Thursday, February 17, 2011

Complete DHS Daily Report for February 17, 2011

Daily Report

Top Stories

• According to USA Today, United Airlines canceled 15 flights February 15, after grounding its fleet of 96 Boeing 757s over safety issues. (See item 16)

16. February 16, USA Today – (National) United: Operations back to normal as 757 inspection continues. United Airlines said it canceled 15 flights late February 15, after grounding its fleet of 96 Boeing 757s over safety issues, but expected to resume normal operations February 16. The carrier voluntarily halted 757 takeoffs after it discovered it hadn’t completed safety checks on a critical equipment upgrade required by federal aviation regulators. As of the morning of February 16, United hadn’t completed inspecting all 757s, but expected to complete them “shortly,” a spokeswoman said. United uses the planes mostly on long-range flights. The problem occurred on the 757’s air data computer, which measures air pressure and other atmospheric conditions to determine speed and altitude. On June 22, 2004, the Federal Aviation Administration (FAA) ordered the computers be replaced and that mechanics perform a check to ensure they were working properly. United hadn’t performed the required check after replacing the units. The airline said it was not aware of any problems or incidents caused by the computers. Each 757 has two of the computers so they can check each other’s accuracy, as well as a standby system in case of emergency, according to Boeing documentation. The FAA issued an emergency order requiring the computers be replaced because of a flaw that could cause pilots to erroneously believe they were flying too fast or too slow. The agency was unaware of the issue until it was notified February 15 by United, an FAA spokeswoman said. Although rare, erroneous speed readings have led to several fatal crashes, including two in 1996 on 757s, a USA TODAY report found. Source:

• Associated Press reports one U.S. Immigration and Customs Enforcement agent was killed and another injured when gunmen attacked their vehicle in the Mexican state of San Luis Potosi. (See item 36)

36. February 16, Associated Press – (International) Gunmen kill US agent, wound another, in Mexico. A U.S. Immigration and Customs Enforcement (ICE) agent on assignment to the ICE Attache in Mexico City, Mexico from his post in Laredo, Texas, died February 15 when gunmen attacked his blue Suburban vehicle in the northern state of San Luis Potosi. A second ICE agent was shot in the arm and leg and was in stable condition, according to statements from the Department of Homeland Security. The Homeland Security Secretary said the fatal attack on American law enforcement, the highest-profile attack since the 1985 torture and killing of a Drug Enforcement Administration agent, will not change the U.S. commitment to supporting Mexico in its crackdown on organized crime. The two agents were driving on a four-lane, federal highway between Mexico City and Monterrey when they were stopped at what may have appeared to be a military checkpoint, according to one Mexican official. Mexican military officers said they had no checkpoints in the area. After they stopped, someone opened fire on them, the official said. Police said a checkpoint was unlikely on such a high-speed stretch of highway and that the bullet-riddled Suburban was found off to one side of the road. The United States has increased equipment and training support for Mexico in recent years through its $1.4 billion Merida Initiative. Source:


Banking and Finance Sector

11. February 16, Pittsburgh Post-Gazette – (Pennsylvania) BNY Mellon employee accused of embezzling $452,000. A Bank of New York-Mellon employee in Pittsburgh, Pennsylvania, has been indicted for allegedly embezzling $452,037, according to court documents entered February 16. The 37-year-old woman, of Greenfield, Pennsylvania, faces charges of theft by a bank employee and is the subject of an arrest warrant. The U.S. attorney’s office said an FBI investigation led to a federal grand jury charge for a string of thefts from April 2007 through August 2010. If convicted, the woman could face a maximum of 30 years in prison and a $1 million fine. Source:

12. February 15, – (National) Visa incents ‘Dynamic Authentication’. A move toward Europay, Mastercard and Visa (EMV) integrated circuit cards can help merchants cut their security compliance costs, but only if they operate outside the United States. That is the message from Visa Inc., which the week of February 7 announced the launch of the Visa Technology Innovation Program. The program is designed to exempt eligible international merchants from annual validations of compliance with the Payment Card Industry Data Security Standard. In the United States, where no official movement toward the EMV standard exists, Visa is encouraging other types of dynamic authentication, but these will not carry the same incentive (elimination of compliance validations) that the Technology Innovation Program provides to qualifying EMV-compliant merchants in other parts of the world. “With the United States facing government price controls on debit and restrictive routing and exclusivity rules, it is not feasible or appropriate to drive the market toward major infrastructure investments, especially in an environment where financial institutions could lose billions in revenue as a result of the regulation,” Visa’s group executive for the Americas said in a statement issued by Visa. “With such a dramatic potential for revenue loss, financial institutions will likely curtail investments in future innovations.” Source:

13. February 15, Cookeville Times – (Tennessee) FBI investigates bank pipe bomb in Sparta. The FBI has taken over the investigation of an incident in which a Sparta, Tennessee woman took a pipe bomb into a bank without realizing what she was carrying. The woman reported to police that she had found the pipe bomb at her home but did not know what it was and took it to work with her February 14 for examination by one of the police officers. US Bank on Highway 111 was evacuated after the woman showed the bomb to officers. The bomb squad detonated the bomb in a nearby grassy area and no one was injured. Area businesses were also evacuated, and Tennessee Bomb and Arson was called as well as the FBI. Both northbound and southbound lanes of Highway 111 were shut down as a precaution. Source:

14. February 15, WMTW 8 Portland – (Maine) Security breach investigated at Day’s Jewelers. Customers of Day’s Jewelers in Portland, Maine were told to check their credit and debit card statements for unauthorized charges. The Maine State Police Computer Crimes Unit is investigating a security breach involving hackers, company officials said. The breach affects customers who used credit and debit cards at stores in November and December 2010. The company said it could not release details about the breach because of the investigation, but in a statement, the president of Day’s Jewelers said, “We are working diligently with law enforcement as it investigates this criminal activity.” The Maine Credit Union League helped bring the breach to the attention of authorities with the help of local credit unions. “They started putting two and two together and noticed most of those transactions that were fraudulent, those members had conducted a transaction at Day’s jewelry store,” said a Maine Credit Union League spokesman. Source:

15. February 14, KTLA 5 Los Angeles – (California) FBI: ‘Cooler Bandit’ wanted in 7 SoCal bank robberies. The FBI is asking for the public’s help catching a suspect believed to have robbed seven banks in Southern California since August 2009. The suspect has been dubbed the “Cooler Bandit” because he has been seen carrying a nylon-type lunch bag and water bottle during some of the robberies. The most recent robbery was on February 9 at a Bank of America in the 2400 block of West Florida Avenue in Hemet. Detectives said he has threatened to kill bank tellers if they did not hand over money. The “Cooler Bandit” is described as between 5’5” and 5’6” tall. He has a thin build, with black hair and brown eyes. He has worn sunglasses with orange lenses or clear glasses with black rims in some of the robberies. Source:,0,4282953.story

Information Technology

41. February 16, The Register – (International) Windows 0day could allow complete hijacking. Security researchers have warned of a new vulnerability afflicting older versions of Windows that could allow attackers to take complete control of machines running the operating systems. The flaw in the “BrowserWriteErrorLogEntry()” function within the Windows mrxsmb(dot)sys driver “could be exploited by remote attackers or malicious users to cause a denial of service or take complete control of a vulnerable system,” researchers from French security firm Vupen warned. The warning came after proof-of-concept code was posted February 14 to the Full-disclosure mailing list. Attacks are triggered by sending vulnerable machines malformed Browser Election requests that cause a heap overflow in the mrxsmb(dot)sys driver. The term “Browser” in this context does not refer to an application for browsing Web sites, but rather to the Computer Browser networking service used by older versions of Windows. The malformed Browser Election requests contain an “overly long Server Name string,” vulnerability tracking service Secunia said. Vupen, which rates the vulnerability as critical, has confirmed the bug in Windows Server 2003 SP2 and Windows XP SP3. Secunia rates it as moderately critical. Source:

42. February 15, – (International) ‘Reporter has stroke on TV’ turns into Facebook scam. During the Grammy Awards broadcast February 13, a Los Angeles, California television reporter appeared to be having a stroke during a live report. She slurred words and at times spoke gibberish, what physicians describe as classic stroke symptoms. Despite the fact she was fine, the video of her on-air meltdown has gone viral on YouTube, and has become a tool for at least one Facebook scam, according to security experts at Sophos software. Facebook users have started getting messages, which look like they are from friends, followed by a link. Users who click the link are redirected to a screen that indicates the video requires a “verified app” to be viewed. To get the app, users are prompted to click a button to download it. The scammers’ plan is to exploit interest in the video by tricking users into approving an application that will be able to access profiles and post messages onto the walls of Facebook accounts. Though users cannot see it, their own Facebook account is reaching out to all their friends, encouraging them to click on the link and view the same video. Source:

43. February 15, Help Net Security – (International) HBGary e-mails are a treasure trove for social engineers. The recent publication of the second batch of corporate e-mails exchanged between HBGary and HBGary Federal executives and various contacts in U.S. intelligence, military, and law enforcement organizations is a godsend to individuals who aim to launch social engineering attacks against those people, a security expert said. The e-mails contain a variety of personal and business contact information of individuals who work for various U.S. intelligence agencies, the Air Force, and other high-ranking government officials, and can also be used to extrapolate a likely web of social and business contacts between them and the business community. The topics of the e-mails themselves offer a great amount of useful knowledge about the organizations’ and the individuals’ needs and ways of thought, knowledge that can be deadly in the hands of an adept social engineer. Source:

For more stories, see items 47 and 48 below in the Communications Sector

Communications Sector

44. February 15, New York Magazine – (International) Iran tries internet censorship, execution as protesters demand democracy. After pro-democracy protests in Tehran, Iran, February 14, Iranian authorities have started blocking pro-opposition Web sites and electronic media, and greatly slowed broadband speed in major cities. Text-message and mobile-phone traffic was disrupted, and the word “bahman”, the current month in the Persian calendar, has been blocked. Authorities have tried to censor the actual protests and reporting of the events, blocking the top two news sites, jamming satellite TV broadcasts, and prohibiting photography. Conservative lawmakers have also called for the execution of two opposition leaders who asked for permission to demonstrate but were denied and did it anyway. Source:

45. February 15, MyBroadband – (International) Web Africa ADSL international connectivity problems. An outage on Web Africa’s SAT-3 link caused international connectivity downtime for subscribers. Internet Service Provider (ISP) Web Africa was experiencing an international bandwidth outage February 15 that was aggravated by routing problems which prevented failover to the SEACOM submarine fiber-optic cable that connects communication carriers in south and east Africa. Web Africa subscribers started reporting international connectivity problems February 15. Web Africa’s Web site confirmed the problems, assuring subscribers they were investigating the problem. According to Web Africa’s call center, they “can’t go into details”, but they said a portion of the SAT-3 link from Web Africa’s upstream providers was affected. The community coordinator for Web Africa posted the following in the MyBroadband forums: “At this stage we are aware that a portion of our upstream provider’s section of SAT3 is currently down. Unfortunately I don’t have an ETA as yet. We do have SEACOM fail-over, however due to routing issues there are problems in switching this over.” Source:

46. February 15, Radio World – (National) FCC asks for money for direction-finding gear. The Federal Communications Commission (FCC) wants to equip its enforcement agents with better gear. In the budget submitted to Congress by the U.S. President, the FCC asked for $350,000 for portable direction-finding gear. It said that the current equipment used by the enforcement bureau’s field offices to identify and resolve interference provides only limited portable or semi-fixed capability for direction finding. Source:

47. February 15, Softpedia – (International) Hackers create WiFi content spoofing device. A pair of creative hackers have built a device capable of connecting to wireless networks and altering the Web content users access, as part of a project to demonstrate how news can be manipulated. The device mimics a pass-through power socket, making it hard to notice, and has already been tested in cafes in Berlin, Germany, where its creators are based. Inside the 12-centimeter-long casing is a small circuit board with an Atheros chipset and an antenna. It runs a customized Linux distribution designed for embedded systems. When turned on, the device automatically searches for wireless networks and connects using passwords supplied in advance. A reverse SSH tunnel is established with a remote server, allowing attackers to control the device from a distance. The tunnel uses 2048-bit encryption and is routed over Tor nodes, making it virtually impossible to determine where the attacker is located. The device launches Address Resolution Protocol (ARP) spoofing attacks to position itself as a gateway between the other wireless clients and the real router. This allows attackers to manipulate content passing through it. Combined with other techniques, especially on open wireless networks, the device can also be used to hijack users’ sessions, read e-mails, and perform other attacks. Source:
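The ARP spoofing described in item 47 leaves a visible trace on the network: the gateway's IP address suddenly resolves to a second MAC address, and that MAC also owns another address on the LAN. The following added example (not code from the report or from the device's creators) shows a passive detector over a constructed sequence of ARP replies; the addresses and timestamps are made up.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.

Constructed example: SAMPLE_REPLIES are made-up ARP replies as a passive
monitor would record them. When a rogue host starts answering for the
gateway's IP with its own MAC, the gateway's IP-to-MAC binding flips,
and the rogue MAC ends up claiming two IPs. Both are detection signals.
"""
from collections import defaultdict

# Constructed sample: (timestamp, sender IP, sender MAC) from ARP replies.
SAMPLE_REPLIES = [
    ("10:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),   # real router
    ("10:00:05", "192.168.1.20", "de:ad:be:ef:00:20"),  # ordinary client
    ("10:00:09", "192.168.1.1", "aa:bb:cc:00:00:01"),
    ("10:00:12", "192.168.1.1", "de:ad:be:ef:00:20"),   # rogue claims gateway
    ("10:00:13", "192.168.1.1", "aa:bb:cc:00:00:01"),   # router still answers
    ("10:00:14", "192.168.1.1", "de:ad:be:ef:00:20"),
]

def detect_arp_spoofing(replies, gateway_ip):
    """Return alert strings for suspicious bindings of the gateway IP.

    Signal 1: the MAC most recently seen claiming the gateway IP changes.
    Signal 2: a MAC that claims the gateway IP also claims another IP,
    which is how a man-in-the-middle host on the same LAN presents itself
    (reported once per MAC).
    """
    current = {}                    # ip -> MAC most recently seen claiming it
    ips_for_mac = defaultdict(set)  # MAC -> every IP it has claimed so far
    flagged = set()
    alerts = []
    for ts, ip, mac in replies:
        ips_for_mac[mac].add(ip)
        prev = current.get(ip)
        current[ip] = mac
        if ip != gateway_ip:
            continue
        if prev is not None and prev != mac:
            alerts.append(f"{ts} gateway {ip} binding changed {prev} -> {mac}")
        if len(ips_for_mac[mac]) > 1 and mac not in flagged:
            flagged.add(mac)
            others = sorted(ips_for_mac[mac] - {gateway_ip})
            alerts.append(f"{ts} MAC {mac} claims gateway {ip} "
                          f"and also {', '.join(others)}")
    return alerts

if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_REPLIES, "192.168.1.1"):
        print(line)
```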

48. February 15, Help Net Security – (International) Two BBC sites serving malware via injected iFrame. A piece of malware detected by only 21 percent of the anti-virus solutions used by VirusTotal is currently being pushed onto unsuspecting visitors of the BBC 6 Music and BBC 1Xtra radio station Web sites. The visitor does not have to do anything except land on the Web site to become a victim of a drive-by download attack, since the Web sites have been injected with an iFrame that automatically loads the malicious code from a Web site parked on a co(dot)cc domain. According to Websense experts, the payload is delivered only the first time the user visits the site. “The code that is delivered to end users utilizes exploits delivered by the Phoenix exploit kit. A malicious binary is ultimately delivered to the end user,” they say, and add that the attack is part of a current mass-injection targeting vulnerable Web sites. Source:
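The injected iFrame in item 48 is typical of drive-by downloads: it points to a third-party host and is sized or styled so that the visitor never sees it. As an added example (not code from the BBC, Websense or VirusTotal), the scanner below flags iframes in a page that are off-site or hidden; the HTML and the placeholder hostnames are constructed.

```python
"""Scan a page's HTML for iframes that look like drive-by injections.

Constructed example. SAMPLE_HTML is made up: one legitimate, visible
embed from the site's own host, plus an injected 1x1, hidden iframe
pointing at a placeholder third-party host (stand-in for the co.cc
domain in the report).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE_HTML = """
<html><body>
<h1>Radio station schedule</h1>
<iframe src="https://www.example-radio.test/player" width="400" height="300"></iframe>
<p>Now playing...</p>
<iframe src="http://malicious-placeholder.example/x.php" width="1" height="1"
        style="visibility: hidden"></iframe>
</body></html>
"""

class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))

def _is_hidden(attrs):
    """True if the iframe is styled invisible or sized 1 pixel or smaller."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        width = int(attrs.get("width") or 100)
        height = int(attrs.get("height") or 100)
    except ValueError:          # percentages or other non-integer sizes
        return False
    return width <= 1 or height <= 1

def find_suspicious_iframes(html, site_host):
    """Return (src, reasons) for each iframe that is off-site or hidden."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or site_host   # relative src = same site
        reasons = []
        if host != site_host:
            reasons.append("off-site host " + host)
        if _is_hidden(attrs):
            reasons.append("hidden or 1x1 iframe")
        if reasons:
            findings.append((src, reasons))
    return findings
```

Run against a crawl of your own pages, a result with both reasons is the strongest signal; an off-site but visible iframe is usually a legitimate embed.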
