Monday, March 7, 2011

Complete DHS Daily Report for March 7, 2011

Daily Report

Top Stories

• Agence France-Presse reports that a U.S. Navy intelligence specialist was charged March 3 with espionage after he allegedly tried to sell classified information to an undercover FBI agent. (See item 38)

38. March 3, Agence France-Presse – (National) U.S. Navy officer charged with espionage. A U.S. Navy intelligence specialist was charged March 3 with espionage after he allegedly tried to sell classified information to an undercover FBI agent, officials said. The Specialist 2nd Class faced charges of attempting to forward classified information to a person not authorized to receive such information, the U.S. Navy said in a statement. A court-martial date has not yet been set, but the man was charged with 4 specifications of attempted espionage, and 11 specifications of mishandling classified information. FBI and Naval Criminal Investigative Service agents apprehended the man December 1 in Fayetteville, North Carolina, after he was suspected of trying to sell information marked “secret” and “top secret.” He is currently held at Naval Brig Norfolk in Virginia. All charges stemmed from incidents that took place when the man was assigned to the Expeditionary Combat Readiness Center at Joint Expeditionary Base Little Creek in Fort Story, Virginia, according to the Navy. Source:

• According to Associated Press, a heavily armed man who crashed his pickup truck in Bellmore, New York, then shot an emergency medical technician, appeared to be planning a mass killing, police said March 2. (See item 43)

43. March 3, Associated Press – (New York) N.Y. police: Gunman had planned mass murder. A heavily armed man who crashed his pickup truck in Bellmore, New York, then shot an emergency medical technician (EMT) responding to the accident before being killed by police, appeared to be planning a mass killing, police said March 2. The man had a rifle strapped to his chest, and extra ammunition inserted in elongated wristbands on his arms, the Nassau County Police Commissioner told reporters. He had six weapons in his possession, including a Tec-9 automatic pistol. Shooting erupted at about 10 p.m. March 1, after the man hit a utility pole with his truck. When the volunteer ambulance crew arrived, he fired at least eight shots at them from an assault rifle, wounding the EMT. Police responding to the crash then fatally shot the man when he threatened them. Source:


Banking and Finance Sector

13. March 3, WFTS 29 Tampa – (Florida) Search for Bank Bag Bandit goes public. Surveillance pictures were released March 2 of a man wanted by the FBI and local authorities in Tampa, Florida, for at least three bank robberies in three counties dating back to November 2010. The man dubbed the “Bank Bag Bandit” is wanted for robbing the First Citrus Bank in Tampa, Superior Bank in Spring Hill, and BB&T Bank in Pasco County. During each of the robberies, the suspect threatened the tellers with a handgun and demanded money. He wore a dark colored hat, sunglasses, mask over his face, and a dark colored jacket. According to a report, the Bank Bag Bandit fled in a gray or silver Ford F150 pick-up truck, Lariat Edition. Source:

14. March 3, Boulder Daily Camera and Longmont Times-Call – (Colorado) Suspects arrested in Boulder, Longmont bank robberies. Suspects are under arrest in bank robberies in Boulder and Longmont, Colorado, as investigators continue to look for any links between those crimes and two other bank robberies in Boulder the week of February 28. Boulder police issued an arrest warrant March 3 for a man on suspicion of robbing the Wells Fargo at 1690 Canyon Boulevard February 28. Also March 3, Longmont police arrested a 34-year-old Kansas man on suspicion of robbing the Wells Fargo bank in the Safeway at 1050 Ken Pratt Boulevard just after 6 p.m. March 1. Investigators believe he was in the state just to rob banks, a Longmont police spokesman said. The FBI and Boulder police have been investigating 3 robberies that occurred in a 24-hour period, 2 February 28 — at the Wells Fargo and a Circle K convenience store — and one March 1 at the Boulder Valley Credit Union. Source:

15. March 3, IDG News Service – (National) Cybercriminals targeting point-of-sale devices. Point-of-sale (POS) payment processing devices for credit and debit cards are proving to be rich targets for cybercriminals due to lax security controls, particularly among small businesses, according to a report from Trustwave. Trustwave, which investigates payment card breaches for companies such as American Express, Visa, and MasterCard, conducted 220 investigations worldwide involving data breaches in 2010. The vast majority of those cases came down to weaknesses in POS devices. “Representing many targets and due to well-known vulnerabilities, POS systems continue to be the easiest method for criminals to obtain the data necessary to commit payment card fraud,” according to Trustwave’s Global Security Report 2011. POS devices read the magnetic stripe on the back of a card that contains account information, which is then transmitted for payment processing. Although there are rules for security controls developers should use for the devices, such as the Payment Application Data Security standard (PA-DSS), Trustwave said “these controls are rarely implemented properly.” POS devices are an attractive target for cybercriminals since the data they access from the cards is more complete, Trustwave said. Source:

16. March 2, Cleveland Plain Dealer – (National) 9 indicted in collapse of St. Paul Croatian Credit Union. Nine people were indicted March 2 by a federal grand jury in Cleveland, Ohio, on charges of fraud stemming from the collapse of the St. Paul Croatian Credit Union last April. Federal law enforcement officials described it as one of the largest credit union failures in American history. It cost the National Credit Union Share Insurance Fund $170 million. Among those charged was the credit union’s chief operating officer, according to prosecutors. The man was initially charged in January with bank fraud and money-laundering and has been in jail since then. The March 2 indictment added more charges, including bank bribery. More than 1,000 fraudulent loans, totaling more than $70 million, were issued to more than 300 account-holders at the credit union between 2000 and 2010, the indictment said. To conceal his scheme and to prevent the loans from appearing on the books as delinquent, the man rewrote the loans with new repayment terms using fictitious names and names of credit union members without their knowledge, the indictment said. Source:

17. March 2, Minnesota Star Tribune – (Minnesota) Masked gunman robs third bank. A masked gunman robbed the TCF Bank in St. Anthony, Minnesota, March 1 and is suspected of a similar robbery February 28, and another January 3, the FBI said. The suspect robbed the TCF Bank on Silver Lake Road about 7 p.m. He displayed a handgun in the lobby, ordered everyone to lie on the floor and demanded money from a teller, according to an FBI news release. He fled on foot. The man is also suspected of robbing the TCF Bank on Suburban Avenue in St. Paul February 28. He also brandished a gun in that incident. He is also a suspect in the TCF Bank robbery in West St. Paul January 3. The suspect is described as an Asian man, 5 foot 7, wearing all black clothes and a black mask. Source:

Information Technology

47. March 4, Help Net Security – (International) Trojans still top malware threat. Continuing a trend observed since the summer of 2010, the same types of Trojan horse programs have persistently dominated the threat landscape through February 2011, according to GFI Software. Statistics show Trojans made up 6 of the top 10 malware threats of February. Trojans detected as Trojan(dot)Win32(dot)Generic!BT continue to be the number one threat, accounting for 22.97 percent of total detections. This is an increase from the 21.38 percent in January and 21.93 percent in December of total threats detected. These Trojans are downloaders associated with rogue security programs known as “scareware.” Once they are on a user’s system, these programs perform a fake scan of a victim’s computer for malware then display false warnings that the machine is infected in an attempt to convince victims to purchase fake security software. Source:

48. March 4, – (International) DroidDream Android malware contains hidden payload. A closer analysis of the DroidDream malware found embedded in applications on the Android Market shows a second payload that may cause further security problems. The chief technical officer at Lookout, told that the DroidDream software searches for a specific package named com(dot)android.providers(dot)downloadsmanager. If this is not present, it installs a second piece of code. Analysis of this second payload is continuing, but could be the underpinnings to create a botnet. “We’re still analyzing the application, so I’ll draw a line between what we know for sure. So far this code has used an exploit to root the phone and break out of the security sandbox,” Lookout’s chief technical officer said. Source:

49. March 3, Darkreading – (International) WordPress hit by multigigabit DDoS attack. The WordPress blog hosting service came back online March 3 after several hours of pummeling by a relentless distributed denial-of-service (DDoS) attack that either slowed or knocked offline its 18 million blogs. This was the largest DDoS attack ever against WordPress, reaching the capacity of multigigabits per second and tens of millions of packets per second, according to WordPress’ Twitter update. The attack took its toll on all three of the site’s data centers, which are based in Chicago, Illinois, and San Antonio and Dallas, Texas. WordPress told Sophos it received outside help in thwarting the attack. “The DDoS is too large for us to mitigate directly, so we’ve been collaborating with our upstream providers and relying on their intervention. This is a precision interventional, so potentially the attack could be shifted around it,” according to WordPress. “This is the largest and most sustained attack we’ve seen in our 6-year history. We suspect it may have been politically motivated against one of our non-English blogs, but we’re still investigating and have no definitive evidence yet,” WordPress’s founder told CNET. Source:

50. March 3, Computerworld – (International) Microsoft pushes anti-AutoRun update at XP, Vista users. Microsoft the week of February 21 changed how it delivers an update that disables AutoRun, a Windows feature worms, including Conficker and Stuxnet, have used to infect millions of PCs. The company is now pushing the update to Windows XP and Vista users automatically. When Microsoft first deployed the update February 8, it said the patch would be offered as an optional download. To retrieve it, users had to manually checkmark the “KB971029” update in the “Software, Optional” section of Windows Update in XP, or in Vista’s Windows Update panel under “Important.” But the week of February 21, Microsoft changed those rules and began feeding users the update through the Automatic Updates feature of Windows Update, which automatically downloads and installs hotfixes and other software upgrades. Microsoft’s move to cripple AutoRun is a response to the malware’s continued reliance on infection tactics that abuse AutoRun and AutoPlay, the technologies that automatically launch executable files on removable media, especially USB flash drives. Source:

51. March 2, The Register – (International) Rogue AV pimps finally show love for alternative browsers. Mozilla Firefox, Google Chrome, and Apple Safari are beginning to see ads distributing malware disguised as legitimate antivirus programs with the look and feel of the browser itself. A security researcher from Zscaler recently uncovered a campaign tailored to the browser that the intended victim is using. Those with Internet Explorer (IE) will see the same graphic depicting a Windows 7 security alert, but when a person is using Firefox, the image contains internal Firefox elements in the source code and also spoofs the security warning the browser shows when users attempt to navigate to an address known to be malicious, a senior security researcher at Zscaler said. When the intended target visits the page with Chrome, the ruse looks altogether different. The first screen shows a warning window bearing the browser’s distinctive logo and the words “Chrome Security has found critical process activity on your system and will perform fast scan of system files.” The user then sees what purports to be a Chrome window showing a virus scan. Safari is also spoofed, although with significantly less effort. The scan page defaults to the look and feel of IE. The ads are an attempt to trick visitors into believing they have infections that can be cured by the software being offered in the ad. Source:

Communications Sector

52. March 4, – (Texas; National) Feds arrest operator of Web site accused of pirating live streams of copyrighted sporting events. Federal authorities March 3 followed up their previous technical attempt to curtail online piracy with the confiscation of domain names by arresting a man accused of operating the Web site at one of those domains. Federal authorities are charging the suspect, 32, of Deer Park, Texas, with pirating live streams of sporting events and pay-per-view programs at channelsurfing(dot)net. The feds said March 3 that a Homeland Security investigation found the suspect made more than $90,000 in profits from online merchants who paid to advertise on the site. Channelsurfing(dot)net was an online portal to pirated telecasts of games owned by the National Football League, the National Basketball Association, the National Hockey League, World Wrestling Entertainment, and Ultimate Fighting Championship, according to the criminal complaint unsealed March 3 in a federal district court in New York. If convicted, the suspect faces a maximum prison sentence of 5 years. Source:

53. March 3, National Journal – (National) FCC votes to review TV retransmission negotiation rules. The Federal Communications Commission (FCC) made no immediate changes to retransmission rules March 3, but the panel’s members warned broadcasters and cable companies not to use the FCC’s decision to review the rules as an excuse to back out of negotiations. The commission unanimously voted to consider and seek comment on potential changes to TV retransmission rules, which govern how cable companies or other video distributors retransmit broadcast stations. Recent high-profile disputes between cable and satellite TV carriers and broadcasters have left millions of viewers in the dark when programming is pulled. And right now a spat between Dish Network Corp. and Lin TV Corp. is threatening to cause another “blackout.” Among the potential changes to be examined are measures that would provide more guidance about good-faith negotiating requirements, improve notice requirements for consumers, and eliminate rules that provide for contract enforcement through the FCC, rather than through the courts. Source: