Wednesday, March 23, 2011

Complete DHS Daily Report for March 23, 2011

Daily Report

Top Stories

• reports DHS has relayed mitigation procedures to federal agencies that have installed RSA’s SecurID computer and network log-in tool because it has been compromised. (See item 39)

39. March 21, – (National) RSA security breach compromised federal network ID tool. A product many federal employees use to log on to computers and networks should be regarded as compromised due to the infiltration of key information about the application during a cyberattack against manufacturer RSA, some security experts said. DHS has relayed mitigation procedures to federal agencies that have installed RSA’s SecurID tools, the department announced March 18. A DHS official March 21 said the government is not recommending that agencies replace their SecurID products. The department is helping RSA and clients who control critical infrastructure deal with the threat to the devices, which are a single point of failure in the computer security ecosystem, according to some industry observers. Agencies “should consider [the ID tools] breached,” said a former World Bank computer specialist and now an executive at Core Security Technologies, a firm that lawfully penetrates its clients’ systems to identify network weaknesses. SecurID, which verifies the identities of authorized users, consists of a token — a portable physical object such as a smart card or USB drive that controls access to a system. The device displays a continuously changing code that the user enters, in conjunction with a personal identification number, or PIN, to log into a network through a process known as two-factor authentication. Source:

• According to Homeland Security Today, U.S. Customs and Border Protection agents caught 11 undocumented aliens who entered the U.S. from Mexico traveling in a stolen U.S. government vehicle, and wearing U.S. Marine Corps battle fatigues. (See item 44)

44. March 22, Homeland Security Today – (National) Illegals wearing USMC uniforms caught in allegedly stolen gov’t van. About a week before the authors of a Center for a New American Security report warned the most dangerous threat to the United States and its allies in the Western Hemisphere is the growth of powerful transnational criminal organizations (TCOs), the U.S. Marine Corps Operations Center received a disturbing OPREP-3 report from the Marine Corps Air Station at Yuma, Arizona. It was a situation report that counter-cartel authorities told Homeland Security Today could represent a troublesome new development in the smuggling of illegals into the United States. It alerted that on March 11, 11 undocumented aliens who had managed to enter the U.S. from Mexico had been caught wearing U.S. Marine Corps Marine Pattern (MARPAT) desert digital Battle Dress Uniforms (BDUs). When they were stopped by alert Customs and Border Protection (CBP) agents near Campo, California, the 11 illegals and the 3 U.S. citizens (who were wearing Marine woodland digital BDUs) traveling with them were driving an allegedly stolen official government vehicle with altered U.S. Government license plates. The three U.S. citizens apprehended with the illegals were processed on “alien smuggling charges,” an official said. In Mexico, it is not uncommon for legitimate law enforcement to encounter members of TCOs either wearing or having in their possession Mexican military and law enforcement uniforms and other official gear and equipment, including military munitions. Source:


Banking and Finance Sector

15. March 22, Boston Globe – (Massachusetts) Alleged ATM theft ringleaders arrested. The suspected ringleaders of a network that allegedly burglarized ATMs in 6 Massachusetts counties, stealing more than $340,000 in cash, were arrested and arraigned March 21. Authorities said suspects used stolen sport utility vehicles, blowtorches, and lookouts, and snapped wires to surveillance and alarm systems as part of their scheme targeting cash machines in Dracut, Framingham, and other communities in 2007 and 2008. The ring also stole items from businesses and apparently made plans to expand their criminal activities into other cities and towns. Indictments were issued last week against 16 people, and March 21 authorities arrested 4 of them. They face charges ranging from breaking and entering to larceny. The FBI worked in conjunction with state police and local law enforcement officials on an investigation that began in April 2007. A major break came when a confidential source divulged information about the ring’s activities, officials said. Court records detail the incidents, suggesting the burglaries were well planned, well timed, and involved familiarity with the locations. Source:

16. March 21, Agence France-Presse – (Texas) U.S. man arrested in hacker stock fraud scheme. U.S. authorities arrested and charged a Texas man March 21, accused of masterminding a scheme using a Russian hacker and an e-mail spam campaign to pump up the value of fledgling companies, the Justice Department (DOJ) said. The suspect was arrested by FBI agents on a federal indictment charging him with one count of conspiracy to commit securities fraud and transmit commercial e-mail messages with fraudulent information. The scheme employed hackers, including at least one in Russia, to distribute computer viruses to infect computers around the world and create “botnet” computers that were used to manipulate stocks, a DOJ statement said. “In addition to relying on unsuspecting investors to buy into the spam promotions, the hackers also hacked into the brokerage accounts of third parties, liquidated the stocks in those accounts, and then used those accounts to purchase shares of the manipulated stocks,” the statement said. “This created trading activity in the manipulated stocks and increased the volume of shares being traded, further creating an impression that the manipulated stocks were worth purchasing.” The scheme began as early as November 2007 and continued through February 2009, and allowed the perpetrators to gain control of so-called “penny stocks” which were not traded on major exchanges. In some cases, the conspirators would trade the stock among themselves to give the impression of trading volume to increase market interest. The conspiracy count with which the man was charged carries a maximum potential penalty of 5 years in prison and a $250,000 fine. Source:

17. March 21, Denver Post – (Colorado) FBI seeks man in five Denver-area bank robberies. The FBI is looking for the “Blessings Bandit”, who is suspected in five bank robberies in the Denver, Colorado area, including a Lakewood bank March 19, and a Centennial bank March 21. The TCF Bank branch at 7595 West Colfax Avenue in Lakewood was robbed at about 9 a.m., and the Chase Bank branch at 7490 South University Boulevard in Centennial was robbed just before 11 a.m. In each of the robberies, his note demanding cash and threatening violence ended with “God bless,” authorities said. He is described as white, 20 to 35 years old, about 6 feet tall with a slender build. Source:

18. March 21, Federal Bureau of Investigation – (National) Former bank president and senior loan officer indicted in multi-million-dollar fraud conspiracy. An indictment unsealed March 21 charges two former top officers of FirstCity Bank of Stockbridge, Georgia with a variety of offenses, including conspiracy to commit bank fraud and bank fraud in connection with misconduct at FirstCity Bank in the years before the bank’s seizure by state and federal authorities on March 20, 2009. In addition to the conspiracy and bank fraud charges, the indictment charges the officers with conducting a continuing financial crimes enterprise at the bank between February 2006 and February 2008, during which the conspirators’ crimes allegedly generated over $5 million in unlawful gross proceeds. The indictment charges the conspirators misrepresented the essential nature, terms, and underlying purpose of the loans and falsified documents and information presented to the loan committee and the board of directors. The conspirators then allegedly caused at least 10 other federally insured banks to invest in, or “participate in,” the fraudulent loans based on these and other fraudulent misrepresentations, shifting all or part of the risk of default to the other banks. In the process of defrauding FirstCity Bank and the “participating” banks, the conspirators allegedly routinely misled federal and state bank regulators and examiners to conceal their unlawful scheme. Source:

19. March 21, WIS 10 Columbia – (South Carolina) RCSD: Suspect tried to open ATM with explosives. Richland County deputies are asking for help identifying someone who tried to break into an ATM on Farrow Road in Columbia, South Carolina. The county sheriff said the attempt happened at the Carolina First Bank around 2:50 a.m. March 16. Deputies responding to an alarm noticed that someone had used an explosive device and/or a cutting torch on the ATM, but failed to gain entry into the safe. The sheriff said surveillance cameras at the bank captured images of the suspect. Source:

For another story, see item 52 below in the Communications Sector

Information Technology

46. March 22, Computerworld – (International) Apple patches unused Pwn2Own bug, 55 others in Mac OS. Apple March 21 patched 56 vulnerabilities, most of them critical flaws that could be used to hijack machines, as part of 2011’s first broad update of Mac OS X. Of the 56 bugs patched in the update for Snow Leopard, 45 were accompanied by the phrase “arbitrary code execution,” Apple’s term for rating the flaws as “critical.” According to Apple’s advisory, more than a dozen of the bugs can be exploited by “drive-by” attacks that execute as soon as a victim browses to a malicious Web site with an unpatched edition of Mac OS X. Several in that class resided in Apple Type Services (ATS), the operating system’s font renderer, and could be exploited using malicious documents embedded with specially-crafted fonts. Of those four vulnerabilities, two were reported by researchers from Google. Other drive-by attacks could be launched using malformed files exploiting six vulnerabilities in Mac OS X’s ImageIO component, another five in QuickTime and two in QuickLook, the operating system’s document preview tool. Source:

47. March 22, Help Net Security – (International) breach compromises customer names and email addresses., one of the largest online retailers of CDs, DVDs, books, and gadgets, has notified its customers of a breach that possibly resulted in their names and e-mail addresses being compromised. According to the e-mail the company sent out, the breach happened to the company that handles part of its marketing communications. also made sure to point out no other personal customer information has been compromised. “Please do be vigilant with your email and personal information when using the internet. At we will never ask you for information such as passwords, bank account details or credit card numbers. If you receive anything suspicious in your email, please do not click on any links and forward the email on to for us to investigate,” the company advised its customers in an effort to prevent phishing attacks. Sophos advised customers to change their account password and watch their credit card transactions. Source:

48. March 22, The Register – (International) Dozens of exploits released for popular SCADA programs. The security of software used to control hardware at nuclear plants, gas refineries, and other industrial settings is coming under renewed scrutiny as researchers released attack code exploiting dozens of serious vulnerabilities in widely used programs. The flaws, which reside in programs sold by Siemens, Iconics, 7-Technologies, Datac, and Control Microsystems, in many cases make it possible for attackers to remotely execute code when the so-called supervisory control and data acquisition (SCADA) software is installed on machines connected to the Internet. Attack code was released by researchers from two separate security camps over the past week, The Register reported March 22. The vulnerability release includes proof-of-concept code for at least 34 vulnerabilities in widely used SCADA programs sold by 4 different vendors. A researcher from the first group said the majority of the bugs allow code execution, while others allow attackers to access sensitive data stored in configuration files, and one makes it possible to disrupt equipment that uses the software. And a Moscow-based security firm called Gleg announced the availability of Agora SCADA+, which attempts to collect virtually all known SCADA vulnerabilities into a single exploit pack. The 22 modules include exploits for 11 zero-day vulnerabilities, a researcher said. SCADA software often runs on extremely old systems that are difficult to replace without causing disruptions to critical equipment. As a result, installing patches and upgrades is frequently avoided despite any security benefits. Source:

49. March 21, Computerworld – (International) Japan disaster rocks computer chip supplies. The disaster in Japan is putting a pinch on 25 percent of the worldwide production of silicon wafers used to make computer chips, according to a report released March 21. Two Japanese factories — Shin-Etsu Chemical’s Shirakawa facility and MEMC Electronic Materials’ Utsunomiya plant — have halted operations. Those two facilities alone make up a quarter of the global supply of silicon wafers used to make semiconductors, according to IHS iSuppli, a research company. Both companies supply wafers to semiconductor companies around the globe. “Because of this, the suspension of operations at these plants could have wide-ranging implications beyond the Japanese electronics industry,” iSuppli noted in its report. Researchers also noted Shin-Etsu’s Shirakawa plant is responsible for 20 percent of the worldwide silicon semiconductor wafer supply. There reportedly has been significant damage to the plant’s production facilities and equipment. According to iSuppli, Shin-Etsu is trying to shift production to other facilities, but it is not clear how long that will take. Source:

50. March 21, Computerworld – (International) Adobe patches Flash zero-day bug in Reader. Adobe patched a critical vulnerability in Adobe Reader March 21. The company promised to ship a fix for Flash Player later the same day. The patches follow an announcement by Adobe March 14 that attackers were exploiting an unpatched, or “zero-day,” vulnerability in Flash Player using malicious Microsoft Excel documents attached to e-mail messages. Reader and Acrobat were also vulnerable because the same Flash flaw existed in the “authplay.dll” component of those two programs. Authplay is the interpreter included in Reader and Acrobat that renders Flash content inside PDF files. Adobe rolled out a patch for Reader and Acrobat around 3 p.m. March 21, but said the same fix for Flash would not appear until later in the afternoon. Previously, Adobe said that while it had seen attacks exploiting the vulnerability via malformed Flash files embedded in Excel spreadsheets, it had not spotted any that targeted users with malicious PDF documents. Source:

51. March 21, Softpedia – (International) wiki server hacked. The server housing the developer wiki has been hacked by unidentified attackers who stole account credentials, thus sparking fears of rogue code commits. The team announced the compromise March 19 and noted no other servers associated with the project’s infrastructure were affected. Based on the results of a preliminary investigation, the point of entry was a vulnerability in the DokuWiki software used on the platform. The attackers then managed to obtain root privileges on the device by exploiting a local Linux privilege escalation vulnerability. The biggest concern following the incident was that stolen developer credentials might have been used to alter the official php source code. Because of this, a code audit which reviewed all commits since version 5.3.5 has been performed. No tampering was detected. As a precaution, the team completely wiped the compromised wiki server and will force a password change for all repository accounts. Source:

For more stories, see items 16 above in Banking and Finance, 39 above in Top Stories, and 52 below

Communications Sector

52. March 22, The Register – (International) Sensitive data easily swiped from eBayed mobiles. Second-hand mobile phones sold on by their owners often contain extensive personal and sensitive data that leave sellers open to identity theft and other privacy risks. Pre-owned mobile phones and SIM cards purchased on eBay or from shops were checked using readily available equipment to see what personal information was left on the handsets. Around half the handsets and chips examined by an ethical hacker still held sensitive information. The hacker was able to recover information using a mobile phone SIM Reader, SIM recovery software, and forensic examination software. A total of 247 pieces of data were recovered from 19 of the 35 mobile phones and 27 of the 50 SIM cards. Data left on these handsets and communication devices included many photos, bank details, log-in details for social networking sites, and PIN numbers as well as private texts and e-mails. In a separate poll, most sellers (80 percent) claimed they had wiped their mobiles before selling them, with 6 in 10 stating they were confident that no personal data was left on devices subsequently offered up for sale. Source:

53. March 21, WSAZ 3 Huntington/Charleston – (West Virginia) Phone service restored for Mingo county residents. Officials with the Williamson County, West Virginia fire and police department said all phone service has been restored to Fibernet customers in Mingo County who lost all their landline phone services, causing problems for the Williamson fire and police departments and the local 911 center March 18. A Williamson fire chief told WSAZ the service was restored around 6 p.m., about 90 minutes after service was lost. There is still no word on what caused the outage. Source: