Friday, October 29, 2010

Complete DHS Daily Report for October 29, 2010

Daily Report

Top Stories

• The Lexington Herald-Leader reports that two teenage boys were charged with wanton endangerment and possession of an explosive device after they mixed rubbing alcohol and a bag of swimming-pool chemicals on a Lincoln County school bus, sending 37 people to the hospital. (See item 20)

20. October 28, Lexington Herald-Leader – (Kentucky) 37 people treated after prank on Lincoln County school bus. Thirty students from Lincoln County schools and a school bus driver were taken to a Kentucky hospital October 27, after the driver found that two high school boys were mixing rubbing alcohol and a bag of swimming-pool chemicals on the bus. The boys, ages 14 and 16, were charged with wanton endangerment and possession of an explosive device and sent to the Adair County Juvenile Detention Center, the Lincoln County sheriff said. In addition to the 30 students, doctors treated two bus drivers, four parents and a nurse from the hospital who first came into contact with the students. Source:

• Arrest warrants were issued for three Colorado men accused of stealing more than 20 miles of copper wire from telephone poles in eastern Uintah County, Utah, according to Deseret News. See item 56 below in the Communications Sector


Banking and Finance Sector

13. October 28, KARE 11 Minneapolis – (Minnesota) 4 Minneapolis men sentenced for robbing the same bank three times. The last of four Minneapolis, Minnesota men was sentenced October 27 in federal court for robbing the same U.S. Bank branch on three separate occasions last year. A U.S. District Court Judge sentenced one 24-year-old man to 110 months in prison on three counts of bank robbery and one count of carrying a firearm during the commission of a crime of violence. The man was indicted, along with three co-defendants, November 10, 2009, and pleaded guilty January 7, 2010. In his plea agreement, the man admitted stealing $5,710 from the bank, which is located at 4930 34th Ave. S. in Minneapolis, April 13, 2009. He also admitted brandishing a revolver during that robbery. In addition, he admitted stealing $4,371 from the same bank May 8, 2009, and another $5,341 from the bank July 28, 2009, while armed both times. Source:

14. October 28, Media Newswire – (New Jersey) Two New Jersey men charged with $7 million mortgage fraud scheme. A former mortgage broker and his purported co-conspirator in a mortgage fraud scheme were arrested October 28 on a criminal complaint which alleges they conspired to defraud various mortgage lenders of more than $7 million by conducting at least 50 fraudulent real estate transactions involving residential properties in New Jersey, the U.S. Attorney announced. The two men were arrested by special agents of the FBI and the U.S. Secret Service on a charge of conspiracy to commit wire fraud. Both defendants are expected to appear before the U.S. Magistrate Judge in Newark federal court. According to the complaint, one suspect, supposedly in the real estate business, and the second suspect, a former mortgage broker, engaged in a conspiracy to defraud mortgage lenders from January 2007 to December 2009. The first suspect, with the assistance of two attorneys, arranged to purchase properties owned by financial institutions — commonly referred to as real-estate-owned or REO properties. The second suspect recruited other individuals to purchase those same properties at around the same time, referred to in the complaint as the “borrowers.” Source:

15. October 28, The Register – (International) Did ZeuS’s daddy give hard Trojan love to rival cybercrook? The author of the infamous ZeuS crimeware toolkit may have handed over its development to a former rival in the banking Trojan development business. “Slavik” has handed over the ZeuS source code to SpyEye developer “Harderman”, according to an investigation by a security blogger and former Washington Post reporter — and based on posts on numerous Russian language underground cybercrime forums. Slavik’s apparent handover is surprising because SpyEye, a relative newcomer to the world of banking Trojans, was programmed to overwrite ZeuS installations on compromised PCs. Slavik may have decided to lay low as a result of a recent string of cybercrime prosecutions against ZeuS phishing mules in the United States and U.K. as well as the arrest of five alleged bot herders in the Ukraine. The arrest of crooks suspected of masterminding phishing operations using versions of ZeuS and controlling networks of compromised PCs strikes much closer to home for Slavik. In addition, Microsoft began adding detection for ZeuS into its Malicious Software Removal Tool, claiming early success with the clean-up of an estimated 274,000 PCs. The move follows months of reports of online banking losses linked to the distribution of variants of ZeuS. Source:

16. October 27, Scottsboro Daily Sentinel – (Alabama) Bomb threat at FNB Bank in Bridgeport. Jackson County investigators are looking into a fake bomb threat that occurred on the afternoon of October 26 at FNB Bank in Bridgeport, Alabama. According to a police spokesman, a person called the bank and told the teller to wire an undisclosed amount of money to a private account. “He said, if not, a bomb would be set off in the bank,” the spokesman said. Bridgeport police and the Jackson County Sheriff’s Office responded to the scene. “The bank was evacuated,” the spokesman said. “We conducted an investigation and a search of the building. No bomb was located.” The spokesman said no arrests have been made. “At this time, we’re tracking down some leads,” he said. Source:

17. October 27, Arizona Republic – (Arizona) ‘Thou Shall Not Steal Bandit’ strikes in Scottsdale. The FBI’s Bank Robbery Task Force and Scottsdale Police Department are asking the public for help to identify the “Thou Shalt Not Steal Bandit,” who robbed a Scottsdale, Arizona bank October 27. The robber has struck banks in Carefree, Phoenix and Peoria. On Wednesday, he robbed Johnson Bank at 32621 N. Scottsdale Road. FBI said the robber carries a firearm and wears black camouflage clothing and goggles. He enters through the bank’s roof before opening and confronts employees. He then restrains employees after taking money and flees. The suspect robbed the National Bank of Arizona in Carefree April 27, a Chase Bank in Phoenix December 11, 2009, and a Chase Bank in Peoria March 24, 2009. The FBI described the robber as a white male, age 28 to 40, 5 foot 8 to 5 foot 10 inches tall and weighing 170 to 180 pounds. Source:

Information Technology

51. October 28, Computerworld – (International) Bredolab-infected PCs downloading fake antivirus software. A massive takedown operation conducted by Dutch police and security experts the week of October 25 does not appear to have completely dissolved the Bredolab botnet, but it is unlikely to recover. The latest look at the botnet by FireEye’s Malware Intelligence Lab showed two domains are being used to issue instructions to infected computers. PCs infected with Bredolab are programmed to check in with certain domains to receive new commands. One domain, which is on an IP (Internet Protocol) address registered with a collocation facility in Kazakhstan, is telling infected computers to download a fake antivirus program called Antivirusplus. If infected, users are badgered to buy the programs, which offer little or no actual protection from threats. The other domain is instructing computers to send spam. That domain is hosted on an IP address assigned to a collocation facility in Russia. The infected computers that are communicating with domains appear to have a variant of Bredolab installed. Malware authors frequently have to modify the code in order to avoid detection by antivirus software. Source:

52. October 28, – (National) Most smartphone users breach employers’ security, says survey. More than half of mobile device users access their employer’s networks every day without permission, a survey has found. More than 80 percent of users of mobile devices, whose security is not controlled by a company, said they have accessed work information. Network systems company Juniper Networks surveyed 6,000 mobile device users and found that the use of smartphones and tablet computers poses a potentially major security risk to corporate information. Consumer-focused devices are often far more poorly protected than laptops or secure email devices that have been designed and configured by a company’s own IT department. The survey found that, despite citing information security as a major concern, device owners are using the machines to bypass corporate data protection measures. “Almost 44 percent of respondents use their devices for both personal and business purposes,” said a Juniper statement. “Eighty-one percent admit using their devices to access their employer’s network without their employer’s knowledge or permission and 58 percent do so every single day.” Those users are not unaware of the dangers of using sophisticated mobile devices; 64 percent of them are very or extremely concerned about the possibility of identity theft when a device is stolen or lost, according to the survey. Source:

53. October 28, Help Net Security – (National) BoingBoing hacked and defaced. BoingBoing, the popular blog and “directory of wonderful things,” has been hacked and its home page replaced with a message containing vulgar language and pictures. The site was pulled down by the administrators shortly after the attack, which is suspected to have been executed via an SQL injection, TechCrunch reports. The site was available again October 28, but the site’s commenting system “will be on hold for a while longer” due to the attack. Source:

54. October 27, Computerworld – (International) Mozilla: No ‘kill switch’ for Firesheep add-on. Mozilla October 27 said it would not — or could not — pull a “kill switch” to disable the Firesheep add-on that lets anyone steal log-on and account access information to Facebook, Twitter, and other major Web services. Firesheep adds a sidebar to Mozilla’s Firefox browser that shows when anyone on an open network — a coffee shop’s Wi-Fi network, for instance — visits any insecure site on a list that includes the microblogging service Twitter and the hugely-popular Facebook social networking site. Mozilla has a “blocklist” mechanism that it can, and has in the past, applied as a last-resort defense against potentially-dangerous browser add-ons. The blocklist automatically cripples or uninstalls unwanted extensions that have been added to Firefox. But Mozilla either cannot or will not add Firesheep to the blocklist. “[Firesheep] demonstrates a security weakness in a number of popular Web sites, but does not exploit any vulnerability in Firefox or other Web browsers,” said the director of Firefox, in an e-mail reply to questions about Mozilla’s possible moves. He did not respond to questions about whether Mozilla is technically able to cripple Firesheep, or simply chooses not to. Source:

55. October 27, Computerworld – (International) Mozilla patches Firefox zero-day bug in 48 hours. Less than 48 hours after receiving a report of a critical flaw in Firefox, Mozilla issued an emergency update October 27 that patched the problem. Mozilla released Firefox 3.6.12 and Firefox 3.5.15 to patch the vulnerability, which had been exploited by malware secretly planted on the Nobel Peace Prize Web site. Mozilla said the vulnerability existed in the Windows, Mac OS X, and Linux versions of Firefox 3.6, and the older Firefox 3.5. The currently-stalled Firefox 4 was not at risk, a Firefox security engineer said in comments appended to the Mozilla blog post that confirmed the flaw. The Trojan was designed to install attack code on compromised machines; that code would then hijack the PC and give the hacker complete control. Earlier October 27, a German security company, Avira, said the Trojan’s links to the hacker’s command-and-control servers had been severed. Avira expressed surprise at the unreliability of the malware, and wondered why the attacker had essentially thrown away a valuable zero-day vulnerability on such poorly-written code. “Usually cybercriminals abuse [zero-day vulnerabilities] for profitable malware,” Avira said. Today’s update was the fourth one-fix patch from Mozilla this year. Source:

Communications Sector

56. October 27, Deseret News – (Utah) 3 charged with stealing 20 miles of copper wire from telephone poles. Arrest warrants were issued for three Colorado men accused of stealing more than 20 miles of copper wire from telephone poles in eastern Uintah County, Utah. The suspects were charged October 20 in 8th District Court with one count each of theft, a second-degree felony. A Strata Networks representative contacted Uintah County sheriff’s investigators in August to report the telecommunications company was missing 20 miles of copper transmission line from its poles. The missing line spanned from the Green River Bridge near Jensen to the Old Bonanza Highway and then south into the oil and natural gas fields of Uintah County, according to court records. Deputies said they visited a metal recycling center in Vernal, where they obtained samples of copper wire that matched the missing wire. A recycling center employee said the wire had been purchased from one of the suspects and a third man, court records state. Investigators tracked the suspect to a trailer court in Colorado and questioned him. He admitted to taking “downed lines” from the area, and said the other two suspects had helped him, the charges state. A spokesman for Strata Networks said the copper line was still affixed to the telephone poles when it was taken. “It had recently been abandoned but before we had a chance to go get it, some individuals came and helped themselves to it,” he said. Source:

57. October 27, Radio Ink Magazine – (Tennessee; National) FCC issues fines to TN stations. The Federal Communications Commission’s Enforcement Bureau hit the licensees of two Tennessee stations with forfeitures for a variety of violations. In August 2009, agents inspected Rodgson Inc.’s WSDQ-AM/Dunlap, and found the EAS receivers were not receiving audio and no one at the station knew how to send an EAS test. There were no EAS logs available, and staff said the equipment had not worked for at least 1 year. The general manager also told agents the station had never had a public inspection file. On inspecting the tower site, FCC agents found the fence was damaged and the gate had been removed from its hinges and was propped up over the gate opening, and there was no sign of a lock, though there was a chain. In January 2010, the Atlanta FCC office issued a notice of apparent liability for $25,000, and that has now been reduced to $5,500 after Rodgson documented its inability to pay the higher amount. In South Pittsburg, Tennessee, agents inspected the studios of WEPG-AM and found the station had no public inspection file, and they were told it had never had one. On looking over the antenna site, the agents found the gate of the chain link fence was wide open, and there was no lock. There was also “dense overgrowth of weeds and bushes” inside the fence and around the gate, and no perimeter property fence. The Atlanta office issued a notice of apparent liability in January 2010, and that has been reduced to $3,500 after the company showed its inability to pay. Source:

For another story, see item 52 above in the Information Technology sector.

Thursday, October 28, 2010

Complete DHS Daily Report for October 28, 2010

Daily Report

Top Stories

• The Washington Post reports that authorities are investigating a nascent plot to carry out a series of terrorist bombings at train stations in the Washington D.C. Metro system, according to federal intelligence and law enforcement sources. (See item 24)

24. October 27, Washington Post – (District of Columbia; Maryland; Virginia) Feds investigate plot to attack Metro. Federal law enforcement authorities are investigating a nascent plot to carry out a series of terrorist bombings at train stations in the Washington D.C. Metro system, according to intelligence and law enforcement sources. The investigation is focused on a naturalized U.S. citizen, originally from Pakistan, who became the target of an undercover sting operation, the sources said. An administration official said the man drew the attention of law enforcement officials by seeking to obtain unspecified materials. The planned attack was not imminent, the sources said. Federal officials stressed the public was never in danger. They said that, as part of the sting, the man was asked to conduct video surveillance; he later turned that material over to federal agents whom he believed to be connected to al-Qaeda. Unlike other U.S. citizens implicated in recent terrorism plots, the man does not appear to have received overseas training from al-Qaeda or any of its affiliates, the sources said. Source:

• According to the Associated Press, the FBI said the same gun was used to shoot at the Pentagon and the National Museum of the Marine Corps in Northern Virginia. Investigators are not sure yet if the weapon was used to shoot at a Marine recruiting station in Chantilly, Virginia October 25. (See item 44)

44. October 26, Associated Press – (Virginia) FBI: Same gun used in Pentagon, museum shooting. The same gun was used to shoot at the Pentagon and the National Museum of the Marine Corps in Northern Virginia earlier this month, the FBI said October 26. A third military office — a Marine Corps recruiting station in Chantilly, Virginia, outside Washington — was shot at overnight October 25; Marines who work there discovered the shooting the morning of October 26, the FBI said. Investigators are conducting ballistics tests to determine whether the recruiting station shooting is related to the previous incidents. No one was injured in any of the shootings. Investigators have not determined a motive or identified a suspect, said a spokeswoman for the FBI’s Washington field office. Though all three shootings have targeted offices with links to the military, the FBI has not issued any specific advisories or warnings to recruiting stations or other military buildings. Source:


Banking and Finance Sector

14. October 27, Associated Press – (International) Venezuelan charged with extortion in U.S. A Venezuelan was jailed in Miami, Florida on charges of attempting to extort $1.5 million from a businessman involved in a securities controversy in Venezuela. Prosecutors said the 61-year-old suspect faced a bail hearing October 27 in Miami federal court. The case involves a businessman and his former securities firm that was taken over by a Venezuelan securities commission. Prosecutors said the suspect was appointed receiver of the company. The suspect allegedly told the businessman if he did not pay, his reputation would be ruined and he might face arrest in Venezuela. Authorities said the suspect was arrested the week of October 18 by the FBI in Miami carrying a $750,000 check, part of the businessman’s payment. Source:

15. October 27, Arizona Daily Star – (Arizona) 2 charged with preying on mortgage investors. The owners of a mortgage investment company in Tucson, Arizona have been indicted on criminal charges in connection with a program that led to $2.9 million in foreclosure losses. The two suspects, both 33, were indicted on charges, including conspiracy, fraud, theft, money laundering, and illegally conducting an enterprise, the state attorney general said October 26. The suspects owned and operated AZI Rent2Own LLC — also known as Arizona Investments or AZI — which claimed to specialize in mortgage investment and rent-to-own programs. Between 2006 and 2008, 25 homes were involved in either straw buyer or investor schemes perpetuated by AZI Rent2Own, the indictment said. About 45 lending institutions and 31 renters were victimized, it said. FBI agents began investigating the suspects about 1 year ago when several consumer complaints were filed against them, the attorney general said. The FBI found the men were defrauding investors and renters of homes in Pima County by using straw-buyers or investors to flip properties — many of which had been rented under rent-to-own agreements. Source:

16. October 26, Wall Street Journal – (International) ASX bond futures platform crashes after data. The Australian Securities Exchange (ASX) bond futures trading platform crashed October 27, just days after Singapore Exchange Ltd. bid 8.2 billion for the stock and futures market operator. The trading platform went down after third quarter inflation data prompted a scramble for front-end bonds as traders bet the central bank would not need to hike rates. ASX Ltd. blamed a system error for the crash, which stopped the ASX 24 trading platform from matching trades. Buy and sell orders are matched in the electronic machine engine in milliseconds to make an official trade. Trading resumed in core products such as bond futures just over 90 minutes later. Traders were scathing at the outage, citing expensive trading costs associated with the ASX, and complaining of previous system crashes. Interest rate futures traders were especially caught given inflation numbers were softer than anticipated, dousing expectations of a rate hike by the Reserve Bank of Australia. Singapore Exchange’s takeover bid for the ASX has sparked an outcry among some key lawmakers in Australia who question whether the deal is in the national interest, citing Singapore’s record on democracy and the freedom of speech. Source:

17. October 26, NAZ Today & Associated Press – (Arizona) Carbon monoxide leak forces evacuation of Bank of America building in Flagstaff. A second-alarm carbon monoxide leak sent at least 15 people to the hospital and forced the evacuation of the Bank of America building in Flagstaff, Arizona October 26. Shortly before 4:30 p.m., firefighters received several calls of a possible gas leak. As the first wave of firefighters arrived, they were met by several people complaining of symptoms consistent with carbon monoxide poisoning, according to a Flagstaff fire department captain. Firefighters determined that it was a carbon monoxide leak and a second alarm was issued as rescuers began evacuating the building. An eyewitness told NAZ Today that most floors were evacuated by 4:45. By 5 p.m., 19 people had reported illnesses to firefighters, and 15 were transported to Flagstaff Medical Center, according to a firefighter at the scene. The Associated Press is reporting that in all, 25 people were evaluated by paramedics. A Flagstaff Medical Center spokeswoman told the Associated Press that 17 patients had been seen at the hospital. Source:

18. October 26, Ventura County Star – (California; Oregon) Thousand Oaks man arrested in connection with Ponzi scheme. Federal authorities arrested a Thousand Oaks, California man October 26 for allegedly operating a Ponzi scheme that cheated investors out of more than $18 million. The suspect was taken into custody by FBI and Internal Revenue Service agents and charged with wire fraud, mail fraud, and money laundering. The FBI office in Portland and Oregon Division of Finance and Corporate Securities had been investigating the suspect for at least 1 year in connection with his business activities at Sunburst Associates Inc., which he operated for 30 years, the last few at 199 E. Thousand Oaks Blvd., Suite 106, Thousand Oaks, California. The suspect reportedly got people to invest in second mortgages he sold to homeowners, promising high rates of return and a security interest in the property allegedly pledged to secure the investment. Many of the investors are in Oregon and are over 65. According to the indictment, the suspect spent the investors’ money on personal items, including a car and a home. Source:

19. October 26, DarkReading – (International) Emerging Qakbot Exploit Is Ruffling Some Feathers. The Qakbot Trojan has been causing ripples in the IT security pond, researchers said. In a blog posted October 25, researchers at RSA Security offered a closer look at Qakbot and its unusual behavior. Qakbot is different in that it almost exclusively targets U.S. financial institutions, the researchers said. It also is the first Trojan seen to be exclusively targeting business/corporate accounts. “The goal for Qakbot is to siphon out larger sums of money, much more than would generally be available in private online accounts,” RSA said. “While Qakbot is not the first and only Trojan to target such accounts, it is the only one that shows this type of strict ‘preference’ by design, and with no exceptions.” How does Qakbot infect its prey? Researchers are not sure. RSA said it has not found HTML or JavaScript code injections, or man-in-the-browser attacks that are typically used to circumvent two-factor authentication mechanisms. “Still, we suspect that Qakbot does have some sort of module for completing real time attacks, since it would otherwise not target business accounts to begin with,” the blog said. Qakbot is designed to spread like a worm — infecting multiple machines at a time — while also stealing data like an ordinary banker Trojan, RSA said. Qakbot targets shared networks, copying its executable file into shared directories, a technique that enables it to propagate on corporate networks, the blog observed. Source:

Information Technology

46. October 27, Help Net Security – (International) Boonana Trojan for Mac OS X spreads via social media. SecureMac has discovered a new Trojan in the wild that affects Mac OS X, including Snow Leopard (OS X 10.6). The Trojan.osx.boonana.a, is spreading through social networking sites, including Facebook, disguised as a video. It is currently appearing as a link in messages with the subject “Is this you in this video?” When a user clicks the infected link, the Trojan initially runs as a Java applet, which downloads other files to the computer, including an installer, which launches automatically. When run, the installer modifies system files to bypass the need for passwords, allowing outside access to all files on the system. Additionally, the Trojan sets itself to run invisibly in the background at startup, and periodically checks in with command and control servers to report information on the infected system. While running, the Trojan hijacks user accounts to spread itself further via spam messages. Users have reported the Trojan is spreading through e-mail as well as social media sites. Source:

47. October 27, IDG News Service – (International) Mozilla scrambles to patch Firefox flaw used in attacks. Mozilla developers are scrambling to fix a new Firefox browser bug being used by criminals to install malicious software on victims’ computers. The flaw was uncovered October 26 by security vendor Norman, which said it learned of the bug after analyzing attack code surreptitiously installed on the Nobel Peace Prize Web site. “If a user visited the Nobel Prize site while the attack was active early October 26 using Firefox 3.5 or 3.6, the malware might be installed on the user’s computer without warning,” Norman said in a press release. In a blog posting, Mozilla confirmed the attack exploited a previously unpatched flaw, and said it had heard from “several security research firms” that the code has been used on the Internet. “We have diagnosed the issue and are currently developing a fix, which will be pushed out to Firefox users as soon as the fix has been properly tested,” Mozilla said in its blog post. Mozilla said the bug affects Firefox 3.5 and 3.6, on all supported platforms — Windows, Linux and Mac OS X. According to Norton, the attack seen on the Nobel site targets Windows. It installs a Trojan program that can then be used by attackers to download more malicious software and essentially take control of the victim’s computer. The attack does not appear to be widespread at this point. Source:

48. October 27, SC Magazine UK – (International) Over half of European companies do not have a uniform approach in place for transferring data securely. Over three-quarters of European companies regularly transfer business critical data, yet most do not have a uniform approach in place. A survey found 77 percent of European companies transfer confidential personal or financial information, inside and outside the company, yet 53 percent of those surveyed state security is the greatest challenge posed by data transfer, and 64 percent said their companies do not have a uniform approach in place for data transfer. Uniform procedures, which ensure compliance with current and future data protection standards, are critical for assuring important file transfer systems, yet 17 percent of employees do not know who in their company is responsible for data transfer security. As such, if an error occurs during data transfer, they do not know who to contact to address the issue. Furthermore, 23 percent of those questioned do not know how to encode or decode data, notify recipients, or how to implement anti-virus procedures after the transfer. The technical services director EMEA at managed file transfer manufacturer Attachmate, who conducted the survey, said: “The survey shows many corporations have yet to adapt security requirements and data transfer procedures to existing standards, even though data size and volume continue to grow worldwide.” Source:

49. October 26, New York Times – (International) Leader of SpamIt investigated by Russian police. On October 26, Russian police officials announced a criminal investigation of a suspected spam kingpin. They said he had probably fled the country. Moscow police authorities said the suspect was a central figure in the operations of SpamIt, which paid spammers to promote online pharmacies, sometimes quite lewdly. SpamIt suddenly stopped operating September 27. With less financial incentive to send junk mail, spammers curtailed their activity by an estimated 50 billion messages per day. Why the site closed was unclear until October 26, when Moscow police officials met with reporters to discuss the case. They accused the suspect of operating a pharmacy without a license, and of failing to register a business. On October 26, they searched his apartment and office in Moscow, according to an investigator in the economic crime division of the Moscow police department. The investigator said the search of the apartment turned up seven removable hard drives, four flash cards, and three laptops. Specific, computer-crime related charges may follow after police examine their contents, she said. The investigation began September 21, 6 days before SpamIt closed. The drop-off in spam since SpamIt went down had been noted by companies in the United States that monitor the Internet. Source:

50. October 25, IDG News Service – (International) Security company strengthens CAPTCHAs with video. A security company called NuCaptcha is incorporating advertising into a video CAPTCHA system that is much harder for computers to break. CAPTCHA stands for “Completely Automated Public Turing Test to Tell Computers and Humans Apart.” It was developed to thwart Web annoyances such as spam and false account registrations, among others. It uses a box of jumbled letters humans must decode to allow, for example, a registration to proceed. When CAPTCHAs were first introduced, it was difficult for optical character recognition (OCR) technologies to break them. Over the last few years, that has changed, and CAPTCHAs are much less effective. In order to halt automated CAPTCHA-solving programs, the puzzles have been made more difficult to solve, so much so that many are nearly unreadable to humans as well. NuCaptcha does CAPTCHAs but with a twist: rather than a static box of text the system runs the text as a streaming banner within a video. The movement of the text throws off automated CAPTCHA-solving software. The text also does not have to be obscured as much, making it much easier for people to read and likely to keep users on the Web site. Source:

Communications Sector

51. October 27, TechWorld – (International) Consumer smartphones to get remote wipes and SIM swap alerts. Consumer smartphone users could soon be given access to a range of advanced security features previously offered only to large corporates, after equipment maker Juniper announced new software for mobile networks. Using Juniper’s new beta release Pulse Mobile Security Suite, networks will be able to offer all users — including Android, BlackBerry, Nokia, iPhone, and Windows Phone — the ability to locate lost or stolen devices using GPS, perform remote data wipes, and block spam and malware. Android and BlackBerry support is immediate, Windows Mobile 6.1 will follow next month, Symbian in December 2010, the iPhone in the first half of 2011, and Windows 7 Phone (as opposed to older Microsoft mobile OSes) at an unspecified point in the future. The platform also makes possible sophisticated “big brother” parental controls such as the blocking of messages containing certain terms, and can even warn if a SIM chip has been swapped out. If they want, service providers can also offer cloud-based services including automatic data backup. The service can also be offered to companies as well as consumers, which from the network’s point of view represents a useful convergence of two markets into one technology. Source:

52. October 26, WXIN 59 Indianapolis – (Indiana) Communications tower falls on Bloomington elementary school. On October 26, a communications tower next to a Bloomington, Indiana school fell on top of the building as a result of a round of strong storms and high winds. It happened at Lakeview Elementary on Strain Ridge Road. No one was hurt and the school said the building only sustained minor damage to the roof. The students were in “tornado” mode at the time due to a warning issued by the National Weather Service. Witnesses said they heard a loud bang, like thunder, when the tower hit the building. Source:

53. October 26, Lancaster Intelligencer Journal – (Pennsylvania) Blue Ridge customers see half-hour cable glitch. About 14,000 Blue Ridge Communications customers saw a jumbled picture October 26 if they turned on their televisions. The Palmerton, Pennsylvania-based cable company was upgrading equipment to add more high-definition channels to its lineup when a problem occurred, a spokesman said. The problem ended up pixellating some channels for about a half-hour, he said. The outage happened around 5:30 a.m. The affected customers made up less than half of the 33,000 total customers in the Ephrata/Lititz/Adamstown area. Source:

Wednesday, October 27, 2010

Complete DHS Daily Report for October 27, 2010

Daily Report

Top Stories

• According to the San Jose Mercury News, Pacific Gas & Electric (PG&E) said October 25 it has identified about 300 manual gas valves in California that may need to be replaced with speedier automatic or remotely controlled shut-off technology, at a potential cost of up to $450 million. (See item 3)

3. October 25, San Jose Mercury News – (California) PG&E says it may need 300 speedier shutoff valves. Criticized for its long delay in manually shutting off gas to the ruptured pipeline in San Bruno, California, Pacific Gas & Electric (PG&E) said October 25 it has identified about 300 manual gas valves that may need to be replaced with speedier automatic or remotely controlled shut-off technology, at a potential cost of up to $450 million. Also, while the utility said it found no immediate safety issues in a check of 16 miles of pipe in and around San Bruno after the blast that killed eight people and destroyed 35 homes, the company did find 38 leaks throughout its extensive network. Four of the leaks — one in Hollister, two in Napa, and another in Gridley — were in large transmission lines, similar to the one that erupted in San Bruno. Two of the four were in PG&E facilities. The others were in smaller pipes, many feeding gas to individual customers. The company, which expects to complete checking its entire gas system by December 15, said all of the leaks have been fixed. In its disclosures October 25, the company said the cost of replacing a manual valve with one that automatically closes after a drop in pressure from a pipe rupture or that can be remotely controlled by a human operator varies from $100,000 to $1.5 million, depending on such factors as how accessible the valve is for retrofitting. Source:

• The Dayton Daily News reports that two men were being questioned after federal agents and local officers learned the men planned to shoot up a Dayton, Ohio Veterans Affairs center, and found a rocket launcher and other weapons at an apartment. (See item 31)

31. October 25, Dayton Daily News – (Ohio) Rocket launcher recovered in alleged plot to attack Dayton VA. Two men were being questioned after federal agents and local officers learned the men planned “to show up at the Dayton, Ohio Veterans Affairs (VA) Center and basically shoot a bunch of people up,” police said October 25. Federal agents found a rocket launcher and other weapons at the Miami Bluffs, Ohio apartment of one of the men October 25, according to the Miami Township deputy police chief. A VA spokeswoman refused to comment, citing privacy regulations and the ongoing investigation. An FBI Special Agent confirmed the agency is investigating a threat made to the Dayton VA Medical Center either October 24 or 25, but he would not say how the threat was made. A deputy police chief said the men received services from the Dayton VA. “I understand them to be American citizens who were also veterans,” he said. A neighbor said he found the unloaded rocket launcher in a garbage bin when he was taking out his trash. He said he climbed into the bin and recovered the launcher. The rocket launcher, green with “U.S. Army” written on it, was not loaded. Source:


Banking and Finance Sector

12. October 26, Media Newswire – (New York) Founder of the Cobalt Companies sentenced in Manhattan federal court to 85 years in prison for $23 million real estate fraud scheme. The United States Attorney for the Southern District of New York announced that the founder of the Cobalt Companies was sentenced October 26 to 85 years in prison on charges stemming from a fraud that raised more than $23 million from over 250 investors in private placement real estate offerings. The suspect was sentenced in Manhattan federal court by a judge who presided over the 3-week jury trial at which the suspect, along with two co-defendants, was found guilty. The Manhattan U.S. Attorney said: "He (the suspect) is a career con-man who stole millions of dollars from hundreds of investors by selling worthless interests in a bogus investment offering. This office will continue to work with our partners at the Federal Bureau of Investigation to ensure that sham investment opportunities like Cobalt do not corrupt the marketplace." Source:

13. October 25, Carmi Times – (Illinois) Franklin County man admits robbing Collinsville, Marion banks. A Franklin County, Illinois man pleaded guilty October 22 in federal court in East St. Louis, Illinois to robbing banks in Collinsville and Marion. The U.S. Attorney for the Southern District of Illinois said the 34-year-old suspect pleaded guilty to a three-count indictment charging him with two counts of bank robbery, and one count of carrying and use of a firearm during a crime of violence. The statutory penalties applicable to each of the bank robbery counts are up to 25 years' imprisonment, up to a $250,000 fine, up to 5 years' supervised release, and a $100 special assessment. The statutory penalty applicable to the firearm offense is not less than 7 years' imprisonment up to life imprisonment, consecutive to the sentence imposed on the bank robbery in which the firearm was used, up to a $250,000 fine, up to 5 years' supervised release and a $100 special assessment. Source:

14. October 25, Mount Vernon News – (Ohio) Fire damages downtown building. A basement fire October 25 at 201 S. Main St. in Mount Vernon, Ohio spread throughout the building as firefighters from Knox County fought the blaze. The Mount Vernon Fire Department (MVFD) responded to a call of light smoke coming from the basement of the building on the southwest corner of South Main and West Gambier streets at approximately 6:30 a.m. According to the MVFD assistant chief, the fire started in the basement of the building, which is used for storage. A gas line ruptured, which helped fuel the fire, the fire chief said. Power on the west side of South Main was shut off. Because of the power outage and smoke throughout the downtown, many businesses have closed including the main office of First-Knox National Bank, The Alcove, and Associated Insurance. Source:

15. October 25, Kansas U.S. Attorney's Office – (Kansas) Dodge City man charged in bank robbery. Federal charges have been filed against a Dodge City, Kansas man accused of robbing a bank in Dodge City, the U.S. Attorney said October 25. The 31-year-old suspect is charged with one count of bank robbery, two counts of unlawful possession of a firearm after a felony conviction, and one count of using a firearm in a crime of violence. A criminal complaint filed Sunday in U.S. District Court in Wichita alleges that on October 21, the suspect robbed the Bank of America at 2307 Central Avenue. During the robbery, the suspect was carrying a handgun. After surveillance photos taken during the robbery were made public, police learned that the suspect was in Dodge City. On October 22, officers went to a house in the 1300 block of Sunnyside in Dodge City where the suspect was staying. The suspect was carrying a handgun when the officers encountered him in the backyard of the residence and ordered him to drop the gun. When the suspect failed to comply and tried to re-enter the house, the officers shot him. If convicted, he faces a maximum penalty of 25 years in federal prison and a fine up to $250,000 on the bank robbery charge, a maximum penalty of 10 years and a fine up to $250,000 on each count of unlawful possession of a firearm after a felony conviction, and a penalty of not less than 5 years and a fine up to $250,000 on the charge of carrying a firearm in furtherance of a crime of violence. The Dodge City Police Department, the Kansas Bureau of Investigation, and the FBI investigated. Source:

Information Technology

42. October 26, IDG News Service – (International) Dutch team up with Armenia for Bredolab botnet take down. Armenian authorities arrested a 27-year-old man October 26 on suspicion of running a large botnet that was dismantled after a unique take-down operation by Dutch law enforcement and computer security experts October 25. Dutch authorities said they seized dozens of servers used to control the Bredolab botnet, estimated to have infected millions of computers worldwide. Bredolab is a type of malicious software program that can steal login and password details, log keystrokes, and steal any data from an infected computer. The Dutch High Tech Crime Team, which is part of the National Crime Squad, began investigating the botnet over the summer, according to a press release issued October 25. The Bredolab botnet was capable of infecting up to 3 million computers per month. By the end of last year, it was estimated that 3.6 billion spam e-mails were sent out daily containing the Bredolab malware, according to the High Tech Crime Team. The Armenian man was tracked down in a joint effort between Fox IT, which is based in the Netherlands, and Dutch law enforcement. The man is suspected of renting computers that had been infected with Bredolab to cybercrime players in other countries, said the founder of Fox IT. The Armenian man had constructed a massive botnet, at one point infecting up to 29 million computers in countries including Italy, Spain, South Africa, the United States, and the U.K. Source:

43. October 26, The Register – (International) Botnet-harbouring ISPs named and shamed. The United States, Germany, and France rank as the top three countries for hosting botnet command and control servers. Countries such as China and Russia that tend to be most associated with hacking, spamming, and cybercrime rank far below Western countries in a list compiled by net security firm Damballa. For the first half of 2010, almost a quarter of botnet CnC servers were hosted by service providers in the United States, with the top three countries (United States — 23.9 percent, Germany — 17.9 percent and France — 8.6 percent) hosting more than half of all CnC servers. "Half of the servers used by cyber-criminals for the purpose of controlling their botnet empires are located in commercial hosting facilities within countries not traditionally associated with this kind of crime," writes the vice president of research at Damballa. "The ability to host a server is typically independent of where the criminals are actually located and the type of victims they are trying to capture. ISPs and hosting providers listed in the top 10 do not necessarily conduct criminal practices, but they have found themselves in a position of being 'preferred' by the criminals operating the botnets," he said. Source:

44. October 26, SC Magazine – (International) Sites ending in .com, .vn are the riskiest, McAfee finds. The .com extension has surpassed the African nation of Cameroon's .cm suffix as the most likely top-level domain to infect computers with malware, according to McAfee's third annual study of the Web's most dangerous recesses. Released October 26, the report found 56 percent of all sites labeled "risky" end in the most heavily trafficked top-level domain (TLD) extension of .com. Researchers studied 27 million Web sites as part of their analysis and determined that 6.2 percent pose a risk, up from 5.8 percent 1 year ago. Web sites registered in Vietnam ranked as the No. 1 riskiest country domain, as 29 percent of sites ending in .vn posed a security threat. Cameroon had the riskiest country TLD in 2009, but fell to the second spot in 2010. Vietnam had held the 39th spot last year. "Cybercriminals target regions where registering sites is cheap and convenient and pose the least risk of being caught," the director of research for McAfee Labs said. "A domain that's safe one year can be dangerous the next." A number of domains fell out of favor — such as .sg (Singapore), which dropped from 10th to 81st most risky — after domain managers cracked down on scam registrations, according to McAfee. Source:

45. October 26, PCWorld – (National) Firesheep's a huge hit with amateur hackers. Firesheep, an amateur hacking tool, has been downloaded more than 104,000 times a mere 24 hours after its launch, according to TechCrunch. Firesheep is a Firefox add-on programmed by a Seattle-based software developer who said he designed the extension to demonstrate the HTTP vulnerability in certain Web sites (such as Twitter, Facebook, Flickr, Tumblr, and Yelp). The extension basically allows people to view information traded over a public network, in the form of cookies — when someone logs on to one of the 26 sites in Firesheep's database, their information is vulnerable to being swiped. Because Firesheep uses information swiped from cookies, it will not reveal passwords to any snoopers — just a person's username and session number ID. So, while people might be able to see sensitive information (say, the person's Facebook account), they cannot do anything that requires the password (for example, in Amazon, they will not be able to purchase anything or access credit card information). Furthermore, Firesheep is limited to hacking people on the same network — so if one is on a password-protected network, only people on that network will potentially be able to get information. Of course, this means that one should be extra careful while on an open or public Wi-Fi network. The add-on is currently available for Mac OS X and Windows, with Linux support coming soon. Source:

46. October 26, Agence France-Presse – (International) Nobel website hacked. The Nobel Peace Prize Web site came under cyber attack from Taiwan, Norwegian telecoms operator Telenor said October 26, less than 3 weeks after jailed Chinese dissident Liu Xiaobo won the award. "The site was compromised, or as is more commonly said, 'hacked,'" the computer security director at Telenor told AFP, confirming a report in the Aftenposten daily. Visitors to the Web site risked infection by a Trojan virus. The director said the last IP address used by the hacker was at the National Chiao Tung University in Taiwan, but he cautioned that the attack may have originated elsewhere as hackers often used many computers to hide their traces. "We cannot say anything about the identity of the hacker or his motivations," he said. The Nobel Institute in Oslo said it had heard of the attack, but said the Web site was now back to normal. Source:

47. October 25, InformationWeek – (International) Workers abusing social sites on corporate networks. More than 70 percent of the traffic on corporate networks today comes from the Internet, and a sizable portion of it stems from employees’ use of Gmail, Hotmail, Facebook, and BitTorrent for personal reasons. That finding comes from a study released by next-generation firewall vendor Palo Alto Networks, based on firewall data captured in 723 organizations worldwide: 275 in North America, 207 in the Asia-Pacific region, and 241 in Europe. To provide more precise details, Palo Alto divided the personal applications it found into three categories: socializing, saying (e-mail and IM), and sharing. Altogether, these applications account for about 25 percent of the traffic seen on corporate networks. In terms of socializing, the most popular networking platforms were Facebook (95 percent), Twitter (93 percent), LinkedIn (85 percent), MySpace (79 percent), and Facebook applications (76 percent). While all social networking platforms have risks, Palo Alto said the prevalence of Facebook applications was cause for concern. "The more that enterprises download Facebook applications, the more likely they are to be attacked," said the director of EMEA marketing for Palo Alto. Relatively speaking, Facebook and its applications are bandwidth hogs, consuming 500 percent more bandwidth than the other 47 social networking applications seen combined, without even factoring in Facebook mail and chat traffic. Source:

48. October 25, InformationWeek – (National) White House unveils Internet privacy committee. The White House council on technology has formed a new subcommittee to develop principles to balance the Internet's economic opportunity with the right to privacy. The National Science and Technology Council's new subcommittee on privacy and Internet policy also will aim to synchronize the practices of federal agencies with policy being considered and developed by lawmakers, according to a White House blog post unveiling the committee. The post is attributed to the general counsel at the Department of Commerce, and an assistant attorney general at the Department of Justice, the chairs of the new panel. The subcommittee will try to develop a common Internet privacy strategy among all legislative and regulatory stakeholders, in the United States and abroad, they wrote. The panel also will work with the private sector to balance the needs of those doing business on the Internet with privacy principles or policies that are developed, as well as enforcement activity necessary to maintain them. The subcommittee is comprised of representatives from many federal departments and executive-level agencies. They include, among others: the departments of homeland security, education, energy, health and human services, state, transportation, and treasury; the Office of Management and Budget; the Office of Science and Technology Policy; and the National Security Staff Cybersecurity Directorate. Source:

Communications Sector

49. October 26, Associated Press – (South Carolina) FiberNet replacing West Virginia power station. FiberNet said it plans to replace a power-generating station in Charleston, West Virginia after the company experienced its second service interruption in October. FiberNet customers across the state lost telephone and Internet service for about 4 hours October 25. The company said it met with state public service commission officials to explain how it plans to prevent future outages. That includes replacing the power station at its central office. Another FiberNet outage occurred in at least six counties October 10. Source:

50. October 26, – (New York) Utica, New York tower accident injures three. An accident at a broadcast tower in Deerfield, New York serving the Utica market sent three tower workers to the hospital October 25. The three men were working on the tower installing a digital antenna for W59AU, the low power translator of PBS affiliate WCNY-TV/SYRACUSE, when the antenna apparently shifted and sent the three workers dropping more than 20 feet to the ground. One worker was evaluated and released, while another received severe facial injuries, and the third sustained a foot injury in the accident. The mishap canceled NBC affiliate WKTV's noon news because its building was evacuated, and WCNY's local signal was taken off the air. WCNY sister WUNY and WXUR are also on the tower. Source:

51. October 26, – (National) iPhone security flaw allows hackers to make calls even when locked. A security hole has been discovered in iPhones running iOS 4.1, which allows anyone to bypass the iPhone lock screen to make unauthorized phone calls. According to a MacForums member, the flaw can be exploited by simply tapping the emergency call button, then dialing any non-emergency number instead, and immediately tapping the lock screen, which will give the user access to the phone’s contacts app. Reports have already emerged that this method does not work with the iOS 4.2 beta, so presumably Apple already knows about it and is working on fixing it. iOS 4.2 is expected to hit supported devices in November 2010. Source:

52. October 26, Mibz – (National) Nokia N900 hacked to run native Palm Pre apps thanks to preenv. The Nokia N900 is probably the most hackable device in the world and the latest hack available for the N900 is called Preenv 0.1. This app requires one to have a rooted Nokia N900 and to activate the extras-devel packages. One will also need a rooted Palm Pre, as this enables one to port Palm Pre games on the Nokia N900. This is possible thanks to Palm and Nokia’s way of developing native apps for Linux called SDL 1.2. Another thing which helps Preenv is the similarity between the hardware of the Nokia N900 and the Palm Pre, which both have the same processor and PowerVR SGX GPU that supports OpenGL ES 2.0. Source:

53. October 25, Radio Ink – (New York; National) FCC issues $10,000 NAL to suspected pirate. The Federal Communication Commission's (FCC's) enforcement bureau has issued a $10,000 notice of apparent liability (NAL) to the operator of an unlicensed station at 90.5 FM in Spring Valley, New York. In October 2009, agents responded to a complaint and traced a signal to PC Taxi Services and PC Auto Repair in Spring Valley, and were referred to the owner. The owner then showed the agents a room where, according to the NAL, agents "observed a radio station in operation." He also led them to the roof, where an FM antenna was found, and to an attic where a transmitter was behind a stack of tires. He told the agents he was letting a friend operate the station, and turned off the transmitter at the agents' request. The bureau then sent a notice of unlicensed operation to the owner, who responded by denying he had any knowledge of the station. The bureau was not persuaded, saying, "The facts show that he had control of the station and was involved in the general conduct or management of the station." The operator has 30 days to either pay or file a written response seeking a cancellation or reduction of the forfeiture. Additionally, the Enforcement Bureau has issued a $10,000 NAL to Multicultural Broadcasting, saying WNYG/Babylon, NY's public inspection file was not available when a bureau agent inspected the station during regular hours, and that issues/programs lists were missing from the file. Source:

54. October 25, Associated Press – (New York; National) Computer trouble disrupts AP coverage for 5 hours. The Associated Press (AP) suffered a 5-hour computer outage October 25 that prevented much of its news coverage from being delivered to newspapers and other media outlets. The problems started at about 3 p.m. as the news cooperative tried to apply a security patch recommended by Microsoft Corp. The AP wanted the added protection before next week's national and state elections. To perform the security upgrade, AP switched from its main system to back-up computers and they failed, said the AP's chief information officer. Engineers tried to revert to the main system but had problems there too. The breakdown was not completely fixed until about 8 p.m. The outage shut down a news database that sends stories, photos, and video through the Web instead of satellites, which the AP had relied on for years. Most of the roughly 1,500 U.S. newspapers that receive AP's coverage have converted to the Web feed. Some of the newspapers could have fallen back on old satellite technology on their premises. The outage also affected online video customers. Source: