Wednesday, June 22, 2011

Complete DHS Daily Report for June 22, 2011

Daily Report

Top Stories

• According to the Associated Press, Pacific Gas & Electric Co. agreed to pay $26 million and acknowledged safety violations in a 2008 fatal natural gas explosion that destroyed one home and damaged several others in California. (See item 4)

4. June 20, Associated Press – (California) PG&E admits safety violations in fatal 2008 Sacramento-area home explosion, will pay $26M fine. Pacific Gas & Electric Co. (PG&E) has agreed to pay $26 million in penalties and acknowledged safety violations in a fatal natural gas explosion that destroyed one home and damaged several others in a Sacramento, California suburb December 24, 2008, state regulators said June 20. The explosion in Rancho Cordova killed one man and injured five others. Investigators found PG&E installed incorrect pipe during a repair in 2006, and was slow in responding to a leak report the day of the blast. The motion to approve the agreement — signed by attorneys for both the commission’s Consumer Protection and Safety Division and the company — cited February 2011 testimony in which “PG&E stated, ‘The tragic explosion and fire ... resulted from a series of failures by PG&E employees to follow prescribed procedures, failures for which PG&E takes full responsibility.’” Under the terms of the stipulated resolution, PG&E would pay a $26 million fine to the state’s general fund and agree that it violated several pipeline safety regulations. In addition, the company would pay the costs of the state investigation and the proceedings against the utility. The fines and costs would be charged to shareholders, not customers. Source:

• ABC News reports 11 companies, including Iran’s state-sponsored shipping line, were indicted in New York City for conspiring to evade U.S. sanctions on trade with Iran by duping major U.S. banks to funnel more than $60 million through them. See item 19 below in the Banking and Finance Sector


Banking and Finance Sector

15. June 21, – (International) Debit breach hits Ohio accounts. The recent breaches that affected dozens of Northeast Ohio banks and credit unions were most likely caused by the interception of CVV2 card security codes, a senior director of fraud product management at the Fair Isaac Corporation (FICO) said June 20. The fraudsters, using stolen debit details, hit accounts with fraudulent signature-based transactions used for online and over-the-phone purchases. Based on the number of organizations hit, tens of thousands of accounts may have been exposed. The affected banks include Keybank, Dollar Bank, Fifth Third, PNC, Huntington, Charter One, Ohio Savings, and FirstMerit. At least six credit unions also were reportedly hit. Fraudulent purchases, some of which neared $4,000, at Walmart, AutoZone and CVS were reported. Other transactions were initiated overseas, including some in Germany and the Philippines. The Electronic Crimes Task Force, a unit of the U.S. Secret Service, is in charge of the investigation. The breach could also have been related to a phishing scheme, through which attackers gathered card information directly from consumers. Source:

16. June 21, Federal Trade Commission – (National) First Universal Lending: FTC stops bogus loan modification firm. Under a settlement with the Federal Trade Commission (FTC), a federal court banned three men and their company from the mortgage modification business, and ordered them to pay nearly $19 million for consumer refunds. The defendants allegedly deceived distressed homeowners with phony claims they would negotiate with lenders to modify mortgages and make them more affordable, the FTC announced in a June 21 news release. The agency sued First Universal Lending and its owners in November 2009 as part of Project Stolen Hope, a federal-state crackdown on mortgage foreclosure rescue, and loan modification scams. As alleged in the FTC’s complaint, the defendants encouraged homeowners to stop making mortgage payments, saying lenders would not negotiate unless they were at least a few months behind on payments. After charging up to $7,000 in up-front fees, the defendants often did little or nothing to help consumers, the agency charged. The court subsequently halted the defendants’ operation, froze their assets, and ordered them to disable their Web sites and computers. In addition to imposing a judgment of more than $18.8 million against the defendants, the settlement order bans them from the mortgage relief services business. Source:

17. June 21, Sarasota Herald Tribune – (National) Marian Morgan may change plea in Ponzi scheme case. A Sarasota, Florida woman — whose e-mails to investors marked her as the ringleader in an alleged $27 million Ponzi scheme — has asked for a June 22 hearing potentially to change her plea to guilty as a September trial date loomed. Last month, the government filed a broader indictment, adding two defendants and saying all four conspired together, and raising the alleged amount stolen to $27 million from $10 million. Simultaneously with the new indictment, prosecutors obtained the cooperation of a newly named defendant, an Omaha promoter known mostly for oil and gas deals, who admitted to funneling about $13 million to the so-called investment vehicle, Morgan European Holdings. Source:

18. June 21, Florence Times Daily – (Alabama) Former bank VP arrested. A former vice president at Farmers and Merchants Bank of Waterloo, Alabama was arraigned June 20 in federal court and accused of defrauding more than $1.4 million from the bank during a 6-year period, based on court records. The man was charged with one count of bank fraud, and three counts of altering bank records, based on documents filed in the U.S. attorney’s office in Birmingham. The documents accuse the man of defrauding the bank of $1.406 million between March 2004 and August 2010. FBI agents investigated the allegations after possible loan problems were discovered as bank officials prepared for an audit by state banking examiners. Documents show some customers reported that loans in their name were made without their knowledge, and the accused former vice president orchestrated the scheme. He is accused of approving loans to several bank customers and later changing names of the borrowers to other customers who never asked for the money. Court documents state the man changed names in an effort to hide nonpayment on the loans. Source:

19. June 20, ABC News – (International) Iran scam to evade terror sanctions busted, NYC official says. Eleven companies, including Iran’s state-sponsored shipping line, were indicted in New York City June 20 for allegedly conspiring to evade U.S. sanctions on trade with Iran by duping major U.S. banks in order to funnel more than $60 million through the Manhattan banks. The conspiracy indictment seeks to enforce a U.S. ban on trading with Iran that was imposed because the country harbors terrorists and participates in the proliferation of weapons of mass destruction. Iran’s national shipping company is alleged to play a key logistical role in that nation’s ballistic missile program as well as to serve as a conduit for supplying weapons to terrorist organizations. The Islamic Republic of Iran Shipping Lines (IRISL), its regional offices, and affiliates as well as five individuals were charged in the 319-count indictment with using corporate shells and aliases to “exploit the services of financial institutions located in Manhattan,” the district attorney said. According to the indictment, the state-sponsored shipping company allegedly sent or received scores of illegal payments through Manhattan banks by using alias names and corporate alter egos in Singapore, the United Arab Emirates, and the United Kingdom. Among the banks whose security measures were circumvented in the alleged conspiracy were JP Morgan Chase, Standard Chartered Bank, Bank of New York Mellon Corp, HSBC, Deutsche Bank Trust Company Americas, Bank of America, Citibank, and Wachovia (now Wells Fargo), the indictment said. Source:

20. June 20, Associated Press – (National) Finance researcher convicted in trade fraud. A finance researcher who prosecutors said used code words like “recipes,” “cooks,” and “sugar” to disguise an insider trading scheme was convicted of wire fraud June 20 in federal court. She also was convicted of conspiracy to commit securities fraud and wire fraud in one of the first trials to result from a government crackdown of Wall Street middlemen suspected of peddling inside information as if it were legitimate research. The 43-year-old Fremont, California woman was among 13 people arrested last year on charges she conspired to accept cash and gifts to feed inside information to hedge funds. Most of the other defendants have pleaded guilty. The investigation into Primary Global Research grew out of what prosecutors have called the largest hedge fund insider trading case in history. The main defendant in that case, a one-time billionaire, is awaiting sentencing after being convicted last month for fraud associated with his Galleon Group of hedge funds. Source:

21. June 20, WISH 8 Indianapolis – (Indiana) Indianapolis man charged in string of bank robberies. An Indianapolis, Indiana man was charged June 20 in connection with a string of bank robberies. The U.S. attorney’s office said the 45-year-old man was involved in thefts at eight Indianapolis banks. The FBI was involved in the investigation, along with the Indianapolis Metropolitan Police Department, and the Marion County Sheriff’s Department. If convicted, the suspect could face up to a maximum of 20 years in prison and a $250,000 fine on each of the eight counts of bank robbery. Source:

Information Technology Sector

49. June 21, Associated Press – (International) UK police make arrest in hacking attacks. A 19-year-old man was arrested June 20 in Wickford, England, on suspicion of hacking attacks on Sony and the CIA Web site, British police said June 21. The Metropolitan Police said the arrest took place following a joint operation by its Internet crimes unit and the FBI. Police would not say if the suspect was tied to the Lulz Security hacking collective, which has claimed responsibility for recent high-profile attacks, but did confirm that a computer seized in the operation will be examined for Sony data. Lulz had boasted of successfully hacking Sony in addition to subsequent attacks on the CIA Web page and the U.S. Senate computer system. The hackers recently called for “war” on governments that control the Internet. The teenager was taken to a central London police station for questioning, police said. Officers are conducting forensic examinations on “a significant amount of material” found in the search of a home following the arrest. Source:

50. June 21, IDG News Service – (International) Dropbox left document storage accounts open for four hours. Online storage service Dropbox accidentally turned off password authentication for its 25 million users for 4 hours June 20 — although much less than 1 percent of those accounts were accessed during the period, the company said. It is still investigating whether any of those accounts were improperly accessed. Dropbox’s CTO wrote that the company introduced a code change at 1:54 p.m. PST that caused a problem in the authentication mechanism. About 4 hours later, the problem was discovered, and Dropbox killed all of the sessions of those who were logged in at the time. A fix was introduced at 5:46 p.m. PST, the CTO said. Source:

51. June 21, H Security – (International) Firefox and Thunderbird updates patch security holes. The Mozilla Project has published updates for Firefox and Thunderbird to fix several bugs and other critical issues found in previous versions. The latest Firefox 5 rapid release update addresses a total of eight security vulnerabilities, five of which are rated as “Critical” by Mozilla. Previous versions of the browser (up to and including 4.0.1) contained a bug in a JavaScript Array object that could result in an integer overflow and the execution of malicious code, as well as a crash on multipart/x-mixed-replace images due to memory corruption. A number of critical memory safety hazards in the browser engine have been fixed. The update to the 3.6.x branch of Firefox, version 3.6.18, fixes nearly 20 bugs. These include four of the critical security holes noted above, as well as another critical issue related to multiple dangling pointer problems, and a cookie isolation error. As Thunderbird 3.1.x is based on the same Gecko browser engine as Firefox 3.6.x, the 3.1.11 update addresses most, if not all of the vulnerabilities fixed in Firefox 3.6.18. Source:

52. June 21, threatpost – (International) Android NFC bug could be first of many. Google is working on a fix for a newly discovered vulnerability affecting Nexus S Android phones that could cause applications on the phone to crash using incorrectly formatted Near Field Communications (NFC) transactions. The issue could result in denial of service attacks on Nexus S applications. It is one of the first publicly disclosed vulnerabilities concerning the NFC features of the Nexus S, and could be the first of many related to NFC — a powerful communications protocol that phone makers, carriers, and merchants hope to use for everything from mobile phone payments to information kiosks, experts warn. The vulnerability was among a handful discovered by a student at the Technische Universitaet Berlin and a well-known researcher on mobile device security. He said the vulnerability was one that could allow a malicious NFC tag to send incorrect information to a Nexus S phone. For example: a rogue or misconfigured smart tag could request a memory allocation from an NFC-enabled phone that is in excess of the amount of memory on the phone itself. That could cause the NFC service on Nexus S phones to crash unexpectedly, he said. Source:

53. June 20, IDG News Service – (International) Researchers: Amazon cloud users leave security holes. Researchers in Germany have found security problems within Amazon’s cloud-computing services due to its customers ignoring or forgetting published security tips. Amazon offers computing power and storage using its infrastructure via its Web services division. The platform allows people to quickly roll out services and upgrade or downgrade according to their needs. A postdoctoral researcher in the System Security Lab of Technische Universitat Darmstadt said June 20 Amazon’s Web Services is so easy to use that a lot of people create virtual machines without following the security guidelines. In what they termed the most critical discovery, the researchers found the private keys used to authenticate with services such as the Elastic Compute Cloud (EC2) or the Simple Storage Service (S3) were publicly published in Amazon Machine Images (AMIs), which are pre-configured operating systems and application software used to create virtual machines. The keys should not be there. “They [Customers] just forgot to remove their API keys from machines before publishing,” the researcher said. The consequences could be expensive: With those keys, an interloper could start up services on EC2 or S3 and create “virtual infrastructure worth several thousands of dollars per day at the expense of the key holder,” according to the researchers. They looked at 1,100 AMIs and found another common problem: One-third of those AMIs contained SSH (Secure Shell) host keys or user keys. Source:
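A pre-publication check of the kind the researchers' findings call for, as an added example that is not code from the report, the researchers, or Amazon; it walks a mounted image root (represented here by a temporary directory) and flags SSH host/user private keys, EC2 API private keys and embedded AWS access key ids before an AMI is shared. The path checklist and the sample image tree are constructed for this example.

```python
"""Constructed pre-publication scan of a staged AMI root for credential material."""
import os
import re
import tempfile

# Path checklist (hypothetical, assembled for this example, not from the report).
SENSITIVE_PATHS = [
    (re.compile(r"^/etc/ssh/ssh_host_[a-z0-9]+_key$"), "ssh host private key"),
    (re.compile(r"^/(?:root|home/[^/]+)/\.ssh/id_[a-z0-9]+$"), "ssh user private key"),
    (re.compile(r"^/(?:root|home/[^/]+)/\.ec2/pk-[A-Za-z0-9]+\.pem$"), "ec2 api private key"),
    (re.compile(r"^/(?:root|home/[^/]+)/\.bash_history$"), "shell history"),
]
# Content checklist: PEM private-key header and the AWS access key id format.
PEM_KEY = re.compile(rb"-----BEGIN (?:RSA |DSA |EC )?PRIVATE KEY-----")
AWS_KEY_ID = re.compile(rb"\bAKIA[A-Z0-9]{16}\b")
MAX_READ = 64 * 1024  # inspect only the head of each file


def scan_image_root(root):
    """Walk the mounted image root; return sorted (image_path, reason) findings."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            # Path as it will appear inside the booted image, e.g. /etc/ssh/...
            image_path = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            for pattern, reason in SENSITIVE_PATHS:
                if pattern.search(image_path):
                    findings.add((image_path, reason))
            if os.path.islink(full):
                continue  # do not chase symlinks out of the image tree
            try:
                with open(full, "rb") as fh:
                    head = fh.read(MAX_READ)
            except OSError:
                continue
            if PEM_KEY.search(head):
                findings.add((image_path, "pem private key content"))
            if AWS_KEY_ID.search(head):
                findings.add((image_path, "aws access key id"))
    return sorted(findings)


def build_sample_root():
    """Create a constructed image tree: three leaked artefacts plus one clean file."""
    root = tempfile.mkdtemp(prefix="ami-root-")
    samples = {
        "etc/ssh/ssh_host_rsa_key": b"-----BEGIN RSA PRIVATE KEY-----\nconstructed\n",
        "root/.ec2/pk-CONSTRUCTED.pem": b"-----BEGIN PRIVATE KEY-----\nconstructed\n",
        # AKIAIOSFODNN7EXAMPLE is the placeholder key id used in AWS documentation.
        "home/app/app.conf": b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n",
        "etc/hostname": b"build-host\n",
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for image_path, reason in scan_image_root(build_sample_root()):
        print(f"{image_path}: {reason}")
```

Any finding should block the publish step; a key that has already been exported in an image has to be treated as compromised and rotated, not just deleted from the next build.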

54. June 20, CSO – (International) Mesh networks may make SQL injection attacks more persistent. Massive Web site compromises using a technique known as structured query language (SQL) injection have long been a top security concern for Web developers and site owners. Now, the attacks may become harder to detect and prevent, according to one security firm’s analysis. Web security firm Armorize announced it detected a new type of mass SQL injection attack that uses a simple form of peer-to-peer networking to make the compromised network hard to take down. Historically, mass Web attacks are simple: Code written in SQL is sent to the back-end Web database using a vulnerability in the site’s code. When the security flaw is in a common application, the attack can compromise thousands of sites at the same time. In the latest version of the attack, rather than injecting sites with a single static script that points visitor browsers to a handful of malicious download sites, the attackers create a dynamic script that sends visitors to a previously compromised Web server. The new technique makes blacklisting much harder, according to Armorize’s president and chief technology officer. Source:

55. June 17, U.S. Immigration and Customs Enforcement – (Texas; International) Wichita Falls, Texas, man, pleads guilty in federal court to copyright infringement of computer software. A man from Wichita Falls, Texas, pleaded guilty June 16 before a U.S. magistrate judge to one count of copyright infringement, a U.S. attorney from the Northern District of Texas announced. The man, who is presently in federal custody, faces a maximum statutory sentence of 5 years in prison and a $250,000 fine. Also, he could be ordered to pay restitution. Sentencing is scheduled for October 25. According to documents filed in the case, from June 8, 2006 through April 9, 2007, the convict infringed the copyrighted works of Adobe Systems Inc. by reproducing copies of software for his financial gain. The investigation revealed the man owned and operated various Web sites, including,,,,, and These sites, which he advertised online, offered “backup” copies of software, owned by Adobe, Microsoft, and Autodesk Inc., for sale at about one-fifth of the manufacturer’s retail value. The man also provided counterfeit product registration codes (serial numbers) that were distributed with the software so that the customer could install the software. Source:

For another story see item 57 below in the Communications Sector

Communications Sector

56. June 21, Omaha World-Herald – (Iowa; Nebraska) Flooding affects cell towers. Flooding along the Missouri River has prompted AT&T and Sprint Nextel to take a number of cellular towers along the Nebraska-Iowa border offline June 20. Sprint and AT&T eliminated power and service to 12 sites in flooded areas along Interstate 29. Flood levels would damage equipment, including radio and satellite facilities, and the electronics that are stored underground beneath each tower. Sprint built a sandbag fortress and plugged pipes around one of its Omaha, Nebraska wire line switches that powers some of its business land-line customers in the Omaha metropolitan area, and AT&T erected two temporary cell sites in areas not affected by flooding. Two areas affected most by the AT&T outages are I-29 between Pacific Junction, Iowa, and Nebraska City, Nebraska and a patch between Little Sioux and Missouri Valley in Iowa. Source:

57. June 21, InformationWeek – (International) Network Solutions suffers DDoS attack. Network Solutions apparently began suffering a distributed denial of service (DDoS) attack June 20 that left its customers unable to access DNS servers, hosted Web sites, servers, or e-mail accounts. Reports of outages began appearing late June 20, and by June 21 the company was blaming a DDoS attack. “Some customers may see interruptions caused by a ddos distributed denial of service attack. Our network folks are working on it,” said multiple posts to the Network Solutions Twitter feed the morning of June 21. In a direct response to a customer query June 21, another Network Solutions Twitter message said, “We are dealing with external factors. Your sites are up but dados preventing ppl from reaching. Them”— suggesting a chaotic environment in the support center, as well as the continuing persistence of the DDoS (apparently mistyped as “Dados”) attack. “Network Solutions indicated to us that they had a major DoS attack, which crippled their system, and anyone who has a domain name registered with them,” said the president and CEO and Hospitality Consultants. “The result was that no access to servers or domains was possible for several hours,” beginning at about 6:30 a.m. June 21, EST. Source:

58. June 20, IDG News Service – (International) LightSquared may change bands to save GPS. Mobile broadband startup LightSquared proposed an alternative network plan June 20 in which it would use different frequencies to prevent interference with Global Positioning Systems (GPS). LightSquared said it proposed setting aside the part of its spectrum closest to the frequencies used by GPS and instead using a band controlled by satellite carrier Inmarsat. The company recently reached an agreement with Inmarsat that allows it to use that spectrum. In its original plan, LightSquared would have moved into that band over 2 or 3 years as its business grew. Instead, it will use those frequencies from the beginning. The Federal Communications Commission set a deadline June 15 for that testing, but granted LightSquared an extension until July 1. After evaluating the data from the tests, LightSquared said it started developing an alternative spectrum plan to reduce interference. The plan involves the company temporarily leaving one band of 10MHz of spectrum for another 10MHz band that is lower in frequency. The lower band is farther from the GPS frequencies and is largely free of interference problems except for an effect on “a limited number of high-precision GPS receivers,” LightSquared said. The higher band that it originally had planned to use in its launch will be set aside for testing and developing mitigation plans over the next few years, the company said. Source:

59. June 20, The Register – (International) Web authentication authority suffers security breach. Another Web authentication authority has been attacked by hackers intent on minting counterfeit certificates that would allow them to spoof the authenticated pages of high-profile sites. Israel-based StartCom, which operates StartSSL, suffered a security breach June 15, the company said in an advisory. The certificate authority, which is trusted by the Microsoft Internet Explorer, Google Chrome, and Mozilla Firefox browsers to vouch for the authenticity of sensitive Web sites, has suspended issuance of digital certificates and related services until further notice. StartCom’s CTO and COO told The Register the attackers targeted many of the same Web sites targeted during a similar breach in March against certificate authority Comodo. The hackers behind the StartCom attack failed to obtain any certificates that would allow them to spoof Web sites, and they were also unsuccessful in generating an intermediate certificate that would allow them to act as their own certificate authority, the company’s CTO and COO said. The private encryption key at the center of the company’s operations is not stored on a computer attached to the Internet, so they did not acquire that sensitive document either, he said. Source:

For another story, see item 52 above in the Information Technology Sector