Wednesday, July 27, 2011

Complete DHS Daily Report for July 27, 2011

Daily Report

Top Stories

• RSA's SecurID token users, including defense contractors and federal employees, were targeted with fake e-mails supposedly from the U.S. National Security Agency (NSA) urging them to update token codes, Help Net Security reports. (See item 40 below in the Information Technology Sector)

• An East Bay Regional Park District police officer on patrol in Moraga, California, had to be rescued July 25 after he was shot at by multiple people, according to the Contra Costa Times. (See item 49)

50. July 25, USA Today – (Alaska) Bear seriously injures teens hiking in Alaska. The two teens seriously injured by a grizzly bear in an attack July 23 in Alaska were in improved condition, a spokeswoman at Anchorage's Providence Alaska Medical Center said July 25. A 17-year-old from Denver was in good condition, and a 17-year-old from New City, New York was in serious condition. A mother grizzly with a cub attacked a group of seven teens hiking in Alaska's Talkeetna Mountains, the Anchorage Daily News reported. The attack took place as the seven, part of a wilderness survival course, were crossing a river in an area near popular Denali National Park, reports said. Two of the teens received life-threatening wounds, and others suffered injuries, either from the bear or from exposure to the elements, the Daily News said. Source:


Banking and Finance Sector

13. July 26, WGAL 8 Lancaster – (Pennsylvania) Former EFI official pleads guilty to loan fraud. Another guilty plea was entered in federal court July 25 in the loan fraud scheme at a Lancaster, Pennsylvania company. An Alabama man pleaded guilty in the $53 million loan fraud scheme at an equipment finance company. He and seven others are accused of looting the accounts and falsifying the books of Equipment Finance Inc. (EFI) of Lititz, Pennsylvania from 2001 to 2007, claiming they were lending money to logging companies to buy new equipment. EFI was purchased by Sterling Financial and later became part of the Bank of Lancaster County. He faces up to 45 years in prison. Source:

14. July 26, – (Tennessee; Florida) Secret Service joins credit card fraud investigation. A federal agency is investigating a recent outbreak of credit and debit card fraud in Gallatin, Tennessee. The Secret Service was asked by local police to assist with the case around July 20, said the assistant to the special agent in charge for the agency's Nashville field office. The Gallatin Police Department had received 94 reports of credit card fraud as of July 25 that were believed to be connected to the same case. The trend among the reports was that victims saw illicit charges on their bank or credit card statements of $90-$100, mostly from businesses in Florida, a Gallatin police sergeant said. Another common link among the reported cases was that many of the victims had used their cards at businesses in the Volunteer State Community College area, located around the 1400 block of Nashville Pike. Gallatin police said the week of July 18 they believed skimming devices, designed to read the data on the magnetic stripes of consumers' credit or debit cards, may have been inserted inside card-swipe machines. Source:

15. July 25, Houston Chronicle – (Texas) Armored car guard, robbers in gunfight at SE Houston bank. A pair of masked robbers shot it out with an armored car guard July 25 during an attempted hold-up at a bank in Houston, Texas, authorities said. The robbers pulled up in a truck about 8 a.m. while the Loomis armored car guard was servicing an ATM outside a Bank of America branch on the South Loop near Woodridge, FBI officials said. The two robbers got out and began shooting at the guard, who returned fire. They fled without getting any money, FBI officials said. There were no reported injuries, but FBI officials said they could not confirm whether the robbers were struck by the guard's gunfire. The truck used in the attempted robbery was later found near the scene. It had earlier been reported stolen, officials said. Source:

16. July 25, KGW 8 Portland – (Oregon) 'Ditto Bandit' bank robbery suspect captured. An alert bank employee and a security guard captured the suspect in a string of robberies at a Sellwood, Oregon bank July 25. The employee spotted the 30-year-old walking toward the bank July 25 and recognized him as the man wanted in the three recent robberies, on July 1, July 11 and July 19. The employee alerted the security guard, who took the man into custody, police said. The suspect was booked into the Multnomah County jail on a U.S. Marshals hold, and bank robbery charges were pending. The Sellwood bank that was robbed is located at 8112 Southeast 13th Avenue. Police dubbed this the "Ditto Bandit" case because the robber hit the exact same bank every time. Source:

17. July 25, Minneapolis Star Tribune – (Minnesota) Edina mortgage broker charged in scheme. An Edina, Minnesota mortgage broker was charged July 22 for his role in a $20 million mortgage fraud scheme that involved 57 properties. The 40-year-old man was charged in federal court with one count of conspiracy to commit wire fraud. If convicted, he faces a maximum penalty of 20 years in prison, according to a release issued July 25 by the U.S. attorney's office. He was charged with conspiring with others between 2004 and 2007 to obtain mortgage loan proceeds based on fraudulent documentation. One of his partners in the scheme pleaded guilty to one count of conspiracy to commit wire fraud June 27. According to the charges, unnamed co-conspirators identified and recruited buyers for residential properties. Two of the co-conspirators allegedly told buyers they would receive kickbacks after the property sales closed, and that they could put those payments toward the mortgages or use them to improve the properties. The accused broker allegedly helped prepare and submit false mortgage loan applications, which misrepresented the buyers' true financial situations. The fraudulent documents were used to get loans approved, and loan proceeds were disbursed by wire transfer into the accounts of various title companies. The broker and his co-conspirators then allegedly caused those title companies to disburse some proceeds from each transaction into bank accounts not associated with the property buyers, to conceal the undisclosed kickbacks. According to the charges, the broker received about $200,000 for assisting buyers to secure mortgage loan funding for 26 properties. Source:

18. July 25, – (International) Plan to fight organized crime recognizes growing cyber threats. Presidential administration officials July 25 unveiled a plan to fight global organized crime that says computer crime is a much greater threat today because online networks undergird nearly every illicit network. The 38-page written plan highlights the Web's role in perpetuating and thwarting transnational organized crime. For instance, syndicates orchestrating intellectual property theft, which took up much of the July 25 event, include enterprises that steal proprietary items "through intrusions into corporate and proprietary computer networks," the document noted. Online fraud committed by Central European cybercrime networks is estimated to have robbed Americans of about $1 billion during a 1-year period, the strategy said. "Through cybercrime, transnational criminal organizations pose a significant threat to financial and trust systems — banking, stock markets, e-currency, and value and credit card services — on which the world economy depends," the document stated. But the United States is short on help to track the digital money trail that crooks leave behind with their online transactions, computer addresses, and wireless devices. To bolster domestic crime-fighting forces, the United States wants to coordinate with foreign partners on better computer forensics analysis, as well as on recovering digital evidence for prosecutions, the paper stated. The White House strategy tackles drug trafficking, human smuggling and terrorist financing, among other areas of global conspiracy, and is based on a year-long review that ended in January 2010. It is the first such organized crime study in 15 years. In addition, the agenda includes a new executive order that imposes economic sanctions on syndicates and prohibits Americans from doing business with them. Source:

19. July 25, Waynesville Daily Guide – (Missouri) Former Bank of Crocker loan officer pleads guilty to fraud. The U.S. Attorney for the Western District of Missouri announced July 25 that a Crocker, Missouri man pleaded guilty in federal court to stealing more than $450,000 from the bank where he was employed as a loan officer. The 42-year-old pleaded guilty to an information charging him with bank fraud. From 2004 to 2008, the former loan officer at the Bank of Crocker fraudulently obtained loans, lines of credit, and funds from bank customers' accounts without their knowledge or approval. He did so by making loans to unsuspecting borrowers of the bank and diverting the proceeds to his own personal accounts; drawing on existing bank customers' lines of credit to make payments on his personal accounts, loans and credit cards; issuing cashier's checks for deposit into his personal accounts; and issuing fraudulent letters of credit, which the Bank of Crocker had to guarantee. He admitted to stealing $451,763.46 from multiple bank customers and from the bank itself. Under federal statutes, he is subject to a sentence of up to 30 years in federal prison without parole, plus mandatory restitution and a fine of up to $1 million. Source:

Information Technology Sector

35. July 26, Softpedia – (International) Serious SSL bug patched in iOS. Apple released security updates for its iOS mobile platform to address a serious SSL certificate validation vulnerability that allows attackers to compromise supposedly secure communications. The flaw affects X.509 certificate chain handling and was patched by improving validation in the newly released iOS 4.3.5 for iPhone (GSM), iPod touch and iPad, and iOS 4.2.10 for iPhone (CDMA). "A certificate chain validation issue existed in the handling of X.509 certificates. An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS," Apple wrote in its advisory; in other words, a man-in-the-middle on the network path could present a certificate the device wrongly accepted. "Other attacks involving X.509 certificate validation may also be possible," the iDevice maker noted. The vendor credits researchers from Recurity Labs and Trustwave's SpiderLabs with discovering the flaw. Because of the serious impact this vulnerability can have on privacy, users were encouraged to upgrade to the new iOS versions as soon as possible. Source:
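The advisory quoted above says only that "a certificate chain validation issue" existed. The added example below (not Apple's code, not from the researchers, and not a claim about the exact defect Apple fixed) shows what a correct chain check has to refuse, using the best-known failure of this class: accepting a certificate that was signed by an ordinary end-entity certificate rather than by a CA. It builds a throwaway root CA, issues an honest server certificate for the assumed name shop.example.com, then has that server's key sign a second certificate for the assumed name www.bank.example.com, which is what an attacker in a "privileged network position" would present. All names, serial numbers and validity periods are invented for the demonstration; Go's standard-library verifier is used as the reference implementation of the rule (RFC 5280 section 4.2.1.9) that a certificate without the cA basic constraint may not sign other certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newTemplate builds a minimal certificate template. CA certificates get the
// cA basic constraint and the keyCertSign key usage; end-entity certificates
// get neither, which is exactly what a correct chain check must enforce.
// Names and serial numbers are placeholders for this demonstration.
func newTemplate(serial int64, cn string, isCA bool, dns ...string) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              ku,
		DNSNames:              dns,
	}
}

// issue generates a fresh P-256 key for tmpl and has parent sign the
// certificate with parentKey. A nil parent means self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Scenario models the attack an unchecked chain allows: the holder of an
// ordinary server certificate (shop.example.com) uses its key to sign a
// second certificate for a host it does not own (www.bank.example.com).
// It returns the verification error for the honest leaf (expected nil) and
// for the rogue certificate (expected non-nil).
func Scenario() (legitErr, rogueErr error) {
	root, rootKey, err := issue(newTemplate(1, "Demo Root CA", true), nil, nil)
	if err != nil {
		return err, err
	}
	leaf, leafKey, err := issue(newTemplate(2, "shop.example.com", false, "shop.example.com"), root, rootKey)
	if err != nil {
		return err, err
	}
	rogue, _, err := issue(newTemplate(3, "www.bank.example.com", false, "www.bank.example.com"), leaf, leafKey)
	if err != nil {
		return err, err
	}

	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(leaf) // the attacker sends its own leaf along as an "intermediate"

	_, legitErr = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: "shop.example.com"})
	_, rogueErr = rogue.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "www.bank.example.com"})
	return legitErr, rogueErr
}

func main() {
	legit, rogue := Scenario()
	fmt.Println("honest leaf:", legit)       // nil: chains to the root
	fmt.Println("leaf-signed rogue:", rogue) // non-nil: the leaf is not a CA
}
```

The point of the second Verify call is that every signature in the rogue chain is cryptographically valid; the chain is only wrong because the middle certificate lacks the cA constraint and keyCertSign usage. A validator that checks signatures and names but skips the basic-constraints check accepts the rogue certificate, and with it any host name the attacker chooses.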

36. July 26, The Register – (International) Phishers go after your Google AdWords account. Cyber criminals launched a "Google AdWords" phishing campaign to try to trick users into disclosing log-in credentials to a fake, newly registered Web site. Spam messages promoting the ruse falsely claim a recipient's campaign has been stopped and that they need to log in to their "Adwords account" to reactivate it. The widely distributed spam messages link to a realistic replica of the Google AdWords page, net security firm Sophos warned. The dodgy site, google-oa(dot)net, was registered the week of July 25. Google AdWords accounts normally use the same log-in credentials as other associated Google accounts (Gmail, Google Docs, etc.), so the fraudsters behind the scam may be just as interested in those accounts as in access to Google AdWords itself. Source:

37. July 26, H Security – (International) Apple details iWork 9.1 security fixes. Five days after it was released, Apple provided details of the security-related changes in iWork 9.1, also referred to as "iWork Update 6." As well as adding support for Mac OS X 10.7 Lion, the latest update to the iWork '09 office suite, comprising Pages (documents), Numbers (spreadsheets), and Keynote (presentations), addresses three security holes. According to Apple, buffer overflow and memory corruption issues in Numbers could be used by an attacker to crash the application or execute arbitrary code. A memory corruption bug in Pages when handling Microsoft Word documents that could lead to arbitrary code execution has also been fixed. For an attack to succeed, a victim must first open a specially crafted malicious Excel or Word file. Two of the vulnerabilities were reported by researchers working with TippingPoint's Zero Day Initiative and by a researcher working with VeriSign iDefense Labs. Versions 9.0 to 9.0.5 are affected. Source:

38. July 25, threatpost – (International) New Mac backdoor Olyx found bundled with Windows malware. Security researchers discovered a new piece of malware that targets Mac OS X users and installs a remote-control backdoor on compromised machines. The malware, called Olyx, was discovered in a package that also contained Windows malware. Researchers said the Mac backdoor is remarkably similar to the Gh0st RAT used in the GhostNet attacks in 2009. The Olyx backdoor was discovered by researchers at Microsoft, who found it paired with a malicious Windows executable in a package called "PortalCurrent events-2009 July 5(dot)rar." Upon analyzing the package, researchers found two files: the Olyx backdoor targeting Mac users, and an executable called "Video-Current events 2009 July 5(dot)exe." That executable is signed with a valid digital certificate issued by a Chinese company. The certificate, which was valid at the time the file was signed, has since been revoked, Microsoft said. The second binary, a Mach-O file called "Current events 2009 July 5," targets Mac OS X users, the researchers said. They noted it installs and runs in the background without root or administrator privileges. It disguises itself as a Google application support file by creating a folder named "google" in the /Library/Application Support directory, where the backdoor installs as "startp." It also keeps a copy in the temporary folder as "google.tmp." It creates a launch agent (the file name is not given in the report) in /Library/LaunchAgents "to ensure that it launches the backdoor only once when the user logs in — this applies to all accounts on the system," the researchers added. "The backdoor initiates a remote connection request to an IP address, where it continues to make attempts until established." Once the compromised machine is able to connect to the remote server, the attacker has the ability to download new files to the Mac, upload data stored on the machine, and move through its file system. Source:
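The install paths in the Microsoft description above are usable as host indicators. The added scanner below (written for this page; not Microsoft's tooling and not code from the malware) checks a volume for the three artifacts the report names: the "startp" body under a fake google folder in /Library/Application Support, the spare "google.tmp" copy in the temporary folder, and a system-wide launch agent that points at startp. Since the report does not give the launch agent's file name, the scanner matches agents by content rather than by name. Paths are joined to a caller-supplied root so it can be run against a mounted or copied volume as well as a live system; BuildSample writes a constructed tree (placeholder contents, placeholder agent name com.example.sample.plist) so the scan can be exercised offline.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// Finding records one matched indicator.
type Finding struct {
	Path   string
	Reason string
}

// Relative paths taken from the Microsoft description of Olyx quoted above.
// On macOS /tmp is a symlink to /private/tmp, so both are checked when the
// scan runs against a copied volume.
const (
	olyxBody    = "Library/Application Support/google/startp"
	olyxTmpCopy = "google.tmp"
	agentsDir   = "Library/LaunchAgents"
)

func isFile(p string) bool {
	fi, err := os.Stat(p)
	return err == nil && fi.Mode().IsRegular()
}

// ScanOlyx checks the volume rooted at root for the indicators above and
// returns every match. root = "/" scans the running system.
func ScanOlyx(root string) []Finding {
	var out []Finding
	if p := filepath.Join(root, olyxBody); isFile(p) {
		out = append(out, Finding{p, "backdoor installed as 'startp' under a fake Google support folder"})
	}
	for _, t := range []string{"tmp", "private/tmp"} {
		if p := filepath.Join(root, t, olyxTmpCopy); isFile(p) {
			out = append(out, Finding{p, "spare copy kept in the temporary folder"})
		}
	}
	// The report does not name the launch agent, so match on content: any
	// agent in the system-wide directory (loaded at login for every account)
	// whose program path is the startp binary.
	entries, err := os.ReadDir(filepath.Join(root, agentsDir))
	if err == nil {
		for _, e := range entries {
			if !e.Type().IsRegular() || !strings.HasSuffix(e.Name(), ".plist") {
				continue
			}
			p := filepath.Join(root, agentsDir, e.Name())
			data, err := os.ReadFile(p)
			if err == nil && strings.Contains(string(data), "/"+olyxBody) {
				out = append(out, Finding{p, "launch agent pointing at startp"})
			}
		}
	}
	return out
}

// BuildSample writes a constructed tree under root that reproduces the layout
// described in the report. File contents and the agent's file name are
// placeholders; nothing here is the real malware.
func BuildSample(root string) error {
	files := map[string]string{
		olyxBody:                               "placeholder, not a real binary",
		"tmp/" + olyxTmpCopy:                   "placeholder, not a real binary",
		agentsDir + "/com.example.sample.plist": "<plist><dict><key>ProgramArguments</key><array><string>/" + olyxBody + "</string></array></dict></plist>",
	}
	for rel, body := range files {
		p := filepath.Join(root, rel)
		if err := os.MkdirAll(filepath.Dir(p), 0o755); err != nil {
			return err
		}
		if err := os.WriteFile(p, []byte(body), 0o644); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	root := "/"
	if len(os.Args) > 1 {
		root = os.Args[1] // e.g. the mount point of an evidence image
	}
	findings := ScanOlyx(root)
	if len(findings) == 0 {
		fmt.Println("no Olyx indicators found under", root)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Path, f.Reason)
	}
}
```

A hit on the launch agent alone is the most reliable of the three, since the body and temp copy are trivially renamed in a later build; conversely, the absence of all three says nothing about variants that choose different paths.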

39. July 25, IDG News Service – (International) Intel acknowledges SSD 320 bug, plans firmware upgrade. Intel July 24 acknowledged that a bug could cause its SSD 320 solid-state drives to fail, and said a firmware upgrade is on its way to address the problem. In some instances, a power loss may cause Intel's SSD 320 drives to crash and lose data. On rebooting, the system BIOS could report the SSD as having only 8MB of storage capacity. Two weeks earlier, Intel said the error was possibly a bug and that the issue was being investigated. "Intel has reproduced 'Bad Context 13x Error' utilizing strenuous testing methods," an Intel spokeswoman said. "This 'Bad Context 13x Error' can be addressed via a firmware update and Intel is in the process of validating the firmware update. A future update will define the schedule to deliver the firmware fix." Source:

40. July 25, Help Net Security – (International) SecurID users targeted by fake NSA email. RSA's SecurID token users have been targeted with fake e-mails supposedly coming from the U.S. National Security Agency (NSA) urging them to update their token code. The address from which the e-mails are sent has been spoofed and reads "protection@nsa(dot)," but the malicious links offered take the victim to the national-security-agency(dot)com domain, which, according to Cyveillance, was registered only the day before the spam run started. "A critical vulnerability has been discovered in a certain types of our token devices," warns the e-mail, counting on the fact that the user is already aware of the RSA hack earlier in 2011 and its implications for the security of the company's SecurID tokens. The authors of the e-mail also appropriated the NSA and Central Security Service logos to give the warning an appearance of legitimacy. But it appears they did not pay attention to the construction of the text itself, which contains several spelling mistakes. Cyveillance did not say explicitly what the "security token update" offered for download is, but it is likely a malicious executable. Source:
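Items 36 and 40 share a pattern: the sender and the branding claim one organization while every link in the body resolves to a freshly registered look-alike domain. The added example below (written for this page; not Cyveillance's, Sophos's or Google's tooling) implements that triage check over raw RFC 822 text: it parses the From: header, extracts every URL in the body, and flags link hosts whose registrable domain differs from the sender's. The sample messages are constructed: the lure reuses the look-alike domain named in item 40 but with an invented path and an invented placeholder sender mailbox (the report elides the real one), and the benign comparison message uses the placeholder domain shop.example. The two-label "registrable domain" reduction is a deliberate simplification that ignores the public suffix list.

```go
package main

import (
	"fmt"
	"io"
	"net/mail"
	"net/url"
	"regexp"
	"strings"
)

// SampleLure is a constructed message modelled on the SecurID lure described
// above. The sender mailbox, wording and URL path are placeholders; only the
// look-alike domain comes from the report.
const SampleLure = "From: \"NSA Protection\" <protection@nsa.example>\r\n" +
	"To: user@contractor.example\r\n" +
	"Subject: Security token update\r\n" +
	"Content-Type: text/plain\r\n\r\n" +
	"A critical vulnerability has been discovered in your token device.\r\n" +
	"Download the update: http://national-security-agency.com/token-update.\r\n"

// SampleLegit is a constructed benign message whose links stay on the
// sender's own domain.
const SampleLegit = "From: \"Shop Billing\" <billing@shop.example>\r\n" +
	"To: user@contractor.example\r\n" +
	"Subject: Your invoice\r\n\r\n" +
	"View it at https://www.shop.example/account or read https://shop.example/help\r\n"

// Report is the triage result for one message.
type Report struct {
	SenderDomain string   // domain the From: header claims
	LinkHosts    []string // distinct hosts the body links to, in order seen
	Mismatched   []string // link hosts outside the sender's registrable domain
}

var urlRe = regexp.MustCompile(`(?i)\bhttps?://[^\s"'<>]+`)

// registrable reduces a host to its last two labels. This ignores the public
// suffix list (co.uk and friends), which is acceptable for a first-pass check.
func registrable(host string) string {
	labels := strings.Split(host, ".")
	if len(labels) <= 2 {
		return host
	}
	return strings.Join(labels[len(labels)-2:], ".")
}

// AnalyzeLure parses a raw message and compares its claimed sender domain with
// the hosts its body links to.
func AnalyzeLure(raw string) (Report, error) {
	msg, err := mail.ReadMessage(strings.NewReader(raw))
	if err != nil {
		return Report{}, err
	}
	from, err := mail.ParseAddress(msg.Header.Get("From"))
	if err != nil {
		return Report{}, err
	}
	at := strings.LastIndex(from.Address, "@")
	if at < 0 {
		return Report{}, fmt.Errorf("no domain in From address %q", from.Address)
	}
	rep := Report{SenderDomain: strings.ToLower(from.Address[at+1:])}
	body, err := io.ReadAll(msg.Body)
	if err != nil {
		return Report{}, err
	}
	seen := map[string]bool{}
	for _, m := range urlRe.FindAllString(string(body), -1) {
		u, err := url.Parse(strings.TrimRight(m, ".,;)")) // drop trailing punctuation
		if err != nil || u.Hostname() == "" {
			continue
		}
		h := strings.ToLower(u.Hostname())
		if seen[h] {
			continue
		}
		seen[h] = true
		rep.LinkHosts = append(rep.LinkHosts, h)
		if registrable(h) != registrable(rep.SenderDomain) {
			rep.Mismatched = append(rep.Mismatched, h)
		}
	}
	return rep, nil
}

func main() {
	for _, raw := range []string{SampleLure, SampleLegit} {
		rep, err := AnalyzeLure(raw)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("sender %s, links %v, mismatched %v\n", rep.SenderDomain, rep.LinkHosts, rep.Mismatched)
	}
}
```

The mismatch list is what an analyst would then enrich with WHOIS creation dates; both campaigns above used domains registered within days of the spam run, so a mismatched host that is also only a few days old is a strong signal. A spoofed From: passes this check by construction, which is why the comparison is made against the links rather than against the display name.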

Communications Sector

41. July 26, Leavenworth Times – (Kansas) Repair of damaged radio tower to be delayed. One way or another, the Leavenworth County Commission in Kansas said July 25 it would like to fix a communication tower recently damaged during a thunderstorm. But the commission said it would like to wait to actually get those repairs under way while its insurance company considers a claim related to the damage. The county director of buildings and grounds said the tower in DeSoto, Kansas, which is part of the Leavenworth County public safety communication system through an agreement with Johnson County, was thought to have been struck by lightning during the storms of July 12. That strike caused the tower's generator to get stuck in the "on" position, which in turn burned out the starter and damaged other electronics, he said. Since then, he said, the Kansas Department of Transportation (KDOT) has investigated and surveyed the damage. The repair was estimated to take about 8 weeks, he said, while replacement could take as little as 2 weeks. Given that the tower is part of the emergency communications grid, the county commissioner said he would rather replace the generator immediately. The county counselor suggested the county still make the tower fully operational "as soon as possible" to avoid potential liability should an incident occur because of the damage. The undersheriff said the tower was operational and will remain so as long as it has access to electricity; if the power should go out, he said he was confident the nearest towers, in Tonganoxie and Bonner Springs, could provide nearly complete coverage in the southern portion of the county. He said the service provider for the communication system, Motorola, was inspecting the tower to ensure it was properly grounded. Source:

42. July 25, Cincinnati Enquirer – (Ohio) Lightning sets off warning signals, hits Union Twp. communications center. Some warning sirens went off July 24 in Union Township, Ohio, for the second time in a week without being activated. Lightning struck two towers in Union Township, activating the sirens and disrupting the Union Township Communications Center, the Clermont County Communications Center director said. The towers struck were one in Mt. Carmel at Ohio 32 and the one on top of the Union Township Communications Center. The sirens went off about 4:45 p.m. The same thing happened July 20, the communications director said. That incident was also caused by lightning striking towers in and around Union Township, but the exact ones have not been determined. Crews will be inspecting the towers the week of July 25 to make sure all the equipment is properly protected, he said. "It appears we suffered a lightning strike to the community center," a lieutenant with the Union Township Police Department said. When the strike happened, the backup systems maintained operations while the whole system rebooted, he said. Residents should not have noticed any disruption in service. The communications center suffered minimal damage, the lieutenant said. Officials were assessing operations and equipment July 25, but daily operations were normal. Source:

43. July 25, Associated Press – (Nebraska) Prairie dogs chewed through cable, causing phone, internet outage in western Nebraska. Prairie dogs got the blame for an Internet and phone outage in western Nebraska July 25. Officials with Charter Communications said prairie dogs apparently chewed through some buried fiber optic cable about 2 miles away from Ogallala. The problem was discovered July 25. A spokeswoman told KNEB radio in Scottsbluff that there were hundreds of prairie dog mounds in the area, and it took time to find the cut and get it repaired. Service was rerouted and repairs were completed about 7 hours later. Source:
