Friday, June 3, 2011

Complete DHS Daily Report for June 3, 2011

Daily Report

Top Stories

· Mount Clemens Daily Tribune reports that to prevent sewer backups, about 2.3 billion gallons of sewage was dumped into Lake St. Clair and other local waterways in Michigan due to recent heavy rains, forcing the continued closure of three local beaches. (See item 38)

38. June 1, Mount Clemens Daily Tribune – (Michigan) 2.6 billion gallons of sewage dumped into Lake St. Clair. About 2.3 billion gallons of sewage was dumped into Lake St. Clair and other local waterways in Michigan due to the recent heavy rains, forcing the continued closure of three local beaches. Metro Beach in Harrison Township and the two St. Clair Shores beaches — at Memorial Park and Blossom Heath — are off-limits because of high E. coli bacteria levels. The Macomb County Health Department is now reporting that the heavy rains that began May 25 caused sewer systems to overflow in 15 different locations along the lakeshore, the Clinton River and the river’s tributaries. Of the total pollution discharged, at least 2 million gallons consisted of raw sewage. The volume of untreated sewage that was spewed into the waterways starting May 25 could rise dramatically once all the figures are in. At the George W. Kuhn Drain in Madison Heights (formerly the Twelve Towns Drain), Oakland County officials sent 1.6 billion gallons of treated sewage gushing into the Red Run Drain over a 54-hour period on May 25-27. Officials said the discharges are necessary to prevent sewer backups that would flood thousands of home basements. As of June 1, the county has experienced 3.6 billion gallons of pollution discharges in 2011. Source:

· CNNMoney reports hundreds of personal Gmail accounts, including those of some senior U.S. government officials, were hacked as a result of a massive phishing scheme originating from China, Google said June 1. (See item 44)

44. June 2, CNNMoney – (International) Massive Gmail phishing attack hits top U.S. officials. Hundreds of personal Gmail accounts, including those of some senior U.S. government officials, were hacked as a result of a massive phishing scheme originating from China, Google said June 1. The account hijackings were a result of stolen passwords, likely by malware installed on victims’ computers or through victims’ responses to e-mails from malicious hackers posing as trusted sources. That type of hack is known as phishing. Gmail’s security systems themselves were not compromised, Google said. The company believes the phishing attack emanated from Jinan, China. In addition to the U.S. government personnel, other targets included South Korean government officials and federal workers of several other Asian countries, Chinese political activists, military personnel, and journalists. After the most recent cyber attack, a Chinese official insisted June 2 that his government takes the attacks seriously. A spokesman from Google declined to comment on how the company obtained the information about the most recent hack. Public information, user reports, and a third-party hacking blog called Contagio were used to determine the scope, targets, and source of the attack. Source:


Banking and Finance Sector

17. June 2, Salem News – (Massachusetts) Man, woman sought in 7 bank robberies are nabbed in Andover. Two suspects in a string of bank robberies stretching across eastern Massachusetts were arrested outside the Eastern Bank on Main Street in Salem, Massachusetts, at 5 p.m. May 31. The two are being charged by Andover police with attempting to commit a crime. They will likely face additional state and federal charges, according to an Andover police lieutenant. One of the suspects has already admitted to police that he was involved in seven other robberies across the state — at various banks in Lynnfield, Salem, Canton, Reading, Melrose, Braintree and Everett. The arrest was the culmination of a lengthy investigation by the FBI’s Violent Crimes Task Force and an all-day surveillance of the two suspects, police said. Source:

18. June 2, Omaha World-Herald – (Nebraska) Omahans accused of Ponzi scheme. An estimated 130 investors from the Omaha, Nebraska area lost everything they put into a supposed low-risk investment plan that authorities are now describing as a Ponzi scheme with a total loss of $4.7 million. The U.S. Commodity Futures Trading Commission has filed a federal lawsuit against an Omaha attorney and two Omaha residents, alleging that they defrauded investors of their money, engaged in a Ponzi scheme and spent investors’ money on golf club memberships and trips to Europe. The federal lawsuit alleges that the three used more than $850,000 to make Ponzi-style payments in which they redirected investors’ money to other investors to meet promised returns. According to the lawsuits, from August 2005 to at least July 2008, the three ran investment pools by the names Elite Entities and MJM Enterprises. They billed the pools as low-risk but aggressive ways to trade in commodity futures contracts and off-exchange foreign currency contracts. Instead of disclosing the pools’ actual trading performance, defendants periodically provided pool participants with account statements that showed huge returns. After the Nebraska Department of Banking and Finance began investigating the three, the lawsuit said, the deceit continued. The Trading Commission lawsuit contends that the three represented to the state that they had shut down Elite. The commission said they failed to inform state regulators that they had reorganized the business under the name MJM Enterprises. Source:

19. June 1, KFDA 10 Amarillo – (Texas) Banking breach has hundreds scrambling to recover money. It was confirmed June 1 that thousands of dollars have been stolen from account holders with The People’s Federal Credit Union in Texas. The banking breach has many scrambling to recover their money. A ring of criminals is cleaning out the debit card accounts of hundreds of account holders, many in Amarillo, Texas. The criminals are using a computer program to generate debit card numbers. When they find a valid number, they issue a card and use it at places in other states that do not require a pin. Source:

20. June 1, Minneapolis-St. Paul Business Journal – (Minnesota) MN man pleads guilty to $7M insurance scam. An Eden Prairie, Minnesota man pleaded guilty May 31 to one count of wire fraud and one count of money laundering in a $7 million insurance scam in which he submitted false claims for his business. He faces up to 20 years in prison for wire fraud and another 10 years for money laundering. The man was charged April 20 with defrauding Zurich North America by submitting false insurance claims for his business, Security Management Technologies. Prosecutors said the man reported lightning damage to supercomputers at his business in June 2008 and kept about $9.5 million meant for equipment replacement from the insurance company. He also kept $1.9 million for business interruption coverage that was based on a falsified tax return, according to the charges. Criminal investigators from the Internal Revenue Service seized three aircraft, a boat, three vehicles and more than $5 million from bank accounts. Source:

21. June 1, Grand Rapids Press – (Michigan; Illinois; Ohio) Saginaw woman pleads guilty in multi-state stolen check scheme. On June 1, a Saginaw, Michigan woman pleaded guilty to bank fraud in connection with a crime ring that stole purses to cash stolen checks and defraud banks in Michigan, Illinois and Ohio of at least $58,305. The government said that beginning in January, “several male associates whose real identities were not known to” the woman broke into parked cars and stole checkbooks and identification, including drivers’ licenses. “Thereafter, and at the direction of those male criminal associates, she forged high numbers of stolen checks by making them payable to other victims of the break-ins, disguised herself as those payee victims, and then used the stolen means of identification of payee victim to negotiate, or attempt to negotiate, the forged checks at banks …,” an assistant U.S. Attorney wrote in a plea agreement. The woman faces up to 30 years in prison when sentenced. Source:

22. June 1, Wall Street Journal – (International) IMF taking steps against possible hacking threat. The International Monetary Fund (IMF) has taken steps to combat a possible cyber attack from hacking group Anonymous Operations, a spokesman said June 1. Website Zero Hedge on June 1 had a post linking to an Anonymous Operations Twitter account that suggested hackers would target the IMF’s website in relation to the fund’s work with Greece. The IMF is one of several key negotiators trying to work with the struggling European nation as it seeks to restructure a bailout package and its debt obligations. In statements previously attributed to the group, the hacking collective has blamed the IMF and Greek government for the conditions of fund aid to the country. In a May 25 statement cited by Zero Hedge and attributed to Anonymous, the group said “the people of Greece have been left with no other option than to take to the streets in a peaceful revolution against the economic tyrants that are the IMF.” Source:

Information Technology

50. June 2, The Register – (International) Apple strikes back with update blocking new scareware. Apple has updated Mac OS X to detect a piece of scareware that managed to bypass its malware-blocking measures. A variant of a rogue antivirus package known as MacDefender was introduced May 31 that evaded the malware protection feature built into the latest version of the Mac operating system. The variant was introduced just hours after Apple had added a malware signature designed to stop downloads of the malicious program. The latest update is specifically designed to detect a file called mdInstall.pkg, which installs MacDefender.C. Like similarly named programs such as MacGuard, the programs get installed after Mac users are tricked into believing their machines are riddled with infections. The ruse works by presenting people surfing Google Images, Facebook, and other sites with images depicting an antivirus scan on a Mac hard drive. Inevitably, the scan falsely claims that the users’ machines are compromised and urges the rogue antivirus package be installed immediately. Apple added the MacDefender definitions May 31, following widely scattered evidence that the social engineering attacks were achieving their intended result. Source:

51. June 1, IDG News Service – (International) Facebook video scam puts malware on Mac and Windows. Facebook seems unable to stop scammers from circulating malicious Web links that install fake antivirus software on victims’ computers. The scam was spotted May 31 by antivirus vendor Sophos. At that time the criminals behind it were luring victims into installing the software by offering links purportedly to a video of the disgraced former International Monetary Fund Managing Director and a hotel maid. The scam switched June 1 and the link was supposed to be an X-rated video of two female celebrities. In both cases there is no such video. People who click on the link are sent to a Web site that tries to install the fake antivirus software. The scam is slightly different, depending on whether the victim is using a Mac or a PC. On the PC, the site tells victims that they need to install the latest version of Adobe Flash Player to watch the video. But the software they install is actually the fake antivirus program. On the Mac, there is a pop-up window that looks like a security warning. When victims click to “fix” the security problems, they end up installing the fake software. The same type of software, MacGuard or MacDefender, has recently been plaguing Mac users. Source:

52. June 1, Help Net Security – (International) Auto-dialing trojans migrate to Android devices. Auto-dialing malware has migrated from Symbian devices to Android ones, warn NetQin Mobile researchers. The trojan has been spotted embedded in over 20 Android applications offered for download on various online forums, including Donkey Jump, Jungle Monkey, Gold Miner, Voice SMS, Drag Racing, and others. Once one of these applications is installed, the trojan prompts the user to upgrade the app. The “upgrade” installs the trojan and prompts the user to restart the application, which formally activates the trojan. The goal of the trojan is to steal users’ private information and send it to a remote server, and to dial or send text messages to predetermined numbers, which results in higher monthly bills for the users. Source:

For another story, see item 44 above in Top Stories

Communications Sector

53. June 1, Fargo Forum – (North Dakota) WDAY TV, AM radio equipment damaged. After Memorial Day storms brought station programming to a halt for WDAY TV and WDAY-AM 970 radio, engineers are assessing damage. WDAY Channel 6 news went down May 30, and when a generator could not keep the equipment cool enough, programming was shut down. While regular programming resumed May 31, Xcel Energy restored power to the station about 4:50 p.m. Although there was no direct damage to the building or the station, the WDAY operations manager said the temperature will take its toll on the equipment. Even though no permanent damage was sustained to the news station, storms damaged all three WDAY-AM 970 radio towers. Source:

54. June 1, WRBL 3 Columbus – (Georgia) West Point conference call building evacuated, about 37 reported sick. The Senior Vice President of Global Operations for InterCall said the building located on O.G. Skinner Drive has been shut down after chemicals used to clean the building made at least 37 people sick in West Point, Georgia. He said the walls of the building were cleaned June 1 through June 2. When the 3rd shift employees came on, some of them reported being nauseous or having a headache. The West Point police chief was on scene of the evacuation. He said about 20 to 35 people so far have been transported to the hospital. Source:

Thursday, June 2, 2011

Complete DHS Daily Report for June 2, 2011

Daily Report

Top Stories

• According to the New York Post, New York City officials were scrambling to fix an online security lapse that permits detailed floor plans for buildings that are top terror targets to be downloaded from a city Web site. (See item 50)

50. May 31, New York Post – (New York) City officials move to have detailed floor plans of landmark buildings removed from department of finance’s Web site. New York City officials are scrambling to fix glaring online security lapses after the New York Post reported that detailed floor plans for top terror targets can be downloaded from the New York City Department of Finance’s Web site, a finance spokesman said May 31. The department, which maintains an online database of property records, is working with the New York Police Department to remove schematics and floor plans for landmark buildings that are often attached to routine leasing and deed documents. As the Post reported May 19, plans for 1 World Trade Center, which is currently under construction — and is described by the police commissioner as the nation’s No. 1 terror target — were posted on the finance department’s Web site, along with an updated leasing agreement. Law enforcement is now focusing on what else may be buried among the city’s online records. Source:

• The Associated Press reports that approaching floodwaters from the Missouri and Souris rivers May 31 forced crews to race to build miles of emergency levees to protect South Dakota’s capital city, and two North Dakota towns. (See item 62)

62. May 31, Associated Press – (North Dakota; South Dakota) Levees going up to protect South Dakota cities. Crews raced approaching floodwaters May 31 to complete emergency levees aimed at protecting South Dakota’s capital city, and two other towns as the swollen Missouri River rolled downstream from the Northern Plains. Meanwhile, the mayor of Minot, North Dakota, ordered a quarter of the city’s residents to evacuate areas along the flooding Souris River. He said the evacuation affects about 10,000 people who live along a 4-mile stretch of the Souris, which has risen with rain, snowmelt and discharges from Lake Darling. The mayor said residents are expected to be out of their homes by the night of June 1, in part to give construction crews room to raise and reinforce earthen dikes in the area. Residents of Dakota Dunes in southeastern South Dakota, below the final dam on the Missouri River, have been told to move their possessions to higher ground and be ready to leave their homes by June 2, a day before releases from the dams are set to increase again. The U.S. Army Corps of Engineers is increasing releases from the six dams on the Missouri to drain water from record rains of up to 8 inches that fell in eastern Montana and Wyoming and western North Dakota and South Dakota in the past 2 weeks. Heavy runoff from melting snow in the northern Rocky Mountains is expected to add to the problem soon. In North Dakota, more than 7 miles of levees were being built in Bismarck, and another 3.5 miles were going up across the river in Mandan. Source:


Banking and Finance Sector

14. May 31, Reuters – (National) SEC employee misled fellow investors: watchdog. A Securities and Exchange Commission (SEC) employee invested in a company accused of preying on deaf people, and misled fellow investors into thinking their money was safe despite an SEC probe. The SEC Inspector General (IG) recommended disciplinary action, including possible dismissal of the employee, according to a roundup of his recent and pending investigations sent to the U.S. Congress May 31. The IG’s office received a tip in February from a regional senior official who said a Washington, D.C.-based employee invested in an investment company that was the subject of an active investigation. The tipster accused the employee of “providing false, misleading and nonpublic information” to other investors, telling them the company was legitimate, and that they would “be receiving considerable sums of money from their investments.” The IG’s report did not mention the names of the employee or the company, but court records from these dates point to Imperia Invest IBC, an Internet-based investment company that allegedly targeted deaf investors and others by raising more than $7 million from them without delivering a single payment. A federal judge in Utah later ordered the firm to pay $15.2 million in disgorgement and prejudgment interest. The IG said the SEC employee later admitted to communicating with investors and was placed on administrative leave. Source:

15. May 31, Salt Lake Tribune – (Utah) Sandy man accused in $12 million Ponzi scheme. A Sandy, Utah man was indicted May 31 for allegedly running a Ponzi scheme that took in about $12 million from investors, who were told some of the money would go into the development of a human jet-pack rocket suit. The man was charged with 17 counts of money laundering, and wire and bank fraud. Between January 2007 and March 2010, the man held investment club meetings, where he portrayed himself as a successful investor, the indictment released May 31 said. The man advised potential investors to use an “equity mining” scheme to obtain investment money. He encouraged them to inflate their income or assets on bank documents to obtain loans for houses, boats or other luxury items that were for more than the items actually sold for, with the difference to be invested with him, the indictment states. “Virtually all of investors’ money was used by [the man] to either pay ‘returns’ to other investors or for his own personal use,” the U.S. Attorney’s Office for Utah said in a news release. Between 75 and 100 investors gave the man more than $12 million, the indictment said. If convicted, the suspect faces up to 30 years in prison on the bank fraud counts, and lesser time for the other charges, plus potentially millions of dollars in fines. Source:

16. May 31, Associated Press – (International) Canadian pleads guilty in Vermont bank fraud case. A Canadian man pleaded guilty May 31 for his part in what Vermont prosecutors said was a bank fraud scheme. The 48-year-old man, of Quebec, Canada entered the plea May 31 in federal court in Rutland. Prosecutors said that during a 3-month period in 2010 and 2011, the man defrauded People’s United Bank and Passumpsic Savings Bank of about $92,000. They said he did it by opening checking accounts at the banks’ Newport offices and depositing checks drawn on banks in Canada even though he knew there was not enough money to cover them. The man, who was arrested by Newport police in March, faces up to 30 years in prison. Source:

17. May 31, Associated Press – (Arizona) Former Phoenix loan officer pleads guilty in $40 million mortgage fraud case. A former Phoenix, Arizona loan officer pleaded guilty May 27 in two separate fraud cases. The U.S. attorney’s office said May 31 the suspect entered guilty pleas to 13 charges of mortgage, bankruptcy, bank and mail fraud in federal court May 27. The woman admitted to her leadership role in a $40 million mortgage fraud involving Countrywide Home Loans. From January 2005 to December 2007, the woman admitted, she and others recruited straw buyers to purchase homes by obtaining loans using false information. The loans were obtained based on inflated property appraisals, and the extra $9 million was diverted to the woman and others in the case. Source:

Information Technology

43. June 1, Computerworld – (International) Google faces new round of Android malware. For the second time in 3 months, Google pulled dozens of malware-infected smartphone apps from the Android Market. The 34 apps were pulled over the weekend of May 28 and 29, and May 31 by Google after security researchers notified the company. As in the March episode, when Google removed more than 50 apps, the newest round consisted of pirated legitimate programs that had been modified with malicious code and then re-released to the Android Market under false names. However, there was an important difference to this campaign, said the CTO of Lookout, a firm that specializes in mobile security. “These apps have the ability to fire up a page on the Android Market,” he said, adding that the hackers can send commands to the smartphone telling it what market page to display. He speculated that the attackers intended the new feature as a way to dupe users into downloading additional rogue apps that would have malicious functions, just as when a hijacked PC is told to retrieve more malware. “They seem to have been designed to encourage people to install additional payloads,” he said. He said it was impossible to deduce hacker intent from the malicious apps’ code, but he believed the criminals took the new path because social-engineering attacks — those that rely on tricking victims into installing malware rather than depending on an exploited vulnerability — are more difficult to defend against. Source:

44. June 1, H Security – (International) Wireshark updates close security holes. The Wireshark development team has announced the release of versions 1.2.17 and 1.4.7 of its open source, cross-platform network protocol analyzer. According to the developers, these maintenance and security updates address multiple vulnerabilities that could, for example, cause the application to crash “by injecting a series of malformed packets onto the wire or by convincing someone to read a malformed packet trace file.” These include issues related to a large/infinite loop in the DICOM dissector in Wireshark 1.4.x, and, in the 1.2.x branch, bugs in the X.509if dissector. A number of bugs in some of the 1.4.x dissectors have also been fixed. Source:

45. May 31, Softpedia – (International) Remote desktop access to infected PCs being sold by the unit. Security researchers from RSA warn that cyber criminals are increasingly selling remote desktop access to infected computers by the unit based on several criteria. Such services are being offered by the traditional CC shops that specialize in the selling of stolen credit card information. “It is rather common that CC shop operators are also bot-herders (or people who have access to botnets), selling the stolen CC data collected by their Trojans. By adding the sale of RDP access to his shop, the seller grants fraudsters the choice to exploit PCs they would otherwise have no way of tampering with,” the RSA researchers explained. The selling of Remote Desktop Protocol (RDP) access credentials has been practiced before, but usually in an unorganized fashion and not in specific volume quantities. The new service allows fraudsters to filter their purchases by geographic location (country, region, city), the bandwidth available to the computer (download and upload separately), the RDP user’s level of access (admin or not), OS version, and even hardware specs such as CPU and RAM. Source:

46. May 31, Computerworld – (International) Mac OS update detects, deletes MacDefender ‘scareware’. Apple May 31 released an update for Snow Leopard that warns users they have downloaded fake Mac security software and claims to scrub machines already infected with the so-called “scareware.” A security researcher with Sophos confirmed the update alerts users when they try to download any bogus MacDefender antivirus software. The update, labeled 2011-003, adds a new definition to the rudimentary antivirus detection engine embedded in Mac OS X 10.6 (Snow Leopard), and also changes the frequency with which the operating system checks for new definitions to daily. Before May 31, Apple had added only five detection signatures to the antivirus component of Snow Leopard. Source:

47. May 31, Softpedia – (International) Boot loader for unsigned drivers is being advertised on underground forums. Security researchers from antivirus vendor ESET have spotted an offer on the underground market for a new boot loader capable of loading unsigned drivers. The offer was spotted on a Russian-language forum and the poster claims his “boot loader for drivers” that do not require a digital signature is still being tested. This type of malware, which installs itself in the master boot record (MBR) and can control how Windows starts, is in high demand because of its resiliency. One of the most well known threats that display this behavior is TDL4, a bootkit that is able to infect all forms of Windows, including 64-bit ones. The TDL4 developers are definitely not amateurs and are able to come up with sophisticated techniques to bypass the protections introduced by Microsoft. During April’s Patch Tuesday, Microsoft released a patch that targeted bootkits and TDL4 in particular. The modifications made to some system files rendered the malware nonfunctional. Within half a month, the TDL4 developers had already adapted to the change and put out a new version capable of overcoming the protections put in place by Microsoft. Source:

48. May 31, H Security – (International) Python 2.5.6 fixes medium severity issues. For those still running Python 2.5.x, the release of Python 2.5.6 is likely to be the last release of Python 2.5; after October 2011 there will be no more security issues fixed in Python 2.5 and it is recommended that users update to Python 2.7.1, which is the latest version of the current Python 2.x series. The Python 2.5.6 update fixes a number of medium severity issues. These are a vulnerability to XSS attacks in SimpleHTTPServer, a failure to follow redirections with file: schemes in urllib and urllib2 (CVE-2011-1521), incorrect integer overflow checks (CVE-2010-1634), and a denial of service vulnerability in audioop (CVE-2010-2089). Source:
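The urllib redirect bug listed above (CVE-2011-1521, a redirect followed into a file: scheme) is a useful one to see from the client side. The following is an added example, not code from the article or from the Python project: a Python 3 urllib redirect handler that resolves the Location header against the request URL and refuses to follow any redirect whose scheme is not http or https. Modern Python already performs a comparable scheme check internally; this handler simply makes the policy explicit and testable. The URLs and hostnames (example.invalid) are constructed for the demonstration.

```python
import urllib.request
from urllib.error import HTTPError
from urllib.parse import urljoin, urlparse

# Only these schemes may be the target of a redirect. A server answering
# "Location: file:///etc/passwd" would otherwise be asking the client to
# read a local file and hand it back as the response body.
ALLOWED_REDIRECT_SCHEMES = ("http", "https")


class SchemeRestrictedRedirectHandler(urllib.request.HTTPRedirectHandler):
    """Redirect handler that only follows Location headers pointing at http(s)."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        # Location may be relative ("/next"); resolve it against the request URL
        # first so that a relative target keeps the original scheme.
        absolute = urljoin(req.full_url, newurl)
        scheme = urlparse(absolute).scheme.lower()
        if scheme not in ALLOWED_REDIRECT_SCHEMES:
            raise HTTPError(
                absolute, code,
                "%s - refusing redirect to scheme %r" % (msg, scheme),
                headers, fp,
            )
        # Delegate the normal 301/302/303/307/308 handling to the base class.
        return super().redirect_request(req, fp, code, msg, headers, absolute)


def safe_redirect_target(current_url, location, code=302):
    """Return the absolute URL a redirect would go to, or None if it is refused.

    Exercises the handler offline: no request is sent, the Location value is
    simply passed through the same check the opener would apply.
    """
    handler = SchemeRestrictedRedirectHandler()
    req = urllib.request.Request(current_url)
    try:
        new_req = handler.redirect_request(req, None, code, "Found", {}, location)
    except HTTPError:
        return None
    return new_req.full_url


def build_opener():
    """Opener that applies the scheme restriction to every redirect it follows."""
    return urllib.request.build_opener(SchemeRestrictedRedirectHandler)


if __name__ == "__main__":
    # Constructed Location values: a relative path, an https URL, a file: URL.
    for loc in ("/next", "https://example.invalid/login", "file:///etc/passwd"):
        print("%-32s -> %s" % (loc, safe_redirect_target("http://example.invalid/start", loc)))
```

`build_opener()` returns an opener that can be used in place of `urllib.request.urlopen`; the check runs on every hop of a redirect chain, not only the first, because the handler is consulted for each 3xx response.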

49. May 26, – (International) Spammers using domain parking services to bypass anti-spam filters. Security experts are warning that spammers are increasingly taking advantage of domain parking services offered by registrars in an attempt to circumvent reputation-based anti-spam products and conceal their sites.’s senior software engineer explained in a blog post that parking services are usually used by registrants to reserve a domain for future use to mitigate the risk of cyber squatting, or to monetize a particular domain through online advertising. However, his team recently noticed “a large domain parking service being abused by spammers on a massive scale.” “Each domain hosted on the service contains an open redirect script, allowing spammers to redirect to any URL of their choice,” he said. “Since the redirect does not affect the parking page, and domains parked on domain parking services are typically not used for any other purpose, it is unlikely that the domain owners will notice when their domains are inevitably added to anti-spam block lists.” The researcher warned that such strategies could help spammers escape detection by some anti-spam products, especially given that many of the domains have been registered for years and are therefore seen as more likely to have a good reputation. Source:
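The point of the parked-domain abuse described above is that a reputation lookup on the link's own domain tells the filter nothing; the domain that matters is the one the redirect lands on. As an added example, not from the article or from the vendor it quotes, the Python below statically extracts the redirect target from a link before any reputation check. It assumes the parking service's open redirect takes its destination as a query-string parameter carrying an absolute URL (the article does not state the mechanism, so this is an assumption), and it follows nested, percent-encoded targets up to a fixed hop limit. All sample links and hostnames are constructed.

```python
from urllib.parse import urlparse, parse_qsl

# Bound on how many embedded redirects to unwrap; protects against
# deliberately deep nesting designed to exhaust the filter.
MAX_HOPS = 5


def _embedded_urls(url):
    """Yield absolute http(s) URLs carried as query-string values of `url`.

    parse_qsl percent-decodes each value once, so a target encoded as
    http%3A%2F%2F... comes back as a plain http:// URL.
    """
    parsed = urlparse(url)
    for _name, value in parse_qsl(parsed.query, keep_blank_values=True):
        candidate = urlparse(value)
        if candidate.scheme in ("http", "https") and candidate.netloc:
            yield value


def resolve_redirect_chain(url, max_hops=MAX_HOPS):
    """Statically follow embedded redirect targets without fetching anything.

    Returns the list of hops, starting with `url` itself. Only the first
    embedded URL at each level is followed.
    """
    chain = [url]
    while len(chain) <= max_hops:
        nested = list(_embedded_urls(chain[-1]))
        if not nested:
            break
        chain.append(nested[0])
    return chain


def reputation_host(url):
    """Hostname a reputation lookup should be keyed on: the final destination."""
    return urlparse(resolve_redirect_chain(url)[-1]).hostname


def classify_link(url):
    """Summarise a link for a mail filter: where it points versus where it lands."""
    chain = resolve_redirect_chain(url)
    return {
        "link_host": urlparse(url).hostname,
        "final_host": urlparse(chain[-1]).hostname,
        "hops": len(chain) - 1,
        "open_redirect_suspected": len(chain) > 1,
    }


if __name__ == "__main__":
    # Constructed sample links: a plain article link, a parked domain wrapping
    # a spam landing page, and a parked domain wrapping another parked domain.
    samples = [
        "http://news.example/article?id=42",
        "http://parked.example/?u=http%3A%2F%2Fspam-landing.example%2Foffer",
        "http://parked.example/?go=http%3A%2F%2Fother-parked.example%2F%3Furl%3D"
        "http%253A%252F%252Fspam.example%252F",
    ]
    for link in samples:
        print(classify_link(link))
```

The filter should apply its block lists to `final_host` rather than `link_host`; a parked domain with years of clean history then no longer lends its reputation to whatever the spammer placed behind it.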

For another story, see item 50 above in Top Stories

Communications Sector

See item 43 above in Information Technology