Friday, May 20, 2011

Complete DHS Daily Report for May 20, 2011

Daily Report

Top Stories

• According to the Associated Press, a Kentucky coal mine has been issued 10 withdrawal orders a month after federal regulators hit the mine’s operator with a first-ever pattern of violations notice. (See item 3)

3. May 18, Associated Press – (Kentucky) Ky. mine hit with 10 withdrawal orders in May. A Kentucky coal mine has been issued 10 withdrawal orders a month after federal regulators hit the mine’s operator with a first-ever pattern of violations notice. The U.S. Mine Safety and Health Administration (MSHA) announced the orders at Abner Branch Rider Mine in Leslie County May 18, saying inspectors found multiple violations at the Bledsoe Coal Corp’s mine in May. The mine was one of the first two ever issued a pattern of violation notice. The agency took the action in April, also citing the New West Virginia Mining Co.’s Apache Mine in McDowell County, West Virginia. That mining operation is currently idle. The 10 orders in May fall under the pattern of violations notice. Under the Federal Mine Safety and Health Act of 1977, MSHA may order miners withdrawn from a mine each time the agency issues a significant and substantial violation. The order remains in place until the violation is corrected. A mine operator can be removed from pattern of violation status only after a complete inspection is done without a significant and substantial violation citation being issued. The 10 withdrawal orders include 2 issued May 3 because the mine roof was not adequately supported to prevent a potential roof fall. Three were issued May 10 for inadequate ventilation controls and inadequate roof, rib, and face support, causing the withdrawal of more than 30 miners working over three shifts. Inspectors found ventilation controls between the secondary escapeway and the belt entry had become damaged and difficult to open. The order related to inadequate ventilation controls was terminated the following day when the operator installed a pressure relief slider in the personnel door, and made modifications to enable the doors to easily open. Source:

• KHOU reports newly released e-mails from the Texas Commission on Environmental Quality show the agency’s top commissioners told staff to continue lowering radiation test results in defiance of federal Environmental Protection Agency rules. (See item 28)

28. May 19, KHOU 11 Houston – (Texas) Texas politicians knew agency hid the amount of radiation in drinking water. Newly released e-mails from the Texas Commission on Environmental Quality (TCEQ) show the agency’s top commissioners directed staff to continue lowering radiation test results in 2007, in defiance of federal Environmental Protection Agency (EPA) rules, KHOU 11 Houston reported May 19. The e-mails and documents, released under order from the Texas Attorney General to KHOU, also show the agency was attempting to help water systems avoid formally violating federal limits for radiation in drinking water. Without a formal violation, the water systems did not have to inform their residents of the increased health risk. Under federal law, Texas and other states are only allowed to enforce EPA rules, according to the Safe Drinking Water Act, if the EPA determines the state has adopted drinking water standards that are “no less stringent” than the federal rules. A spokesperson for the Texas governor said the governor expects the TCEQ and all state agencies to follow all the laws that are on the books, which the spokesperson said the TCEQ began doing after a 2008 audit by the EPA. Source:


Banking and Finance Sector

13. May 18, KMOV 4 St. Louis – (Missouri) Suspected serial bank robber arrested, could be charged with eleven robberies. Federal and local authorities in St. Louis, Missouri, said May 18 they have arrested a suspect in a string of bank robberies dating back to August 2010. The 37-year-old man was tracked down and arrested without incident at a hotel in St. Louis. The arrest was the result of the investigative efforts of the FBI, St. Louis County, and city police. The suspect has been charged with the robbery of the Montgomery Bank in the 3800 block of Union in St. Louis County May 16. Investigators said an alert witness gave police a good description of the getaway vehicle. That vehicle was spotted May 17 and the man was arrested May 18. Authorities believe the suspect is responsible for as many as 10 other bank robberies. Source:

14. May 18, Reuters – (Ohio) Columbus police comb city for mullet-wearing bandit. Police in Ohio are searching for a mullet-wearing bandit they said has been on a bank-robbing spree across the state. A man is a suspect in at least two bank robberies in Columbus over the past 2 weeks, an FBI Special Agent told Reuters, and may have been involved in a third holdup. The latest heist took place May 18 at a Fifth-Third bank branch on Holt Road in Columbus. The suspect, who wears a Seattle Mariners baseball cap and large dark sunglasses and carries an oversized book bag, walked into the bank shortly after 9 a.m., the special agent said. After waiting his turn in line, he went up to a teller and passed a note saying he was robbing the bank. The same suspect is believed to have held up a branch of Chase Bank on Polaris Parkway in Columbus May 5, and the FBI said he may also have been involved in a robbery in northeast Ohio. Source:

15. May 18, Savannah Morning News – (National) Savannah’s serial bank robber strikes Pooler. Savannah, Georgia’s brazen bank robber — who did not bother to hide his face when he walked into two southside banks during one week in April, pulled a gun and demanded cash — struck again May 18. This time, it was a Pooler bank, located across the street from police headquarters. “He seems to be knowledgeable of how to go about the business of robbing a bank,” said the FBI’s resident agent in charge for Savannah. The May 18 robbery happened at 10:10 a.m. at the Bank of America, located at 105 U.S. 80 East, across Rogers Street from the Pooler police headquarters. The robber followed pretty much the same plan he did in the April 8 robbery of the SunTrust bank located inside the Kroger at 318 Mall Boulevard and the April 13 robbery of the Bank of America, located at 7802 Abercorn Street, less than a half mile away from the SunTrust branch. He walked into the bank wearing long sleeves and a baseball cap, handed the teller a note demanding money, and pulled out a gun and set it on the counter. The teller handed over an undisclosed amount of cash May 18. The FBI agent in charge said the robber peeled through the bills to make sure they did not contain dye packs. In the two previous robberies, the man is believed to have fled in a blue Chevy Astro van with a Georgia tag, but the FBI agent in charge said he may have used a gold vehicle for the May 18 job. He is believed to be working alone. Source:

16. May 18, Tempe East Valley Tribune – (Arizona) Bank offers reward in branch robberies. Wells Fargo Bank is offering up to a $5,000 reward for information leading to the arrest and conviction of a man who has committed eight robberies at numerous branches throughout the East Valley in Arizona since November 23, including robbing a branch in Gilbert twice. FBI investigators believe the robberies were committed by the same suspect, whom they have dubbed the “Black Binder Bandit” because he carries a black binder or black bag when approaching bank tellers and has been seen on video surveillance wearing different caps or hats and sunglasses. In addition to robbing banks throughout Chandler, Gilbert, Mesa and Tempe, the man also robbed a branch of Bank of America at 2998 N. Alma School Road in Chandler January 7. Source:

17. May 18, – (International) Free trial scams targeted by Feds. The Federal Trade Commission (FTC) announced May 17 it has taken legal action against an online operation that allegedly raked in more than $450 million from consumers worldwide by luring them into “free” or “risk-free” trials on a variety of different products. The FTC has filed a complaint against a man and the companies he controls, alleging that his online “free trials” for various products, including acai berry weight-loss pills, tooth whiteners and dietary supplements, were merely bogus attempts to swindle consumers. “The defendants used the lure of a ‘free’ offer to open an illegal pipeline to consumers’ credit card and bank accounts,” the director of the FTC’s Bureau of Consumer Protection said in a written statement. The companies targeted consumers in the United States, Canada, Great Britain, Australia and New Zealand. The FTC said it plans to stop the illegal practices and make the defendants repay defrauded consumers. As part of its complaint, the FTC is also charging the man and his co-defendants with running phony work-at-home schemes, providing access to non-existent government grants, offering but not providing free credit reports, and running penny auctions. The defendants undertook these scams under various company names that include Just Think Media, Credit Report America, eDirect Software, WuLongsource, and Wuyi Source. They have also operated under the names Terra Marketing Group, Circle Media Bids Limited, Coastwest Holdings Ltd., Farend Services Ltd, JDW Media LLC, Net Soft Media LLC, Sphere Media LLC, and True Net LLC. Source:

Information Technology

43. May 19, Help Net Security – (International) OpenSSL weakness can expose sensitive information. A weakness has been reported in OpenSSL that can be exploited to disclose potentially sensitive information, according to Secunia. The weakness is caused by the implementation of the Elliptic Curve Digital Signature Algorithm (ECDSA) not properly preventing timing attacks, which can be exploited to, for example, disclose the private key of a TLS server using ECDSA signatures. Source:

44. May 19, Help Net Security – (International) Mac Protector: Fake AV targets Mac OS X users. A new rogue AV is targeting Mac users. The name of the rogue AV is Mac Protector, and according to McAfee, the downloaded Trojan contains two additional packages: macprotector(dot)pkg (the application) and macProtectorInstallerProgramPostflight(dot)pkg (a bash script that launches Mac Protector once it is installed). As with MAC Defender, an earlier rogue AV targeting Mac users, the application requires root privileges to be installed, so the user is asked to enter the password. “Mac Protector is very sophisticated and uses a lot of resources to appear as a real anti-virus app to the user. There are a lot of images and sounds in the package that simulate system scanning, show the alerts, etc.,” McAfee said. “Mac Protector will perform a fake scan on the system, and will show rootkits and spyware detections for real and current processes.” Copying MAC Defender again, Mac Protector tries to convince the user his computer is infected by opening browser windows to sites with adult content. Once the fake scan is finished, the rogue AV tells the user he must register the app for it to be able to clean the system. To do that, the user is asked to submit credit card data. Source:

45. May 18, Computerworld – (International) Google moves fast to plug Android Wi-Fi data leaks. Google May 18 confirmed it is starting to release a server-side patch for a security vulnerability in most Android phones that could let hackers snatch important credentials at public Wi-Fi hotspots. “Today we’re starting to roll out a fix which addresses a potential security flaw that could, under certain circumstances, allow a third party access to data available in Calendar and Contacts,” a Google spokesman said in an e-mailed statement. “This fix requires no action from users and will roll out globally over the next few days.” Because Google is applying the fix on its servers, it does not need to issue an over-the-air update to Android phones. According to the University of Ulm researchers, who tested another researcher’s contention last February that Android phones sent authentication data in the clear, hackers could easily spoof a Wi-Fi hotspot and then steal data users’ phones transmitted during synchronization. In Android 2.3.3 and earlier, the phone’s Calendar and Contacts applications transmit data via unencrypted HTTP, then retrieve an authentication token from Google. Hackers could eavesdrop on the HTTP traffic at a public hotspot, lift authentication tokens, and use them for up to 2 weeks to access users’ Web-based calendars, contacts, and the Picasa photo storage and sharing service. Source:

46. May 18, IDG News Service – (International) Sony takes down PlayStation Network after URL error. Sony was forced to take part of its PlayStation Network offline briefly May 18 as it fixed a Web glitch that gave hackers a way to take over users’ accounts. Sony was hacked in April, and since May 14 had been bringing its PlayStation Network (PSN), Sony Online Entertainment network, and Qriocity sites back online. To lock down the networks’ security, Sony asked users to reset their passwords, but now a Web programming error has halted that process. According to a discussion forum posting by Sony, the company has turned off its sign-in feature for, Qriocity, PlayStation blogs, forums, and gaming Web sites as well as Music Unlimited on the Web. Midday May 18, the company gave a vague description of what had happened. “We temporarily took down the PSN and Qriocity password reset page,” a Sony spokesman said. “In the process of resetting of passwords there was a URL exploit that we have subsequently fixed.” Contrary to some reports, the site had not been hacked, he said. Sony did not say exactly what it meant by “URL exploit,” but according to the gaming blog Nyleveia, Sony’s password reset page was configured so that anyone who knew their victim’s e-mail address and birth date could take over that account. The spokesman said this was due to a “vulnerability in the password reset form,” but did not publish details of how the password reset could be done. “Consumers who haven’t reset their passwords for PSN are still encouraged to do so directly on their PS3,” he wrote. “Otherwise, they can continue to do so via the website as soon as we bring that site back up.” Source:

47. May 16, Softpedia – (International) New Alureon version employs sophisticated encryption. Security researchers from Microsoft have come across a new version of Alureon malware that uses sophisticated obfuscation techniques to evade antivirus detection and analysis. Alureon is a family of trojans that intercept Internet traffic to steal log-in credentials, credit card data, and other sensitive information. Malicious programs from this family commonly use DNS hijacking techniques to achieve their goals, causing some infected computers to exhibit rogue DNS entries. The new Alureon version found by Microsoft researchers is different as it borrows encryption techniques from Win32/Crypto, a virus that dates back to 1999. Win32/Crypto encrypted its payload with a key whose recovery from the PE header required brute-forcing attacks executed by the malware itself. Microsoft’s malware researchers said while reviewing Win32/Alureon samples, they found they used Win32/Crypto-style decryption to elude anti-virus scanners. But the new Alureon uses an even more sophisticated method. It can take up to 255 retries to recover the decryption key, which, unlike Win32/Crypto, is spread across the entire PE image, between other code and resources. This makes recovering the encrypted file much more complicated for malware analysts, and makes detection harder for antivirus programs. Source:

Communications Sector

48. May 19, WOOD 8 Grand Rapids – (Michigan) Computers down at Sec of State branches. A computer system problem is interrupting transactions at Michigan Secretary of State branches in Lansing, Michigan. The Michigan Department of Technology, Management and Budget said May 19 it is working to correct an outage that occurred May 18 on a mainframe computer that supports secretary of state branch office systems. The problem stems from a broken fiber link. Secretary of state branch offices are open, but citizens visiting them will not be able to conduct most business transactions until further notice. Branches are not able to finish driver’s license or vehicle registration functions. No time estimate is available for restoration of service. Source:

Thursday, May 19, 2011

Complete DHS Daily Report for May 19, 2011

Daily Report

Top Stories

• Associated Press reports the U.S. Coast Guard May 17 shut down for many hours a 15-mile stretch of the swollen Mississippi River near Natchez, Mississippi, idling barges carrying everything from coal and steel to half of America’s grain exports. (See item 16)

16. May 18, Associated Press – (National) Mississippi River segment shut, then reopened to barges. The U.S. Coast Guard (USCG) reopened the swollen Mississippi River north of New Orleans, Louisiana May 17, allowing cargo vessels on the nation’s busiest waterway to pass one by one in the latest effort to reduce pressure from rising floodwaters. A 15-mile stretch at Natchez, Mississippi, had been closed earlier in the day, blocking vessels heading toward the Gulf of Mexico and others trying to return north after dropping off their freight. Had the channel remained closed, it could have brought traffic to a standstill up and down the mighty river, which moves about 500 million tons of cargo each year. And the interruption could cost the U.S. economy hundreds of millions of dollars for every day that it idled barges carrying coal, timber, iron, steel and more than half of America’s grain exports. USCG officials said wakes generated by passing barge traffic could increase the strain on levees designed to hold back the river. Authorities were also concerned barges could not operate safely in the flooded river, which has risen to the level of some docks and submerged others. It was not clear how long barges would be able to move just one at a time through the section. The river is expected to stay high in some places for weeks. The USCG did not have comprehensive figures on how many vessels were immediately affected, but the agency stopped at least 10 near Natchez. In past closures, those numbers have grown quickly. In 2008, the agency halted 59 ships within a day of shutting down a stretch of the river near New Orleans because of a barge and tanker collision. On a typical day, 600 barges move up and down the river, according to a spokesman for the Mississippi Valley Division of the U.S. Army Corps of Engineers. Source:

• According to WCMH, the U.S. Drug Enforcement Administration suspended the prescription-dispensing licenses of four physicians and a pharmacy because of the large volume of controlled substances they dispensed. (See item 32)

32. May 17, WCMH 4 Columbus – (Ohio) 4 Ohio doctors, 1 pharmacy lose licenses for controlled substances. The U.S. Drug Enforcement Administration (DEA) has announced that four doctors and a pharmacy operating in Scioto County, Ohio, have had their DEA Certificate of Registration suspended. The Special Agent in Charge said the DEA served Immediate Suspension Orders (ISO) on four physicians and on Prime Pharmacy of Portsmouth. This administrative action suspends the physicians’ and pharmacy’s authority to prescribe or dispense Schedule II-V controlled substances. The ISOs are based on a preliminary finding by DEA that the continued registration of the doctors and pharmacy constitutes an imminent danger to public health and safety. According to the DEA, one of the doctors is one of the largest dispensers of controlled substances in the United States. Two other doctors, both of whom previously worked at Southern Ohio Complete Pain Management in Portsmouth, are responsible for the prescribing of hundreds of thousands of oxycodone products and anti-anxiety medications over the past 2 years. The suspension order at Prime Pharmacy prohibits the employees from continuing to possess, order, or dispense Schedule II – Schedule V controlled substances, such as hydrocodone and oxycodone. In addition, the DEA served notice of an Order to Show Cause on Physicians Pharmacy of Piketon. This is a business that has applied for a DEA Certificate of Registration to handle controlled substances. The physicians and businesses received written notice of the factual and legal basis for this action. All will be given an opportunity for an administrative hearing on the ISOs and the Order to Show Cause. At that time, the physicians and businesses listed above may contest whether the suspension orders should be lifted and their certificates of registration reinstated. Source:


Banking and Finance Sector

12. May 18, Santa Maria Times – (California) Woman faces federal fraud charges. A Nipomo, California woman who ran a bookkeeping service in Santa Maria pleaded not guilty May 16 to 18 federal counts involving fraudulent tax returns, identity theft and fraudulent loan applications. The 39-year-old woman was arrested May 16 by special agents with the Internal Revenue Service (IRS) Criminal Investigation Division and the FBI at her office in Santa Maria. She is charged with eight counts of making false claims to the IRS, three counts of aggravated identity theft, five counts of making false statements on loan applications, and two counts of making false statements to the FBI. The indictment alleges the woman stole several people’s identities, and used their names and Social Security numbers on fraudulent tax returns to obtain refunds from the IRS. The returns allegedly listed income the taxpayers did not earn, and claimed credits for a brother and several children and grandchildren who were not the taxpayers’ dependents. The indictment said the fraudulent tax refunds totaled $27,950, but it does not specify if all that money allegedly went to the woman. She is also charged with submitting false personal and corporate income tax returns to Santa Lucia Bank in applications for $1.64 million in loans. The indictment also charges the woman with lying to the FBI twice in 2007 about collaborating with loan officers to create false tax documents and provide false employment verification for borrowers. Source:

13. May 17, The Sacramento Bee – (California) Eight arraigned in Sacramento-area mortgage fraud scheme. An indictment returned May 12 by a federal grand jury in Sacramento, California charges eight Sacramento-area residents with wire and mail fraud in connection with an alleged mortgage fraud scheme that involved multiple properties in the Sacramento area and operated from late 2006 to late 2007. The indictment alleges the defendants were responsible for originating more than $16.3 million in residential mortgage loans on 14 homes purchased through so-called straw buyers. All of the homes went into foreclosure, causing losses of approximately $9.6 million, according to a federal Department of Justice news release. According to the indictment, the suspects prepared loan applications containing materially false information about the straw buyers’ income, employment, assets and liabilities, and intent to occupy the residences, and a real estate broker presented the fraudulent applications to lending institutions. They then allegedly created shell companies, or used companies that had no connection with the properties, for use in submitting invoices to falsely claim that they had made repairs to the properties. They then received payments from escrow to which they were not entitled, officials said. Source:

14. May 17, Associated Press – (Nebraska) Ex-Nebraska City broker pleads no contest to fraud. The trial of one of two former Nebraska City, Nebraska brokers accused of bilking more than 150 investors out of more than $20 million abruptly ended May 17 when he pleaded no contest to four charges of securities fraud, prosecutors said. One of the suspects originally faced eight felony counts of intentional securities fraud. As part of the plea agreement, prosecutors amended the charges, so they were based on inadvertent omissions of information, not intentional acts. The man and his accomplice were accused of improperly selling risky investments in several interrelated Florida companies to investors. Prosecutors said the two invested clients’ money in high-risk enterprises and never fully explained the risks even though the investors wanted conservative investments because most were near retirement age or already retired. “More than 100 Nebraskans trusted [the two] to invest money they had worked a lifetime to save,” the Nebraska attorney general said in a statement. Last month, a federal judge awarded $30 million to more than 200 investors who claimed they had been defrauded by the pair. That ruling was part of a federal class-action lawsuit investors filed in 2007. Several other lawsuits and arbitration claims have been filed against the former brokers. Source:

15. May 16, Softpedia – (Alabama) NACHA Spam Gang Starts Using Shortened URLs. The malware distribution gang that sends spam e-mails purporting to come from the Electronic Payments Association (NACHA) has switched to using shortened URLs in its campaigns. Posing as NACHA is not a new technique; it has been used since November 2009, but a new campaign has been going strong for the past few weeks. The fake e-mails bear many subjects, and the same variety is kept for the spoofed sender addresses. The e-mails tell recipients their ACH (Automated Clearing House) transfers have been canceled or rejected by their financial institution and direct them to a URL for more details. They read: “The ACH transfer (ID: 65388185980), recently sent from your checking account (by you or any other person), was cancelled by the other financial institution. Please click here [link] to view details. If you have any questions or comments, contact us at info@nacha(dot)org. Thank you for using http://www(dot)” The links lead to Web sites that prompt users with updates for Java which are actually variants of the notorious ZeuS banking trojan. According to the director of research in computer forensics at the University of Alabama at Birmingham (UAB), the gang behind this campaign was known for registering hundreds of domain names for each spam run. However, it recently switched tactics and is now abusing almost three dozen URL shortening services, many of which are obscure and are unlikely to respond to abuse reports. The service was the most abused based on the spam e-mails collected and analyzed by the UAB department. More than 1,000 malicious shortened URLs have been observed in this campaign. Using this method, spammers are able to keep a high level of variation in their e-mails at a low cost for their campaign. Source:

For another story see item 49 below in the Communications sector

Information Technology

42. May 18, Help Net Security – (International) New vulnerability reporting framework. The Industry Consortium for Advancement of Security on the Internet (ICASI) published Version 1.0 of its Common Vulnerability Reporting Framework (CVRF). CVRF is an XML-based framework that enables stakeholders across different organizations to share critical vulnerability-related information in an open and common machine-readable format. This format replaces the myriad of current nonstandard reporting formats, thus speeding up information exchange and processing. “CVRF represents a true milestone in industry efforts to raise and broaden awareness of security vulnerabilities,” said the president of ICASI and director of IT Policy and Information Security at IBM. “With the use of CVRF, the producers of vulnerability reports will benefit from faster and more standardized reporting. End users will be able to find, process and act upon relevant information more quickly and easily, with a higher level of confidence that the information is accurate and comprehensive.” Source:

43. May 18, H Security – (International) Opera 11.11 closes a critical hole. With the update to version 11.11, Opera developers closed a critical security hole that enables attackers to inject malicious code. The vulnerability is found in the code for processing framesets: certain frame constructions cause a memory error that eventually allows attackers to inject malicious code. Source:

44. May 16, Softpedia – (International) Google denies Chrome sandbox breach. Google Chrome’s security engineers reject the claim that French vulnerability research outfit VUPEN Security broke out of the browser’s reputed sandbox. Google’s experts argued this was not an attack against the Chrome sandbox itself, but against the Flash Player plug-in bundled with the browser. VUPEN’s founder and head of research does not agree with the counter-claims by Google engineers. “Nobody knows how we bypassed Google Chrome’s sandbox except us and our customers, and any claim is a pure speculation,” he said in a statement. VUPEN has already announced that, according to company policy, it will not disclose details about the exploited vulnerabilities to Google. Instead, the company will share the intelligence with its government customers. Such action is received with much criticism from users, however, as many 0-day exploits are being sold in a legitimate manner. Source:

45. May 16, Softpedia – (International) Security updates for Adobe Audition, Flash Media Server and RoboHelp. Adobe has released security updates for several products, including Audition, Flash Media Server, and RoboHelp, that address critical vulnerabilities that could compromise systems they run on. Two flaws were patched in Adobe Flash Media Server (FMS) for Windows and Linux, one that could be exploited by attackers to execute arbitrary code on the underlying system. Identified as CVE-2010-3864, the vulnerability is rated as critical and is described as a memory corruption issue. The second flaw, CVE-2011-0612, can lead to a denial of service condition if corrupted XML data is parsed by the server. Adobe said users should install Flash Media Server version 4.0.2 or Flash Media Server version 3.5.6, depending on the branch they are currently running. Two vulnerabilities were also patched in Adobe Audition, the company’s audio editing product, that could be exploited to execute arbitrary code. Identified as CVE-2011-0614 and CVE-2011-0615, the flaws are described as memory corruption issues and were discovered by Zero Science Lab and Core Security Technologies. The vulnerabilities can be exploited by convincing victims to open maliciously-crafted Audition Session (.ses) files. Audition Session (.ses) file format is no longer a supported format beginning with Adobe Audition CS5.5. Only Adobe Audition 3.0.1 and earlier versions for Windows are affected by these vulnerabilities, and the vendor said users should switch to use of the XML session format instead of .ses. Also, a manual patch was released for RoboHelp 8, RoboHelp 7, RoboHelp Server 8, and RoboHelp Server 7, that are affected by a cross-site scripting vulnerability. The flaw, CVE-2011-0613, is rated as important and was reported by Jardine Software Inc. It can be fixed by replacing wf_status.htm and wf_topicfs.htm with the patched versions provided by Adobe. Source:

46. May 14, Softpedia – (International) Apache patches denial of service flaw in HTTP server. The Apache Project has released version 2.2.18 of its Web server software package to address a vulnerability that could lead to a denial of service condition. The flaw, identified as CVE-2011-0419, is located in the apr_fnmatch() function of the Apache Portable Runtime. It can be exploited remotely by sending specially crafted requests to Apache Web servers configured with mod_autoindex enabled. The Apache developers encouraged users to upgrade. For those who cannot upgrade, Apache said users can mitigate the risks of the vulnerability by setting the “IgnoreClient” option of the “IndexOptions” directive. Because the flaw is actually located in the Apache Portable Runtime (APR), which is also used in other projects in addition to the Apache HTTP Server, third-party developers are also advised to upgrade the runtime to version 1.4.4 in their applications. The Apache HTTP Server is the most widely used Web server software and has played an important role in the growth of the World Wide Web. Source:
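As an added illustration of the workaround named in the item above (example configuration written for this digest, not taken from the report or from the Apache project), the exposed and the mitigated mod_autoindex settings side by side; the directory paths are placeholders.

```apache
# Added example, not from the report. Directory listings are produced by
# mod_autoindex, which by default honours sort and filter parameters taken
# from the request's query string; those client-supplied values are what
# reach the apr_fnmatch() code affected by CVE-2011-0419 on servers older
# than 2.2.18 / APR 1.4.4.

# Exposed pattern: listing enabled, client query options honoured.
<Directory "/var/www/html/downloads">
    Options +Indexes
    IndexOptions FancyIndexing
</Directory>

# Mitigated pattern for hosts that cannot upgrade yet: IgnoreClient makes
# mod_autoindex discard every client-supplied query variable, so crafted
# requests no longer influence the listing code.
<Directory "/var/www/html/downloads">
    Options +Indexes
    IndexOptions FancyIndexing IgnoreClient
</Directory>

# Where no listing is needed at all, turning autoindex off for the
# directory removes the exposure entirely.
<Directory "/var/www/html/private">
    Options -Indexes
</Directory>
```

The IgnoreClient setting is a stopgap only; the vendor guidance above is to move to httpd 2.2.18 (and APR 1.4.4 for other consumers of the runtime) as soon as possible.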

47. May 13, Softpedia – (International) Large video game publisher loses data to hackers. Hackers broke into servers belonging to Eidos Interactive, a well-known game publisher now owned by Square Enix, and stole sensitive data. The hackers who carried out the attack appear to be affiliated with the Anonymous splinter group that recently took over AnonOps, the hacktivist collective’s IRC network. The target appears to have been the Deus Ex Human Revolution Web site. On the morning of May 12, the front page of the site displayed a message listing the handles and names of the people who supposedly hacked it. However, according to IRC logs, the real attackers went by the handles evo and n` (nigg), two Anonymous members. The handles and names placed on the defaced page were planted intentionally, to cause problems for those individuals. The logs, leaked by someone who monitored the hackers’ chat room, revealed that evo had particular plans for the site. The techniques described are commonly used by cyber criminals to infect computers in drive-by download attacks, which suggests evo might be familiar with this type of activity. Nigg disagreed with the idea because there was not enough time to put it into practice. Instead, they went for the defacement and the leaking of captured information. A torrent was uploaded to The Pirate Bay claiming to contain 370 CVs and the Web site’s user database. Square Enix later confirmed that two product Web sites were compromised by a group of hackers. As a result, the company said, up to 350 CVs and 25,000 e-mail addresses used by people to register for updates were stolen. Source:

48. May 12, SC Magazine Australia – (International) AusCERT: Cisco IP phones prone to hackers. Contact centers and businesses using Cisco Internet phones are at risk of having communications intercepted and confidential information leaked, a hacking group demonstrated. A security consultant said VoIP phone systems could be turned against their users: hacked to become networked listening devices or “bugs,” wiretapped remotely, or silenced, blacking out communications. Contact centers, which often use Internet-protocol phones because they are cheap to run, were especially at risk, he said. The researcher, director of the penetration testing firm HackLabs in Sydney, Australia, demonstrated how phone conversations could be illicitly recorded, injected with sound, or redirected to expensive and hard-to-trace offshore premium numbers. Similarly, a distributed denial-of-service attack could take a phone fleet offline, he said, noting he had seen such attacks cripple networks at Australian companies. The weaknesses result from Cisco’s reliance on Web functions that give users features at the cost of easier penetration by hackers. A Cisco spokesman said the company was serious about security and advised users to apply the relevant recommendations in the manual to secure their systems. Source:,auscert-cisco-ip-phones-prone-to-hackers.aspx

For more stories, see items 49 and 51 below

Communications Sector

49. May 18, Help Net Security – (National) SpyEye Trojan attacks Verizon’s online payment page. Trusteer discovered a configuration of the SpyEye Trojan targeting Verizon’s online payment page and attempting to steal payment card information. The attack took place between May 7 and May 13. The chief technology officer of Trusteer explained that, “SpyEye uses a technique called ‘HTML injection’ to modify the pages presented in the victim’s browser, in this particular case the injected HTML is used to capture credit card related data. The attack is invisible to Verizon customers since the malware waits for the user to logon and access their billing page and only then injects an authentic-looking replica Web page that requests this information. Since the user has logged on and has navigated to the familiar billing page, they have no reason to suspect this request for payment information is suspicious,” she added. This practice allows criminals to commit card-not-present fraud on the Internet, and also makes it more difficult for banks to identify the source of fraudulent transactions, since they cannot trace them back to a specific computer. Source:
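The point of the item above is that the injection happens inside the victim’s browser after the legitimate page has loaded, so the server never sees the extra fields and the served page looks clean. One detection approach that follows from that, as an added illustration (not Trusteer’s, Verizon’s or SpyEye’s code): compare the form controls in the page the server actually sent with the controls present in the DOM the browser ended up rendering, and flag any new fields whose names ask for card data. Both HTML samples below are constructed; in a real deployment the “rendered” side would come from a script on the page reporting the live DOM back to the site.

```python
from html.parser import HTMLParser

# Constructed sample: the billing page exactly as the server sent it.
SERVED_BILLING_PAGE = """
<html><body>
<h1>Pay your bill</h1>
<form action="/billing/pay" method="post">
  <input type="hidden" name="csrf" value="abc123">
  <label>Amount <input type="text" name="amount"></label>
  <input type="submit" value="Pay">
</form>
</body></html>
"""

# Constructed sample: the same page after a man-in-the-browser inject added a
# card-details block inside the legitimate form (same action, no new <form>),
# which is what makes the request look like part of the familiar page.
RENDERED_DOM = """
<html><body>
<h1>Pay your bill</h1>
<form action="/billing/pay" method="post">
  <input type="hidden" name="csrf" value="abc123">
  <label>Amount <input type="text" name="amount"></label>
  <fieldset><legend>Verify your payment card</legend>
    <label>Card number <input type="text" name="cardnumber"></label>
    <label>Expiry <input type="text" name="expiry"></label>
    <label>CVV <input type="password" name="cvv"></label>
  </fieldset>
  <input type="submit" value="Pay">
</form>
</body></html>
"""

# Name fragments that suggest a control is asking for payment-card data.
CARD_HINTS = ("card", "ccnum", "cvv", "cvc", "expir")


class FormFieldCollector(HTMLParser):
    """Record every named form control as (enclosing form action, name, type)."""

    def __init__(self):
        super().__init__()
        self.fields = set()
        self._action = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._action = a.get("action", "")
        elif tag in ("input", "select", "textarea") and a.get("name"):
            self.fields.add((self._action, a["name"], a.get("type", "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._action = None


def form_fields(html):
    parser = FormFieldCollector()
    parser.feed(html)
    parser.close()
    return parser.fields


def injected_fields(served_html, rendered_html):
    """Controls present in the rendered DOM that the server never sent."""
    return sorted(form_fields(rendered_html) - form_fields(served_html))


def card_harvesting_fields(served_html, rendered_html):
    """Injected controls whose names suggest card data is being requested."""
    return [f for f in injected_fields(served_html, rendered_html)
            if any(hint in f[1].lower() for hint in CARD_HINTS)]


if __name__ == "__main__":
    for action, name, ftype in card_harvesting_fields(SERVED_BILLING_PAGE, RENDERED_DOM):
        print(f"injected {ftype} field '{name}' posting to {action}")
```

The comparison is keyed on the enclosing form’s action as well as the field name, so an inject that adds a second form posting to an attacker-controlled URL would also surface, as would one that keeps the legitimate action and relies on the Trojan to skim the submission. A clean page compared with itself yields no findings.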

50. May 17, Television Broadcast – (National) FCC cracks down on rogue broadcasters. Federal Communications Commission (FCC) agents have been busy in May, issuing more than $250,000 in fines as part of an effort to shut down rogue broadcasters. A majority of the actions have targeted pirate radio operations. As of May 17, the FCC had issued $258,000 in fines, $141,000 of which was for operation of unlicensed radio transmitters. On May 5 alone, the commission fined five pirates a total of $50,000. Other violations involved failure to maintain functional Emergency Alert System equipment, inadequately maintained transmitter and tower facilities, excessive power levels, and improper record-keeping. Piracy was most prevalent in the eastern portion of the United States. Source:

51. May 17, IDG News Service – (International) Some sites struggle to stay up due to Heroku attack. A suspected distributed denial-of-service (DDoS) attack on Heroku, the Ruby platform-as-a-service provider now owned by, is creating availability issues for its customers. The problems started May 16 when Heroku reported that a small number of users, primarily those that point a root domain at Heroku via static Internet Protocol addresses, were getting connection errors. Via its status page, Heroku later told customers it was working with its network service provider to mitigate availability issues coming from what it believed was a DDoS attack. “The current attack protection procedures have reduced the effects of this attack to intermittent issues,” the status page said. One company, which uses Heroku and had some issues, advised customers via Twitter to try reloading if they were unable to access the site. Another company, Rexly, apologized to customers having trouble using its service due to Heroku’s “hiccups.” warned users about issues related to Heroku’s service. Source:

52. May 17, Associated Press – (International) US official: solar storms expected to peak in 2013 with potentially devastating effect. A senior official at the U.S. National Oceanic and Atmospheric Administration (NOAA) said solar storms pose a growing threat to critical infrastructure such as satellite communications, navigation systems, and electrical transmission equipment. The NOAA Assistant Secretary said the intensity of solar storms is expected to peak in 2013 and that countries should prepare for “potentially devastating effects.” Solar storms release charged particles that can temporarily disable or permanently destroy fragile computer circuits. A former NASA astronaut who in 1984 became the first American woman to walk in space told a United Nations weather conference in Geneva on May 17 that “it is not a question of if, but really a matter of when a major solar event could hit our planet.” Source: