Wednesday, November 17, 2010

Complete DHS Daily Report for November 17, 2010

Daily Report

Top Stories

• WTKR 3 Norfolk reports 12 bridges in Chesapeake, Virginia are in such need of repair that fire trucks and emergency vehicles cannot use them even in emergencies. (See item 43)

43. November 15, WTKR 3 Norfolk – (Virginia) Debilitating bridges in Chesapeake pose big problems for emergency vehicles. The worst bridge in Chesapeake, Virginia, is crumbling so badly that fire trucks can not cross it, not even in emergencies. The bridge is shedding large pieces of concrete, some weighing up to 3 pounds, and pieces of metal that could be a danger to the cars traveling right underneath. A small neighborhood bridge on Bells Mill Road is too fragile for some of the city’s heavier fire trucks. Other fire trucks can use it but only in emergencies. Chesapeake leaders are telling state politicians, “There are twelve bridges in the city that, due to weight restrictions, pose problems for emergency response times as public safety vehicles are forced to take circuitous routes to return to service.” Firefighters said sometimes they have to detour so far around a problem bridge that, when they get a call, they can be miles out of position. City leaders said if Chesapeake got hit with a major hurricane, heavy supply trucks might be endlessly re-routed around these battered bridges before getting help to neighborhoods. The Chesapeake Fire Department just released a list of bridges that pose the biggest problems for its heavy trucks. Source:,0,3466383.story

• A new report predicted that state-sponsored hacking in Stuxnet-like attacks, man-in-the-browser attacls, and insider attacks are among the key cyber threats facing organizations in 2011, according to See item 51 below in the Information Technology sector


Banking and Finance Sector

14. November 16, Insurance Journal – (National) Cyber crime reaches milestone. Complaints about Internet crimes have reached a milestone. On November 9, the Internet Crime Complaint Center (IC3) logged its 2 millionth consumer complaint alleging online criminal activity. The IC3, a partnership between the FBI and the National White Collar Crime Center, became operational in May 2000 and received its 1 millionth complaint 7 years later, on June 11, 2007. It took half that time to receive the 2 millionth complaint., which may be due to the IC3’s increased visibility as well as the continued growth of cyber crime. The IC3 refers cyber crime complaints to law enforcement agencies. Since its inception, the IC3 has referred 757,016 criminal complaints to law enforcement around the globe. The majority of referrals involved fraud in which the complainant incurred a financial loss. The total reported loss from these referrals is approximately $1.7 billion, with a median reported loss of more than $500 per complaint. Many complaints involved identity theft, such as loss of personally identifying data, and the unauthorized use of credit cards or bank accounts. Source:

15. November 16, RIA Novosti – (International) Russian banks probed for involvement in U.S. hacker attacks. Russia’s financial watchdog is looking into the activities of its banks and other financial institutions for possible involvement in hacker attacks in the United States, the head of the agency said November 16. “We are working together with the Americans. The question we are looking at is whether our Russian financial institutions could have been involved in these [money laundering and hacking] operations,” the head of the Russian Financial Monitoring Service said at a meeting with the Russian Prime Minister. In mid-October, a U.S. court found two Russians guilty of staging a cyber attack on banks and stealing money. The two Russians were members of the group behind a scam to penetrate companies’ computer networks, steal bank details, and siphon off cash. Their partners in crime have yet to be identified. Source:

16. November 16, Bay City News Service – (California) Geezer Bandit strikes again. A serial bank robber responsible for 10 bank robberies in California in San Diego County and one in Temecula, has apparently struck for the 12th time, this time in Kern County, the FBI said. The “Geezer Bandit’’ is believed to have held up a Bank of America branch office in Bakersfield November 12, an FBI Special Agent said. Authorities dubbed the serial thief the Geezer Bandit because he appears to be a man in his 70s or 80s. However, authorities have said it was possible the bandit was actually a younger person disguised by a realistic Hollywood-style mask and rubber hand coverings. He first appeared in August 2009 and has been the subject of several Facebook fan pages. November 12’s robbery in Bakersfield marks the Geezer Bandit’s first robbery since June 24, when he held up a bank in Temecula. Source:

17. November 16, Toledo Blade – (Ohio) Masked gunmen rob W. Toledo credit union. Two men held up the Toledo Fire Fighters Credit Union the morning of November 15, and fled in a stolen car, the FBI said. Authorities said two men armed with handguns entered the credit union at 2800 West Laskey Rd. at 9:35 a.m. and demanded money. A surveillance camera photographed one of the robbers jumping over the teller’s counter. Police would not say whether any money was taken. The men fled in a stolen blue Cutlass Ciera, which was recovered a short distance from the credit union. No injuries were reported. The men were wearing dark clothing, dark ski masks, and gloves. Anyone with information is asked to contact the FBI at 419-243-6122 or Toledo Police Crime Stopper Program at 419-255-1111. Source:

18. November 15, Elyria Chronicle-Telegram – (Ohio) FBI still hunting for four bank robbers. Four of 12 bank robbers remain at large after robbing different Lorain County banks this year, including a man who dressed as a woman during a heist November 13. A Cleveland FBI spokesman said there have been no updates in the unsolved robberies as authorities continue to work the cases. The FBI spokesman said Lorain County has seen a sharp rise in bank robberies in 2010 compared to only two occurring in 2009. Neighboring Cuyahoga County has also seen a rise in robberies with 24 reported since September 4, the FBI spokesman said. “Certainly the economy does have an effect on crime rates, but most are robbing banks because they have an addiction,” the FBI spokesman said. “The majority of our bank robbers are addicted to drugs, alcohol or gambling. They’re very desperate people.” The latest heist involved a man dressed as a woman who robbed the Chase Bank at 2232 Fairless Drive, Lorain, November 13. The robber was described as a black man in his late 20s or early 30s wearing a navy pea coat, a wig and sunglasses. Source:

19. November 15, Central Valley Business Times – (California) Arrest in $11 million Ponzi scheme. A 43-year-old of Sacramento has been arrested on a complaint charging him with wire fraud stemming from a Ponzi scheme that bilked investors out of $11 million, according to an U.S. district attorney. The complaint alleged that between 2005 and 2009, the suspect, using the corporate name Genesis Innovations, recruited people to invest in real estate, promising investors a 14 percent annual rate of return. According to the complaint, the suspect got about $11 million dollars from investors, some of them giving him their retirement savings. But, said the government, he only invested about $2.5 million in real estate with the rest of the money going to pay supposed investment returns and to fund the suspect’s lavish lifestyle, which included a leased Lamborghini and Range Rover, a purchased BMW, frequent meals at high-end restaurants, stays at luxury hotels, and jewelry. Source:

For another story, see item 47 below in the Information Technology sector

Information Technology

46. November 16, Sophos – (International) Is a Facebook security hole helping hackers spread iPhone 4 spam? Is a security weakness on Facebook allowing cybercriminals to post spam messages directly onto users’ walls. Overnight November 15 into November 16, a number of users saw posting messages like the following on their Facebook walls: “Apple is giving away 1000 Iphone4s i just got mines =).” Clicking on the link takes one to a Web site that promotes a “make money fast” scheme, attempting to recruit home workers. This latest wave of spam messages indicated they were posted “via Email”. That is the facility Facebook supplies to post status updates to a Facebook page remotely, by sending an e-mail to a unique address (every Facebook account has a specific e-mail address for this purpose). One guess is the facility may have been compromised, and scammers have found a way to update users’ statuses of users by sending an e-mail message directly to their walls. Source:

47. November 16, – (International) Zeus malware targets Citrix Access Gateway. Versions of the Zeus malware have begun harvesting log-in credentials for network appliances, according to researchers. Security firm Trusteer has uncovered new code within certain Zeus configuration files that attempts to collect data from Citrix VPN tools. The company said the code appears to be specific to certain Zeus 2.0 installations, and instructs an infected machine to capture and transmit a screenshot of all mouse clicks whenever the text ‘/citrix/’ appears in the browser’s address bar. Researchers at Trusteer believe the code is an attempt by a Zeus botnet operator to harvest account details from Citrix Access Gateway deployments by using screenshots to capture “keystroke” images from virtual keyboards. The on-screen keyboards are typically used to thwart key-logging malware tools. “This attack code clearly illustrates that Zeus is actively targeting enterprises, and specifically remote access connections into secure networks,” Trusteer said. “Fraudsters are no longer satisfied with simply going after bank accounts. They are also targeting intellectual property and sensitive information contained in company IT networks and applications.” Source:

48. November 16, The Register – (International) World’s most advanced rootkit penetrates 64-bit Windows. A notorious rootkit that for years has ravaged 32-bit versions of Windows has begun claiming 64-bit versions of the Microsoft operating system as well. The ability of TDL, aka Alureon, to infect 64-bit versions of Windows 7 is something of a coup for its creators, because Microsoft endowed the OS with enhanced security safeguards that were intended to block such attacks. The rootkit crossed into the 64-bit realm sometime in August 2010, according to security firm Prevx. According to research published November 15 by GFI Software, the latest TDL4 installation penetrates 64-bit versions of Windows by bypassing the OS’s kernel mode code signing policy, which is designed to allow drivers to be installed only when they have been digitally signed by a trusted source. The rootkit does this by attaching itself to the master boot record in a hard drive’s bowels and changing boot options. Prevx researchers said TDL is the most advanced rootkit ever seen in the wild. It is used as a backdoor to install and update keyloggers and other types of malware. Once installed it is undetectable by most antimalware programs. In keeping with TDL’s high degree of sophistication, the rootkit uses low-level instructions to disable debuggers, making it hard for white hat hackers to do reconnaissance. Source:

49. November 15, Softpedia – (International) Tumblr and 4chan battle it out with DDoS and cute kittens. The Tumblr and 4chan Web sites suffered various downtimes after its members decided to attack each other with distributed denial of service (DDoS) and images of cute kittens. The 4chan image board is the birthplace of many Internet memes and is responsible for advancing many others, such as the LOLcat phenomenon — the posting of cat pictures with funny captions. The Web site is best known for its /b/ random board, where most users post as “Anonymous” and where almost any subject can be approached. Meanwhile, Tumblr is a microblogging site with a similar focus on image posting, but whose users favor pictures of cute things and inspirational quotes. Users of the two sites hardly see eye to eye and 4chan members in particular have repeatedly harassed Tumblrers. 4chan’s recent anti-Tumblr campaign, dubbed Operation Overlord, was scheduled to conclude November 14 with a coordinated DDoS attack using the Low Orbit Ion Cannon (LOIC) program. However, Tumblr members unexpectedly went on the counter-offensive and called for an invasion of 4chan. Their weapon of choice? Images of cute kittens. Lots of them. And the idea actually worked to some extent. As Tumblr users rushed to 4chan and started posting, the image board experienced a temporary downtime. Of course, DDoS has historically proven more efficient than kitty flood, so 4chan’s retaliation caused significant disruptions on Tumblr. 4chan members are experienced DDoSers, since the site is the origin of the notorious Anonymous group of hacktivists, which has organized many such attacks over the years. Source:

50. November 15, The Register – (International) ‘Super-secret’ debugger discovered in AMD CPUs. A hardware hacker has discovered a secret debugging feature hidden in all AMD chips made in the past decade. The password-protected debugger came as a shock to reverse-engineers who have hungered for an on-chip mechanism for performing conditional and direct-hardware breakpoint operations. Although AMD has built the firmware-controlled feature into all chips since the Athlon XP, the company kept it a closely guarded secret that was only disclosed late the week of November 8 by a hacker who goes by the name Czernobyl. “AMD processors (Athlon XP and better) have included firmware-based debugging features that expand greatly over standard, architecturally defined capabilities of x86,” the hacker wrote. “For some reason, though, AMD has been tightly secretive about these features; hint of their existence was gained by glancing at CBID’s page.” To put a chip into developer mode, a user must first enter what amounts to a password — 9C5A203A — into the CPU’s EDI register. Czernobyl was able to deduce the secret setting by brute forcing the key. Presumably, the debugger is an internal AMD utility used during development and then turned off before shipping. Source:

51. November 15, – (International) Imperva warns of rise in Stuxnet hacking threats. State-sponsored hacking, man-in-the-browser, and insider attacks are among the key threats facing organizations in 2011, according to research from Imperva. The data security firm released its top security trend predictions November 15, warning that the likely proliferation of Stuxnet-like attacks means that companies must monitor traffic and set security controls across all organizational layers. To reduce the threat from insider attacks, Imperva recommended tightening controls so access to sensitive information is given only on a need-to-know basis, and to eliminate unnecessary privileges. The sophistication of man-in-the-browser attacks will increase, meanwhile, forcing online service providers to invest in better protection such as strong device identification, client profiling, session flow tracking, and site-to-client authentication. Other trends noted by Imperva include the growing use of sophisticated smartphones in the enterprise, which could present challenges to IT departments as they struggle to include the devices in traditional data and application security practices. Finally, Imperva predicted that social networks will finally begin to take seriously threats such as cross-site scripting attacks by boosting application layer security, and rolling out stronger authentication and account control features. Source:

52. November 15, DarkReading – (International) Cybercriminals, insiders may work together to attack businesses. Employees working with cybercriminals might not be the norm for security breaches, but it is not a rare crime, either, experts said. It is not unusual for cybercriminals to gain inside access through bribery and solicitation — two components of social engineering, according to Verizon Business’ Data Breach Investigations Report. Social engineering accounted for 28 percent of breaches analyzed in the report, with solicitation and bribery leading to nearly a third of those breaches. “These were scenarios in which someone outside the organization conspired with an insider to engage in illegal behavior,” the report said “They recruit, or even place, insiders in a position to embezzle or skim monetary assets and data, usually in return for some cut of the score.” Most of the cases of insider cooperation analyzed by Verizon Business — which included data from the U.S. Secret Service — involved embezzlement from banks, retailers, or the hospitality industry. Source:

53. November 14, PCWorld – (International) New Trojan threat emerges. Internet security specialist BitDefender has warned about the dangers of a new spying Trojan it describes as “a serious enemy” that can be used as a corporate spying tool. BitDefender stated that Trojan.Spy.YEK sniffs for critical data and archives that may hold private information and sends them back to the attacker. BitDefender malware researchers indicated that because Trojan.Spy.YEK has spying and backdoor features, it is a serious enemy. “A spying malware in the local network of a company means danger and unfortunately the number of such threats is constantly increasing,” the researchers said. “With an encrypted dll in its overlay, this Trojan is easily saved in windows\system32\netconf32.dll and once injected in explorer.exe nothing can stop it from connecting (whenever necessary) to a couple of meeting spots with the attacker,” the researchers said. “The backdoor component helps it register itself as a service so as to receive and follow instructions from a command and control center, while the spyware component sends away data about files, operating system, while also making screenshots of the ongoing processes.” Some of the commands Trojan.Spy.YEK is supposed to execute are: sending the collected files using a GET request, sending info regarding the operating system and computer, taking screenshots and sending the results, listing the processes that run on the system and sends them away, finding files with a certain extension. “Shortly put,” the researchers said, “it uploads all the interesting data on a FTP server without the user’s consent. Source:

Communications Sector

54. November 16, – (National) T-Mobile Samsung Galaxy Tab hacked to enable voice calls. Not long after the launch of the Samsung Galaxy Tab for T-Mobile, the enterprising hackers of XDA-Developers have developed a method to re-enable voice calling via the device, although the method is more involved for the average modder. The U.S. version of the Galaxy Tab has had its voice calling capability removed by Samsung, whereas the European carrier and unlocked versions tout voice calling over Bluetooth or the built-in microphone as a feature. Source:

55. November 16, Targeted News Service – (National) U.S. Department of Commerce takes major step towards unleashing the wireless broadband revolution. The Commerce Department, through the National Telecommunications and Information Administration (NTIA), announced November 16 that it is recommending that 115 MHz of spectrum be reallocated for wireless broadband service within the next 5 years — an important step towards achieving the President’s goal to nearly double the amount of commercial spectrum available over the next decade. NTIA released two complementary reports detailing the effort to nearly double commercial wireless spectrum: a Ten-Year Plan and Timetable, as well as a Fast Track Evaluation identifying the 115 megahertz of spectrum to be made available within 5 years. NTIA developed the Ten-Year Plan and Timetable in response to the June 28, 2010 Presidential Memorandum that directed the Secretary of Commerce, working through NTIA, to collaborate with the Federal Communications Commission (FCC) to make available a total of 500 megahertz of federal and nonfederal spectrum over the next 10 years for mobile and fixed wireless broadband use. The report, developed with input from other Federal agencies and the FCC, identifies 2,200 megahertz of spectrum for evaluation, the process for evaluating these candidate bands, and the steps necessary to make the selected spectrum available for wireless broadband services. Source:

56. November 16, Towanda Daily Review – (Pennsylvania) Fire ruled as arson. The fire November 14 that destroyed a house on Southside Road in Franklin Township, Pennsylvania and caused telephone and Internet outages to over 300 households has been ruled arson, according to fire officials and the state police. There are currently no suspects in the case, according to the chief of the Franklin Township Volunteer Fire Company and the first assistant chief of the fire company. The fire damaged copper lines used for telephone and Internet services, as well as fiber optic cable, said the local manager for Frontier Communications. The fire knocked out telephone and Internet service for a total of 316 Frontier Communications customers, 266 of whom were in the Franklindale and Barclay Mountain areas. The other affected customers were in the Overton, Preacher Brook, and Laquin areas, he said. All telephone and Internet service was restored by 2:30 a.m. November 15. The fire, which was extremely hot, damaged Frontier Communications lines near the house, the fire chief said. Source: