Wednesday, March 2, 2011

Complete DHS Daily Report for March 2, 2011

Daily Report

Top Stories

• Bloomberg reports Morgan Stanley experienced a “very sensitive” break-in to its network by the same China-based hackers who attacked Google Inc.’s computers more than 1 year ago, according to a cyber-security company working for the bank. See item 13 below in the Banking and Finance Sector

• According to Associated Press, a man armed with an assault rifle, handgun, and a knife walked into the Grant Parish Sheriff’s Office in Colfax, Louisiana, took a hostage, and wounded a deputy before being shot. (See item 31)

31. March 1, Associated Press – (Louisiana) Louisiana deputy shot in sheriff’s office. A man armed with an assault rifle, handgun, and a knife walked into the Grant Parish Sheriff’s Office in Colfax, Louisiana, February 28, took a hostage, and wounded a deputy before being shot. The suspect had the weapons plus extra magazines and ammunition for each firearm when he walked into the sheriff’s office at 3 p.m., state police said. After he started shooting, deputies in the building returned fire. The gunman, a 52-year-old man from Colfax, Louisiana, and the deputy were in the hospital, a state police trooper said in a news release. The suspect is listed in critical but stable condition and the deputy was listed as stable, state police said. It is unknown if the deputy was the hostage. A spokesman said that because it was an ongoing investigation he would not release more details on what happened. Police did not release a motive. Source:

Banking and Finance Sector

13. February 28, Bloomberg – (International) Morgan Stanley attacked by China-based hackers who hit Google. Morgan Stanley experienced a “very sensitive” break-in to its network by the same China-based hackers who attacked Google Inc.’s computers more than 1 year ago, according to e-mails stolen from a cyber-security company working for the bank. The e-mails from the Sacramento, California-based computer security firm HBGary Inc., which identify the first financial institution targeted in the series of attacks, said the bank considered details of the intrusion a closely guarded secret. “They were hit hard by the real Aurora attacks (not the crap in the news),” wrote a senior security engineer at HBGary, who said he read an internal Morgan Stanley report detailing the so-called Operation Aurora attacks. The nickname came from McAfee Inc., a cyber-security firm, which said the attacks occurred for about 6 months starting in June 2009 and marked “a watershed moment in cyber security.” The number of companies known to be hit in the attacks was initially estimated at 20 to 30 and now exceeds 200, said the senior vice president for Terremark Worldwide Inc., which provides information-technology security services. The HBGary e-mails do not indicate what information may have been stolen from Morgan Stanley’s databanks or which of the world’s largest merger adviser’s multinational operations were targeted. Source:

14. February 28, Cypress Times – (International) Alleged supporter of terrorist group extradited from Paraguay. Following a joint investigation by U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI) and the FBI, a former resident of Brooklyn, New York, has been charged with conspiring to provide material support to Hizballah. The 38-year-old is a dual citizen of the United States and Lebanon. The suspect is among several defendants charged in the conspiracy. He was indicted November 24, 2009, along with nine co-defendants. The suspect was taken into U.S. custody in Asuncion, Paraguay February 24 by U.S. Marshals who escorted him to Washington D.C. At the time of the indictment, the suspect had left the United States. On June 15, 2010, Paraguayan authorities arrested him for material support of terrorism. He is charged in 28 of 31 counts in the indictment, including conspiring to provide material support to Hizballah in the form of proceeds from the sale of counterfeit money, stolen (genuine) money, and fraudulent passports. According to the indictment, the suspect and several other defendants were also charged with several counts of transporting stolen goods, trafficking in counterfeit goods, and making false statements to government officials. Source:

15. February 26, Federal Bureau of Investigation – (New Jersey) Mortgage company president sentenced for orchestrating $136 million fraud scheme. A Montclair, New Jersey, man was sentenced February 26 to 168 months in prison for his role in orchestrating the $136 million fraud scheme that bankrupted Pine Brook, New Jersey-based United States Mortgage Corp. and its subsidiary, CU National Mortgage, LLC, the U.S. attorney announced. The 47-year-old man, the former president and controlling shareholder of United States Mortgage, previously pleaded guilty before a U.S. district judge to one count of mail and wire fraud conspiracy and one count of money laundering. The same judge imposed the sentence February 26 in Newark federal court. According to documents filed in this and related cases and statements made in court: From as early as 2002 through January 27, 2009, the man conspired to fraudulently sell Fannie Mae hundreds of loans belonging to various credit unions. Other members of the conspiracy included United States Mortgage’s chief financial officer (CFO) and its servicing manager. The lead conspirator directed the former CFO, who provided numerous reports to credit unions falsely stating that loans that had been sold were still in the credit unions’ portfolios, to falsify records to conceal the fraudulent sales. The lead conspirator admitted he devised the scheme to prop up United States Mortgage, and that he used the proceeds to fund United States Mortgage’s operations, his personal investments, and investments he made on United States Mortgage’s behalf. Source:

For another story, see item 43 below in the Information Technology Sector

Information Technology

37. March 1, Help Net Security – (International) Reset Gmail accounts to be restored completely. Gmail users that managed to enter their accounts only to find them devoid of any content can find relief, as Google said things will be back to normal for all affected users very soon. According to Google, the bug that triggered the event managed to affect many copies of the data in multiple data centers, but the information has also been backed up on tapes which have not been affected since they are offline. “But restoring data from them also takes longer than transferring your requests to another data center, which is why it’s taken us hours to get the email back instead of milliseconds,” explained Google. It blamed the bug on a storage software update that was being deployed at the time. Source:

38. March 1, Softpedia – (International) LastPass fixes serious cross-site scripting vulnerability. Password management service LastPass has fixed a serious cross-site scripting vulnerability on its Web site which could have been exploited to obtain sensitive information about other people’s accounts. LastPass allows users to generate secure passwords for each of their accounts and store them inside an encrypted container controlled by a master password. The company offers extensions for all major browsers, which help with auto-fill and other operations, but the login details can also be accessed via its Web site. The flaw on lastpass(dot)com was discovered by an independent security researcher from the United Kingdom, who notified the company. The vulnerability, which LastPass said was a reflected cross-site scripting (XSS) one, could have been exploited by loading the vulnerable page in a frame on another Web site. If the victim browsed that site while logged into LastPass, the attacker could have retrieved the e-mail address, password reminder, list of sites, and log-in history. In a post on its official blog, LastPass assured users the vulnerability was fixed before it could be exploited. Source:
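The two conditions the LastPass item describes (a page that reflects untrusted input into its HTML, and a page that can be loaded in a frame on another site) are both visible in a few lines of server code. The following is an added example, not code from the report or from LastPass: a constructed request handler in its reflecting form next to a hardened form that escapes the parameter and sends anti-framing headers, plus the two checks a reviewer or test suite would run against each. The handler, parameter name `q`, and the sample query string are all assumptions made for the illustration.

```python
"""
Added example (not from the report): reflected-parameter handler before and
after hardening, with the checks a defender would apply to the response.
"""
import html
from typing import Dict, Tuple
from urllib.parse import parse_qs

# Constructed sample query string: the "q" parameter carries a URL-encoded
# script element, the shape of input a reflected-XSS test would submit.
SAMPLE_QUERY = "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"


def vulnerable_page(query_string: str) -> Tuple[str, Dict[str, str]]:
    """'Before' state: the raw parameter is written straight into the body,
    and no header stops a third-party site from framing the response."""
    params = parse_qs(query_string)          # parse_qs URL-decodes values
    q = params.get("q", [""])[0]
    body = f"<html><body><p>You searched for: {q}</p></body></html>"
    return body, {"Content-Type": "text/html; charset=utf-8"}


def hardened_page(query_string: str) -> Tuple[str, Dict[str, str]]:
    """'After' state: HTML-escape the parameter (quote=True also escapes
    quotes so it is safe inside attributes) and refuse to be framed via both
    the legacy X-Frame-Options header and CSP frame-ancestors."""
    params = parse_qs(query_string)
    q = params.get("q", [""])[0]
    safe_q = html.escape(q, quote=True)
    body = f"<html><body><p>You searched for: {safe_q}</p></body></html>"
    headers = {
        "Content-Type": "text/html; charset=utf-8",
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'; default-src 'self'",
    }
    return body, headers


def contains_raw_script(body: str) -> bool:
    """True if an unescaped <script tag survives in the rendered body."""
    return "<script" in body.lower()


def allows_framing(headers: Dict[str, str]) -> bool:
    """True if neither anti-framing control is present on the response."""
    xfo = headers.get("X-Frame-Options", "").upper()
    csp = headers.get("Content-Security-Policy", "")
    return xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_page), ("hardened", hardened_page)):
        body, headers = handler(SAMPLE_QUERY)
        print(f"{name}: raw script reflected={contains_raw_script(body)}, "
              f"framing allowed={allows_framing(headers)}")
```

Both checks are cheap enough to run as a regression test on every page that echoes request data; the framing check in particular catches the case the item describes, where the XSS itself was fixed but the page could still be embedded by another origin.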

39. March 1, H Security – (International) 19 vulnerabilities - Chrome 9 update proves expensive for Google. Google has released version 9.0.597.107 of its Chrome browser, which fixes a total of 19 security vulnerabilities, 16 of them rated as high risk. It was possible to crash the browser using JavaScript dialogues and SVG files, or to use the address bar for URL spoofing. Also fixed is an integer overflow when handling text areas. Google is keeping full details of the vulnerabilities secret until the bulk of users have switched to the new version. Source:

40. March 1, Help Net Security – (International) Malware family integration across botnets. Analysis by Symantec reveals that in February, 1 in 290.1 e-mails (0.345 percent) was malicious, making February among the most prolific time periods both in terms of simultaneous attacks and malware family integration across Zeus (aka Zbot), Bredolab, and SpyEye. Also in February, there were at least 40 variants of malware associated with the Bredolab Trojan, accounting for at least 10.3 percent of e-mail-borne malware blocked by MessageLabs Intelligence in February. These latest findings reveal that, contrary to recent beliefs, Bredolab is not dead, and techniques previously associated with Bredolab malware have now become more common among other major malware families. Since the end of January, MessageLabs Intelligence has tracked significant volumes of collaborative attacks that make use of well-timed and carefully crafted targeted techniques. As February began, the attacks increased in number and these malware families were used aggressively to conduct simultaneous attacks via propagation techniques, signaling the likelihood of a common origin for these infected e-mails. Source:

41. February 28, The Register – (International) Tainted ads punt scareware to surfers on LSE and Myvue sites. Several highly trafficked United Kingdom sites – including the Web site of the London Stock Exchange – served malware-tainted ads as the result of a breach of security by a third-party firm they shared in common. Surfers visiting auto-trading site Autotrader(dot)co(dot)uk and the cinema site Myvue(dot)com were also exposed to the attack, which stemmed from a breach at their common ad provider, Unanimis, rather than at any of the three sites themselves. Unconfirmed reports suggest eBay(dot)co(dot)uk was also affected. The malicious ads made several concealed redirects before dropping surfers on a portal soliciting rogue anti-virus (scareware). By attacking third-party networks rather than Web sites, cyber criminals can increase the potency of attacks, according to an official from Websense Security Labs. Source:

42. February 28, Computerworld – (International) Infected Android app runs up big texting bills. A rogue Android application tweaked by hackers can hijack a smartphone and run up big texting bills before the owner knows it, Symantec said February 28. The newest in a line of compromised Android apps, said a principal security response manager at Symantec, is Steamy Window, a free program that Chinese hackers modified, then re-released into the wild. The cyber criminals grabbed a copy of Steamy Windows, then added a backdoor trojan horse — “Android(dot)Pjapps” by Symantec’s label — to the app’s code. The reworked app is placed on unsanctioned third-party “app stores” where unsuspecting or careless Android smartphone owners find it, download it, and install it. The trojan planted by the malware-infected Steamy Windows can install other applications, monkey with the phone’s browser bookmarks, surreptitiously navigate to Web sites, and silently send text messages, said the Symantec response manager. The last is how the criminals make money. “The Trojan lets them send SMS [short message service] messages to premium rate numbers,” he said, for which the hackers are paid commissions. Source:

43. February 28, Softpedia – (International) Russian underground cybercriminal forum hacked. A closed underground forum that served as a hangout for some of the most notorious Russian cybercriminals was hacked and its entire database was leaked. According to LifeNews(dot)ru, MAZA(dot)la was compromised February 18 by hackers from a rival forum called Direct Connection. Direct Connection is home to the CyberLords Team, the hacking crew of one of the fraudsters who stole $10 million from RBS WorldPay. MAZA(dot)la also had its notorious members, such as “BadB,” founder of the CarderPlanet underground marketplace. Russian spammer and malware writer “Severa,” was also a MAZA(dot)la forum regular, as well as well known identity thieves “zo0mer” and “My0,” who are still wanted by U.S. authorities. In total, MAZA(dot)la had over 2,000 members whose information and private communications are now in the hands of law enforcement authorities. The site was taken offline shortly after the hack and currently remains down. Source:

For another story, see item 13 above in the Banking and Finance Sector

Communications Sector

44. February 28, Miami Herald – (International; North Carolina) Feds investigate Haitian campaign robo-calls in the U.S. The U.S. Federal Communications Commission is investigating a series of fervent campaign “robo-calls” in 2010 by a Haitian presidential candidate, which led to evacuations at the Fort Bragg military base in North Carolina, the Miami Herald has learned. In the weeks prior to Haiti’s November election, anyone who had ever placed a call to Haiti received a string of pre-recorded calls from the presidential candidate. After the January 12 earthquake, the list included countless Haitian Americans, journalists, non-profit groups, and the U.S. military. On November 17, the Army criminal investigations team swept the cleared buildings for explosives and listened to recordings left on voice mailboxes, a spokesman said. But the U.S. Telephone Consumer Protection Act has specific rules for automated pre-recorded calls: They cannot go to cellular phones when the receiver has to pay for the call. On residential lines, there needs to be full disclosure on whom the call is coming from and how to reach that person. The law applies not only to calls made within the United States, but also to calls made from outside the country to U.S. phones. Source:

45. February 28, Albany Times-Union – (New York) Glitch interrupts Oscars on WTEN. Some television viewers in Albany, New York, had a frustrating time tuning into the Oscars February 27 when a Time Warner Cable equipment failure interrupted reception for almost an hour. Service to News 10 (WTEN) abruptly cut out at about a quarter to 8 p.m., just before the Academy Awards began, the station’s news director said. The station quickly posted online alerts that directed viewers to Channel 554 and to streaming video on its Web site. A piece of equipment had failed in the Albany area, a spokeswoman for Time Warner Cable in the Northeast said. She did not know specific details about the situation. “Engineers quickly jumped on the issue, identified the piece of equipment that failed, turned around, and made sure service was restored,” the news director said. She estimated that service was down for less than an hour. Source:

46. February 28, Reno Gazette-Journal – (Nevada) Fire knocks out KNPB service outside of Reno area. A weather-related fire February 27 that destroyed a KNPB broadcast transmitting filter caused viewers of the television station outside the Reno, Nevada, area to lose the station’s signal for several days. The programming vice president said February 28 the filter system destroyed on Red Peak eliminated the broadcast of KNPB channels for viewers who do not subscribe to Charter Cable channels and those who have certain satellite systems. The programming president said the signal was knocked out at 8:38 p.m. February 27 during the premiere of the station’s new production of “Stewards of the Rangeland.” A snow and ice storm caused a chemical fire that did not require the response of the fire department. The station has ordered a replacement for the filter, which could take a week or more to obtain. During that time, the signal will still be lost to certain viewers. Source:

For another story, see item 42 above in the Information Technology Sector
