The scam involves payments using Green Dot MoneyPaks and seems to be targeting Hispanic neighborhoods in PSE&G’s service territory. A Spanish-speaking individual pretending to be a PSE&G employee calls customers saying they “work for PSE&G in the disconnect collection department.” They tell customers their account is in arrears and their utility service will be discontinued unless they make a payment using a prepaid debit card. Customers are told to purchase a Green Dot MoneyPak at any convenience store, use cash to put money onto the card, and then provide the number on the card to the person who called them. Customers are advised that if they do not immediately call back and provide the MoneyPak information, their service will be turned off that day. Typically, after the customer provides that MoneyPak number, the scammer transfers the funds to a prepaid card, and cashes it in at an ATM. PSE&G is working with law enforcement to investigate the matter, and is also reaching out to its contacts at local community service agencies asking them to spread the word to their clients. The Better Business Bureau also is warning customers to be on guard for a rising tide of scams involving MoneyPaks, which can be used to fund PayPal accounts and to pay phone, cable, or other utility bills, or credit card bills. Source: http://njtoday.net/2012/01/16/pseg-warns-about-payment-scam-targeted-to-spanish-speaking-customers/

11. January 13, Courthouse News Service – (Texas) Oilman pleads guilty to securities fraud. An oil company executive pleaded guilty in a Dallas court to felonies in his operation of Western Pipeline Corp., federal prosecutors said the week of January 9. The defendant was the fifth defendant convicted in the case. He pleaded guilty to conspiracy to commit securities fraud and securities fraud. He faces up to 5 years in prison and a $250,000 fine on each count. He was majority owner of Western Pipeline from October 2006 to July 2007. He raised money from investors by selling and causing others, including four co-conspirators to sell investments in purported oil and gas development projects, the U.S. attorney’s office said in a statement announcing the plea. Prosecutors said the owner and his co-conspirators misled, deceived, and defrauded investors by misrepresenting and failing to disclose material facts. The co-conspirators assumed false identities when communicating with prospective investors and posed as investors in past Western Pipeline oil and gas development projects that supposedly had been successful. The co-conspirators have all pleaded guilty to securities fraud or conspiracy charges, the U.S. attorney’s office said. In 2008, investors sued Western Pipeline and several of the co-defendants in Dallas County Court, claiming they had been swindled out of $18 million. Source: http://www.courthousenews.com/2012/01/13/43013.htm

12. January 13, New York Times – (National) Ex-S.E.C. official settles conflict-of-interest case. A former enforcement official for the Securities and Exchange Commission (SEC) who was accused of blocking or closing at least three investigations into the activities of the Stanford Financial Group, which authorities claim was a $7 billion Ponzi scheme, has settled civil charges brought by the Justice Department accusing him of violating conflict-of-interest rules by later representing Stanford before the commission, the New York Times reported January 13. A U.S. attorney in Texas announced January 13 that the former official, who from 1998 to 2005 served as the enforcement director for the SEC’s Fort Worth, Texas regional office, had agreed to a civil settlement that would result in payment of a $50,000 fine. That is the maximum fine for a violation of federal conflict-of-interest rules. A separate civil case involving the employee continues at the SEC. Government officials said at a Congressional hearing last May the official was the subject of a criminal investigation into his work for Stanford, which was also the subject of much of a 150-page report by the SEC’s inspector general issued in March 2010. That report found he frequently discouraged or halted further investigation into Stanford Financial by SEC staff, and that he subsequently represented the firm in talks with SEC officials about other or continuing investigations. Source: http://www.nytimes.com/2012/01/14/business/ex-sec-official-settles-conflict-case.html?_r=1

13. January 13, U.S. Department of Justice – (Florida) Altamonte Springs man convicted of bank fraud. A U.S. attorney announced January 13 that a federal jury in Florida January 11, found a man guilty of one count of conspiracy to commit bank fraud, six counts of bank fraud, and one count of making a false statement. He faces a maximum penalty of 30 years in prison. According to evidence, the members of the conspiracy set up bank accounts over the Internet using stolen identities. Those accounts were then funded by unauthorized wire transfers made from accounts at other banks. Before the banks could detect the scheme, the conspirators sent the fraud proceeds to accounts in central Florida either by wire transfer or a check that would be deposited. The defendant participated in the scheme by withdrawing some of the fraud proceeds into a central Florida bank account. He also recruited other individuals in central Florida to provide their bank accounts to be used for receipt of the proceeds from the scheme. After funds were transferred to those accounts, he took the individuals he recruited to multiple bank locations, and over the course of several days, supervised them in the withdrawal of thousands of dollars in fraudulent proceeds. The six bank fraud counts represent more than $396,000 in fraudulent transactions. Two men connected to the scheme have each pled guilty to one count of conspiracy to commit wire and bank fraud, and one count of aggravated identity theft. Source: http://www.justice.gov/usao/flm/press/2012/jan/2012011_Prophete.html

For more stories, see items 46 below in the Information Technology Sector and 52 above in Top Stories

Information Technology

43. January 17, H Security – (International) Apache Tomcat developers advise updates to avoid DoS. The Apache Tomcat developers are advising users of the 7.0.x, 6.0.x, and 5.5.x branches of the Java servlet and JSP container to update to the latest released versions 7.0.23, 6.0.35, and 5.5.35. Recent investigations revealed inefficiencies in how large numbers of parameters and parameter values were handled by Tomcat. Analysis of the recent hash collision denial-of-service vulnerability allowed the developers to identify “unrelated inefficiencies” which could be exploited by a specially crafted request, causing large amounts of CPU to be consumed. To address the issue, the developers modified the code to efficiently process large numbers of parameters and values. Source: http://www.h-online.com/security/news/item/Apache-Tomcat-developers-advise-updates-to-avoid-DoS-1414580.html

44. January 16, H Security – (International) Critical hole in McAfee products still open after more than 180 days. Zero Day Initiative (ZDI) released information on a security problem in McAfee’s Security-as-a-Service products (SaaS). The vulnerability broker said it told McAfee about the hole in April 2011, and it now decided to publicly release the information because the vendor still has not provided a patch. The flaw is contained in the myCIOScn.dll program library. In this library, the MyCioScan.Scan.ShowReport() method insufficiently filters user input and executes embedded commands within the context of the browser. The flaw can be exploited when a user opens a specially crafted file or Web page. ZDI rates the issue as very severe and has given it a CVSS score of 9 –- maximum severity is 10. ZDI’s advisory does not state exactly which products are affected. McAfee’s range of SaaS products includes “SaaS Email Encryption” for encrypting e-mails, and “Vulnerability Assessment SaaS,” which checks software for potential vulnerabilities. Source: http://www.h-online.com/security/news/item/Critical-hole-in-McAfee-products-still-open-after-more-than-180-days-1413775.html

45. January 16, H Security – (International) Linux developers fix a homemade network problem. Linux kernels 3.0.17, 3.1.9, and 3.2.1 fix a problem with the handling of IGMP packets that was introduced with updates in Linux 2.6.36. An IGMPv3 protocol packet being processed soon after the processing of an IGMPv2 packet could lead to a system crash caused by a kernel panic. On January 6, a researcher reported strange crashes of his Linux notebook in the Debian bug database. A Debian developer found the problem was caused by a division by 0 that can occur with IGMP packets that have a Maximum Response Time of 0. As a result, Linux systems running a kernel version from 2.6.36 or later, up until the patched versions, can be crashed remotely using certain IGMP packets if a program has registered to receive multicast packets from the network. Typical examples for such programs include the avahi mDNS server or media players, such as VLC, that support RTP. Active attacks should technically only be possible within local networks, because IGMP broadcasts are usually not routed beyond network boundaries. However, the Debian developer pointed out particular unicast packets may serve for attacks via the Internet unless they are blocked by a firewall. As a fix was released, distributors should soon offer updated kernel packages that no longer contain the vulnerability. Source: http://www.h-online.com/security/news/item/Linux-developers-fix-a-homemade-network-problem-1414033.html

46. January 13, IDG News Service – (International) Facebook chat phishing attack impersonates Facebook security team. A new phishing attack spreading through Facebook chat modifies hijacked accounts to impersonate the social network’s security team. The attackers replace the profile picture of compromised accounts with the Facebook logo and change their names to a variation of “Facebook Security” written with special Unicode characters, said a Kaspersky Lab expert. Facebook claims changing the profile name can take up to 24 hours and is subject to confirmation. However, in the expert’s tests the change occurred almost instantly and required only the password. This was also confirmed by a victim whose profile name was modified within 5 minutes of their account being compromised, he said. After the victim’s profile name and picture get changed, the attackers send out a chat message to all of their contacts informing them their accounts will be suspended unless they re-confirm their information. The rogue messages appear to be signed by “The Facebook Team” and contain a link to a phishing page hosted on an external domain. The Web page mimics Facebook’s design and asks for name, e-mail, password, security question, country, birth date, and other information needed to hijack the account. However, the attack does not stop there. According to the expert, a second form asks users for their credit card details and billing address. This is unusual for Facebook phishing attacks, the majority of which target only social networking account information. Source: http://www.computerworld.com/s/article/9223432/Facebook_chat_phishing_attack_impersonates_Facebook_security_team?taxonomyId=17

47. January 13, Infosecurity – (International) Open Automation Software plugs DoS flaw in ICS application. Open Automation Software issued a patch for a vulnerability to its OPC Systems.NET industrial control system application that could be used for a denial of service attack. The vulnerability is remotely exploitable by sending a malformed .NET remote procedural call packet to cause a denial of service through Port 58723/TCP, explained the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in an advisory. All versions of OPC Systems.NET prior to version 5.0 are affected. There are public exploits that target this vulnerability, which requires a moderate skill level to exploit, the advisory said. OPC Systems.NET is a human-machine interface application deployed across several sectors, including manufacturing, information technology, energy, water and wastewater, defense, and others. A researcher publicly reported the vulnerability in OPC Systems.NET along with proof-of-concept exploit code. This report was released without coordination with Open Automation Software, ICS-CERT, or any other coordinating entity known to ICS-CERT, the advisory noted. ICS-CERT worked with Open Automation Software to fix the security hole, a fix which the researcher confirmed is effective, the advisory said. Source: http://www.infosecurity-magazine.com/view/23217/

48. January 13, msnbc.com – (International) Popular live-blogging site says data files were breached. CoveritLive, a popular, Web-based live-blogging program used worldwide, said January 13 it discovered “certain proprietary data files” of its users “were accessed without authorization,” but “no financial account information has been compromised. We have not yet determined if, or to what extent, CoveritLive account information (i.e., user names, email addresses and/or passwords) was accessed,” Demand Media, which bought CoveritLive in 2011, said in an e-mail to its users. Those users include bloggers, journalists, and mainstream media organizations, including msnbc.com, FoxNews.com, ESPN, and the BBC. Many people use CoveritLive’s free services, but there are premium accounts. Live-blogged events hosted by CoveritLive draw more than 60 million people every month, the company says, 60 percent of whom are from outside the United States. CoveritLive said the files were breached “starting on or about” January 7, and an investigation is “ongoing.” In the meantime, as a “precautionary measure,” all users were asked to re-set their passwords January 14. Source: http://technolog.msnbc.msn.com/_news/2012/01/13/10152434-popular-live-blogging-site-says-data-files-were-breached

49. January 13, Threatpost – (International) Smashing the Linux heap. A researcher found there is a heap allocator in the Linux kernel that is extremely exploitable. The security consultant at Virtual Security Research, who does work on Linux kernel research, investigated heap allocators in the operating system’s kernel. There are three main allocators: SLUB, SLAB, and SLOB. The researcher focused on SLOB, mainly because there has not been as much research done on it. In a talk at the Infiltrate conference, the researcher said he found virtually nothing in the way of methods to mitigate exploit attempts. SLOB is mainly used in embedded systems, favored there because of its small footprint, he said. Any given system will only have one allocator, and SLOB is used in Linux systems on many routers and switches and also in some firmware systems. In his talk, he presented several possible overflow scenarios that could be exploitable, ranging from the simple to the highly complex. Source: http://threatpost.com/en_us/blogs/smashing-linux-heap-011312

For more stories, see items 9 above in the Banking and Finance Sector, 50 below in the Communications Sector and 52 above in Top Stories

Communications Sector

50. January 17, H Security – (International) T-Mobile USA hacked. A group of hackers that goes by the name “TeaMp0isoN” claims to have obtained access credentials belonging to staff at US Deutsche Telekom subsidiary T-Mobile USA, H Security reported January 17. To back up their claim, the hackers posted data to the Pastebin anonymous text hosting service. One member of the group told Softpedia the hack involved exploiting SQL injection vulnerabilities on the t-mobile.com and newsroom.t-mobile.com Web sites. According to T-Mobile, the problem was limited to the T-Mobile USA newsroom. This would limit the scale of any problems arising as a result –- the intruders may be able to publish fake press releases. Based on the information provided, private customer data was never at risk. Most of the passwords consist of a simple six-digit number composed of two numbers repeated such as “112112.” T-Mobile USA said it has now fixed the vulnerabilities. Source: http://www.h-online.com/security/news/item/T-Mobile-USA-hacked-1414307.html

51. January 13, IDG News Service – (National) Federal body concludes LightSquared can’t work with GPS. A key federal agency involved in testing the proposed LightSquared Long-Term Evolution (LTE) network has concluded there is no practical way to solve interference between that network and the Global Positioning System (GPS), possibly dealing a crippling blow to the startup carrier’s hopes for a terrestrial mobile network. In a memo released January 13, the National Space-Based Positioning, Navigation, and Timing Executive Committee (PNT ExComm) said the nine federal agencies that make up the body had concluded unanimously that none of LightSquared’s proposals would overcome significant interference with GPS. LightSquared in 2010 received a waiver from the Federal Communications Commission (FCC) allowing it to operate a terrestrial LTE network on frequencies that have until now been devoted to much weaker satellite signals. The PNT ExComm has been involved in testing and results analysis at the request of the FCC and the National Telecommunications and Information Administration (NTIA). Both the original and modified proposals by LightSquared would cause harmful interference to many GPS receivers, the PNT ExComm chairs said in the memo. The agency also said a Federal Aviation Administration analysis had concluded the network would be incompatible with aircraft safety systems. Source: http://www.computerworld.com/s/article/9223447/Federal_body_concludes_LightSquared_can_t_work_with_GPS

For another story, see item 46 above in the Information Technology Sector