Thursday, June 30, 2011

Complete DHS Daily Report for June 30, 2011

Daily Report

Top Stories

• The Charleston State Journal reports federal investigators said coal dust and the failings of Massey Energy were responsible for an April 2010 explosion in a West Virginia mine that killed 29 miners. (See item 2)

2. June 29, Charleston State Journal – (National) MSHA: Coal dust caused UBB mine disaster not methane gas. Federal investigators said it was a coal dust explosion, not a methane gas inundation reported by Massey Energy, that caused an explosion at the Upper Big Branch (UBB) Mine in Montcoal, West Virginia, in April 2010. The U.S. Mine Safety and Health Administration (MSHA) director, and an agency spokesman, held a news conference to inform the public of their latest findings in the investigation of the UBB disaster that killed 29 miners. Numerous details were released although the report, said to be more than 200 pages in length, will not be finished until October. One of the more shocking revelations was a second set of books kept by management at the Massey owned mine. The MSHA spokesman said there is no violation for having numerous sets of books. However, at issue was the fact that safety violations and hazards were not reported in the main book made available to miners, safety inspectors, and others. A production book turned over to MSHA by Massey showed numerous hazards underground that were not noted in the official log. Three separate examples were shown to the media June 29. The report concluded that the main issue was a lack of rock dusting. In fact, 17 violations tied to rock dusting occurred within a year of the blast that killed 29 miners. The MSHA spokesman stopped short of saying the explosion was preventable, but was adamant that the devastation would not have been as great if Massey had operated properly. “No one should have been injured and definitely no one should have died in this explosion,” he said. More than a year after the investigation began, the spokesman said he does not feel as confident about the happenings underground in current mining operations. Source:

• According to Computerworld, hackers obtained the names, e-mail addresses, and other personal data of DefenseNews Web site subscribers, including many active and retired U.S. military personnel and defense contractors. See item 47 below in the Information Technology Sector


Banking and Finance Sector

14. June 29, Associated Press – (National) Bank of America in $8.5B mortgage settlement. Bank of America and its Countrywide unit will pay $8.5 billion to settle claims that the lenders sold poor-quality mortgage-backed securities that went sour when the housing market collapsed. The Charlotte, North Carolina, bank said the settlement with 22 investors is subject to court approval and covers 530 trusts with original principal balance of $424 billion. As a result of the settlement, Bank of America put its second-quarter loss at $8.6 billion to $9.1 billion. Excluding the settlement and other charges, the bank expects to post a quarterly loss of $3.2 billion to $3.7 billion. Source:

15. June 29, Charlotte Observer – (North Carolina) 3 others accused of mortgage fraud. In the latest fallout from the housing bubble, federal prosecutors in Charlotte, North Carolina, June 28 filed charges against three more defendants for mortgage fraud-related offenses. One of the cases is part of the wide-ranging mortgage fraud investigation known as Operation Wax House. The other involved two defendants accused of similar offenses. In the Wax House case, an Atlanta, Georgia woman was charged with one count of mortgage fraud conspiracy, according to a criminal bill of information. She is accused of being a "straw buyer" in one of the mortgage cells. Federal prosecutors said Operation Wax House could ultimately net up to 70 defendants, including promoters, mortgage brokers, closing attorneys, notary publics, and straw buyers. The 4-year-old probe has centered on seven high-priced south Charlotte and Union County neighborhoods. It involved about 80 homes and $100 million in loans. Separately, the U.S. attorney's office filed mortgage fraud conspiracy charges against two men for operating a mortgage fraud cell in Mecklenburg and Union counties that targeted the Providence Downs neighborhood, according to a bill of information. Using an entity called Direct Home Service, they arranged for borrowers to buy property at inflated prices and induce lenders to make loans for the purchases, according to the bill. The participants would then split the difference between the true price and the inflated price. They generated proceeds of $5.4 million. The bill also charges one of the men with failure to report income from the scheme to the Internal Revenue Service. Source:

16. June 28, Associated Press – (Connecticut; International) SEC secures $230M in Conn. fraud investigation. Federal financial regulators have secured $230 million from an offshore bank account linked to a Connecticut-based financier who is accused of running a massive investment fraud, authorities said June 28. The U.S. Securities and Exchange Commission said the money should help victims of a Venezuelan-American accused of running a pyramid scheme that exposed investors to hundreds of millions of dollars in potential losses. A pension fund for Venezuela's state oil workers accounted for most of the investment. The financier who lives in New Canaan, Connecticut, faces up to 70 years in prison after pleading guilty in March 2011 to criminal charges, including several counts of fraud and conspiracy to obstruct justice. He was accused of transferring money among investment accounts without telling clients to cover up huge financial losses and then falsifying documents to deceive investors, creditors, and investigators. Source:

17. June 28, Atlanta Journal-Constitution – (Georgia) Atlanta man convicted of credit schemes, ID thefts. A federal jury June 28 found a 37-year-old Atlanta, Georgia man guilty of bank fraud, credit card fraud, and aggravated identity theft in schemes that cost American Express, SunTrust Bank, and hundreds of individuals millions of dollars. He faces maximum sentences of 2 years for aggravated ID theft, 30 years on each of the conspiracy and bank fraud counts, and 50 years total on the credit card fraud counts. He also faces total fines of up to $33 million. From November 2008 through February 2010, the man ran several fraud schemes in Atlanta, prosecutors said. An undercover FBI agent, posing as an employee of a company with financial data, offered to make sensitive data available to the man. He gave the agent dozens of counterfeit credit cards, and discussed a variety of criminal schemes. Trial evidence showed that in one scheme, the man purchased information such as account numbers from a source in the Ukraine, then encoded phony credit cards with the data and used them. Also, he got hold of internal SunTrust account information and impersonated account holders, resulting in money transfers to accounts under his control. In another scheme, he set up fictitious merchant accounts with American Express and used stolen American Express credit card account numbers to run credit card transactions through the accounts, resulting in American Express paying millions of dollars to the fictitious merchants. Source:

18. June 28, Oklahoma City Oklahoman – (Oklahoma) Electrical fire causes evacuation at Arvest Bank in Norman. An electrical wire fire behind Arvest Bank in Norman, Oklahoma, caused a loss of power and the brief evacuation of employees shortly before 1 p.m. June 28. A senior vice president (VP) of operations with the bank said it is the second electrical fire in 2 days in the alley behind the bank at 200 E Main Street. Oklahoma Gas and Electric (OG&E) crews were called to repair lines June 27 when a fire broke out in the alley, the senior VP said. Crews were called back June 28 when another fire erupted, sparking lines and causing a loss of power. Employees were evacuated for about 10 minutes while firefighters extinguished the blaze. An outside back wall of an adjacent building was singed. No one was injured, and no other damage was reported. The senior VP said the bank is continuing to operate with power provided by a generator while OG&E crews repair the lines.


19. June 28, Associated Press – (Pennsylvania) ID theft bandit who romanced bank workers, had them steal victim information, convicted in Pa. A "Don Juan"-style bandit was convicted June 28 in Philadelphia, Pennsylvania, of running a large ID theft ring with the help of girlfriends working on the inside at various banks. Federal prosecutors said the 35-year-old Philadelphia man stole more than $1 million from victims after his paramours slipped him account information. He faces a mandatory 2 years in prison, and up to 330 years in all. Fifteen people have pleaded guilty in the case, including three women friends — a PNC bank branch manager, a Wachovia Bank teller, and a Colonial Penn Insurance Co. employee. The man's lawyer questioned the credibility of fellow defendants who testified against him. They included lieutenants who recruited drug addicts to serve as "check runners". Source:

For more stories, see items 43 and 44 below in the Information Technology Sector

Information Technology Sector

43. June 29, Softpedia – (International) FBI questions Iowa woman about LulzSec Hackers. A 29-year-old woman from Iowa had her home raided by the FBI and was questioned in connection with an investigation into attacks carried out by former LulzSec members. According to Gawker, the woman from Davenport, Iowa, was paid a visit by the FBI June 23. In addition to executing a search warrant, the agents were there to ask her about hackers who broke into HBGary earlier in 2011. She was a person of interest because she hung out in an IRC channel where hackers discussed the attack as it was happening. She later leaked the logs from that chat room, becoming their enemy. That is why, when it was proposed that she infiltrate the hacker group, she said such a plan would not work. However, the request itself seems to indicate the FBI is seeking to get informants inside Anonymous. Source:

44. June 29, Softpedia – (International) Operation Phish Phry lead defendant jailed for thirteen years. The lead defendant in a major phishing case known as Operation Phish Phry received 13 years in prison. The 27-year-old man from Los Angeles, California, received an 11-year sentence the week of June 20 for his role in an international phishing scheme shut down in 2009 by the FBI and Egyptian law enforcement authorities. More than 100 people were charged with crimes related to the scheme in the fall of 2009 in the United States and Egypt, the largest number of individuals ever to be indicted in a single cyber crime case. The man was named as a defendant together with 52 other individuals in an indictment returned in Los Angeles. He pleaded guilty to 49 counts of bank and wire fraud, aggravated identity theft, computer fraud, and money laundering. Forty-six other defendants have been convicted in the same case so far, many of whom were hired by the man to receive money stolen from U.S. accounts and wire it to Egypt. The fraudsters distributed phishing e-mails that instructed recipients to input their account details on fake Bank of America or Wells Fargo Web sites. The losses are estimated at more than $1 million. In addition to the Operation Phish Phry sentence, the man also received 5 years in prison the week of June 27 for growing marijuana in his house. Two years of the second sentence are to run consecutively to his 11-year sentence, bringing his expected jail time to 13 years. Source:

45. June 28, IDG News Service – (International) Groupon India data published on Internet, said researcher. The user database of Groupon's Indian subsidiary, SoSasta, was published on the Internet and indexed by Google, according to an Australian security consultant. He said he had no clue as to how the database was published on the Internet. The consultant contacted Risky.Biz, a security news and podcast Web site presented by a man in Australia, after the SoSasta discovery to seek advice on disclosure. The Web site contacted the CEO of Groupon who called back personally within 24 hours of initial contact, according to a report on the Web site. SoSasta was acquired by Groupon in January this year, but continues to use the original brand on its group-buying deals Web site. Groupon said it was alerted June 24 about the security issue, and corrected the problem immediately. SoSasta runs on its own platform and servers and is not connected to Groupon sites in other countries, Groupon said. This issue does not affect data from any other country or region, it added. Source:

46. June 28, Softpedia – (International) Hacker group publishes stolen PayPal and MySpace credentials. A group of hackers has leaked tens of MySpace and PayPal login credentials that were allegedly captured by sniffing packets on open wireless networks. Called D3V29, the group has openly declared its affiliation with Operation Anti-Security (AntiSec), the hacking campaign originally started by LulzSec and carried forward by Anonymous. D3V29 posted the "dumps" on pastebin(dot)com, and advertised the links on its Twitter feed. The group told SC Magazine AU that it obtained the credentials by scanning public wireless networks in restaurants and stores with self-made software. The software is described as batch code that connects to the network and intercepts log-in data. The description resembles that of ARP spoofing attacks. Source:

47. June 28, Computerworld – (International) Hackers steal info on military, defense personnel. E-mail addresses and names of subscribers to DefenseNews, a highly-regarded Web site that covers national and international military and defense news, were accessed by hackers and presumed stolen, Gannett announced June 27. DefenseNews' subscribers include active and retired military personnel, defense contractors, and others in the United States' and other countries' defense establishments. "We discovered the attacker gained unauthorized access to files containing information of some of our users," said Gannett Government Media, an arm of the media chain that publishes DefenseNews, and the Military Times and Federal Times Web sites, as well as a number of military-specific magazines and journals, ranging from the Army Times to the Intelligence, Surveillance and Reconnaissance Journal. In a message posted to its site June 27, Gannett acknowledged the accessed information included first and last names, e-mail addresses, account passwords, and duty status branch of service for military personnel. Gannett urged registered users to reset their site passwords, "as well as your other online accounts, particularly those that use the same email address used for your Gannett Government Media Corporation account." The attack was first detected June 7. Source:

Communications Sector

48. June 28, South Florida Sun-Sentinel – (Florida) Will AT&T Wireless reimburse South Florida customers for four-hour outage? AT&T Wireless blames faulty equipment for a 4-hour service outage June 28, affecting many South Florida customers. The equipment failure occurred along the company’s network in southern Broward County, and lasted from 6 p.m. to 10 p.m., the AT&T spokeswoman said. She said the company did not know how many customers were affected, and has no current plan to credit customers for the 4 hours they were not able to make calls or send texts. The service failure affected the company’s mobile broadband customers, which include 3G and HSPA+, the latter being AT&T’s current version of 4G service. Source:

49. June 28, Associated Press – (South Dakota) Severed cable causes outage in Black Hills. An electrical company worker cut a fiber optic line and telephone line in western South Dakota, disrupting phone and Internet service for thousands of people in the Black Hills region June 27. People in Rapid Valley also lost their ability to dial 911, though the Qwest spokesman said that problem was fixed by mid-afternoon. Qwest crews installed a temporary fiber optic line and plan a permanent fix later. State regulators said the incident will be investigated. Source:

Wednesday, June 29, 2011

Complete DHS Daily Report for June 29, 2011

Daily Report

Top Stories

• The Associated Press reports firefighters in New Mexico were battling a wildfire that threatened the Los Alamos nuclear laboratory, and an above-ground storage site holding as many as 30,000 55-gallon drums of plutonium-contaminated waste. (See item 51)

51. June 28, National Public Radio and KANW 89.1 Albuquerque – (New Mexico) Evacuations ordered as fire threatens Los Alamos. Firefighters in northern New Mexico were battling June 28 to stall a raging wildfire before it reaches the town that is home to the government laboratory that produced the first atomic bomb. The 44,000-acre Las Conchas wildfire burned in the mountains above Los Alamos as firefighters spent much of their time putting out spot fires, “the biggest threat we have right now to homes in the community,” the deputy Los Alamos County fire chief said late June 27. About 13,000 people have been moved from Los Alamos. Those who refused to leave will be monitored by police and the National Guard, officials said. Strong winds were forecast for June 28. Meanwhile, air tankers were set to drop fire retardant and water on the fire. The wildfire has destroyed 30 structures south and west of Los Alamos. Blowing embers sparked at least one fire at the Los Alamos National Laboratory, but it was quickly put out. The spot fire scorched a section known as Tech Area 49, which was used in the early 1960s for a series of underground tests with high explosives and radioactive materials. The fire has forced the lab to close, but officials said radioactive materials stored there are safe. But the anti-nuclear watchdog group Concerned Citizens for Nuclear Safety said the fire appeared to be about 3.5 miles from a dumpsite where as many as 30,000 55-gallon drums of plutonium-contaminated waste were stored in fabric tents above ground. The group said the drums were awaiting transport to a dump site in southern New Mexico. Lab officials at first declined to confirm that such drums were on the property, but in a statement early June 28, a lab spokeswoman said such drums are stored in a section of the complex known as Area G. She said the drums contain cleanup from Cold War-era waste that the lab sends away in weekly shipments to the Waste Isolation Pilot Plant. Source:

• According to the Associated Press, a former Citigroup vice president embezzled $19.2 million from the bank through a series of secret money transfers, federal prosecutors said June 27. See item 16 below in the Banking and Finance Sector


Banking and Finance Sector

12. June 28, Associated Press – (New York) Ex-NYC lawyer admits tax evasion in banking scheme. A disbarred New York City, New York lawyer agreed June 27 to pay nearly $10 million in penalties for his part in a Swiss banking scheme. The New York Post reported that the lawyer acknowledged in federal court June 27 that he didn’t pay “a substantial amount of taxes” from 2006 through 2008. He said he knew his actions were unlawful and asked to apologize to the court. His plea deal calls for up to 37 months in prison. He was charged with evading more than $2.3 million in federal income taxes on $26.4 million that prosecutors said he stashed in overseas accounts at banking giant UBS. Six others have been charged in the scheme to conceal more than $100 million in Swiss-based assets. Two have pleaded guilty, and two have pleaded not guilty. Source:

13. June 28, Asbury Park Press – (New Jersey) Manalapan mortgage firm officers charged with $7.5 million refinancing scheme. A Monmouth County, New Jersey grand jury handed up a 100-count indictment June 27 charging seven people in a multimillion-dollar mortgage refinance fraud scheme operating out of a Manalapan-based business, prosecutors said. They are charged in a more than $7.5 million scheme to defraud homeowners and others by arranging to refinance mortgages and then failing to pay off the original mortgages, according to a Monmouth County prosecutor. The scheme also involved stealing the identities of some mortgage-refinance applicants and using them to get lending institutions to fund refinances that never occurred, the prosecutor said. A year-long investigation by the Monmouth County Prosecutor’s Office into the business practices of Hawthorne Capital Corp. uncovered multiple instances of theft and attempted theft by two employees and the conspiracy involving the other defendants named in the indictment, the prosecutor said. One employee is charged with two counts of conspiracy. Two others are each charged with 27 counts of theft, 16 counts of attempted theft, 16 counts of forgery, four counts of conspiracy, two counts of money laundering, and other charges. Source:

14. June 28, Dow Jones Newswires – (National) U.S. mortgage-fraud reports up 31% in 1Q -report. Reports of mortgage fraud in the United States rose 31 percent in the first 3 months of this year as banks scoured their files for shady loans made during the housing boom, according to a government report released June 28. The Financial Crimes Enforcement Network, a Treasury Department agency, reported 25,485 “suspicious activity reports” related to suspected mortgage fraud in the January-March 2011 period. That was up from 19,420 in the same quarter a year earlier. The increase was attributed to large mortgage servicers performing thorough reviews of loan files after receiving demands from mortgage investors to repurchase mortgages that have fallen into default. In the January-March period, 86 percent of mortgage-fraud reports involved activities that occurred more than 2 years ago. Source:

15. June 28, IDG News Service – (International) MasterCard slammed again as punishment over WikiLeaks. MasterCard’s main Web site was unavailable June 28 as it appeared hackers were again targeting the company for its refusal to process donations for the whistle-blowing site WikiLeaks. MasterCard along with companies such as Visa, PayPal and the Swiss Bank PostFinance stopped processing payments for WikiLeaks shortly after the site began releasing portions of 250,000 secret U.S. diplomatic cables in November 2010. The hacking collective known as Anonymous spearheaded a drive to conduct distributed denial-of-service attacks against those sites. WikiLeaks wrote on Twitter June 28 that “hacktivists” had taken down MasterCard “over the continuing WikiLeaks fiscal embargo.” In another Twitter posting, it said the “unlawful banking blockade” was in its sixth month and named Visa, MasterCard, PayPal, Bank of America, and Western Union as targets. Source:

16. June 27, Associated Press – (National) Citigroup ex-VP arrested in NYC on fraud charges. A former Citigroup vice president (VP) embezzled $19.2 million from the bank in a one-man “inside job” involving a series of secret money transfers, federal prosecutors said June 27. The 35-year-old man from Englewood Cliffs, New Jersey, surrendered June 26 at John F. Kennedy International Airport in New York after arriving on a flight from Bangkok, Thailand. Officials at Citigroup Inc. — where the man was vice president of the treasury finance department until quitting in January — said in a statement they were “outraged by the actions of this former employee” and hoped to see him “prosecuted to the full extent of the law.” The former VP “used his knowledge of bank operations to commit the ultimate inside job,” a U.S. attorney said in a statement. According to a criminal complaint, the former VP’s department financed loans and processed wire transfers within Citigroup. From May 2009 through the end of 2010, he siphoned funds from various Citigroup accounts, placed them in the bank’s cash account, and then wired the money into his private account at another bank in New York, the complaint alleged. In one November 2010 transaction, he wired $3.9 million from a Citigroup fund in Baltimore, Maryland to his New York account, the complaint said. That fraudulent transfer, and seven others went undetected until a recent internal audit, it said. Source:

17. June 27, CNN Money – (National) Citi: Millions stolen in May hack attack. Citigroup acknowledged June 27 that a hacking incident last month stole millions of dollars from customers’ credit card accounts. Citigroup told CNN that about $2.7 million was stolen from about 3,400 accounts on May 10. The hackers actually accessed a much larger number of accounts: 360,083. Fewer than 1 percent of the hacked accounts had money removed from them, according to Citigroup. The bank reiterated that customers will not be responsible for financial losses from the attacks. Citigroup announced June 16 that more than 200,000 new credit cards had been issued to hacked customers. In some cases, customers had already closed their account or had received a new credit card, so they didn’t need the Citi-initiated replacement. Citigroup waited until June 3, more than 3 weeks after its discovery of the hack, to start sending out notification letters. However, the company insisted that it acted quickly to deal with the security problem. Source:

Information Technology Sector

40. June 28, Help Net Security – (International) Thousands of Tumblr accounts compromised. Tumblr users have been targeted with an aggressive phishing campaign within the last week, and are still being lured into entering log-in credentials for access to adult content, Help Net Security reported June 28. The scheme appears to be successful, as GFI researchers accessed a dropzone for the stolen credentials and discovered a massive amount of data. The scammers used the compromised Tumblr accounts to set up more and more phishing pages. Various domains were also used to perpetuate the scam, including tumblriq(dot)com, tumblrlogin(dot)com, and tumblrsecurity(dot)com — all registered in the last few weeks to bogus clients. “The problem has become so pervasive that regular Tumblr users are setting up dedicated anti phishing sites to advise users of the problem,” the researchers said. Also, Tumblr created an automated reply for people reporting the scheme, in which it advises affected users to reset the password for their account, to remove the fake log-in template by choosing a new theme, and to “unfollow” all the blogs their account is following thanks to the scammers. Source:

41. June 28, Computerworld – (International) DHS releases software security scoring system. The DHS, along with the SANS Institute and Mitre, released a scoring system June 26 designed to help enterprises verify whether the software they are using meets reasonable standards for secure coding. The organizations released an updated list of the Top 25 most dangerous programming errors found in software, and a measuring system that lets enterprises score the security of their software based on the presence or absence of those flaws. The goal is to give enterprises information that will let them make more informed decisions regarding the security of their software, said the director of research at SANS. The hope is that organizations within the private sector and government will use the Top 25 list and scoring system during the software procurement process, he said. Source:

42. June 28, Softpedia – (International) Former YouSendIt CEO pleads guilty to DoS attacks. The co-founder of digital content delivery service YouSendIt admitted to launching a denial of service attack against the company’s servers. The man, 32, served as YouSendIt’s CEO from its creation in 2004 until August 2005. He then acted as its chief technology officer until November 2006 when he left to work as a consultant. In March 2009, he founded a new company called FlyUpload which offered the same content distribution services as YouSendIt. Eight months later, in November 2009, the entrepreneur was indicted on four counts of transmission of code to cause damage to a protected computer. The complaint claimed he used an Apache benchmarking tool to overload YouSendIt’s servers with requests on four separate occasions between December 2008 and June 2009. The man pleaded guilty June 24 to one of the four counts. He faces a maximum of 5 years in prison, followed by 3 years of supervised release and a fine of up to $250,000. The program the man admitted to using is called ApacheBench and is designed to test how many requests per second a server is capable of handling, an operation commonly referred to as stress testing. He was released on $100,000 bail and is scheduled to be sentenced September 29. Source:

43. June 27, Softpedia – (International) Android malware delivery techniques used for advertising fraud. Security researchers warn that application repackaging, a technique commonly used to distribute Android malware, is being used in advertising fraud schemes. Android malware distributors are already taking legitimate apps that appeal to users and repackaging them with trojans. The rogue apps are then distributed from unofficial app markets or even Google’s official application store. Compared to the original apps, the rigged ones request more extensive permissions that are required for the malicious components. The technique has attracted the attention of other cyber criminals. “Android apps are written in Java, and so they have a very low threshold for cloning, there are no real barriers to reverse engineer them,” F-Secure security researchers said. But in one case, the cloned app did not have malicious code. Instead, it had an extra module that displays ads during its runtime. “Presumably, the point of the repackaging is to include the advertisement module, with the developers gaining some kind of monetary reward when users view or click through the ads being displayed,” the researchers said. In this case, the cloned app was very popular, with between 1 million and 5 million installs by June 27. Source:

44. June 27, The Register – (International) Hackers pierce network with jerry-rigged mouse. Hackers from penetration testing firm Netragard were hired to pierce the firewall of a customer that specifically ruled out the use of social networks, telephones, and other social-engineering vectors. Gaining unauthorized physical access to computers was also off limits. To accomplish their goal, the hackers modified a popular, off-the-shelf computer mouse to include a flash drive and a powerful microcontroller that ran custom attack code that compromised whatever computer connected to it. “The microcontroller acts as if there’s a person sitting at the keyboard typing,” Netragard’s CTO said. “When a certain set of conditions are met, the microcontroller sends commands to the computer as if somebody was typing those commands on the keyboard or the mouse.” “There’s no defense, either. Plug one of these in and you’re basically screwed.” To get someone from the target company to use the mouse, Netragard purchased a readily available list of names and other data of its employees. After identifying a worker, they shipped him the modified mouse under the guise of a promotional event. Three days later, the malware contained on the mouse connected to a server controlled by Netragard. Netragard’s description of the attack comes as the DHS released results from a recent test that showed 60 percent of employees who picked up foreign computer discs and USB thumb drives in the parking lots of government buildings and private contractors connected them to their computers. Source:

45. June 27, Computerworld – (International) Rootkit infection requires Windows reinstall, says Microsoft. Microsoft informed Windows users they must reinstall the operating system if they get infected with a new rootkit that hides in the machine’s boot sector. A new variant of a trojan Microsoft calls “Popureb” digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, an engineer with the Microsoft Malware Protection Center said the week of June 20. “If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR (master boot record) and then use a recovery CD to restore your system to a pre-infected state,” he said. A recovery disc returns Windows to its factory settings. Malware such as Popureb overwrites the hard drive’s MBR, the first sector — sector 0 — where code is stored to boot up the operating system after the computer’s BIOS does its start-up checks. Because it hides on the MBR, the rootkit is invisible to the operating system and security software. According to the Microsoft engineer, Popureb detects write operations aimed at the MBR — operations designed to scrub the MBR or other disk sectors containing attack code — and swaps the write operation with a read operation. Although the operation will seem to succeed, the new data is not actually written to the disk. In other words, the cleaning process will have failed. Source:
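The failure mode in item 45 is that a cleanup write to the MBR can be reported as successful while the sector is left unchanged. The following is an added example, not code from the Computerworld article, from Microsoft, or from the malware itself: an in-memory simulation of a block device, a hypothetical filter that services a sector-0 write as a read (the behaviour the article attributes to Popureb), and the defender-side check that a recovery tool should make regardless: read the sector back after writing and compare it with what was intended. The disk contents, the sample boot sectors and the filter's behaviour are all constructed for the demonstration; nothing here touches a real disk.

```python
"""Read-back verification of a boot-sector restore (added example).

Simulates the failure mode described in item 45: a write aimed at the MBR
is silently turned into a read, so the write "succeeds" but the sector is
unchanged. The defensive point is that a cleanup tool must read sector 0
back and compare it with what it meant to write, rather than trusting the
return value of the write call. All data is constructed in memory.
"""
import hashlib

SECTOR_SIZE = 512


class SimulatedDisk:
    """Minimal sector-addressed block device held in memory (constructed)."""

    def __init__(self, sectors: int = 8):
        self._sectors = [bytes(SECTOR_SIZE) for _ in range(sectors)]

    def read(self, lba: int) -> bytes:
        return self._sectors[lba]

    def write(self, lba: int, data: bytes) -> bool:
        if len(data) != SECTOR_SIZE:
            raise ValueError("sector writes must be exactly one sector")
        self._sectors[lba] = data
        return True


class WriteSwappingFilter:
    """Hypothetical model of the behaviour item 45 attributes to Popureb:
    a write to sector 0 is serviced as a read and still reported as success.
    This is a stand-in for the demonstration, not the malware's code."""

    def __init__(self, disk: SimulatedDisk):
        self._disk = disk

    def read(self, lba: int) -> bytes:
        return self._disk.read(lba)

    def write(self, lba: int, data: bytes) -> bool:
        if lba == 0:
            self._disk.read(lba)  # the write is swapped for a read ...
            return True           # ... but the caller is told it worked
        return self._disk.write(lba, data)


def sector_digest(data: bytes) -> str:
    """SHA-256 of one sector, used to compare intended and on-disk content."""
    return hashlib.sha256(data).hexdigest()


def restore_mbr_verified(device, known_good_mbr: bytes) -> dict:
    """Write the known-good MBR, then read sector 0 back and compare.

    Returns both what the write call claimed and what is actually on disk,
    so a write that 'succeeds' without changing the sector is flagged.
    """
    write_reported_ok = device.write(0, known_good_mbr)
    on_disk = device.read(0)
    verified = sector_digest(on_disk) == sector_digest(known_good_mbr)
    return {
        "write_reported_ok": write_reported_ok,
        "verified": verified,
        "expected": sector_digest(known_good_mbr),
        "actual": sector_digest(on_disk),
    }


def build_sample_mbr(tag: bytes) -> bytes:
    """Constructed sector: a tag, zero padding, and the 0x55AA boot signature."""
    return tag.ljust(SECTOR_SIZE - 2, b"\x00") + b"\x55\xaa"


KNOWN_GOOD_MBR = build_sample_mbr(b"KNOWN-GOOD-BOOT-CODE")  # constructed
TAMPERED_MBR = build_sample_mbr(b"TAMPERED-BOOT-CODE")      # constructed


def demo_clean_disk() -> dict:
    """Restore on an unfiltered disk: the read-back matches."""
    disk = SimulatedDisk()
    disk.write(0, TAMPERED_MBR)
    return restore_mbr_verified(disk, KNOWN_GOOD_MBR)


def demo_filtered_disk() -> dict:
    """Restore through the write-swapping filter: the write call reports
    success, but the read-back still shows the tampered sector."""
    disk = SimulatedDisk()
    disk.write(0, TAMPERED_MBR)
    return restore_mbr_verified(WriteSwappingFilter(disk), KNOWN_GOOD_MBR)


if __name__ == "__main__":
    for name, result in (("unfiltered", demo_clean_disk()),
                         ("write-swapped", demo_filtered_disk())):
        print(f"{name}: write reported ok={result['write_reported_ok']}, "
              f"verified={result['verified']}")
```

The check is deliberately independent of how the interposition happens: whether the tampering is a driver-level swap as described in the article or any other reason a write did not land, the only evidence a cleanup tool can trust is the sector it reads back afterwards, which is also why the Microsoft advice to recover from known-good media is the safer route once such a rootkit is present.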

For more stories, see items 15 and 17 above in the Banking and Finance Sector

Communications Sector

See item 43 above in the Information Technology Sector