Wednesday, June 29, 2011

Complete DHS Daily Report for June 29, 2011

Daily Report

Top Stories

• The Associated Press reports firefighters in New Mexico were battling a wildfire that threatened the Los Alamos nuclear laboratory, and an above-ground storage site holding as many as 30,000, 55-gallon drums of plutonium-contaminated waste. (See item 51)

51. June 28, National Public Radio and KANW 89.1 Albuquerque – (New Mexico) Evacuations ordered as fire threatens Los Alamos. Firefighters in northern New Mexico were battling June 28 to stall a raging wildfire before it reaches the town that is home to the government laboratory that produced the first atomic bomb. The 44,000-acre Las Conchas wildfire burned in the mountains above Los Alamos as firefighters spent much of their time putting out spot fires, “the biggest threat we have right now to homes in the community,” the deputy Los Alamos County fire chief said late June 27. About 13,000 people have been moved from Los Alamos. Those who refused to leave will be monitored by police and the National Guard, officials said. Strong winds were forecast for June 28. Meanwhile, air tankers were set to drop fire retardant and water on the fire. The wildfire has destroyed 30 structures south and west of Los Alamos. Blowing embers sparked at least one fire at the Los Alamos National Laboratory, but it was quickly put out. The spot fire scorched a section known as Tech Area 49, which was used in the early 1960s for a series of underground tests with high explosives and radioactive materials. The fire has forced the lab to close, but officials said radioactive materials stored there are safe. But the anti-nuclear watchdog group Concerned Citizens for Nuclear Safety said the fire appeared to be about 3.5 miles from a dumpsite where as many as 30,000, 55-gallon drums of plutonium-contaminated waste were stored in fabric tents above ground. The group said the drums were awaiting transport to a dump site in southern New Mexico. Lab officials at first declined to confirm that such drums were on the property, but in a statement early June 28, a lab spokeswoman said such drums are stored in a section of the complex known as Area G. She said the drums contain cleanup from Cold War-era waste that the lab sends away in weekly shipments to the Waste Isolation Pilot Plant. Source:

• According to the Associated Press, a former Citigroup vice president embezzled $19.2 million from the bank through a series of secret money transfers, federal prosecutors said June 27. (See item 16 below in the Banking and Finance Sector)


Banking and Finance Sector

12. June 28, Associated Press – (New York) Ex-NYC lawyer admits tax evasion in banking scheme. A disbarred New York City, New York lawyer agreed June 27 to pay nearly $10 million in penalties for his part in a Swiss banking scheme. The New York Post reported that the lawyer acknowledged in federal court June 27 that he didn’t pay “a substantial amount of taxes” from 2006 through 2008. He said he knew his actions were unlawful and asked to apologize to the court. His plea deal calls for up to 37 months in prison. He was charged with evading more than $2.3 million in federal income taxes on $26.4 million that prosecutors said he stashed in overseas accounts at banking giant UBS. Six others have been charged in the scheme to conceal more than $100 million in Swiss-based assets. Two have pleaded guilty, and two have pleaded not guilty. Source:

13. June 28, Asbury Park Press – (New Jersey) Manalapan mortgage firm officers charged with $7.5 million refinancing scheme. A Monmouth County, New Jersey grand jury handed up a 100-count indictment June 27 charging seven people in a multimillion-dollar mortgage refinance fraud scheme operating out of a Manalapan-based business, prosecutors said. They are charged in a more than $7.5 million scheme to defraud homeowners and others by arranging to refinance mortgages and then failing to pay off the original mortgages, according to a Monmouth County prosecutor. The scheme also involved stealing the identities of some mortgage-refinance applicants and using them to get lending institutions to fund refinances that never occurred, the prosecutor said. A year-long investigation by the Monmouth County Prosecutor’s Office into the business practices of Hawthorne Capital Corp. uncovered multiple instances of theft and attempted theft by two employees and the conspiracy involving the other defendants named in the indictment, the prosecutor said. One employee is charged with two counts of conspiracy. Two others are each charged with 27 counts of theft, 16 counts of attempted theft, 16 counts of forgery, four counts of conspiracy, two counts of money laundering, and other charges. Source:

14. June 28, Dow Jones Newswires – (National) U.S. mortgage-fraud reports up 31% in 1Q -report. Reports of mortgage fraud in the United States rose 31 percent in the first 3 months of this year as banks scoured their files for shady loans made during the housing boom, according to a government report released June 28. The Financial Crimes Enforcement Network, a Treasury Department agency, reported 25,485 “suspicious activity reports” related to suspected mortgage fraud in the January-March 2011 period. That was up from 19,420 in the same quarter a year earlier. The increase was attributed to large mortgage servicers performing thorough reviews of loan files after receiving demands from mortgage investors to repurchase mortgages that have fallen into default. In the January-March period, 86 percent of mortgage-fraud reports involved activities that occurred more than 2 years ago. Source:

15. June 28, IDG News Service – (International) MasterCard slammed again as punishment over WikiLeaks. MasterCard’s main Web site was unavailable June 28 as it appeared hackers were again targeting the company for its refusal to process donations for the whistle-blowing site WikiLeaks. MasterCard, along with companies such as Visa, PayPal, and the Swiss bank PostFinance, stopped processing payments for WikiLeaks shortly after the site began releasing portions of 250,000 secret U.S. diplomatic cables in November 2010. The hacking collective known as Anonymous spearheaded a drive to conduct distributed denial-of-service attacks against those sites. WikiLeaks wrote on Twitter June 28 that “hacktivists” had taken down MasterCard “over the continuing WikiLeaks fiscal embargo.” In another Twitter posting, it said the “unlawful banking blockade” was in its sixth month and named Visa, MasterCard, PayPal, Bank of America, and Western Union as targets. Source:

16. June 27, Associated Press – (National) Citigroup ex-VP arrested in NYC on fraud charges. A former Citigroup vice president (VP) embezzled $19.2 million from the bank in a one-man “inside job” involving a series of secret money transfers, federal prosecutors said June 27. The 35-year-old man from Englewood Cliffs, New Jersey, surrendered June 26 at John F. Kennedy International Airport in New York after arriving on a flight from Bangkok, Thailand. Officials at Citigroup Inc. — where the man was vice president of the treasury finance department until quitting in January — said in a statement they were “outraged by the actions of this former employee” and hoped to see him “prosecuted to the full extent of the law.” The former VP “used his knowledge of bank operations to commit the ultimate inside job,” a U.S. attorney said in a statement. According to a criminal complaint, the former VP’s department financed loans and processed wire transfers within Citigroup. From May 2009 through the end of 2010, he siphoned funds from various Citigroup accounts, placed them in the bank’s cash account, and then wired the money into his private account at another bank in New York, the complaint alleged. In one November 2010 transaction, he wired $3.9 million from a Citigroup fund in Baltimore, Maryland to his New York account, the complaint said. That fraudulent transfer, and seven others went undetected until a recent internal audit, it said. Source:

17. June 27, CNN Money – (National) Citi: Millions stolen in May hack attack. Citigroup acknowledged June 27 that a hacking incident last month stole millions of dollars from customers’ credit card accounts. Citigroup told CNN that about $2.7 million was stolen from about 3,400 accounts on May 10. The hackers actually accessed a much larger number of accounts: 360,083. Fewer than 1 percent of the hacked accounts had money removed from them, according to Citigroup. The bank reiterated that customers will not be responsible for financial losses from the attacks. Citigroup announced June 16 that more than 200,000 new credit cards had been issued to hacked customers. In some cases, customers had already closed their account or had received a new credit card, so they didn’t need the Citi-initiated replacement. Citigroup waited until June 3, more than 3 weeks after its discovery of the hack, to start sending out notification letters. However, the company insisted that it acted quickly to deal with the security problem. Source:

Information Technology Sector

40. June 28, Help Net Security – (International) Thousands of Tumblr accounts compromised. Tumblr users have been targeted with an aggressive phishing campaign within the last week, and are still being lured into entering log-in credentials for access to adult content, Help Net Security reported June 28. The scheme appears to be successful, as GFI researchers accessed a dropzone for the stolen credentials and discovered a massive amount of data. The scammers used the compromised Tumblr accounts to set up more and more phishing pages. Various domains were also used to perpetuate the scam, including tumblriq(dot)com, tumblrlogin(dot)com, and tumblrsecurity(dot)com — all registered in the last few weeks to bogus clients. “The problem has become so pervasive that regular Tumblr users are setting up dedicated anti phishing sites to advise users of the problem,” the researchers said. Also, Tumblr created an automated reply for people reporting the scheme, in which it advises affected users to reset the password for their account, to remove the fake log-in template by choosing a new theme, and to “unfollow” all the blogs their account is following thanks to the scammers. Source:

41. June 28, Computerworld – (International) DHS releases software security scoring system. The DHS, along with the SANS Institute and Mitre, released a scoring system June 26 designed to help enterprises verify whether the software they are using meets reasonable standards for secure coding. The organizations released an updated list of the Top 25 most dangerous programming errors found in software, and a measuring system that lets enterprises score the security of their software based on the presence or absence of those flaws. The goal is to give enterprises information that will let them make more informed decisions regarding the security of their software, said the director of research at SANS. The hope is that organizations within the private sector and government will use the Top 25 list and scoring system during the software procurement process, he said. Source:

42. June 28, Softpedia – (International) Former YouSendIt CEO pleads guilty to DoS attacks. The co-founder of digital content delivery service YouSendIt admitted to launching a denial of service attack against the company’s servers. The man, 32, served as YouSendIt’s CEO from its creation in 2004 until August 2005. He then acted as its chief technology officer until November 2006, when he left to work as a consultant. In March 2009, he founded a new company called FlyUpload, which offered the same content distribution services as YouSendIt. Eight months later, in November 2009, the entrepreneur was indicted on four counts of transmission of a code to cause damage to a protected computer. The complaint claimed he used an Apache benchmarking tool to overload YouSendIt’s servers with requests on four separate occasions between December 2008 and June 2009. The man pleaded guilty June 24 to one of the four counts. He faces a maximum of 5 years in prison, followed by 3 years of supervised release and a fine of up to $250,000. The program the man admitted to using is called ApacheBench and is designed to test how many requests per second a server is capable of handling, an operation commonly referred to as stress testing. He was released on a $100,000 bail and is scheduled to be sentenced September 29. Source:

43. June 27, Softpedia – (International) Android malware delivery techniques used for advertising fraud. Security researchers warn that application repackaging, a technique commonly used to distribute Android malware, is being used in advertising fraud schemes. Android malware distributors are already taking legitimate apps that appeal to users and repackaging them with trojans. The rogue apps are then distributed from unofficial app markets or even Google’s official application store. Compared to the original apps, the rigged ones request more extensive permissions that are required for the malicious components. The technique has attracted the attention of other cyber criminals. “Android apps are written in Java, and so they have a very low threshold for cloning, there are no real barriers to reverse engineer them,” F-Secure security researchers said. But in one case, the cloned app did not have malicious code. Instead, it had an extra module that displays ads during its runtime. “Presumably, the point of the repackaging is to include the advertisement module, with the developers gaining some kind of monetary reward when users view or click through the ads being displayed,” the researchers said. In this case, the cloned app was very popular, with between 1 million and 5 million installs by June 27. Source:
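The tell the researchers describe in item 43, a cloned app that requests permissions the original never needed, is something an app-vetting pipeline can check mechanically. The following is an added example, not code from the DHS report or from F-Secure: it parses the `<uses-permission>` entries of two Android manifests and reports what the suspected clone asks for beyond the original. Both manifests, the package names, and the `SENSITIVE` list are constructed for the example.

```python
"""Diff the permissions requested by an original app and a suspected clone.

Added example (not the report's or F-Secure's code). Both manifests below are
constructed samples; the SENSITIVE set is an illustrative policy, not a
published list.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample: a notional original app that only needs network access.
ORIGINAL_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.original">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Example">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Constructed sample: a repackaged copy that additionally asks for permissions
# an advertising or data-harvesting module would need.
CLONE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.original.free">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <application android:label="Example">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""

# Permissions whose unexplained appearance in a clone deserves a closer look.
# Illustrative only; a real policy would be tuned per app category.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_PHONE_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_BOOT_COMPLETED",
}


def requested_permissions(manifest_xml: str) -> set:
    """Return the android:name values of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def package_name(manifest_xml: str) -> str:
    """Return the manifest's package attribute (empty string if absent)."""
    return ET.fromstring(manifest_xml).get("package", "")


def compare_manifests(original_xml: str, clone_xml: str) -> dict:
    """Diff the permissions of a suspected clone against its original."""
    orig = requested_permissions(original_xml)
    clone = requested_permissions(clone_xml)
    added = clone - orig
    return {
        "original_package": package_name(original_xml),
        "clone_package": package_name(clone_xml),
        "added": sorted(added),
        "removed": sorted(orig - clone),
        "added_sensitive": sorted(added & SENSITIVE),
        # Flag when the clone broadens access the original never needed.
        "suspicious": bool(added & SENSITIVE),
    }


if __name__ == "__main__":
    report = compare_manifests(ORIGINAL_MANIFEST, CLONE_MANIFEST)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The check is deliberately one-directional: permissions the clone drops are reported but not flagged, since the signal in the report is broadened access, not narrowed access. In practice the original manifest would come from the publisher's signed package rather than from a second market listing.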

44. June 27, The Register – (International) Hackers pierce network with jerry-rigged mouse. Hackers from penetration testing firm Netragard were hired to pierce the firewall of a customer that specifically ruled out the use of social networks, telephones, and other social-engineering vectors. Gaining unauthorized physical access to computers was also off limits. To accomplish their goal, the hackers modified a popular, off-the-shelf computer mouse to include a flash drive and a powerful microcontroller that ran custom attack code that compromised whatever computer connected to it. “The microcontroller acts as if there’s a person sitting at the keyboard typing,” Netragard’s CTO said. “When a certain set of conditions are met, the microcontroller sends commands to the computer as if somebody was typing those commands on the keyboard or the mouse.” “There’s no defense, either. Plug one of these in and you’re basically screwed.” To get someone from the target company to use the mouse, Netragard purchased a readily available list of names and other data of its employees. After identifying a worker, they shipped him the modified mouse under the guise of a promotional event. Three days later, the malware contained on the mouse connected to a server controlled by Netragard. Netragard’s description of the attack comes as the DHS released results from a recent test that showed 60 percent of employees who picked up foreign computer discs and USB thumb drives in the parking lots of government buildings and private contractors connected them to their computers. Source:

45. June 27, Computerworld – (International) Rootkit infection requires Windows reinstall, says Microsoft. Microsoft informed Windows users they must reinstall the operating system if they get infected with a new rootkit that hides in the machine’s boot sector. A new variant of a trojan Microsoft calls “Popureb” digs so deeply into the system that the only way to eradicate it is to return Windows to its out-of-the-box configuration, an engineer with the Microsoft Malware Protection Center said the week of June 20. “If your system does get infected with Trojan:Win32/Popureb.E, we advise you to fix the MBR (master boot record) and then use a recovery CD to restore your system to a pre-infected state,” he said. A recovery disc returns Windows to its factory settings. Malware such as Popureb overwrites the hard drive’s MBR, the first sector — sector 0 — where code is stored to boot up the operating system after the computer’s BIOS does its start-up checks. Because it hides on the MBR, the rootkit is invisible to the operating system and security software. According to the Microsoft engineer, Popureb detects write operations aimed at the MBR — operations designed to scrub the MBR or other disk sectors containing attack code — and swaps the write operation with a read operation. Although the operation will seem to succeed, the new data is not actually written to the disk. In other words, the cleaning process will have failed. Source:
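The failure mode in item 45 is that a cleanup tool trusts the return value of its MBR write while the data never reaches the disk. The defensive habit that catches this is to read the sector back and compare, rather than trust the write's status. The following is an added example, not code from the DHS report or from Microsoft: a simulated 512-byte sector device, a cleanup routine that verifies by read-back, and a constructed test double (`InterceptingDisk`) whose only behaviour is to drop sector-0 writes while still reporting success, so the verification path can be exercised offline. The disk classes, the MBR images, and the result fields are all assumptions of the example.

```python
"""Read-back verification of a boot-sector write.

Added example (not the report's or Microsoft's code). SimulatedDisk is a
bytearray-backed stand-in for a block device; InterceptingDisk is a constructed
test double that mimics the outcome the report describes (a write to sector 0
that reports success without persisting anything). Neither touches real disks.
"""

SECTOR_SIZE = 512
MBR_SECTOR = 0


class SimulatedDisk:
    """Minimal block device: a bytearray holding `sectors` sectors of 512 bytes."""

    def __init__(self, sectors: int = 4) -> None:
        self._data = bytearray(sectors * SECTOR_SIZE)

    def read_sector(self, n: int) -> bytes:
        off = n * SECTOR_SIZE
        return bytes(self._data[off:off + SECTOR_SIZE])

    def write_sector(self, n: int, buf: bytes) -> bool:
        if len(buf) != SECTOR_SIZE:
            raise ValueError("sector writes must be exactly one sector")
        off = n * SECTOR_SIZE
        self._data[off:off + SECTOR_SIZE] = buf
        return True

    def seed_sector(self, n: int, buf: bytes) -> None:
        """Test setup only: store bytes directly, bypassing any override."""
        SimulatedDisk.write_sector(self, n, buf)


class InterceptingDisk(SimulatedDisk):
    """Constructed test double: writes to sector 0 are discarded but still
    report success, reproducing the silent-failure outcome from the report."""

    def write_sector(self, n: int, buf: bytes) -> bool:
        if n == MBR_SECTOR:
            self.read_sector(n)  # a read happens instead; nothing is stored
            return True          # ...yet the caller is told it succeeded
        return super().write_sector(n, buf)


def clean_mbr(disk: SimulatedDisk, clean_image: bytes) -> dict:
    """Write a known-good MBR image and confirm it by reading it back.

    The write's own return value is recorded but never trusted on its own:
    'verified' is True only when the read-back bytes equal the image.
    """
    reported_ok = disk.write_sector(MBR_SECTOR, clean_image)
    readback = disk.read_sector(MBR_SECTOR)
    verified = readback == clean_image
    return {
        "write_reported_ok": reported_ok,
        "verified": verified,
        # Success reported, nothing persisted: the case the report describes.
        "silent_write_failure": reported_ok and not verified,
    }


def make_clean_mbr_image() -> bytes:
    """Constructed placeholder MBR: zeroed code area plus the 0x55AA boot
    signature in the last two bytes, where a real MBR carries it."""
    return bytes(SECTOR_SIZE - 2) + b"\x55\xaa"


def make_tampered_mbr_image() -> bytes:
    """Constructed placeholder for a modified boot sector (not real malware):
    a non-zero code area with the same boot signature."""
    return b"\x90" * (SECTOR_SIZE - 2) + b"\x55\xaa"


if __name__ == "__main__":
    clean = make_clean_mbr_image()

    honest = SimulatedDisk()
    honest.seed_sector(MBR_SECTOR, make_tampered_mbr_image())
    print("honest disk:      ", clean_mbr(honest, clean))

    intercepting = InterceptingDisk()
    intercepting.seed_sector(MBR_SECTOR, make_tampered_mbr_image())
    print("intercepting disk:", clean_mbr(intercepting, clean))
```

On the honest device the result is verified; on the test double the write reports success, the read-back still shows the tampered bytes, and `silent_write_failure` is set. That is the condition under which the advice in the item applies: stop trusting in-band cleanup and repair the MBR from recovery media outside the running system.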

For more stories, see items 15 and 17 above in the Banking and Finance Sector

Communications Sector

See item 43 above in the Information Technology Sector
