Friday, November 12, 2010

Complete DHS Daily Report for November 12, 2010

Daily Report

Top Stories

• The UK Guardian reports the Armenian government said it had detained a man suspected of supplying nuclear bomb-grade uranium to two smugglers caught in the Republic of Georgia trying to sell it on the black market. (See item 15)

15. November 8, UK Guardian – (International) Nuclear smuggling: Armenia arrests suspected supplier. The Armenian government said November 8 it had detained a man suspected of supplying nuclear bomb-grade uranium to two smugglers caught in the Republic of Georgia earlier this year trying to sell it on the black market. The Armenian national security service said the man, who served several months in 2005 for a previous attempt to smuggle highly enriched uranium (HEU), had been arrested based on information from Georgian investigators. Officials said Armenian security officials were conducting a joint investigation into the March incident with their Georgian counterparts. Two Armenians pled guilty in a Tbilisi court to an attempt to sell a weapons-grade sample of HEU in the Georgian capital to a man they believed to be a representative of an Islamist jihadist group. The would-be buyer in the alleged March 11 deal was an undercover Georgian security agent. The two men admitted smuggling 18 grams of uranium into Georgia from Yerevan, the Armenian capital. The smugglers told Georgian investigators they were given the HEU by the supplier, a petty trader and an acquaintance of one of the men, who had boasted he could get hold of much more from contacts in the Urals and in Siberia. The Armenian smugglers were asking $50,000 per gram for their sample and were offering more if the sale was successful. Source: http://www.guardian.co.uk/world/2010/nov/08/nuclear-smuggling-armenia-arrest

• The University of Texas-Brownsville campus was evacuated after a series of gun battles in neighboring Matamoros, Mexico killed 55 people, according to the Daily of the University of Washington. (See item 46)

46. November 10, Daily of the University of Washington – (National; International) Campus watch. After gunfire on the Texas-Mexico border in Matamoros, Mexico, came in contact with parts of the University of Texas-Brownsville (UTB) campus November 5, students, faculty, and staff were evacuated and classes and activities were canceled, CNN reported. The shooting killed at least 55 people in Matamoros, according to a statement released by the Mexican Navy. Students expressed disbelief when they heard the gunshots. “I was shocked that this could happen so close to campus,” a junior, who heard the shots from the soccer field, said to the Brownsville Herald. “I don’t think the other (out-of-state) teams realized how close we were to the border, what we are dealing with down here.” Although violence has been spilling across the Mexican border into Texas, students said they still felt safe going back to campus November 8 after the evacuation and cancellation. Source: http://dailyuw.com/2010/11/10/campus-watch/

Details

Banking and Finance Sector

21. November 10, Bank Info Security – (National) Online banking, ATM outage: malware likely to blame. Malware is likely to blame for the so-called “computer glitch” that took down a handful of the country’s largest banks’ ATMs and online banking sites over the weekend of November 5. The nation’s three largest banks and a handful of others were derailed over the weekend when their ATM and online banking channels were taken down. All of the institutions affected — Bank of America, Chase, U.S. Bank, Wells Fargo, Compass, USAA, Suntrust, Fairwinds Credit Union, American Express, BB&T on the East Coast, and PNC — are blaming the outage on a computer glitch related to the time-zone change. But a senior analyst at Aite Group LLC who covers banking and payments fraud said there is likely a great deal more going on behind the scenes. In fact, she suspects the weekend outage is related to a widespread malware attack. “It has all the hallmarks of that, based on the geographic spread of it, the targeted systems and the banks in question,” she said. Source: http://www.bankinfosecurity.com/podcasts.php?podcastID=837

22. November 10, Federal Bureau of Investigation – (District of Columbia) D.C. man convicted in connection with bank robbery spree. A 46-year-old has been convicted by a federal jury of one count of bank robbery and two counts of attempted bank robbery, all of which occurred during a week-long robbery spree in 2010, a U.S. attorney said. The verdicts were returned October 28, 2010 and followed a 3-day trial in the United States District Court for the District of Columbia. Sentencing is scheduled for February 11, 2011. According to the government’s evidence, between February 26, 2010, and March 4, 2010, the suspect robbed a Citibank located in Northwest Washington D.C., and attempted to rob a Bank of America in Southwest Washington, and a BB&T bank in Northwest Washington. During each of the robberies, the suspect presented a teller with a note warning that he would detonate a bomb if he was not given money. Source: http://7thspace.com/headlines/363227/dc_man_convicted_in_connection_with_bank_robbery_spree.html

23. November 10, Kansas City Star – (Kansas) Teller found tied to chair after being kidnapped, forced to open bank. A teller at an Overland Park, Kansas, bank told authorities he was kidnapped November 10 and driven to the bank so his kidnapper could rob it. A co-worker called police about 7:20 a.m. after finding the teller tied to a chair inside the U.S. Bank branch, a Kansas City FBI spokeswoman said. The co-worker was going through normal opening procedures when the teller was found, she said. The kidnapping victim told authorities a man kidnapped him about 1 or 1:30 a.m. and drove him around for a while before taking him to the bank at 10100 W. 119th St. The victim suffered minor injuries. The bank robber was described as a white male, about 5 feet 8 or 10 inches tall and weighing 180 pounds. He was wearing black or dark blue pants with a white stripe down the right leg, and a black dress shirt with a gray T-shirt over it. The robber’s face was covered with a mask and a dark-colored ski mask. The robber fled in the teller’s light blue, small four-door Chevrolet car, which had Kansas tags. U.S. Bank announced November 10 it is offering a reward of up to $100,000 for information leading to the arrest and conviction of this robber or anyone responsible for recent robberies of its other banks in the Kansas City area. Source: http://www.kansascity.com/2010/11/10/2415703/police-investigating-morning-bank.html

24. November 9, Tacoma News Tribune – (Washington) Three arrested for ATM skimming incidents. Three suspects believed to have skimmed several bank ATMs in the Puget Sound, Washington, area are in custody following a multi-agency operation targeting fraud. Skimming is placing devices in ATMs to gather data from other cards, then using that information to make fraudulent withdrawals and point of sale purchases. The U.S. Secret Service Electronic Crimes Taskforce, U.S. Immigration and Customs Enforcement, King County Sheriff’s Office, and police officers from Seattle, Bellevue, Kirkland, and Lynnwood joined forces in the surveillance operation that culminated in arrests November 6. One suspect in a Newcastle skimming incident was located and arrested in Kirkland. Two others were followed to a bank ATM in Puyallup, where law enforcement officers watched the men place a skimming device on the ATM and steal money. Source: http://blog.thenewstribune.com/crime/2010/11/09/three-arrested-for-atm-skimming-incidents/

25. November 9, Arizona Republic – (Arizona) Downtown Phoenix gas leak forces evacuation, light-rail delays. A gas leak in downtown Phoenix, Arizona, near Central Avenue and Monroe Street forced an office building to be evacuated and Valley Metro Light Rail to stop trains for about 30 minutes November 9. A construction company hit a 2-inch natural gas line near 112 N. Central Ave. after 11 a.m. The leak caused an evacuation of approximately 5,000 people from the U.S. Bank building on First Avenue, according to a Phoenix fire spokesman. Fire and emergency crews isolated the immediate area and confirmed that the gas did not reach explosive or dangerous levels of concentration. Light Rail’s line on Central Avenue and Washington Street, which runs westbound, was shut down from Culver Street to 11th Street, a Valley Metro spokeswoman said. Service also ran slower than normal due to the gas leak, but Metro Light Rail reopened both lines and resumed its normal service at about 12:45 p.m. Source: http://www.azcentral.com/news/articles/2010/11/09/20101109downtown-phoenix-gas-leak-abrk.html

26. November 9, WLBT 3 Jackson – (Mississippi) Phony debt collector scam warning. A warning for consumers from Mississippi’s Attorney General’s Office about phony debt collectors: A number of people have reported receiving threatening phone calls, accusing them of defaulting on payday loans. The attorney general warned the scammers have the victims’ Social Security numbers, old bank account numbers, and other personal information. They tell people they will be arrested if they do not pay up immediately. “We’ve had over 150 calls in the past 4 weeks for individuals stating that they’ve had this same scam call. In fact, one lady lost $1,300 by giving them her bank account information. So that’s what they’re fishing for,” the attorney general said. Source: http://www.wlbt.com/Global/story.asp?S=13474897

27. November 9, KUSA 9 Denver – (Colorado) 2 men, 2 women sought in 4 bank robberies. The FBI Rocky Mountain Safe Streets Task Force is releasing surveillance pictures of bank robbers in three Denver, Colorado-area bank heists November 8, and a fourth November 5. In the first robbery November 5 just after 5 p.m. at Bank of the West on West Hampden Avenue near South Sheridan Boulevard in Englewood, a man showed the teller a demand note. On November 8, a white man went into the Wells Fargo Bank on East Hampden Avenue near South Tamarac Drive in Denver and showed a stun gun as he demanded money. Later that day, a woman went into the U.S. Bank on S. Monaco Street near East Hampden Ave. and got away with money after showing a demand note. And shortly after that, a different woman used a handgun to rob the 1stBank on East 104th Avenue near Colorado Boulevard in Thornton. Source: http://www.9news.com/news/local/article.aspx?storyid=162610&catid=346

28. November 9, Gresham Outlook – (Oregon) FBI investigating three East County bank robberies. Gresham, Oregon, police and the FBI are investigating a series of three bank robberies, the most recent November 9. The first robbery took place at 9:50 a.m. November 6, at the U.S. Bank at 300 E. Powell Blvd. in Gresham. A lone suspect entered the bank, demanded cash from a teller, and fled. Three robbers then hit the Wells Fargo Bank at 2501 S.W. Cherry Park Road in Troutdale at 11:45 a.m. November 6. The suspects approached bank tellers, demanded money, and fled. Between the two robberies, an attempt was made to rob the Bank of the West at 825 N.E. Hogan Drive at 11:30 a.m., said a sergeant with the Gresham Police Department. But the robbers did not realize that only the drive-through was open, so when they tried to open the bank’s doors, they were locked. A third robbery took place at the West Coast Bank at 473 N.W. Burnside Road in Gresham at 10:36 a.m. November 9. The suspect is described as a Caucasian female who fled the scene before police arrived. Source: http://portlandtribune.com/news/story.php?story_id=128933547473758900

29. November 8, Bank Info Security – (International) New, improved Trojans target banks. Security researchers are warning financial institutions about the Qakbot Trojan, a rare kind of malware that is allegedly infiltrating large banks and other global financial institutions. It is unlike other types of malware because it has the ability to spread like a worm, but still infect users like a Trojan. Named for its primary executable file, _qakbot.dll, the Trojan is not new, but its qualities and difference in attack set it head and shoulders above other more well-known Trojans, such as Zeus, in that it can infect multiple computers at a time. It is the only Trojan known to exclusively target U.S. banks, said an RSA security researcher. The more well-known Trojans and their variants, Zeus and Spyeye, are all available for sale on the black market, said the researcher who is head of new technologies, consumer identity protection at RSA, the security division of EMC. First discovered by Symantec in 2007, Qakbot is likely being run by one group. It is likely an organized crime group developed it, focusing on their own specific methods, and tailored the Trojan to a specific segment — large banks and their commercial customers. Source: http://www.bankinfosecurity.com/articles.php?art_id=3075

For another story, see item 55 below in the Information Technology Sector.

Information Technology

53. November 10, Computerworld – (International) Microsoft forgets to patch Mac Office 2004, 2008. Microsoft November 9 revealed four vulnerabilities in the Mac version of its Office suite, but then failed to produce patches for the 2004 and 2008 editions. Office for Mac 2011, which launched October 26, was the only version updated as part of Microsoft’s monthly patch release November 9. Microsoft did not explain the omission of Office for Mac 2004 and Office for Mac 2008 patches, or say when it would ship updates for those editions. According to the bulletin, Office for Mac contains four vulnerabilities, all rated “important,” the second-highest threat ranking in Microsoft’s four-step scoring system. Microsoft confirmed that each bug could be used by attackers to infect a Mac with malware by labeling them with the phrase “remote code execution.” Along with a fifth bug, the same four flaws were patched November 9 in all still-supported versions of Office for Windows. Source: http://www.computerworld.com/s/article/9195819/Microsoft_forgets_to_patch_Mac_Office_2004_2008

54. November 10, Network World – (International) Google SERP’s show malicious URL links. Cybercrooks continue to abuse the Web, boosting their search engine optimization (SEO) poisoning so that individuals using search engines such as Google increasingly end up with dangerous, malware-laden URL links on the Search Engine Results Page (SERP). Some 22.4 percent of Google searches done since June 2010 produced malicious URLs, typically leading to fake antivirus sites or malware-laden downloads as part of the top 100 search results, according to the Websense 2010 Threat Report published November 9. That is in comparison to 13.7 percent of Google searches having that outcome in the latter half of 2009, said the Websense senior manager of security research. The rising level of SEO poisoning, also known as “Black Hat SEO,” shows that cybercriminals “are fine-tuning their activities and getting better at this,” he said, adding that although search engines such as Google work hard to try and stymie the Black Hat SEO effect, the trend is evident. The irony is that the chance of getting infected by malware is now lower at porn and adult content sites, historically viewed as a high source of malware (now at 21.8 percent), than when simply searching for less scandalous topics, such as news, IT, and entertainment. Source: http://news.techworld.com/security/3248172/

55. November 9, DarkReading – (International) Researchers see real-time phishing jump. Real-time phishing attacks that cheat two-factor authentication are on the rise around the globe as phishers adapt to the latest barriers put in their way, according to a team of researchers. Researchers at Trusteer November 9 said 30 percent of all attacks during the past two-and-a-half months against Web sites using two-factor authentication have been real-time, man-in-the-middle (MITM) methods that allow attackers to bypass this stronger authentication. The data comes from a sampling of thousands of phishing attacks. Phishing attacks typically are static, so they are mostly rendered powerless when a bank uses two-factor authentication, such as one-time passwords. That is because the attacker may be able to capture the first level of credentials, but they are not able to easily capture and use OTPs, which quickly expire. So phishers are adapting their attacks to find ways around stronger authentication, and security experts said it was only a matter of time until they routinely started cheating banks and other transactional sites’ two-factor authentication. This type of real-time MITM attack has been isolated and rare thus far, experts said. Trusteer researchers have spotted these attacks in South Africa, Europe, and now in the United States, the firm’s CEO said. And while these attacks are not a new concept, this is the first time his team has seen them in such high numbers, he said. Source: http://www.darkreading.com/authentication/security/attacks/showArticle.jhtml?articleID=228200550

56. November 9, CNET News – (International) FBI probes 4chan’s ‘Anonymous’ DDoS attacks. The FBI has launched an investigation into an online protest that allegedly took down numerous Web sites belonging to antipiracy and entertainment groups, as well as the U.S. Copyright Office, a source with knowledge of the probe told CNET November 9. Over the past 2 months, a group calling itself “Anonymous,” with links to the 4chan Web forum and image board, has launched distributed denial-of-service attacks (DDoS) against Web sites operated by the Motion Picture Association of America, the Recording Industry Association of America, Hustler magazine, rocker Gene Simmons, the British Phonographic Industry, and other similar groups in France, Australia, Spain, and elsewhere. Source: http://news.cnet.com/8301-31001_3-20022264-261.html

57. November 9, Computerworld – (International) Microsoft patches critical Outlook drive-by bug. Microsoft November 9 patched 11 vulnerabilities, including one in Office that hackers will quickly exploit to launch drive-by attacks, security experts said. As expected, Microsoft did not ship a fix for the flaw in Internet Explorer (IE) that criminals are using to hijack Windows PCs. Of the 11 flaws addressed in three separate updates, only one was pegged as “critical,” Microsoft’s top ranking in its four-step scoring system. The remaining 10 were all marked “important,” the second-highest rating. “The one that gives me the heebie-jeebies this month is the Office update,” said the director of security operations at nCircle Security. “The RTF vulnerability can be triggered simply by viewing a message in Outlook, so all you have to do is receive a [malicious] message. Then the game is over.” He was referring to MS10-087, a five-patch update for Office XP, 2003, 2007 and 2010 on Windows, and Office for Mac 2004, 2008 and 2011. The only critical bug this month is in the RTF (rich text format) parser within Outlook, the e-mail client packaged with Office. “The vulnerability could be exploited when the specially crafted RTF e-mail message is previewed or opened in Outlook,” Microsoft’s advisory stated. Both Office 2007 and Office 2010, Microsoft’s two newest suites, can be exploited using drive-by attacks launched against Outlook. Today’s patch was the first critical update for Office 2010, which launched only in June 2010. Source: http://www.computerworld.com/s/article/9195719/Microsoft_patches_critical_Outlook_drive_by_bug

58. November 9, Computerworld – (International) Researchers sound alarm over critical Mac OS X bug. Security researchers November 9 warned that Apple’s OS X contains a critical vulnerability that attackers could use to hijack Macs running the older Leopard version of the operating system. Although Leopard was supplanted by the new Snow Leopard operating system more than 1 year ago, the older version still accounts for about a third of all installations of Mac OS X. The bug is a variation of one Apple patched last August in iOS. The flaw was used to “jailbreak” iOS 4 devices, and it could also be exploited to plant malware or commandeer an iPhone, iPad, or iPod Touch. According to Core Security Technologies, which issued an advisory November 8, Apple has wrapped up work on a patch. Source: http://www.computerworld.com/s/article/9195680/Researchers_sound_alarm_over_critical_Mac_OS_X_bug

Communications Sector

59. November 9, Port Huron Times-Herald – (Michigan) Phone service working. Phone issues reported November 9 have been resolved in Port Huron, Michigan. The Marysville fire chief said phones throughout the city were down. He said the outage was caused by a cut in a fiber line run by telephone service provider PAETEC. Repairs were made and service has been restored, Marysville Fire Department officials said. A spokesman for the St. Clair County Community College said the campus also was without landlines. As of 4:25 p.m., landlines were working again on campus. Source: http://www.thetimesherald.com/article/20101109/NEWS05/101109008/Phone-service-working

60. November 9, Tuscaloosa News – (Alabama) Comcast services out for about 15 hours in Tuscaloosa, Alabama. An equipment failure led to the loss of high-definition television, Internet, and phone services for Comcast customers in Tuscaloosa and Northport, Alabama, for about 15 hours. The outage was first reported to Comcast officials about 8 p.m. November 7, said the senior director for government affairs for Comcast’s Southern region. The director said services had been restored to most households by 11:30 a.m. November 8, but the evening of November 8, some households reported still being without Internet service. “At this point, it appears that a piece of electronic data transport gear may have failed, but we have now restored services through a back-up link,” she said. On the morning of November 8, Comcast technicians were relying on a back-up temporary measure to restore services. She said she was unsure when a permanent fix would be in place. Officials with the cities of Northport and Tuscaloosa said the Internet loss did not affect city operations, as both city halls rely on other providers for Internet access. Source: http://www.tuscaloosanews.com/article/20101109/NEWS/101109616/1007/news02?Title=Comcast-services-out-for-about-15-hours&tc=ar