Friday, October 1, 2010

Complete DHS Daily Report for October 1, 2010

Daily Report

Top Stories

•According to the Wall Street Journal, more than 60 people have been charged in an alleged global scheme to use computer viruses to steal at least $3 million from U.S. bank accounts. See item 9 below in the Banking and Finance Sector.

•Threats of a possible “Mumbai-style” terror attack on Western interests in Europe are considered “credible” and U.S. officials are not ruling out the possibility that the plot could extend to the United States, a senior U.S. counterterrorism official told NBC News. One coalition official with access to intelligence reporting suggested possible attacks on hotelsor other public gathering spots. (See item 45)

45. September 30, Associated Press, Reuters, NBC News and – (International) Purported Europe terror plot called ‘credible’. Threats of a possible “Mumbai-style” terror attack on Western interests in Europe are considered “credible” and U.S. officials are not ruling out the possibility that the plot could extend to the United States, a senior U.S. counterterrorism official told NBC News. One coalition official with access to intelligence reporting, which came from human sources as well as electronic intercepts, suggested possible attacks on hotels or other public gathering spots in a “fedayeen-style” commando attack by at least 25 operatives, much like the devastating coordinated assault in Mumbai in 2008. The official said information about a possible plot emanating from al-Qaida-linked groups in northwest Pakistan was first picked up by U.S. intelligence several weeks ago and was believed to be aimed at targets in France, Germany or the United Kingdom. There is no evidence the alleged plot has been disrupted. “No one is assuming the threat has subsided,” the U.S. official said. U.S. intelligence analysts are divided over how alarming the current threat reporting is, and some officials emphasized they have no “specific” information to suggest an attack is imminent — or that the United States is being targeted. Source:


Banking and Finance Sector

9. September 30, Wall Street Journal – (International) More than 60 charged in cyber scheme. More than 60 people have been charged in an alleged global scheme to use computer viruses to steal at least $3 million from U.S. bank accounts. The U.S. investigation is related to the arrest of 19 people in London September 28, in a probe into an international cybercrime group that allegedly stole at least $9.5 million from U.K. banks, a person familiar with the investigation said September 30. According to U.S. court documents, computer hackers in Eastern Europe used the Zeus Trojan to access bank accounts of small- and mid-size businesses and municipal entities in the United States. The charges in New York include conspiracies to commit bank fraud, possess false identification documents, commit wire fraud, commit money laundering, and make false use of a passport. Persons named in criminal complaints in federal court in Manhattan include citizens of Russia and Moldova. Nine people have been arrested in the New York area, while one person has been taken into custody elsewhere in the United States, the FBI’s New York office confirmed September 30. Many of those arrested in the New York area are money mules who are used to funnel money to the cybercrime group. Source:

10. September 30, The Register – (International) PayPal plugs mobile site phishing risk. PayPal has fixed a cross-site scripting problem on its mobile payments site that, left unaddressed, had the potential for misuse in phishing attacks. The vulnerability, discovered by hacking and security site Security-Shell, also created a possible mechanism for hackers to redirect surfers from onto untrusted sites. In a statement issued September 29, PayPal said it had plugged the Web site vulnerability. Source:

11. September 30, Associated Press – (International) Failed bank heist in Baghdad leaves 3 dead. A gang using bombs and automatic weapons tried to storm a bank in southwestern Baghdad in Iraq, in a failed robbery September 30 that officials said left three people dead, including two policemen. Police said the assault began with four bombs exploding near the state-run Al-Rafidain bank. In the ensuing gunbattle, two policemen and a bystander were shot dead. Two of the robbers were captured. Police and hospital officials said a total of six people were wounded, including three policemen. An Iraqi military spokesman said it was unclear whether the gang had political links or was purely criminal. Source:

12. September 30, Washington Post – (National) J.P. Morgan will halt foreclosures. J.P. Morgan Chase announced September 29 that it will freeze foreclosures in about half the country because of flawed paperwork, a move that Wall Street analysts said will pressure the rest of the industry to follow suit. The bank’s decision will affect 56,000 borrowers in 23 states where allegations of forged documents and signatures and other similar problems are being used to try to overturn court-ordered evictions. Yet the impact may be much broader, given J.P. Morgan’s stature in the industry. If other banks adopt the same approach, the foreclosure process in many parts of the country will grind to a halt. Officials at Fitch Ratings, a credit-rating firm that measures the health of companies, said the “defects” found in foreclosure documents at J.P. Morgan are industry-wide. Underscoring that concern, Fitch said it is considering whether to lower the grades it gives to the mortgage servicing divisions of the nation’s largest lenders. The paperwork problems at J.P. Morgan mirror those uncovered the week of September 20 at Ally Financial. Source:

13. September 29, KGBT 4 Harlingen – (Texas; International) 14 arrested for smuggling $3.1 million aboard Mexico-bound bus. Fourteen passengers from a tour bus bound for Mexico are facing federal charges after being arrested at an international bridge under cash smuggling charges. All were charged with “knowingly conspiring to evade currency transaction reporting requirements of $3.1 million in U.S. currency concealed in luggage” said a U.S. Attorney. Seven passengers were U.S. citizens, and the other seven were Mexican nationals. All were arrested September 26 at the Hidalgo-Reynosa International Bridge. Authorities reported that an intensive inspection of the tour bus resulted in the discovery of 17 pieces of luggage — each containing hundreds of thousands of dollars in U.S. currency. The cash was found wrapped in deflated air mattresses. This was the largest currency seizure by Customs and Border Protection (CBP) in Fiscal Year 2010, according to the CBP Commissioner. Source:

14. September 28, Federal Bureau of Investigation – (Pennsylvania) Mortgage broker and loan officer charged in fraud scheme. An indictment was filed September 28 in Philadelphia, Pennsylvania against a mortgage broker, loan officer, and an associate for engaging in schemes to defraud Wilmington Trust Federal Savings Bank and Malvern Federal Savings Bank involving properties valued at more than $35.5 million, a U.S. Attorney announced. The broker intentionally misrepresented material facts to Wilmington Trust about borrowers’ income and assets, the potential rental income, and accurate appraisals of properties. The loan officer with Wilmington Trust allegedly worked in conjunction with her to approve mortgage loans for borrowers who did not meet Wilmington Trust’s criteria for income, assets, and credit scores. The mortgage broker and an associate are charged with engaging in a scheme to defraud Malvern Federal. She allegedly altered borrowers’ income tax returns prior to submitting them to Malvern Federal. Source:

Information Technology

36. September 30, The Register – (International) Facebook security team zeroes in on Koobface hackers. The head of Facebook’s anti-malware team told delegates at the Virus Bulletin conference in Vancouver September 29 that the hackers behind Koobface made an estimated $35,000 per week through their botnet in 2009. But he added that the true identities of the miscreants behind the worm are known to Facebook and that “law enforcement agencies are investigating,” according to a report on the presentation from security firm Sophos. The Koobface strain of malware has targeted surfers on Facebook and other social networks for months. Prospective marks are typically encouraged to download malware disguised as a Flash update or similar content from a third-party Web site, which is under the hackers’ control. The business plan behind the malware relies on a combination of promoting scareware and raking in income from click fraud, according to a security analyst. Source:

37. September 30, – (International) Security experts vote to outlaw PDF standard. Security experts at the Virus Bulletin 2010 conference voted overwhelmingly to abolish Adobe’s PDF standard and replace it with a safer format. A senior threat researcher at Sophos conducted a straw poll on the future of PDF during a conference session, and found that 97 percent favor dumping the standard and working on a safer format with better software security. The poll was unofficial, but did highlight growing concerns in the security community about Adobe’s software after a string of attacks against the code. A senior technology consultant at Sophos told that Adobe is taking steps to improve the situation, but is “increasingly seen as the new Microsoft.” Source:

38. September 29, Softpedia – (International) Phishers target WoW players through in-game mail system. Security researchers from Trend Micro warn that World of Warcraft (Wow) players are being targeted through the game’s internal mail system by phishers looking to steal their credentials. Rogue chat messages (whispers) have been used to direct players to phishing pages for a while now, but Trend Micro researchers warn that attackers are increasingly impersonating game administrators. The messages attempt to scare users into thinking that there is something wrong with their account and they risk getting suspended unless they log into a Web site and perform a special action. However, the mail system has also begun being abused by phishers. “In this new trickery, the phishing URLs are sent via WoW in-game mail and is received by players in their in-game mailboxes,” the solutions product manager at Trend warned. “The mail message is full of a mix of surprises. It combines several elements from other Blizzard games. [รข€¦] To add to its credibility, the phishing URL contains the string worldofwarcraft and an abbreviation of Cataclysm,” he explained. Source:

39. September 29, Computerworld – (International) IE users most at risk from DLL hijacking attacks. Users of Microsoft’s Internet Explorer (IE) are more vulnerable to rogue DLL attacks than people who use rival browsers such as Mozilla’s Firefox or Google’s Chrome, a security researcher said September 29. When running on Windows XP, IE6, IE7, and IE8 do not warn users when they click on a malicious link that automatically downloads a malicious dynamic link library, or DLL, to the PC, said the CEO of Slovenian security company Acros Security. Users running IE7 or IE8 on Windows Vista or Windows 7 are safer, said the researcher, who noted that both browsers run by default in “Protected Mode” on those operating systems. The problem on XP is that it automatically opens Windows Explorer, the operating system’s file manager, whenever IE encounters a remote shared folder. “It’s not so much that IE itself is vulnerable to binary planting, but that other applications’ binary planting vulnerabilities can be exploited relatively easily through IE, and in most cases without a single warning,” the researcher said. Source:

40. September 28, DarkReading – (International) In wake of attacks, enterprises look to plug browser security hole. The recent exploitation of a cross-site scripting flaw in Twitter’s Web site underscores that browsing Web sites, even well-known, “legitimate” sites, has inherent risks, said the vice president of security research for Web security firm Zscaler. “If it is not your code, if you did not build it, it is not trusted,” he said. For consumers, experts recommend using two browsers: an up-to-date browser for everyday use, and a locked-down browser — preferably running in a virtual machine — to go to specific sensitive sites. Mozilla Firefox with the NoScript plug-in is a popular choice. However, most companies would find it difficult to mandate such a policy, let alone enforce it, he said. Instead, companies should rely on training and education to make their employees more informed about the threats online, experts said. The goal is to gain more control over how Web sites impact the browser, said the manager of advanced security intelligence for HP TippingPoint. Source:

For another story, see item 10 above in the Banking and Finance Sector

Communications Sector

41. September 30, Pensacola News Journal – (Florida) Cox outage slows area businesses. After about 3 hours without working cable, Internet and telephone lines September 29, Cox Communications customers in and around Pensacola, Florida, had their services restored. Affected customers lost from about 11:30 a.m. to 2:30 p.m., a Cox spokeswoman said. The outage was the result of an internal power failure, which has never happened. The outage affected customers across the Panhandle, from the Pensacola area to as far east as Niceville and Destin. Source:

42. September 29, WLUC 6 Marquette – (Michigan) Phones working again in the Keweenaw. Phone service has been restored to AT&T customers in northern Houghton and Keweenaw counties in Michigan. The 289 and 337 exchanges began working again just before 10 a.m. September 29, after crews repaired a damaged fiber optic cable located south of Calumet. Authorities said the cable was cut but they are not sure how. The outage began around 8 p.m. September 28 and lasted for nearly 14 hours. Dozens of volunteer firefighters stayed at their departments the entire night to help with emergencies. Source:\home\lists\search&id=518630

43. September 29, KDRV 12 Medford – (Oregon) Phone service restored in Illinois Valley. The Josephine County Sheriff’s Office in Oregon said phone service was restored in the Illinois Valley area at approximately 3 a.m. September 29. The sheriff said the 18-hour outage, which only affected landlines, was caused by a critical hardware failure. Cell phone service was not interrupted, neither were local calls, only those made outside the area, which included 911 calls. Josephine County Emergency Communications set up a secondary reporting system to cover emergency calls that included HAM radios at multiple locations in Selma and Cave Junction. The Josephine County Sheriff’s Office uses an emergency notification system through the Web site, which is free for residents to sign up for. The system will send a message to residents’ computers or cell phones. Source:

44. September 29, Forbes – (International) Did the Stuxnet Worm kill India’s INSAT-4B satellite? On July 7, 2010, a power glitch in the solar panels of India’s INSAT-4B satellite resulted in 12 of its 24 transponders shutting down. As a result, an estimated 70 percent of India’s Direct-To-Home (DTH) companies’ customers were without service. India’s DTH operators include Sun TV and state-run Doordarshan and data services of Tata VSNL. Once it became apparent that INSAT-4B was effectively dead, SunDirect ordered its servicemen to redirect customer satellite dishes to point to ASIASAT-5, a Chinese satellite owned and operated by Asia Satellite Telecommunications Co., Ltd. India’s Space Research Organization is a Siemens customer. According to the resumes of two former engineers who worked at the ISRO’s Liquid Propulsion Systems Center, the Siemens software in use is Siemens S7-400 PLC and SIMATIC WinCC, both of which will activate the Stuxnet worm. The CEO of Taia Global, Inc. uncovered this information as part of his background research for a paper he is presenting at the November Black Hat Abu Dhabi conference. His objective is to provide an analytic model for determining attribution in cases like Stuxnet. His objective for this post is to show there are more and better theories to explain Stuxnet’s motivation than just Israel and Iran, as others have posited. Source: