Thursday, May 12, 2011

Complete DHS Daily Report for May 12, 2011

Daily Report

Top Stories

• According to CNN, undercover government investigators were able to get into major U.S. seaports — at one point driving a vehicle containing a simulated explosive — by flashing counterfeit or fraudulently obtained port “credentials” to security officials, Congress disclosed May 10. (See item 22)

22. May 10, CNN – (National) GAO: Investigators drove ‘explosive’ into secure port. Undercover government investigators were able to get into major U.S. seaports — at one point driving a vehicle containing a simulated explosive — by flashing counterfeit or fraudulently obtained port “credentials” to security officials, Congress disclosed May 10. This has raised serious questions about a program that has issued the cards to more than 1.6 million people. At issue are Transportation Worker Identification Credentials, or TWIC cards, now needed by truckers, stevedores, longshoreman, and others for unescorted access to the nation’s ports. DHS has long touted the cards as one of the most important layers in its multilayered system to protect ports from terrorists. But, in a highly critical report, the Government Accountability Office (GAO) said May 10 the program does not provide reasonable assurance that only qualified people get the credentials. In tests, GAO investigators got into ports using counterfeit TWICs or authentic TWICs acquired through fraudulent means, and by stating false reasons for needing access. An unclassified version of the report did not state how many tests were conducted, nor how many efforts were successful. But it said the tests were conducted at some of the nation’s busiest seaports. The findings are significant because a TWIC card suggests its holder is not a security threat, and potentially eases access to thousands of facilities, including airports and military installations, the GAO said. Source:

• CNN reports the swollen Mississippi River rolled south May 11 as communities along its delta braced for flooding, and vast farms remained under threat as it left a trail of submerged homes. (See item 64)

64. May 11, CNN – (National) Bulging Mississippi River heads south as residents watch, wait. The swollen Mississippi River rolled south May 11 as communities along its delta braced for flooding, and vast farms remained under threat as it left a trail of submerged homes. The river crested at Memphis, Tennessee, May 10 just a few inches short of a record set in 1937. As it slowly headed south, flooding concerns turned to Louisiana and Mississippi, where it is expected to rise to levels unseen since 1927. Louisiana’s governor said as many as 3 million acres could be affected by the flooding. Some 500 National Guard members have been mobilized so far, and 21 parishes have issued emergency declarations, according to the governor. The river’s crest is expected to begin arriving in Louisiana the week of May 16. In neighboring Mississippi, some of the waters seeped into casinos as the river inched toward a 48-foot crest late May 10. About 600 people in the Tunica community of Cutoff have been driven from their homes, a county spokesman said. Downstream in Louisiana, the U.S. Army Corps of Engineers said it was closing a major lock that allows for the transfer of barge traffic between the Mississippi and the Red River Basin. The Corps opened 44 more gates to the Bonnet Carre spillway in Norco, Louisiana, May 10, sending millions of gallons of water rushing into Lake Pontchartrain and, eventually, the Gulf of Mexico. In addition to 28 gates opened May 9, the Corps may consider an additional 38 May 11, according to the Jefferson Parish president. Residents and officials are especially concerned about the Morganza Spillway above Baton Rouge, which was last opened in 1973. Opening it could help spare Baton Rouge and New Orleans from some of the flooding’s damage, but it would flood populated and rural areas in the swampy Atchafalaya Basin. The basin is home to the Atchafalaya River and myriad tributaries. In Arkansas, the farm bureau estimated damage to agriculture could top $500 million as more than 1 million acres of cropland are under water. Source:


Banking and Finance Sector

15. May 11, KXTV 10 Sacremento – (California) Bomb scares assist area bank robber getaways. When a Lodi, California bank was robbed May 9, the tactic used by the robber was similar to several other robberies that have happened in three counties since late last year. Area police believe it is the same man who enters the bank each time, carrying a bag over his left shoulder. “He walks up to the teller, places the bag on the counter and in his right hand, he’s holding what appears to be a remote control or detonation device,” said a Ripon Police detective. Banks in Lockeford, Linden, Ripon, Turlock, and Amador County have been robbed as well. The detective said the robber is able to slow police response by simulating a bomb situation. “Not only do we have a bank robber we’re looking for, we also have to contend with the explosive device. It slows things down, most certainly,” he said. Police described the bank robber as about 40-years-old, about 5 feet, 7 inches tall and weighing about 170 pounds.The detective said the man is either a light-skinned Hispanic, or dark-skinned Caucasian. The devices left behind in banks are never actually explosive devices, and no one has been hurt. Source:

16. May 11, Associated Press – (National) Hedge fund founder convicted in inside-trade case. A former Wall Street titan was convicted May 11 of making a fortune by coaxing a crew of corporate tipsters to give him an illegal edge on blockbuster trades in technology and other stocks — what prosecutors called the largest insider trading case ever involving hedge funds. He was convicted of five conspiracy counts and nine securities fraud charges at the closely watched trial in federal court in Manhattan, New York. Prosecutors had alleged the 53-year-old man made profits and avoided losses totaling more than $60 million from illegal tips. His Galleon Group funds, they said, became a multibillion-dollar success at the expense of ordinary stock investors who did not have advance notice of the earnings of public companies, and of mergers and acquisitions. The verdict came after 7 weeks of testimony showcasing wiretaps of the man wheeling and dealing behind the scenes with corrupt executives and consultants. Some of the people on the other end of the line pleaded guilty and agreed to take the witness stand against the Sri Lanka-born defendant. Authorities said the 45 tapes used in the case represented the most extensive use to date of wiretaps — common in organized crimes and drug cases — in a white-collar case. The Galleon probe has resulted in more than two dozen arrests, and 21 guilty pleas. It also has led to a second investigation aimed at consultants in the securities industry who pass off inside information as the product of legitimate research. Source:

17. May 11, Boston Globe – (Massachusetts) After two fruitful robberies, man’s 3rd try at Allston bank fails. Officials said they are searching for a man whose third attempt at robbing the same Allston, Massachusetts, bank was unsuccessful May 10 after two previous successful tries last month. A yet-to-be identified man displayed a note demanding money from a teller at around 2:30 p.m. May 10 inside the Bank of America at 1237 Commonwealth Avenue, according to the FBI. The robbery attempt was unsuccessful and the man fled on foot. Officials said the same man successfully robbed that bank April 13 and April 25. He is listed on the state’s most wanted Web site. He is described as being white or Hispanic, 25 to 30 years old, between 5’10” and 6’2”, 180 to 190 pounds, wearing a black Nike Air Jordan baseball hat, a black North Face jacket worn over a tan/cream pullover, and dark pants. Source:

18. May 10, Knoxville News Sentinel – (National) ‘Party mom’ Leslie Janous waives extradition. West Knoxville, Tennesee’s fugitive embezzler and notorious “party mom” waived an extradition hearing May 9 after appearing before a federal magistrate in Arizona. She made her first court appearance before a U.S. magistrate judge after being arrested the week of May 2 after fleeing Tennessee. The 36-year-old had been on the lam since mid-April, but was arrested by FBI agents May 5 in Apache Junction, Arizona. A 2010 audit of precious-metals brokerage firm Scancarbon revealed the woman stole $4 million from the company where she had been a bookkeeper. Shortly after the audit, she was arrested. In February, she pleaded guilty to wire fraud and money laundering in U.S. district court and was freed by agreement with the U.S. attorney’s office pending a July sentencing hearing. Court documents show she faces a $500,000 fine and up to 20 years in prison for the wire fraud charge, and a $250,000 fine and up to 10 years in prison for the money laundering charge. A warrant was issued after an alarm on an ankle bracelet monitoring device the convict was ordered to wear upon her February guilty plea showed she failed to return home April 18. The FBI began a nationwide hunt — including involving “America’s Most Wanted” and billboards in seven states — for the woman that came to an end May 5. Source:

19. May 10, Federal Bureau of Investigation – (Illinois; Texas; Alabama) Two suburban men allegedly obtained $16 Million from 300 investors in fraudulent real estate investment scheme. Two businessmen who operated a defunct real estate investment company in Chicago, Illinois, were charged May 10 with engaging in an alleged investment fraud scheme that obtained more than $16 million from more than 300 investors. The defendants were each charged with one count of mail fraud and one count of wire fraud in a criminal complaint, announced a U.S. Attorney for the Northern District of Illinois, and the Special Agent in Charge of the FBI’s Chicago office. The defendants, who operated Michael Franks LLC, and several related business entities in Palatine, allegedly misused money they raised from investors for their own benefit and to make Ponzi-type payments to earlier investors. The charges allege the defendants offered investors passive ownership in multi-family residential properties, including apartment building complexes in Illinois, Texas, and Alabama. The charges allege certain real estate projects undertaken by Michael Franks LLC performed poorly and failed to generate enough revenue to meet operating expenses. The defendants began transferring funds from various investments to support poorly performing projects and to pay earlier investors with funds raised from new investors, without disclosing this information, the charges add. At the same time, they allegedly misused investor funds to pay employees, to make commission payments to individuals who raised new funds, and to pay themselves. Each count of mail fraud and wire fraud carries a maximum penalty of 20 years in prison and a $250,000 fine, and restitution is mandatory. The court may also impose a fine totaling twice the loss to any victim or twice the gain to the defendant, whichever is greater. Source:

For more stories, see items 47 and 48 below

Information Technology

47. May 11, The Register – (International) Newly emerged banking trojan challenges ZeuS-SpyEye duopoly. A new banking trojan with infection rates similar to SpyEye and Zeus in some regions has emerged. The Sunspot Trojan has already been linked to instances of fraudulent losses, according to transaction security firm Trusteer. The Windows-based malware is designed to carry out man-in-the-browser attacks, including Web injections, page-grabbing, key-logging, and screen shooting. The malware is also capable of requesting additional online banking details from the user such as payment card information (card number, ATM PIN, CVV, expiration date) and answers to secret questions. It also requests sensitive personal data (driver license number, mother maiden name, date of birth etc.) that might subsequently be used to impersonate marks to obtain fraudulent lines of credit. Anti-virus tool detection of the Sunspot Trojan is patchy at best. According to a Virus Total analysis, only 9 of 42 anti-virus programs tested, or 21 percent, currently detect Sunspot. Trusteer traced the Sunspot Command and Control Server hostname to a domain registered in Russia. Trusteer believes the malware has been in circulation for a while, but the enhanced financial fraud capabilities were only added far more recently. Source:

48. May 10, The Register – (International) Source code leaked for pricey ZeuS crimeware kit. Source code for the latest version of the ZeuS crimeware kit has been leaked on the Internet, giving anyone who knows where to look free access to a potent set of malware-generation tools. Complete source code is available in at least three different locations, ensuring it is now permanently available to the masses, a researcher with the firm CSIS Security told The Register. While the release could erode the paid market for the do-it-yourself malware kit, it could also spawn entire new kits that clone the existing code and build new features or services on top of it. “The source code has until now been shared in very closed communities or bought by criminals with significant funds,” the CSIS Security researcher said. “With the release of the entire code it’s obvious we will see new versions/rebrands or improvements in general. If this grows outside of the established underground ecosystem it could have a significant impact.” Selling in the criminal underground for anywhere from $2,000 to $10,000, ZeuS is best known as a tool for developing customized trojans that send victims’ banking credentials to servers under control of the attacker. Source:

49. May 10, Computerworld – (International) Microsoft downplays Server bug threat, say researchers. Microsoft is downplaying the threat posed by one of the three bugs the company patched May 10, security researchers said. The update in question, MS11-035, patches a single vulnerability in Windows Internet Name Service (WINS), a component in every supported edition of Windows Server, including Server 2003, 2008, and the newest, Server 2008 R2. Attackers could exploit the WINS bug by crafting a malicious data packet, then shooting it at a vulnerable Windows Server box. Researchers claimed that although Microsoft rated the bug as “critical,” the company’s highest threat ranking, it also noted that WINS is not installed by default, citing that as a mitigation factor. That overlooks the fact that many networks, especially larger ones in enterprises and government agencies, have WINS installed. “Most organizations have to install WINS,” said Rapid7’s enterprise security community manager. “With governments and big agencies — any large network — WINS is going to be running.” That’s because WINS — Microsoft’s name server for Windows networks — is required for many older third-party or custom-built applications, called “legacy” programs, said the director of security operations at nCircle Security. “There’s so much legacy that relies on WINS [that] our gut instinct is that most will have it installed in the data center,” he said. The two researchers agreed that Microsoft, intentionally or not, softened the warning by telling customers WINS is not installed by default. Source:

50. May 10, threatpost – (International) May Patch Tuesday fixes three remote Microsoft bugs. The May 2011 edition of Microsoft’s Patch Tuesday included two bulletins addressing bugs that could allow for remote code execution, but only one of which is rated critical. The first bulletin, MS11-035, addresses a privately reported critical vulnerability within the Windows Internet Name Service (WINS). This could allow for remote code execution on any individual PC receiving a specially crafted WINS replication packet. As WINS is not a default installation on any operating system, this bug only affects individuals who manually installed the application. The second bulletin, MS11-036, which is rated as important, addresses two privately disclosed bugs in PowerPoint that could also lead to remote code execution if a user opens a specially crafted PowerPoint file. Any attacker successfully exploiting these vulnerabilities would gain the same user rights as the logged-in user. Source:

51. May 10, The Register – (International) Facebook caught exposing millions of user credentials. Facebook has leaked access to millions of users’ photographs, profiles, and other personal information because of a years-old bug that overrides individual privacy settings, Symantec researchers said. The flaw, which researchers estimate has affected hundreds of thousands of applications, exposed user access tokens to advertisers and others. The tokens serve as a spare set of keys Facebook apps use to perform certain actions on behalf of the user, such as posting messages to a Facebook wall or sending RSVP replies to invitations. For years, many apps that rely on an older form of user authentication turned over these keys to third parties, giving them the ability to access information users specifically designated as off limits. The Symantec researchers said Facebook has fixed the underlying bug, but they warned that tokens already exposed may still be widely accessible. While many access tokens expire shortly after they are issued, Facebook also supplies offline access tokens that remain valid indefinitely. Facebook users can close this potential security hole by changing their passwords, which immediately revokes all previously issued keys. Source:

52. May 9, The Register – (International) OpenID warns of ‘psychic paper’ authentication attack. OpenID has warned of bugs in its authentication technology that create a possible means for hackers to modify data sent between Web sites. Many high-profile sites — including Google, Yahoo!, and Flickr — use the technology so that once users have logged into one site, they are not constantly prompted for passwords. Thousands of smaller sites also use the technology. The security weakness stems from an implementation flaw in authentication exchange, an extension to the OpenID system that gives sites the ability to exchange identity information between endpoints. The bug meant that proper checks on whether authentication information had been correctly signed were not carried out in some cases, thus creating a mechanism for hackers to offer false information that is accepted as genuine. The security bug has been confirmed in OpenID4Java and Kay Framework, but is not necessarily limited to them. Both libraries have been updated. Janrain, Ping Identity, and DotNetOpenAuth are immune from the bug. Source:

Communications Sector

53. May 11, Help Net Security – (National) Majority not prepared for IPv6 transition. About 88 percent of business networks were not fully ready for a change to IPv6, with two thirds saying their networks are only 0-20 percent ready, despite the fact the last blocks of IPv4 addresses have been allocated, according to Ipswitch. “While IPv6 provides the ability to greatly expand the number of devices on the Internet, it also poses migration, compatibility and management challenges for today’s IPv4-based networks,” said the vice president of product management and strategy at Ipswitch’s Network Management Division. “Our poll shows the need for companies to develop transition strategies in order to increase IPv6 readiness among enterprise networks and prevent any future disruption to mission-critical systems.” IPv6 is a next-generation IP protocol designed to replace IPv4, the Internet protocol most commonly used in the world and the foundation for most Internet communications. With the number of available IPv4 addresses quickly running out, transitioning to IPv6 will soon become a requirement for enterprise networks. IPv6 enables significant expansion of the IP addresses needed to accommodate the continuously growing number of worldwide Internet users, and provides additional security features for Internet traffic. Ipswitch’s WhatsUp Gold IT management platform has supported IPv6 for 5 years to help enterprises ease the transition to the new protocol. Source:

54. May 10, Computerworld – (Illinois) Some Verizon users still reporting LTE modem problems. Even though Verizon Wireless claims its fast Long Term Evolution (LTE) network is “up and running” following an April 26 outage, it is still not working for some customers, including 50 Chicago, Illinois-based users of laptops with LTE modems. A Chicago-based IT manager said via e-mail that she had upgraded 50 laptop Verizon 3G modems to Pantech 4G LTE modems before the outage, but they “constantly drop LTE because Verizon still has not fixed their switching issues between 4G and 3G.” Source:

55. May 10, Forbes – (National) Hacker group raids, targets FBI. A small group of hackers May 10 released a list of e-mail addresses and passwords for 363 employees of and defaced the LinkedIn accounts of 14 of them. The group announced the hack through Twitter handle LulzSec, or The Lulz Canon, featuring a stick figure in a top hat, monocle and twirly mustache. The group also hacked the Twitter account of Fox15 TV before releasing a few bawdy tweets. The same hackers were behind the theft of names, phone numbers, and e-mail addresses of 73,000 people who had applied for information on auditions for the U.S. edition of the television host’s talent show “The X-Factor”, to be broadcast on Fox television – this information was taken together with the employee details in the same attack. Earlier the week of May 9, the group posted the X-Factor list of names as a text file on Pirate Bay. A spokeswoman for Fox did not wish to comment on the matter. The group was unclear about why they were attacking Fox, saying there were different motivations among its members. They added that LulzSec was not part of Anonymous, a larger hacktivist and trolling collective that claimed responsibility for cyber attacks on HBGary Federal, MasterCard, and PayPal, though its members have participated in some of these previous operations. Source: