Friday, January 14, 2011

Complete DHS Daily Report for January 14, 2011

Daily Report

Top Stories

• The South Florida Sun Sentinel reports 15 people, including 7 bankers, were charged with bribery, money laundering, and identity theft for participating in a scheme that resulted in $10 million in fraudulent bank loans. (See item 12 below in the Banking and Finance Sector)

• According to the Washington Post, shortly before Christmas, federal officials received a tip that a top terrorist was behind a plot to conceal bombs in thermos liners carried aboard planes. (See item 16)

16. January 13, Washington Post – (National) TSA tip: Suspect planned thermos bomb. Shortly before Christmas, federal officials received a tip that terrorists might be concealing bombs in thermos liners carried aboard planes, the Transportation Security Administration (TSA) head said January 13. Addressing an American Bar Association committee in Washington D.C., he said he got a tip December 23 that a 28-year-old Saudi national, who is on that country’s most-wanted list and was tied to the plot to explode a bomb disguised as a toner cartridge on a cargo plane, was behind the plot to make a thermos bomb. “Anyone who has traveled with a thermos since then has been getting more screening,” the TSA head said. He also said he expected modification to controversial airport scanners and pat-down procedures this year to address privacy concerns. Source:


Banking and Finance Sector

11. January 13, Associated Press – (California) College leader charged with stealing from students. A Southern California college program director has been charged with using a bogus bank account to steal $500,000 from students. Prosecutors said the 56-year-old suspect is being held on $3 million bail after he pleaded not guilty January 10 to two forgery counts and two identity theft counts, all of them felonies. The Inland Valley Daily Bulletin said the suspect is the director of Walnut’s Mt. San Antonio College fire technology program. A Los Angeles County sheriff’s detective said the suspect overcharged students for classes and deposited the money in a fraudulent bank account using Mt. San Antonio College’s tax identification number. Source:

12. January 12, South Florida Sun Sentinel – (Florida) Broward assistant principal, former sheriff’s aide, 7 bankers among those ensnared in federal bank fraud probe. A Broward Schools assistant principal, a former sheriff’s investigative aide and seven Broward and Palm Beach County, Florida, bankers were ensnared in a sweeping undercover FBI investigation into alleged widespread bank fraud. A total of 15 defendants were charged January 12 in a scheme federal authorities said marks a new twist in the defrauding of South Florida banks while featuring bribery, money laundering, and identity theft. Using tactics commonly seen in home mortgage fraud cases, people fraudulently obtained small business loans and lines of credit by bribing corrupt bankers and submitting phony financial documents, a U.S. attorney said. The official who heads the FBI in South Florida said he anticipates dozens more people will be arrested on similar criminal charges in the coming months. The 2-year investigation centered on a man who ran a company called Palm Beach Business Consultants. The FBI said this suspect helped secure more than $10 million in fraudulent loans from 10 area banks. Source:

13. January 11, Washington Post – (Maryland) Robbery at White Oak credit union. Montgomery County, Maryland police are investigating a January 8 robbery at the Mid-Atlantic Federal Credit Union in White Oak, authorities said January 11. Two male suspects entered the Mid-Atlantic Federal Credit Union at 11140 New Hampshire Avenue at 10:42 a.m. wielding handguns and announcing a robbery, police said. Montgomery County Police detectives and the FBI are investigating the robbery. Source:

14. January 11, United Press International – (National) FBI: Bank heists rose in third quarter. U.S. bank robberies increased in the third quarter of 2010, the FBI said January 11. The bureau reported 1,325 bank holdups, an increase from 1,212 in the same quarter of 2009. Money was taken in 90 percent of the incidents, totaling more than $9.3 million. Nearly $1.4 million was recovered and returned to financial institutions. Robbers most often struck on Fridays and between 9 a.m. and 3 p.m. Acts of violence accompanied 4 percent of the holdups, resulting in 4 deaths, 21 injuries and 9 people being taken hostage, the bureau said. The FBI said the South had the greatest number of reported holdups with 482. Source:

15. January 11, U.S. Department of Justice – (New York) Queens attorney pleads guilty in Manhattan federal court to participating in $23 million mortgage fraud scheme. The United States Attorney for the Southern District of New York announced that a real estate attorney pled guilty January 10 before a U.S. District Judge in Manhattan federal court to a seven-count indictment charging him with conspiracy to commit bank and wire fraud, and six counts of bank fraud, in connection with a scheme that defrauded banks out of more than $23 million in home mortgage loans. The suspect made hundreds of thousands of dollars in illicit profits from the scheme, in which he worked closely with corrupt loan officers of GuyAmerican Funding, a mortgage brokerage firm in Queens, New York. The suspect is the ninth defendant convicted of participating in this mortgage fraud scheme. Source:

For another story, see item 42 below in Information Technology

Information Technology

39. January 13, Softpedia – (International) Critical security update released for Google Chrome. Chrome 8.0.552.334 was released as a security update for the stable channel of Google’s increasingly popular browser and contains fixes for a flurry of vulnerabilities. In total, there were 16 security issues patched, 2 of which were rated with medium risk, 13 with high, and 1 with critical. The critical flaw is a stale pointer in speech handling and its discovery is credited to a regular Chrome security contributor. Source:

40. January 13, Softpedia – (International) Adobe will allow deleting Flash cookies from within browsers. Adobe has been working with browser vendors to develop a way of deleting Flash Player local shared objects (LSO), also known as Flash cookies, directly from browsers. Local shared objects are part of the local storage feature that rich Internet applications can use to store various settings or cached items. Security researchers have warned for several years that local storage can be abused for user tracking purposes. Flash LSOs, in particular, can be used to re-spawn tracking cookies. For example, a Web site can store a unique identifier in a plain text cookie and an LSO. If the user deletes the cookie through the browser controls and revisits the Web site, the ID can be read from the LSO and used to recreate the cookie. Source:

41. January 13, H Security – (International) Wireshark updates address vulnerabilities. The Wireshark development team has released versions 1.2.14 and 1.4.3 of its open source, cross-platform network protocol analyzer. According to the developers, the security updates address a high-risk vulnerability (CVE-2010-4538) that could allow a remote attacker to initiate a denial of service attack or possibly execute arbitrary code on a victim’s system. Affecting both the 1.2.x and 1.4.x branches of Wireshark, the issue is reportedly caused by a buffer overflow in the ENTTEC dissector (epan/dissectors/packet-enttec.c); the vulnerability is said to be triggered by injecting a specially crafted ENTTEC DMX packet with Run Length Encoding compression. A buffer overflow issue in MAC-LTE has also been resolved in both versions. In version 1.4.3, a vulnerability in the ASN.1 BER dissector that could have caused Wireshark to exit prematurely has been corrected. Source:

42. January 12, Softpedia – (International) Fake Miles & More emails lead to Zbot drive-by download. Security researchers warn about fake e-mails purporting to come from the Miles & More frequent flyer program and leading users to a Zbot drive-by download website. The rogue e-mails bear a subject of “ITINENERARY RECEIPT” and have the header spoofed to appear as originating from a memberservices[at]miles-and-more(dot)com address. The contained message suggests users’ credit cards were charged without their knowledge. “Thanks for the purchase! Booking number: LVSN50. Your credit card has been charged for $493.67. Please print PASSENGER ITINERARY RECEIPT by logging into your Miles account by clicking the link below,” the e-mails read. According to researchers from BitDefender who analyzed the attack, the link leads to a page on a religious Web site that was most likely compromised. The page contains hidden iframes loading the Neosploit exploit pack from a third-party server. The toolkit performs several checks to determine the version of popular applications installed on the visitor’s computer and serves the appropriate exploit. If successful, the exploit will silently download and execute a generic Trojan downloader which will install a variant of the ZeuS information stealing Trojan. Source:

Communications Sector

Nothing to report

Thursday, January 13, 2011

Complete DHS Daily Report for January 13, 2011

Daily Report

Top Stories

• A recently fired employee of Trunkline Gas was jailed on charges he turned off the natural gas supply to the entire city of Fairfield, Illinois, January 9, according to WFIW 1390 AM Fairfield. (See item 1)

1. January 12, WFIW 1390 AM Fairfield – (Illinois) Fired employee allegedly shuts off Fairfield’s gas. A recently fired employee of Trunkline Gas has been jailed on charges he turned off the natural gas supply to the entire city of Fairfield, Illinois, January 9, WFIW Radio reported. The man faces local charges of burglary and interference with a public utility for allegedly breaking into a Trunkline Gas monitoring station north of Wayne City January 9, and closing a valve that halted the flow of gas to more than 2,700 Fairfield customers. By closing the valve, two high pressure lines that serve the city were shut down, the station said. The man could face more serious charges as federal agents have joined the investigation. Workers were able to restore the flow of gas to Fairfield in less than an hour, and no customers were affected by the early morning incident, the station was told. “The pressure had dropped from 240 psi to about 100 psi. If the line had lost all pressure, it would have taken over a week to re-pressurize the system and get everyone’s pilot lights reignited,” a spokesman said. Investigators said the man was fired from his job at Trunkline in late 2010 after more than 30 years on the job. Trunkline officials feared he would vandalize their facilities and had increased security at their major transmission station near Johnsonville over the past 2 months, the radio station reported. The heightened security included hiring back off-duty Wayne County sheriff’s deputies to provide surveillance at their main transmission headquarters during the overnight hours. Source:

• The Boston Globe reports about 100 major dams across Massachusetts are in poor condition and could cause significant property damage or death if they failed, the state auditor’s office reported January 11. Despite this fact, emergency plans had been filed with state regulators for only 8 of the 37 largest dams. (See item 68)

68. January 12, Boston Globe – (Massachusetts) 100 major dams need repair, state auditor says. One hundred major municipal dams across Massachusetts are in poor condition and could cause significant property damage if they failed, the state auditor’s office reported January 11, renewing calls for stricter oversight. The 2-year investigation concluded the state’s aging and neglected stock of dams poses a “significant threat to public safety” and needs an estimated $60 million in repairs. More than one in five potentially hazardous public dams have substantial structural deficiencies, the report found. The auditor called on the legislature to establish a no-interest loan program to help communities pay for the repairs. “These are difficult times, but some prudent budgeting and financing now could avert a major crisis in the future,” he said in a statement that accompanied the report. He noted delaying repairs would sharply increase their cost. In the report, state inspectors rated six dams as unsafe, the lowest category of safety. Two are in Foxborough; the others are in Athol, Bolton, Danvers, and Dudley. Sixteen of the deficient dams assist in flood control for the surrounding areas. Counting privately owned dams, there are 254 high- or significant-hazard dams in Massachusetts classified as poor or unsafe. A breach at a high-hazard dam would be likely to cause serious property damage and possibly claim lives, according to state regulators. Failures at significant-hazard dams might cause serious damage. The report called on regulators to rank the 100 dams in order of risk to prioritize repairs. Communities with the highest number of deficient dams included Fitchburg, Foxborough, Attleboro, Springfield, and Worcester. Local officials said they were working with state regulators to schedule repairs.
The report found most towns with deficient dams had not made emergency plans in case of a breach, and one in four communities said they had “no idea of what to do in an emergency.” Among the 37 largest dams, only 8 had emergency plans on file with state regulators. Source:


Banking and Finance Sector

19. January 12, Federal Bureau of Investigation – (California) Bank official guilty of taking bribes, disclosing suspicious activity report. A former official with Chase Bank has been found guilty of disclosing the existence of a suspicious activity report (SAR) filed with federal officials, and then soliciting thousands of dollars in bribes to help the borrower deal with a possible criminal investigation related to the illegally disclosed SAR. The 45-year-old suspect, who resides in Victorville, California, was convicted January 11 of three counts of bank bribery, and one count of unlawfully disclosing a SAR. The federal jury deliberated about 30 minutes before issuing its verdict, which included a not guilty finding on a charge of attempted economic extortion. Following a 1-week trial in U.S. District Court, the jury determined the suspect demanded a $25,000 bribe, ultimately accepted $10,000 in bribes from the customer, and disclosed the existence of a SAR. Source:

20. January 12, WBNS 10 Columbus – (Ohio) Suspect in 8 bank robberies arrested. A man believed to be responsible for a string of central Ohio bank robberies has been arrested, the FBI announced January 12. The suspect was taken into custody on Tuesday evening at a home on East 12th Avenue in Columbus, Ohio, authorities said. The FBI said a tip led officers to the location. The suspect was wanted in connection with eight bank holdups, including a robbery that occurred January 11. He was also suspected in other robberies in Columbus, Springfield, and London. The FBI said it believes the man was also responsible for the robbery of a Lewis Center bank January 10, where he dropped the money while fleeing. Source:

21. January 11, Federal Bureau of Investigation – (New Jersey) New Jersey man pleads guilty to bank fraud scheme that lasted years. A 32-year-old male suspect, who resides in Sewell, New Jersey, pled guilty January 11 to a multi-year bank fraud scheme that netted him over $1.8 million between the summer of 2005 and the summer of 2009 from JP Morgan Chase Bank, the U.S. attorney announced. The suspect also admitted to engaging in transactions larger than $10,000 with the proceeds of the fraud, and to one count of tax fraud. While an employee of JPMorgan Chase Services, the suspect manipulated the bank’s internal books and records and caused the bank to wire transfer money to his account, to accounts of his family, and to accounts in which his life partner had right, title, interest, or control. Sentencing is scheduled for April 7, 2011 before a U.S. District Court judge. The suspect faces a statutory maximum possible sentence of 240 years in prison, a fine of $6.25 million, $2,200 in special assessments, and up to 5 years’ supervised release. Source:

22. January 11, Federal Bureau of Investigation – (New York) ‘Holiday Bandit’ identified as Marat G. Mikhaylich, wanted in connection with armed bank robberies in New York. The “Holiday Bandit” has been identified and he is wanted for allegedly robbing three New York banks. The first was robbed with a demand note and the second two at gunpoint. The suspect was identified through investigative techniques by the FBI-NYPD’s Joint Bank Robbery Task Force. The suspect is a white male, 6’3” to 6’5” tall, 35 years old, and 210 pounds. He was last seen wearing a black hat, black ear muffs, dark sunglasses, a black winter jacket, and dark blue jeans. He has been seen with a black handgun. Source:

23. January 11, WOFL 35 Orlando – (Florida) Skimming devices found at Orlando ATMs. The Orlando, Florida Police Department is asking for the public’s help in finding a man who they say put a skimming device on an ATM. Investigators said December 12, a skimming device was discovered at an ATM at the Regions Bank at 5401 S. Kirkman Road. Around the same time a similar skimming device was found at the Dr. Phillips branch of the bank. Police warned skimmers are popping up on ATMs across Orlando. On January 11, the SunTrust on S. Kirkman reported a skimmer on one of their ATMs. SunTrust reported 59 ATM cards were compromised and they believe fraudulent charges were made to 15 of those accounts. “Don’t know if it is the same person,” said a police official who noted police are trying to determine if all four incidents are connected.


24. January 10, San Diego Union-Tribune – (California) $20,000 reward in ‘Drywaller Bandit’ bank robberies. A $20,000 reward is being offered for information leading to the arrest and conviction of a serial bank robber dubbed the “Drywaller Bandit,” whose latest heist was January 8 in Oceanside, California, the FBI said. The robber, who has been known to wear a dust mask, is suspected of robbing seven banks in Encinitas and Oceanside since late September, including two of them twice, an FBI spokesman said. The suspect wore a black mask January 8, when he allegedly robbed a Citibank on Oceanside Boulevard near Avenida del Oro at 9:55 a.m., the FBI spokesman said. Source:

For more stories, see item 56 below in Information Technology

Information Technology

54. January 12, Softpedia – (International) Microsoft issues workaround for actively exploited 0-day IE vulnerability. Microsoft is investigating reports of a zero-day Internet Explorer vulnerability being exploited in the wild and has released a workaround for customers to protect themselves until a permanent patch is ready. The vulnerability, identified as CVE-2010-3971, was originally reported on the Full Disclosure mailing list December 8 as a denial of service condition. However, vulnerability researchers who later analyzed it discovered it can also be exploited to execute arbitrary code. The flaw stems from a use-after-free memory error within the “mshtml.dll” library and affects all versions of Internet Explorer running on all supported Windows variants. A group called Abysssec Security Research developed a working exploit capable of bypassing the DEP and ASLR protection mechanisms and added it to the Metasploit open source penetration testing framework. Microsoft released a workaround January 12 in the form of a “Fix It” tool that companies can deploy throughout their networks. Source:

55. January 12, The Register – (International) Attacks on IE drive-by bug go wild. Microsoft January 11 warned that attackers have begun exploiting a critical vulnerability in Internet Explorer (IE) and rolled out a temporary fix until a permanent patch is issued. The vulnerability in IE versions 6, 7, and 8, which involves the way the browser handles cascading style sheets (CSS), allows adversaries to perform drive-by malware attacks by luring victims to booby-trapped Web pages. The exploits are triggered by recursive CSS pages where style sheets include their own addresses. Microsoft confirmed the security flaw in late December. The company updated its advisory January 11 to reflect “reports of limited attacks attempting to exploit a vulnerability in all supported versions of Internet Explorer.” Microsoft also issued a workaround that large organizations can implement to protect themselves until a patch is released. It comes in the form of a Fix it that causes IE to reject CSS pages that contain the same URL as a style sheet that is trying to load it. Source:

56. January 11, Softpedia – (International) ZeuS builder service spotted on the underground market. Security researchers have spotted a ZeuS binary compilation service on the underground market which helps up-and-coming fraudsters reduce the costs of starting their own operation. Despite rumors of no longer being in active development or being sold by its original author, ZeuS remains the most popular crimeware toolkit. It consists of a builder that generates a customized Trojan known as ZBot (ZeuS Bot) together with the Web application to use on the command and control (C&C) server. Various versions of the ZeuS crimeware toolkit exist on the underground market. Some of the earlier ones can be obtained for free, but they are limited in features and are detected by most antivirus programs. The most up-to-date variant used to cost around $4,000, but since the toolkit also supports modules that add additional functionality, the final price could be up to $10,000. According to security researchers from RSA, somebody thought of this price problem and is now offering a low-cost Fraud-as-a-Service solution. Source:

57. January 11, Computerworld – (International) Microsoft patches critical Windows drive-by bug. Microsoft patched three vulnerabilities in Windows January 11, one of which can be exploited by attackers who dupe users into visiting a malicious Web site. The company also debuted a new defensive measure to help users ward off ongoing attacks exploiting a known bug in Internet Explorer (IE). One of the updates was classified as “critical” by Microsoft, while the other was marked “important.” MS11-002 was the update security researchers and Microsoft recommended users apply first. The update patched two vulnerabilities, one critical, the other important. “Attackers can exploit the critical vulnerability in MS11-002 by getting users to browse to a malicious Web site,” said a manager of Qualys’ vulnerabilities research labs. The tactic, usually called a “drive-by” attack, relies on enticing users to click a link offered in a baited e-mail. The bug is in the Microsoft Data Access Components, a set of components that lets Windows access databases such as Microsoft’s own SQL Server. The flaw is in the MDAC ActiveX control that allows users to access databases from within IE. Only users running IE are at risk from attacks exploiting the critical bug Microsoft disclosed in MS11-002. Microsoft said all client versions of Windows, including XP Service Pack 3, Vista, and Windows 7 were vulnerable. Source:

58. January 11, Softpedia – (International) Free City Cash scam spreads on Facebook. A new survey scam is rapidly propagating on Facebook by promising users free virtual currency for use in Zynga’s latest hit game CityVille. “Woohoo! Thanks CityVille I got my 1,000 City Cash! http[colon]//apps[dot]facebook[dot]com/[censored]” or “CityVille is giving 1,000 City Cash for a limited time only! Grab Yours Now! http[colon]//apps[dot]facebook[dot]com/[censored],” the messages promoting this scam read. City Cash is one of several in-game currencies which can be used to build special buildings, expand the city’s land, and perform other actions. City Cash can be either earned or bought with real money. However, this is nothing more than one of the many rogue application-based survey scams that have plagued Facebook for the past half year. Opening the spammed links takes users to a well-designed page bearing the CityVille logo, but clicking on the button to claim the alleged prize prompts a permissions request dialog from an app called “Giveaway Promo.” The application wants access to users’ profile information and to post on their walls in order to spam their friends. Source:

59. January 11, Softpedia – (International) Fake Coca-Cola survey emails lead to phishing page. Security researchers from e-mail security vendor AppRiver warned of a new phishing campaign which produces e-mails offering a reward for taking part in a Coca-Cola opinion poll. The fake e-mails began hitting people’s in-boxes January 10, and bear a subject of “Happy New Year.” Their header has been spoofed to appear as if they come from a customer[at]cocacola[dot]us e-mail address. The message contained within is a bit confusing, as it portrays the well-known company as a polling organization interested in people’s opinion about current events. Recipients are provided with a link to the poll page and, in order to convince people to complete it, the e-mails offer $150 to every participant. Users are taken through a series of redirects before landing on a page reading “Coca-Cola’s Customer Satisfaction Survey.” This page asks for a wealth of personal information, including full name, address, driver’s license number, mother’s maiden name, home phone number, date of birth, as well as full credit card details. Source:

Communications Sector

60. January 12, KRIV 26 Houston – (National) Windows Phone 7 users report glitch. The blogs on are reporting Microsoft is looking into a possible bug in its Windows Phone 7 mobile software. Some users report the phone is uploading massive amounts of information over the 3G Internet connection (thus using up some of their limited bandwidth). The data transfers range from several megabytes into the gigabytes, and some users said it is happening when they are not touching their phones. It is not known what kind of data might be uploading. Microsoft has offered no official response, and the problem does not appear to be widespread. Source: