Thursday, February 3, 2011

Complete DHS Daily Report for February 3, 2011

Daily Report

Top Stories

· Agence France-Presse reports a 36-year-old Iranian man has been charged with exporting specialized metals to his homeland for potential use in nuclear and ballistic missile programs, in violation of a U.S. embargo. The man remains at large and is believed to be in Iran, the Justice Department said. (See Item 11)

11. February 1, Agence France-Presse – (International) U.S. charges Iranian with illegal metals exports. U.S. authorities said February 1 an Iranian man has been charged with exporting specialized metals to his homeland for potential use in nuclear and ballistic missile programs, in violation of a U.S. embargo. The man, 36, was indicted on 11 charges for “illegally exporting and attempting to export specialized metals from the United States through companies in Turkey to several entities in Iran, including some entities that have been sanctioned for involvement in ballistic missile activities,” the Justice Department said. The man remains at large and is believed to be in Iran, the Justice Department said. U.S. authorities detailed data that showed the man and associates operated “a procurement network that provides direct support to Iran’s missile program by securing metal products, including steel and aluminum alloys, for subordinates of Iran’s Aerospace Industries Organization (AIO).” From 2004 to 2007 he allegedly conspired to export the goods to Iran in violation of a U.S. embargo, including to Sanam Industrial Group, a firm “sanctioned by the United States and United Nations for involvement in nuclear and ballistic missile activities,” the Justice Department said. Source:

· Techworld reports that the rising tide of distributed denial of service attacks (DDoS) is being made worse by a tendency to mis-deploy firewalls and intrusion prevention systems in front of servers, a report by Arbor Networks has found. A survey of 111 global service providers revealed a major jump in DDoS attack size in the company’s 2010 Infrastructure Security Report. See Item 55 below in the Information Technology Sector.


Banking and Finance Sector

12. February 2, York Dispatch – (Pennsylvania) Police: Pair involved in multiple bank robberies in York County. Two Baltimore, Maryland, residents who allegedly robbed a bank — then led police on a high-speed chase while tossing cash and a gun from the getaway car — are facing more bank robbery charges. The suspects were captured January 5 after allegedly robbing a Sovereign Bank in York Township, Pennsylvania. Once in custody after the chase, both told police they had been involved in other bank robberies, police said. In all, the male suspect is charged in five York County bank robberies, while the female suspect is charged in four, according to court records. Source:

13. February 1, Softpedia – (International) Internationalized PayPal phishing attacks spotted in the wild. Security researchers from Avira have spotted a PayPal phishing e-mail currently hitting people’s inboxes that exists in both an English and a French version. A data security expert at Avira points out that the two e-mails are almost identical, except for the language, even down to the Reference Number mentioned in the text. The only other difference is that the English version advertises a link to the phishing page, while the French variant has a button. The lure is a common one and tries to scare users into believing their accounts have been limited due to unusual credit card activity. To increase the credibility of the e-mail, the phishers included legitimate anti-phishing advice for users. Another noteworthy aspect of this attack is that the message is very well formulated compared to the majority of phishing scams. Source:

14. February 1, Associated Press – (National) Apple Stores hit by crime spree using identity theft, thousands of stolen credit cards. Dozens of people have been charged with forming a prolific identity theft ring that used thousands of stolen credit card numbers to shop at Apple stores around the country, according to a court document and a law enforcement official. The group obtained stolen account numbers, forged credit cards and used them to buy laptops, iPhones, and other merchandise at Apple stores in locales ranging from New York to Los Angeles to Wauwatosa, Wisconsin – with a ringleader steering the scheme even while behind bars, according to an indictment charging 18 people with grand larceny. A law enforcement official said the allegations ultimately involved 27 people and roughly $1 million in merchandise. The Manhattan district attorney’s office declined to comment February 1. The New York district attorney and the U.S. Secret Service were expected to unveil a major cybercrime case February 3; the Secret Service did not immediately return a telephone call about the matter February 1. It was not immediately clear how the group is accused of getting the credit card numbers. But leaders created phony cards, provided them to associates, and contrived to send the associates “to locations in (Manhattan) and elsewhere to purchase goods, such as laptop computers, iPods, iPhones, other electronic devices, gift cards, and clothing products” starting in May 2009, the indictment said. Source:

15. February 1, NBC Miami – (Florida) Shopping center evacuated over stinky box. A package at a Southwest Miami-Dade bank triggered a response by the bomb disposal team. An entire shopping center was evacuated February 1 after a suspicious package, which turned out to be a box full of chicken and goat parts, was discovered near a Bank of America. The box was swarming with flies, officials said. The incident happened around 10 a.m. near the Shoppes at Quail Roost shopping center, CBS4 reported. A bomb-detection robot tried to detonate the potentially explosive device, but nothing happened. When bomb squad members got closer to the box, they realized how strong the odor was. It is unclear who left the package at the bank. Source:

For another story, see item 60 below in the Communications Sector

Information Technology

50. February 2, Help Net Security – (International) VLC 1.1.7 fixes security issue. VideoLAN unveiled VLC 1.1.7, a security update to 1.1.6. When parsing an invalid MKV (Matroska or WebM) file, input validation is insufficient. A malicious third party who successfully exploits this will be able to trigger execution of arbitrary code. Exploitation of this issue requires the user to explicitly open a specially crafted file. As a workaround the user should refrain from opening files from untrusted third parties or accessing untrusted remote sites (or disable the VLC browser plugins) until the patch is applied. Alternatively, the MKV demuxer plugin (libmkv_plugin.*) can be removed manually from the VLC plugin installation directory. Source:

51. February 2, The Register – (International) Facebook plugs gnarly authentication flaw. Security researchers have discovered a flaw that creates a means for a malicious website to grab hold of a Facebook user’s private data without their consent, as well as to post messages impersonating the user on the social networking Web site. The authentication-related bug was discovered by two researchers who reported the flaw to Facebook the week of January 23. The social networking site responded to the report by patching the hole the weekend of January 30. The vulnerability only worked if a user had visited a malicious Web site while logged into Facebook and only in social network profiles that allow applications to run, a feature that the vast majority of Facebook users enable. “If the user has ever allowed a Web site – YouTube, Farmville, or ESPN, etc. – to connect to Facebook, she will lose her private data to the malicious website, or even enable the Web site to post phishing messages on Facebook on her behalf,” one of the researchers explained. Source:

52. February 2, Softpedia – (International) Waledac uses almost 500,000 stolen email credentials to spam. Security researchers from LastLine have analyzed the new Waledac botnet, which appeared at the beginning of 2011, and found a cache of 489,528 stolen POP3 e-mail credentials. In addition, 123,920 FTP login credentials stolen from victims were also found. These are used to upload so-called doorway pages on legitimate websites, which then redirect visitors to malware distribution servers or rogue online pharmacies. A total of 9,447 such pages were discovered in January on 222 websites. The file names contain randomly generated numbers and letters. The command and control server has so far registered 12,249 unique node IDs and 13,070 router IDs. These form Waledac’s peer-to-peer fallback update mechanism. Source:
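The doorway pages described above are planted with stolen FTP credentials, carry random-looking letter-and-digit file names, and bounce visitors to another host. The following scanner is an added example, not code from the original report or from LastLine, that sweeps a web root for files matching those two signals (random-looking name, client-side redirect off-site) and reports recent modification as supporting evidence. The site host name, the name regex thresholds, and the sample files it builds in a temporary directory are all constructed assumptions for the demonstration.

```python
import re
import tempfile
import time
from pathlib import Path

# Heuristic for the random file names the report describes: letters and digits
# only, at least 8 characters, with at least three digits and three letters,
# e.g. "k7x2p9qz4m.html". Tune the thresholds to your own naming conventions.
RANDOM_NAME = re.compile(
    r"^(?=(?:.*\d){3})(?=(?:.*[a-z]){3})[a-z0-9]{8,}\.(?:html?|php)$", re.I)

# Client-side redirects commonly used by doorway pages.
REDIRECTS = [
    re.compile(r"<meta[^>]+http-equiv=[\"']?refresh[\"']?[^>]*?url=([^\"'>\s]+)",
               re.I | re.S),
    re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)",
               re.I),
]


def external_redirect_target(html, site_host):
    """Return the redirect target if the page bounces to a host other than
    site_host; relative targets and same-host targets return None."""
    for pattern in REDIRECTS:
        match = pattern.search(html)
        if match:
            target = match.group(1)
            host = re.sub(r"^https?://", "", target, flags=re.I).split("/")[0].lower()
            if host and host != site_host.lower():
                return target
    return None


def scan_webroot(root, site_host, max_age_days=30):
    """Walk the web root and return findings for files that have a random-looking
    name or redirect off-site. Each finding lists every reason that applied."""
    findings = []
    cutoff = time.time() - max_age_days * 86400
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        reasons = []
        if RANDOM_NAME.match(path.name):
            reasons.append("random-looking file name")
        try:
            html = path.read_text(errors="replace")
        except OSError:
            continue
        target = external_redirect_target(html, site_host)
        if target:
            reasons.append("redirects off-site to " + target)
        if not reasons:
            continue  # recency alone is normal for a busy site
        if path.stat().st_mtime >= cutoff:
            reasons.append("modified in the last %d days" % max_age_days)
        findings.append({"name": path.name, "path": str(path), "reasons": reasons})
    return findings


def build_sample_site(root):
    """Write constructed sample files: two legitimate pages and three doorway
    pages showing each combination of the signals."""
    root = Path(root)
    (root / "index.html").write_text("<html><body>Welcome to the shop</body></html>")
    (root / "news.php").write_text('<script>location.href = "/news/archive";</script>')
    (root / "k7x2p9qz4m.html").write_text(
        '<meta http-equiv="refresh" content="0;url=http://pharma-deals.example/">')
    (root / "contact.html").write_text(
        '<script>window.location = "http://evil-dl.example/x";</script>')
    (root / "z4y8x2w6v.html").write_text("<html><body>buy now</body></html>")


def demo():
    """Build the constructed site in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return scan_webroot(tmp, "www.example-shop.test")


if __name__ == "__main__":
    for finding in demo():
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

Run it against a real web root by calling `scan_webroot("/var/www/html", "www.example-shop.test")`; a page with only the "random-looking file name" reason deserves a manual look, while an off-site redirect from a page nobody on the team created is the stronger signal and points at compromised FTP credentials that should be rotated.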

53. February 2, Help Net Security – (International) Expanding phishing vector: Classified ads. The online classified advertisement services sector has been increasingly exploited as a phishing attack vector by e-crime gangs, a trend confirmed by the growth of attacks abusing classified companies in the first half of 2010, accounting for 6.6 percent of phishing attacks in Q2 2010 alone, according to the APWG. Though the online payment services sector remained the most targeted industry with 38 percent of detected attacks in Q2, up from 37 percent in Q1, the classified advertisement services sector exhibited the most rapid growth in phishing attacks of all sectors in the first half of the year. Meanwhile, the number of detected samples of rogueware – malicious crimeware disguised as anti-virus or anti-spyware software – rose some 13 percent from quarter to quarter, up from 183,781 in Q1 to 207,322 in Q2 2010. Source:

54. February 1, Softpedia – (International) Phishers spoof Facebook security to hijack accounts. Phishers have begun spoofing Facebook Security within rogue private messages in order to trick users into exposing their login credentials. The Facebook Security page is used by the social networking site to issue important security-related announcements and advice to users. According to researchers from antivirus vendor Trend Micro, recent phishing attacks do just that via fake private messages sent in the name of the Facebook Security team. These messages inform people their accounts were accessed from another location and ask them to review their activity immediately. In addition to Facebook Security’s popularity and credibility, the phishers are piggybacking on a legitimate feature introduced by the social networking site in 2010 to protect accounts. The site allows users to register the devices they commonly log in from and opt to be alerted when someone attempts to authenticate from a device that is not on the list. The rogue private messages generated by the phishing attack advertise a URL that takes users to a fake login page asking them for both their Facebook and e-mail login credentials. Security researchers note that the fake profiles used to send the phishing messages use the Facebook Security name written with diacritics. Source:
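The detail that the fake profiles spell "Facebook Security" with diacritics is something a message filter can check for directly: decompose the display name with Unicode NFKD, drop the combining marks, and compare the result against protected brand names. The code below is an added example, not Trend Micro's or Facebook's, that does that and also flags a message in a protected name whose link points off-site. The protected-name list, the trusted hosts, the `verified` flag on a message and the sample messages are constructed assumptions for the demonstration.

```python
import re
import unicodedata

# Display names that phishers imitate; constructed for this example.
PROTECTED_NAMES = ["Facebook Security"]

# Hosts a genuine notice in the protected name would link to (assumption).
TRUSTED_HOSTS = {"facebook.com", "www.facebook.com"}

URL_RE = re.compile(r"https?://([^/\s\"'<>]+)", re.I)


def strip_diacritics(text):
    """NFKD-decompose and drop combining marks: 'Sécurïty' -> 'Security'."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def canonical(text):
    """Diacritic-free, case-folded, whitespace-collapsed form for comparison."""
    return " ".join(strip_diacritics(text).casefold().split())


def classify_sender(display_name, protected=PROTECTED_NAMES):
    """'exact' when the name equals a protected name apart from case,
    'diacritic-variant' when it only matches once accents are removed,
    otherwise 'unrelated'."""
    for name in protected:
        if canonical(display_name) == canonical(name):
            if strip_diacritics(display_name) == display_name:
                return "exact"
            return "diacritic-variant"
    return "unrelated"


def off_site_links(body, trusted=TRUSTED_HOSTS):
    """Hosts linked from the body that are neither trusted nor a subdomain of it."""
    hosts = [h.lower() for h in URL_RE.findall(body)]
    return [h for h in hosts if h not in trusted and not h.endswith(".facebook.com")]


def triage(message):
    """Return the reasons a private message should be treated as phishing.
    message is a dict with 'sender', 'body' and an optional 'verified' flag
    (assumed to come from the platform's own account-verification data)."""
    reasons = []
    kind = classify_sender(message["sender"])
    if kind == "diacritic-variant":
        reasons.append("sender name imitates a protected name using diacritics")
    elif kind == "exact" and not message.get("verified", False):
        reasons.append("sender uses a protected name but is not the verified account")
    links = off_site_links(message["body"])
    if links and kind != "unrelated":
        reasons.append("message in a trusted name links off-site: " + ", ".join(links))
    return reasons


# Constructed sample messages modelled on the report's description.
SAMPLES = [
    {"sender": "Facebook Security", "verified": True,
     "body": "Reminder: review your login approvals at https://www.facebook.com/settings"},
    {"sender": "Fácebook Sécurity", "verified": False,
     "body": "Your account was accessed from another location. "
             "Review your activity now: http://fb-security-check.example/login"},
    {"sender": "Alice Example", "verified": False,
     "body": "Lunch tomorrow? Directions: http://maps.example/cafe"},
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["sender"], "->", triage(msg) or ["ok"])
```

The diacritic check is deliberately narrow: it catches accented look-alikes of a protected name but not homoglyphs from other scripts, which need a separate confusables table. The off-site-link rule only fires when the sender already claims a protected name, so ordinary users sharing links are left alone.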

55. February 1, Techworld – (International) DDoS attacks made worse by firewalls, report finds. The rising tide of distributed denial of service attacks (DDoS) is being made much worse by a tendency to mis-deploy firewalls and intrusion prevention systems in front of servers, a report by Arbor Networks has found. The company surveyed 111 global service providers across fixed and mobile sectors for its 2010 Infrastructure Security Report and uncovered a huge jump in DDoS attack size during the year. Maximum attack sizes reached 100Gbit/s for the first time, double that for 2009 and 10 times the peak size seen as recently as 2005, increasingly in the form of application attacks rather than simple packet flooding. Attack frequency also appears to be increasing, with 25 percent of respondents seeing 10 or more DDoS attacks per month, and 69 percent experiencing at least one. But according to Arbor, service providers and corporations could significantly reduce their DDoS vulnerability by designing their security infrastructure to better locate policy-based security devices such as firewalls. During 2010, nearly half of all respondents had experienced a failure of their firewall or IPS due to DDoS, something that could have been avoided in many cases using better router security configuration. Source:

56. February 1, The Register – (International) Newest PS3 firmware hacked in less than 24 hours. Hackers say they unlocked the latest firmware for the PlayStation 3 game console, less than 24 hours after Sony released it. Sony announced the release of Version 3.56 February 2. That same day, game console hacker KaKaRoToKS tweeted that he had released the tools to unpack the files, allowing him to uncover the new version’s signing keys. So far, the hacker has released only the signing keys for 3.56, which have since been removed from following copyright take-down demands. Determined gamers can still find the data in underground sites, including on It is now a matter of someone using the key to create a customized version of the firmware and releasing it. According to unconfirmed reports, Version 3.56 contains hidden functionality that allows Sony to scan PS3 consoles for custom firmware and other unauthorized software and report the results back to the company. Sony reportedly can modify the scanner anytime it wants to, without having to update the firmware. Version 3.56 also introduces a significantly re-engineered private encryption key that makes it next to impossible to roll back the update. Source:

Communications Sector

57. February 2, Homeland Security Today – (National) Companies rally against DHS endorsement of granting spectrum to first responders. A coalition of companies protested February 1 the Presidential Administration’s move to grant directly a segment of radio spectrum to first responders, criticizing the move to deny them the opportunity to bid on those wavelengths. Under a plan floated by the Federal Communications Commission (FCC), the federal government would auction off the 700 MHz spectrum to commercial companies, using the profits to build out first responder capabilities nationally. The commercial companies could use the spectrum for commercial purposes, selling the airwaves to the private sector, but must grant first responders priority access under the proposal. Source:

58. February 2, Ars Technica – (International) US Customs begins pre-Super Bowl online mole-whack. With the Super Bowl less than a week away, U.S. Customs has shut down a new set of Internet domain names for sites that linked to live sports broadcasts on the Web. As usual, the underlying servers were not affected and many sites are already running at new, non-U.S.-controlled addresses. Readers began notifying people this afternoon that sites like were down, replaced with a U.S. government warning page instead. U.S. Customs has been running Operation In Our Sites for months now, making crackdowns in waves against sites accused of copyright infringement and counterfeiting. Sites like the popular Spanish Rojadirecta were hit. The sites make it possible to view just about every sporting event live online, even exclusive pay-per-view events, and the US Congress has taken notice. Source:

59. February 1, Palo Alto Online – (California) Powerline catches fire in Palo Alto, people evacuate. A fire on a transmission pole temporarily shut down Cambridge Avenue in Palo Alto, California, February 1, and severed phone and Internet service to some Comcast and AT&T customers into the afternoon. The blaze began at about 9:50 a.m. in communications equipment and wiring attached to a pole, the Palo Alto Fire Department battalion chief said. Firefighters evacuated employees from 376 to 410 Cambridge as chunks of insulation and other debris dropped to the ground. The fire emitted an acrid, sulfur smell. The buildings and adjacent electrical transformers were not in danger. Inspectors do not yet know what caused the fire, he said. Utilities workers checked the lines after firefighters extinguished the flames. The fire did not affect electricity to any city customers, the communications manager for the city’s utilities administration said. The problem appeared to be in AT&T’s lines. Source:

60. February 1, Softpedia – (International) BT customers targeted by phishers. Security researchers from GFI Software warn that BT customers are currently being targeted by phishers in attacks spoofing the company’s website and trying to steal their financial details. The researchers only analyzed the phishing page, which mimics the BT customer login site and takes users to a fake form to update their billing information. The form asks for a wealth of financial information, including full credit card details, billing address, and bank account number. After submitting the information, users are told the data will be verified by BT’s Billing Department within 24 hours, a way of buying time before the victim realizes what happened. Even though the GFI researchers have not detailed the method by which the fake page is advertised to users, they said it is probably being done via e-mail. Source:

61. January 31, Washington Times – (National) Pirated content almost 25% of Internet traffic. The illegal downloading and sharing on the Internet of copyrighted material such as pirated movies, music, and games accounts for almost one-quarter of all global traffic on the World Wide Web, according to a study conducted by British anti-piracy consultants Envisional. The Information Technology and Innovation Foundation released the study January 31. The authors analyzed data from several previous studies of Internet traffic and looked in detail at the material being shared in several samples of thousands of transactions on different peer-to-peer (P2P) networks and other content-sharing services. The copyrighted content being shared illegally included films, television episodes, music, and computer games and software, the report said. Other content-sharing services illegally making copyrighted material available accounted for another 12 percent, the report stated, meaning a total of 23 percent of global Internet traffic was copyrighted material being shared illegally. Source: