Friday, April 15, 2011

Complete DHS Daily Report for April 15, 2011

Daily Report

Top Stories

• ABC news reports the FBI and the Justice Department said April 13 they disabled a “botnet” of more than 2 million computers infected with malicious code that Eastern European cyber criminals may have used to drain millions of dollars from bank accounts around the world. See item 20 below in the Banking and Finance Sector

• According to Homeland Security Newswire, the first in-depth study of security personnel at European airports found they do not report threats more than 40 percent of the time. (See item 21)

21. April 14, Homeland Security Newswire – (International) Airports personnel don’t report suspicions, mistrust technology. The first in-depth study of European airports, conducted by the EU-funded Behavioral Modeling for Security in Airports (BEMOSA) Consortium, found airport personnel do not rely primarily on procedures or rules in emergency cases. The report contains the first results of an extensive study aimed at obtaining data on how emergencies and security threats are actually handled in airports. The results will be presented at a special workshop on applying human factors to airport security. The workshop will be hosted by BEMOSA in Belgium May 25. BEMOSA’s experts concluded there appeared to be a definite need to improve security decision-making procedures. The need arises out of the observed problems of recognizing a threat and acting upon it. The report said there appears to be a gap between procedures and actual behavior when a threat is recognized — and especially when it is acted upon. Some of the key findings of the report stated the following: only 53.1 percent of airport employees and 63 percent of security workers said they put complete trust in security technologies; only 23.6 percent of airport employees and 58 percent of security workers said they alerted others when they saw something suspicious; and 54.3 percent of the workers and 40 percent of security personnel never raised the alarm or called a security code. The study aims to describe real behavior patterns in order to develop airport staff training programs for improving crisis handling and hazard reduction. Source:


Banking and Finance Sector

16. April 13, Boston Herald – (Massachusetts; National) Framingham man pleads guilty to multimillion-dollar Ponzi scheme. A Framingham, Massachusetts man was convicted April 13 in federal court of mail fraud in connection with a large-scale investment fraud scheme with more than 100 victims and losses of at least $15 million. The 77-year-old man pleaded guilty before a U.S. District Judge to 18 counts of mail fraud. The man had claimed to be a broker working on behalf of a Japanese clothing manufacturer selling uniforms to state government entities, according to prosecutors, and told his victims that he needed their money to finance the manufacture of those contracted-for uniforms. To induce people to invest, the man offered them returns ranging from 9 percent to 15 percent, which was supposed to be paid from the proceeds of the uniform sales. When victims asked to see documents relating to the uniform business, the man showed them what appeared to be purchase orders from state entities for uniforms, which were fabricated documents. By the time the scheme fell apart in 2009, he had outstanding promissory notes to his victims totaling nearly $30 million. The scheme started to unravel in late 2008, when some of his investors started seeking more information and documents from him about the uniform business. The man put them off temporarily, but then he started defaulting on some scheduled payments. He then tried to delay by claiming he was in the process of selling the business and would pay everyone off with the proceeds. Instead, in mid-December 2009, he fled to Las Vegas, Nevada. He was eventually tracked down and arrested at a casino in Mississippi. Sentencing is scheduled for July 21, when the man faces up to 20 years in prison, to be followed by 3 years of supervised release and a $250,000 fine. Source:

17. April 13, Bloomberg – (International) Federal Reserve computer hacker suspect pleads guilty to account fraud. A Malaysian man charged with hacking the Federal Reserve’s computers and conducting a credit card scheme pleaded guilty April 13 to illegally possessing card account numbers with intent to defraud. The 32-year-old man entered his plea April 13 before a U.S. district judge in Brooklyn, New York. The man originally pleaded not guilty November 22. The computer network of the Federal Reserve Bank of Cleveland was hacked in June 2010, resulting in thousands of dollars of damage from the effects on 10 or more computers, according to court papers filed November 18, the day the man was charged in a four-count indictment. No Federal Reserve data or information was accessed or compromised, a spokeswoman for the central bank said in November. The credit card numbers the man sold did not come from the Federal Reserve, his lawyer said in court. When he was arrested October 21 shortly after arriving in the U.S., the man possessed more than 400,000 stolen credit and debit card numbers, according to prosecutors in the office of the U.S. attorney in Brooklyn. He was able to gain access to data of several federal credit unions, according to prosecutors. Source:

18. April 13, Bloomberg – (National) FrontPoint portfolio manager charged with securities fraud. A FrontPoint Partners portfolio manager was charged April 13 with conspiracy and securities fraud as part of a U.S. crackdown on so-called expert networks. The man surrendered April 13 to FBI agents at their New York office, said an FBI spokesman. He also was charged with insider trading by the Securities Exchange Commission (SEC), according to a news release from the commission. Information the man obtained from an insider about hepatitis C drug trials enabled him to avoid more than $30 million in losses in the six now-closed FrontPoint Healthcare Funds he once managed, prosecutors said. He was named in a three-count felony complaint unsealed April 13 in U.S. District Court in New York, charged with conspiracy to commit securities fraud, and conspiracy to obstruct justice. The insider who passed data on to the man pleaded guilty April 11 before a U.S. district court judge in New York to conspiracy, securities fraud, conspiracy to obstruct justice and making false statements to the FBI, said a spokeswoman for the U.S. attorney’s office. As part of an amended complaint filed by the SEC April 13 in U.S. District Court in New York, FrontPoint agreed to pay more than $33 million in disgorgement and interest, without admitting or denying wrongdoing, the SEC said in its news release. Source:

19. April 13, Associated Press – (Wisconsin) Wis. man accused of robbing bank with a bomb threat pleads guilty to federal charges. A man pleaded guilty April 13 in federal court to robbing a Fitchburg bank in Wisconsin. Federal prosecutors said the 56-year-old man of Pewaukee walked into the Park Bank in January 2011 and presented a note that demanded money and said he had planted bombs around the bank’s lobby and entrances. He made off with about $5,625. Police did not find any bombs, but they did locate the suspect driving on Interstate 94. A high-speed chase ensued that ended when the suspect ran over spike strips. The U.S. attorney said as part of the plea deal, the man acknowledged he robbed three other banks around eastern Wisconsin near the end of 2010 using similar bomb threats. The man is set to be sentenced June 21. Source:

20. April 13, ABC News – (International) Feds take ‘Coreflood Botnet’: ‘Zombie’ army may have infected 2 Million computers, stolen hundreds of millions of dollars. The FBI and the U.S. Justice Department (DOJ) said April 13 they have disabled a “botnet” of more than 2 million computers infected with malicious code that Eastern European cyber criminals may have used to drain millions of dollars from bank accounts around the world. U.S. authorities continue to combat the network of remotely controlled computers called the “Coreflood” botnet, which has secretly recorded computer users’ keystrokes to compromise vast amounts of banking and financial data. Coreflood is believed to have been operating since 2002 and has resulted in an unknown number of U.S. bank accounts being broken into with losses that could be in the hundreds of millions of dollars, according to FBI officials. DOJ and the FBI filed a civil complaint against 13 “John Doe” defendants, charging them with wire fraud, bank fraud, and illegal interception of electronic communications. The FBI and DOJ also have executed search warrants to seize Internet domain names believed tied to the control servers for the Coreflood program. Investigators received a temporary restraining order allowing them to seize control of the infected servers to try to further dismantle and disable the botnet. Source:

Information Technology

47. April 14, IDG News Service – (International) Hackers gain root access to WordPress servers. Hackers have compromised several servers that support WordPress and may have obtained source code, according to the founding developer of Automattic, the company behind the popular blogging platform. He wrote on the WordPress blog that Automattic has been reviewing log records to determine how much information was exposed and re-evaluating “avenues to gain access.” “We presume our source code was exposed and copied,” he wrote. “While much of our code is open source, there are sensitive bits of our and our partners’ code. Beyond that, however, it appears information disclosed was limited.” He wrote the company had no specific advice for WordPress users besides using strong passwords, and not using the same password for multiple sites. In the comment section of the blog post, a user asked if WordPress stores passwords in plain text or stores hashes of passwords. The founding developer wrote WordPress uses the Portable PHP password hashing framework. Source:

48. April 14, Softpedia – (International) ZeuS bot herder taunts security researchers through fake digital certificate. A recently identified ZeuS trojan sample is digitally signed with a fake certificate whose purpose is to make the piece of malware harder to detect. According to security experts from Avira who discovered the sample, the digital certificate is signed by an entity called “DetectMe :)” and dates from the end of February. Although the ability to digitally sign code has been around since Windows NT, the practice has only seen wider adoption starting with Vista, where the difference between signed and unsigned executables is clearly noticeable in User Access Control alerts. Digitally signed malware, meaning malicious programs that actually use a valid certificate signed by a trusted CA, is rare because the benefits of doing it are hardly worth the trouble. Nevertheless, some malware authors occasionally sign their creations with forged certificates in an attempt to trick less sophisticated file scanners or the users themselves. ZeuS bot runners in particular seem to be more inclined to do this than others. Source:

49. April 13, Softpedia – (International) VLC 1.1.9 fixes critical security flaws. The VideoLAN Organization has released version 1.1.9 of VLC media player to address two critical vulnerabilities that could be exploited by potential attackers to execute arbitrary code remotely. One of the flaws fixed in VLC 1.1.9 was disclosed April 9 and is located in the MP4 demultiplexer, the plug-in responsible for parsing MP4 (MPEG-4 Part 14) files. The vulnerability stems from an error in the “MP4_ReadBox_skcr()” function and can result in a heap-based buffer overflow. The bug is rated as highly critical by Secunia and can be exploited over the Web, due to the VLC ActiveX control and Firefox plug-in. The second vulnerability addressed in the new version of the popular open source media player is actually located in the libmodplug third-party library. Libmodplug is used to render music module files in multiple formats including .669, .amf, .ams, .dbm, .dmf, .dsm, .far, .it, .j2b, .mdl, .med, .mod, .mt2, .mtm, .okt, .psm, .ptm, .s3m, .stm, .ult, .umx, and .xm. The arbitrary code execution vulnerability in the plug-in can be exploited by tricking users into opening specially crafted S3M files. This flaw can be exploited over the Web and network shares. The vulnerability was resolved by updating the libmodplug plug-in included in VLC to version, which was released at the beginning of April. Source:
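The MP4 flaw above is the classic demuxer failure: a box size read from the file is trusted before it is checked against the bytes actually present, and a later allocation or copy uses that size, overrunning the heap. The following added example is not VLC code and does not reproduce the faulty function; it is a small ISO-BMFF box walker written for this page that shows the checks a hardened parser applies before any size field is used. The sample byte arrays are constructed for the example, and the function names are assumptions of the example, not VLC APIs.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input (not from any real file): an 'ftyp' box with a
 * 16-byte payload followed by an empty 'free' box. */
const uint8_t MP4_GOOD[] = {
    0x00, 0x00, 0x00, 0x18, 'f', 't', 'y', 'p',
    'i', 's', 'o', 'm', 0x00, 0x00, 0x00, 0x00,
    'i', 's', 'o', 'm', 'm', 'p', '4', '1',
    0x00, 0x00, 0x00, 0x08, 'f', 'r', 'e', 'e'
};
/* Constructed: a size field far larger than the data that follows it. */
const uint8_t MP4_BAD_SIZE[] = {
    0x7f, 0xff, 0xff, 0xff, 'm', 'd', 'a', 't', 0x00, 0x00, 0x00, 0x00
};
/* Constructed: size==1 selects the 64-bit largesize form, and the largesize
 * given is smaller than its own 16-byte header. */
const uint8_t MP4_BAD_LARGE[] = {
    0x00, 0x00, 0x00, 0x01, 'm', 'd', 'a', 't',
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04
};

typedef struct {
    int boxes;      /* well-formed top-level boxes seen */
    int rejected;   /* 1 if a header failed validation */
    size_t offset;  /* where the walk stopped */
} mp4_walk_result;

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static uint64_t be64(const uint8_t *p) {
    return ((uint64_t)be32(p) << 32) | be32(p + 4);
}

/* Validate the box header at 'off' against the bytes that actually remain.
 * On success stores the full box size and header length and returns 0;
 * any size that is impossible or overruns the buffer returns -1. */
static int mp4_box_header(const uint8_t *buf, size_t len, size_t off,
                          size_t *size, size_t *header) {
    size_t remaining = len - off;
    if (remaining < 8) return -1;            /* truncated fixed header */
    uint64_t s = be32(buf + off);
    size_t h = 8;
    if (s == 1) {                            /* 64-bit largesize form */
        if (remaining < 16) return -1;
        s = be64(buf + off + 8);
        h = 16;
    } else if (s == 0) {                     /* box extends to end of data */
        s = remaining;
    }
    if (s < h || s > remaining) return -1;   /* hostile or truncated size */
    *size = (size_t)s;
    *header = h;
    return 0;
}

/* Walk the top-level boxes, stopping at the first header that fails validation. */
mp4_walk_result mp4_walk_boxes(const uint8_t *buf, size_t len) {
    mp4_walk_result r = {0, 0, 0};
    size_t off = 0, size, header;
    while (off < len) {
        if (mp4_box_header(buf, len, off, &size, &header) != 0) { r.rejected = 1; break; }
        r.boxes++;
        off += size;
    }
    r.offset = off;
    return r;
}

/* Copy the payload of the first top-level box of the given type into 'out'.
 * Returns bytes copied, or -1 if the box is missing, malformed, or larger than
 * the destination. The copy length is the validated size, checked again against
 * outlen; using an unchecked size here is the shape of the heap overflow. */
long mp4_copy_payload(const uint8_t *buf, size_t len, const char type[4],
                      uint8_t *out, size_t outlen) {
    size_t off = 0, size, header;
    while (off < len) {
        if (mp4_box_header(buf, len, off, &size, &header) != 0) return -1;
        if (memcmp(buf + off + 4, type, 4) == 0) {
            size_t payload = size - header;
            if (payload > outlen) return -1;
            memcpy(out, buf + off + header, payload);
            return (long)payload;
        }
        off += size;
    }
    return -1;
}

int main(void) {
    mp4_walk_result r = mp4_walk_boxes(MP4_GOOD, sizeof MP4_GOOD);
    printf("good: %d boxes, rejected=%d\n", r.boxes, r.rejected);
    r = mp4_walk_boxes(MP4_BAD_SIZE, sizeof MP4_BAD_SIZE);
    printf("bad size: %d boxes, rejected=%d\n", r.boxes, r.rejected);
    r = mp4_walk_boxes(MP4_BAD_LARGE, sizeof MP4_BAD_LARGE);
    printf("bad largesize: %d boxes, rejected=%d\n", r.boxes, r.rejected);
    return 0;
}
```

The two checks that matter are `s < h` (a size smaller than its own header would make the payload length wrap) and `s > remaining` (a size beyond the buffer would make any read or copy run off the end); both are applied before the size is ever used, and the copy routine re-checks the payload against the destination, since the validated size only proves the data exists in the input, not that it fits where it is going.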

50. April 13, Help Net Security – (International) ‘Request rejected’ spam campaign leads to fake AV. A spam e-mail campaign carrying a malicious attachment designed to download and run a fake AV solution on the recipient’s computer is hitting inboxes around the world. The subject of the e-mail is “Request rejected.” The message does not contain any clue as to what the rejected request might be, and since the purported sender and its e-mail address do not offer any additional information, many users might be tricked into downloading the attached zip file to find out more information. According to CA researchers, the zipped attachment contains a file by the name of EX-38463(dot)pdf(dot)exe, which is a downloader trojan that connects the computer to hdjfskh(dot)net, from where it downloads and executes a fake AV variant. The fake AV has the ability to change its name based on which version of Windows OS the computer runs: XP, Vista, or Win7. It also has a variety of fake alert windows that it uses to great effect to scare the victims into believing their computer is affected by malware. Source:
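The lure in the campaign above relies on a double extension: a file named like a PDF that is actually an executable. The following added example is not from the report or from CA; it is a small mail-gateway style check written for this page that flags a filename whose final extension is executable and whose preceding extension looks like a document, and a helper that expands the "(dot)" defanging the report uses so its indicator can be fed in as written. The extension sets are assumptions of the example, chosen for illustration, not a published list.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed extension sets for the example; a real gateway would use its own policy. */
static const char *EXEC_EXTS[] = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", NULL};
static const char *DOC_EXTS[]  = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", NULL};

/* Case-insensitive membership test for an extension of length n (no NUL needed). */
static int ext_in(const char *ext, size_t n, const char *const *set) {
    for (; *set; set++) {
        if (strlen(*set) != n) continue;
        size_t i;
        for (i = 0; i < n && tolower((unsigned char)ext[i]) == (*set)[i]; i++)
            ;
        if (i == n) return 1;
    }
    return 0;
}

/* Returns 1 when the name ends in an executable extension that is preceded by a
 * document-style extension (e.g. report.pdf.exe), 0 otherwise. A plain
 * executable name such as setup.exe is not "disguised" and is left to other rules. */
int is_disguised_executable(const char *name) {
    const char *last = strrchr(name, '.');
    if (!last || last == name) return 0;
    if (!ext_in(last + 1, strlen(last + 1), EXEC_EXTS)) return 0;
    const char *p = last - 1;                 /* scan back for the previous '.' */
    while (p > name && *p != '.') p--;
    if (*p != '.' || p == name) return 0;     /* no earlier extension to hide behind */
    return ext_in(p + 1, (size_t)(last - p - 1), DOC_EXTS);
}

/* Expand the "(dot)" defanging used in threat reports back to '.'; returns out. */
char *refang_dots(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    while (*in && o + 1 < outlen) {
        if (strncmp(in, "(dot)", 5) == 0) { out[o++] = '.'; in += 5; }
        else out[o++] = *in++;
    }
    out[o] = '\0';
    return out;
}

int main(void) {
    /* The attachment name as the report prints it, plus constructed comparison names. */
    const char *samples[] = {"EX-38463(dot)pdf(dot)exe", "quarterly(dot)pdf", "setup.exe", "scan.JPG.SCR"};
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        refang_dots(samples[i], buf, sizeof buf);
        printf("%-24s -> %s\n", buf, is_disguised_executable(buf) ? "disguised executable" : "ok");
    }
    return 0;
}
```

The check deliberately looks only at the last two extensions: the executable extension decides what the OS will do with the file, and the document extension before it is the social-engineering component, which is exactly the combination an attachment filter wants to stop regardless of letter case.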

51. April 13, IDG News Service – (International) Conflicts, disasters could hurt PC shipments in Q2. The natural disasters in Japan and political tension in the Middle East could hurt PC shipments during the second quarter of 2011, an IDC analyst said April 13. Japan is a major manufacturer of components such as batteries, and any disruption in the supply chain could impact the price of and demand for PCs, IDC’s research director said. The earthquake and tsunami that hit Japan March 11 caused extensive damage to buildings and factories. Ensuing blackouts and closure of transportation links hurt Japan’s supply chain. Also, rising oil prices, driven by the recent conflicts in the Middle East and Libya, could increase the cost of making and supplying computers and components, the IDC analyst said. Such events could trigger a rise in PC prices. PC shipments worldwide are already on shaky ground. PC shipments totaled 80.56 million during the first quarter of 2011, declining by 3.2 percent compared to the first quarter of 2010, IDC said in a report released April 13. Source:

For another story see item 20 above in the Banking and Finance Sector

Communications Sector

52. April 13, WLFI 18 Lafayette – (Indiana) Accident at WXXB radio tower kills two. Two workers are dead after an accident near Buck Creek, Indiana April 13, according to the Tippecanoe County Deputy Coroner. A crew of five workers was installing a radio tower when the accident happened. According to a police press release, two workers were working at a height of 340 feet when they fell, along with a piece of equipment being used to add another segment to the tower. Both workers were fatally injured in the fall, according to the Tippecanoe County Sheriff’s Office. Sheriff’s deputies, Buck Creek Fire and Rescue, and TEAS Paramedics responded to the scene just before 9 a.m. The Occupational Safety & Health Administration was on the scene of the accident. The tower is still unstable, and a road near the tower was closed. Source:

53. April 13, Hannibal Courier-Post – (Missouri) Sliced cable cuts Internet, phone service to many. For approximately 7 hours April 9, many people in Northeast Missouri were without Internet access. The loss of Internet service, and for some phone and video service, was the result of an accidental cut of a fiber-optic line in Renick. According to a general manager with U.S. Cable for the state of Missouri, an unidentified power company accidentally cut the cable. “That fiber line is actually a backbone to not only us as an Internet provider, but other Internet providers in this area of Missouri also use that same fiber backbone,” he said, noting other companies were also impacted to a degree. Source: