Friday, October 29, 2010

Complete DHS Daily Report for October 29, 2010

Daily Report

Top Stories

• The Lexington Herald-Leader reports that two teenage boys were charged with wanton endangerment and possession of an explosive device after they mixed rubbing alcohol and a bag of swimming-pool chemicals on a Lincoln County school bus, sending 37 people to the hospital. (See item 20)

20. October 28, Lexington Herald-Leader – (Kentucky) 37 people treated after prank on Lincoln County school bus. Thirty students from Lincoln County schools and a school bus driver were taken to a Kentucky hospital October 27, after the driver found that two high school boys were mixing rubbing alcohol and a bag of swimming-pool chemicals on the bus. The boys, ages 14 and 16, were charged with wanton endangerment and possession of an explosive device and sent to the Adair County Juvenile Detention Center, the Lincoln County sheriff said. In addition to the 30 students, doctors treated two bus drivers, four parents and a nurse from the hospital who first came into contact with the students. Source:

• Arrest warrants were issued for three Colorado men accused of stealing more than 20 miles of copper wire from telephone poles in eastern Uintah County, Utah, according to Deseret News. See item 56 below in the Communications Sector


Banking and Finance Sector

13. October 28, KARE 11 Minneapolis – (Minnesota) 4 Minneapolis men sentenced for robbing the same bank three times. The last of four Minneapolis, Minnesota men was sentenced October 27 in federal court for robbing the same U.S. Bank branch on three separate occasions last year. A U.S. District Court Judge sentenced one 24-year-old man to 110 months in prison on three counts of bank robbery and one count of carrying a firearm during the commission of a crime of violence. The man was indicted, along with three co-defendants, November 10, 2009, and pleaded guilty January 7, 2010. In his plea agreement, the man admitted stealing $5,710 from the bank, which is located at 4930 34th Ave. S. in Minneapolis, April 13, 2009. He also admitted brandishing a revolver during that robbery. In addition, he admitted stealing $4,371 from the same bank May 8, 2009, and another $5,341 from the bank July 28, 2009, while armed both times. Source:

14. October 28, Media Newswire – (New Jersey) Two New Jersey men charged with $7 million mortgage fraud scheme. A former mortgage broker and his purported co-conspirator in a mortgage fraud scheme were arrested October 28 on a criminal complaint which alleges they conspired to defraud various mortgage lenders of more than $7 million by conducting at least 50 fraudulent real estate transactions involving residential properties in New Jersey, the U.S. Attorney announced. The two men were arrested by special agents of the FBI and the U.S. Secret Service on a charge of conspiracy to commit wire fraud. Both defendants are expected to appear before the U.S. Magistrate Judge in Newark federal court. According to the complaint, one suspect, supposedly in the real estate business, and the second suspect, a former mortgage broker, engaged in a conspiracy to defraud mortgage lenders from January 2007 to December 2009. The first suspect, with the assistance of two attorneys, arranged to purchase properties owned by financial institutions — commonly referred to as real-estate-owned or REO properties. The second suspect recruited other individuals to purchase those same properties at around the same time, referred to in the complaint as the “borrowers.” Source:

15. October 28, The Register – (International) Did ZeuS’s daddy give hard Trojan love to rival cybercrook? The author of the infamous ZeuS crimeware toolkit may have handed over its development to a former rival in the banking Trojan development business. “Slavik” has handed over the ZeuS source code to SpyEye developer “Harderman”, according to an investigation by a security blogger and former Washington Post reporter — and based on posts on numerous Russian language underground cybercrime forums. Slavik’s apparent handover is surprising because SpyEye, a relative newcomer to the world of banking Trojans, was programmed to overwrite ZeuS installations on compromised PCs. Slavik may have decided to lay low as a result of a recent string of cybercrime prosecutions against ZeuS phishing mules in the United States and U.K. as well as the arrest of five alleged bot herders in the Ukraine. The arrest of crooks suspected of masterminding phishing operations using versions of ZeuS and controlling networks of compromised PCs strikes much closer to home for Slavik. In addition, Microsoft began adding detection for ZeuS into its Malicious Software Removal Tool, claiming early success with the clean-up of an estimated 274,000 PCs. The move follows months of reports of online banking losses linked to the distribution of variants of ZeuS. Source:

16. October 27, Scottsboro Daily Sentinel – (Alabama) Bomb threat at FNB Bank in Bridgeport. Jackson County investigators are looking into a fake bomb threat that occurred on the afternoon of October 26 at FNB Bank in Bridgeport, Alabama. According to a police spokesman, a person called the bank and told the teller to wire an undisclosed amount of money to a private account. “He said, if not, a bomb would be set off in the bank,” the spokesman said. Bridgeport police and the Jackson County Sheriff’s Office responded to the scene. “The bank was evacuated,” the spokesman said. “We conducted an investigation and a search of the building. No bomb was located.” The spokesman said no arrests have been made. “At this time, we’re tracking down some leads,” he said. Source:

17. October 27, Arizona Republic – (Arizona) ‘Thou Shall Not Steal Bandit’ strikes in Scottsdale. The FBI’s Bank Robbery Task Force and Scottsdale Police Department are asking the public for help to identify the “Thou Shalt Not Steal Bandit,” who robbed a Scottsdale, Arizona bank October 27. The robber has struck banks in Carefree, Phoenix and Peoria. On Wednesday, he robbed Johnson Bank at 32621 N. Scottsdale Road. FBI said the robber carries a firearm and wears black camouflage clothing and goggles. He enters through the bank’s roof before opening and confronts employees. He then restrains employees after taking money and flees. The suspect robbed the National Bank of Arizona in Carefree April 27, a Chase Bank in Phoenix December 11, 2009, and a Chase Bank in Peoria March 24, 2009. The FBI described the robber as a white male, age 28 to 40, 5 foot 8 to 5 foot 10 inches tall and weighing 170 to 180 pounds. Source:

Information Technology

51. October 28, Computerworld – (International) Bredolab-infected PCs downloading fake antivirus software. A massive takedown operation conducted by Dutch police and security experts the week of October 25 does not appear to have completely dissolved the Bredolab botnet, but it is unlikely to recover. The latest look at the botnet by FireEye’s Malware Intelligence Lab showed two domains are being used to issue instructions to infected computers. PCs infected with Bredolab are programmed to check in with certain domains to receive new commands. One domain, which is on an IP (Internet Protocol) address registered with a collocation facility in Kazakhstan, is telling infected computers to download a fake antivirus program called Antivirusplus. If infected, users are badgered to buy the programs, which offer little or no actual protection from threats. The other domain is instructing computers to send spam. That domain is hosted on an IP address assigned to a collocation facility in Russia. The infected computers that are communicating with domains appear to have a variant of Bredolab installed. Malware authors frequently have to modify the code in order to avoid detection by antivirus software. Source:
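The Bredolab item above turns on one observable behaviour: infected PCs check in with a small set of domains at regular intervals to fetch commands. The following is an added example, not code from the article or from FireEye, showing how a defender can surface that pattern in outbound proxy logs by looking for client/destination pairs whose request gaps are nearly constant. The log format and every line in it are constructed for this example, and the domain names are placeholders, not the domains from the story.

```python
"""
Flag hosts that "check in" with the same destination at a steady cadence,
the beaconing behaviour described in the Bredolab story.
Added example; the log format, all log lines and all host names are
constructed placeholders.
"""
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed proxy log, one request per line:
#   "<ISO timestamp> <client ip> <destination host>"
SAMPLE_LOG = """\
2010-10-28T09:00:00 10.0.0.5 c2-placeholder.example
2010-10-28T09:00:02 10.0.0.5 news.example
2010-10-28T09:10:01 10.0.0.5 c2-placeholder.example
2010-10-28T09:14:30 10.0.0.5 mail.example
2010-10-28T09:20:00 10.0.0.5 c2-placeholder.example
2010-10-28T09:29:59 10.0.0.5 c2-placeholder.example
2010-10-28T09:40:01 10.0.0.5 c2-placeholder.example
2010-10-28T09:03:10 10.0.0.7 news.example
2010-10-28T09:31:45 10.0.0.7 news.example
2010-10-28T09:32:00 10.0.0.7 news.example
2010-10-28T10:05:12 10.0.0.7 news.example
"""


def parse_log(text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group request timestamps by (client, destination) pair."""
    events: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host = line.split()
        events[(src, host)].append(datetime.fromisoformat(ts))
    return events


def find_beacons(text: str, min_hits: int = 4,
                 max_jitter: float = 0.10) -> List[Tuple[str, str, int]]:
    """Return (client, destination, mean_gap_seconds) for every pair that was
    contacted at least min_hits times with nearly constant spacing.

    "Nearly constant" means the coefficient of variation of the gaps
    (population stdev / mean) is at most max_jitter. Ordinary browsing,
    which comes in bursts, has a much higher spread and is not reported.
    """
    results = []
    for (src, host), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_jitter:
            results.append((src, host, round(mean)))
    return results


if __name__ == "__main__":
    for src, host, gap in find_beacons(SAMPLE_LOG):
        print(f"{src} -> {host}: check-in every ~{gap}s")
```

In the constructed sample, 10.0.0.5 reaches the placeholder domain every ten minutes to within a couple of seconds and is reported; 10.0.0.7 visits a news site four times at irregular gaps and is not. In a real deployment the threshold values are tuning knobs: bots that add deliberate jitter need a looser `max_jitter`, and legitimate software updaters will show up and need an allow list.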

52. October 28, – (National) Most smartphone users breach employers’ security, says survey. More than half of mobile device users access their employer’s networks every day without permission, a survey has found. More than 80 percent of users of mobile devices, whose security is not controlled by a company, said they have accessed work information. Network systems company Juniper Networks surveyed 6,000 mobile device users and found that the use of smartphones and tablet computers poses a potentially major security risk to corporate information. Consumer-focused devices are often far more poorly protected than laptops or secure email devices that have been designed and configured by a company’s own IT department. The survey found that, despite citing information security as a major concern, device owners are using the machines to bypass corporate data protection measures. “Almost 44 percent of respondents use their devices for both personal and business purposes,” said a Juniper statement. “Eighty-one percent admit using their devices to access their employer’s network without their employer’s knowledge or permission and 58 percent do so every single day.” Those users are not unaware of the dangers of using sophisticated mobile devices; 64 percent of them are very or extremely concerned about the possibility of identity theft when a device is stolen or lost, according to the survey. Source:

53. October 28, Help Net Security – (National) BoingBoing hacked and defaced. BoingBoing, the popular blog and “directory of wonderful things,” has been hacked and its home page replaced with a message containing vulgar language and pictures. The site was pulled down by the administrators shortly after the attack, which is suspected to have been executed via an SQL injection, TechCrunch reports. The site was available again October 28, but the site’s commenting system “will be on hold for a while longer” due to the attack. Source:

54. October 27, Computerworld – (International) Mozilla: No ‘kill switch’ for Firesheep add-on. Mozilla October 27 said it would not — or could not — pull a “kill switch” to disable the Firesheep add-on that lets anyone steal log-on and account access information to Facebook, Twitter, and other major Web services. Firesheep adds a sidebar to Mozilla’s Firefox browser that shows when anyone on an open network — a coffee shop’s Wi-Fi network, for instance — visits any insecure site on a list that includes the microblogging service Twitter and the hugely-popular Facebook social networking site. Mozilla has a “blocklist” mechanism that it can, and has in the past, applied as a last-resort defense against potentially-dangerous browser add-ons. The blocklist automatically cripples or uninstalls unwanted extensions that have been added to Firefox. But Mozilla either cannot or will not add Firesheep to the blocklist. “[Firesheep] demonstrates a security weakness in a number of popular Web sites, but does not exploit any vulnerability in Firefox or other Web browsers,” said the director of Firefox, in an e-mail reply to questions about Mozilla’s possible moves. He did not respond to questions about whether Mozilla is technically able to cripple Firesheep, or simply chooses not to. Source:
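As the Firefox director’s quote above makes clear, the weakness Firesheep demonstrates lives on the server side: a site that sends its session cookie over plain HTTP, or without the Secure attribute, hands that cookie to anyone sharing an open Wi-Fi network. The following is an added example, not code from the article, from Mozilla or from the Firesheep author, showing the check a site operator can run against their own response headers: does the response arrive over TLS, does it set Strict-Transport-Security so browsers stop falling back to http://, and do session cookies carry Secure and HttpOnly? The two header blocks, the cookie names and the list of session-cookie name hints are constructed assumptions for the example.

```python
"""
Audit HTTP response headers for the session-exposure weakness that
Firesheep demonstrated on open networks.
Added example; the sample headers and cookie-name hints are constructed.
"""
from typing import Dict, List, Tuple

# Substrings that suggest a cookie carries a login session (an assumption;
# real sites should name their session cookie explicitly instead).
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")

# Constructed responses: one as a vulnerable site might send it, one hardened.
WEAK_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/
Set-Cookie: lang=en; Path=/
"""

HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly
Set-Cookie: lang=en; Path=/
"""


def parse_headers(raw: str) -> List[Tuple[str, str]]:
    """Turn a raw header block into (name, value) pairs; duplicates are kept
    because a response may carry several Set-Cookie headers."""
    pairs = []
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def cookie_attributes(set_cookie: str) -> Dict[str, str]:
    """Split 'name=value; Secure; HttpOnly; Path=/' into a lower-cased
    attribute map; the cookie name is stored under '__name__'."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {"__name__": parts[0].split("=", 1)[0].strip()}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = ""
    return attrs


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_COOKIE_HINTS)


def audit_response(raw_headers: str, served_over_tls: bool) -> List[str]:
    """Return findings that would let a passive listener on the same network
    read or replay the session. An empty list means nothing was flagged."""
    findings = []
    pairs = parse_headers(raw_headers)
    if not served_over_tls:
        findings.append("served over plain HTTP: all headers and cookies readable on the wire")
    if not any(name == "strict-transport-security" for name, _ in pairs):
        findings.append("no Strict-Transport-Security: browsers may still fall back to http://")
    for name, value in pairs:
        if name != "set-cookie":
            continue
        attrs = cookie_attributes(value)
        cname = attrs["__name__"]
        if not looks_like_session_cookie(cname):
            continue
        if "secure" not in attrs:
            findings.append(f"session cookie '{cname}' lacks Secure: sent on any http:// request")
        if "httponly" not in attrs:
            findings.append(f"session cookie '{cname}' lacks HttpOnly: readable by injected script")
    return findings


if __name__ == "__main__":
    for label, raw, tls in (("weak", WEAK_RESPONSE, False),
                            ("hardened", HARDENED_RESPONSE, True)):
        print(label, audit_response(raw, tls) or ["no findings"])
```

Only cookies whose names look session-related are inspected, so a harmless `lang` cookie without Secure does not generate noise; a site that knows its own session cookie name should check that name directly rather than rely on the heuristic list.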

55. October 27, Computerworld – (International) Mozilla patches Firefox zero-day bug in 48 hours. Less than 48 hours after receiving a report of a critical flaw in Firefox, Mozilla issued an emergency update October 27 that patched the problem. Mozilla released Firefox 3.6.12 and Firefox 3.5.15 to patch the vulnerability, which had been exploited by malware secretly planted on the Nobel Peace Prize Web site. Mozilla said the vulnerability existed in the Windows, Mac OS X, and Linux versions of Firefox 3.6, and the older Firefox 3.5. The currently-stalled Firefox 4 was not at risk, a Firefox security engineer said in comments appended to the Mozilla blog post that confirmed the flaw. The Trojan was designed to install attack code on compromised machines; that code would then hijack the PC and give the hacker complete control. Earlier October 27, a German security company, Avira, said the Trojan’s links to the hacker’s command-and-control servers had been severed. Avira expressed surprise at the unreliability of the malware, and wondered why the attacker had essentially thrown away a valuable zero-day vulnerability on such poorly-written code. “Usually cybercriminals abuse [zero-day vulnerabilities] for profitable malware,” Avira said. Today’s update was the fourth one-fix patch from Mozilla this year. Source:

Communications Sector

56. October 27, Deseret News – (Utah) 3 charged with stealing 20 miles of copper wire from telephone poles. Arrest warrants were issued for three Colorado men accused of stealing more than 20 miles of copper wire from telephone poles in eastern Uintah County, Utah. The suspects were charged October 20 in 8th District Court with one count each of theft, a second-degree felony. A Strata Networks representative contacted Uintah County sheriff’s investigators in August to report the telecommunications company was missing 20 miles of copper transmission line from its poles. The missing line spanned from the Green River Bridge near Jensen to the Old Bonanza Highway and then south into the oil and natural gas fields of Uintah County, according to court records. Deputies said they visited a metal recycling center in Vernal, where they obtained samples of copper wire that matched the missing wire. A recycling center employee said the wire had been purchased from one of the suspects and a third man, court records state. Investigators tracked the suspect to a trailer court in Colorado and questioned him. He admitted to taking “downed lines” from the area, and said the other two suspects had helped him, the charges state. A spokesman for Strata Networks, said the copper line was still affixed to the telephone poles when it was taken. “It had recently been abandoned but before we had a chance to go get it, some individuals came and helped themselves to it,” he said. Source:

57. October 27, Radio Ink Magazine – (Tennessee; National) FCC issues fines to TN stations. The Federal Communications Commission’s Enforcement Bureau hit the licensees of two Tennessee stations with forfeitures for a variety of violations. In August 2009, agents inspected Rodgson Inc.’s WSDQ-AM/Dunlap, and found the EAS receivers were not receiving audio and no one at the station knew how to send an EAS test. There were no EAS logs available, and staff said the equipment had not worked for at least 1 year. The general manager also told agents the station had never had a public inspection file. On inspecting the tower site, FCC agents found the fence was damaged and the gate had been removed from its hinges and was propped up over the gate opening, and there was no sign of a lock, though there was a chain. In January 2010, the Atlanta FCC office issued a notice of apparent liability for $25,000, and that has now been reduced to $5,500 after Rodgson documented its inability to pay the higher amount. In South Pittsburg, Tennessee, agents inspected the studios of WEPG-AM and found the station had no public inspection file, and they were told it had never had one. On looking over the antenna site, the agents found the gate of the chain link fence was wide open, and there was no lock. There was also “dense overgrowth of weeds and bushes” inside the fence and around the gate, and no perimeter property fence. The Atlanta office issued a notice of apparent liability in January 2010, and that has been reduced to $3,500 after the company showed its inability to pay. Source:

For another story, see item 52 above in the Information Technology sector.