Wednesday, March 9, 2011

Complete DHS Daily Report for March 9, 2011

Daily Report

Top Stories

• The Center for Public Integrity reports an audit by the U.S. Department of Agriculture’s Inspector General found the agency’s process for testing ground beef for E. coli is flawed. (See item 23)

23. March 7, Center for Public Integrity – (National) USDA audit says E. coli testing in ground beef is flawed. The U.S. Department of Agriculture (USDA) has found its process for testing for E. coli in ground beef is flawed and may be missing bacteria during tests. These findings come from an audit released March 7 by the agency’s Inspector General (IG). It warns the current sampling method “is not designed to yield the statistical precision that is reasonable for food safety or to verify that plant controls or interventions are working as intended.” The audit makes four recommendations for improving inspections of the nearly 4 billion pounds of ground beef produced annually in the United States. These recommendations include developing a redesigned sampling program to provide “higher confidence” in the testing regime. The audit was done at the request of a U.S. Representative from Connecticut. The IG warned that, in situations where E. coli is present in 1 percent of the inspected bin, the current screening method would miss it more than half the time. Or, as the report puts it, “if the contamination level is very low, FSIS (Food Safety and Inspection Service) is more likely to miss contamination than to detect it.” Source:

• According to ABC News, a U.S. marshal was shot and killed, and two other law enforcement officers were injured while serving a warrant near St. Louis, Missouri. (See item 39)

39. March 8, ABC News – (Missouri) St. Louis shootout ends with U.S. Marshal and suspect dead. A U.S. marshal was shot in the head and killed March 8 while serving an arrest warrant near St. Louis, Missouri, setting off a standoff that ended with two other officers injured and the suspect killed. The marshal was taken to a hospital where he died, the U.S. Marshals Service said in a statement. The officers were attempting to serve an arrest warrant at the suspect’s home in the St. Louis suburb called Dutchtown, when the man opened fire with a semi-automatic pistol as the officers tried to enter the home. A shot fired at the St. Louis police officer ricocheted off his bullet-proof vest and entered his shoulder. He appears to have suffered a broken shoulder, sources said. The injured marshal is believed to have been shot in the leg or foot. When authorities arrived at the suspect’s home, he told them, “I’m only going out in a body bag,” ABC News radio affiliate KTRS reported. Three children were removed from the home before shots were fired. Source:


Banking and Finance Sector

11. March 8, BNO News – (California) Ten Americans indicted after scamming more than $1.5 million from elderly victims. Ten Americans have been indicted on federal charges of running a so-called advance fee scheme that targeted elderly victims in the United States with promises of millions of dollars in inheritances — but only if they paid money upfront to facilitate the transfer of the promised bequests. The U.S. Attorney’s Office for the Central District of California March 7 released the first details about the cases. One suspect, who is a Nigerian national, allegedly orchestrated the domestic part of the scheme, which sent spam e-mails to thousands of potential victims. The senders of the e-mails falsely claimed to have control of millions of dollars in inheritance money in Nigeria, and they falsely told victims they would receive inheritance money if the victims paid a variety of advance fees for taxes or documentation. The suspect and his associates allegedly claimed to be attorneys, bankers, diplomats or other government officials, all of which was designed to convince victims they were dealing with legitimate professionals. The indictment alleged the suspects lured victims by initially demanding relatively small amounts of money. But once the victims paid the modest amounts, they were asked to wire increasingly larger amounts — as much as $35,000, according to the court documents. This so-called Nigerian 419 scam — named for the section of the Nigerian criminal code that deals with fraud — allegedly bilked at least two dozen victims, most of whom were elderly, who collectively lost more than $1.5 million. Three of the ten defendants were arraigned March 7 in district court, where they pleaded not guilty and were ordered to stand trial later this year.
The investigation into the 419 scam was initiated by the Treasury Inspector General for Tax Administration after one of the fraudsters allegedly impersonated an IRS agent to convince a victim to pay fictitious taxes. Source:

12. March 8, Norfolk Virginian-Pilot – (Virginia) 2 guilty of trying to defraud Navy credit union. Two men have pleaded guilty to fraud charges for attempting to defraud Navy Federal Credit Union of nearly a half-million dollars. One suspect, of Norfolk, Virginia, pleaded guilty March 7 in U.S. District Court to two charges related to credit union fraud. His accomplice, of Virginia Beach, Virginia, pleaded guilty last month to credit union fraud and aggravated identity theft. The two admitted that between 2009 and 2010 they tried to cash $460,000 in checks obtained with stolen identities, netting about $160,000, according to a court filing. One man admitted he stole the identities of Navy Federal Credit Union customers, after which he and his accomplice obtained loan checks for bogus used car and motorcycle purchases. They also used unidentified third parties to help cash the checks. The man who is in jail will be sentenced May 2; his accomplice remains free pending sentencing June 6. Source:

13. March 8, Daily Stamford – (Connecticut) New Canaan man pleads guilty in ponzi scheme. A New Canaan, Connecticut man accused of defrauding people in a Ponzi scheme pleaded guilty March 7 in federal court and now faces up to 70 years in prison. The suspect pleaded guilty to five federal charges in U.S. District Court in Bridgeport. He owns and operates the Michael Kenwood Group, which operated several hedge funds in Stamford. “This investigation has revealed that [the suspect] operated a massive Ponzi scheme that has defrauded foreign investors of hundreds of millions of dollars,” said a U.S. attorney for Connecticut. “While the precise dollar losses will not be known for some time, based on this fast-moving investigation, we believe this case represents the largest white-collar prosecution ever brought by this office.” According to federal and FBI officials, from 2006 to February 2011, the suspect engaged in a scheme to defraud his investors, creditors, and the Securities and Exchange Commission (SEC). He allegedly created fraudulent documents as well as a fictitious asset verification letter falsely representing that one of his hedge funds had at least $275 million in credits as a result of outstanding loans even though he knew it did not have such credits. In addition, authorities said, the suspect misled investors, creditors, and the SEC about the true performance of the funds. The suspect pleaded guilty to two counts of wire fraud, one count of securities fraud, one count of investment adviser fraud, and one count each of conspiracy to obstruct justice, to obstruct an official proceeding and to defraud the SEC. Source:

14. March 7, Perry County Times – (Pennsylvania) Harrisburg man charged with 3 bank robberies. State police have arrested a Harrisburg, Pennsylvania man and charged him with seven bank robberies, including three in Perry County. The suspect, 25, of the 2800 block of Canby Street, is being held on $750,000 bail in Adams County Prison. He is charged in connection with robberies of First National Bank of Liverpool December 30 and January 24, and of the PNC Bank in Duncannon February 18. State police in Gettysburg also have charged the suspect with an Adams County bank robbery February 18 that occurred before the Duncannon PNC Bank robbery. East Pennsboro Township police have charged him with robberies November 23 and December 9 at the PNC Bank in Enola. Assisting in the investigations were the FBI Task Force, the state police Bureau of Emergency and Special Operations, the state police Troop H vice unit, and the East Pennsboro and Camp Hill police departments. Source:

15. March 7, San Francisco Chronicle – (California) Alleged Concord bank robber tentatively identified by Danville Police. The man who police said is responsible for several bank robberies around the Bay Area since February, including one in Concord, California February 24, has been tentatively identified by the Danville Police Department. The suspect robbed a bank in Danville March 7. According to Danville police, the suspect robbed the Chase Bank location at 661 San Ramon Valley Boulevard. A male, in his 20s, described as African American or Middle Eastern, wearing a white turban, approached a teller and demanded money. No weapon was seen and no one was injured during the robbery. The suspect received an estimated $20,000 from the teller and then fled the bank on foot. Witnesses told responding officers they had seen a person matching the suspect’s description running north from the scene. The FBI is assisting Danville police and a suspect has been tentatively identified. Source:

For another story, see item 45 below

Information Technology

41. March 8, Softpedia – (International) Google patches remote code execution Android Market vulnerability. Google has fixed a critical vulnerability in the Android Market Web site that allowed attackers to remotely install rogue apps on visitors’ devices. The bug was a cross-site scripting (XSS) weakness in the form used to publish new applications, discovered by a security researcher at Duo Security. He explained that insufficient input validation in the application description field allowed malicious script to be stored and then served as part of the resulting application page. That script could trigger a remote app installation through the INSTALL_ASSET functionality. This kind of push installation, which is considered a feature of the Android Market, has been criticized because it displays no confirmation prompt on the user’s device. Source:
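The description-field flaw above, as an added example that is neither Duo Security’s finding nor Google’s code: a listing template that splices the submitter’s description straight into the page, beside the same template with contextual output encoding, and a parser-based check for the script elements a browser would actually execute. The template, the sample description and all function names are constructed for this illustration.

```python
import html
from html.parser import HTMLParser
from typing import List

# Constructed sample (not the researcher's real payload): whatever markup the
# submitter types into the description field ends up in the public listing page.
MALICIOUS_DESCRIPTION = 'Great game! <script>alert("install")</script>'

# Hypothetical listing template; the real Market page is not reproduced here.
PAGE_TEMPLATE = "<html><body><h1>{name}</h1><p>{description}</p></body></html>"


def render_app_page(name: str, description: str, escape_output: bool) -> str:
    """Build the listing page.

    escape_output=False is the vulnerable pattern: untrusted text is spliced
    into HTML as markup, so a <script> in the description becomes a script
    element in the page. escape_output=True encodes the text for the HTML
    body context, which is the control that actually closes stored XSS.
    """
    if escape_output:
        name = html.escape(name, quote=True)
        description = html.escape(description, quote=True)
    return PAGE_TEMPLATE.format(name=name, description=description)


class _ScriptFinder(HTMLParser):
    """Collect the bodies of <script> elements the parser recognises as tags.

    Escaped text such as &lt;script&gt; is delivered as character data, not as
    a start tag, so it never reaches handle_starttag.
    """

    def __init__(self) -> None:
        super().__init__()
        self.scripts: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data


def executable_scripts(page: str) -> List[str]:
    """Return the script bodies a browser would run when rendering `page`."""
    finder = _ScriptFinder()
    finder.feed(page)
    finder.close()
    return finder.scripts


if __name__ == "__main__":
    vulnerable = render_app_page("Demo App", MALICIOUS_DESCRIPTION, escape_output=False)
    fixed = render_app_page("Demo App", MALICIOUS_DESCRIPTION, escape_output=True)
    print("unescaped page runs:", executable_scripts(vulnerable))
    print("escaped page runs:  ", executable_scripts(fixed))
```

Validating the form input (length, allowed characters) is worth having, but it is a weak control on its own; the encoding step at the point where text enters HTML is what prevents the stored description from becoming markup. The check parses the page instead of grepping for “<script” so that it reflects what a browser does with the escaped text.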

42. March 8, H Security – (International) Vulnerabilities in STARTTLS implementations. Vulnerabilities in implementations of STARTTLS, the command used to upgrade a plaintext connection to an encrypted TLS connection, could allow an attacker to inject commands into a connection. According to the description by the discoverer of the problem, a Postfix developer, the key point is that the commands are injected before the connection has been secured, but are only executed once the secure connection has been established. The developer illustrated the problem with SMTP over TLS. The client sends “STARTTLS\r\n”; a man-in-the-middle changes this to “STARTTLS\r\nRSET\r\n”. Client and server then complete the TLS handshake. The server, which has already read the injected “RSET\r\n” into its input buffer during the unprotected phase, executes it after the handshake as though it had arrived over the protected connection. RSET is relatively innocuous, being a harmless protocol reset, but other commands could be injected in the same fashion, and the same pattern applies to any protocol that upgrades a plaintext connection in this way. Source:
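The exchange described above, modelled as an added example (not Postfix’s code and not the discoverer’s advisory): a toy SMTP command loop that reads commands from an input buffer, with a flag selecting whether that buffer is emptied when STARTTLS is processed. The traffic, the class and the function names are constructed for this illustration; the TLS handshake itself is not performed.

```python
from typing import List, Tuple

# Constructed sample traffic, not taken from the advisory. On the plaintext leg
# the man-in-the-middle has rewritten the client's "STARTTLS\r\n" into
# "STARTTLS\r\nRSET\r\n"; the genuine client never sent RSET.
PLAINTEXT_LEG = b"EHLO client.example\r\nSTARTTLS\r\nRSET\r\n"
# What the genuine client sends after the handshake, inside the TLS channel.
TLS_LEG = b"EHLO client.example\r\nMAIL FROM:<alice@example.net>\r\nQUIT\r\n"


class SmtpServerModel:
    """Minimal model of an SMTP command loop around STARTTLS.

    ``buf`` stands for the server's input buffer: bytes already read from the
    socket but not yet processed. A server that reads a whole TCP segment at a
    time may already hold bytes that followed the STARTTLS line. If it keeps
    them across the handshake, it later executes them as if TLS had protected
    them; the fix is to empty the buffer when switching to TLS.
    """

    def __init__(self, plaintext_leg: bytes, tls_leg: bytes, flush_on_starttls: bool) -> None:
        self.buf = plaintext_leg
        self.tls_leg = tls_leg
        self.flush_on_starttls = flush_on_starttls
        self.tls_active = False
        self.executed: List[Tuple[str, bool]] = []  # (verb, ran after handshake)

    def _read_line(self):
        if b"\r\n" not in self.buf:
            return None
        line, _, self.buf = self.buf.partition(b"\r\n")
        return line.decode("ascii", errors="replace")

    def run(self) -> List[Tuple[str, bool]]:
        line = self._read_line()
        while line is not None:
            verb = line.split(" ", 1)[0].upper()
            if verb == "STARTTLS" and not self.tls_active:
                # The TLS handshake would happen here. Anything still in ``buf``
                # was read from the unauthenticated plaintext leg.
                if self.flush_on_starttls:
                    self.buf = b""
                self.tls_active = True
                # Bytes the client sends inside TLS arrive decrypted afterwards.
                self.buf += self.tls_leg
            else:
                self.executed.append((verb, self.tls_active))
            line = self._read_line()
        return self.executed


def commands_treated_as_protected(flush_on_starttls: bool) -> List[str]:
    """Verbs the server executed while believing they arrived over TLS."""
    server = SmtpServerModel(PLAINTEXT_LEG, TLS_LEG, flush_on_starttls)
    return [verb for verb, protected in server.run() if protected]


if __name__ == "__main__":
    print("vulnerable server:", commands_treated_as_protected(False))
    print("fixed server:     ", commands_treated_as_protected(True))
```

The loop that keeps its buffer runs the attacker’s RSET as its first “protected” command; the loop that flushes never sees it. A real server should check for unread bytes before starting the handshake and either discard them or drop the connection, and the same check belongs in clients, which can be fed injected server responses the same way.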

43. March 8, Softpedia – (International) Microsoft detects spikes in SWF malware attacks using embedded JavaScript. Microsoft has seen spikes in the number of attacks using SWF malware that embeds malicious JavaScript, and warns this technique might become more prevalent. SWF-based malware is not new; it is commonly used to exploit vulnerabilities in Adobe Flash Player in order to install further threats on computers. The new trojan identified by Microsoft, dubbed Trojan:SWF/Jaswi.A, targets CVE-2010-0806, an arbitrary code execution vulnerability in Internet Explorer 6 and 7. What sets it apart is the way the JavaScript-based exploit is launched. Most SWF malware uses the getURL function to redirect users to malicious sites, whereas Jaswi.A uses a different function call to initiate the injection. If successful, the attack downloads a file called uusee(dot)exe, a Chinese password stealer detected as PWS:Win32/Lolyda(dot)AU. Source:

44. March 8, H Security – (International) USB driver bug exposed as ‘Linux plug&pwn’. A researcher from MWR InfoSecurity has reported a bug in the Caiaq USB driver that could be used to gain control of a Linux system via a USB device. The driver copies the device name into an 80-byte buffer with strcpy() without checking its length. A crafted device that reports a longer name can therefore write past the end of the buffer and, since the copy runs inside the kernel, inject and execute code in kernel mode. Because the driver ships with, and is loaded automatically by, most Linux distributions, an attacker merely has to plug such a device into a Linux system’s USB port. MWR said it has built a suitable USB device for this purpose, boasting in a Tweet of a “Linux plug&pwn.” The attack needs physical access to a port but no credentials; until the fix reaches a system, hosts that have no use for the driver can blacklist its kernel module so it is never loaded on device insertion. Source:

45. March 8, Help Net Security – (International) Illegal online pharmacies target mobile users. As witnessed by Cyveillance, fake pills pushers have begun targeting mobile device users. The look of regular Web sites is not optimized for mobile browsing — the font size is usually too small and navigation is too difficult. So, the scammers running some illegal online pharmacies have decided that there is enough interest to warrant the setting up of Web sites optimized for mobile device interaction. They even incorporated a .mobi Internet domain for the site. But apart from these cosmetic changes, the danger for users remains the same: fake pills that can endanger their health and unsecured, unencrypted payment processing that may result in their credit card details getting stolen and misused. Source:

46. March 7, Softpedia – (International) Private open-source software security mailing list shuts down after hacking. A private mailing list — referred to as Vendor-Sec — used by Linux and FreeBSD vendors to coordinate responses to critical vulnerabilities was closed down after its server was compromised and destroyed by hackers. “...I noticed a break-in into the machine last week [the week of February 27], which was likely used to sniff email traffic of vendor-sec,” the moderator announced on the OSS Security mailing list March 3. “This incident probably happened on Jan. 20 as confirmed by timestamp, but might have existed for longer,” he added. Before deciding on what course of action to take regarding the decade-old mailing list, he asked for input from people in the open-source software security industry about its usefulness in the current context. But, before any meaningful discussion had a chance to start, the hackers realized they were detected, re-entered, and destroyed the system.


For another story, see item 47 below

Communications Sector

47. March 8, The Register – (International) IPv6 intro creates spam-filtering nightmare. The migration towards IPv6 will make it harder to filter spam messages, service providers warn. While the expansion to IPv6 allows far more devices to have a unique Internet address, it creates many problems for security service providers, who have long used databases of known bad IP addresses to maintain blacklists of junk mail sources. Spam-filtering technology typically uses blacklists as one key component in a multi-stage junk mail filtering process that also involves examining message contents. “The primary method for stopping the majority of spam used by e-mail providers is to track bad IP addresses sending e-mail and block them – a process known as IP blacklisting,” explained a senior solutions architect at spam-filtering company Cloudmark. “With IPv6, this technique will no longer be possible and could mean that e-mail systems would quickly become overloaded if new approaches are not developed.” Other technologies also track IP addresses for various purposes, including filtering out sources of denial of service attacks, click fraud, and search engine manipulation. Source:
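Why per-address blacklisting stops working at IPv6 scale, as an added example that is not Cloudmark’s or The Register’s: a blacklist keyed on the connecting address itself, beside one keyed on a /64 prefix for IPv6 senders, both run over a constructed set of connections. The /64 granularity, the addresses and the message IDs are assumptions for the illustration; it goes slightly beyond the article by handling IPv4 and IPv6 senders through one key function.

```python
import ipaddress
from typing import Dict, List, Set, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumed unit of reputation tracking for IPv6. A single sender normally controls
# at least a /64 and can rotate through 2**64 addresses inside it, so a list of
# individual 128-bit addresses never converges. Operators also use /56 or /48.
IPV6_REPUTATION_PREFIX = 64


def reputation_key(addr: str, per_address: bool) -> Network:
    """Map a connecting address to the key a blacklist is indexed by.

    per_address=True is the IPv4-era behaviour: every address is its own key.
    Otherwise IPv4 hosts stay one-address keys (/32) and IPv6 hosts collapse
    to their /64.
    """
    ip = ipaddress.ip_address(addr)
    if per_address or ip.version == 4:
        prefix = ip.max_prefixlen          # /32 or /128: the address itself
    else:
        prefix = IPV6_REPUTATION_PREFIX
    return ipaddress.ip_interface(f"{ip}/{prefix}").network


class Blacklist:
    """Set of listed keys at the chosen granularity."""

    def __init__(self, per_address: bool) -> None:
        self.per_address = per_address
        self.entries: Set[Network] = set()

    def add(self, addr: str) -> None:
        self.entries.add(reputation_key(addr, self.per_address))

    def blocks(self, addr: str) -> bool:
        return reputation_key(addr, self.per_address) in self.entries


# Constructed sample data (not from the article): sources already reported for
# spam, then a batch of later connections, each carrying a message ID.
REPORTED_SPAM_SOURCES = ["192.0.2.10", "2001:db8:1:2::1"]
LATER_CONNECTIONS: Dict[str, str] = {
    "m1": "192.0.2.10",                     # same IPv4 host
    "m2": "2001:db8:1:2::1",                # same IPv6 address
    "m3": "2001:db8:1:2:dead:beef:cafe:1",  # same /64, fresh address
    "m4": "2001:db8:1:3::1",                # neighbouring /64, never listed
    "m5": "198.51.100.7",                   # unrelated IPv4 host
}


def blocked_messages(per_address: bool) -> List[str]:
    """IDs of later connections that a blacklist of the given granularity rejects."""
    blacklist = Blacklist(per_address)
    for source in REPORTED_SPAM_SOURCES:
        blacklist.add(source)
    return [mid for mid, source in LATER_CONNECTIONS.items() if blacklist.blocks(source)]


if __name__ == "__main__":
    print("per-address blacklist blocks:", blocked_messages(per_address=True))
    print("per-prefix blacklist blocks: ", blocked_messages(per_address=False))
```

The per-address list misses the listed sender’s next address inside the same /64 (m3), which is exactly the rotation a spammer gets for free under IPv6; the prefix-keyed list catches it without touching the neighbouring /64 (m4). Choosing the prefix length is a trade-off between that collateral damage and convergence, and it is one of the reasons the article’s sources say IP reputation cannot remain the primary filter on its own.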

Tuesday, March 8, 2011

Complete DHS Daily Report for March 8, 2011

Daily Report

Top Stories

• Associated Press reports two natural gas companies suspended the use of injection wells in central Arkansas after an industry commission found a link between the wells and hundreds of recent earthquakes in the area. (See item 5)

5. March 4, Associated Press – (Arkansas) ‘Fracking’ disposal sites suspended, likely linked to Arkansas earthquakes. Two natural gas companies have agreed to temporarily suspend use of injection wells in central Arkansas where earthquakes keep occurring. Oklahoma City, Oklahoma-based Chesapeake Energy and Clarita Operating of Little Rock, Arkansas told the Arkansas Oil and Gas Commission March 4 they have stopped operation of the wells near Greenbrier and Guy pending the panel’s next regular meeting March 29. The commission said there is likely a link between the wells and the earthquakes. There have been more than 800 earthquakes in the area in the past 6 months, and a magnitude 4.7 quake, the strongest in Arkansas in 35 years, hit there March 6. The high-pressure wells are used to dispose of waste water from natural gas drilling. Source:

• According to the Cleveland Plain Dealer, a technician’s use of a walkie-talkie rendered the Davis-Besse nuclear plant’s entire emergency shutdown system inoperable for a time, March 3. (See item 9)

9. March 5, Cleveland Plain Dealer – (Ohio) Walkie talkie disrupts safety system at Davis-Besse nuclear plant. The Davis-Besse nuclear power plant in Oak Harbor, Ohio went “radio-inactive” March 3 — losing its emergency water cooling system for 2 minutes — due to a technician’s walkie talkie. The technician used his walkie talkie in a room containing a back-up, or auxiliary, control panel for a system designed to automatically pump water into the reactor in the event of a catastrophic accident. The radio transmission disrupted the signal from the control panel to special pumps and emergency valves that are kept electrically live even on stand-by so they can react instantly. In two bursts of conversation lasting 8 seconds and 19 seconds during a 2-minute period, the technician rendered the plant’s entire emergency shutdown system inoperable, the company told federal regulators March 3. The company posted a sign on the door to the room warning all employees not to key radios near the sensitive control panel, a company spokesman said. The incident should never have happened, said a nuclear safety engineer with the Union of Concerned Scientists. He said such incidents occurred many times in the early 1980s, so often that the Nuclear Regulatory Commission (NRC) issued a warning bulletin in December 1983. “This hasn’t happened in decades,” he said. “We will definitely be looking into this,” said a spokeswoman for the NRC’s regional office in Chicago. Source:


Banking and Finance Sector

15. March 6, WGN Radio 720 Chicago – (Illinois) Bank blaze inside Loop highrise spurs evacuation. An extra-alarm fire inside a Loop bank branch in Chicago, Illinois, injured two people March 6 and led firefighters to evacuate the building. Fire crews responded to the call of the fire at 33 N. Dearborn Street about 1:35 p.m., fire officials said. The fire appeared to have been contained to a Bank of America branch on the main floor. A bicycle unit police officer was riding past the building with her partner when she saw a “wall of fire” through the bank’s windows. Firefighters elevated the fire to a 2-11 alarm and did a floor-by-floor search, evacuating between 10 and 15 people from upper floors, the assistant deputy fire commissioner said. He said fire officials were investigating claims the building’s fire alarm never sounded. Source:

16. March 5, Boston Herald – (Massachusetts) Cops eye link in hoax bomb bank robberies. Winthrop, Massachusetts, police believe the same man who left a phony bomb at an Everett bank March 3 robbed a bank in Winthrop March 6. A man robbed the Bank of America on Bartlett Road in Winthrop at 9:20 a.m. March 6, handing the teller a note written on an envelope threatening that he had a bomb. “He showed the teller a device that was consistent with a pipe bomb,” the Winthrop police chief said. He said the man did not leave the bogus bomb at the bank. The area was searched, in case the device had been left elsewhere, and deemed safe. He said the robbery may have been committed by the same man who robbed a bank in Everett March 3. In the Everett incident, a man robbed an East Boston Savings Bank and caused a bomb scare when he left a suspicious package behind. The device turned out to be a hoax. The suspect is described as a white male between the ages of 40 and 45, wearing a white hat with an emblem, a leather jacket, and a black scarf. Source:

17. March 4, Sparta Expositor – (Tennessee) Walling man arrested on explosives charge. A Walling, Tennessee man was arrested March 4 in connection with a pipe bomb found February 14 at US Bank on Highway 111, in Sparta. The man faces a Class B felony prohibited weapons charge for allegedly making and transporting the pipe bomb, according to a detective with White County Sheriff Department (WCSD). The detective stated February 14 a female employee of a business located in the US Bank facility found a package, took it to the business, and called another detective with WCSD. Tennessee Highway Patrol’s Bomb Squad later detonated the pipe bomb. There were no injuries and no property damage. The warrant alleges the suspect “admitted to assisting in the construction of the bomb in Overton County and did transport it to White County.” Source:

18. March 3, Biloxi Sun Herald – (Mississippi; Georgia; Alabama) 81 bogus credit cards found in traffic stop. Two Georgia men have been indicted on charges alleging authorities found 81 counterfeit credit cards hidden in their vehicle and their clothes after their arrests in a traffic stop in Harrison County, Mississippi. Harrison County sheriff’s investigators arrested the two men on suspicion of fraud September 30, and Homeland Security Investigations began a probe. An indictment unsealed the week of February 28 alleged the men used one of the fake cards at a gas station in Georgiana, Alabama, before they were pulled over in Harrison County at the 33 mile-marker on Interstate 10. Public records do not show where the men were heading. Both men were charged with conspiracy and access-device fraud, a type of credit-card fraud. Their trial is set for April 4. Source:

Information Technology

48. March 7, IDG News Service – (International) After attacks, Google vows to fortify Android store. Google will build new safeguards into Android Market, its application store for the Android mobile OS, following an attack the week of February 28 that infected thousands of phones and forced the company to remotely wipe the malware from phones, it said March 6. More than 50 applications in the Android Market were found to contain a program called DroidDream, which is capable of stealing information about a mobile device and downloading other malicious applications to the phone. Google addressed the issue March 5, when it confirmed it had decided to use a command that remotely erases malicious applications. Android users who have downloaded a malicious application will get an e-mail within 3 days explaining the situation, wrote Android’s security lead. In addition to wiping the malware, Google is also pushing an update to affected users called “Android Market Security Tool March 2011”, which fixes the security issues DroidDream exploits. Some users may get a notification on their device that a malicious application has been removed, Android’s security lead wrote. About a day after the vulnerabilities have been fixed, users will receive a second e-mail. Phones running Android versions below 2.2.2 are vulnerable; the issues are fixed in the latest 2.3 version of Android, known as “Gingerbread.” Source:

49. March 7, H Security – (International) Further attacks on WordPress under investigation. Following a massive attack March 3, WordPress was hit by a second attack in the early hours of the morning March 4. There was some speculation the attacks might be connected to the current unrest in the Middle East, but investigation now appears to show these attacks originated in China, with some traffic from Korea and Japan. The Automattic status page, which displays the operating status for WordPress and other services, showed the two outages. A note on the second attack states, “Unfortunately, the DDoS attack from yesterday returned in a different form this morning and affected sitewide performance. The good news is that we were able to mitigate it quickly and performance returned to normal around 11:15 UTC. We are continuing to monitor the situation closely.” WordPress’s founder commented to TechCrunch that one of the targeted sites was a Chinese-language site that was also blocked on Baidu, leading to the initial assumption that the attack was political. Later, he said closer investigation showed it more likely to have been business related, although there has been no response from the site’s owner. Source:

50. March 7, H Open Source – (International) Mozilla patches Java applet problems in Firefox. Two days after it released the Firefox 3.6.14 and Thunderbird 3.1.8 security updates, the Mozilla project has issued new versions of its open source Web browser and e-mail client to address several critical issues found in the previous releases. According to the developers, Firefox 3.6.15 fixes a bug that prevented some Java applets from loading in version 3.6.14, while Thunderbird 3.1.9 corrects a problem that caused a crash after the update. Various other bugs affecting all platforms have also been closed in both Firefox and Thunderbird. Source:

Communications Sector

51. March 7, Radio Ink – (Florida) Fort Lauderdale business owner slapped with $20,000 pirate fine. A man received a $20,000 Federal Communications Commission (FCC) fine for operating an unlicensed radio transmitter at his commercial property in Fort Lauderdale, Florida. In response to complaints about an unlicensed station on 99.5 MHz, agents from the enforcement bureau’s Miami office used direction-finding techniques to locate the source of radio frequency transmissions on the frequency March 16 and August 24, 2010. They wound up at a commercial property owned by the man. FCC agents determined the signals from the man’s building exceeded the limits for unlicensed operation and therefore required a license. A review of FCC records showed no authorization had been issued to him, or to anyone, for operation of an FM broadcast station on this frequency at or near this address. Agents again used direction-finding techniques August 31, 2010, and traced the source of radio frequency transmissions on 99.5 MHz to his commercial property in Fort Lauderdale. Again agents determined the signals exceeded the limits for unlicensed operation and therefore required a license. Despite having acknowledged receipt of both notices of unlicensed operation, the man continued to operate an unlicensed radio station on 99.5 MHz from his property. Source:

For another story see item 48 above in the Information Technology Sector