Friday, July 8, 2011

Complete DHS Daily Report for July 8, 2011

Daily Report

Top Stories

• The hackers bombarding the city of Orlando, Florida with cyber attacks, are threatening the city's mayor and police officers, according to WFTV 9 Orlando. (See item 40)

40. July 7, WFTV 9 Orlando – (Florida) FBI investigates 'Anonymous' hackers. The hackers who have been bombarding the city of Orlando, Florida with cyberattacks are now threatening the city's mayor and police officers. Police said members of the group Anonymous released a set of disturbing photos in their latest attack. The group posted two photos to their Twitter account. One shows the mayor's home in the background. The second photo depicts two headless Orlando police officers, and a mask in the bottom right corner. The FBI was called to investigate who posted the images. Anonymous said its actions are in response to the city ordinance that restricts the number of times a group can feed the homeless at Lake Eola. The group said they are siding with Food Not Bombs, a homeless feeding organization. Orlando police are treating the photos as a threat. The department bolstered patrols around the mayor's home. Source:

• A federal cyber emergency team issued a warning that said the most popular Siemens industrial control systems are vulnerable to cyber attack, H Security reports. See item 49 below in the Information Technology Sector.


Banking and Finance Sector

16. July 7, Orange County Register – (California) 'Drifter bandit' strikes for second time this week. A serial robber known as the "drifter bandit" struck again July 6, authorities said, robbing a bank in Laguna Niguel, California, a day after holding up a branch in San Juan Capistrano. A man entered the Citibank branch in the 30000 block of Golden Lantern about 4:30 p.m., demanded cash from a teller, and left with an undetermined amount of money, an Orange County Sheriff's Department investigator said. Witnesses believed the man fled on foot to an apartment complex, the investigator said, but authorities were unable to locate him. No weapon was seen, and no injuries were reported. The "drifter bandit" – so named due to his unkempt appearance – is believed to have robbed a Chase bank branch in San Juan Capistrano May 3, a U.S. Bank branch in Dana Point May 26, and a Farmers & Merchants Bank branch in San Juan Capistrano July 5. He reportedly carried a handgun during the second San Juan Capistrano robbery. Source:

17. July 7, Associated Press – (Louisiana; International) Metairie man pleads guilty to involvement in international counterfeiting scam. A Metairie, Louisiana man pleaded guilty July 6 to having counterfeit postal money orders and securities. According to court documents, since at least September 2009, the man has been a part of an international ring of counterfeiters who distribute fake securities and monetary documents, including traveler's checks, cashier's checks, and money orders, to people throughout the United States through a fraudulent "Mystery Shopper" program. The program involved contacting and, ultimately, hiring unsuspecting "employees" who sign up via e-mail. Employees were required to receive counterfeit securities and cash them. The man was responsible for sending each person on the list at least one of the counterfeit securities. Court documents said that when the man was arrested, he had hundreds of counterfeit cashier's checks. Source:

18. July 6, WVIT 30 New Britain – (National) Police make 2 arrests in connection with ATM skimming. Police arrested a New London, Connecticut man with an extensive criminal history July 6 in connection with ATM skimming, and a New York man believed to be behind dozens of skimming incidents. Darien police said the suspect has an extensive criminal history in Virginia, New York, and Connecticut, and that he committed crimes in Massachusetts, Connecticut, and Rhode Island similar to the one he is accused of in Darien. Police took the man into custody and charged him with two counts of conspiracy to commit identity theft, unlawful reproduction of a credit card, fraudulent use of an automated teller machine, criminal attempt to commit larceny, and unlawful use of a scanning device. With the assistance of the Connecticut Financial Crimes Task Force and the Secret Service, Darien police also identified a 40-year-old of Levittown, New York, as another suspect. On July 6, Darien police executed an arrest warrant and arrested the man, who they believe is responsible for 26 similar incidents in Massachusetts, Rhode Island, and Connecticut. He was brought to Darien police headquarters and charged with two counts of conspiracy, two counts of identity theft, unlawful reproduction of a credit card, fraudulent use of an automated teller machine, and unlawful use of a scanning device. Source:

19. July 6, South Florida Business Journal – (Florida) Four charged in reverse mortgage scheme. Three loan officers and a title agent were charged in Florida July 6 with defrauding seniors and financial institutions in a $2.6 million reverse mortgage scheme. The U.S. Attorney for the Southern District of Florida filed conspiracy to commit wire fraud charges against the four suspects. The charges carry up to 30 years in prison plus a $1 million fine. Federal agents allege that while the three loan officers worked at 1st Continental Mortgage in Fort Lauderdale and Boca Raton in 2009 and 2010, they engaged in a scheme that stole from borrowers, reverse mortgage lender Genworth Financial Home Equity, and the Federal Housing Authority, which insures loans. It is alleged the three fraudulently inflated property appraisal values so borrowers would get reverse mortgages without having real equity. Authorities also claim that when the title agent closed the loans, she wired the proceeds to herself instead of paying off the borrowers’ existing mortgages. She allegedly filed fraudulent documents showing the existing mortgages had been paid off. Officials also claimed she sent the other three defendants $988,086 in loan proceeds for their personal benefit. It is alleged the four then tried to cover up their actions by creating fictitious offers to buy the properties in short sales. Source:

20. July 6, Reuters – (National) F.D.I.C. rule to allow seizure of executives’ pay if firms fail. Federal regulators will be able to take back up to 2 years of Wall Street executives’ pay if they are found responsible for the collapse of a major financial firm, under a plan approved July 6. The provision is part of a broader Federal Deposit Insurance Corporation (FDIC) rule laying out the order in which creditors will be paid during a government liquidation of a large, failing financial firm. The Dodd-Frank financial oversight law gives financial agencies the power to recoup executives’ pay, but bankers complained regulators were taking it too far. The FDIC’s final rule provided some relief by clarifying “negligence” as the standard. The agency noted it was not using the more narrow standard of “gross negligence.” The liquidation authority is a major part of the Dodd-Frank law. The idea is to preserve economic stability by unwinding troubled firms, but in a way that is less politically explosive than taxpayer-financed bailouts and less traumatic to the markets than bankruptcies like the Lehman Brothers collapse of 2008. At the top of the list of what will be paid off first under the new resolution system are any debts the FDIC or receiver took on as part of the cost of seizing a firm, administrative expenses, money owed to the U.S. Treasury, and money owed to employees for things such as retirement benefits. Source:

21. July 6, Reuters – (National) FDIC sues former Indymac Bank CEO Michael Perry. The Federal Deposit Insurance Corporation (FDIC) sued a former IndyMac Bank chief executive officer (CEO) to recover over $600 million in damages and costs related to residential loans made by the lender, according to court documents. The FDIC said the CEO "negligently" allowed the production of a pool of more than $10 billion in "risky" residential loans intended for sale to a secondary market. These loans were made between at least April and October 2007. The lawsuit was filed in the district court of California. The lending caused IndyMac, a large California mortgage lender that failed in July 2008, and its receiver to incur damages of more than $600 million, court documents showed. Last July, the FDIC also sued to recover $300 million from former executives of IndyMac. Source:

22. July 6, Houston Chronicle – (Texas) Houston couple, daughter plead guilty in mortgage scam. A Houston, Texas man, his wife, and his daughter each face 5 years in prison and a $250,000 fine after pleading guilty in a multi-million-dollar mortgage fraud scheme, federal officials said July 6. The three family members admitted they paid people to act as straw borrowers for loans to purchase homes that they had no intention of paying back, officials with the U.S. attorney's office in Houston said. More than 70 homes were part of the scheme, officials said. They provided false information about the bogus buyers to the lenders, and funneled some of the proceeds to themselves, authorities said. They also agreed to pay restitution if ordered by the court, officials said. Source:

For another story, see item 50 below in the Information Technology Sector.

Information Technology Sector

49. July 7, H Security – (International) Even more Siemens industry control systems vulnerable. The U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a warning explaining that the recently reported replay attacks on control systems (Programmable Logic Controllers, or PLCs) sold by Siemens affect more models than previously believed, H Security reported July 7. In such attacks, an adversary who gains access to the automation network can send unauthorized commands to a PLC, including commands that shut it down. PLCs are used for automated or electromechanical processes in chemical, energy, nuclear, and manufacturing plants. In mid-June, Siemens said it believed its SIMATIC S7-1200, a relatively rarely used system, was the only one vulnerable. Now, it appears the very popular SIMATIC S7-200, S7-300, and S7-400 are also vulnerable. Attackers are able to sniff the traffic between PLCs and other systems and replay the captured packets (with their commands) later. According to the report, the attack works in part because the International Organization for Standardization Transport Service Access Point (ISO-TSAP) protocol used for communication supports neither authentication nor encryption. ICS-CERT said such industrial communication protocols were designed to be open. The lack of security functions was not a problem in the past because such systems ran in closed environments, but they are increasingly networked, which increases the risk. In its warning, ICS-CERT did not say whether the devices are also vulnerable to the DoS hole reported for the S7-1200. Siemens and ICS-CERT said they are working to solve the problem. Siemens recommended blocking external access to PROFIBUS, MPI, and PROFINET. Source:
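The item above turns on one protocol property: a command frame carries nothing that ties it to a particular sender or a particular moment, so a recorded frame is as valid the second time as the first. The following toy command channel, added here as an illustration and not taken from the report, from Siemens, or from the ISO-TSAP specification, shows a receiver that accepts frames as-is beside one that requires an HMAC over a monotonically increasing counter, which is the usual way an application layer defeats replay when the transport cannot. The frame layout, the shared key and the command names are all constructed for the demo.

```python
# Added illustration: replayable cleartext command channel vs. one protected by
# an HMAC and a monotonic counter. Nothing here is the real S7 or ISO-TSAP
# format; the layout below (8-byte counter || command || 32-byte tag) is an
# assumption made for the demo.
import hashlib
import hmac
import struct

SHARED_KEY = b"constructed-demo-key-not-a-real-plc-secret"  # constructed
TAG_LEN = 32  # HMAC-SHA256 digest length


class UnauthenticatedPLC:
    """Accepts any well-formed frame; the sender and freshness are never checked."""

    def __init__(self):
        self.state = "RUN"
        self.accepted = []

    def handle(self, frame: bytes) -> bool:
        command = frame.decode("ascii", errors="replace")
        self.accepted.append(command)
        if command in ("STOP", "RUN"):
            self.state = command
        return True


def build_authenticated_frame(counter: int, command: str, key: bytes = SHARED_KEY) -> bytes:
    """Frame = big-endian 64-bit counter || ASCII command || HMAC-SHA256(key, counter||command)."""
    body = struct.pack(">Q", counter) + command.encode("ascii")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class AuthenticatedPLC:
    """Verifies the tag first, then rejects any counter not above the last accepted one."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_counter = -1
        self.state = "RUN"
        self.rejections = []

    def handle(self, frame: bytes) -> bool:
        if len(frame) < 8 + TAG_LEN:
            self.rejections.append("short frame")
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison so the tag check itself leaks nothing.
        if not hmac.compare_digest(tag, expected):
            self.rejections.append("bad tag")
            return False
        counter = struct.unpack(">Q", body[:8])[0]
        if counter <= self.last_counter:
            self.rejections.append(f"replayed counter {counter}")
            return False
        self.last_counter = counter
        command = body[8:].decode("ascii")
        if command in ("STOP", "RUN"):
            self.state = command
        return True


def run_demo() -> dict:
    """Replay one captured STOP frame against both receivers and report what each accepts."""
    plain = UnauthenticatedPLC()
    captured = b"STOP"  # constructed stand-in for a frame recorded off the wire
    plain.handle(captured)
    plain_replay = plain.handle(captured)  # accepted again: nothing distinguishes it

    auth = AuthenticatedPLC()
    frame = build_authenticated_frame(1, "STOP")
    auth_first = auth.handle(frame)
    auth_replay = auth.handle(frame)  # identical bytes: counter 1 already used
    tampered = bytearray(frame)
    tampered[8] ^= 0x01  # flip one bit of the command; tag no longer matches
    auth_tampered = auth.handle(bytes(tampered))
    auth_next = auth.handle(build_authenticated_frame(2, "RUN"))  # fresh counter is fine
    return {
        "plain_replay_accepted": plain_replay,
        "auth_first_accepted": auth_first,
        "auth_replay_accepted": auth_replay,
        "auth_tampered_accepted": auth_tampered,
        "auth_next_accepted": auth_next,
        "auth_rejections": list(auth.rejections),
        "auth_state": auth.state,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The counter must persist across the receiver's restarts (or be replaced by a challenge from the receiver) for the check to hold; a receiver that resets `last_counter` to -1 on reboot reopens the replay window, which is why the Siemens advice to keep the automation network unreachable from outside remains the practical control for equipment whose protocol cannot be changed.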

50. July 7, IDG News Service – (International) Apple developing fixes for dangerous iOS vulnerabilities. Apple said July 7 it is developing a fix for vulnerabilities that affect its iPhone, iPad, and some iPod touch models, a problem that the German government warned could be used to steal confidential data. The vulnerabilities became publicized with a new release July 6 of JailbreakMe 3.0, a framework that allows unauthorized applications to be installed on devices such as the iPhone. Apple prohibits the installation of applications that have not been approved for distribution in its App Store. However, hackers exploit vulnerabilities in the iOS operating system that allow the phones to be "jailbroken," so that applications obtained through alternative application markets, such as Cydia, can be used without Apple's vetting. Germany's Federal Office for Information Security (BSI) issued an alert July 6 about the vulnerabilities, which it said could be exploited if a user opened a specially crafted PDF document. The issue involves how iOS parses fonts within the mobile version of the Safari browser. There is also a second vulnerability that circumvents address space layout randomization (ASLR), a security feature that randomizes where programs are loaded into memory and so makes exploitation more difficult for an attacker. BSI noted it would be possible for an attacker using the flaws to steal passwords, banking data, and e-mails, as well as to access built-in cameras, intercept telephone calls, and obtain the GPS coordinates of a user. Source:

51. July 7, Softpedia – (International) Mobile phishing attacks use fake WAP pages. Security researchers from Symantec spotted phishing attacks that target mobile users and make use of fake Wireless Application Protocol (WAP) pages for popular services. Mobile phishing is not very widespread currently, but the number of attacks continues to grow due to the increased popularity of smartphones. Many companies offer a version of their Web sites for mobile devices. These can be designed for smartphones or as WAP pages for old feature phones that do not have advanced browsers. WAP pages use a reduced number of Web technologies, mainly XHTML, and almost no graphics, to reduce traffic because WAP speeds are very restricted. "Symantec has recorded phishing sites spoofing such Web pages and has monitored the trend. In June, social networking and information services brands were observed in these phishing sites," the company warned. Source:

52. July 6, – (International) Unpatched WordPress blogs distribute malware. WordPress recently released the latest version of its software, WordPress 3.2, which brings a larger security update than previous versions. However, a Sophos researcher issued a caution: "As big a step forward as this is, however, it doesn't bring Web hosts nearly close enough to versions of PHP and MySQL that could be considered safe to use." The researcher investigated blogs that were hacked into and used to distribute malware. SophosLabs identified about 30 sites festering with infections, and the researcher sought to detect any patterns that made them vulnerable. He found the 10 older versions of WordPress on those sites were not only out of date, but also crammed with many known vulnerabilities. The only current patched version — aside from the new 3.2 — is 3.1.4. Source:

53. July 6, Softpedia – (International) New rootkit infects NTFS loader. Security researchers from Kaspersky Lab identified a new piece of malware that writes malicious code to the NTFS boot loader. The threat, which Kaspersky detects as Cidox, features two rootkit drivers, one for 32-bit versions of Windows and one for 64-bit ones. As part of its infection routine, Cidox determines the version of the operating system and copies the relevant driver to empty sectors at the beginning of the drive. It only infects NTFS partitions, and determines the active one by looking at the MBR code. It then proceeds to replace the Extended NTFS initial program loader (IPL) code. The original IPL is encrypted and saved at the end. This is part of a special technique that leverages Windows kernel features to load the malicious driver into the system. The driver has the purpose of hooking into several processes, including svchost.exe, iexplore.exe, firefox.exe, opera.exe, and chrome.exe, via a special Dynamic-link library. Source:
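The description above gives a defender two things to look at on a raw disk: the IPL sectors that follow the active NTFS partition's boot sector, and the normally unused sectors between the MBR and that partition. The script below, an added example that is not from the report or from Kaspersky, parses the MBR partition table to locate the active NTFS partition, hashes its boot sector plus the 15 IPL sectors that follow (the 16-sector NTFS $Boot area), compares that with a recorded baseline, and lists which pre-partition sectors contain non-zero data. The disk image it runs on is constructed in memory; the MBR entry layout and the 16-sector boot area are standard, while the idea that the pre-partition gap should be all zeros is a heuristic, since legitimate boot managers also live there.

```python
# Added detection example: baseline check of the NTFS boot area (VBR + IPL) of
# the active partition in a raw disk image, plus a heuristic scan of the sectors
# before the partition. The image is constructed here; no real disk is read.
import hashlib
import struct

SECTOR = 512
PARTITION_TABLE = 446        # offset of the four 16-byte MBR entries
NTFS_TYPE = 0x07             # partition type byte for NTFS (also used for exFAT/HPFS)
BOOT_AREA_SECTORS = 16       # NTFS $Boot: VBR in sector 0, IPL code in sectors 1..15
ENTRY_FMT = "<B3xB3xII"      # status, CHS start (skipped), type, CHS end (skipped), LBA, count


def find_active_ntfs_partition(image: bytes):
    """Return (lba_start, sector_count) of the active (0x80) NTFS entry, or None."""
    if image[510:512] != b"\x55\xaa":
        return None
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, image, PARTITION_TABLE + 16 * i)
        if status == 0x80 and ptype == NTFS_TYPE:
            return lba, count
    return None


def is_ntfs_vbr(sector: bytes) -> bool:
    """An NTFS boot sector carries the OEM ID 'NTFS    ' at offset 3 and the 0x55AA signature."""
    return sector[3:11] == b"NTFS    " and sector[510:512] == b"\x55\xaa"


def boot_area_hash(image: bytes) -> str:
    """SHA-256 over the VBR and the IPL sectors of the active NTFS partition."""
    part = find_active_ntfs_partition(image)
    if part is None:
        raise ValueError("no active NTFS partition in the MBR")
    start = part[0] * SECTOR
    area = image[start:start + BOOT_AREA_SECTORS * SECTOR]
    if not is_ntfs_vbr(area[:SECTOR]):
        raise ValueError("active partition does not begin with an NTFS boot sector")
    return hashlib.sha256(area).hexdigest()


def boot_area_matches(image: bytes, baseline_hash: str) -> bool:
    """True when the boot area hashes to the recorded known-good value."""
    return boot_area_hash(image) == baseline_hash


def nonzero_gap_sectors(image: bytes, lba_start: int) -> list:
    """Sector numbers between the MBR and the partition start that hold non-zero data (heuristic)."""
    hits = []
    for s in range(1, lba_start):
        if any(image[s * SECTOR:(s + 1) * SECTOR]):
            hits.append(s)
    return hits


def build_demo_image(lba_start: int = 2048, part_sectors: int = 4096) -> bytearray:
    """Constructed single-partition image: MBR + active NTFS partition at lba_start."""
    image = bytearray(SECTOR * (lba_start + part_sectors))
    entry = struct.pack(ENTRY_FMT, 0x80, NTFS_TYPE, lba_start, part_sectors)
    image[PARTITION_TABLE:PARTITION_TABLE + 16] = entry
    image[510:512] = b"\x55\xaa"
    vol = lba_start * SECTOR
    image[vol:vol + 3] = b"\xeb\x52\x90"        # jump instruction typical of an NTFS VBR
    image[vol + 3:vol + 11] = b"NTFS    "
    image[vol + 510:vol + 512] = b"\x55\xaa"
    for s in range(1, BOOT_AREA_SECTORS):       # stand-in IPL code: one byte value per sector
        off = vol + s * SECTOR
        image[off:off + SECTOR] = bytes([s]) * SECTOR
    return image


def run_demo() -> dict:
    """Record a baseline on a clean image, then detect an altered IPL and a written gap sector."""
    clean = build_demo_image()
    baseline = boot_area_hash(clean)
    lba = find_active_ntfs_partition(clean)[0]

    altered = bytearray(clean)
    altered[(lba + 2) * SECTOR + 10] ^= 0xFF    # one byte changed inside IPL sector 2
    altered[100 * SECTOR:100 * SECTOR + 16] = b"constructed-data"  # data in the gap
    return {
        "clean_matches": boot_area_matches(clean, baseline),
        "altered_matches": boot_area_matches(altered, baseline),
        "clean_gap_hits": nonzero_gap_sectors(clean, lba),
        "altered_gap_hits": nonzero_gap_sectors(altered, lba),
    }


if __name__ == "__main__":
    print(run_demo())
```

On a live system the baseline would be taken from a trusted image of the same machine, and the gap scan is only a prompt for a closer look; what it flags still has to be attributed to a known boot manager or to nothing legitimate.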

For another story, see item 40 above in Top Stories.

Communications Sector

54. July 7, Kalispell Daily Inter Lake – (Washington; Montana; Idaho) Phone service goes out for six hours. Telephone service throughout Flathead and Lake counties in Montana was interrupted for about 6 hours July 6 after a CenturyLink fiber-optic line near the naval base at Bremerton, Washington, was cut. Phone service in Kalispell went out between 9 and 10 a.m. and was restored at 3:20 p.m. Service in the two counties was restored in an area-by-area process, but by 4 p.m., a CenturyLink spokesman said all areas were back online. Late July 6, he said company officials still had not been able to learn how the line had been cut. People in Washington, Idaho, and the two Montana counties were affected by the outage. Land lines and cellphones were affected, the spokesman said. Internet service was not affected, nor was there any interruption to the local 911 system or other emergency telephone services, he said. Most customers were still able to make local calls, he added. CenturyLink workers installed 1,000 feet of new cable to replace the damaged line. Source:

55. July 6, Wilmington Star-News – (North Carolina) Wilmington Christian radio station goes off air after copper theft. Wilmington, North Carolina’s Life 90.5 FM radio station went off the air for about a day and a half July 3 to July 5 after thieves took copper from an air conditioning unit. The theft occurred July 3 at a transmitter location near Brunswick Forest, and the heat was quickly building by July 4, said the vice president of Carolina Christian Radio. That caused the station to shut down its equipment so it would not overheat. Since it was the July 4 holiday, no one was available to fix the unit immediately, he said. The station was on the air again by about 12 p.m. July 5, he said, noting a police report was filed July 4 with the Brunswick County Sheriff’s Office. No arrests have been announced yet. Source:

For more stories, see items 50 and 51 above in the Information Technology Sector.