Thursday, November 3, 2011

Complete DHS Daily Report for November 3, 2011

Daily Report

Top Stories

• Federal prosecutors sued Allied Home Mortgage Corp. and two of its officers, claiming one of the nation’s largest lenders committed serial frauds that could result in $1 billion in losses. – Courthouse News Service (See item 12 below in the Banking and Finance Sector)

• Four men in Georgia were charged with planning to use the lethal toxin ricin to attack government buildings and employees in several cities. – Associated Press (See item 33)

33. November 2, Associated Press – (National; Georgia) 4 men in Ga. accused of planning ricin attacks. Four men in Georgia intended to use an online novel as a script for a real-life wave of terror and assassination using explosives and the lethal toxin ricin, according to court documents. Federal agents raided their north Georgia homes November 1 and arrested them on charges of conspiring to plan the attacks. The four men are scheduled to appear in court November 3. Relatives of two of the men said the charges were baseless. Court documents accused the men of trying to obtain an explosive device and a silencer to carry out targeted attacks on government buildings and employees. Two of the men are also accused of trying to seek out a formula to produce ricin, a biological toxin that can be lethal in small doses. One suspect discussed ways of dispersing ricin from an airplane in the sky over Washington D.C., court records state. Another suspected member of the group intended to use the plot of an online novel as a model for plans to attack U.S. federal law officers and others, authorities said. Court documents state the 73-year-old man told others he intended to model their actions on the online novel “Absolved,” which involves small groups of citizens attacking U.S. officials. Investigators said the four men took several concrete steps to carry out their plans. One suspect is accused of driving to Atlanta with a confidential informant to scope out federal buildings that house the IRS and other agencies. He and another suspect also arranged to buy what they thought was an explosive device and a silencer from an undercover agent. The men were arrested days after a lab test confirmed they had trace amounts of ricin in their possession, authorities said. Court records indicate at least two of the suspects are former federal employees. Prosecutors say one suspect said he would like to make 10 pounds of ricin and simultaneously place it in several U.S. cities. Source:


Banking and Finance Sector

11. November 2, Arlington Heights Daily Herald – (Illinois) Ex-Crystal Lake man charged in $34 million Ponzi scheme. A former Crystal Lake, Illinois man has been charged as a new defendant in a pending Ponzi scheme case that caused losses of about $34 million, authorities said November 1. The man now joins a co-defendant to face charges the two tricked about 400 victims into investing more than $105 million to fund their scheme, authorities said. According to a federal indictment, the man acted as a sales agent and trader for a dozen investment funds operated in the U.S. Virgin Islands under the title of “Kenzie Funds.” He and his co-defendant misused the money they raised for their own benefit, and to make Ponzi-type payments totaling about $71 million to certain investors, the U.S. attorney’s office said. The men informed investors their money would be used primarily in foreign currency trading, and that Kenzie Funds had never lost money and had achieved profitable historical returns, according to the indictment. Between 2004 and July 2010, the defendants misappropriated a large part of the $105 million. The man was charged with 10 counts of mail fraud and six counts of filing false individual and corporate income tax returns, while his co-defendant is facing 10 counts of mail fraud. The indictment seeks forfeiture against both men of about $34 million. The man was also charged with six counts of filing false federal income tax returns between 2005 and 2007. Source:

12. November 2, Courthouse News Service – (National) Allied Mortgage fraud could cost taxpayers $1 billion, USA says. Federal prosecutors sued Allied Home Mortgage Corp. and two of its top officers November 1, claiming one of the nation’s largest privately held mortgage lenders committed serial frauds that cost taxpayers hundreds of millions of dollars, and cost thousands of people their homes. More than 30 percent of the 110,000 Federal Housing Administration (FHA) mortgages Allied originated in the past decade are in default, and the default rate for loans in 2006-07 climbed to 55 percent, prosecutors said. The FHA has paid $834 million “for mortgages originated and fraudulently certified by Allied that are now in default,” the U.S. attorney’s office said in announcing the lawsuit. “An additional 2,509 loans are currently in default but not yet in claims status, which could result in additional insurance claims paid by the HUD [U.S. Department of Housing and Urban Development] amounting to $363 million.” The nine-count complaint claims Allied, its CEO, and executive vice president (VP) and compliance director, defrauded the government and taxpayers by “knowingly and intentionally submit(ing) false loan certifications to the HUD by originating FHA loans out of shadow branches;” made false statements to HUD; made false annual certifications to HUD; made false branch certifications to HUD; violated the False Claims Act; and made false loan certifications to HUD. “Allied’s concealed corruption continued in part because [the CEO] persistently monitored and intimidated senior managers and other employees,” prosecutors claim. 
“[He] also required employees to sign extremely broad confidential agreements and has sued numerous former employees for the slightest perceived breach, including a former tax manager for speaking to the IRS.” Prosecutors said Allied ran hundreds of “shadow,” unapproved branch offices that originated FHA loans, and deceived the HUD by using the ID number of a HUD-approved branch on the applications. Source:

13. November 2, Middletown Times Herald-Record – (New York) Bank evacuated after staff gets ill; cause unknown. One person was taken to the hospital in Montgomery, New York, November 1 after multiple people at a Key Bank complained of dizziness, nausea, and headaches, town police said. At around 3:20 p.m., a Montgomery police lieutenant said he received a complaint of people feeling ill at the Key Bank at 1031 Route 17K. When police arrived, two bank tellers and a manager said they felt dizzy and nauseous. The officer on scene at the bank also began getting a headache. The bank was evacuated and cordoned off, the lieutenant said. One person was sent to St. Luke’s Cornwall Hospital complaining of dizziness and a headache, and another refused treatment. An Orange County haz-mat team checked carbon monoxide levels, but they were not sure of what caused the illnesses. Source:

14. November 1, U.S. Department of Treasury – (National) The passage of late legislation and incorrect computer programming delayed refunds for some taxpayers during the 2011 filing season. According to a report released November 1 by the Treasury Inspector General for Tax Administration, as of April 30, 2011, the IRS had identified 775,723 tax returns with $4.6 billion claimed in fraudulent refunds and prevented the issuance of $4.4 billion (96 percent) of those fraudulent refunds. The IRS also selected 199,854 tax returns filed by prisoners for fraud screening, a 256 percent increase compared to last year. However, the IRS review found implementing some legislative provisions such as the First-Time Homebuyer Credit, Adoption Credit, Nonbusiness Energy Property Credits, and Plug-in Electric and Alternative Motor Vehicle Credits resulted in an inability to identify to the Internal Revenue Service Commissioner 140,596 taxpayers erroneously claiming $140.2 million. In addition, 26,649 taxpayers had their Homebuyer Credit inaccurately processed, $5.8 million in repayment amounts was not assessed, and $675,063 in repayment amounts was erroneously assessed. Source:

15. November 1, U.S. Commodity Futures Trading Commission – (North Carolina) Federal court orders Charlotte, NC, couple and their companies to pay $24 million for defrauding customers in foreign currency Ponzi scheme. The U.S. Commodity Futures Trading Commission (CFTC) November 1 announced it obtained a federal court supplemental consent order requiring two defendants and their companies, Queen Shoals, LLC, Queen Shoals II, LLC, and Select Fund, LLC, to pay $24 million in restitution and civil monetary penalties for defrauding customers and misappropriating millions of dollars in a foreign currency (forex) Ponzi scheme. In addition, the supplemental consent order requires the following relief defendants to disgorge ill-gotten gains totaling $23.3 million because they received funds as a result of the defendants’ fraudulent conduct to which they had no legitimate entitlement: Secure Wealth Fund, LLC; Heritage Growth Fund, LLC; Dominion Growth Fund, LLC; Two Oaks Fund, LLC; Dynasty Growth Fund, LLC; and Queen Shoals Group, LLC. According to the CFTC’s complaint, starting in at least June 2008 and continuing through the present, the defendants fraudulently solicited at least $22 million from individuals and/or entities for the purported purpose of trading off-exchange forex on their behalf. In their personal and Web site solicitations, defendants falsely claimed success in trading forex, guaranteed customers profits through use of “non-depletion accounts,” represented that there would be no risk to customers’ principal investment, and lured prospective customers with promises of returns of 8 to 24 percent, according to the complaint. The defendants claimed to pool customers’ funds and then to use the profits generated by trading forex, along with gold and silver bullion, to guarantee payments to customers at the end of the 5-year “promissory note” period. In reality, however, defendants deposited little or none of customers’ funds into forex trading accounts. 
The defendants misappropriated customer funds for personal use or to make purported profit payments or return principal to existing customers. Source:

16. November 1, KMGH 7 Denver – (Colorado) Colo. credit card scam traced to theaters, other locations. Loveland, Colorado police said November 1 they have traced the large credit and debit card fraud in northern Colorado to many common locations. While officers are not releasing the entire list yet, they said one location was the Loveland Metrolux 14 in the Promenade Shops at Centerra. Investigators said the theater’s parent company, Metropolitan Theaters, hired an outside forensic analysis team to inspect its data transmission systems. Theater officials said the analysis showed there had been an external breach into the theater’s computer system initiated from outside the organization, police said. The theater company said measures have been put into place to remove the breach and make sure the systems are now secure. Loveland Police investigators said there are 1,180 related fraud cases that have been reported to law enforcement throughout northern Colorado. Purchases have been made online and in person, implying someone is printing new, physical cards with account numbers. Source:

17. November 1, KHON 2 Honolulu – (Hawaii) Nine indicted in identity theft ring bust. Authorities said November 1 they believe they have arrested the nine remaining members of an identity theft ring that has victimized 256 Oahu, Hawaii residents and businesses. The nine suspects were indicted by an Oahu grand jury on more than 150 counts of identity theft-related crimes. Four other ring members have already been convicted and sentenced to 10 years in prison, and the alleged ring leader of the scheme is awaiting trial. Prosecutors believe the suspects stole more than $200,000 over 8 months starting in May 2010. Prosecutors believe the group created fake IDs and counterfeit checks, and cashed them. The bust is the result of a 13-month investigation by police, sheriff’s deputies, prosecutors, and federal agencies. Source:

For another story see item 38 below in the Information Technology Sector

Information Technology Sector

36. November 2, IDG News Service – (International) Secunia offers to coordinate vulnerability disclosure on behalf of researchers. Danish vulnerability management company Secunia aims to make the task of reporting software vulnerabilities easier for security researchers by offering to coordinate disclosure with vendors on their behalf, IDG News Service reported November 2. The Secunia Vulnerability Coordination Reward Programme (SVCRP) is the latest addition to a list of offerings such as TippingPoint’s Zero Day Initiative or Verisign’s iDefense Labs Vulnerability Contributor Program that allow researchers to avoid having to deal with different vendor bug reporting policies. However, according to Secunia’s chief security specialist, the SVCRP is meant to complement these programs. Secunia plans to accept vulnerabilities other programs reject, regardless of their classification and as long as they are in off-the-shelf products. Flaws discovered in online services such as Facebook, for example, do not qualify. The company will not profit directly from the SVCRP and does not plan to provide advance notification about the reported flaws to its customers, as other companies do. Researchers will continue to receive payments they are entitled to from vendors for disclosing vulnerabilities even if they use the SVCRP for coordination, Secunia said. However, vendors will have the final word on whether they will pay out rewards to researchers who offload vulnerability coordination work to companies such as Secunia. Source:

37. November 1, Computerworld – (International) Update: Duqu exploits zero-day flaw in Windows kernel. The Duqu trojan infects systems by exploiting a previously unknown Windows kernel vulnerability that is remotely executable, security vendor Symantec said November 1. Symantec said in a blog post that CrySys, the Hungarian research firm that discovered the Duqu trojan earlier in October, has identified a dropper file that was used to infect systems with the malware. The installer file is a malicious Microsoft Word document designed to exploit a zero-day code execution vulnerability in the Windows kernel. “When the file is opened, malicious code executes and installs the main Duqu binaries” on the compromised system, Symantec said. According to Symantec, the malicious Word document in the recovered installer appears to have been specifically crafted for the targeted organization. The file was designed to ensure that Duqu would only be installed during a specific 8-day window in August, Symantec noted. No known workarounds exist for the zero-day vulnerability that Duqu exploits. The installer that was recovered is one of several that may have been used to spread the trojan. It is possible that other methods of infection are also being used to spread Duqu, Symantec noted. Source:

38. November 1, threatpost – (International) Zeus now using autorun as infection numbers rise. After tapering off, the Zeus trojan has been staging a comeback over the last few months, possibly using a new infection routine that leverages Windows’ autorun feature even after a company update to limit infections that use it, according to research by Microsoft. Microsoft’s Malicious Software Removal Tool removed the common banking trojan horse program from 185,000 computers in September and the company expects more than 100,000 removals in October, according to a new post on Microsoft’s Threat Research and Response blog. The growth spurt reflects Zbot’s growing use of Windows autorun functionality, said the senior antivirus research lead at Microsoft. Source:

39. November 1, The Register – (International) Researchers propose simple fix to thwart e-voting attack. Researchers have devised a simple procedure that can be added to many electronic voting machine routines to reduce the success of insider attacks that attempt to alter results, The Register reported November 1. The approach, laid out in a short research paper, augments the effectiveness of end-to-end verifiable election systems, such as Scantegrity and MarkPledge. They are designed to generate results that can be checked by anyone, by giving each voter a receipt that contains a cryptographic hash of the ballot contents. The researchers propose chaining the hash of each receipt to the contents of the previous receipt. By linking each hash to the ballot cast previously, the receipt serves not only as a verification that its votes have not been altered, but also as confirmation that none of the votes previously cast on the same machine have been tampered with. The procedure is intended to reduce the success of what is known as a trash attack, in which election personnel or other insiders comb through the contents of garbage cans near polling places for discarded receipts. The presence of the discarded receipts is often correlated with votes that can be altered with little chance of detection. The running hash is designed to make it harder for insiders to change more than a handful of votes without the fraud being easy to detect. Source:

40. November 1, IDG News Service – (National) Researchers defeat CAPTCHA on popular Websites. Researchers from Stanford University developed an automated tool capable of deciphering text-based anti-spam tests used by many popular Web sites with a significant degree of accuracy. The researchers presented the results of their 18-month long CAPTCHA study at the recent ACM Conference On Computer and Communication Security in Chicago. CAPTCHA stands for ‘Completely Automated Public Turing test to tell Computers and Humans Apart’ and consists of challenges that only humans are supposed to be capable of solving. Web sites use such tests to block spam bots that automate tasks such as account registration and comment posting. There are various types of CAPTCHAs, some using audio, others using math problems, but the most common implementations rely on users typing back distorted text. The Stanford team devised various methods of cleaning up purposely introduced image background noise and breaking text strings into individual characters for easier recognition, a technique called segmentation. Some of their CAPTCHA-breaking algorithms are inspired by those used by robots to orient themselves in various environments and were built into an automated tool dubbed Decaptcha. This tool was then run against CAPTCHAs used by 15 high-profile Web sites. The results revealed tests used by Visa’s payment gateway could be beaten 66 percent of the time, while attacks on Blizzard’s World of Warcraft portal had a success rate of 70 percent. For eBay, CAPTCHA implementation failed 43 percent of the time, and for Wikipedia, one in four attempts was successful. Lower success rates were found on Digg, CNN, and Baidu — 20, 16, and 5 percent respectively. Source:

41. November 1, CNET – (International) ‘Socialbots’ steal 250GB of user data in Facebook invasion. Programs designed to resemble humans infiltrated Facebook recently and made off with 250 gigabytes of personal information belonging to thousands of the social network’s users, researchers said in an academic paper released November 1. The 8-week study was designed to evaluate how vulnerable online social networks were to large-scale infiltrations by programs designed to mimic real users, researchers from the University of British Columbia Vancouver said in the paper, titled “The Socialbot Network: When bots socialize for fame and money.” The 102 “socialbots” researchers released onto the social network included a name and profile picture of a fictitious Facebook user and were capable of posting messages and sending friend requests. They then used these bots to send friend requests to 5,053 randomly selected Facebook users. Each account was limited to sending 25 requests per day to prevent triggering anti-fraud measures. During that initial 2-week “bootstrapping” phase, 976 requests, or about 19 percent, were accepted. During the next 6 weeks, the bots sent connection requests to 3,517 Facebook friends of users who accepted requests during the first phase. Of those, 2,079 users, or about 59 percent, accepted the second round of requests. The increase was due to what researchers called the “triadic closure principle,” which predicts that if two users had a mutual friend in common, they were three times more likely to become connected. Researchers found social networks were “highly vulnerable” to a large-scale infiltration, with an 80-percent infiltration rate. Source:

For more stories, see item 16 above in the Banking and Finance Sector and item 43 below in the Communications Sector

Communications Sector

42. November 2, KMGH 7 Denver – (Colorado) Guardrail work blamed for NW Colo. cellphone outages. Guardrail work near Dillon, Colorado, was blamed for a severed fiber-optic cable that cut cellphone service to thousands of customers in northwest Colorado October 31. The cable cut knocked out cellphone service for Verizon, AT&T, Cricket, Sprint, and T-Mobile customers. The severed CenturyLink line also disrupted long-distance phone service for land lines and Internet service, according to the Summit Daily. Ideal Fencing of Erie said it checked before starting work and was informed the area was clear of utility lines, the newspaper reported. A CenturyLink spokesman said his firm did a “temporary fix” on the damaged cable October 31 to restore cellphone and other services, the newspaper reported. Source:

43. November 1, Yuma Sun – (Arizona) Fire damages Yuma home; disrupts area Internet, cable and phone services. A Yuma, Arizona house fire damaged a Time Warner fiber optics cable November 1, disrupting Internet, cable television, and phone services for thousands of customers in Somerton, San Luis, the Foothills, and parts of Yuma. “Some of our fiber lines were melted by a nearby fire,” a Time Warner business manager said. “We have our construction members out there and they are determining if there is any additional damage.” The business manager said November 1 that service should be restored before the end of the day. The cause of the fire was under investigation. Source:

44. November 1, KTVL 10 Medford – (Oregon) CenturyLink Jackson Co. outages repaired. CenturyLink informed KTVL 10 Medford the evening of November 1 that their systems were back online and fully functional in Jackson County, Oregon following an equipment failure. Landline phone customers in the Rogue River and Gold Hill areas were without service the afternoon of November 1. A CenturyLink spokesman said crews were trying to determine what caused the outage. The outage affected 911 service in the area. The director of Jackson County’s 911 Center said the county sent dispatchers and sheriff’s deputies to the affected areas. Source:

For another story see item 41 above in the Information Technology Sector
