Wednesday, December 15, 2010

Complete DHS Daily Report for December 15, 2010

Daily Report

Top Stories

• Computerworld reports that PBS NewsHour identified a subset of the 1.3 million accounts accessed in the Gawker hack that included an unknown number of accounts with the .gov domain. (See item 39 below and 48 in the Information Technology Sector)

39. December 13, Computerworld – (National) Hackers could use leaked Gawker info to attack government workers. Passwords used by people employed by U.S. federal, state, and local governments were among those disclosed by the Gawker hack December 11 and 12, according to a report by PBS NewsHour December 13. If the passwords published online by the Gnosis hacker group were also used by those people for their work e-mail accounts, the passwords could be used in future targeted attacks against government employees to plant malware or steal other information. PBS NewsHour identified a subset of the 1.3 million accounts accessed in the Gawker hack that included an unknown number of accounts with the .gov domain, including ones from the Department of Defense, NASA, National Institute of Health, and the U.S. Postal Inspection Service. Employees at agencies in several states, ranging from Idaho to Virginia, were also among those whose addresses and passwords were harvested. Gnosis’ list of compromised e-mail addresses and passwords has been published on the Internet, and is readily available to anyone, other hackers included, via a BitTorrent download. Source:

• According to the Kent Reporter, the U.S. Army Corps of Engineers continues to watch levees across western Washington and has deployed six flood fight teams for river observation and conducting emergency operations as rivers continue to rise. (See item 58)

58. December 13, Kent Reporter – (Washington) Army Corps remains on levee watch; Hanson Dam reservoir has adequate storage for floodwaters. The U.S. Army Corps of Engineers continues to watch levees around western Washington and has deployed six flood fight teams for river observation and conducting emergency operations as rivers continue to rise across western Washington. Currently Howard Hanson Dam is retaining water to keep flows at Auburn at or below 9,000 cubic feet per second (cfs), the trigger flow rate for a flood warning. Flows were expected to drop below the 9,000 cfs trigger flow at or around 1 p.m. December 13. The reservoir is nearly empty and capable of storing the forecast inflow amounts should additional storage be needed to keep downstream flows below flood stage. As coordinated with local officials, the Corps is sending levee walkers out along the Green River levees for a real-time assessment of levee conditions, although no problems are expected at this rate of flow, which is 3,000 cfs below the flood level on the lower Green River. Source:


Banking and Finance Sector

10. December 14, Wallet Pop – (National) One in four households victim of white collar crime: report. White collar crime now affects more Americans than all other forms of crime combined, according to a new report published by the National White Collar Crime Center (NW3C). Conducted by the NW3C and the Bureau of Justice Assistance, the 2010 National Public Survey on White Collar Crime found that nearly one in four American households were victims of white collar crime during the past 12 months. The survey of 2,503 adults from June to August 2010 asked respondents about personal and household experiences involving mortgage fraud, credit card fraud, identity theft, unnecessary home or auto repairs, price misrepresentation, and losses due to dishonest stockbrokers, fraudulent business ventures, and Internet scams. The NW3C is a non-profit membership group that studies white collar crime and works with law enforcement and companies. The group also partners with the FBI on the Internet Crime Complaint Center. Source:

11. December 13, Montgomery News – (Pennsylvania) Alleged robber of three Abington banks indicted. The alleged robber of three Abington, Pennsylvania banks was indicted December 9. The 44-year-old male suspect was charged with four counts of bank robbery between July 12 and August 17. According to the FBI, the suspect is charged with robbing a Citizens Bank in Philadelphia July 12. In Abington, the suspect allegedly robbed three banks on Old York Road within 1 month. The suspect is charged with the July 19 robbery of a PNC Bank branch, 123 Old York Road, the August 12 robbery of a FirstTrust Bank branch, 261 Old York Road, and the August 17 robbery of a TD Bank branch, 710 Old York Road. The FBI and Abington police sent out several surveillance photos of the suspect, who eventually turned himself in to police in Reading August 26. The suspect has an additional charge of walking away from the halfway house, where he had been staying. According to the FBI, the suspect left the house June 27 and did not return there, or to his job at a Willow Grove restaurant. If convicted of all charges, the suspect faces up to 85 years in prison, a fine of $1.25 million, 3 years of supervised release, and a special assessment of $400, the FBI said. Source:

12. December 13, IDG News Service – (International) Operation Payback has new target: Corporate fax machines. The activists behind Operation Payback have come up with a new way to annoy corporations that have severed their ties with WikiLeaks: bombard them with faxes. In online chats, group members have posted the fax numbers for about a half-dozen corporations and are calling volunteers to fill up the fax machines, using free online fax services such as and They are recommending that people use anonymizing software such as the Tor Project to access these sites, so that they cannot be traced by authorities. Anonymous has posted a list of numbers that it says are no longer responsive. One number, the Visa fax number listed by Yahoo Finance, was disconnected Monday afternoon. A Visa spokesman did not immediately have a comment on the situation, but Visa seems to be aware of the problem. A call center operator asked for Visa’s fax number on Monday said simply: “I cannot provide that information.” Source:

13. December 12, Reuters – (International) Dutch release man accused of cyber attacks. A 19-year-old Dutchman arrested on December 11 over a cyber attack on the Web site of the public prosecution office was released December 12 after admitting involvement in the attack, Dutch authorities said. The man was the second teenager arrested in the Netherlands for cyber attacks in the past few days after police detained a 16-year-old youth December 9 in connection with cyber attacks by WikiLeaks supporters. The youth, arrested in The Hague, is being held on remand. The prosecutor’s office said December 12 that the 19-year-old man admitted involvement in the so-called “denial of service” attack against the prosecutor’s Web site. He also confessed to being involved in cyber attacks against Mastercard, Visa and Moneybookers, the statement added. Cyber activists around the globe have attacked organizations seen as foes of WikiLeaks in retaliation for the ending of services to the Web site after it published thousands of secret U.S. diplomatic reports. Source:

14. December 11, Associated Press – (National) Madoff trustee sues accountants for $900 million. The trustee recovering money for investors who lost billions of dollars in Bernard Madoff’s fraud sued two accountants for $900 million, accusing them of assisting the convict in a $20 billion Ponzi scheme. The trustee filed the lawsuit December 10 against the two accountants. The trustee also named their wives, the son of one of the accountants, and other family members as defendants. The suit was filed hours after the trustee filed a civil racketeering case accusing offshore bankers of assisting the convict in his fraud. Taken together, the actions seem to broaden the number of accomplices the trustee thinks are responsible in the convict’s decades’ worth of fraud, even though the financier insisted to authorities that he acted alone. The suit seeks to recover $900 million that investors allegedly gave to the convict believing he would invest it. The convict admitted last year the investments were a scam and most of the money had disappeared by late 2008. The trustee said the accountants were active participants in the fraud, helping funnel money into the convict’s investment funds. Source:

15. December 11, – (Michigan; Pennsylvania) Two banks closed Dec. 10. Federal and state regulators closed two banks December 10, raising the total number of failed institutions to 173 so far in 2010. Paramount Bank, Farmington Hills, Michigan, was closed by the Michigan Office of Financial and Insurance Regulation, which appointed the Federal Deposit Insurance Corp. (FDIC) as receiver. FDIC entered into a purchase and assumption agreement with Level One Bank, Farmington Hills, to assume all Paramount deposits. The four branches of Paramount reopened December 13 as branches of Level One. As of September 30, Paramount had about $252.7 million in assets and $213.6 million in deposits. FDIC and Level One entered into a loss-share transaction on $233.1 million of Paramount’s assets. Level One will share in the losses on the asset pools covered under the loss-share agreement. FDIC estimated the cost to the Deposit Insurance Fund (DIF) will be $90.2 million. Earthstar Bank, Southampton, Pennsylvania was closed by the state’s secretary of banking, and the FDIC was appointed as receiver. FDIC entered into a purchase and assumption agreement with Polonia Bank, Huntingdon Valley, Pennsylvania, to assume all of Earthstar’s deposits, except for certain out-of-state certificates of deposit. As of September 30, Earthstar had about $112.6 million in assets and $104.5 million in deposits. Polonia also agreed to purchase approximately $77.1 million of the failed bank’s assets. The FDIC will retain most of the assets for later disposition. Source:

Information Technology

47. December 14, H Security – (International) Google issues security update for Chrome 8. Google has released version 8.0.552.224 of Chrome for Windows, Mac OS X, and Linux into its Stable and Beta channels. The security update addresses a total of five vulnerabilities in the WebKit-based browser, two of which are rated as “High” priority. One of the high risk issues affects only 64-bit versions of Linux, while the other relates to stale pointers in cursor handling. Other issues include browser crashes due to bad extensions, CSS parsing problems, and a NULL pointer issue in web worker handling. Further details of the vulnerabilities are being withheld until “a majority of users are up-to-date with the fix”. Source:

48. December 14, Computerworld – (International) Gawker hack analysis reveals weak passwords. Gawker, which operates several popular technology sites, including Gizmodo and Lifehacker, confirmed December 12 that its servers had been hacked, and that hundreds of thousands of registered users’ e-mail addresses, usernames, and passwords had been accessed. A group calling itself “Gnosis” claimed credit for the attack and said it had pilfered more than 1.3 million accounts. The most common passwords were uncovered by Duo Security, an Ann Arbor, Michigan-based two-factor authentication provider, after running John the Ripper (JtR), a password hash cracking tool, on the list of Gawker user passwords posted on the Web over the weekend. Using an eight-core Xeon-powered system, Duo Security brute-forced 400,000 password hashes of the 1.3 million stolen from Gawker, cracking the first 200,000 in under an hour. The director of security operations at nCircle Security said December 13 that it was a sure bet that hackers would utilize the Gawker information, because many people reuse the same password for most of their e-mail and online accounts. He was commenting on the news that some e-mail addresses revealed in the Gawker hack belonged to employees of federal, state, and local governments, and that hackers would use the information in targeted attacks to gain access to agency networks. Duo provided a clearer idea of the scope of the threat to governments, pointing out that 15 of the accounts for which it had cracked password encryption belonged to people working at NASA, 9 were assigned to users employed by Congress, and 6 belonged to employees of the Department of Homeland Security. Source:

49. December 14, Softpedia – (International) New information stealing trojan hijacks shortcuts. Security researchers warn about a new information stealing trojan which hijacks file shortcuts in order to ensure its execution after reboot, instead of adding registry entries. According to malware analysts from German antivirus vendor Avira, upon execution, the trojan searches for .lnk (shortcut) files on the desktop and in a predefined set of folders. It reads the target of those shortcuts and renames the files to click_[original_name].exe. It then creates copies of itself with the original names in the same locations in order to be executed when users click on the shortcuts. The copies contain instructions to run the renamed files after being executed themselves, in order to cover up the hijacking. Once running in memory, the trojan monitors browsing sessions for login attempts on a list of hardcoded websites, including PayPal, Google, YouTube, Yahoo!, and MSN. Some Chinese sites like,,, or are also targeted, possibly suggesting this threat’s origin. Furthermore, the login information captured by the trojan is sent to a website hosted on a server in China. Source:

50. December 14, Help Net Security – (International) Hacktivism and social engineering emerge as top threats. Hacktivism and more profit-oriented malware, social engineering, and malicious codes with the ability to adapt to avoid detection will be the main threats in the coming year, according to PandaLabs. There will also be an increase in the threats to Mac users, new efforts to attack 64-bit systems and zero-day exploits. The major security trends of 2011 are: malware creation, cyber war, cyber-protests, social engineering, BlackHat SEO attacks, Windows 7 influencing malware development, mobile phones, Mac, HTML5, and highly dynamic and encrypted threats. Source:

51. December 13, – (International) RealPlayer receives big security fix. Real Networks has issued a security update for its RealPlayer media tool. The company said that users who update to the latest versions of the Windows, MacOS X, and Linux versions of RealPlayer will be protected from the 27 reported flaws. Real Networks said that none of the vulnerabilities has been reported as being actively targeted for exploits in the wild. Among the 27 vulnerabilities addressed in the patch are flaws which, if exploited, could allow an attacker to remotely install and execute code on a targeted system. The company said that users can protect against all of the vulnerabilities by upgrading to the latest version of the software. Source:

Communications Sector

52. December 13, New Jersey Office of the Attorney General – (New Jersey; National) Union County man pleads guilty to stealing valuable internet domain name. The New Jersey Attorney and Criminal Justice Director announced that a Union County man pleaded guilty today to stealing a company’s Internet domain name and selling it over eBay for more than $110,000 to an unsuspecting buyer. This is the first known conviction for a domain name theft. According to the Director, the convict, 26, of Union Township, pleaded guilty to theft by unlawful taking, theft by deception, and computer theft, all in the second degree, before a Superior Court judge in Union County. The charges were contained in a November 16, 2009 state grand jury indictment. The convict was arrested on July 30, 2009 by members of the New Jersey State Police Cyber Crimes Unit as a result of a State Police investigation into the theft of, an Internet domain name. On that same date, troopers executed a search warrant at the convict’s residence and seized a large volume of business and computer records relevant to the domain name theft. Source: