Thursday, May 26, 2011

Complete DHS Daily Report for May 26, 2011

Daily Report

Top Stories

• The Arizona Republic reports three Maricopa County Sheriff’s Office employees were arrested May 24 by authorities who said they were involved in a drug- and human-trafficking ring and used sheriff’s office intelligence to guide smugglers. (See item 41)

41. May 25, Arizona Republic – (Arizona; International) 3 in MCSO accused of cartel ties. Three Maricopa County, Arizona, Sheriff’s Office employees, including a deputy in the human-smuggling unit, were arrested May 24 by authorities who said they were involved in a drug- and human-trafficking ring and used sheriff’s office intelligence to guide smugglers through the Valley. The sheriff’s employees were among 12 suspects arrested May 24 during a series of early-morning raids at 16 locations where investigators targeted members of the organization. The group mostly moved heroin, according to investigators, and officials suspect each of the arrested sheriff’s employees played a crucial role in moving the drugs and hiding the illicit profits. Authorities said the ring moved about $56,000 worth of heroin a week through the Valley. The sheriff’s employees helped set up a shell corporation called West Utilities Group Inc., which was used to launder nearly $50,000 in drug proceeds, according to court documents. The investigation went public when search warrants were served and a series of arrests were made May 24. But officials said the probe could last for months and target other suspects. Source:

• According to the New York Times, 14 people were killed by tornadoes that struck Arkansas, Kansas, and Oklahoma, downing power lines and destroying livestock, and wiping out homes, businesses and churches. (See item 51)

51. May 25, New York Times – (National) Storms kill at least 14 people in 3 states. Residents of the South and Midwest braced for another round of severe weather May 25, only hours after at least 14 people were killed in a series of storms that struck portions of Arkansas, Kansas, and Oklahoma, including a tornado that killed five people near Oklahoma City. The Oklahoma tornado struck around midday May 24, devastating El Reno, a town of 15,000 people about 25 miles west of downtown Oklahoma City, officials said. At least five people were killed, and officials said the number could rise May 25 as rescue teams searched through the rubble of houses, businesses, and churches in the area. Five people died in Canadian County, two in Logan County, and one in Grady County, where a woman died when a tornado hit a mobile-home park, said a spokeswoman for the Oklahoma medical examiner. At least 60 people were injured across central Oklahoma, many along the Interstate 40 corridor. The tornado left a trail of shredded and overturned cars along I-40, destroyed livestock, set off a gas line explosion, and spurred people across El Reno to evacuate their homes. On May 25, about 70,000 people remained without electricity in Oklahoma. In Kansas, two people died when winds blew a tree into their van near St. John, the authorities said. And in Arkansas, at least four people died in storms, including one killed by a tornado in Franklin County, said a spokesman for the state department of emergency management. Other tornadoes were reported in Texas near Springtown and Azle, just northwest of Fort Worth, and near Muenster. The Texas tornadoes caused no injuries. Source:


Banking and Finance Sector

14. May 25, Show Low White Mountain Independent – (Arizona) Five plead guilty in $5.4 million bank fraud. Five defendants pleaded guilty in federal court May 23 to defrauding banks out of $5.4 million in a conspiracy involving Surfside Boat Center, a high-end boat dealership in Mesa, Arizona, that is now defunct. The charges stem from the defendants’ use of the boat dealership to fraudulently obtain millions of dollars in purchase loans from various banks. More than 50 loans from 11 lenders were represented to be for legitimate boat sales but were instead for straw sales, and the funds were put to personal use by the defendants. The defendants ultimately defaulted on the loans. The defendants pleaded guilty to conspiracy, bank fraud, and money laundering. Under the terms of the plea agreements, all defendants face prison terms and must repay the loan balances to the banks. A conviction for bank fraud carries a maximum penalty of 30 years in prison and/or a $1 million fine; a conviction for money laundering carries a maximum penalty of 10 years in prison and/or a $250,000 fine; and a conviction for conspiracy carries a maximum penalty of 5 years and/or a $250,000 fine. Source:

15. May 24, Federal Bureau of Investigation – (Minnesota) Federal jury convicts Burnsville man of bilking mortgage lenders out of more than $43 Million. A jury convicted a 44-year-old Burnsville, Minnesota man in federal court May 24 on seven counts of wire fraud, three counts of mail fraud, and one count of conspiracy to commit wire fraud and mail fraud in a scheme that bilked mortgage lenders out of more than $43 million. The evidence presented at trial indicated that between 2005 and 2008, the man conspired with others to obtain money fraudulently through over 100 residential property transactions. To further this scheme, the conspirators negotiated with builders of new properties as well as owners of existing properties to buy property and property groupings at greatly reduced prices. They then solicited real estate purchasers by promising they would receive large cash pay-outs, or “kickbacks,” from lenders’ funds. They failed to tell potential buyers about the reduced prices they negotiated for the properties, choosing instead to quote them the grossly inflated prices. By charging buyers the higher prices, they acquired enough cash from loan proceeds to pay buyers their kickbacks and still have money left for themselves and their co-conspirators. Once a potential buyer was recruited through this scheme, the conspirators, or someone working on their behalf, drafted a purchase agreement that reflected the inflated sale price only and failed to disclose to lenders the kickback amount to the buyer. The convict faces a potential maximum penalty of 20 years in federal prison on each count. Source:

16. May 24, Hartford Courant – (Connecticut) President of bankrupt fuel oil company pleads guilty to bank fraud. The former president of Waterbury, Connecticut-based F&S Oil, a home heating oil business whose bankruptcy cost customers millions of dollars in prepaid contracts, pleaded guilty in federal court May 24 to taking millions more in fraudulent loans from the company’s banker. He pleaded guilty to a single count of bank fraud for overstating company receivables to collect what federal prosecutors said was from $2.5 million to $7 million on three lines of credit. In legal papers filed in court, federal prosecutors said the man falsified the oil company’s cash flow to tap loans F&S had with Citizens Bank. F&S was forced to file for bankruptcy protection in early 2008, creating thousands of claims among those of its 12,000 customers who had signed prepaid heating oil contracts. If sentenced under the advisory guidelines used in federal court, the former president could get from 41 to 51 months in prison. Source:

17. May 23, Washington Times – (National) IRS staff committed tax credit fraud. According to federal investigators, more than 100 employees of the Internal Revenue Service (IRS) cheated the government by fraudulently claiming a first-time homebuyer tax credit included in the 2008 and 2009 economic stimulus packages, the Washington Times reported May 23. The Treasury Department’s inspector general for tax administration, in several reports over the past few years, identified a total of 128 IRS employees who claimed the credit but who also made other claims that showed they either were not first-time buyers or bought their homes outside the eligibility period for the credit, which was worth up to $8,000. The IRS employees represented a small part of the total fraud in the program, which the inspector general said may have totaled more than $500 million overall. At least one IRS employee is facing charges of making a false claim while acting as an officer of the government — a felony punishable by up to 5 years in prison — stemming from the tax credit. In another case, a part-time IRS employee in Georgia has been charged with altering information on IRS computers to help four friends and family members appear eligible for the credit. She pleaded guilty March 24 to one count of accessing a computer without authorization and is awaiting sentencing. Source:

18. May 23, Baltimore Sun – (International) Baltimore feds target Internet gambling sites. Federal investigators in Baltimore, Maryland, set up a phony business — and handled $33 million in transactions from Internet gamblers — in a lengthy sting operation that led to the indictment of two online betting companies and their international owners, the U.S. attorney’s office announced May 23. Details were released after 11 associated bank accounts were seized in 5 countries and 10 Web domain names were shut down. The indictments are the result of an undercover operation by Homeland Security Investigations in Baltimore, a division of U.S. Immigration and Customs Enforcement. The agency created a phony payment-processing business. A half-dozen Internet gambling companies ultimately relied on it. Agents said the phony business processed more than 300,000 transactions in 2 years for the defendants using banks in Portugal, Malta, Panama, the Netherlands, and the United States. If convicted of running an illegal gambling business, the defendants face a maximum of 5 years in prison. Money laundering carries a maximum sentence of 20 years. Source:

Information Technology

43. May 25, H Security – (International) Chrome 11 update patches critical holes. Google has released version 11.0.696.71 of its Chrome Web browser, a maintenance and security update that addresses a total of four security vulnerabilities, two of which are rated as critical: the new version fixes a critical memory corruption bug in the GPU command buffer and an out-of-bounds write problem in blob handling discovered by a member of the Chromium development community. A high-risk exploit (a stale pointer in floats rendering) along with a low-risk bug that bypassed the pop-up blocker have also been closed. Source:

44. May 25, Softpedia – (International) Sensitive data extracted from Comodo Brazil Website. Hackers managed to compromise the Web site of Comodo Brazil and extracted sensitive data about the company’s SSL certificate customers. It appears the attack vector used was SQL injection. A partial database dump was posted on pastebin(dot)com May 21, together with information about the vulnerability. The compromised data includes certificate authority name, e-mail, fax, phone number, order number, certificate request, private key file name, and other details. Customer details such as organization names, addresses, telephones, domain names, type of Web servers, serial numbers, and more, are also included. There is also a list of what appears to be employee accounts, with @comodobr(dot)com e-mail addresses and hashed passwords. The password for an account called validacao@comodobr(dot)com (validation@) is listed in plain text. Source:

45. May 25, The Register – (International) Timing attack threatens private keys on SSL servers. Security researchers have discovered a “timing attack” that creates a possible mechanism for a hacker to extract the secret key of a TLS/SSL server that uses elliptic curve cryptography (ECC). Elliptic curve cryptography is a type of public-key algorithm that uses the maths of elliptic curves rather than integer factorization, which is used by RSA as a one-way function. By using ECC, it is possible to provide equivalent levels of difficulty for a brute-force attack as can be provided by the more familiar integer-factorization approaches, but using smaller key lengths. The approach has benefits for mobile and low-power systems. Two researchers discovered some implementations of ECC are vulnerable to a form of side-channel attack based on measuring the length of time it takes to digitally sign a message. The attack can be carried out locally or, with greater difficulty, remotely. The researchers validated their research through tests on an OpenSSL Server running ECC they had established, as explained in the abstract of a research paper by the computer scientists. Source:
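The article does not say which implementation detail leaked the key. The toy below, added here and not taken from the article or the researchers' paper, shows the class of leak a timing attacker looks for in scalar multiplication: a ladder whose loop runs over only the bit length of the secret scalar takes measurably less time when the scalar has leading zero bits, so the time reveals the scalar's length. Beside it is the same ladder run over a fixed number of bits. The curve (y^2 = x^3 + 2x + 3 over F_97, base point (3, 6)), the 8-bit scalar width and the use of an operation count as a stand-in for measured time are assumptions made for illustration.

```python
# Added example (not the researchers' or OpenSSL's code): a scalar
# multiplication whose running time depends on the secret scalar, beside a
# fixed-length version that does not.
#
# Toy curve y^2 = x^3 + 2x + 3 over F_97 with base point (3, 6); assumed for
# illustration only and nothing like a real signing curve.
P_MOD, A_COEF = 97, 2
G = (3, 6)
FIXED_BITS = 8          # assumed scalar width for the constant-iteration ladder
INF = None              # point at infinity


def ec_add(p1, p2):
    """Affine point addition (or doubling) on the toy curve."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return INF                      # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    lam %= P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    y3 = (lam * (x1 - x3) - y1) % P_MOD
    return (x3, y3)


def ladder(k, point, nbits):
    """Montgomery ladder computing k*point over exactly nbits bits.

    Returns (result, ops); ops counts ec_add calls and stands in for the
    signing time an attacker would measure.
    """
    r0, r1 = INF, point
    ops = 0
    for i in range(nbits - 1, -1, -1):
        if (k >> i) & 1:
            r0, r1 = ec_add(r0, r1), ec_add(r1, r1)
        else:
            r1, r0 = ec_add(r0, r1), ec_add(r0, r0)
        ops += 2
    return r0, ops


def mul_leaky(k, point=G):
    """Iterates over only k.bit_length() bits, so ops reveals the length of k."""
    return ladder(k, point, k.bit_length())


def mul_fixed(k, point=G):
    """Always iterates over FIXED_BITS bits, so ops is the same for every k."""
    return ladder(k, point, FIXED_BITS)


def leaked_bit_length(ops):
    """What a timing attacker learns from the leaky version: the scalar's length."""
    return ops // 2


def naive_mul(k, point=G):
    """Reference: k repeated additions, slow but obviously correct."""
    acc = INF
    for _ in range(k):
        acc = ec_add(acc, point)
    return acc


if __name__ == "__main__":
    for k in (1, 5, 37, 200):
        _, t_leaky = mul_leaky(k)
        _, t_fixed = mul_fixed(k)
        print(f"k={k:3d} bits={k.bit_length()} leaky_ops={t_leaky:2d} "
              f"(attacker infers {leaked_bit_length(t_leaky)} bits) fixed_ops={t_fixed}")
```

Both ladders return the same point for every scalar; only the operation count differs. In a real signature scheme the scalar is the per-signature nonce, and learning even a few of its top bits across many signatures is the kind of partial information that lattice methods turn into the private key, which is why the fixed-iteration shape matters even though it does slightly more work.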

46. May 24, Computerworld – (International) Apple admits Mac scareware infections, promises cleaning tool. Apple May 24 promised an update for Mac OS X that will find and delete the MacDefender fake security software, and warn still-unaffected users when they download the bogus program. The announcement — part of a new support document that the company posted late May 24 — was the company’s first public recognition of the threat posed by what security experts call “scareware” or “rogueware.” “In the coming days, Apple will deliver a Mac OS X software update that will automatically find and remove Mac Defender malware and its known variants,” Apple said. “The update will also help protect users by providing an explicit warning if they download this malware.” Apple also outlined steps that users with infected Macs can take to remove the scareware. Source:

47. May 24, Help Net Security – (International) Spammers establish their own fake URL-shortening services. For the first time ever, spammers have established their own fake URL-shortening services to perform URL redirection, Symantec said. This new spamming activity has contributed to May’s increase in spam by 2.9 percent. Under this scheme, shortened links created on fake URL-shortening sites are not included directly in spam messages. Instead, the spam e-mails contain shortened URLs created on legitimate URL-shortening sites. These shortened URLs lead to a shortened URL on the spammer’s fake shortening site, which redirects to the spammer’s own Web site. These new domains were registered several months before they were used, potentially as a means to evade detection by legitimate URL-shortening services: the age of a domain may be used as an indicator of legitimacy, making it more difficult for the genuine shortening services to identify potential abuse. Source:

48. May 24, Computerworld – (International) Researcher blasts Siemens for downplaying SCADA threat. The security researcher who voluntarily canceled a talk on critical vulnerabilities in Siemens’ industrial control systems the week of May 16 took the German company to task May 23 for downplaying the problem. The researcher, with NSS Labs, took exception to Siemens’ claim the vulnerabilities he and a colleague uncovered had been discovered “while working under special laboratory conditions with unlimited access to protocols and controllers.” “There were no ‘special laboratory conditions’ with ‘unlimited access to the protocols.’ My personal apartment on the wrong side of town where I can hear gunshots at night hardly defines a special laboratory,” he said in a message posted on a public security mailing list. “[And] I purchased the controllers with money my company so graciously provided me with.” While Siemens promised the week of May 16 that it would patch the bugs, it downplayed the threat to its industrial control systems, and the thousands of companies that rely on Siemens’ programmable logic control systems, the researcher argued. Source:

For another story, see item 50 below in the Communications Sector

Communications Sector

49. May 24, Network World – (International) Lack of IPv6 traffic stats makes judging progress difficult. The Internet is poised to undergo the biggest upgrade in its 40-year history, from the current version of the Internet Protocol known as IPv4 to a new version dubbed IPv6, which offers an expanded addressing scheme for supporting new users and devices. However, it will be difficult for Internet policymakers, engineers, and the user community at large to tell how the upgrade to IPv6 is progressing because no one has accurate or comprehensive statistics about how much Internet traffic is IPv6 versus IPv4. The issue of IPv6 traffic measurement is timely given that the Internet engineering community is preparing for its biggest trial of IPv6: World IPv6 Day June 8. So far, 225 Web site operators — including Google, Yahoo and Facebook — have agreed to participate in the event by serving up their content via IPv6 for 24 hours. Without accurate IPv6 traffic statistics, neither the sponsors nor the participants of World IPv6 Day will be able to tell for sure how much IPv6 traffic is sent over the Internet June 8, or how much difference the event makes to IPv6 traffic volumes afterward. Source:

50. May 24, IDG News Service – (International) Sony says hacker stole 2,000 records from Canadian site. Sony confirmed May 24 that someone had hacked into its Web site and stolen about 2,000 customer names and e-mail addresses. Close to 1,000 of the records have already been posted online by a hacker calling himself Idahc, who said he is a “Lebanese grey-hat hacker.” Idahc found a common Web programming error, called an SQL injection flaw, that allowed him to dig up the records on the Canadian version of the Official Sony Ericsson eShop, an online store for mobile phones and accessories. The hacker got access to records for about 2,000 customers, including their names and e-mail addresses and a hashed version of users’ passwords, according to a Sony Ericsson Mobile Communications spokeswoman. “Sony Ericsson has disabled this e-commerce Web site,” she said. “We can confirm that this is a standalone Web site and it is not connected to Sony Ericsson servers.” Other than the names and e-mail addresses, no personal or banking information was compromised, she said. Sony Ericsson is a mobile-phone company run jointly by Sony and Ericsson. Source:

Wednesday, May 25, 2011

Complete DHS Daily Report for May 25, 2011

Daily Report

Top Stories

• The FDA has advised parents, caregivers, and health care providers not to feed SimplyThick, a thickening product, to premature infants after use of the product was possibly linked to 2 deaths and 13 serious illnesses. (See item 38)

38. May 20, U.S. Food and Drug Administration – (National) FDA: Do not feed SimplyThick to premature infants. The U.S. Food and Drug Administration (FDA) is advising parents, caregivers, and health care providers not to feed SimplyThick, a thickening product, to premature infants. The product may cause necrotizing enterocolitis (NEC), a life-threatening condition. FDA first learned of adverse events possibly linked to the product May 13. To date, the agency is aware of 15 cases of NEC, including 2 deaths, involving premature infants who were fed SimplyThick for varying amounts of time. The product was mixed with mothers’ breast milk or infant formula products. Illnesses have been reported from at least four different medical centers. The illnesses involve premature infants who became sick over the past 6 months. SimplyThick was added to the feeding regimen of infants — who later developed NEC — to help with swallowing difficulties stemming from complications of premature birth. Parents and caregivers who have medical concerns or questions related to the use of the product should contact their health care provider. The product is sold in packets of individual servings and in 64-ounce dispenser bottles. It can be purchased from distributors and local pharmacies throughout the United States. Source:

• The Register reports LinkedIn will reduce the persistence of cookies it uses to identify users following the discovery of security issues with the site that create a possible means for fraudsters to hijack profiles. (See item 53 below in Information Technology)


Banking and Finance Sector

18. May 24, Arlington Heights Daily Herald – (Illinois) 4 indicted in Naperville 'skim' scam. Four men were accused in a federal indictment of conspiring to “skim” credit card information from unsuspecting customers at a Naperville, Illinois restaurant, authorities said May 23. The men each face felony charges of conspiracy to commit credit card fraud. Two also face charges of substantive credit card fraud, possession of access-device making equipment, and aggravated identity theft. A special grand jury indictment filed in May accuses the men of using a handheld ”skimming device” to obtain encoded information from the magnetic stripes of credit cards. Authorities said the defendants then created counterfeit cards and used them to go shopping at retail stores in Lombard, Northlake, and Streamwood. In all, the alleged scheme resulted in losses of more than $213,000, authorities said. Source:

19. May 24, Lexington Herald-Leader – (National) Former Lexington employee pleads guilty in Big Brothers Big Sisters fraud. The former office manager for Big Brothers Big Sisters of the Bluegrass in Kentucky pleaded guilty May 23 to bank fraud for cashing $435,837 in checks on the organization's account, according to the U.S. attorney's office. The woman admitted she issued 142 fraudulent checks to other people from 2008 through October 2009. She would keep much of the cash, once in a while paying smaller amounts to those who cashed the checks at Central Bank, the plea agreement states. She would telephone Big Brothers' bookkeeper at Stivers and Co., an accounting firm hired by the agency, and authorize checks payable to third parties, according to the plea agreement. She would pick up the checks from Stivers and forge the signatures of Big Brothers board members who could sign checks. The convict would then give the checks to the third parties, who would cash them. The maximum penalty for the crime is 30 years in prison, a fine of up to $1 million, and up to 5 years of supervised release. Source:

20. May 23, Reuters – (International) Gas tank attacks damage two Mexico banks; no injuries. Two small explosive devices went off before dawn May 23 at two banks in Mexico City, Mexico, shattering windows but leaving no injuries, the city's top prosecutor said. No arrests have been made, but the Mexico City Attorney General (AG) said authorities suspect youth gangs were behind the attack. "There were just material damages," he told Mexican television. The attack did not appear related to the country's drug war, in which cartels have set off car bombs as they resist a government crackdown. The explosive devices May 23 appeared to be using small butane tanks, the AG said. Images from Televisa network showed shattered glass on the floor and damaged furniture inside a BBVA Bancomer bank office on the city's west side. The other explosion was at a Santander Serfin branch, Reforma newspaper reported. A third device was left in another Santander Serfin branch but did not explode, Reforma reported. Source:

21. May 23, Wall Street Journal – (International) Ohio couple pleads guilty to conspiring to finance Hezbollah. A married couple from Toledo, Ohio, pleaded guilty May 23 to charges related to a plan to send hundreds of thousands of dollars to Hezbollah. The couple met multiple times between August 2009 and June 2010 with a confidential source working on behalf of the Federal Bureau of Investigation, during which time they discussed ways to secretly send money to Hezbollah leaders in Lebanon, court documents said. The confidential source delivered $200,000 to the couple June 3, 2010, and told them he would return later in the day with more money, court documents said. Shortly thereafter, the couple was seen inside their home bundling a portion of the money in plastic wrap and duct tape to prepare it for concealment. The wife pleaded guilty to one count of conspiracy, and the husband to a total of five counts that included conspiracy to provide support to a foreign terrorist organization, and conspiracy to violate money laundering law. Source:

22. May 23, KWTV 9 Oklahoma City – (Oklahoma) Reward offered for Oklahoma City 'Pantyhose Posse'. According to the FBI, two unknown white or Hispanic men entered the MidFirst Bank located on S.W. 44th Street in Oklahoma City, Oklahoma, around 10:15 a.m. May 23 wearing black pantyhose over their heads. Investigators said one of the robbers vaulted the counter and verbally demanded hundred-dollar bills while holding a firearm. The other robber stood in the lobby area of the bank holding another firearm. The bank employees complied with the robbers' demand. The robbers gathered an undetermined amount of money and left the bank. Currently, law enforcement believes the so-called "Pantyhose Posse" is also responsible for two other Oklahoma City bank robberies: the first at Bank of Oklahoma at 4324 S.E. 44th Street May 6, and the second at Coppermark Bank at 6809 N. Meridian Avenue May 11. In addition to MidFirst's reward of $4,000, the Oklahoma Banker's Association is offering $2,000 in reward money, and Coppermark Bank also is offering $2,000. Source:

23. May 21, Stockton Record – (California) Alleged bank robber who used fake bombs hears string of charges. A 58-year-old man accused of using phony bombs to threaten his victims in a string of bank robberies appeared in a Stockton, California courtroom May 21 to hear a judge read out the charges. Authorities said the man walked into the banks, each time placing on the counter a package, which he claimed to be an explosive. He then demanded money, officials said. The alleged bank robberies took place at Bank of the West branches in Lockeford, Ripon, and Lodi, and at the Farmers & Merchants Bank in Linden. Officials have said they also suspect the man of similar robberies in Amador and Stanislaus counties, but May 21 the charges filed against him stemmed only from alleged cases in San Joaquin County. The robberies happened between December 2010 and May 2011. San Joaquin County Sheriff's deputies arrested the man May 18 at his Stockton home on Acacia Avenue. He is charged with four counts of second-degree robbery, and four counts of making a false bomb threat, according to the criminal complaint filed with the San Joaquin County Superior Court. Source:

For more stories, see items 56 and 57 below in Information Technology

Information Technology

52. May 24, IDG News Service – (International) Dimension Data finds vulnerabilities on Cisco devices. Large numbers of companies using Cisco network equipment are still exposed to a single security flaw nearly 2 years after a patch was issued, an analysis of network scans by Dimension Data for its 2011 Network Barometer Report has found. Overall, Dimension's Technology Lifecycle Management assessment service discovered that an average of 73 percent of the 270 assessments it carried out on Cisco-dominated global companies had at least 1 known device security vulnerability that had yet to be patched. This held true for companies of all sizes and across all geographies. A single prominent vulnerability, Cisco PSIRT (Cisco Product Security Incident Response Team) 109444, was found on 66 percent of the networks reviewed, accounting for much of the security exposure it found. PSIRT 109444 has been rated by the industry Common Vulnerability Scoring System as being between 6.4 and 7.8 out of 10 in terms of severity (moderately critical), and is capable of allowing an attacker to take affected devices down with a denial-of-service attack, Dimension Data said. Source:

53. May 24, The Register – (International) LinkedIn slashes cookie lifespan after research exposes security flaws. LinkedIn said it would reduce the persistence of cookies it uses to identify users of the business-focused social networking site following the discovery of security issues with the site that create a possible means for fraudsters to hijack profiles. A security researcher discovered LinkedIn session cookies are transmitted over an unsecured HTTP connection even in cases where users follow the option of signing in over a secure (SSL) connection. These cookies remain active for up to a year. Hackers who captured these cookies could obtain unauthorized access to other users' accounts. The LEO_AUTH_TOKEN cookie grants access to an associated account irrespective of whether or not users are logged in at the time, the researcher warned. These cookies work for up to a year or until a user changes their password and logs in using this new password, generating a fresh authentication token. LinkedIn boasts more than 100 million registered users. In response to the research, LinkedIn reduced the persistence of the authentication cookie from 1 year to 3 months. Also, the business-focused social network is extending plans to support SSL across its site, not just during logins. Source:
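The two weaknesses described in item 53 are visible in a single Set-Cookie header: an authentication cookie without the Secure attribute is sent on plain HTTP requests where it can be sniffed, and a Max-Age of a year keeps a captured token usable for a year. The audit function below is an added example, not LinkedIn's code or the researcher's tool; the two headers are constructed samples that borrow only the cookie name from the article, and the 3-month limit is the lifetime the article says LinkedIn moved to.

```python
# Added example (not LinkedIn's code): flag Set-Cookie headers that are
# sent over plain HTTP or that outlive a chosen maximum, and show the
# corrected header beside the weak one.

THREE_MONTHS = 90 * 24 * 3600      # assumed limit: the lifetime the article says LinkedIn adopted

# Constructed header shaped like the weak setting the researcher described
# (no Secure flag, one-year lifetime). The token value is made up.
WEAK_HEADER = "leo_auth_token=EXAMPLE-TOKEN; Path=/; Max-Age=31536000"

# Constructed header for the same cookie with the fixes: only sent over
# HTTPS, not readable by page script, and a 90-day lifetime.
HARDENED_HEADER = ("leo_auth_token=EXAMPLE-TOKEN; Path=/; Max-Age=7776000; "
                   "Secure; HttpOnly")


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value or True})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        # Flag attributes (Secure, HttpOnly) have no value; store True for them.
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header, max_age_limit=THREE_MONTHS):
    """Return (cookie_name, [findings]); an empty list means nothing was flagged."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("secure") is not True:
        findings.append("no Secure flag: the browser also sends it over plain HTTP")
    if attrs.get("httponly") is not True:
        findings.append("no HttpOnly flag: page script can read it")
    max_age = attrs.get("max-age")
    if max_age is not None:
        if max_age is True or not max_age.isdigit():
            findings.append("Max-Age is not a non-negative integer")
        elif int(max_age) > max_age_limit:
            findings.append(f"Max-Age {max_age}s exceeds limit of {max_age_limit}s")
    elif "expires" in attrs:
        findings.append("persistent via Expires; check its date against the limit")
    return name, findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("hardened", HARDENED_HEADER)):
        name, findings = audit_set_cookie(header)
        print(f"{label}: {name}")
        for finding in findings:
            print("  -", finding)
        if not findings:
            print("  - no findings")
```

A cookie with no Max-Age or Expires is a session cookie that the browser drops on exit, so the function does not flag it on lifetime; the Secure and HttpOnly checks still apply, since a session cookie leaked over HTTP is just as usable while the session lasts.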

54. May 24, The Register – (International) Exploited Hotmail bug stole email without warning. Microsoft has patched a bug in its Hotmail e-mail service that attackers were exploiting to silently steal confidential correspondences and user contacts from unsuspecting victims. The vulnerability was actively being exploited using e-mails that contained malicious scripts, a Trend Micro researcher said May 23. Successful attacks required only that a Hotmail user open the malicious e-mail or view it in a preview window. The commands embedded in the e-mails uploaded users' correspondences and user contacts to servers under the control of attackers without requiring the victim to click on links or otherwise take any action. The scripts also had the capability of enabling e-mail forwarding on the targeted Hotmail account, allowing attackers to view e-mails sent to the victim in the future. Source:

55. May 24, Softpedia – (International) Hackers continue to exploit holes in Sony's Web properties. Hacking outfit LulzSec hacked into Sony Music Online's Japanese Web site and leaked the database structure. The pastebin link does not lead to a full database dump, but to a listing of the tables and columns that can be found inside it. Instead of extracting and publishing the data themselves, the hackers made public two SQL injection vulnerabilities that can be exploited by anyone with a basic understanding of the technique. The LulzSec members also mentioned there are "two other databases hosted on this boxxy box" and encouraged people to go for them on their own. SQL injection vulnerabilities occur when user input is concatenated into a query's text instead of being passed to the database as a bound parameter. They can be exploited by attackers to read or modify the underlying database with whatever privileges the Web application's own database account holds. A Romanian hacker known as d3v1l disclosed two other vulnerabilities in Sony Web properties. One is also an SQL injection located in the Sony Pictures Italia Web site, while the other is a cross-site scripting (XSS) flaw on
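Items 44, 50 and 55 all turn on the same flaw, so one added example serves all three. It is not code from any of the affected sites: it builds a throwaway SQLite table of constructed customer rows, looks them up with a query that splices user input into the SQL text, and then with the same query written with a bound parameter. The same two inputs that a customer-lookup page might receive (a tautology and a UNION that pulls the password-hash column into the result, the kind of data item 50 says was taken) show why the first form leaks and the second does not.

```python
# Added example (not code from any of the sites in items 44, 50 or 55):
# a vulnerable string-built query beside its parameterized form, run
# against a constructed in-memory table.
import sqlite3

# Constructed sample rows; the hashes are arbitrary hex, not real credentials.
SAMPLE_ROWS = [
    ("alice", "alice@example.com", "5e884898da28047151d0e56f8dc62927"),
    ("bob", "bob@example.com", "2cf24dba5fb0a30e26e83b2ac5b9e29e"),
]


def make_db():
    """Create an in-memory customers table holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, email TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """Vulnerable: the caller's input becomes part of the SQL text."""
    sql = "SELECT name, email FROM customers WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened: the driver binds the value; quotes in it are data, not syntax."""
    sql = "SELECT name, email FROM customers WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Two inputs an attacker might send to the lookup page.
TAUTOLOGY = "' OR '1'='1"                                   # matches every row
UNION_DUMP = "x' UNION SELECT name, pw_hash FROM customers --"   # pulls hashes


def compare(conn, user_input):
    """Run both lookups on the same input and return the two result lists."""
    return (sorted(lookup_vulnerable(conn, user_input)),
            sorted(lookup_parameterized(conn, user_input)))


if __name__ == "__main__":
    db = make_db()
    for label, payload in (("normal", "alice"),
                           ("tautology", TAUTOLOGY),
                           ("union dump", UNION_DUMP)):
        vuln, safe = compare(db, payload)
        print(f"{label:11s} input={payload!r}")
        print(f"    vulnerable -> {vuln}")
        print(f"    bound      -> {safe}")
```

With the bound parameter the whole string, quotes and all, is compared against the name column, so the tautology and the UNION both simply fail to match any row. The vulnerable version returns every row for the tautology and, for the UNION input, returns names paired with password hashes even though the page only ever meant to show names and e-mail addresses.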


56. May 23, threatpost – (International) Black Hole exploit kit available for free. Several weeks after the source code for the Zeus crimeware kit turned up on the Web, the Black Hole exploit kit now appears to be available for download for free as well. Black Hole normally sells for $1,500 for an annual license, and is currently one of the more powerful attack toolkits on the market. The Black Hole exploit kit is somewhat newer and less well-known than attack toolkits such as Zeus and Eleonore, but it has been used by attackers for major Web-based attacks for the last few months. Researchers have found that thousands of URLs have been infected with Black Hole exploit code, which is then used to infect site visitors via drive-by downloads. Kits such as Black Hole and Zeus typically will sell for upwards of $1,000 for an annual license, and some of them also give buyers the option to add extra modules and exploits for additional fees. Source:

57. May 23, Softpedia – (International) Qakbot increasingly prevalent this quarter. Security researchers from Symantec warn that Qakbot, a data-stealing piece of malware, registered an activity spike during April that continued into May. Qakbot dates back to 2009, and the main infection vector used by its creators is drive-by download attacks that exploit vulnerabilities in outdated software. The piece of malware is technically a worm because it has self-propagation mechanisms that involve copying itself to network shares and removable drives. Once running on a computer, the worm can download and execute additional files, steal and send data to its creators, and open a backdoor for them to control the system. The Symantec malware researchers who have monitored Qakbot for the past few years recorded a significant spike in the malware's activity in April. The worm's creators released new variants that were able to spread very quickly, peaking at almost 250,000 hits in the second half of April. This activity was significantly different from that of similar malware, suggesting a renewed interest. The researchers warn users, especially those in corporate environments where this worm thrives best, to be on the lookout for Qakbot. It can steal keystrokes, digital certificates, POP3 account passwords, and FTP credentials, which are then used to infect Web pages with drive-by download code. It also targets online banking session tokens. Source:

58. May 23, The Register – (International) Researchers find irreparable flaw in popular CAPTCHAs. Computer scientists have developed software that easily defeats audio CAPTCHAs offered on account registration pages of a half-dozen popular Web sites by exploiting inherent weaknesses in the automated tests designed to prevent fraud. Decaptcha is a two-phase audio-CAPTCHA solver that correctly breaks the puzzles with a 41-percent to 89-percent success rate on sites including eBay, Yahoo, Digg, and Microsoft's. The program works by removing background noise from the audio files, allowing only the spoken characters needed to complete the test to remain. In virtually all of the tests, Decaptcha was able to correctly solve the puzzle at least once in every 100 attempts, making the technique suitable for botmasters with large armies of compromised computers. The high success rate was largely the result of the ease of removing sound distortions known as background noise, intermediate noise, and constant noise, which are inserted into the audio to throw off speech-recognition programs. Most audio-based CAPTCHA systems are wide open to the attack. Source:

Communications Sector

59. May 24, Waterbury Republican-American – (Connecticut) Texas men charged after trooper finds them on tower. Two men from Texas who got around a barbed-wire fence and climbed the communications tower at Mohawk State Forest in Cornwall, Connecticut, were arrested May 23. State police said a 20-year-old man, of Spring Branch, and a 26-year-old man, of Fredericksburg, were in the tower when a state trooper spotted lights flickering from it while he was on routine patrol. The 20-year-old was charged with second-degree criminal trespass and delivery of alcohol to a minor. The 26-year-old was charged with possession of drug paraphernalia, possession of a controlled substance, possession of liquor, and second-degree criminal trespass. They were both held overnight on $5,000 bond and arraigned May 23 in Bantam Superior Court. Police said there was no apparent damage to the communications tower. Source:

60. May 20, Nextgov – (National) LightSquared cell network knocks out first responders' GPS in tests. Initial tests of a controversial cellular broadband network planned by LightSquared showed the company's system knocked out global positioning system (GPS) receivers used by first responders. LightSquared of Reston, Virginia, tested its system last month at Holloman Air Force Base, New Mexico, with the participation of state police vehicles and county ambulances, both of which experienced outages from the company's cell tower, according to the director of the State of New Mexico E911 program. LightSquared operates in the 1525-1559 MHz and 1626.5-1660.5 MHz bands, and the Federal Communications Commission directed the tests to determine if the network interfered with GPS systems that operate in the nearby 1559-1610 MHz band. The director of E911, in a May 11 letter to the director of the Air Force Global Positioning Directorate, said the results of the April tests "substantiate concerns that the LightSquared network will cause interference to GPS signals and jeopardize 911 and public safety nationwide." LightSquared, the GPS industry, and numerous federal agencies are conducting tests through June to determine the extent of interference from the company's system to GPS receivers. The Federal Aviation Administration said another test of the LightSquared system started May 23 in Las Vegas, Nevada, and will continue through May 27. FAA warned of potential GPS outages within 300 miles of the LightSquared tower in Boulder City, Nevada, 25 miles southeast of Las Vegas. The U.S. defense and transportation departments have serious concerns about the impact LightSquared's network of 40,000 cell towers will have on GPS receivers. LightSquared maintains the interference is not caused by its system, but by sensitive GPS receivers that "see" into the frequency band the network uses. Source: