Friday, May 13, 2011

Complete DHS Daily Report for May 13, 2011

Daily Report

Top Stories

• The Register reports a group collaborating with the U.S. Computer Emergency Readiness Team is warning oil refineries, power plants, and other industrial facilities of a bug in a popular piece of software that could allow attackers to take control of their computer systems. See item 41 below in the Information Technology Sector.

• CNN reports two men suspected of planning an attack on a Manhattan synagogue who purchased guns and a hand grenade were arrested by New York City police May 11. (See item 49)

49. May 12, CNN – (New York) Terror plot against New York synagogue busted. Two men suspected of planning an attack on a Manhattan synagogue were arrested by New York City police May 11, two law enforcement sources told CNN May 12. The suspects had not yet selected which synagogue, one of the sources told CNN. “The men bought three or four guns and a hand grenade and that’s when the arrests were made,” according to the source who asked not to be identified. The men were arrested on a street on the west side of Manhattan, in a sting that was part of a New York City Police Department undercover operation, the two law enforcement sources said. The terror threat “was on the radar screen for a few months,” well before the leader of al Qaida was killed by the U.S. military in Pakistan, one of the law enforcement sources said. The men appear to be lone wolves acting on their own, the sources said. They noted the men are of North African descent. At least one of the men is a U.S. citizen. The men offered no resistance during the arrest. Their plot appears to be more aspirational than operational, because they had not worked out details, one of the sources said. Source:


Banking and Finance Sector

12. May 12, Associated Press – (Arizona) Phoenix realtor pleads guilty to mortgage fraud. A Phoenix, Arizona real estate agent pleaded guilty May 9 in a mortgage fraud scheme that costs lenders almost $10 million. Federal prosecutors said the 31-year-old pleaded guilty to charges of conspiracy to commit wire fraud. Prosecutors said he could face up to a 30-year prison term. Three others charged in the same case also have entered guilty pleas while the remaining defendant is scheduled for trial in July. Prosecutors said that from September 2005 through September 2007, the man facilitated the submission of mortgage loan applications for unqualified straw buyers that contained false information. They said the man and the others concealed cash kickbacks to the straw buyers from lenders. The conspiracy involved 49 homes and all went into foreclosure. Source:

13. May 12, Chicago Sun-Times – (Illinois; Minnesota) Two NWI banks sued over income made in man’s Ponzi scheme. When two Lake County, Illinois banks decided to buy portions of loans from a financial group in Minnesota, the moves seemed to pay off with about $8 million of profit. A May 11 lawsuit claims, however, that Merrillville-based Centier Bank and Munster-based Peoples Bank SB profited off victims involved in an $80 million Ponzi scheme run by a Lakeville, Minnesota man, and now the two are being sued to pay back the money. According to the lawsuit, filed in the U.S. district court in Hammond, the man gave loans to people through his company First United Funding. He would then sell portions of the loans to other banks, which made money when people paid back the principal and interest. However, in 2002, First United started defrauding the banks by either selling more portions to a loan than existed, or by selling portions of loans that never existed. According to the suit, Centier paid in 2005 and 2006 about $8 million for portions of two loans, one of which never actually existed. First United paid Centier a little more than $14 million on those supposed portions, meaning Centier made a profit of about $6 million, according to the lawsuit. Peoples paid $10 million for ownership of similar loans, receiving a profit of $2 million from First United. Other banks that bought into similar loans were not as fortunate, the lawsuit says, and lost about $80 million. Source:

14. May 11, CNN – (International) Connecticut fugitive arrested. A 65-year-old suspect in a $7 million Connecticut robbery was arrested May 10, more than 2 decades after the heist, the FBI in San Juan, Puerto Rico, said. The man was arrested in Cayey, Puerto Rico, the FBI said in a statement. The man is accused of participating in the armed robbery of a Connecticut Wells Fargo depot September 12, 1983. According to the FBI in Connecticut, the robbery of the armored car facility in West Hartford was one of the largest cash heists at the time, and dozens of collaborators have been arrested. A federal arrest warrant was issued in August 1985 charging the man with obstruction of commerce by robbery and conspiracy, the FBI said. Another warrant was issued in March 1986 charging the man with bank robbery, aggravated robbery, theft from interstate shipment, foreign and interstate transportation of stolen money, and conspiracy to interfere with commerce by robbery, the FBI said. If convicted, he could face 275 years of imprisonment. The FBI said the man, a native of Puerto Rico, is believed to be a member of the domestic terrorist organization Los Macheteros — or “the machete wielders” — which has claimed responsibility for several murders, armed robberies, and terrorist bombings. Source:

15. May 11, Louisville Courier Journal and Associated Press – (Kentucky) Two convicted in Kentucky oil investment scam. A Kentucky oilman and a Lexington lawyer were convicted of fraud May 1 for bilking more than $33 million from 500 people by promising high returns on oil field investments and using the money instead to buy cars, jewelry, and other luxuries. The convictions came after a 3-week trial in U.S. district court in Lexington., Kentucky, and capped an investigation that ramped up after the oilman threw a lavish Sweet 16 party for his daughter that was featured on MTV. The oil man was convicted on multiple wire, mail, and securities fraud counts. The men face up to 20 years in prison at their August 24 sentencing. The government claimed the two men conspired to sell a “pipe dream” that had no chance of paying off because there was not enough oil underground in the entire state to make the investors whole, let alone reward them with a profit. Drilling in Green and Adair counties produced mainly dry holes. In closing arguments, the assistant U.S. attorney said the defendants operated a pyramid scheme, with payments from new investors given to longer-term investors, and some people received no money. Source:|head

Information Technology

41. May 12, The Register – (International) CERT warns of critical industrial control bug. A group collaborating with the U.S. Computer Emergency Readiness Team is warning oil refineries, power plants, and other industrial facilities of a bug in a popular piece of software that could allow attackers to take control of their computer systems. The vulnerability in the Genesis32 and BizViz products made by Massachusetts-based Iconics could allow attackers to remotely execute malicious code on machines that run these supervisory control and data acquisition programs (SCADA), the Industrial Control Systems CERT warned May 11. The programs are used to control equipment used in factories, water, wastewater and electric utilities, and oil and gas refineries. The vulnerability stems from a stack-overflow bug found in an ActiveX control used by the SCADA programs and can be exploited to gain command-execution capability, researchers from Australasia-based warned. “By passing a specially crafted string to the ‘SetActiveXGUID’ method, it is possible to overflow a static buffer and execute arbitrary code on the user’s machine with the privileges of the logged on user,” the researchers warned. They included a proof-of-concept exploit written in JavaScript. Iconics has updated the vulnerable component to plug the security hole. According to the advisory, version 9.22 of Genesis32 and BizViz is not susceptible to the attack. Source:

42. May 12, Softpedia – (International) ZeuS distributed as fake Windows security updates. A wave of fake e-mails distributing a variant of the notorious ZeuS banking trojan and posing as Windows security update notifications has been in circulation for almost a week. According to security researchers from e-mail and Web security vendor AppRiver, the spam campaign began May 6 in advance of Microsoft’s Patch May 10 and was still running May 12. The fake e-mails purport to come from Microsoft Canada and bear a subject of “URGENT: Critical Security Update.” Recipients are advised to download and install an important patch released by Microsoft for all versions of Windows, which is actually a trojan. The scam is not very well constructed, with text poorly spelled. In addition, the update claims to also apply to Windows 98 and 2000, versions of Windows which are no longer supported by Microsoft, while Windows Vista is missing from the list. The perpetrator may have copied an old spam template and made small changes to it, such as adding Windows 7 to the enumeration. No efforts have been made to obfuscate or hide the true destination of the download link, which points to a location under the twotowers(dot)ca domain name. Source:

43. May 12, Softpedia – (International) More rogue apps pulled from Android market. Google pulled another set of trojanized apps from the Android market that were silently subscribing users to premium rate services via SMS. According to security researchers from AegisLab who analyzed the malicious code, the apps contained an SMS trojan. They were posted by a user named “zsone” and had names like iBook, iCartoon, iCalendar, iMine, iMatch, iGuide, LoveBaby, 3D Cube horror terrible, Sea Ball, Shake Break, or ShakeBanger. The number of affected apps might be larger, and Google is still investigating more suspicious ones, but at the moment, those have been confirmed as malicious. It appears SMS trojan is targeting Chinese users because it sends subscription codes to special numbers that only work in China. Also, the attackers have been taken measures to hide the malicious behavior. It is unclear if the rogue subscriptions result in a one-time charge or if users have their accounts billed monthly for the fake service. Many experts find the increasing trend of uploading trojanized apps on the official Android Market troubling, especially since there is little oversight from Google regarding the publishing process. Source:

44. May 11, Computerworld – (International) Facebook denies privacy breach allegations by Symantec. Facebook May 11 denied it may have accidentally exposed personal user data to advertisers and other third parties for several years, as claimed the week of May 9 by two security researchers at Symantec Corp. The researchers noted May 10 that a Facebook programming error — since fixed — could have allowed advertisers to access member profiles, photographs, and chat messages, and to post messages and mine personal data from them. According to Symantec, the leaks stemmed from a faulty API used by developers of Facebook applications. It caused “hundreds of thousands” of Facebook applications to accidentally expose access tokens granted by users to Facebook applications. Facebook downplayed the issue and argued Symantec’s report has a “few inaccuracies.” A Facebook spokeswoman noted, “We appreciate Symantec raising this issue and we worked with them to address it immediately.” But, “specifically, no private information could have been passed to third parties, and the vast majority of tokens expire within two hours,” she said. “The report also ignores the contractual obligations of advertisers and developers, which prohibit them from obtaining or sharing user information in a way that violates our policies,” the spokeswoman said. Source:

45. May 11, Computerworld – (International) Google engineers deny Chrome hack exploited browser’s code. Several Google security engineers have countered claims that security company Vupen found a vulnerability in Chrome that could let attackers hijack Windows PCs running the company’s browser. Instead, those engineers said the bug Vupen exploited to hack Chrome was in Adobe’s Flash, which Google has bundled with the browser for over a year. Google’s official position, however, has not changed since May 9, when Vupen announced it had successfully hacked Chrome by sidestepping not only the browser’s built-in “sandbox” but also by evading Windows 7’s integrated anti-exploit technologies. But others who work for Google were certain at least one of the flaws Vupen exploited was in Flash’s code, not Chrome’s. Source:

46. May 11, Computerworld – (International) Microsoft leaves Mac Office users in the lurch, says researcher. Microsoft May 10 told Mac Office users it does not yet have a fix for a PowerPoint bug it patched for Windows customers. “Security updates for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac are unavailable at this time,” the company’s MS11-036 security bulletin said. “Microsoft will issue updates for these software when testing is complete, to ensure a high degree of quality for their release.” MS11-036 was part of May’s two-update Patch May 10, and closed a pair of holes rated “important” in PowerPoint 2002, 2003, and 2007 on Windows. Only one of the two bugs affects Office for Mac 2004 and Office for Mac 2008. The newest versions, Office 2010 on Windows and Office for Mac 2011, do not contain the vulnerabilities. A Microsoft’s spokesman May 11 declined to spell out a timetable for May’s missing Mac patch, saying only the company is working on a fix. According to MS11-036, attackers can hijack a Windows PC or Mac by convincing victims to open a malformed PowerPoint file, such as one attached to an e-mail message or available for viewing and downloading from a malicious Web site. Source:

Communications Sector

47. May 12, Politico – (National) FCC wants Web phone outage reports. Phone companies have long been on the hook for reporting service outages to federal regulators when the dial tone goes dead in the midst of a storm or equipment woes. Now that so many consumers and businesses are relying on Internet-based phones, the Federal Communications Commission (FCC) is considering whether to extend those reporting requirements into the digital age. The FCC is expected at its meeting May 12 to propose possible new rules that could require Internet service and voice over Internet protocol — or VoIP — providers to explain when service is interrupted. The big difference, ISPs and VoIP providers argue, is current rules that apply to a world of telephone lines that travel over a centrally switched network are inappropriate for a communications system that relies on digital packets and cloud computing. But sources told Politico the FCC is likely to make the case it has authority to require the outage reports. The panel is expected to ask for public input as to whether the reports should be kept confidential, and what the standard should be for defining an outage. The FCC is also expected to tie the reporting requirements with the efficacy of the 911 system, the sources said. With more than 20 million Americans using VoIP, network outages are particularly problematic when they cause emergency systems to go down. Source:

48. May 10, KNVX 15 Pheonix – (Arizona) Arizona man caught stealing relay radio antenna. A northern Arizona man was arrested May 6 for allegedly trying to steal a large antenna from a radio relay station. The Mohave County Sheriff’s Office (MCSO) said the 32-year-old man was caught when deputies responded to a call of a burglary in progress at the station near Jurassic Drive and Estrella Road around 3:30 p.m. in Golden Valley. Officials said deputies found a male subject with a Chevrolet Suburban and flatbed trailer loading the large antenna onto the trailer. The man was detained and admitted taking items from the relay station to a recycling center. Deputies had recently visited the station and noticed metal and other items missing, the MCSO said. Deputies checked with the recycling center and confirmed that the suspect had recently turned in items for which he was paid. The man was booked into Mohave County Jail for burglary, theft, aggravated criminal damage, and trafficking in stolen property. The investigation continues and more arrests are pending, according to authorities. Source: