Thursday, February 24, 2011

Complete DHS Daily Report for February 24, 2011

Daily Report

Top Stories

• Reuters reports that Ford Motor Co., facing government pressure after 77 injuries, announced plans to recall nearly 150,000 F-150 pickup trucks to fix air bags that could deploy without warning, a fraction of the vehicles the government contends should be called back and repaired. (See item 13)

13. February 23, Reuters – (National) Ford to recall F-150 pickups over air bags. Under government pressure, Ford Motor Co. said February 23 it will recall nearly 150,000 F-150 pickup trucks to fix air bags that could deploy without warning, a fraction of the vehicles the government contends should be called back and repaired. The recall covers trucks from the 2005-2006 model years in the United States and Canada for what Ford calls a “relatively low risk” of the air bag deploying inadvertently. The government, however, has urged the company to recall 1.3 million F-150s from the 2004-2006 model years, citing 77 injuries from air bags deploying accidentally. The recall is being closely watched because Ford’s F-Series pickup truck is the best-selling vehicle in America. The National Highway Traffic Safety Administration (NHTSA) has been investigating the air bag issues for more than a year. In May 2010, Ford told the government that the problems did not “present an unreasonable risk to vehicle safety” because there was a low rate of alleged injuries and the air bag warning lamp provided an “obvious warning” to drivers. Ford told NHTSA in May that some drivers reported injuries that included burns from contact with the air bag, bruises, neck and back pain, and minor cuts. “Two customers reported broken or chipped teeth and two reported fractures of the extremities (elbow or arm),” wrote the director of Ford’s automotive safety office. The NHTSA’s acting director of defect investigations wrote in a memo November 24, 2010 that the agency knew of 238 cases in which the air bags deployed inadvertently and noted that Ford made production changes to the trucks in 2006 and 2007 to fix the air bag wiring and other issues. The memo said that Ford did not believe the issue “warrants any corrective action” because the number of reports and incidents was low, owners received “adequate warning” from the air bag warning light and the “resulting injuries are minor in nature.” The government said Ford should conduct a recall “to remedy this defective condition.” Source:

• According to the Associated Press, the U.S. State Department said officials are processing thousands of dual U.S.-Libyan nationals, private U.S. citizens, and nonessential embassy staffers for a ferry trip out of Libya where hundreds have died in protests. (See item 32)

32. February 23, Associated Press – (International) Evacuation effort for Americans begins. The U.S. State Department said officials are processing U.S. citizens for a ferry trip out of Libya. The government arranged the trip to evacuate Americans from Libya to the Mediterranean island of Malta. The State Department believes there are several thousand dual U.S.-Libyan nationals, and about 600 private U.S. citizens in Libya. Officials have been trying to get 35 nonessential embassy staff members and family members of embassy personnel out of the country. The U.S. President’s administration has not yet outlined any steps to take against the Libyan regime for its violent crackdown on protesters that has seen hundreds of people killed. Source:,0,1397849.story


Banking and Finance Sector

14. February 23, Associated Press – (National) ‘Burly Bandit’ gets 10 years. A bank-robbing bus driver who hit banks in six northeastern states is going to prison for 10 years. A judge in Bangor, Maine, also ordered the 48-year-old to pay $81,059 in restitution to the banks he hit during a 3-month spree last summer. Nicknamed the “Burly Bandit” by the FBI, the convict — a driver for Greyhound — pleaded guilty to 11 counts of robbery for the heists at banks and credit unions, which started April 9, 2010 in Buffalo, New York, continued in Vermont, Massachusetts, New Hampshire and Rhode Island, and ended with a July 13 job at Bangor Savings Bank in Orono, Maine. He was arrested the day after that heist following tips from people who recognized him from surveillance photos. Source:

15. February 23, Associated Press – (Arizona) Former loan officer charged in federal fraud case. A former Phoenix, Arizona, loan officer charged in a $40 million mortgage fraud scheme is facing additional charges. The U.S. Attorney’s Office said the 42-year-old was arrested by the FBI February 18. The suspect was being charged with bankruptcy fraud after prosecutors alleged she changed her name in May 2010. Prosecutors said the suspect tried to hide assets and income from bankruptcy court by filing them under her previous name. The suspect’s other trial, related to her alleged role in a nearly $40 million mortgage fraud scheme, is set to begin in August. Source:

16. February 22, Federal Information & News Dispatch, Inc. – (Massachusetts) Man accused of $4M fake life settlement fraud. A Massachusetts man, also living in Florida, was charged February 17 in federal court with mail and wire fraud in connection with a 6-year scheme involving purported investments in “life settlements,” in which it is alleged he defrauded about 20 victims of approximately $4 million. The 67-year-old suspect, of Winthrop, and Jupiter, Florida, was indicted on 5 counts of wire fraud and 13 counts of mail fraud. The indictment alleged that from 2002-2008, the suspect engaged in a scheme to defraud investors by misrepresenting to people how those funds would be used, invested and repaid. He instead diverted the funds for his own personal and business purposes. Source:

17. February 19, Reuters – (Colorado) Tied-up teller arrested in Colorado bank robbery. A Colorado bank teller who claimed he was robbed at knifepoint and tied up inside a bank vault was arrested February 19 along with his alleged accomplice after police said the crime was an inside job. The 22-year-old male was taken into custody after detectives determined “something was just not right” with his harrowing story, a spokesman with the Longmont, Colorado police department told Reuters. “This bank is inside an open, busy Wal-Mart,” the spokesman said. “A bank robber is not going to take the time to go to all that work.” He said police and FBI agents responded February 18 to reports of an armed robbery at the Academy Bank in Longmont. A bank employee said she discovered the teller bound with duct tape inside the bank vault when she reported for work, according to the police report. The teller told police “an Asian or Hispanic man with a chubby face” wearing an Army jacket and wielding a knife robbed him shortly after the bank opened, the spokesman said. Bank surveillance cameras captured images of a man matching the teller’s description fleeing the bank with an undisclosed amount of cash. Investigators identified the robber as a 22-year-old male, and from there the scheme unraveled, police said. On February 19, police searched the teller’s home and found “money and other evidence related to the crime,” the spokesman said. The robber and teller were arrested and charged with aggravated robbery and conspiracy to commit a theft of over $20,000. The teller also faces a false reporting charge. Source:

For another story, see item 43 below in the Information Technology Sector

Information Technology

39. February 23, Help Net Security – (International) 41% of organizations not aware of security risks. Forty-one percent of organizations are not well aware of or protected against IT security risks, according to McAfee. Another 40 percent are not completely confident they can accurately deploy countermeasure products thus leaving them at risk. The McAfee report found that to address these concerns, nearly half of all companies plan to spend an average of 21 percent more in 2011 on risk and compliance solutions. Overall, the survey indicated strong growth for risk and compliance products in 2011 with the majority of decision-making executives demanding integrated and automated solutions rather than point products. Source:

40. February 23, Softpedia – (International) Phishing on the rise again after holiday decline. German antivirus vendor Avira warned that the number of phishing attacks is again on the rise after a significant decline in December 2010. “While the numbers for Phishing in December were almost all red, showing a dramatic drop for the (dot)org (-151 percent), (dot)com (-76 percent), and (dot)net (-24 percent) domains, we now have seen the exact opposite development in January 2011,” according to Avira. “Phishing was definitely on the rise and even if the malware URLs still show mostly as red numbers, some of them have also increased,” an Avira data security expert said. PayPal remains the most phished brand, having been targeted in almost 37 percent of attacks in January, an increase of 53 percent since December. eBay was also among the favorite phishing targets, with attacks against the Web site almost doubling since December and accounting for 27 percent of the total. Source:

41. February 22, The Register – (International) Facebook users subjected to more clickjacking. Facebook users have been subjected to another round of clickjacking attacks that force them to authorize actions they had no intention of approving. The latest episode in this continuing saga, according to Sophos researchers, is a set of campaigns aimed at Italian-speaking users of the social network. The come-ons promise shocking videos about such things as the real ingredients of Coca Cola. Instead, they are forced into registering their approval of the videos using Facebook’s “Like” button. Clickjacking is a term that was coined in 2008. It describes attacks that allow malicious Web site publishers, or their users, to control the links visitors click on. They are typically pulled off by superimposing an invisible iframe over a button or link. Virtually every browser is vulnerable, although many come with safeguards that can make exploitation harder. Source:

42. February 22, Softpedia – (International) US spam levels begin to recover. U.S. spam levels began recovering in January, which pushed the country back into the list of top 20 spam sources after 2 months of absence. According to data from security vendor Kaspersky Lab, the overall amount of spam slightly increased in January by 0.5 percentage points and averaged 77.6 percent of all e-mail traffic. Meanwhile, e-mail phishing levels remained low. This type of rogue traffic comprised 0.03 percent of all e-mails sent in January, a decrease of 0.1 percent compared to December. The percentage of e-mail messages carrying malicious attachments remained significant at 2.75 percent, representing an increase of 1 percent over the last month of 2010. Source:

43. February 21, The Register – (International) Flash drives dangerously hard to purge of sensitive data. In research that has important findings for banks, businesses, and security experts, scientists have found computer files stored on solid state drives are sometimes impossible to delete using traditional disk-erasure techniques. Even when the next-generation storage devices show files have been deleted, as much as 75 percent of the data contained in them may still reside on the flash-based drives, according to the research, which was presented the week of February 21 at the Usenix FAST 11 conference in California. In some cases, the SSDs, or solid-state drives, incorrectly indicate the files have been “securely erased” even though duplicate files remain in secondary locations. The difficulty of reliably wiping SSDs stems from their radically different internal design. Traditional ATA and SCSI hard drives employ magnetizing materials to write contents to a physical location that’s known as the LBA, or logical block address. SSDs, by contrast, use computer chips to store data digitally and employ an FTL, or flash translation layer, to manage the contents. When data is modified, the FTL frequently writes new files to a different location and updates its map to reflect the change. In the process, left-over data from the old file, which the authors refer to as digital remnants, remain. Source:

For another story, see item 44 below in the Communications Sector

Communications Sector

44. February 23, Help Net Security – (International) Spyware compromises 150,000+ Symbian devices. A new variant of spyware “Spy(dot)Felxispy” on Symbian devices causing privacy leakage has recently been captured by the National Computer Virus Emergency Response Center of China. According to NetQin Mobile, there are more than a dozen variants of the spyware since it first was spotted, and the latest has affected more than 150,000 devices. Symbian is an open source system and software platform designed for smartphones and maintained by Nokia. Once installed, the spyware turns on the conference call feature without users’ awareness. When users are making phone calls, the spyware automatically adds itself to the call to monitor the conversation. NetQin Cloud Security Center detects the spyware can remotely turn on the speaker on the phone to monitor sounds around users without the users’ awareness. It is also capable of synchronizing the messages the user received and delivered to the monitoring phone. Source:

45. February 22, KXTV 10 Sacramento – (California) State Capitol vigil foe claims union web attack. A Conservative radio talk show host who announced plans on his Web site to infiltrate a union solidarity vigil at the California capitol said his site had been shut down by a union cyberattack. “It was a massive denial-of-service attack that crashed the server,” said the host, 55, who had posted plans on his site to disrupt a candlelight vigil on the west steps of the capitol February 22. He said the computer attack began February 21. The site was still down early February 22, although the talk show host said February 22 it would be restored shortly. The vigil was organized by a number of labor groups to express solidarity for union supporters in Wisconsin fighting a Republican-led effort to strip collective bargaining rights. The Web site, cached by Google before it went down, encouraged anti-union activists to wear Service Employees International Union (SEIU) t-shirts concealing anti-union protest signs that would be brought out during the vigil: We will approach the cameras to make good pictures ... signs under our shirts that say things like “screw the taxpayer!” and “you OWE me!” to be pulled out for the camera (timing is important because the signs will be taken away from us). In a brief conversation with News10, the talk show host said he was never serious about the infiltration plan, and simply posted it on his Web site to bait his opponents. Source:

Wednesday, February 23, 2011

Complete DHS Daily Report for February 23, 2011

Daily Report

Top Stories

• WUSA 9 reports the failure of thousands of wireless 911 calls during a snowstorm in the Washington D.C. area could be a problem occurring nationwide, and is a major weakness that could be exploited by terrorists, according to a federal communications official, and an anti-terrorism expert. (See item 49)

49. February 17, WUSA 9 District of Columbia – (District of Columbia) January snow storm exposes flaws ideal for terrorist attack. After a January 26 snowstorm crippled much of the Washington, D.C. metropolitan area, 9-1-1 communications systems were being criticized by many, including officials with the Federal Communications Commission (FCC). Various jurisdictions, including the District of Columbia and Montgomery County, reported that during the height of the storm, thousands of 9-1-1 emergency calls made by cell phones went dead. The callers heard busy signals, and in other cases, nothing at all. Emergency officials said the disruption in communication was caused by Verizon wireless trunk lines that went down as a result of an extremely high call volume and snow damage to actual phone towers and lines. The chief of the FCC public safety and homeland security bureau said that problem may be occurring nationwide. In Washington, a local anti-terrorism expert said failed 9-1-1 calls are a clear weakness that could be exploited by those wanting to cause harm. “The system is going to go down if it gets overloaded. That’s just a fact,” he said. “We should be looking at snowstorms as an opportunity to test and perfect our systems. If we can’t handle a snowstorm, there is a very good likelihood that we can’t handle a terrorist attack, and that’s the problem.” Source:

• According to the Associated Press, gusty winds led to more than 100 wildfires across Virginia, damaging federal and state land and other homes and property, and closing major highways. (See item 63)

63. February 19, Associated Press – (Virginia) Va. officials battling 100-plus wildfires. State and local officials were fighting more than 100 wildfires February 19 across Virginia. The Virginia Department of Forestry said firefighters in at least 50 localities were battling outdoor fires for much of the day. The department also said it is working two significant fires in Rockingham and Warren counties. The National Park Service and U.S. Forest Service are working fires in western Virginia. Fires temporarily closed several roads in Virginia, including Interstate 64 in New Kent County and Interstate 95 ramps in Prince William County. The Virginia Department of Transportation and Virginia State Police have been handling traffic control and detours. Officials said about 100 Louisa County residents were evacuated because their homes were threatened. Source:


Banking and Finance Sector

13. February 22, Help Net Security – (International) New type of financial malware hijacks online banking sessions. A new type of financial malware has the ability to hijack customers’ online banking sessions in real time using their session ID tokens. OddJob, which is the name Trusteer gave to this trojan, keeps sessions open after customers think they have “logged off,” enabling criminals to extract money and commit fraud unnoticed. This is a completely new piece of malware that pushes the hacking envelope through the evolution of existing attack methodologies. It shows how hacker ingenuity can side-step many commercial IT security applications traditionally used to defend users’ digital and online monetary assets. Trusteer has been monitoring OddJob for a few months, but had not been able to report on its activities until now due to ongoing investigations by law enforcement agencies. These have just been completed. Trusteer’s research team reverse engineered and dissected OddJob’s code methodology, right down to the banks it targets and its attack methods. Financial institutions have been warned OddJob is being used by criminals based in Eastern Europe to attack their customers in several countries including the United States, Poland, and Denmark. Source:

15. February 21, Kansas City Star – (Missouri) Hacking creates chaos for Snow Creek and its customers. Snow Creek ski resort in Weston, Missouri and many of its credit card customers appear to be victims of an attack by Internet hackers that first came to light the morning of February 18. By midday the Platte County business had cut its on-site credit card processing system from the Internet and was warning customers to keep close track of their bills. The resort was told by credit card processing companies, banks, and the Secret Service that a large number of dubious credit card transactions appeared to be linked to customers who had done business at Snow Creek. “The Secret Service thinks we got hacked in that nanosecond before the information is encrypted,” said Snow Creek’s general manager February 21. “It’s still not clear what happened.” The fraud, he said, does not appear to have taken place at Snow Creek. The credit card theft does not apply to people who bought lift tickets or other passes online. Fraudulent charges to credit cards belonging to customers and employees of Snow Creek came from around the world, the general manager said. The numbers reported February 18 seemed to grow exponentially in the following days, he said. Source:

16. February 19, Federal Bureau of Investigation – (Maryland; National) Three convicted in Maryland in $78 Million mortgage fraud scheme. A federal jury convicted three individuals February 19 in district court in Greenbelt, Maryland, of fraud conspiracy, wire fraud, and conspiracy to commit money laundering in connection with their participation in a massive mortgage fraud scheme which promised to pay off homeowners’ mortgages on their “Dream Homes,” but left them to fend for themselves. In addition to the above described convictions, one of the individuals, chief financial officer of Metro Dream Homes (MDH), was also convicted of making a false statement in a federal court proceeding. According to evidence presented at the 6-week trial, beginning in 2005, the defendants targeted homeowners and home purchasers to participate in the Dream Homes Program. In exchange for a minimum of $50,000 initial investment and an “administrative fee” of up to $5,000, the conspirators promised to make the homeowners’ future monthly mortgage payments and pay off the homeowners’ mortgage within 5 to 7 years. To give investors the impression that the program was successful, MDH spent hundreds of thousands of dollars making presentations at luxury hotels, and set up offices in several states, including Maryland, the District of Columbia, Virginia, North Carolina, New York, Delaware, Florida, Georgia, and California. Source:

17. February 19, Associated Press – (Alaska) Anchorage woman charged with $7M Ponzi scheme. An Anchorage, Alaska woman is facing federal charges she operated a Ponzi scheme that defrauded investors of $7 million, the U.S. attorney’s office said February 18. The 64-year-old woman was named in a 26-count indictment. A grand jury in Anchorage indicted her for securities fraud, wire fraud, mail fraud, money laundering, bankruptcy fraud and bank fraud. She was arrested February 18, said a special agent and spokesman for the IRS Criminal Investigation’s Seattle field office. Prosecutors said the suspect carried out the scheme from 1996 to 2009, guaranteeing investors a high-rate of return and making false claims regarding how she was going to invest the victims’ money. They said she told victims she would invest their money in a global investment fund, European subprime loans, and an investment banking company. Prosecutors said she used the victims’ money for her personal expenses and to pay out early investors. The indictment alleges she fraudulently obtained money, ranging from $25,000 to around $3.7 million, from 14 victims. Source:

18. February 18, – (International) Rising global payments and emerging tech pose new fraud concerns. Global payment schemes are converging, but the convergence has been more by necessity than design. Payments instruments vary widely in various global markets, and those differences pose challenges for payments providers, and growing fraud opportunities for criminals. At the top of the list of growing fraud is money laundering; it’s the fraud that most often gets through cross-border security gaps, said an official who heads up banking and corporate strategy in the Americas for SWIFT, The Society for Worldwide Interbank Financial Telecommunication. The official said security is a top concern for any payments processor. But unique risks must be addressed in unique markets, and that’s making standardization and sweeping regulatory guidance aimed at fraud prevention next to impossible. “Globalization will continue to bring new issues to bear, and compliance is something all institutions try to balance,” the official said. “We always want to think about security and maintaining integrity across the payments chain; sometimes it’s a difficult balance bringing innovation to market and security.” The year ahead, she said, will mark a tipping point for innovation, as well as cultural challenges. While the use of payment cards continues to grow or remains steady in the United States, usage in other parts of the world, even Europe, is not quite so accelerated. So, developing innovative solutions that enhance security to meet the demands of all markets is not easy. From a money-laundering perspective and overall fraud perspective, cultural differences create opportunity for fraudsters. Fake payments cards, created with account details from European accountholders, can easily be used in the United States, where cards are widely accepted and card technology is not so secure. Source:

19. February 17, KSTP 5 St. Paul – (Minnesota) FBI Says Robbery Suspect Hits 4th Metro Bank. With a mask and a small knife in hand, a man robbed a bank in Orono, Minnesota February 17, and FBI Agents said they believe it may be the same person who robbed three or four other banks in the metro area the past few weeks. FBI Agents said the First National Bank of the Lakes branch at 2445 Shadywood Road was robbed around 7:15 a.m. A bank employee arrived for work, and officials said the robber approached her from behind, told her he had a gun and to go into the bank. The employee told authorities she gave an undisclosed amount of money out of the night deposit safe to the man. She said the suspect left the bank through the front door. She was not hurt. The suspect is described as a white male, about 5 feet 9 inches tall, with a medium build. He was wearing dark clothing, along with a dark mask and gloves, white sneakers and carried a small blue, zippered bank bag. Source:

Information Technology

51. February 22, Help Net Security – (International) Phishing scam and malware distribution scheme combined. The Facebook phishing campaign spotted February 21 turned out not to be so unimaginative after all. F-Secure researchers decided to see it through and entered log-in credentials to a dummy account of theirs to see if it would be compromised. And immediately after having entered them and having pressed the “Login” button, a notice offering free laptops and iPads pops up. A click on any of the “Claim Now” buttons takes the victim to a page offering a free Smiley toolbar, but no free iPad. “No Spyware,” it says. “We take pride in our products!” But if the user falls for the claim and downloads the offered (dot)exe file, spyware is what they will get. It is a phishing scam combined with malware distribution. If the user does not have an AV solution installed on their computer, they might not notice the spyware is hard at work in the background. Source:

52. February 18, Darkreading – (International) New fast-flux botnet unmasked. A researcher at the RSA Conference 2011 said February 17 he discovered a new botnet that uses the rare fast-flux method to stay alive and evade takedown. He showed a sample of the botnet’s malware he had reverse-engineered, with evidence the botnet uses fast-flux. Fast-flux is basically load-balancing with a twist. It is a round-robin method where infected bot machines serve as proxies or hosts for malicious sites and are constantly rotated, changing their DNS records to prevent discovery by researchers. The now-defunct Storm and Warezov/Stration botnets were the first major ones to use fast-flux, but despite worries by researchers this method would catch on, it has remained rare. Avalanche/RockPhish and Warezov also used fast-flux to keep a low profile. “When fast-flux first came out, it was thought everybody was going to use it. That never materialized,” the researcher said. That is because an extra level of expertise and effort is required to design the botnet this way, he said. Source:

Communications Sector

53. February 19, PC Magazine – (International) Libya cuts internet access for several hours. Internet access in Libya was severed for several hours the weekend of February 19 and 20, as protestors took to the streets to demand an end to the 40-year reign of their ruler. On February 19, Internet monitoring firm Renesys said in a blog post “Libya is off the Internet.” By February 20, Renesys said Internet access in Libya had been restored. “At the moment, spot checks of Libyan domains and traceroutes into affected networks indicate that connectivity has been restored, and Libya is back on the Internet,” the company wrote. Source:,2817,2380677,00.asp