Thursday, December 16, 2010

Complete DHS Daily Report for December 16, 2010

Daily Report

Top Stories

• An ex-convict who fired several shots that missed school board members in Panama City, Florida, shot and killed himself after exchanging fire with a security guard, according to the Associated Press. (See item 41)

41. December 15, Associated Press – (Florida) Gunman fires at Fla. school board, kills self. An ex-convict calmly held a Bay District school board at gunpoint December 14 in Panama City, Florida, complaining about taxes and his wife being fired before shooting at close range as the superintendent begged, “Please don’t.” Minutes earlier, the room had been filled with students accepting awards, but no one was hurt except the gunman, who shot himself after exchanging fire with a security guard, police said. “It could have been a monumental tragedy,” Bay District Schools’ superintendent said. Video of the meeting shows the 56-year-old rising from his seat, spray-painting a red V on the wall, then waving a gun and ordering everyone to leave the room except the men on the board. They dove under the long desk they had been sitting behind as he fired at them. The gunman’s motivation was still murky December 15. He rambled to the board about tax increases and his wife, but also apparently created a Facebook page the week of December 6 that refers to class warfare and is laced with images from the movie “V for Vendetta,” in which a mysterious figure battles a totalitarian government. Source:

• The Register reports FBI agents looking into the theft of customer data belonging to McDonald’s are investigating similar breaches that may have hit more than 100 other companies. (See item 51 below in the Information Technology Sector)


Banking and Finance Sector

16. December 15, Arizona Daily Sun – (Arizona) ‘Halloween’ bandit captured. A Halloween-masked man who robbed two banks in Flagstaff and several other banks in the Valley appears to have been caught. The FBI would not comment December 14 on possible links by the suspect to other robberies. But an employee at one of the Flagstaff banks robbed in October told the Daily Sun December 14 that the bank had been notified by law enforcement that a suspect in the bank robbery was now in custody. The 50-year-old suspect was arrested during a traffic stop in Phoenix on December 11 following the robbery of a Bank of America on the 5000 block of West Baseline Road, the FBI said. The suspect was described as a white male, 6 feet 2 inches, 230 pounds. A spokesman for the FBI refused to comment on whether the male is considered a suspect in the bank robberies attributed to the Halloween-masked bandit, dubbed the “Skeletor” bandit based on a cartoon character from the 1980s. Source:

17. December 15, – (Pennsylvania) DeMarco REI and OPM Group: Charges and civil complaint filed in foreclosure rescue scheme. An indictment was unsealed and a verified civil complaint was filed December 15 against a male suspect and his real estate companies, DeMarco REI, Inc. (“DeMarco REI”) and OPM Group, LLC (“OPM”), alleging a mortgage fraud scheme involving more than $30 million in loans, a U.S. attorney in Philadelphia, Pennsylvania announced. The civil complaint seeks a temporary restraining order and preliminary injunction against the defendant. It also seeks to forestall foreclosures against the victims. The indictment charges the main suspect and several associates with mail, wire, and bank fraud, and charges the main suspect with money laundering. The main suspect was arrested December 15. The case was investigated by the Pennsylvania Department of Banking, the FBI, and the U.S. Postal Inspection Service. Source:

18. December 14, KOCO 5 Oklahoma City – (Oklahoma) Police searching for violent bank robbers. Police are searching for two men who robbed an Oklahoma City, Oklahoma bank December 14. Investigators said two black men entered the Bank of the West at 5401 N.W. 23rd St. at about 6:17 p.m. and demanded money. The robbers forced the two employees behind the teller counter and entered the bank’s vault. The robbers bound the employees, assaulted one of them and stole an unknown amount of cash before leaving the bank on foot. The assaulted employee was transported to a local hospital. The robbers were wearing dark-colored winter jackets with the hoods pulled over their heads. The robbery is being investigated by the FBI and the Oklahoma City Police Department. Source:

19. December 11, Associated Press – (International) Vatican Bank mired in laundering scandal. The Institute for Religious Works is a bank in Vatican City, headquarters of the Roman Catholic church, and it is under harsh scrutiny in a case involving money-laundering allegations that led police to seize $30 million in Vatican assets in September. Critics said the case shows the “Vatican Bank” has never shed its penchant for secrecy and scandal. The Vatican called the seizure a “misunderstanding” and expressed optimism it would be quickly cleared up. But court documents showed prosecutors said the Vatican Bank deliberately flouted anti-laundering laws “with the aim of hiding the ownership, destination and origin of the capital.” The documents also reveal investigators’ suspicions that clergy may have acted as fronts for corrupt businessmen and Mafia. The documents pinpoint two transactions that have not been reported: one in 2009 involving the use of a false name, and another in 2010 in which the Vatican Bank withdrew $860,000 from an Italian bank account, but ignored bank requests to disclose where the money was headed. On September 21, financial police seized assets from a Vatican Bank account at the Rome branch of Credito Artigiano SpA. Investigators said the Vatican had failed to furnish information on the origin or destination of the funds as required by Italian law. The bulk of the money, $26 million, was destined for JPMorgan in Frankfurt, Germany, with the remainder going to Banca del Fucino. Prosecutors alleged the Vatican ignored regulations that foreign banks must communicate to Italian financial authorities where their money has come from. All banks have declined to comment. Source:

Information Technology

50. December 15, Computerworld – (International) Microsoft to boost Office 2003, 2007 security. Microsoft said December 14 it would backport an Office 2010 security feature to the older and more widely used Office 2003 and Office 2007 in early 2011. Dubbed Office File Validation (OFV), the technology validates older, pre-XML file formats for Word, Excel, PowerPoint, and Publisher, then opens those that do not conform to the documented format — rigged files containing an exploit, for example — in a special “sandbox” within Office 2010 called Protected View. That sandbox lets users view the contents of a document, but disables most editing functions to prevent malware that may be embedded in the file from executing. File format vulnerabilities — exploited by specially crafted documents — have long plagued Office, and remain the top threat to users. Source:

51. December 15, The Register – (International) Feds probe ‘100 site’ data breach. FBI agents looking into the theft of customer data belonging to McDonald’s are investigating similar breaches that may have hit more than 100 other companies that used e-mail marketing services from Atlanta, Georgia-based Silverpop Systems. “The breach is with Silverpop, an e-mail service provider that has over 105 customers,” a special agent in the FBI’s Atlanta field office told The Register. “It appears to be emanating from an overseas location.” He declined to provide further details. Over the past week, at least two other sites – one known to have ties to Silverpop and the other that appears to – offered similar warnings to their customers. deviantART, a Web site that boasts more than 16 million registered accounts, warned its users that their e-mail addresses, user names, and birth dates were exposed to suspected spammers as a result of a breach at the e-mail provider. Source:

52. December 15, BBC News – (International) Gawker hack triggers password resets at major sites. Yahoo, Twitter, and LinkedIn have asked users to change their details, days after gossip site Gawker was hacked. Online game World of Warcraft, which has more than 12 million subscribers, has also asked some users to reset their passwords. Blizzard, the company behind the game, said it was an attempt to “minimize the effects” of the Gawker breach. Although thousands of Twitter accounts were compromised after the attack, there have been few other reports of damage directly linked to the breach. Many companies, however, have taken steps to identify users at risk and warn them before an exploit can take place. A spokesman for LinkedIn said it is necessary to take “proactive security measures” to screen users thought to be in danger. Source:

53. December 14, SC Magazine – (International) Microsoft security update includes IE, Stuxnet repairs. IT administrators received holiday greetings from Microsoft December 14: a large security update, comprised of 17 patches to fix 40 vulnerabilities. The record-setting update contained two patches labeled “critical.” One of those, a bulletin (MS10-090) that addresses seven flaws in Internet Explorer, is considered the highest priority fix as it closes a zero-day vulnerability that has been exploited in the wild. The other critical bulletin (MS10-091) resolves three bugs in the OpenType Font driver on Windows. “If a shared folder that contains a malicious OpenType font file is viewed, an attacker could run code in the Windows kernel,” a Microsoft spokesman said. “In order for a successful exploit, an attacker must convince a user to open a share that contains a malicious OpenType font file.” Less pressing for most organizations, but potentially most dangerous of all, is a patch for the last-known Stuxnet flaw – this one used to escalate privileges in conjunction with Stuxnet, the pernicious malware used to attack industrial control systems. Source:

54. December 14, H Security – (International) Over 500 patches for SAP. SAP – one of the largest manufacturers of business applications and enterprise software – released a huge number of so-called Security Notes December 14. An e-mail sent to SAP customers speaks of “a significant number of security notes”; it is rumored that there are 525 of these notes. According to the e-mail, the “volume of fixes” was due to the use of new tools and methods in the quality assurance process. The vulnerabilities range from directory traversal via cross-site scripting, to SQL injection. However, most of the patches can be added through a “technical upgrade” to the new product release “SAP Business Suite 7 Innovations 2010”. This then leaves only a handful of patches to be added manually. Details of the vulnerabilities and the patches have not been made public and are only available to customers with ID and password access to the Service Market Place on SAP sites. Source:

55. December 13, Softpedia – (International) Fake Hallmark Christmas card emails carry malware. Security researchers warn about a new wave of fake e-mails purporting to come from Hallmark, which try to pass a computer Trojan as a Christmas card. According to Belgian e-mail security vendor MX Lab, the e-mails began circulating the week of December 6 and have a subject of “1st Christmas Card.” Their header is spoofed to appear as if they originate from card@hallmark(dot)com and they are using a Hallmark e-mail template that mimics the look of the company’s Web site. The message suggests the attackers do not only spread these fake e-mails on their own, but also try to socially engineer recipients to do it for them. The e-mails carry an attached archive file called, which contains a 610 kB-large SnowFairy.exe executable. The file is a Trojan that has a relatively high AV detection rate, according to Virus Total. Source:

For another story, see item 59 below in the Communications Sector

Communications Sector

56. December 15, Las Vegas Review-Journal – (Nevada; California) Accident cuts many rural phones for hours. Telephone service, including the 911 emergency line, was disrupted across parts of Lyon, Carson, and Alpine County California, and most of Douglas County, Nevada, when construction workers in the Johnson Lane area of northern Douglas County damaged a fiber optic line with a backhoe while working on a water line. According to reports, the outage sporadically affected land telephone lines, cellular, and Internet service across the region. The most serious impact was the shutdown of the emergency line county-wide. Lyon County’s amateur radio team helped keep communication flowing. Source:

57. December 15, Techworld – (International) Malware, DoS attacks a threat to mobile phones, warns EU agency. Smartphones could soon be used to launch distributed attacks, much like traditional PCs are now used as parts of larger botnet networks, according to a new report from the European Network and Information Security Agency (ENISA). In research that details the many risks of smartphones, the findings claim that while the devices are not currently being targeted for such attacks, this may change as mobile devices become more popular and more connected, and as the complexity and the number of vulnerabilities in these platforms increase. Smartphone botnets could be used for familiar crimes such as spam, click fraud, and DDoS, the report claims. Since smartphones interface with cellular networks, they could also be used for new distributed attack scenarios, such as SMS spam and DDoS on telephony networks. Such attacks could be used to support wider attacks on, for example, other infrastructure. “Mobile phone coverage is becoming increasingly vital, especially in the event of an emergency, so smartphones open up new possibilities for DDoS attacks with potentially serious impacts,” according to the findings. As an example, the report cites a 2001 virus that impacted DoCoMo, a Japanese mobile operator. The “i-mode virus” had access to call interfaces, which were available to malicious e-mails at the time and caused the user’s device to dial emergency numbers. Source:

58. December 14, Orlando Sun Sentinel – (Florida) AT&T wireless service issues resolved. Around 6:30 p.m. December 14, an independent construction crew doing work in Volusia County, Florida cut a fiber cable causing an AT&T wireless disruption to some customers in parts of Jacksonville, Tallahassee, Daytona, Ocala, Gainesville, and Panama City. Customers had trouble connecting to voice calls and voicemail. AT&T crews were on the scene working to repair the cut cable. The issue was resolved by 7:45 p.m. Source:

59. December 14, New York Times – (National) F.B.I. memos reveal cost of a hacking attack. A hacker attack on a company’s Web site can be costly, but exactly how much money it takes to repel and recover from a malicious strike is rarely disclosed by besieged companies. But an attack several years ago on Google cost it $500,000, according to internal FBI memos obtained by the New York Times through a Freedom of Information Act request. The documents also reveal some information about the attacker. A year earlier, Google suffered a $100,000 loss from the MyDoom virus, which slowed or stalled Google’s search engine for several hours, according to documents from a separate FBI investigation. The chief research officer for Barracuda Networks, a Web security company, said it was rare for the monetary damages caused by hackers to become public. In fact, many companies never bother to calculate the total because they are too busy keeping the hackers at bay or they simply never report the incident to law enforcement out of embarrassment, he said. In any case, he noted the cost of an attack could rise quickly when the amount of time it took to clean up afterward, reconfigure firewalls, and assess the initial response was included. Source: