Friday, March 4, 2011

Complete DHS Daily Report for March 4, 2011

Daily Report

Top Stories

• WABC 7 New York reports an airport security official has provided evidence the perimeter fence at John F. Kennedy International Airport in Queens, New York, is in complete disrepair. (See item 17)

17. March 2, WABC 7 New York City – (New York) Perimeter fence security concern at JFK Airport. A source from the Port Authority of New York and New Jersey concerned about security gave WABC 7 New York photographs showing the perimeter fence at John F. Kennedy International Airport (JFK) in Queens, New York in complete disrepair. An aerial view from NewsCopter 7 showed at least a quarter mile of the perimeter fence is down, leaving a gaping hole in security along a main JFK runway. A memo from a Port Authority police officer warned “higher-ups” that “There is nothing to prevent a vessel or person” from entering the runway, and added that it is a “severe security risk.” “This cannot stop anyone,” said the former director of security for Israel’s El Al Airline. The broken fence is the latest setback in a $100 million project to ring the perimeters of all four Port Authority airports with surveillance cameras and motion sensors. But several sources familiar with the project said there has been little progress, and Eyewitness News confirmed the anti-terrorism monitoring system is still in the testing phase, with monitoring equipment still in boxes and a command center still not installed. Meanwhile, regular police perimeter patrols were eliminated in anticipation of the new electronic fencing system, which is now 3 years behind schedule. Source:

• According to CNN, a German official said the man who shot and killed two American troops March 2 at an airport in Germany was a radicalized Muslim whose aim was to kill American troops. (See item 36)

36. March 3, CNN – (International) Killer of U.S. airmen is radical Muslim, German official says. The 21-year-old man who shot and killed two American troops March 2 in Germany was a recently radicalized Muslim whose aim was to kill American troops, a German official said March 3. The suspect seems to have been acting on his own but had spent time on local radical Islamist Web sites, said the interior minister of the German state of Hesse, where the shooting took place. The man from Kosovo is in custody after two U.S. airmen were killed and two others were wounded in the shooting on a U.S. military bus at Frankfurt Airport, authorities said. The suspect is from the northern town of Mitrovica, Kosovo’s interior minister told CNN, citing the U.S. Embassy in Pristina as his source. He went up to the service members to make sure they were American troops, then opened fire, the Hesse interior minister said March 3. At some point, the 9 mm handgun jammed and the suspect fled, the official added. The gun was illegally purchased. The gunman was a postal worker at the Frankfurt airport, but he worked outside the secure area. Source:

Banking and Finance Sector

11. March 3, Softpedia – (International) Banking trojan hijacks SSL connections. Security researchers from Symantec warn of a new banking trojan capable of hijacking the SSL connections between browsers and online banking sites in a way that is hard to spot. Variants of the trojan, detected as Trojan(dot)Tatanarg, have been in circulation since last October, but its code is believed to be based on an older threat called W32(dot)Spamuzle. The trojan has a modular architecture, with separate components handling different tasks, and the functionality of most banking malware: it can inject rogue HTML code into pages (man-in-the-browser attacks), disrupt antivirus software, uninstall other banking trojans, and enable Windows remote access. It also features a backdoor component through which attackers can issue commands to control the infected computers. The trojan can also act as a proxy between browsers and SSL-secured Web sites. This is achieved by hijacking the legitimate SSL connection and establishing a new one on the browser end using a self-signed certificate. Users are advised to always keep antivirus programs up to date to ensure they have the latest protection available. Also, if possible, online banking should be performed from a dedicated computer. Source:
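The proxy technique described in this item leaves a detectable trace: the certificate the browser sees for the bank is signed by the malware's own key, not by a CA the browser trusts, and it does not chain to any trusted root. The Go program below is an added example, not code from the original report or from Symantec. It constructs in memory both a self-signed leaf for a made-up hostname (onlinebanking.example) and a properly CA-issued leaf from a constructed root, then applies the two checks a browser or an endpoint agent watching its TLS sessions should make: is the leaf self-signed, and does it chain to a trusted root for the expected hostname. The hostname, the root CA name and all function names are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// BankHost is a constructed hostname standing in for a real online-banking site.
const BankHost = "onlinebanking.example"

// Finding is what a defensive agent would record for one leaf certificate it observed.
type Finding struct {
	SelfSigned bool  // issuer equals subject and the cert validates its own signature
	ChainsToCA bool  // builds a chain to a trust anchor for the expected hostname
	VerifyErr  error // why chain building failed, nil when ChainsToCA is true
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with signer; a nil parent yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildScenario constructs in memory (a) a self-signed leaf naming the bank, the kind a
// local interposing proxy mints for itself, and (b) a leaf issued by a constructed root
// CA, plus a pool holding that root as the only trust anchor. Everything is constructed.
func BuildScenario() (selfSigned, issued *x509.Certificate, roots *x509.CertPool) {
	now := time.Now()
	leaf := func(serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial),
			Subject:      pkix.Name{CommonName: BankHost},
			DNSNames:     []string{BankHost},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.Add(24 * time.Hour),
		}
	}
	proxyKey := newKey()
	selfSigned = issue(leaf(1), nil, &proxyKey.PublicKey, proxyKey)
	caKey := newKey()
	root := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(100),
		Subject:               pkix.Name{CommonName: "Constructed Example Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, &caKey.PublicKey, caKey)
	leafKey := newKey()
	issued = issue(leaf(2), root, &leafKey.PublicKey, caKey)
	roots = x509.NewCertPool()
	roots.AddCert(root)
	return selfSigned, issued, roots
}

// InspectLeaf applies the checks a browser, or an endpoint agent watching its TLS
// sessions, should run on the leaf certificate presented for host.
func InspectLeaf(host string, leaf *x509.Certificate, roots *x509.CertPool) Finding {
	var f Finding
	// CheckSignature is a raw check with the cert's own public key and applies no CA
	// constraints, so it answers "did this certificate sign itself?" even for a leaf.
	if leaf.Subject.String() == leaf.Issuer.String() &&
		leaf.CheckSignature(leaf.SignatureAlgorithm, leaf.RawTBSCertificate, leaf.Signature) == nil {
		f.SelfSigned = true
	}
	_, f.VerifyErr = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	f.ChainsToCA = f.VerifyErr == nil
	return f
}

func main() {
	selfSigned, issued, roots := BuildScenario()
	fmt.Printf("proxy cert:  %+v\n", InspectLeaf(BankHost, selfSigned, roots))
	fmt.Printf("issued cert: %+v\n", InspectLeaf(BankHost, issued, roots))
}
```

In a deployed agent the `Roots` field would be left nil so that `Verify` uses the system trust store, and a `SelfSigned` finding for a banking hostname would be logged as a TLS-interception indicator on that host. The example pins its own root only so that it runs offline and deterministically.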

12. March 3, Boston Globe – (Massachusetts) Everett bank robber gets cash and then leaves fake pipe bomb behind, police say. The man who robbed a bank in Everett, Massachusetts, March 3 left behind what appeared to be a pipe bomb equipped with a timer, forcing authorities to spend nearly 3 hours investigating before they learned the bomb was a fake. The police chief said a white male walked into the branch of the East Boston Savings Bank on Revere Beach Parkway shortly after 9 a.m. He walked up to a teller, demanded cash, and then pulled out what looked like a pipe bomb, the chief said. After the teller handed over some cash, the thief ran out of the bank but left the realistic-looking device on the counter. Bank employees and customers were evacuated and the state police bomb squad was summoned. At noon, Route 16, which had been closed in both directions while the suspicious package was examined, was in the process of being fully reopened. During the investigation, bomb squad technicians dispatched multiple robots into the bank, and appeared to monitor what the robots were observing on a laptop computer. Source:

13. March 2, Associated Press – (New York; National) Ex-Goldman director charged. Federal regulators have charged a former Goldman Sachs board member with insider trading, saying he gave confidential information to the key figure in what prosecutors call the largest hedge fund insider-trading probe ever. The Securities and Exchange Commission (SEC) announced the civil charges against the man March 1. SEC said an insider told the founder of the Galleon Group hedge fund that Warren Buffett’s Berkshire Hathaway planned to invest $5 billion in Goldman before it was publicly announced at the height of the financial crisis. The insider also is charged with giving the former board member confidential earnings information from Goldman and Procter & Gamble (P&G). The insider served on Goldman’s board from 2006 until last May. He was a P&G board member from 2007 until resigning March 1, after the charges were announced. The insider was an investor in some of the Galleon hedge funds when he passed the information along, and he had other business interests with the former board member, SEC said. The former board member used the information from the insider to illegally profit in hedge fund trades, SEC alleged. Source:

14. March 2, The Sacramento Bee – (California) ‘Poodle bandit’ pleads guilty to six bank robberies. An El Dorado County, California, man, dubbed the “Poodle Bandit” by investigators, has pleaded guilty to six counts of armed bank robbery. The man, who is from Somerset, entered the plea March 1 in federal court in Fresno. The man was dubbed the Poodle Bandit because of the curly gray wig he wore during each of the alleged robberies. According to a U.S. Department of Justice news release, he admitted he robbed six banks in five counties in the Eastern District of California between March 8, 2010 and May 6, 2010. The man also admitted that during each robbery he entered the bank and, armed with a handgun, ordered tellers to give him all the money. As part of the plea agreement, the man also admitted he robbed a bank in the Northern District of California April 5, 2010. He was apprehended after a citizen saw him leaving the Oak Valley Bank in Modesto and called authorities. Source:

15. March 2, Chicago Tribune – (Illinois) Discarded computer parts spark police response. Computer components inside a package left inside a West Loop bank in Chicago, Illinois, March 2 resulted in a major response from Chicago police and fire officials. The item was found just before 8 a.m. at a Bank of America branch in the 500 block of West Madison Street, across from the Presidential Towers complex. Fire department officials called for a precautionary hazardous materials response as police bomb and arson detectives responded to the scene. An X-ray of the package found it was filled with computer parts and did not pose a threat, said a police spokesman. A Bank of America spokeswoman said the incident did not disrupt bank operations. Police shut down several surrounding streets while the package was secured, but they were reopened at about 10:10 a.m. Source:

Information Technology

43. March 3, H Security – (International) iTunes 10.2 addresses multiple security vulnerabilities. Apple has released an update, version 10.2, to the popular iTunes media player software, closing a number of security vulnerabilities in its product. According to Apple, iTunes 10.2 corrects five vulnerabilities in ImageIO, as well as two issues in the libxml library, many of which could possibly be used by an attacker to execute arbitrary code. The update also fixes a total of 50 bugs in the WebKit browser engine which could also lead to arbitrary code execution via a man-in-the-middle attack while browsing the iTunes Store. Source:

44. March 3, Help Net Security – (International) Potentially deadly trojan is a modified security solution. An interesting tactic for hiding a trojan was recently spotted by Symantec researchers. Instead of using their own malicious code, the malware authors decided to take advantage of the code belonging to the KingSoft WebShield browser protection software (part of the KingSoft Internet Security solution). A researcher explains, “Kingsoft WebShield has the ability to lock the home page to a specific domain as well as to redirect URLs based entirely on plain text configuration files. This means that a person with malicious intent can repackage it using malicious configuration files and use this as a home-made Trojan package.” The new package contains the legitimate software and its support components, but also two configuration files that effectively turn it into the trojan. Once the apparently legitimate software is installed and running, one of these files changes the home page to one of the designated URLs — which house advertisement link farms — and locks it so that the user cannot change it. The other ensures that if a user tries to visit one of a number of popular domains listed in it, he or she is also redirected to one of the designated URLs. Source:

45. March 3, Help Net Security – (International) Twitter crime rate rises 20 percent. Barracuda Labs analyzed more than 26 million Twitter accounts in order to measure and analyze account behavior. The analysis enabled researchers to model normal user behavior and identify features that are strong indicators of illegitimate account use. Key highlights from the Twitter research include: In general, activity continues to increase on Twitter: more users are coming online; true Twitter users are tweeting more often, and even casual users are becoming more active. As users become more active, the malicious activity also increases. The number of real Twitter users increased to 43 percent, up from only 29 percent in June 2010. For every 100 Twitter users, 39 have between 1 and 9 followers, while 50 percent of Twitter users have more than 10 followers. Approximately 79 percent of Twitter users tweet less than once per day. After decreasing at the end of 2009, the Twitter crime rate increased 20 percent from the first half of 2010 to the second half of 2010, going from 1.6 percent to 2 percent. Attackers are distributing malware and exploiting vulnerabilities to achieve their malicious goals. Source:

46. March 2, H Security – (International) Wireshark updates close critical vulnerabilities. The Wireshark developers have announced the release of versions 1.2.15 and 1.4.4 of their open source, cross-platform network protocol analyser; the maintenance updates address two highly critical security vulnerabilities that could cause the application to crash. The first issue (CVE-2011-0538), discovered by a member of the Red Hat Security Response Team, could lead to memory corruption when reading a .pcap file in the pcap-ng format; this could be used by a remote attacker, for example, to effect a denial-of-service (DoS) attack. The other (CVE-2011-0713) is a bug that could lead to a heap-based buffer overflow when reading a specially crafted Nokia DCT3 trace file, possibly leading to the execution of arbitrary code. Further changes include fixes for 32-bit systems when reading a malformed 6LoWPAN packet and updates to various dissectors. Source:
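Both Wireshark issues are capture-file parsing bugs, and the defensive pattern for any such parser is the same: validate every length field against the bytes actually present before using it. The Go program below is an added example, not Wireshark code, and it is not tied to the exact root cause of either CVE. It implements a minimal pcap-ng block walker that checks the block-length minimum, 32-bit alignment, the remaining-input bound and the trailing length copy, and runs it over a constructed capture (a Section Header Block and an Ethernet Interface Description Block) with and without a trailing block whose declared length overruns the file. The constant and function names are the example's own.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	BlockSHB       = 0x0A0D0D0A // Section Header Block; same bytes in either byte order
	BlockIDB       = 0x00000001 // Interface Description Block
	byteOrderMagic = 0x1A2B3C4D
	minBlockLen    = 12 // block type + block total length + trailing block total length
	minSHBLen      = 28 // minBlockLen + the 16-byte fixed part of the SHB body
)

// Block is one validated pcap-ng block: its type and its body (options included).
type Block struct {
	Type uint32
	Body []byte
}

// ParseBlocks walks a pcap-ng stream and returns every block it could validate, stopping
// at the first block whose length fields disagree with the bytes actually present. Every
// length is checked against the remaining input before it is used to slice.
func ParseBlocks(data []byte) ([]Block, error) {
	var blocks []Block
	var bo binary.ByteOrder = binary.LittleEndian
	for off := 0; off < len(data); {
		if len(data)-off < minBlockLen {
			return blocks, fmt.Errorf("offset %d: truncated block header", off)
		}
		// An SHB carries the byte-order magic that governs the rest of its section.
		if binary.LittleEndian.Uint32(data[off:]) == BlockSHB {
			switch binary.LittleEndian.Uint32(data[off+8:]) {
			case byteOrderMagic:
				bo = binary.LittleEndian
			case 0x4D3C2B1A:
				bo = binary.BigEndian
			default:
				return blocks, fmt.Errorf("offset %d: bad byte-order magic", off)
			}
		}
		btype := bo.Uint32(data[off:])
		total := bo.Uint32(data[off+4:])
		remaining := uint64(len(data) - off)
		switch {
		case total < minBlockLen, btype == BlockSHB && total < minSHBLen:
			return blocks, fmt.Errorf("offset %d: block length %d below minimum", off, total)
		case total%4 != 0:
			return blocks, fmt.Errorf("offset %d: block length %d not 32-bit aligned", off, total)
		case uint64(total) > remaining:
			return blocks, fmt.Errorf("offset %d: block length %d exceeds remaining %d bytes", off, total, remaining)
		}
		end := off + int(total)
		if trailer := bo.Uint32(data[end-4:]); trailer != total {
			return blocks, fmt.Errorf("offset %d: trailing length %d != header length %d", off, trailer, total)
		}
		blocks = append(blocks, Block{Type: btype, Body: data[off+8 : end-4]})
		off = end
	}
	return blocks, nil
}

func le16(v uint16) []byte { b := make([]byte, 2); binary.LittleEndian.PutUint16(b, v); return b }
func le32(v uint32) []byte { b := make([]byte, 4); binary.LittleEndian.PutUint32(b, v); return b }

// block wraps body in a little-endian pcap-ng block frame with consistent length fields.
func block(btype uint32, body []byte) []byte {
	total := uint32(minBlockLen + len(body))
	out := append(le32(btype), le32(total)...)
	out = append(out, body...)
	return append(out, le32(total)...)
}

// BuildSample constructs a minimal little-endian capture for this example: an SHB and an
// Ethernet IDB, followed when corrupt is set by a block header that declares 1 MiB with
// only four bytes behind it.
func BuildSample(corrupt bool) []byte {
	shb := append(le32(byteOrderMagic), le16(1)...) // byte-order magic, version major 1
	shb = append(shb, le16(0)...)                   // version minor 0
	shb = append(shb, le32(0xFFFFFFFF)...)          // section length -1 (unknown), low half
	shb = append(shb, le32(0xFFFFFFFF)...)          // high half
	idb := append(le16(1), le16(0)...)              // LINKTYPE_ETHERNET, reserved
	idb = append(idb, le32(65535)...)               // snaplen
	out := append(block(BlockSHB, shb), block(BlockIDB, idb)...)
	if corrupt {
		out = append(out, le32(6)...)     // Enhanced Packet Block type
		out = append(out, le32(1<<20)...) // declared length far beyond the end of the file
		out = append(out, le32(0)...)     // the only bytes that actually follow
	}
	return out
}

func main() {
	for _, corrupt := range []bool{false, true} {
		blocks, err := ParseBlocks(BuildSample(corrupt))
		fmt.Printf("corrupt=%v: %d block(s) parsed, err=%v\n", corrupt, len(blocks), err)
	}
}
```

The walker never allocates or copies based on a declared length; it only sub-slices input that is already in memory after the bound checks pass, which is the property a C parser has to reproduce with explicit comparisons before every memcpy or read. Block bodies are returned as-is; option parsing inside a body needs the same treatment (option length checked against the body length before it is consumed).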

47. March 2, Help Net Security – (International) PDF-Pro multiple vulnerabilities. Several vulnerabilities in PDF-Pro can be exploited to compromise a user’s system, according to Secunia. Among the vulnerabilities: the application loads libraries (e.g. dwmapi(dot)dll) in an insecure manner, which can be exploited to load arbitrary libraries by tricking a user into e.g. opening a PDF file located on a remote WebDAV or SMB share; a boundary error in the bundled PDF Reader ActiveX control (ePapyrusReader(dot)ocx) when handling arguments passed to the “open()” method can be exploited to cause a stack-based buffer overflow; two boundary errors in ePapyrusReader.ocx when handling arguments passed to the “open_stream()” method can be exploited to cause heap-based buffer overflows. The vulnerabilities are confirmed in version bundling ePapyrusReader(dot)ocx version Other versions may also be affected. Source:

48. March 2, IDG News Service – (International) FTC, DOJ crack down on money-making schemes. A yearlong sweep targeting bogus employment and money-making schemes has resulted in more than 90 law enforcement and civil actions, including a restraining order against a company that made $40 million by promising customers it would help them build Web-based businesses, U.S. agencies announced March 2. The Operation Empty Promises enforcement effort has led to 3 new cases and developments in seven other cases at the U.S. Federal Trade Commission (FTC), 48 criminal enforcement actions at the U.S. Department of Justice, 7 civil actions at the U.S. Postal Inspection Service, and 28 actions by state law enforcement agencies, the agencies announced. Among the companies targeted was Ivy Capital, which promised customers assistance in setting up Web-based businesses in exchange for fees of up to $20,000, the FTC said. Ivy Capital’s business coaching services offered “worthless babble,” and customers encountered “endless technical difficulties” with software the company sold, the director of the FTC’s Business Protection Bureau said. Source:

Communications Sector

49. March 2, Associated Press – (National) FCC to study rules on cable-broadcast negotiations. The Federal Communications Commission is set to vote March 3 to launch a review of the federal rules that govern negotiations over the fees that cable, satellite, and other video services pay TV stations to carry their signals in channel lineups. To supplement advertising revenue, broadcasters have begun demanding cash for signals they used to give away for free, and that contributes to rising cable bills. The FCC’s actions follow a series of high-profile standoffs that left some consumers without their local stations. In October, a breakdown in negotiations between Cablevision Systems Corp. and News Corp.’s Fox network left 3 million Cablevision subscribers in the New York area without Fox programming for 15 days — including through two World Series games — after the broadcaster pulled its signal. The FCC wants to examine its existing rules to determine if there are other ways to prevent impasses by ensuring that both sides negotiate in good faith. Source: