Wednesday, December 1, 2010

Complete DHS Daily Report for December 1, 2010

Daily Report

Top Stories

• CNN reported a 15-year-old sophomore, accused of holding 23 classmates and a teacher hostage for about 5 hours November 29 at his Marinette, Wisconsin high school, fired his two weapons at least five times and had a duffel bag containing more bullets with him. (See item 36)

36. November 30, CNN and Associated Press – (Wisconsin) Police: School suspect fired at least 5 times, had more bullets. A 15-year-old sophomore, accused of holding 23 classmates and a teacher hostage for about 5 hours November 29 at his Marinette, Wisconsin high school, fired his two weapons at least five times and had a duffel bag containing more bullets with him, authorities said November 30. The alleged hostage-taker died November 30 at a hospital of a self-inflicted gunshot wound, authorities said. The teen turned one of his guns on himself as police broke into the Marinette High School classroom after hearing gunshots. All 24 hostages were unharmed. The Marinette police chief said police are still trying to determine a motive, saying the student was well-liked, had no prior law enforcement contact, and “was a good student.” Five or six shell casings from both weapons — a .22-caliber semi-automatic and a 9-millimeter semi-automatic — were found in the classroom. Bullets were also found in the suspect’s pocket at the hospital, and a duffel bag left in the classroom contained “numerous live rounds,” the chief said. A bomb squad was called in to X-ray and remove the bag. The school was closed November 30. Source:

• U.S. Immigration and Customs Enforcement announced that seizure orders were executed against 82 domain names of commercial Web sites engaged in the illegal sale and distribution of counterfeit goods and copyrighted works. (See item 53 below in the Communications Sector)


Banking and Finance Sector

12. November 30, Seattle SunBreak – (Washington; International) Hacker breached 1,000+ credit card accounts in Seattle attack. At the end of October, a wave of credit card fraud caught people’s attention, with the Tukwila, Washington-based BECU credit union acknowledging some 100 cases reported by its Capitol Hill customers. A month later, the U.S. Secret Service said that more than 1,000 credit and debit card accounts may have been breached by a foreign hacker. Reports Bank Info Security: The scheme appears to involve the sale or distribution of the stolen account information to numerous individuals across the country, as well as in foreign countries. Those individuals then used the information to make purchases against the consumer accounts. Capitol Hill Seattle (CHS) reported on the story from the ground up, discovering that the Broadway Grill restaurant was the victim of a hack of its software, and that the hacker was then able to “leapfrog from the restaurant’s access to a critical server in the transaction process” where account information was available. “He was able to access numbers off the server going back prior to October,” a Secret Service Agent told CHS, gaining access to accounts of people who had never eaten at Broadway Grill. At that time, fraud reports had totaled about 400. Source:

13. November 29, St. Petersburg Times – (Florida) Bomb threat empties East Lake bank. A Fifth Third Bank in East Lake, Florida was evacuated November 29 after the company received a bomb threat, authorities said. “A male called, and he stated that the place was going to blow up,” said a Pinellas County Sheriff’s Office spokesman. The sheriff’s office was notified of the threat to the bank branch at 1100 East Lake Road about 12:45 p.m. Authorities were on the scene, and there was no indication of an explosive device, the spokesman said. Source:

14. November 29, Forbes – (National) WikiLeaks will unveil major bank scandal. First WikiLeaks exposed government secrets. Next up: The private sector, starting with one major American bank. In an exclusive interview earlier in November, the WikiLeaks founder told Forbes that his whistleblower site will release tens of thousands of documents from a major U.S. financial firm in early 2011. The WikiLeaks founder would not say exactly what date, what bank, or what documents, but he compared the coming release to the e-mails that emerged in the Enron trial, a comprehensive look at a corporation’s bad behavior. “It will give a true and representative insight into how banks behave at the executive level in a way that will stimulate investigations and reforms, I presume,” he told the Forbes reporter. Source:

15. November 29, Gwinnett Daily Post – (Georgia) FBI: Armored car employee robbed Monday at gunpoint. The robbery of an armored car employee November 29 in Snellville, Georgia, may be connected to a recent series of similar crimes in metro Atlanta, officials said. According to the FBI’s Atlanta office, a courier for Loomis Armored Car was reloading an ATM at the Wells Fargo Bank at 3520 Centerville Highway November 29, when a black man approached him and put a semi-automatic handgun to his head at about 9:20 a.m. The suspect made out with an undisclosed amount of cash and was seen getting into the back seat of a blue or silver vehicle, described as possibly being a “Buick, Oldsmobile or Jaguar,” the Special Agent in Charge said. Gwinnett police responded to the scene before turning it over to the FBI. The robber is described as a black man in his late 20s, medium build and wearing a black-hooded sweatshirt and black cap. FBI agents are “comparing the details” of several other armored vehicle robberies in recent months — including another in Gwinnett — to weigh whether they are connected, the Special Agent in Charge said. Source:

16. November 29, Swellesley Report – (Massachusetts) Wellesley bank robber — the U-30 Bandit — pleads guilty. The Boston branch of the FBI announced November 29 that a Norwood, Massachusetts man dubbed the “U-30 Bandit” has been convicted in federal court of eight counts of armed bank robbery, including at a Bank of America in Wellesley in March 2009. The 34-year-old suspect pled guilty to the eight counts related to bank robberies in which he brandished a semi-automatic handgun and sometimes left behind hoax devices that initially looked like bombs. He became known as the U-30 Bandit because he got in and out of the banks he robbed in under 30 seconds. The suspect faces up to 25 years in prison on each count of bank robbery. His half brother and getaway driver was sentenced to 60 months in jail for his role in 3 robberies. Source:

17. November 29, Alton Telegraph – (National) Reports of card fraud still coming in. Law enforcement agencies continue to receive reports of fraudulent purchases and cash withdrawals from the accounts of customers at two Bethalto, Illinois-area financial institutions, leading authorities to believe organized crime may be involved. “We’re still getting them and turning them over to the FBI,” said a Madison County Sheriff’s Department spokesman. The thief could be operating offshore and selling credit and debit card numbers to others in the United States, he said. He said the numbers indicate a large operation, perhaps international in scale. The institutions are First MidAmerica Credit Union, and Liberty Bank in Bethalto. Fraudulent transactions have been made all over the country, including the Texas cities of Houston, Dallas, and Waco, as well as in Colorado, and Louisiana. The transactions have ranged between $46 and $651 each. The spokesman said his office has received 30 reports of fraudulent transactions, and perhaps hundreds of reports have come in to other law enforcement agencies. The Bethalto Police Department received six reports in the week from November 22 to November 29. Source:

For more stories, see item 47 below in the Information Technology sector

Information Technology

45. November 30, Infosecurity – (International) Security researcher warns on fake trojan removal kit. A security researcher has issued a warning about a fake trojan removal kit that infects Windows users with the ThinkPoint Rogue malware. Writing in his security blog November 29, the researcher said the “Windows Trojan Removal Kit” effectively hijacks users’ PCs using the ThinkPoint Rogue malware. This malware, the Sunbelt Software/GFI Software researcher said, has a detection rate of only close to 50 percent among IT security products. The file, he said, is currently being offered up by typical “fake security scan” pages, such as microsoftwindowssecurity152(dot)com. Installing the executable can potentially cause fake “Blue Screens of Death” and payment nag screens to appear. He has posted details on his blog about how to work around the supposedly locked-up desktop, and how the malware appears to be flagging itself as Trojan.Win32.Generic.pak!cobra, a malware infection that was originally discovered at the start of this year. Source:

46. November 30, Softpedia – (International) New rootkit functions as adware distribution platform. Security researchers from BitDefender have come across a new rootkit, which seems designed to drop a large number of adware programs on infected systems. Detected as Rootkit.Woor.A, the malware installs itself as a randomly named service and runs as a system driver. This allows it to perform actions with kernel privileges. The rootkit overwrites the legitimate explorer.exe with a malicious version, which is subsequently called during the normal system boot process. The rootkit also interferes with the operation of antivirus programs and other system monitoring applications by preventing their execution on the system. The researchers warn that a component downloads all sorts of adware-like programs, such as games, video players, or streaming and instant messaging utilities. The rogue programs ask users to pay for licenses, and having so many installed on the computer can degrade its performance considerably. Source:

47. November 29, Computerworld – (International) Scammers can hide fake URLs on the iPhone, says researcher. Identity thieves can hide URLs on the iPhone’s limited screen real estate, tricking users into thinking they are at a legitimate site, a security researcher said November 29. In a proof-of-concept, the researcher showed how legitimate Web applications such as Bank of America’s mobile banking application hide Safari’s address bar after rendering the page. He speculated that developers use this practice to use as much as possible of the limited screen real estate on mobile devices like the iPhone. “Note that on the iPhone, this only happens for sites that follow directives in HTML to advertise themselves as mobile sites,” said the researcher on his personal blog and in an entry on the SANS Institute’s blog. The ability to hide the address bar in iOS is by design, noted the researcher. “I did contact Apple about this issue and they let me know they are aware of the implications, but do not know when and how they will address the issue,” the researcher said. He suggested that Apple modify iOS to prevent Web applications from hiding the URL. Source:

48. November 29, PC World – (International) Ransomware attack resurfaces to hold files hostage. The latest ransomware attack seems to be a variant of the GpCode Trojan that has made seemingly annual reappearances to extort money for the past few years. A compromised system will show a Notepad pop-up, or change the desktop background to display a message that reads “Attention!!! All your personal files were encrypted with a strong algorithm RSA-1024 and you can’t get an access to them without making of what we need!” This message is followed by more broken English instructions directing the user to read a text file explaining that a ransom of $120 is required to get the decryption key. Past ransomware extortion efforts created an encrypted copy of the file, but left the original intact. This latest version, however, encrypts the original file — making any recovery efforts significantly harder, if not virtually impossible. Users are directed to shut the computer down as quickly as possible once the ransom alert appears. In the background, the malware is still busy doing its dirty work, and by shutting the system down — yanking the plug from the wall if necessary — the user might be able to save some of the data. Source:

49. November 29, The Register – (International) Pirate Bay appeal failure spawns more DoS attacks. The failure of the Pirate Bay appeal has spawned reprisal denial of service attacks by the loosely banded Anonymous collective against the International Federation of the Phonographic Industry (IFPI). Both the and sites became largely unavailable November 27 after the sites became the latest target of the ongoing Operation:Payback campaign against entertainment industry Web sites. Activists behind the attack used the Low Orbit Ion Cannon (LOIC) to flood the site with useless traffic. The move follows the decision by a Swedish appeal court to reduce the sentences of three of the Pirate Bay defendants but to increase their fines. The IFPI chief exec was among the first to welcome the verdict, a move that arguably made the organization a prime target for reprisal denial of service attacks. Source:

50. November 27, Softpedia – (International) Two arrested in Japan for using malware to steal Lineage accounts. Two people were arrested in Japan November 17 for allegedly infecting Lineage II players with a trojan designed to steal their online gaming log-in credentials. The Yomiuri Shimbun newspaper reported the two were arrested on suspicion of unauthorized computer access. According to the police, the two met online while playing “Lineage II: The Chaotic Throne,” a very popular Massively Multiplayer Online Role Playing Game, and decided to hijack the accounts of other players. They set up a Web site claiming to offer software that artificially increases the abilities of Lineage II virtual characters and started advertising it. The software was actually a trojan designed to steal Lineage account usernames and passwords. The two put game items like swords and shields found in the compromised accounts up for sale on specialized real-money marketplaces. The suspects were allegedly able to earn almost $12,000 between April and June 2010. Police suspect there were more than 100 victims. The pair might also end up facing charges of business obstruction. Source:

For more stories, see items 51 and 53 below in the Communications Sector

Communications Sector

51. November 30, IDG News Service – (National) P2P-based alternative to DNS hopes to challenge ICANN. A group led by the former Pirate Bay spokesman is forming to develop a peer-to-peer-based alternative to today’s ICANN-controlled DNS system, according to a blog posted November 30. He went public with the project, which also includes an alternative root server, on his Twitter account. The first step is a new root server, and the second step will be a new DNS system, he said. The P2P DNS project is aimed at keeping the Internet uncensored, the blog post said. The underlying infrastructure will be based on BitTorrent technology. To improve security, the data and the transmission will be signed, he said. Developing a system that can compete with DNS will not be easy. One of the main challenges will be to offer the same robustness, said an IT security advisor at Swedish consultancy Kirei. The P2P DNS project could succeed in attracting users in file-sharing circles, but will have a hard time getting other users on board. The project could also come to realize the security advisor’s greatest fear, which is that DNS will be split into different parts. Source:

52. November 30, TechFlash – (Washington) Mysterious bullet hole leads to Comcast outage in West Seattle. Service went down for about 2,500 Comcast customers in Seattle, Washington November 29 after a bullet hole was discovered to have severed a fiber line. Technicians for the company were able to quickly resolve the problem. In a Tweet, Comcast representatives admitted that an outage tied to a bullet hole is “pretty unusual.” In a follow-up, the company said they may never know why it occurred. A TechFlash reporter reached out to Comcast to get a more detailed explanation on what happened and whether they have turned the matter over to the Seattle Police Department. A Comcast spokesman said the company did not plan to investigate further. Source:

53. November 29, U.S. Immigration and Customs Enforcement – (International) ICE seizes 82 Web site domains involved in selling counterfeit goods as part of Cyber Monday crackdown. Seizure orders were executed against 82 domain names of commercial Web sites engaged in the illegal sale and distribution of counterfeit goods and copyrighted works as part of an ongoing investigation by U.S. Immigration and Customs Enforcement (ICE), known as Operation In Our Sites v. 2.0. During the course of the operation, federal law enforcement agents made undercover purchases from online retailers suspected of selling counterfeit goods. In many instances, the goods were shipped directly into the United States from suppliers in other countries using international express mail. If the goods were confirmed as counterfeit or otherwise illegal, seizure orders for the domain names of the Web sites that sold the goods were obtained from U.S. magistrate judges. Individuals attempting to access the Web sites will find a banner indicating the domain name of the site has been seized by federal authorities. Source: