Wednesday, May 18, 2011

Complete DHS Daily Report for May 18, 2011

Daily Report

Top Stories

• Credit Union Journal reports U.S. authorities are working through legal channels for the return of hundreds of millions of loan proceeds they believe were stolen from Ohio-based St. Paul Croatian Federal Credit Union in the biggest credit union fraud ever. See item 12 below in the Banking and Finance Sector.

• According to CNN, as many as 25,000 homes and millions of acres of farmland could be flooded as federal officials seek to prevent the Mississippi River from devastating major cities in Louisiana, Mississippi, and Arkansas. (See item 59)

59. May 17, CNN – (National) Cresting Mississippi River floods Arkansas, Mississippi, Louisiana. A near-record crest is forecast in Greenville, Mississippi, May 17 as the bloated Mississippi River makes its relentless march toward the Gulf of Mexico. By the weekend of May 21, flood waters are expected to peak at record levels in Vicksburg and Natchez, Mississippi, as well as in Red River Landing and Baton Rouge, Louisiana, according to the National Weather Service. A U.S. Army Corps of Engineers spokesman told CNN’s “John King USA” 20,000 to 25,000 homes could be flooded. Officials said the spillway gates are likely to be open for weeks, and it will be weeks before the river falls below flood stage and those who have evacuated can safely return. The diversion will drain water from the Mississippi through the Atchafalaya basin to the Gulf of Mexico at Morgan City. Louisiana’s governor told residents May 16, the decision to open the spillways has lowered crest projections in parts of the state. River observations now suggest the Corps may need to divert less water from the spillway than initially thought, he said. But based on historical estimates, damages to agriculture alone in Louisiana could total $300 million, he said. The Corps of Engineers opened two gates in the Morganza Spillway May 14, the first release from the facility since 1973. As of May 16, 15 of the structure’s 125 bays had been opened, diverting about 763,000 gallons of water per second, a Corps spokeswoman said. The plan is eventually to open about a quarter of the spillway, according to the agency. At the Bonne Carre Spillway, which feeds into Lake Ponchatrain, 330 of 350 bays are open, with water coursing through it well above its rated capacity, the manager said May 16. The flood is the most significant to hit the lower Mississippi River valley since at least 1937 and has so far affected nine states: Missouri, Illinois, Kentucky, Tennessee, Ohio, Indiana, Arkansas, Louisiana, and Mississippi. As many as 22 cities and communities where river levels are monitored by the U.S. government remain flooded. Across the South and lower Midwest, flood waters have already covered about 3 million acres of farmland. Source:


Banking and Finance Sector

11. May 17, Orange County Register – (California) Suspects sought in 2 bank robberies. Authorities are searching for two men who carried out apparently unrelated bank robberies in Irvine and Lake Forest, California, May 16, an FBI official said. The first robbery was reported at an East West Bank branch in a shopping center at Walnut Avenue and Jeffrey Road about 12:45 p.m., an FBI special agent said. A man entered the bank, handed the teller a note, demanded cash and left with an undisclosed amount of money, the special agent said. No injuries were reported, and no weapon was seen. Authorities believe the Irvine robbery was carried out by the “Gone Plaid Bandit,” who earned his nickname from his wardrobe choices during bank robberies in Yorba Linda and Anaheim Hills in February 2011. The second robbery was reported at a City Bank branch in the 2300 block of El Toro Boulevard about 2:50 p.m., the FBI said. As in the first robbery, a man reportedly handed a note to a teller, demanded money and left with an undisclosed amount of cash before fleeing on foot. Witnesses did not see a weapon, and no injuries were reported. The second man is not suspected of being a serial bank robber, the FBI said, and the two incidents are not believed to be related. Source:

12. May 16, Credit Union Journal – (International) Millions in looted CU funds traced to the Balkans. U.S. authorities are working through legal channels for the return of millions of dollars of loan proceeds from Eastlake, Ohio-based St. Paul Croatian Federal Credit Union (FCU) they believe was siphoned from the one-time $240 million credit union to local banks as part of the biggest credit union fraud ever. The U.S. Department of Justice (DOJ) is working with the National Credit Union Administration (NCUA) and numerous international law enforcement agencies, including Interpol, for the repatriation of the U.S. credit union funds as the scope of the international criminal case expanded with seven more individuals indicted May 13, making a total of 16 charged in the case. So far, authorities have traced almost $6 million in fraudulent loan proceeds transferred to Macedonian and Albanian bank accounts by a purported head of a Macedonia crime syndicate who is in federal prison in Cleveland, Ohio, awaiting trial in the case. The Albanian national who maintains homes in Skopje, Macedonia, and in Eastlake is among those charged with bribing the CEO of St. Paul Croatian to obtain millions of dollars in loans they had no intention of repaying. Authorities said the CEO approved more than 1,000 fraudulent loans with no collateral to 300 account holders. Many of the loans were made in the name of phony businesses, even though St. Paul Croatian was never approved to make business loans. Investigators have traced $70 million of the fraudulent loans so far, but believe the fraud is much bigger. NCUA estimates the fraud will cost the National Credit Union Share Insurance Fund as much as $170 million in losses, making it the biggest credit union fraud ever. Source:

13. May 16, Reuters – (National) Day trader guilty in scam tied to Lehman salesman. A Florida day trader pleaded guilty May 16 to criminal charges over an insider trading scheme based on tips obtained from a wife of a former Lehman Brothers Holdings Inc. salesman, prosecutors said. The 35-year-old Miami Beach, Florida man admitted to one count each of securities fraud and conspiracy in a hearing May 16 before a U.S. magistrate judge in Manhattan, New York. Prosecutors said the scheme ran from February 2005 to Sept. 2008, and included a purchase by the man’s day trading partner of 2,500 shares in Veritas DGC Inc for their joint account based on material nonpublic data. They said this purchase led to illegal profit when Veritas agreed in September 2006 to a $3.1 billion takeover by France’s Compagnie Generale de Geophysique, creating the world’s largest publicly-traded provider of seismic surveys. Prosecutors said the man’s partner got tips from a Lehman salesman, who received them from his wife on transactions her employer at the time, Brunswick Group LLC, had been working on. The Lehman salesman pleaded guilty to one count of securities fraud and four counts of conspiracy in December 2008. He has cooperated with prosecutors, and has not been sentenced. In a parallel civil lawsuit, the Securities and Exchange Commission said the scheme resulted in $4.8 million of illegal profits. Source:

14. May 16, Associated Press – (New Jersey) Piscataway man pleads guilty in mortgage fraud scheme. A 41-year-old Piscataway, New Jersey man who owned and operated several mortgage foreclosure rescue companies pleaded guilty May 16 to conspiracy to commit wire fraud and conspiracy to commit money laundering in a scheme that defrauded mortgage lenders of more than $10 million. Prosecutors said the man and employees of his company falsely promised homeowners they would help them avoid foreclosure by putting their homes in the name of third-party buyers. The man and his accomplices used the straw buyers to obtain dozens of mortgage loans, often using false information. He faces a maximum possible penalty of up to 50 years in prison. Source:

15. May 13, Dow Jones Newswires – (New York) SEC charges NY investment adviser with securities violations. The U.S. government charged a New York investment adviser with violating securities regulations May 13, alleging he made distorted claims about a real-estate fund and then used money from unwitting investors in another venture to prop it up. The Securities and Exchange Commission (SEC) said the man told investors his real-estate fund was safe and liquid and generated at least 8 percent a year in returns, though the SEC alleged the fund’s actual performance didn’t justify those claims. The SEC said that as the real-estate investment flagged, the suspect raised money from investors in Campus Capital Corp. to shore up the fund and engage in other transactions that personally benefited him, without disclosing the practices. He raised about $20 million for the Gaffken & Barriger Fund — the real-estate investment — from January 1998 to March 2008, according to the SEC. It said Campus Capital raised $12 million from October 2001 to July 2008. Source:

16. May 13, Bloomberg News – (District of Columbia; Texas) Security lax for new $100 bills at printing plants, audit says. The U.S. government left millions of $100 bills inadequately protected at a currency-printing plant with windows that lacked security features, the Treasury Department’s inspector general said in an audit report released May 13. About 54.4 million new $100 bills and 4 million uncut sheets of notes had “inadequate security” at a Bureau of Engraving and Printing (BEP) plant in Washington, D.C., according to the inspector’s report. The audit also criticized security at the bureau’s Fort Worth, Texas, facility. The finished bills were “wrapped in protective plastic, but were not stored in a locked security cage,” the audit said. As of January 2011, some notes had been stored in the production area for more than 9 months even though finished notes usually “are moved to a secure, limited-access vault shortly after production.” The production area had 26 windows that lacked “protective security features,” the report said. The $100 bills also were at “increased risk of theft and loss” because about 225 employees had access to the production area, compared with 21 workers who are allowed into the vault. In a response included with the audit, the BEP said it would move bills and sheets that were not yet finished into vaults. Still, the money was always safe, it said. “After careful consideration, and based on multiple compensating controls, such as cameras, access control systems, locking mechanisms, etc., the BEP stored finished notes in highly secure space,” the bureau said. Source:

Information Technology

44. May 17, IDG News Service – (International) Researcher: Dropbox misrepresents security features. Cloud data storage and synchronization company Dropbox has been hit with a complaint by the U.S. Federal Trade Commission (FTC) alleging the company has deceived consumers about the level of encryption security it offers. In a letter sent to the FTC, a University of Indiana PhD and security researcher claimed while Dropbox encrypted every file it stored, this could be reversed by employees, undermining the company’s security credibility. Not only did this design fall short of “industry best practices”, the researcher wrote, it also represented a serious security risk the company was not being upfront about. “Dropbox has and continues to make deceptive statements to consumers regarding the extent to which it protects and encrypts their data,” he wrote. “Dropbox’s customers face an increased risk of data breach and identity theft because their data is not encrypted.” He believes Dropbox deceived its users, infringing Section 5 of the FTC Act. Source:

45. May 16, Softpedia – (International) Dangerous Linux denial of service vulnerability disclosed as 0-day. Greyhat hackers from Goatse Security have published the details of a dangerous denial of service vulnerability affecting many Linux distributions. The flaw can be exploited by tricking users into opening an overly-long, specially-crafted apt:// URL in a browser that supports the protocol. Because the advanced packaging tool is a common Linux software manager application, a large number of distributions are affected. This includes the popular Debian, Ubuntu, Fedora, Red Hat Enterprise Linux, and SUSE Linux Enterprise Desktop, but also Alinex, BLAG Linux and GNU, CentOS, ClearOS, DeMuDi, Feather Linux, Foresight Linux, gnuLinEx. gNewSense, Kaella, Knoppix, Linspire, Linux Mint, Musix, GNU/Linux, Parsix, Scientific Linux, and Ututo. Successful exploitation of the vulnerability crashes the X session with an “Unexpected X error: BadAlloc (insufficient resources for operation) serial 1779 error_code 11 request_code 53 minor_code 0)” error. In addition to this denial of service vulnerability, the Goatse Security greyhats also released an exploit for a theme rendering bug in GNOME that makes buttons disappear and leaves users with relogin as the only option. Source:

46. May 16, Computerworld – (International) Windows scareware fakes impending drive disaster. Scammers are trying to trick Windows users into paying to fix fake hard drive errors that have apparently erased important files, a researcher said May 16. The con is a variant of “scareware,” also called “rogueware,” software that pretends to be legitimate but is a sales pitch based on spooking users into panicking. Most scareware masquerades as antivirus software. But a Symantec researcher has found a new kind of scareware that impersonates a hard drive cleanup suite that repairs disk errors and speeds up data access. Dubbed “Trojan.Fakefrag” by Symantec, the fake utility ends up on a Windows PC after its user surfs to a poisoned site — often because the scammers have manipulated search engines to get links near the top of a results list — and falls for a download pitch. “[Trojan.Fakefrag’s] aim is to increases the likelihood of you purchasing a copy of Windows Recovery by craftily convincing you your hard drive is failing,” the researcher said, referring to the name of the fake suite the trojan shills. Source:

47. May 16, The Register – (International) 99% of Android phones leak secret account credentials. The vast majority of devices running Google’s Android operating system are vulnerable to attacks that allow adversaries to steal the digital credentials used to access calendars, contacts, and other sensitive data stored on the search giant’s servers, university researchers have warned. The weakness stems from the improper implementation of an authentication protocol known as ClientLogin in Android versions 2.3.3 and earlier, the researchers from Germany’s University of Ulm said. After a user submits valid credentials for Google Calendar, Contacts, and possibly other accounts, the programming interface retrieves an authentication token that is sent in cleartext. Because the authToken can be used for up to 14 days in any subsequent requests on the service, attackers can exploit them to gain unauthorized access to accounts. Google patched the security hole earlier in May with the release of Android 2.3.4, although that version, and possibly Android 3, still cause devices synchronizing with Picasa Web albums to transmit sensitive data through unencrypted channels, the researchers said. Based on Google’s own statistics, this means more than 99 percent of Android-based handsets are vulnerable to the attacks, which are similar in difficulty and effect to so-called sidejacking exploits that steal authentication cookies. Source:

48. May 16, CNET News – (International) Facebook, spammers are in ‘arms race’. Within days of Facebook implementing new security features designed to block spam, several new social-engineering attacks were spreading that managed to side-step the company’s antispam defenses, a Facebook spokesman told CNET May 16. The company began turning on a feature the week of May 9 that displays warnings when it detects users are about to be tricked by cross-site scripting (XSS) and clickjacking attacks. In such attacks, users are tricked into clicking something (clickjacking) or pasting some code into their browser Web address bar (XSS). Yet there were several XSS attacks the weekend of May 14 and 15, and warnings were not displayed. In all the attacks, the user action results in the spam messages being re-posted to the victim’s Facebook pages and those of their friends. Ultimately, surveys are proffered for the victim to fill out. The spammers receive money for each survey completed, and the farther the spam spreads, the more money that can be made. A threat analyst at M86 said he suspected some of the spam was getting past Facebook’s defenses by obfuscating the Javascript. Facebook seems to have made it harder for spammers to create campaigns that automatically execute and spam users’ friends, so that victims are sent off to external sites and required to cut and paste text into their browsers, he said. Source:

Communications Sector

See item 47 above in the Information Technology Sector.

Tuesday, May 17, 2011

Complete DHS Daily Report for May 17, 2011

Daily Report

Top Stories

• Firefighters worked more than 12 hours over 2 days to extinguish a fire at a biodiesel plant that caused explosions and millions in damage, and injured three firefighters. (See item 2)

2. May 16, Erie Times-News – (Pennsylvania) Firefighters return for rekindle of Harborcreek biodiesel plant blaze. Firefighters returned to a burning biodiesel plant in Harborcreek Township, Pennsylvania May 15 after flames rekindled in several areas of the facility. Light, hazy smoke rose off the building, the home to American Biodiesel Energy Inc. and North American Powder Coatings. Firefighters from at least five companies were called to the property, at 4680 Iroquois Avenue, at 7:30 p.m. Flames shot at least 100 feet and thick, black smoke billowed from the business. Nearby residents reported hearing multiple explosions. One sent a large piece of sheet metal flying about 200 feet. Firefighters were still there 2 hours later. Much of the building had burned May 14. About 100 firefighters from multiple volunteer departments had spent more than 6 hours controlling the blaze then. Three were injured. Investigators have not yet determined what caused the fire. The south wall of the building was intact May 15. Firefighters entered through a side door. A first assistant chief of Fairfield Hose Co. said all of the building except for the warehouse, was destroyed. Fire and rescue crews responded to the blaze May 14 at 8:18 p.m. The first assistant chief said it took 6 to 7 hours to get the fire under control, and 4 to 5 more hours before it was out. He headed back May 15 with Pennsylvania State Police to get their first look inside the remains of the building and try to determine how the fire began. Rescue crews were at first uncertain whether anyone was trapped in the structure May 14. “There was nobody inside the building that we know of,” the assistant chief said May 15. The plant’s heavily damaged front half contained equipment worth several million dollars, the building’s owner said. American Biodiesel Energy converts used cooking oil into biodiesel. Source:

• The opening of spillway floodgates forced thousands of residents of towns along the Mississippi River in Louisiana to evacuate their homes, which along with 3 million acres of farmland, were in the path of hundreds of millions of gallons of water. (See item 62)

62. May 15, CNN – (Louisiana) Louisiana residents rush to protect homes, escape from looming floods. Residents of towns along the swollen Mississippi River May 15 packed up their valuables and made last-ditch efforts to place sandbags and makeshift levees outside their homes, trying to protect themselves and their homes from rising waters. These efforts occurred as the U.S. Army Corps of Engineers opened two additional gates on the Morganza spillway, located about 115 miles northwest of New Orleans, Louisiana. This is after opening the first two bays the previous day. The plan is to let out water from as many as one-fourth of the spillway’s 125 bays to spare the Louisiana cities of Baton Rouge and New Orleans from severe flooding, a Corps spokesman has said. But it may still affect nearly 4,000 people who live along the river, as it sends water toward homes and farmland in the Atchafalaya Basin, according to Louisiana’s governor. Some of the spillway’s gates will likely be open for weeks, and it will be at least that long before the river falls safely below flood stage and those who have evacuated can safely return, said the Corps’ New Orleans district commander. While the spillways will divert water away from Louisiana cities, low-lying central parts of the state will be flooded. Across the South and lower Midwest, floodwaters have already covered about 3 million acres of farmland, eroding for many farmers what could have been a profitable year for corn, wheat, rice and cotton, officials said. Source:


Banking and Finance Sector

14. May 16, Times of Trenton – (New Jersey) Cops: Pair had 180 fake credit cards, $13,000 in cash. Two California residents were apprehended by township police in Cinnaminson, New Jersey, May 14 after a traffic stop and pursuant warrant search yielded 180 counterfeit credit cards and more than $13,000 in cash, officials said. The two suspects were charged with possession of more than 50 counterfeit credit cards, two counts of credit card fraud, and one count of attempted credit card fraud. The duo was remanded to the Burlington County Jail, and their bail was set at $135,000 cash each, police said. Detectives later learned the suspects were staying at a Mount Laurel inn, and police there, along with officials from the U.S. Secret Service, executed a signed warrant on their rooms. The search yielded more evidence, and the investigation is ongoing. Source:

15. May 15, Seattle Times – (Washington) Tacoma police, Army investigate fraud scam. The U.S. Army and Tacoma, Washington, police are investigating a fraud ring that last year allegedly bilked Army and Air Force Exchange Service stores out of about $500,000 in merchandise, and also hit other businesses that extend credit. Promoters of the scheme promised to reduce debt, persuading some 1,800 people, including dozens of soldiers, to participate. Those people allowed the promoters electronic access to their credit accounts to pay down bills. More than $3 million used to pay those debts was illegally diverted from a bank in Ohio, according to investigative documents and interviews with law-enforcement and bank officials. Now some of the soldiers who accepted the deal risk being charged as co-conspirators in crimes of wire fraud and larceny, according to investigative documents. At Joint Base Lewis-McChord in Washington State, 78 soldiers have come under scrutiny, according to the Army. At least 46 of those soldiers are facing disciplinary actions, including more than a dozen who were charged through the military judicial system. Pierce County prosecutors have yet to file any charges in the case. Source:

16. May 14, Federal Bureau of Investigation – (Utah) Utah man indicted in fraudulent lien scheme. An indictment unsealed May 12 in federal court in Salt Lake City, Utah, charges a 53-year-old man from Ogden, Utah, with violations of federal law in connection with alleged schemes to obstruct justice, impede Internal Revenue Service (IRS) laws, pass fictitious documents purporting to be actual financial instruments, assert diplomatic immunity, and defraud others through the use of a fraudulent lien scheme. Ten counts of the indictment, which allege attempted mail fraud or mailings in furtherance of a scheme and artifice to defraud, relate to conduct that started with traffic stops in Ogden and continued through subsequent court proceedings in Weber County. The indictment alleges that in November 2010, the man mailed documents to the attention of various employees or entities of the State of Utah, Weber County, Ogden City, and the Ogden Police Department, which claimed the agencies contracted to pay more than $53 trillion in damages to the man. In an apparent effort to create an appearance of indebtedness, the man followed up by filing a lien against the various employees and entities falsely asserting they owed him more than $53 trillion. The lien was filed on 77 parcels located within Weber County, including municipal property and private residences associated with the employees and entities. The indictment also charges the man with obstructing justice in an effort to impede a matter in U.S. Tax Court by repeatedly filing false and frivolous documents involving the judge in an IRS case, and impeding internal revenue laws. Two counts of the indictment also allege he passed fictitious documents to the U.S. Department of Treasury. Source:

17. May 13, Associated Press – (North Carolina) Greensboro man pleads guilty in $9 million scheme. Federal prosecutors said a Greensboro, North Carolina, man has pleaded May 13 to wire fraud and money laundering in a $9 million investment scheme. From 2006 to 2009, prosecutors said the man told investors their money would be invested in different businesses and that they would get their returns when his contracts expired, handing out promissory notes detailing due dates and interest rates. But prosecutors said the man instead used the cash to pay other investors, bought himself cars and trips and paid off a $1 million loan on his Bald Head Island, North Carolina, home. In all, prosecutors said he took more than $9 million from investors. He faces up to 30 years in prison when he is sentenced in August. Source:

18. May 13, Washington Post – (District of Columbia) D.C. man guilty in bank robbery spree. A 64-year-old Washington, D.C. man pleaded guilty May 14 to robbing 11 banks in the city in a 16-month spree that ended with his arrest in March. The man, who typically claimed to have a gun or a pipe bomb but never showed a weapon, also admitted trying to rob a twelfth bank. Each of the dozen counts against him carries a possible sentence of 20 years in prison, authorities said. Beginning November 23, 2009, the convict robbed a half-dozen Chevy Chase Bank branches, three branches of PNC Bank, and one branch each of Capital One and SunTrust banks, the U.S. attorney’s office said. He also attempted to rob a fourth PNC branch. “In nearly a dozen bank robberies, this prolific bank robber netted just $22,000,” the U.S. attorney said. Source:

Information Technology

46. May 16, IDG News Service – (International) PlayStation Network, Qriocity back for most users. Basic services on the PlayStation Network and Qriocity services were switched on for users in North America, Europe, the Middle East, Australia, and New Zealand for the first time in more than 3 weeks, but users in Asia face a longer wait for service to resume. Sony pulled the plug on the two online services after discovering April 19 that its data center in San Diego, California, was attacked. A subsequent computer forensics investigation into the hack revealed the massive theft of personal information including user names, e-mail addresses, login IDs, and passwords. The PlayStation Network is a platform for online gaming, and a channel through which Sony sells games and other content to console and handheld owners. Qriocity is an online service for Sony’s networked consumer electronics products that offers music and video content. Service was resumed in North America late May 14 and in other markets May 15. PlayStation users were being asked to download a firmware update for the console before they can reconnect to the network. Then, upon login, users must change their password. The only issue in the resumption of services came in the password reset process, which was slowed because of the large number of e-mail messages generated by the system. Some e-mail and Internet service providers temporarily throttled messages from Sony due to the high volume resulting in short delays. Sony also halted the password reset process for 30 minutes to clear a backlog of messages. Source:

47. May 16, Softpedia – (International) infects visitors with malware. Security researchers from cloud security provider Zscaler warn that technology Web site was compromised and many of its pages were executing drive-by download attacks against visitors. is one of the oldest technology news Web sites. Attackers managed to inject rogue IFrames into different portions of the site, both within articles and the site’s main pages such as home, about us, etc. According to a senior security research engineer at Zscaler, there are multiple infections and the iframes take visitors to different malicious Web sites. One example is the rogue code injected into an article, which redirects visitors to an exploit kit. These kits perform various checks to determine what versions of certain program users have installed on their computers and then serve exploits for vulnerabilities in those products. The most commonly used applications such as Java Runtime Environment, Flash Player, Adobe Reader, or the browser itself are usually targeted. Source:

48. May 13, Softpedia – (International) Google’s doodles exploited to distribute scareware. Scareware distributors are exploiting the search traffic generated by Google’s anniversary doodles to infect users with fake antivirus programs. Google habitually honors different individuals or celebrates various holidays by changing their logo with graphics drawn specifically for that occasion which are dubbed “doodles.” If the celebration has an international significance, Google changes the logo on all of its localized Web sites. When clicked, these doodles lead users to a Google search page for a set of keywords related to the event. For example, the week of May 9, Google replaced its logo with a doodle to honor an internationally recognized American modern dance legend. Clicking on the doodle took users to Google search results for the dancer, with the third entry on the page being a slide of image results from Google Images. According to security researchers from German antivirus vendor Avira, several of the images displayed in those search results were linking to malicious scareware pages. Clicking on them took users to Web sites displaying fake antivirus scans and distributing a rogue security application to help them clean fictitious infections found on their computers. Source:

49. May 13, H Security – (International) Backwards Unicode names hides malware and viruses. AV vendor Norman discovered malware that camouflages its file name via special Unicode characters. For instance, they may show up as exe.importantdocument.doc in the e-mail client or in Windows Explorer. However, an executable file that will still be treated as such by the system, and launched when double-clicked, is hidden behind this file name. Norman’s virus analyst said this effect is caused by such Unicode characters as 0x202E (right-to-left override) and 0x202B (right-to-left embedding). When located in the right place, a file name such as cod.stnemucodtnatropmi.exe suddenly turns into some “important documents.” The telltale “exe” at the beginning can be hidden further. For instance [RTLO]cod.yrammusevituc[LTRO]n1c[LTRO].exe turns into the seemingly harmless n1c.executivesummary.doc when displayed in Explorer, which is unlikely to raise suspicion. However, the system will still recognise the “.exe” file extension and treat the file accordingly. Source:

For another story, see item 51 below

Communications Sector

50. May 16, Twinsburg Bulletin – (Ohio) Dix websites’ ad server attacked by malware. The Web banner server on Dix Communications newspaper Web sites, including the www(dot), was attacked by a computer spyware virus earlier in May. The malware virus can download itself onto Windows-based computers, attempting to steal data. Users may have received a warning page generated by their browser software for a limited period on the afternoon of May 6. “Unfortunately, malicious attacks like this are too common on the Internet,” the president of the Internet Division of Dix said. “The virus was identified and removed promptly, but illustrates the risks prevalent on the Internet. Most people running PCs these days run updated anti-virus software on their personal computers, and their anti-virus software should have stopped this type of attack.” The FBI was contacted about the attack, and steps have been taken to further protect Dix Web sites and their users from future attacks. Dix said no data was breached on its servers during the attack. Source:

51. May 13, IDG News Service – (International) Microsoft explains recent hosted e-mail outages. Microsoft offered some details about outages that recently plagued its hosted e-mail customers in the Americas. In a blog post May 12, Microsoft described four separate issues that occurred the week of May 9 that prevented or delayed e-mail delivery. The first started at 9:30 a.m. May 10 on the West Coast when “malformed e-mail traffic” stopped the e-mail service from working, despite a capability in the service designed to handle such traffic, the corporate vice president of Microsoft Online Service wrote. Microsoft isolated the problem traffic at noon, but customers faced total delays of 6 to 9 hours for e-mail delivery. A similar issue with malformed traffic hit at 9:10 a.m. and again at 11:35 a.m. May 12. The second issue resulted in the backup of 1.5 million messages waiting to be delivered. That meant some customers may have experienced e-mail delivery delays of as long as 3 hours, he said. The final incident happened the afternoon of May 12 with a Domain Name Service failure on the site that hosts Web access to Outlook in the Americas. The issue prevented users from accessing Outlook Web Access, and impacted some functions of Microsoft Outlook and Microsoft Exchange ActiveSync devices. That problem took about 4 hours to fix. Source: