Monday, January 3, 2011

Complete DHS Daily Report for January 3, 2011

Daily Report

Top Stories

• Alexandria Daily Town Talk reports four men were arrested for firing six bullets into the 1-million gallon Alexandria, Louisiana water tank, causing leaks and $1,000 in damage. (See item 30)

30. December 30, Alexandria Daily Town Talk – (Louisiana) 4 men charged with damaging Alexandria water storage tank. Four Rapides Parish, Louisiana men have been charged with damaging one of the city of Alexandria’s water storage tanks for shooting it with a high-powered rifle. The men turned themselves in and confessed their involvement in damaging the tank, which is near Castor Plunge Road in Woodworth, according to the Rapides Parish Sheriff’s Office. One 21-year-old suspect of Alexandria, Louisiana was charged with criminal damage between $500 and $50,000. Three other suspects of Woodworth, Louisiana, were charged with one count each of criminal mischief. The 1 million-gallon tank was hit by six bullets in early December. Five bullets penetrated the tank, causing leaks and damage estimated at $1,000. Criminal damage, a felony offense, carries the punishment of up to a $10,000 fine and between 1 and 15 years in prison. Criminal mischief, a misdemeanor offense, is punishable with a fine not to exceed $500 and up to 6 months in parish jail. Source:

• According to Reuters, three men suspected of planning a deadly attack on an office block on Copenhagen’s city hall square that houses a Danish newspaper were charged with an attempted act of terrorism and possession of weapons December 30. (See item 54)

54. December 30, Reuters – (International) Danish court charges 3 men with attempted terrorism. Three men suspected of planning a deadly attack on a Danish newspaper were charged with an attempted act of terrorism and possession of weapons December 30. Police detained four men in Denmark and one in Sweden, December 29, on suspicion of plotting an assault by January 1 on the office block on Copenhagen’s city hall square that houses Jyllands-Posten — the Danish daily that published cartoons of the Prophet Mohammad in 2005 — and another newspaper. The three — one Tunisian and two Swedish citizens — pleaded not-guilty to the charges, officials said. The Danish security police chief said the arrests prevented an “imminent terror attack” that aimed “to kill as many as possible” of the people present at the Copenhagen offices of the newspaper. A court in Glostrup ordered the suspects be held in custody for 4 weeks pending more investigations. A fourth man detained in Denmark, a 26-year-old Iraqi asylum-seeker, was released but remains a suspect, though police did not have evidence to hold him further. The fifth detainee, a 37-year-old Swedish citizen, was scheduled to appear before a court in Sweden December 30, and was also expected to be remanded in custody, a Swedish court official said. The men came to Denmark from Sweden the night of December 28. Police found plastic strips that could be used as handcuffs, a machine gun, a pistol, and more than 100 cartridges. Source:


Banking and Finance Sector

8. December 30, Softpedia – (International) Domain name of Russia’s largest online payment processor hijacked. Fraudsters have managed to hijack the domain name of ChronoPay, Russia’s biggest online payment processor, and point it to a fake version of the site in order to steal credit card details. An analyst reports the hijacked domain directed visitors to the phishing page for several hours during the night between December 25 and December 26. Criminals managed to steal credit card data from 800 customers during that period and then posted a message in the company’s name saying the entire database of transactions from 2009 and 2010 was compromised. ChronoPay’s CEO rejected this claim as untrue, and said the company is working with its domain registrar, Directnic, to determine how the hijack occurred. Apparently the attackers not only managed to change the domain’s DNS records, but also transferred it from Directnic to Network Solutions. They also stole and leaked many private keys used to sign SSL certificates that protect ChronoPay transactions; however, according to the CEO, almost all of them are old. Source:

9. December 30, Softpedia – (International) Major cyber fraud syndicate dismantled in Asia. Authorities in the Philippines and China have arrested more than 100 members of a crime syndicate involved in a variety of telecommunications, bank, and credit card scams. A total of 24 men were arrested December 28 during simultaneous raids coordinated by Philippines’ National Bureau of Investigation (NBI) at six locations in Manila. One suspect resisted arrest and attacked an NBI agent with a knife. He was shot in the stomach and was taken to the hospital. The Philippine Star reports that, at first, authorities did not even know the nationalities of the suspects. Interrogators eventually got them to write down their names in Chinese characters, and the Chinese embassy sent a representative to help establish identities. The suspected leader of the gang apparently was not among the men arrested in Manila. But Chinese police detained 100 individuals believed to be part of the same crime syndicate, which stole more than $130 million from people in China, Taiwan, and Hong Kong. Aside from credit card counterfeiting, the gang resorted to intimidation to obtain money. Investigators said they impersonated judges, prosecutors and police officers to trick people into thinking they owed money to the government. Source:

10. December 30, Longmont Times – (Colorado) Four suspected in nine bank robberies. FBI investigators suspect that four people arrested December 28 on suspicion of robbing a Broomfield, Colorado bank are also responsible for up to eight other bank robberies, including one earlier during the evening of December 28 in Lafayette, Colorado. An FBI spokesman said Broomfield police arrested four suspects — two men and two women — after the TCF Bank in Broomfield at 4100 West 144th Ave. was robbed at 6:40 p.m. Federal prosecutors charged the four suspects with armed bank robbery and aiding and abetting. If convicted, they face up to 25 years in prison, $250,000 in fines, 5 years of parole and $4,492 in restitution. Source:

11. December 30, New York Post – (National) Insider probe nets new arrest. The U.S. Attorney for the Southern District of New York arrested a sixth person on charges of leaking secrets as part of his widespread crackdown on insider trading. The attorney first broke open the gang of trading cheats involving hedge funds, bankers, and consultants a year ago, snaring several executives and traders. On December 29, he arrested a Silicon Valley, California businesswoman accused of peddling technology company secrets to the highest bidders among portfolio managers going back to 2006. Federal prosecutors said the 43-year-old suspect managed to secure inside information on publicly traded tech companies, including chipmakers Marvell Technology Group Ltd. and Nvidia Corp. She allegedly sold her tips to numerous hedge fund players, including the founder of an unidentified New York fund. Source:

12. December 30, Bank Info Security – (National) 54 banking breaches in 2010. There have been 54 reported banking-related data breaches so far in 2010, according to the Identity Theft Resource Center (ITRC) — slightly fewer than the total of 62 breaches in 2009. But it is possible that additional 2010 breaches will be reported after the new year. Of the 54 breaches tracked by the ITRC: 9 are related to insider theft; 6 are related to missing paper documents; 8 were linked to card skimming attacks; 5 resulted from stolen or missing hardware; 8 are blamed on cyberattacks or outside network intrusions; 4 are related to the exposure of data on the Web; 6 are linked to an accidental breach; and 3 were of unknown origin. While some breaches were accidental or related to sloppy security, such as the improper disposal of paper files and documents, many involved a malicious or criminal element. Whether linked to an insider, a cyberattack or an ATM skimming device, the incidents prove criminals continue to target financial institutions. Source:

13. December 30, Times News of Burlington – (South Carolina; Mississippi) Man suspected of more bank robberies. A man who police think robbed a bank in Mebane, North Carolina, and another in Myrtle Beach, South Carolina, the week of December 20, may be the same suspect who robbed a bank in Mississippi earlier in December. In all three cases, the man did not do anything to disguise his appearance. The robbery at Sun Trust bank in Horn Lake, Mississippi, happened at about 10:37 a.m. December 13. The bank was inside a Kroger grocery store, according to a Horn Lake Police Department news release. Authorities with the Horn Lake police said the man walked into the bank, indicated to the teller he had a weapon and then left with an undetermined amount of money. The suspect was described as a bald, white man, between 185 and 200 pounds and about 5 feet 10 inches tall. A close-up surveillance photo was taken of the suspect. Source:

14. December 29, Associated Press – (National) Allstate sues Countrywide over investments. Allstate has sued Countrywide Financial over $700 million in toxic mortgage-backed securities the insurer bought beginning in 2005, only to see their value decline rapidly. Allstate maintains that beginning in 2003, Countrywide abandoned its underwriting standards and misrepresented crucial information about the underlying mortgage loans that made up the securities it sold. The suit, filed December 27 in federal court in Manhattan, New York, targets Countrywide, the co-founder and longtime chief executive, and other executives, as well as Bank of America, which bought the mortgage giant in 2008. Charlotte, North Carolina-based Bank of America, the nation’s largest bank, said in an e-mail, “We are still reviewing the complaint, but this unfortunately appears to be a situation where a sophisticated investor is looking for someone to blame for a downturn in the economy and losses on an investment it made.” Source:

15. December 29, KITV 4 Honolulu – (Hawaii) Robbery attempt causes Maui bank scare. A First Hawaiian Bank on the island of Maui in Hawaii closed temporarily December 29 after a man police said tried to rob the branch left a device. The attempted robbery happened at the Kahului branch at about 11:30 a.m. A man wearing a camouflage jacket and pants entered the bank and handed a teller a note, demanding money be placed in a bag, police said. The man did not receive any money. When he exited, the man left a device and mentioned something about blowing the place up, police said. The bank closed and the Maui Police Department responded. Personnel made sure the device was safe. The FBI and the Bureau of Alcohol, Tobacco, Firearms and Explosives are helping in the investigation. Source:

Information Technology

44. December 30, H Security – (International) Critical update for WordPress. A critical update has been made available for WordPress in the form of version 3.0.4. The update fixes a security bug in WordPress’s KSES library which performs HTML sanitization within the publishing platform. The update to the GPL licensed WordPress should be available in the WordPress dashboard or can be downloaded from Source:

45. December 30, The Register – (International) PlayStation 3 code signing cracked. Hardware hackers claim to have uncovered the private key used by Sony to authorize code to run on PlayStation 3 systems. The hackers developed the hack in order to run Linux on PS3 consoles, irrespective of the version of firmware the game console was running. By knowing the private key used by Sony, the hackers are able to sign code so a console can boot directly into Linux. Previous approaches to running the open source OS on a game console were firmware specific and involved messing around with USB sticks. The same code-signing technique might also be used to run pirated or counterfeit games on a console. That is not the intention of the hackers even though it might turn out to be the main practical effect of the hack. The group, fail0verflow, who also run the Wii’s Homebrew Channel, gave more information about the crack and a demo during the annual Chaos Communication Congress hacker conference in Berlin. Sony’s weak implementation of cryptography was exploited by fail0verflow to pull off the hack. Source:

46. December 30, Columbus Dispatch – (International) Nationwide employee sentenced to 2 1/2 years for counterfeit video games. The new monitoring software alerted Nationwide Insurance officials to a spreadsheet that an employee had sent from his personal e-mail account to his Nationwide e-mail account. The spreadsheet listed eBay accounts, credit-card numbers, and false identity information that he used in a lucrative counterfeiting scheme for 5 years. A U.S. District Judge sentenced the 36-year-old to 2-and-a-half years in prison December 29. Agents with the FBI Cybercrime Task Force and the U.S. Postal Inspection Service found he had sold more than 35,000 computer games with a retail value of $700,000. Investigators found he sold the games from 2005 through December 2009 for $10 rather than the $20 retail price for an original new game. He also allowed customers to download games purchased over the Internet, using a server he leased under the name TML Direct. Source:

47. December 29, Computerworld – (International) Skype blames buggy Windows software, swamped servers for outage. Skype December 29 blamed the previous week’s outage on a combination of overloaded instant messaging servers, buggy software, and the failure of its “supernode” infrastructure. In a lengthy blog entry December 29, Skype’s chief information officer provided more details on the outage that kept the instant message, Internet telephone, and video chat service offline for much of December 22 and parts of December 23. Previously, Skype had tapped its supernodes — the systems running Skype that also act as directories — for the outage. He said a bug in an older version of the Windows Skype client was at the root of the failure, although the flaw did not trigger the blackout. The bug in version 5.0.0152 caused Windows clients to crash when they received a delayed response from “a cluster of support servers responsible for offline instant messaging” that had been overloaded, he said. About 50 percent of all Skype users were running the buggy 5.0.0152 version of the Windows client the week of December 20. He did not explain how or why those servers — which triggered the Windows client crashes, and thus, the outage — became unresponsive December 22. When the Windows clients began crashing — at the peak, about 4 out of every 10 copies of version 5.0.0152 failed — they also took down as many as 30 percent of Skype’s supernodes, which were also running the problem-plagued edition. The downfall of those supernodes eventually took all the rest offline as well, as users swamped the remaining supernodes with requests after experiencing a crash. Source:

48. December 29, Softpedia – (International) Pharma spam led the trends this year. According to a report from Trend Micro, junk e-mails with a medical theme were the most common type of spam observed in 2010, even though they did not always lead to rogue pharmacy Web sites. Medicine has always been among the top categories of spam, but even more so in 2010 as malware distributors and phishers also adopted the theme. “This spam type was not limited to selling pharmaceutical products online, the spammers also used these messages to disguise their phishing and malware attacks,” Trend Micro researchers wrote. In addition, there were many other cases where spam e-mails did not have a medical theme themselves; however, the links they contained led users to rogue pharmacy Web sites. Sometimes these rogue e-mails were part of combined attacks, where users were directed to pharma sites and drive-by download pages. Source:

49. December 29, Infosecurity – (International) Phoenix Exploit hacker kit methodology explained. Websense has posted a detailed analysis of the Phoenix Exploit kit, which is used by hackers to seed and infect users’ PCs across the Internet, and then monitor the results for data harvesting. The kit, which was originally discovered by M86 Security in the summer of 2009, has been disassembled by a security researcher with Websense, who reported the kit’s installation routines are hidden. This is, he explains, “probably an attempt by the developers to make it harder for security researchers to understand how to install the kits, especially if there is no ‘readme.txt’ file included.” Looking at the PHP code, he said researchers can see it is Base64 encoded and a ZLIB compressed stream of data. “The PHP script uses an ‘eval’ statement with ‘gzuncompress’ and ‘base64_decode’ functions to decode the stream of data. The kit does not contain a current set of exploits, as users must contact the developer and activate the kit, presumably by paying a fee,” Infosecurity noted. According to the Websense security researcher, the developers of the Phoenix Exploit kit are working on not only protecting their exploit code from being recognized, but also their installations. Source:

50. December 29, Softpedia – (International) Old apps can pose privacy risks for Facebook users and their friends. People who have had a Facebook account since before April 2010 should remove older apps and install new versions, because those apps still have unrestricted access to a wealth of information about them and their friends. Back in April, Facebook announced a new data control system where users would be notified at install of how an application needs to interact with their account and information in order to work properly. This allows people to weigh the privacy versus functionality trade-off of certain apps, and was part of the company’s work with the Canadian privacy commissioner. The new permissions dialog became mandatory starting June 1, 2010, but it did not affect the access granted to already installed apps. While Facebook was clear about this aspect with developers, it failed to include it in its announcement to users. Source:

51. December 29, IDG News – (International) Android mobile malware has botnet-like traits. Hackers are aiming for users of Google’s Android mobile operating system with a malicious application that harvests personal information and sends it to a remote server. The malware, which has been named “Geinimi,” appears to be the first one that has botnet-like capabilities targeted at the Android platform, said the chief technology officer for Lookout Mobile Security, which develops mobile security software. Geinimi appears to target Chinese-speaking users of Android, and Lookout was tipped off to Geinimi after a user wrote a post concerned about it on a forum, he said. Lookout researchers, who posted a writeup on Geinimi, have found it has been wrapped into legitimate free and paid games for Android users, with the games’ developers unaware their applications were being used as a lure. Those tampered applications are appearing on third-party Web sites offering Android applications that have not been vetted for security. Some programs have apparently been downloaded thousands of times. The company is still analyzing Geinimi, and it is not clear what its creators are aiming to do with a victim’s phone. Source:

For another story, see item 8 above in the Banking and Finance Sector

Communications Sector

52. December 30, Web Host Industry Review – (Texas; National) FBI raids Texas Web host in relation to ‘Anonymous’ attacks on PayPal. According to a lengthy report published December 29 on investigative Web site The Smoking Gun, the FBI raided Texas-based Web hosting company Tailor Made Services, seizing a computer believed to be involved in the “Operation: Payback” denial of service attacks targeting PayPal in December. A second investigation may have led to the seizure of a machine hosted by Hurricane Electric, according to the report. PayPal was targeted in the attacks, organized by the association of Internet users known as “Anonymous” — which is based out of the community site 4chan — along with several other sites reported to have suspended services to the whistle-blowing Web site WikiLeaks. According to the affidavit published by The Smoking Gun, the FBI investigation began earlier in December, after PayPal contacted agents, supplying a list of IP addresses it believed were involved in executing the Operation: Payback attacks against the company. Source:

53. December 29, H Security – (International) 27C3: GSM cell phones even easier to tap. At the 27th Chaos Communication Congress (27C3) hacker conference, security researchers demonstrated how open source software on a number of revamped, entry-level cell phones can decrypt and record mobile phone calls in the GSM network. Using a normal laptop and a homemade monitoring device, the team leader of Berlin’s Security Research Labs explained that GSM mobile communications can be decrypted in “around 20 seconds.” He said his team was able to record and play back entire conversations in plain text. Last year, the team showed how they managed to crack the A5/1 encryption algorithm used in GSM in 3 months using 40 distributed computers. Since then, he said his team has considerably improved the rainbow tables needed for the attack; the tables are once again available from the BitTorrent peer-to-peer network. The team leader said he has also made a lot of progress with the other hardware and software needed for the attack. Furthermore, the scenario for the attack has been redesigned and refined. If TMSI allows a cell phone to be precisely addressed, the data can then be collected from voice communication in the cell phone network and subsequently decrypted. Source: