Friday, July 1, 2011

Complete DHS Daily Report for July 1, 2011

Daily Report

Top Stories

• The Los Angeles Times reports that a Nigerian stowaway who flew from New York to Los Angeles with an expired boarding pass in someone else's name was carrying at least 10 different boarding passes. (See item 20)

20. June 30, Los Angeles Times – (National) Nigerian stowaway had at least 10 boarding passes, none in his name, officials say. A Nigerian stowaway who flew from New York to Los Angeles, California, with an expired boarding pass in someone else's name was carrying at least 10 different boarding passes, said the FBI agent who took him into custody. Not one of the passes was in the name of the suspect, who acknowledged sneaking aboard a Virgin America flight June 23, officials said. He was arrested as he tried to board a Delta flight from Los Angeles to Atlanta, Georgia, June 29. The crime of being a stowaway is a felony that carries a prison term of up to 5 years, an FBI affidavit said. The FBI became involved June 25, when it "received information from a dispatch operator at the Los Angeles Department of Airports Police and the captain of Virgin America Flight 415," an FBI Special Agent wrote. He said after the flight took off, the suspect was found in a seat that was supposed to be empty. A flight attendant questioned him and he "produced a boarding pass and ticket for the day before and not in his name," the agent wrote, adding the attendant alerted the captain, who suggested the suspect be asked for additional identification. He hesitated, but then showed identification with his true name, the agent wrote. It was a student ID from the University of Michigan, and the captain noted the names did not match. The affidavit does not explain why the suspect was not detained on his arrival in Los Angeles. Instead, investigators caught him June 29 when he tried to board Delta Airlines Flight 46 to Atlanta. The suspect had apparently made it through airport security again, having spent the night of June 28 in the airport after passing through security, officials said. He was arrested at the departure gate. The Transportation Security Administration said its review of the matter indicated the stowaway went through physical screening at a security checkpoint. At the Delta gate, the suspect tried to use an expired boarding pass, saying he had missed his flight of the previous day, the same ruse that had worked before, officials said. The suspect said he had been told he could "just go to the gate," according to the affidavit. The Delta agent told him "No," twice, but he kept trying to board. When confronted, the affidavit stated, the suspect "acknowledged that he did not pay for the Virgin America flight." The suspect was in custody in Los Angeles. Source:

• Security researchers said a new and improved botnet that has infected more than 4 million PCs is "practically indestructible," according to Computerworld. (See item 46 below in the Information Technology Sector)

Banking and Finance Sector

15. June 30, Kaspersky Lab Security News Service – (National) Fake IRS spam campaign pushing Zeus bot. There is a large-scale spam campaign underway in which attackers use fairly well-crafted e-mails that appear to come from the IRS to infect victims with the Zeus bot. The attack has been ongoing for a couple of weeks, and researchers said that although the attackers have taken some precautions to prevent analysis of the sites and malware being used, they also made some key mistakes. The Zeus-laden fake IRS e-mails have been making the rounds since mid-June. The subject line typically says "Federal Tax payment rejected" or "Your IRS payment rejected", and the sender's address is spoofed to include the domain. The body of the e-mails often has some spelling and grammatical errors and includes a link to a PDF file. That file directs the victim to a download that drops the Zeus binary on his or her machine. Source:

16. June 29, Kalamazoo Gazette – (Michigan) Man who claims to be 'Robin Hood Bandit' is to be charged with South Haven Township bank robbery. A 49-year-old Indianapolis, Indiana man who claimed to be known as the Robin Hood Bandit was scheduled to be arraigned June 29 in U.S. district court after police said he stole $8,967 from Chemical Bank in South Haven Township, Michigan. He will face one count of armed robbery and one count of brandishing a firearm during a robbery, according to a court filing from the federal court's Western Michigan District in Grand Rapids. On June 25, Bryant allegedly approached a bank teller at about 11:40 a.m. and held up a sign that read, "Let's Go! you only Have 30 seconds!!! All Big Bills!!! 100's $50's + 20 I will Start Shootin," according to a criminal complaint filed June 27. When South Haven police officers responded to the robbery, they saw the suspect walking out of a wooded area near the bank and carrying a large black bag that was open and full of money. Police also could see a "starting pistol" in the bag. The man was arrested and later confessed to robbing the Chemical Bank, authorities said. "[He] bragged that he had robbed 17 other banks and had been to Federal prison for banks he had robbed in New York and Indiana. He said Federal agents had previously nicknamed him the 'Robin Hood Bandit' because he gave cash to individuals in need," the criminal complaint said. Source:

17. June 28, Computerworld – (National) Federal agency issues new security rules for financial institutions. The federal agency that regulates banks June 28 issued new rules for online security for financial institutions, instructing them to use, at a minimum, "layered security" and fraud monitoring to better protect against cybercrime. It is the first time the Federal Financial Institutions Examination Council (FFIEC) has updated its rules since 2005, and the instructions to regulated financial services focus on protecting high-dollar Automated Clearinghouse (ACH) transactions that have been targeted by sophisticated cybercrime groups that hijack business PCs in order to initiate fraudulent transactions. The FFIEC also instructs banks and financial institutions to focus their network defense on layered security protections that involve fraud monitoring; use of dual customer authorization through different access devices; the use of out-of-band verification; and the use of "positive pay," debit blocks, and other technologies to appropriately limit the transactional use of the account. The FFIEC guidelines also tell financial institutions they must use "two elements at a minimum" as part of a "process designed to detect anomalies and effectively respond to suspicious and anomalous activity." The fraud-detection processes must cover two points: initial login and authentication of customers requesting access to the institution's electronic banking system, and initiation of electronic transactions involving the transfer of funds to other parties. Source:
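The controls the FFIEC guidance names (dual customer authorization from different devices, out-of-band verification, and anomaly detection on the transaction itself) can be composed into a single release decision for an ACH transfer. The following is an added illustration written for this report, not FFIEC text or any institution's code; the account history, thresholds, and the `Approval`/`TransferRequest` types are constructed assumptions.

```python
"""Layered-security release check for an outbound ACH transfer.

Added example (not FFIEC or bank code). It combines three of the layers the
guidance describes: an amount-anomaly check against the customer's history,
dual customer authorization from two distinct users on two distinct devices,
and out-of-band (OOB) confirmation for each approver.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev


@dataclass
class Approval:
    user: str
    device_id: str
    oob_code_verified: bool   # one-time code confirmed over a second channel


@dataclass
class TransferRequest:
    account: str
    amount: float
    approvals: list = field(default_factory=list)


# Constructed history of past ACH amounts per customer account (hypothetical).
HISTORY = {
    "ACME-001": [1200.0, 1350.0, 1100.0, 1500.0, 1250.0],
}


def is_anomalous(account, amount, zmax=3.0):
    """True when the amount sits far outside the account's historical pattern."""
    hist = HISTORY.get(account, [])
    if len(hist) < 3:
        return True            # no usable baseline: treat as suspicious
    mu, sigma = mean(hist), pstdev(hist)
    if sigma == 0:
        return amount != mu
    return abs(amount - mu) / sigma > zmax


def dual_authorization_ok(approvals):
    """Two distinct users, on two distinct devices, each OOB-verified."""
    if len(approvals) < 2:
        return False
    users = {a.user for a in approvals}
    devices = {a.device_id for a in approvals}
    return (len(users) >= 2 and len(devices) >= 2
            and all(a.oob_code_verified for a in approvals))


def evaluate(req, high_value=10000.0):
    """Return ("release", []) or ("hold", [reasons]) for a transfer request."""
    reasons = []
    if is_anomalous(req.account, req.amount):
        reasons.append("amount anomalous vs. account history")
    if req.amount >= high_value and not dual_authorization_ok(req.approvals):
        reasons.append("high-value transfer lacks dual authorization")
    return ("hold" if reasons else "release"), reasons


if __name__ == "__main__":
    one = [Approval("cfo", "laptop-1", True)]
    two = one + [Approval("controller", "phone-2", True)]
    print(evaluate(TransferRequest("ACME-001", 1300.0, one)))
    print(evaluate(TransferRequest("ACME-001", 25000.0, one)))
    print(evaluate(TransferRequest("ACME-001", 25000.0, two)))
```

A request that passes dual authorization but is still statistically out of pattern is held rather than released: the layers are independent, so one satisfied control never cancels a finding from another.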

Information Technology Sector

44. June 30, Softpedia – (International) WordPress gets new security update. The WordPress development team released version 3.1.4 of the popular blogging platform to address several vulnerabilities and security issues. The new release fixes a privilege escalation weakness that allows users with Editor levels to gain higher access to the site than usual. WordPress developers credited a member of SEC Consult with discovering and reporting this vulnerability. Two members of the WordPress security team also contributed multiple security fixes and hardening measures for various sorting and ordering functions. In addition to 3.1.4, the development team released the third release candidate (RC3) of the upcoming WordPress 3.2 version. This is expected to be the final release candidate before the new version ships and contains all security patches in 3.1.4 and some additional fixes. The developers write that RC3 includes "few minor RTL, JavaScript, and user interface fixes; and ensures graceful failures if 3.2 is run on PHP4." There is also a reminder that the minimum requirements for the upcoming version will be PHP 5.2.4 and MySQL 5.0. Source:

45. June 30, Softpedia – (International) Vulnerabilities patched in new Joomla release. The Joomla Project released a new version of its popular CMS platform to address four security vulnerabilities, and two other bugs, Softpedia reported June 30. The new Joomla 1.6.4 version contains patches for two cross-site scripting (XSS) vulnerabilities, one unauthorized access issue, and an information disclosure weakness. The XSS flaws were rated as medium severity and were reported March 24 and May 25. Cross-site scripting is a common vulnerability that results from improper filtering of user input in forms and can result in unauthorized code being injected into pages. There are many types of XSS vulnerabilities with persistent (stored) being the most dangerous because the code injection is permanent. Meanwhile, reflected XSS weaknesses can only be exploited by tricking victims to open maliciously crafted URLs. The Joomla advisories do not specify the type of scripting flaws. Source:
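The distinction the item draws between persistent and reflected XSS comes down to where unescaped input is concatenated into a page. The example below is added here to make that concrete; it is not Joomla code and the comment store, search handler, and payload string are constructed for illustration. Each vulnerable renderer is paired with the hardened form that escapes for the HTML body context.

```python
"""Persistent vs. reflected XSS, vulnerable renderer beside hardened one.

Added example (not Joomla's code). The fix in both cases is the same:
escape untrusted text for the context it is inserted into, here the HTML
body, before concatenating it into markup.
"""
import html
from urllib.parse import parse_qs, urlsplit

COMMENTS = []   # constructed stand-in for a comment table


def store_comment(text):
    """Persist a visitor comment exactly as submitted."""
    COMMENTS.append(text)


def render_comments_unsafe():
    # Vulnerable: stored input is placed into markup verbatim, so a payload
    # saved once runs for every later visitor (persistent / stored XSS).
    return "".join(f"<li>{c}</li>" for c in COMMENTS)


def render_comments_safe():
    # Hardened: HTML-escape each comment for the body context.
    return "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in COMMENTS)


def search_page_unsafe(url):
    # Vulnerable: the query parameter is echoed straight back (reflected XSS),
    # which is only triggered when a victim opens a crafted URL.
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return f"<p>Results for {q}</p>"


def search_page_safe(url):
    q = parse_qs(urlsplit(url).query).get("q", [""])[0]
    return f"<p>Results for {html.escape(q, quote=True)}</p>"


def has_script_tag(rendered):
    """Crude detector used to demonstrate the difference: is a <script> tag live?"""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    store_comment("<script>alert(1)</script>")   # constructed test payload
    print(render_comments_unsafe())
    print(render_comments_safe())
    print(search_page_safe("http://site.example/search?q=%3Cscript%3Ex%3C/script%3E"))
```

`html.escape` only handles the HTML body and attribute-value contexts; text inserted into JavaScript, a URL, or CSS needs the encoder for that context, which is why a single global input filter is a weaker defence than escaping at the point of output.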

46. June 29, Computerworld – (International) Massive botnet 'indestructible,' say researchers. A new and improved botnet that has infected more than 4 million PCs is "practically indestructible," security researchers said. "TDL-4," the name for both the bot trojan that infects machines and the ensuing collection of compromised computers, is "the most sophisticated threat today," said a Kaspersky Labs researcher in a detailed analysis June 27. The director of malware research at Dell SecureWorks and an internationally-known botnet expert agreed during an interview June 29. The researchers based their judgments on a variety of TDL-4's traits, all of which make it an extremely tough character to detect, delete, suppress, or eradicate. The Kaspersky Lab researcher said TDL-4 infects the master boot record (MBR) of the PC with a rootkit — malware that hides by subverting the operating system. The master boot record is the first sector — sector 0 — of the hard drive, where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks. Because TDL-4 installs its rootkit on the MBR, it is invisible to both the operating system and, more importantly, security software designed to sniff out malicious code. What makes the botnet indestructible is the combination of its advanced encryption and the use of a public peer-to-peer (P2P) network for the instructions issued to the malware by command-and-control (C&C) servers. Source:
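Because an MBR bootkit loads before the operating system, the defensive counterpart is an integrity check of sector 0 against a trusted baseline. The following is an added example written for this report, not Kaspersky's or any vendor's tool; the sector images, the "clean" bootstrap bytes, and the baseline hash are constructed. It parses the standard MBR layout (446 bytes of bootstrap code, a 64-byte partition table, the 0x55AA signature) and reports whether the bootstrap code still matches the baseline.

```python
"""MBR parsing and bootstrap-code integrity check against a known-good hash.

Added example (not vendor code). Layout of the 512-byte sector:
  [0:446]   bootstrap code      (what a bootkit overwrites)
  [446:510] four 16-byte partition entries
  [510:512] boot signature 0x55 0xAA
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
SIG_OFF = 510
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_mbr(boot_code, partitions):
    """Construct a sector image from a bootstrap blob and (status, type, lba, n) tuples."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    table = b"".join(
        struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba, n)
        for status, ptype, lba, n in partitions
    ).ljust(64, b"\x00")
    return code + table + b"\x55\xAA"


def parse_mbr(sector):
    """Return the signature check, the bootstrap-code hash, and the populated partitions."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        status, _, ptype, _, lba, n = struct.unpack(ENTRY_FMT, entry)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": n})
    return {
        "signature_ok": sector[SIG_OFF:] == b"\x55\xAA",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def check_mbr(sector, baseline_sha256):
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    return findings


# Constructed sample data: a harmless stand-in for bootstrap code and one NTFS
# partition (type 0x07) starting at LBA 2048. The baseline hash is taken from
# the clean image the way a build or imaging step would record it.
CLEAN_CODE = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 20
CLEAN_MBR = build_mbr(CLEAN_CODE, [(0x80, 0x07, 2048, 204800)])
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
# Tampered image: same partition table, first bytes of bootstrap code changed.
TAMPERED_MBR = build_mbr(b"\xeb\x3c" + CLEAN_CODE[2:], [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print(check_mbr(CLEAN_MBR, BASELINE))
    print(check_mbr(TAMPERED_MBR, BASELINE))
```

The item's key point applies to the check itself: a rootkit that hooks disk I/O can return the original sector to any program running on the infected system, so a baseline comparison is only trustworthy when the sector is read from outside that system, for example from boot media or with the disk attached to a known-clean host.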

47. June 29, Computerworld – (International) Google patches 7 bugs in Chrome browser. Google patched seven vulnerabilities in Chrome June 28 as it issued the second security update for its browser during the month of June. All but one of the flaws fixed in Chrome 12.0.742.112 were rated "high," the second-most-severe threat in Google's four-step ranking system. Several components received patches, including the browser's "V8" JavaScript engine and the cascading style sheet (CSS) and HTML parsers. Before June 28, Google last patched Chrome June 8, when it quashed 15 bugs. Three of the seven vulnerabilities were identified as "use-after-free" bugs, a type of memory management flaw that can be exploited to inject attack code. Source:

48. June 29, Softpedia – (International) Thunderbird 5 contains security fixes. Mozilla released the next major version of Thunderbird, 5.0, which contains several new features and enhancements, but also many security and stability fixes. Thunderbird 5 was released June 28 and is the first Thunderbird release resulting from Mozilla's new rapid development cycle, which aims to produce a new stable version every 6 weeks. The most important change in the new version is that it is based on Gecko 5, the same variant of Mozilla's layout engine used by Firefox 5, and therefore contains the same security fixes. According to the release announcement, Thunderbird 5 includes "over 390 platform fixes that improve speed, performance, stability and security"; however, no other details were released. It can be assumed the new version contains patches for the vulnerabilities addressed in Thunderbird 3.1.11, which was released together with Firefox 3.6.18 the week of June 20. Source:

For more stories, see items 15 above in the Banking and Finance Sector and 50 below in the Communications Sector.

Communications Sector

49. June 30, IDG News Service – (International) LightSquared files GPS report and new plan. LightSquared filed a long-awaited report on possible Global Positioning System (GPS) interference by its planned cellular network to the Federal Communications Commission (FCC) June 30, along with a formal proposal to use a different block of frequencies to prevent those problems. In a press release announcing the filings, the carrier focused on its new plan and slammed the GPS industry as the cause of the interference. "GPS device test results, which were also filed at the FCC today, show unequivocally that the interference is caused by the GPS manufacturers' decision over the last eight years to design products that depend on using spectrum assigned to other FCC licenses," LightSquared said. The company said its alternative plan, in which it would initially stay out of the portion of its spectrum closest to the GPS band, would solve interference for 99.5 percent of GPS devices in the United States, including all GPS-enabled cell phones. LightSquared has been testing its planned Long Term Evolution (LTE) network for interference with GPS over the past few months. The Federal Communications Commission required the test report as a condition for letting LightSquared build a hybrid satellite and LTE network across the United States. Source:

50. June 30, Help Net Security – (International) Gmail to improve phishing email detection. Google decided to introduce a change in the way Gmail presents received e-mails to users. Now, every time a user receives an e-mail from someone who is not in his/her Gmail contacts, the header will automatically show the sender's e-mail address without the user having to press the "show details" link. "If the sender's full email address is displayed, then Gmail thinks that you have not communicated with this sender in the past. If the email address is quite long, we'll show you a shortened version," Gmail Help explained. With this change, Google is hoping to help users detect phishing and other spam e-mails. "If someone fakes a message from a sender that you trust, like your bank, you can more easily see that the message is not really from where it says it's from," said a software engineer at Google. Also, when Gmail detects a suspicious e-mail or when it seems that someone has spoofed a Gmail address, it will warn the user about it. Source:
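The sender-display rule in this item and the spoofed-sender lure in item 15 (Banking and Finance Sector) are both decisions made from message headers, so one small triage routine can show both. The example below is added for this report; it is not Google's or Kaspersky's code. The contact list, the two sample messages, the `irs.example` and `mail-xyz.example` domains, and the PDF-link heuristic are constructed assumptions; the subject-line patterns are the ones item 15 reports.

```python
"""Header-based triage for inbound mail: sender display and spoof heuristics.

Added example (not Gmail or Kaspersky code). Rules implemented:
  1. Senders not in the address book always get their full address shown
     (the Gmail change in item 50).
  2. A From: domain that differs from the envelope (Return-Path) domain is
     flagged, as is a display name that embeds a different address.
  3. A subject matching the fake-IRS lure of item 15 combined with a link to
     a PDF in the body is flagged.
"""
import email
import email.utils
import re
from email import policy

CONTACTS = {"alice@example.com"}   # constructed address book

# Subject lines reported for the campaign in item 15.
LURE_SUBJECT = re.compile(r"(federal tax payment rejected|your irs payment rejected)", re.I)
PDF_LINK = re.compile(r"https?://\S+\.pdf\b", re.I)


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Return the text to display as the sender plus a list of findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = email.utils.parseaddr(msg["From"] or "")
    addr = addr.lower()
    findings = []

    # Rule 1: unknown sender -> show the full address, not the friendly name.
    display = addr if addr not in CONTACTS else (name or addr)

    # Rule 2: header From domain vs. envelope sender domain.
    _, env_addr = email.utils.parseaddr(msg["Return-Path"] or "")
    env_dom, hdr_dom = domain_of(env_addr), domain_of(addr)
    if env_dom and hdr_dom and env_dom != hdr_dom:
        findings.append(f"From domain {hdr_dom} differs from envelope domain {env_dom}")
    if "@" in name and domain_of(name) != hdr_dom:
        findings.append("display name embeds an address from another domain")

    # Rule 3: known lure subject plus a PDF link in the body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    if LURE_SUBJECT.search(msg["Subject"] or "") and PDF_LINK.search(text):
        findings.append("subject matches known lure and body links to a PDF")

    return {"display": display, "findings": findings}


# Constructed sample messages.
SPOOFED = """\
From: "IRS" <notice@irs.example>
Return-Path: <bounce@mail-xyz.example>
Subject: Your IRS payment rejected
Content-Type: text/plain; charset=us-ascii

Your federal tax payment was rejected. Please review http://mail-xyz.example/notice.pdf
"""

FRIEND = """\
From: "Alice" <alice@example.com>
Return-Path: <alice@example.com>
Subject: lunch?
Content-Type: text/plain; charset=us-ascii

Still on for noon?
"""

if __name__ == "__main__":
    print(triage(SPOOFED))
    print(triage(FRIEND))
```

Showing the full address is a usability control rather than a technical one: it gives the recipient the information to notice a spoof, while the domain-mismatch and lure checks are the kind of signal a mail filter can act on without the user.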