Monday, May 9, 2011

Complete DHS Daily Report for May 9, 2011

Daily Report

Top Stories

• According to the Military Times, the U.S. Air Force has grounded all of its F-22 Raptors until further notice because of potentially life-threatening malfunctions in the oxygen-generation system. (See item 9)

9. May 5, Military Times – (National) Air Force grounds entire F-22 fleet. The U.S. Air Force has grounded all of its F-22 Raptors until further notice because of potential malfunctions in the fighter jets’ oxygen-generation system. The commander of Air Combat Command (ACC) ordered a stand-down of the 165-plane fleet May 3, an ACC spokeswoman said. She did not immediately know how long the Raptors will be out of service. The On-Board Oxygen Generating System (OBOGS) has been under investigation since an F-22 crashed in November just outside Elmendorf Air Force Base in Alaska. Until the stand-down, Raptor sorties had been restricted to an altitude of 25,000 feet or below for training missions because of the potential malfunctions. The limits were “designed for mishap prevention and is a prudent measure to ensure the OBOGS are operating safely,” an ACC spokesman said in March, when the command first publicly disclosed the investigation. An OBOGS malfunction can be potentially life-threatening, according to a subject matter expert. Source: http://www.militarytimes.com/news/2011/05/airforce-grounds-entire-f22-fleet-050511w/

• CNET News reports a group of hackers said it is planning another wave of cyberattacks against Sony in retaliation for its handling of the PlayStation Network breach that saw 100 million user accounts compromised. (See item 37 below in the Information Technology Sector)

Details

Banking and Finance Sector

10. May 6, WSVN 7 Miami – (Florida) Police search for 2 armored car robbers. Police in Miami, Florida, were searching May 6 for two men in a white Nissan Altima who robbed an armored truck guard May 5. According to Miami-Dade Police, the robbery happened inside a Pollo Tropical at around 3:30 p.m. The Garda armored truck pulled into the parking lot to collect money from the restaurant. Two men then came out of the white Nissan Altima and ambushed the armored truck guards while they were inside the restaurant. The suspects reportedly wrestled a gun away from a guard, and one of the suspects fired a shot inside before they fled with a bag of money in the Nissan. Once outside, a bystander pulled his own gun and shot at the fleeing robbers. The robbers fled along 67th Avenue, where they dumped the gun and an empty bag that had held money from the truck. Police said they found the items about a block away from the scene, in front of a fire station. Police cordoned off the evidence for FBI investigators. The two robbers remain at large. Source: http://www.wsvn.com/news/articles/local/21004232237046/

11. May 5, Reuters – (National) US narrows case vs accused Ponzi schemer Stanford. Federal prosecutors have narrowed their criminal case against a Texas financier accused of running a $7 billion Ponzi scheme. The government filed an amended, 14-count indictment in U.S. district court in Houston, Texas, May 4 that drops five mail fraud counts and two wire fraud counts. It also dropped part of a conspiracy count. The man could still face as much as 20 years in prison if convicted on any of the 10 fraud counts in the revised indictment. No trial date has been set. Prosecutors have accused the man of defrauding investors who bought bogus certificates of deposit issued by his Antigua-based Stanford International Bank Ltd. They have said the one-time billionaire used proceeds in part to fund other ventures and a lavish lifestyle that included several yachts and private jets, and homes around the world. Four co-defendants named in the original June 2009 indictment were also dropped from the new indictment. It was unclear why the case was narrowed and the other defendants were dropped. The suspect now faces five counts of mail fraud and five counts of wire fraud. He is also charged with obstructing a U.S. Securities and Exchange Commission (SEC) probe, and conspiring to obstruct the SEC, commit money laundering, and commit mail fraud and wire fraud. Source: http://www.reuters.com/article/2011/05/05/stanford-indictment-idUSN056191220110505

12. May 5, Allstate Insurance Company – (New York) Allstate Insurance Company files $4 million insurance fraud case. Allstate Insurance Company is seeking to recover $4 million against 20 New York area defendants in its first insurance fraud lawsuit of 2011. The complaint specifically cites six physicians, eight medical professional corporations, and the lay-owned companies allegedly used to control the medical professional corporations. The complaint alleges New York medical professional corporations known as Right Aid Diagnostic Medicine P.C., A Plus Medical P.C., Omega Medical Diagnostic P.C., Shore Medical Diagnostic P.C., Oracle Radiology of NY P.C., Atlantic Radiology Imaging P.C., Atlantic Radiology P.C. and Aurora Radiology P.C. were fraudulently incorporated through a scheme using the names of licensed medical physicians, and that lay-owners, none of whom were physicians, secretly owned and controlled the professional corporations. Allstate’s complaint further alleges these defendants caused the submission of fraudulent claims and MRI reports to Allstate demanding payment of No-Fault benefits. The lawsuit was filed following an investigation by Allstate’s Special Investigative Unit and seeks reimbursement for personal injury protection benefits Allstate paid on behalf of its customers during time frames specified in the lawsuit. Source: http://www.prnewswire.com/news-releases/allstate-insurance-company-files-4-million-insurance-fraud-case-121334814.html

13. May 5, WECT 6 Wilmington – (North Carolina) ‘The Credit Doctor’ pleads guilty to fraud. A man from Wilmington, North Carolina, who advertised himself as “The Credit Doctor,” pleaded guilty the week of May 2 to bank fraud among other charges. The man pleaded guilty in federal court to bank fraud, three counts of wire fraud, three counts of money laundering, one count of obstruction of justice and one count of aggravated identity theft. According to his indictment, he submitted hundreds of false credit card and line of credit applications in the names of multiple people or businesses to banks from 2005 to 2009. He touted specialized skills in obtaining credit for new businesses and credit repair to potential customers, gathering their personal information in the process as “The Credit Doctor of North Carolina.” The customers believed they were only going to get up to two credit cards, but he would obtain as many as 20 for each individual. He was also accused of submitting false statements of annual income and of when businesses were established, as well as using fictitious tax returns. The indictment states the man started one account and ended up laundering more than $950,000 through his SunTrust accounts from 2006 to 2009. Between 2005 and 2011, the man was accused of causing $4 million worth of credit application and wire fraud. He could get up to 30 years on the bank fraud count alone, plus 20 more for the wire fraud, money laundering, and obstruction of justice. The maximum penalty for aggravated identity theft is 2 years in prison. Source: http://www.wect.com/story/14582024/the-credit-doctor-pleads-guilty-to-fraud

14. May 3, Reuters – (International) North Korea behind cyber attack on S.Korea bank-prosecutors. North Korean computer hackers were responsible for bringing down the network of a South Korean bank in April 2011, prosecutors in Seoul, South Korea, said May 3, in the latest of a string of cyber attacks thought to have originated from the secretive state. A senior prosecutor from the Seoul central prosecutors office said an “unprecedented act of cyber terror” by a North Korean group caused the network breakdown of South Korea’s agricultural banking cooperative Nonghyup. The crash of Nonghyup’s computer system affected millions of customers, who were unable to use the bank’s credit cards and ATMs for more than a week. Prosecutors said the April 12 attack was “meticulously prepared and executed” by the same group that carried out cyber attacks on key South Korean government and business Web sites in 2009 and March 2011. One of the Internet protocol addresses used to break into the Nonghyup network was the same as one used a few months earlier for the distributed denial-of-service attack that originated from North Korea, the prosecution said. It said the attack was a new type of cyber terrorism that targeted a private firm to destroy the financial system, “which is the backbone of (the South’s) capitalist society”. Source: http://www.reuters.com/article/2011/05/03/korea-north-cyber-idUSL3E7G31BT20110503

Information Technology

36. May 5, Help Net Security – (International) LastPass resets passwords for all users following potential breach. LastPass — the widely used password management and form filling system — has reset the master password for all its users following the discovery of two network traffic anomalies that could have been the result of a hack. Believing it is better to be cautious and prevent further damage, the company decided to assume the anomalies are due to unauthorized access to its database and that some data has been stolen. “We know roughly the amount of data transferred and that it’s big enough to have transferred people’s email addresses, the server salt and their salted password hashes from the database,” the LastPass Team explained on the company blog. “We also know that the amount of data taken isn’t remotely enough to have pulled many users encrypted data blobs.” The company is investigating the matter, but it is still in the dark about what actually happened and what attack vector was used — if, indeed, the anomalies are the result of an attack. “We had our Asterisk phone server more open to UDP than it needed to be, which was an issue our auditing found but we couldn’t find any indications on the box itself of tampering, the database didn’t show any changes escalating anyone to premium or administrators, and none of the log files give us much to go on,” they said. Source: http://www.net-security.org/secworld.php?id=10981
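The risk behind a forced master-password reset is that a table of e-mail addresses, the server salt and salted hashes can be attacked offline, with no rate limit or lockout. The example below is added here to show that; it is not code from the Help Net Security item or from LastPass. The hashing schemes, the server salt, the user rows and the wordlist are all constructed for the illustration, and nothing on this page describes LastPass's actual scheme. It also goes one step beyond the item: it contrasts a single shared server salt with per-user salts, and a single SHA-256 with an iterated derivation, to show what each does and does not buy.

```python
import hashlib
import hmac

# Constructed server-side salt; the item says a single "server salt" was among the data taken.
SERVER_SALT = b"constructed-server-salt"

def salted_sha256(password: str, salt: bytes) -> bytes:
    """Assumed weak scheme (not LastPass's): one SHA-256 over salt||password. One hash per guess."""
    return hashlib.sha256(salt + password.encode("utf-8")).digest()

def stretched_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hardened alternative: PBKDF2-HMAC-SHA256, so every guess costs `iterations` HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def build_leaked_table(hash_fn):
    """Constructed stand-in for the stolen rows (email -> salted hash); no real users."""
    return {
        "alice@example.com": hash_fn("password1", SERVER_SALT),                    # weak master password
        "bob@example.com": hash_fn("cH7$wq-plum-ORBIT-42-kettle", SERVER_SALT),    # long, not in any wordlist
    }

# Constructed wordlist; a real attacker would use millions of entries from prior breaches.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty"]

def offline_dictionary_attack(table, wordlist, hash_fn, salt):
    """Offline guessing: the attacker only spends CPU time. With one shared salt, each guess is
    hashed once and compared against every row, so cost does not grow with the user count."""
    cracked = {}
    for guess in wordlist:
        digest = hash_fn(guess, salt)
        for email, stored in table.items():
            if hmac.compare_digest(digest, stored):
                cracked[email] = guess
    return cracked

def hash_evaluations(n_users: int, n_guesses: int, per_user_salt: bool) -> int:
    """Hash computations one wordlist pass costs the attacker. A per-user salt multiplies
    the work by the number of users; a single server-wide salt does not."""
    return n_guesses * (n_users if per_user_salt else 1)

if __name__ == "__main__":
    for name, fn in (("salted SHA-256", salted_sha256), ("PBKDF2 x100k", stretched_hash)):
        table = build_leaked_table(fn)
        print(name, "->", offline_dictionary_attack(table, WORDLIST, fn, SERVER_SALT))
    print("evaluations, shared salt:", hash_evaluations(2, len(WORDLIST), per_user_salt=False))
    print("evaluations, per-user salt:", hash_evaluations(2, len(WORDLIST), per_user_salt=True))
```

Both schemes give up the weak password: stretching raises the price of each guess by a constant factor but does not rescue a master password that sits in a wordlist, and a shared salt lets one hash computation test every account at once. That is why forcing a master-password change (rather than only rotating the salt) is the right response to this kind of leak.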

37. May 5, CNET News – (International) Third attack against Sony planned. A group of hackers said it is planning another wave of cyberattacks against Sony in retaliation for its handling of the PlayStation Network breach. An observer of the Internet Relay Chat channel used by the hackers told CNET May 5 that a third major attack is planned the weekend of May 7 and 8 against Sony’s Web site. The people involved plan to publicize all or some of the information they are able to copy from Sony’s servers, which could include customer names, credit card numbers, and addresses, according to the source. The hackers claim they currently have access to some of Sony’s servers. Should the planned attack succeed, it would be the latest blow in a series of devastating security breaches of Sony’s servers over the past month. Source: http://news.cnet.com/8301-31021_3-20060227-260.html

38. May 5, Computerworld – (International) Microsoft plans critical update to Windows Server next week. Microsoft May 5 said it will patch a critical bug in its Windows server software and two other vulnerabilities in PowerPoint, the presentation maker bundled with Office. After April’s record-setting Patch Tuesday — which fixed 64 flaws — May’s much lighter load was not surprising; Microsoft habitually alternates heavy and light months, with the even-numbered months carrying the larger updates. Of the two updates slated to ship May 10, Microsoft has classified one as “critical,” the highest threat ranking in its four-step score, and the other as “important,” the next-most serious. The critical update will patch Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2, the three still-supported editions of its server operating system. The vulnerability exists even in the newest version, Server 2008 R2 Service Pack 1. Windows desktop operating systems, including Windows XP, Vista, and Windows 7, are not affected, however. Source: http://www.computerworld.com/s/article/9216448/Microsoft_plans_critical_update_to_Windows_Server_next_week

39. May 5, Computerworld – (International) Anonymous denies hacking Sony, stealing credit cards. The hacking group Anonymous has denied responsibility for the attack on Sony’s networks, claiming that it has “never...engaged in credit card theft.” In a statement posted to the Daily Kos site, the group said others were trying to frame it for the hack of Sony’s PlayStation and Online Entertainment networks. “Whoever broke into Sony’s servers to steal the credit card info and left a document blaming Anonymous clearly wanted Anonymous to be blamed for the most significant digital theft in history,” Anonymous said. “No one who is actually associated with our movement would do something that would prompt a massive law enforcement response.” Although Sony declined to testify May 4 before a U.S. House of Representatives subcommittee investigating data breaches, in its written response May 3 to the subcommittee’s questions, the company said Anonymous was at least partially responsible for the hacks because it had conducted denial-of-service (DoS) attacks against Sony in the weeks prior to the credit card hack. Source: http://www.computerworld.com/s/article/9216440/Anonymous_denies_hacking_Sony_steal...

40. May 6, The Register – (International) Java-based malware tries Mac-smacking cross-platform attack. Malware-writers have developed a Java-based, equal-opportunity botnet trojan in an apparent bid to infect more machines outside the Windows ecosystem. IncognitoRAT uses source code and libraries that, in theory, allow it to attack both Windows and Mac machines. Only the Windows version of the malicious downloader has been spotted actually spreading, McAfee reports. “The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and protect and encrypt Java programs,” a McAfee researcher explained. “The victim’s machine has to have the Java Runtime Environment installed and must be online. As soon as the file is executed, it starts downloading a ZIP file with a pack of Java-based libraries to perform several remote activities.” Once successfully executed, the malware establishes remote control of compromised systems, allowing criminal hackers to either control or extract and upload private information from compromised devices. Source: http://www.theregister.co.uk/2011/05/06/java_based_malware/
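A triage check that follows from the wrapping the item describes, a Windows executable that carries a Java program and needs the JRE to run: look for a ZIP/JAR archive appended to an MZ executable and report its manifest's Main-Class and any entries that start with the Java class magic. This is an added example, not code from The Register, McAfee or any JarToExe analysis, and the sample file is constructed inline (a stub that only mimics the MZ signature, plus a tiny JAR); it is not IncognitoRAT. Whether a real JarToExe build stores the archive in plaintext is an assumption the quoted text does not settle (it mentions an encrypt option), so treat the result as a heuristic that warrants a closer look, not a signature.

```python
import io
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"
CLASS_MAGIC = b"\xca\xfe\xba\xbe"          # first four bytes of every Java .class file
MANIFEST = "META-INF/MANIFEST.MF"

# Constructed stand-in for a PE launcher stub: only the MZ signature is meaningful here.
STUB = b"MZ" + b"\x00" * 62 + b"constructed stand-in for a launcher stub, not real PE code\n"

def build_sample() -> bytes:
    """Constructed sample: MZ stub followed by a minimal JAR (manifest + one .class header)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST, "Manifest-Version: 1.0\r\nMain-Class: Loader\r\n\r\n")
        zf.writestr("Loader.class", CLASS_MAGIC + b"\x00\x00\x00\x32" + b"\x00" * 16)
    return STUB + buf.getvalue()

def find_embedded_java_archive(blob: bytes):
    """Return details of a JAR embedded in an MZ executable, or None if the heuristic does not fire."""
    if not blob.startswith(b"MZ"):
        return None                                    # not a DOS/PE executable at all
    offset = blob.find(ZIP_LOCAL_HEADER)
    if offset == -1:
        return None                                    # no ZIP local file header anywhere
    try:
        # zipfile finds the end-of-central-directory record from the tail and corrects the
        # offsets, so bytes prepended to the archive (as in self-extracting ZIPs) are tolerated.
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return None
    with zf:
        names = zf.namelist()
        main_class = None
        if MANIFEST in names:
            for line in zf.read(MANIFEST).decode("utf-8", errors="replace").splitlines():
                if line.startswith("Main-Class:"):
                    main_class = line.split(":", 1)[1].strip()
        # Only count entries whose content really is a class file, not just a .class name.
        class_files = [n for n in names
                       if n.endswith(".class") and zf.read(n).startswith(CLASS_MAGIC)]
    if MANIFEST not in names and not class_files:
        return None                                    # a ZIP, but nothing Java-shaped inside
    return {"zip_offset": offset, "entries": names,
            "main_class": main_class, "class_files": class_files}

if __name__ == "__main__":
    print(find_embedded_java_archive(build_sample()))
```

On a real sample the same function takes the file bytes read from disk; a hit gives the archive offset to carve with, the entry list, and the Main-Class to start reversing from. A miss proves nothing, since a wrapper that encrypts its payload will not expose a plaintext archive.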

Communications Sector

Nothing to report