Tuesday, September 20, 2011

Complete DHS Daily Report for September 20, 2011

Daily Report

Top Stories

• Dozens of employees at Honolulu's airport were fired or suspended after an investigation found workers did not screen checked bags for explosives, the Transportation Security Administration said. – Associated Press (See item 24)

24. September 17, Associated Press – (Hawaii) TSA fires 28 Honolulu bag screeners after probe. Dozens of employees at Honolulu's airport were fired or suspended after an investigation found workers did not screen checked bags for explosives, the Transportation Security Administration (TSA) said September 16. The firings and suspensions amounted to the single largest personnel action for misconduct in the federal agency's history. The TSA said in a statement that 28 workers were "removed," 15 suspended, and 3 resigned or retired. The cases of two other employees were still being decided. The agency began an investigation at the end of 2010 after two Honolulu employees told officials that thousands of bags were not checked properly or screened for traces of explosives. The probe, which included interviews with more than 100 employees, determined that some checked bags during one shift at the airport were not properly screened. In June 2011, the TSA placed 36 of the workers on paid administrative leave as it began the process of firing them. It also suspended 12 workers at that time. The Honolulu airport has 750 TSA employees. Source: http://www.msnbc.msn.com/id/44557230/ns/travel/#.TndCq-x3jTo

• National Transportation Safety Board officials are investigating the cause of a stunt plane crash that killed 10 people and injured at least 70 at an air show September 16 in Reno, Nevada. – ABC News (See item 52)

52. September 19, ABC News – (Nevada) Nevada air race crash death toll rises. A 10th person has died from injuries sustained when a stunt plane crashed at the Reno Air Race near Reno, Nevada September 16. At least 70 people were injured in the crash. News of the death came as investigators turned their attention to the pilot who may have been unconscious when his World War II-era P-51 Mustang smashed into a crowd of spectators, killing him and nine others. He was traveling at 500 miles per hour when he crashed, killing fans seated in the VIP seats on the tarmac. Witnesses said that as the P-51 Mustang Galloping Ghost rounded the final clubhouse turn, something dropped off the tail of the plane, and that that may have been what caused the problem. In one of the final photos taken before the crash, half of a sliver piece of metal — crucial for the aircraft to maintain balance — appeared to be missing. Investigators said that they recovered a damaged "elevator trim tab" among the debris. The pilot's age and medical history may also prove relevant to their investigation, according to National Transportation Safety Board (NTSB) officials. They said that the Reno-Tahoe Airport Authority is resuming operations at the airport where the crash occurred, and that on-scene public affairs officials would be returning to Washington, D.C. Officials said that the airplane had a recording system, and a box containing memory cards was found at the scene of the crash. Investigators said they had analyzed the cards to see if there was any footage that could explain what happened. One NTSB member said that investigators recovered a "tremendous amount of material" at the scene. Source: http://abcnews.go.com/US/reno-air-race-crash-tenth-person-dies/story?id=14552222


Banking and Finance Sector

17. September 19, Reuters – (International) SEC alleges insider trading in Global Industries. The U.S. Securities and Exchange Commission (SEC) September 16 filed an insider trading lawsuit in connection with the recent purchase of U.S. underwater oil services company Global Industries Ltd. by France's Technip SA. According to the complaint, the unnamed defendants bought Global shares on the 2 trading days immediately before Technip on September 12 said it would buy the company for $8 per share, a 55-percent premium. The defendants realized $1.73 million of illegal profit by then selling their shares, according to the complaint. The SEC said the purchases were made through an account in the name of Austria's Raiffeisen Bank International AG held at broker-dealer Brown Brothers Harriman & Co. It said the purchases accounted for about 10 percent of daily trading volume in Global, though there was no major publicly available news about the Louisiana-based company. This "suggests that the information was obtained as a result of breaches of fiduciary duty," the SEC said. The complaint seeks to force the defendants to give up their illegal profit and pay civil fines. Source: http://www.chicagotribune.com/business/sns-rt-us-sec-insidertrading-globalindustriestre78i2tr-20110919,0,4100864.story

18. September 17, Associated Press – (Mississippi) 2 convicted for possessing fake credit cards. A federal jury in Mississippi September 16 convicted two men from Miami for possession of about 91 counterfeit credit cards. A U.S. attorney said September 16 that a 54-year-old and a 23-year-old will be sentenced December 13. Each faces up to 10 years in prison, and a $250,000 fine. Vicksburg Police arrested the men March 2 after a traffic stop. The false credit cards, found in their car, were embossed with account numbers that did not belong to the persons named on the face of the cards. Source: http://www.chron.com/news/article/2-convicted-for-possessing-fake-credit-cards-2175623.php

19. September 17, St. Petersburg Times – (Florida) Man arrested in Holiday ATM 'skimming' case at Bank of America. All authorities had was a "pretty good picture" of a dark-haired man suspected of putting a "skimming" device on an ATM in Holiday, Florida to steal financial information from unsuspecting customers. As it turned out, the photo, taken last month by a Bank of America surveillance camera, was all they needed. Detectives identified their suspect, and at 3:30 a.m. September 12, officers in Destin arrested a 23-year-old man from the country of Moldova they think was involved in a fraud operation that could have victimized residents across the state. The suspect faces charges of organized fraud, two counts of criminal use of personal identification information, three counts of possession of a scanning device, and four counts of grand theft. Bank workers had discovered scratches and gluey residue on the ATM August 26. An investigation showed that over several nights in August, a thief or thieves placed a device — called a skimmer — on the ATM to read and copy card numbers. Such data is then transferred onto cloned credit cards, and used to withdraw cash at other ATMs. Officials said last month that 44 victims had been identified so far, with more than $26,000 stolen from their Bank of America accounts. Source: http://www.tampabay.com/news/publicsafety/crime/man-arrested-in-holiday-atm-skimming-case-at-bank-of-america/1191920

20. September 16, Federal Bureau of Investigation – (Illinois) Former Jerseyville bank vice president convicted. A 56-year-old Jerseyville, Illinois woman pled guilty in federal court in East St. Louis to bank fraud, a U.S. attorney for the Southern District of Illinois announced September 16. The bank fraud took place from at least 2003 through January 2011 in Jersey County, Illinois. The offense carries a maximum penalty of up to 30 years’ imprisonment and/or a fine of $1 million, 5 years’ supervised release, and mandatory restitution. The charge also includes a forfeiture allegation seeking property and proceeds traceable to the violation, which includes the convict's residence, two condominiums, a boat, vehicles, and bank stock. In her guilty plea, she admitted she electronically transferred funds from the bank’s corresponding accounts to her own accounts, inflated expenses to a prepaid expense account, took money from a certificate of deposit account, and concealed the money in the bank’s general ledger. To perpetuate the scheme, she provided false data in monthly reports to the board. She additionally provided false information to federal examiners, and to state bank examiners. The convict had been employed by the Jersey State Bank since about 1976. During her employment she held various positions including assistant cashier, a director of the bank holding corporation, and executive vice president. Her responsibilities included being in charge of the bank’s general ledger and corresponding accounts, and she provided regular reports to the president and board members as to the bank’s assets, stability and financial soundness. It is reported that about $4.4 million was embezzled from the bank. Source: http://7thspace.com/headlines/394301/former_jerseyville_bank_vice_president_convicted.html

21. September 16, Infosecurity – (National) FBI probes over 400 cases of corporate bank account cyberjacking. The FBI is currently investigating over 400 reported cases of corporate banking account takeovers in which cybercriminals have initiated unauthorized automated clearing house (ACH) and wire transfers from U.S.-based organizations, an FBI official told a U.S. House panel the week of September 12. Through this method, cybercriminals have attempted to steal over $255 million and have actually stolen around $85 million, the assistant director of the FBI’s cyber division told a House subcommittee on financial institutions and consumer credit. He explained that these cyberattacks are usually carried out through targeted phishing e-mails that contain either malware, or a link to a malware-laden Web site. The phish targets a person within the company who can initiate fund transfers on behalf of the business or institution. “Once the recipient opens the attachment or navigates to the Web site, malware is installed on the user’s computer, which often includes a keylogging program that harvests the user’s online banking credentials. The criminal then either creates another account or directly initiates a funds transfer masquerading as the legitimate user. The stolen funds are often then transferred overseas”, he explained. The targets of these phishing attacks are small and medium-sized businesses, local governments, school districts, and healthcare providers, he noted. Source: http://www.infosecurity-us.com/view/20810/

For another story, see item 45 below in the Information Technology Sector

Information Technology Sector

44. September 19, The Register – (International) Go Daddy mass hack points surfers towards malware. Hundreds of Go Daddy Web sites were compromised to point towards a site hosting malware the weekend of September 17 and 18. The mass hack of around 445 sites involved the injection of hostile code into the .htaccess files. Go Daddy quickly removed the hostile code before working with its customers to take back full control of the sites, which were reportedly compromised by a password hack. Go Daddy’s chief information security officer told Domain Name Wire: "The accounts were accessed using the account holder’s username and password." It was unclear how the passwords needed to pull off the attack were obtained, but some sort of targeted phishing attack is one possibility. Go Daddy's investigation into the attack continues, but the chief suggested the blame for the mass hack was outside Go Daddy's control. Source: http://www.theregister.co.uk/2011/09/19/go_daddy_mass_compromise/

45. September 19, threatpost – (International) New attack breaks confidentiality model of SSL, allows theft of encrypted cookies. Two researchers developed a new attack on TLS 1.0/SSL 3.0 that enables them to decrypt client requests on the fly and hijack supposedly confidential sessions with sensitive sites such as online banking, e-commerce, and payment sites. The attack breaks the confidentiality model of the protocol, and is the first known exploitation of a long-known flaw in TLS, potentially affecting the security of transactions on millions of sites. The attack will be presented at the Ekoparty conference in Argentina September 23, and, unlike many other attacks on TLS and SSL, it has nothing to do with the certificate trust model in the protocol. Instead, the researchers developed a tool called BEAST that enables them to grab and decrypt HTTPS cookies from active user sessions. The attack can even decrypt cookies that are marked HTTPS only from sites that use HTTP Strict Transport Security, which forces browsers to communicate over TLS/SSL when it is available. Source: http://threatpost.com/en_us/blogs/new-attack-breaks-confidentiality-model-ssl-allows-theft-encrypted-cookies-091611

46. September 19, Softpedia – (International) Rogue certificates used in spam campaigns. After the scandal formed around DigiNotar, spammers sent bank business clients e-mails informing them their certificates have expired, urging them to click on a link to solve the issue. Most Internet browsers and applications banned DigiNotar certificates, an episode that created confusion. According to SC Magazine, numerous security researchers discovered e-mails that tried to fool unsuspecting users into thinking something was wrong with their certificates, thus making them access a Web site to fix the problem. When a link was clicked, a page containing an exploit kit was accessed and the system became completely compromised. "Once the browser visits that site, a series of attacks begin which can result in the download of Trojan.Buzus," revealed Barracuda Networks security researchers. In the monitoring period in which they kept a close watch on that virus, they realized besides stealing log-in information, the malware also opened a backdoor, giving hackers access to the infected device. As a researcher from Websense Security Labs mentioned, it appears this Blackhole exploit kit has not been used a lot. He explained the threat consists of a .scr file that delivers the exploits, also stating that "This is not a targeted attack in an advanced persistent threat style, but it looks like a phishing e-mail, but this is much more sinister as it delivers an exploit kit and not a standard phish." Source: http://news.softpedia.com/news/Rogue-Certificates-Used-in-Spam-Campaigns-222232.shtml

47. September 17, Softpedia – (International) Induc virus returns and it's more dangerous than ever. A more aggressive version of the 2009 Win32.Induc.A virus has been seen in the wild and, unlike its predecessor, this one sets out to take over all executable files, spreading malware and opening gateways on the computers it infects. The new virus is called Win32.Induc.P and Malware City calls it “the most innovative to come out so far this year.” While the A version only infects compiled applications and especially targets Delphi compilers, the P variant attacks not just those, but others such as RAD Studio development suites. Right from the beginning, the virus tries to compromise all the executable files it finds in its way, from one computer to the other, using any means it can try. The downloader integrated into the core of the malware tries to access external addresses immediately after the infected files are run, downloading even more malicious elements onto the infected system. Bitdefender discovered a keylogger and a backdoor application that allow cybercriminals to completely take over the victim device. The virus infects a user's entire system in a Jeefo kind of way, but the damage caused can lead to more disastrous outcomes. Software developers appear to be the most vulnerable as they might end up with freshly compiled compromised applications that they consider to be clean. Also, while performing application updates, RAD Studio and Delphi users might open malware download portals. Source: http://news.softpedia.com/news/Induc-Virus-Returns-and-It-s-More-Dangerous-Than-Ever-222146.shtml

48. September 16, Computerworld – (International) Google patches 32 Chrome bugs, revs browser to v.14. Google patched 32 vulnerabilities in Chrome September 16, as it upgraded the stable edition of the browser to version 14. Fifteen of the 32 vulnerabilities were rated "high," the second-most-serious ranking in Google's four-step scoring system, while 10 were pegged "medium," and the remaining 7 were marked "low." None of the flaws were ranked "critical," the category usually reserved for bugs that may allow an attacker to escape Chrome's anti-exploit sandbox. Six of the vulnerabilities rated high were identified as "use-after-free" bugs, a type of memory management flaw that can be exploited to inject attack code, while seven of the bugs ranked medium were "out-of-bounds" flaws, including a pair linked to foreign language character sets used in Cambodia and Tibet. Source: http://www.computerworld.com/s/article/9220094/Google_patches_32_Chrome_bugs_revs_browser_to_v.14

For another story see item 21 above in the Banking and Finance Sector

Communications Sector

49. September 16, Saratoga Springs Saratogian – (New York; Massachusetts) Telephone service interrupted for thousands. Service has been restored to Cornerstone Telephone customers in the Troy, New York area, following an outage that lasted about 2.5 hours September 16. Cornerstone, which is based in Troy, serves more than 14,000 voice customers in New York and Massachusetts. A spokeswoman for the company said the outage affected a small portion of their customers. She said the problem occurred when a carrier for the company experienced an outage. Phone service went out at about 12:35 p.m., and was restored at 3 p.m. Source: http://saratogian.com/articles/2011/09/16/news/doc4e73aabd8f971044527628.txt
