Thursday, June 2, 2011

Complete DHS Daily Report for June 2, 2011

Daily Report

Top Stories

• According to the New York Post, New York City officials were scrambling to fix an online security lapse that permits detailed floor plans for buildings that are top terror targets to be downloaded from a city Web site. (See item 50)

50. May 31, New York Post – (New York) City officials move to have detailed floor plans of landmark buildings removed from department of finance’s Web site. New York City officials are scrambling to fix glaring online security lapses after the New York Post reported that detailed floor plans for top terror targets can be downloaded from the New York City Department of Finance’s Web site, a finance spokesman said May 31. The department, which maintains an online database of property records, is working with the New York Police Department to remove schematics and floor plans for landmark buildings that are often attached to routine leasing and deed documents. As the Post reported May 19, plans for 1 World Trade Center, which is currently under construction — and is described by the police commissioner as the nation’s No. 1 terror target — were posted on the finance department’s Web site, along with an updated leasing agreement. Law enforcement is now focusing on what else may be buried among the city’s online records. Source:

• The Associated Press reports that approaching floodwaters from the Missouri and Souris rivers May 31 forced crews to race to build miles of emergency levees to protect South Dakota’s capital city, and two North Dakota towns. (See item 62)

62. May 31, Associated Press – (North Dakota; South Dakota) Levees going up to protect South Dakota cities. Crews raced against approaching floodwaters May 31 to complete emergency levees aimed at protecting South Dakota’s capital city, and two other towns as the swollen Missouri River rolled downstream from the Northern Plains. Meanwhile, the mayor of Minot, North Dakota, ordered a quarter of the city’s residents to evacuate areas along the flooding Souris River. He said the evacuation affects about 10,000 people who live along a 4-mile stretch of the Souris, which has risen with rain, snowmelt and discharges from Lake Darling. The mayor said residents are expected to be out of their homes by the night of June 1, in part to give construction crews room to raise and reinforce earthen dikes in the area. Residents of Dakota Dunes in southeastern South Dakota, below the final dam on the Missouri River, have been told to move their possessions to higher ground and be ready to leave their homes by June 2, a day before releases from the dams are set to increase again. The U.S. Army Corps of Engineers is increasing releases from the six dams on the Missouri to drain water from record rains of up to 8 inches that fell in eastern Montana and Wyoming and western North Dakota and South Dakota in the past 2 weeks. Heavy runoff from melting snow in the northern Rocky Mountains is expected to add to the problem soon. In North Dakota, more than 7 miles of levees were being built in Bismarck, and another 3.5 miles were going up across the river in Mandan. Source:


Banking and Finance Sector

14. May 31, Reuters – (National) SEC employee misled fellow investors: watchdog. A Securities and Exchange Commission (SEC) employee invested in a company accused of preying on deaf people, and misled fellow investors into thinking their money was safe despite an SEC probe. The SEC Inspector General (IG) recommended disciplinary action, including possible dismissal of the employee, according to a roundup of his recent and pending investigations sent to the U.S. Congress May 31. The IG’s office received a tip in February from a regional senior official who said a Washington, D.C.-based employee invested in an investment company that was the subject of an active investigation. The tipster accused the employee of “providing false, misleading and nonpublic information” to other investors, telling them the company was legitimate, and that they would “be receiving considerable sums of money from their investments.” The IG’s report did not mention the names of the employee or the company, but court records from these dates point to Imperia Invest IBC, an Internet-based investment company that allegedly targeted deaf investors and others by raising more than $7 million from them without delivering a single payment. A federal judge in Utah later ordered the firm to pay $15.2 million in disgorgement and prejudgment interest. The IG said the SEC employee later admitted to communicating with investors and was placed on administrative leave. Source:

15. May 31, Salt Lake Tribune – (Utah) Sandy man accused in $12 million Ponzi scheme. A Sandy, Utah man was indicted May 31 for allegedly running a Ponzi scheme that took in about $12 million from investors, who were told some of the money would go into the development of a human jet-pack rocket suit. The man was charged with 17 counts of money laundering, and wire and bank fraud. Between January 2007 and March 2010, the man held investment club meetings, where he portrayed himself as a successful investor, the indictment released May 31 said. The man advised potential investors to use an “equity mining” scheme to obtain investment money. He encouraged them to inflate their income or assets on bank documents to obtain loans for houses, boats or other luxury items that were for more than the items actually sold for, with the difference to be invested with him, the indictment states. “Virtually all of investors’ money was used by [the man] to either pay ‘returns’ to other investors or for his own personal use,” the U.S. Attorney’s Office for Utah said in a news release. Between 75 and 100 investors gave the man more than $12 million, the indictment said. If convicted, the suspect faces up to 30 years in prison on the bank fraud counts, and lesser time for the other charges, plus potentially millions of dollars in fines. Source:

16. May 31, Associated Press – (International) Canadian pleads guilty in Vermont bank fraud case. A Canadian man pleaded guilty May 31 to his part in what Vermont prosecutors said was a bank fraud scheme. The 48-year-old man, of Quebec, Canada, entered the plea May 31 in federal court in Rutland. Prosecutors said that during a 3-month period in 2010 and 2011, the man defrauded People’s United Bank and Passumpsic Savings Bank of about $92,000. They said he did it by opening checking accounts at the banks’ Newport offices and depositing checks drawn on banks in Canada even though he knew there was not enough money to cover them. The man, who was arrested by Newport police in March, faces up to 30 years in prison. Source:

17. May 31, Associated Press – (Arizona) Former Phoenix loan officer pleads guilty in $40 million mortgage fraud case. A former Phoenix, Arizona loan officer pleaded guilty May 27 in two separate fraud cases. The U.S. attorney’s office said May 31 the suspect entered guilty pleas to 13 charges of mortgage, bankruptcy, bank and mail fraud in federal court May 27. The woman admitted to her leadership role in a $40 million mortgage fraud involving Countrywide Home Loans. She admitted that from January 2005 to December 2007 she and others recruited straw buyers to purchase homes by obtaining loans using false information. The loans were obtained based on inflated property appraisals, and the extra $9 million was diverted to the woman and others in the case. Source:

Information Technology

43. June 1, Computerworld – (International) Google faces new round of Android malware. For the second time in 3 months, Google pulled dozens of malware-infected smartphone apps from the Android Market. The 34 apps were pulled over the weekend of May 28 and 29, and May 31 by Google after security researchers notified the company. As in the March episode, when Google removed more than 50 apps, the newest round consisted of pirated legitimate programs that had been modified with malicious code and then re-released to the Android Market under false names. However, there was an important difference to this campaign, said the CTO of Lookout, a firm that specializes in mobile security. “These apps have the ability to fire up a page on the Android Market,” he said, adding that the hackers can send commands to the smartphone telling it what market page to display. He speculated that the attackers intended the new feature as a way to dupe users into downloading additional rogue apps that would have malicious functions, just as when a hijacked PC is told to retrieve more malware. “They seem to have been designed to encourage people to install additional payloads,” he said. He said it was impossible to deduce hacker intent from the malicious apps’ code, but he believed the criminals took the new path because socially engineered attacks — those that rely on tricking victims into installing malware rather than depending on an exploited vulnerability — are more difficult to defend against. Source:

44. June 1, H Security – (International) Wireshark updates close security holes. The Wireshark development team has announced the release of versions 1.2.17 and 1.4.7 of its open source, cross-platform network protocol analyzer. According to the developers, these maintenance and security updates address multiple vulnerabilities that could, for example, cause the application to crash “by injecting a series of malformed packets onto the wire or by convincing someone to read a malformed packet trace file.” These include issues related to a large/infinite loop in the DICOM dissector in Wireshark 1.4.x, and, in the 1.2.x branch, bugs in the X.509if dissector. A number of bugs in some of the 1.4.x dissectors have also been fixed. Source:

45. May 31, Softpedia – (International) Remote desktop access to infected PCs being sold by the unit. Security researchers from RSA warn that cyber criminals are increasingly selling remote desktop access to infected computers by the unit based on several criteria. Such services are being offered by the traditional CC shops that specialize in the selling of stolen credit card information. “It is rather common that CC shop operators are also bot-herders (or people who have access to botnets), selling the stolen CC data collected by their Trojans. By adding the sale of RDP access to his shop, the seller grants fraudsters the choice to exploit PCs they would otherwise have no way of tampering with,” the RSA researchers explained. The selling of Remote Desktop Protocol (RDP) access credentials has been practiced before, but usually in an unorganized fashion and not in specific volume quantities. The new services allow fraudsters to filter their purchases by geographic location (country, region, city), the bandwidth available to the computer (download and upload separately), the RDP user’s level of access (admin or not), OS version, and even hardware specs such as CPU and RAM. Source:

46. May 31, Computerworld – (International) Mac OS update detects, deletes MacDefender ‘scareware’. On May 31, Apple released an update for Snow Leopard that warns users they have downloaded fake Mac security software and claims to scrub machines already infected with the so-called “scareware.” A security researcher with Sophos confirmed the update alerts users when they try to download any bogus MacDefender antivirus software. The update, labeled 2011-003, adds a new definition to the rudimentary antivirus detection engine embedded in Mac OS X 10.6 (Snow Leopard), and also changes the frequency with which the operating system checks for new definitions to daily. Before May 31, Apple had added only five detection signatures to the antivirus component of Snow Leopard. Source:

47. May 31, Softpedia – (International) Boot loader for unsigned drivers is being advertised on underground forums. Security researchers from antivirus vendor ESET have spotted an offer on the underground market for a new boot loader capable of loading unsigned drivers. The offer was spotted on a Russian-language forum and the poster claims his “boot loader for drivers” that do not require a digital signature is still being tested. This type of malware, which installs itself in the master boot record (MBR) and can control how Windows starts, is in high demand because of its resiliency. One of the most well known threats that displays this behavior is TDL4, a bootkit that is able to infect all forms of Windows, including 64-bit ones. The TDL4 developers are definitely not amateurs and are able to come up with sophisticated techniques to bypass the protections introduced by Microsoft. During April’s Patch Tuesday, Microsoft released a patch that targeted bootkits and TDL4 in particular. The modifications made to some system files rendered the malware nonfunctional. Within half a month, the TDL4 developers had already adapted to the change and put out a new version capable of overcoming the protections put in place by Microsoft. Source:

48. May 31, H Security – (International) Python 2.5.6 fixes medium severity issues. For those still running Python 2.5.x, the release of Python 2.5.6 is likely to be the last release of Python 2.5; after October 2011 there will be no more security issues fixed in Python 2.5 and it is recommended that users update to Python 2.7.1, which is the latest version of the current Python 2.x series. The Python 2.5.6 update fixes a number of medium severity issues. These are a vulnerability to XSS attacks in SimpleHTTPServer, a failure to follow redirections with file: schemes in urllib and urllib2 (CVE-2011-1521), incorrect integer overflow checks (CVE-2010-1634), and a denial of service vulnerability in audioop (CVE-2010-2089). Source:

49. May 26, – (International) Spammers using domain parking services to bypass anti-spam filters. Security experts are warning that spammers are increasingly taking advantage of domain parking services offered by registrars in an attempt to circumvent reputation-based anti-spam products and conceal their sites.’s senior software engineer explained in a blog post that parking services are usually used by registrants to reserve a domain for future use to mitigate the risk of cyber squatting, or to monetize a particular domain through online advertising. However, his team recently noticed “a large domain parking service being abused by spammers on a massive scale.” “Each domain hosted on the service contains an open redirect script, allowing spammers to redirect to any URL of their choice,” he said. “Since the redirect does not affect the parking page, and domains parked on domain parking services are typically not used for any other purpose, it is unlikely that the domain owners will notice when their domains are inevitably added to anti-spam block lists.” The researcher warned that such strategies could help spammers escape detection by some anti-spam products, especially given that many of the domains have been registered for years and are therefore seen as more likely to have a good reputation. Source:
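The urllib issue in item 48 (redirects followed into the file: scheme) and the parked-domain open redirect in item 49 come down to the same missing check: a redirect target that is never validated, either before a client follows it or before a redirect script issues it. The example below is added here and is not code from the report or from any vendor it cites. It applies a scheme allow-list (http/https only) and a host allow-list to constructed Location headers, and wraps the same check in a urllib.request redirect handler. The hostnames www.example.com, parked.example.net, evil.example and spam.example are placeholders, not domains from the report.

```python
"""Redirect-target validation (added example): refuse redirects whose scheme
or host is not on an allow-list. The same check fits both sides of the
problem: an HTTP client deciding whether to follow a Location header, and a
redirect script deciding whether to send a visitor to a requested URL."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

# Only web schemes may be followed: a Location of file:///... or ftp://...
# must never be dereferenced by an HTTP client.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def check_redirect(base_url, location, allowed_hosts):
    """Resolve a Location header against the request URL and decide whether
    it may be followed. Returns (ok, resolved_url, reason)."""
    # Location may be relative ("/login") or protocol-relative ("//host/x"),
    # so resolve it the way a browser would before inspecting it.
    target = urljoin(base_url, location)
    parts = urlsplit(target)

    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, target, "scheme %r not allowed" % scheme

    # .hostname strips userinfo and port, so "https://good@evil/" yields
    # "evil": the allow-list is compared against the host actually contacted.
    host = (parts.hostname or "").lower()
    if not host:
        return False, target, "no host in redirect target"
    if host not in allowed_hosts:
        return False, target, "host %r not in allow-list" % host
    return True, target, "ok"


class StrictRedirectHandler(urllib.request.HTTPRedirectHandler):
    """urllib.request handler that runs check_redirect before following."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = frozenset(h.lower() for h in allowed_hosts)

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        ok, target, reason = check_redirect(req.full_url, newurl, self.allowed_hosts)
        if not ok:
            # Surface the refusal as an HTTP error instead of silently following.
            raise urllib.error.HTTPError(
                req.full_url, code, "refusing redirect: " + reason, headers, fp)
        return super().redirect_request(req, fp, code, msg, headers, target)


def make_opener(allowed_hosts):
    """Opener whose redirects are confined to allowed_hosts over http(s)."""
    return urllib.request.build_opener(StrictRedirectHandler(allowed_hosts))


# Constructed Location headers (not taken from the report), the kind a
# client or a redirect script would be asked to honour.
SAMPLE_LOCATIONS = [
    "/account",                                        # same-site relative: fine
    "https://www.example.com@evil.example/",           # userinfo trick: host is evil.example
    "//parked.example.net/r?u=https://spam.example/",  # protocol-relative hop off-site
    "file:///etc/passwd",                              # local file: the urllib class of bug
]

if __name__ == "__main__":
    allowed = {"www.example.com"}
    for loc in SAMPLE_LOCATIONS:
        ok, target, reason = check_redirect("https://www.example.com/start", loc, allowed)
        print("%-6s %-55s %s" % ("FOLLOW" if ok else "BLOCK", target, reason))
```

For a redirect script on a parked page, `allowed_hosts` is the set of destinations the operator actually owns; anything else is refused rather than forwarded, which removes the open redirect the spammers relied on. On the client side, `make_opener` gives a urllib opener that follows only http(s) redirects to the listed hosts.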

For another story, see item 50 above in Top Stories

Communications Sector

See item 43 above in Information Technology
