Wednesday, July 20, 2011

Complete DHS Daily Report for July 20, 2011

Daily Report

Top Stories

• Security researchers from F-Secure spotted a new PDF-based e-mail attack that appears to target people working in the defense industry, according to Softpedia. (See item 14)

14. July 18, Softpedia – (International) New PDF-based targeted attack against military contractors spotted. Security researchers from F-Secure spotted a new PDF-based e-mail attack that appears to target people working in the defense industry. According to the Finnish antivirus vendor, the attack was intercepted the week of July 11 and is still ongoing. It uses the 2012 AIAA Strategic and Tactical Missile Systems Conference as a lure. The e-mails distribute a malicious PDF file that claims to be a call for papers for the renowned defense industry conference classified as SECRET. "When opened in Adobe Reader, it exploits a known Javascript vulnerability and drops a file called lsmm(dot)exe. This is a backdoor that connects back to the attacker," F-Secure's chief research officer said. According to a scan on Virus Total, the malicious PDF file still has a low detection rate with only 15 out of 43 antivirus engines detecting it. After the exploitation occurs, a non-malicious PDF file about the call for papers is opened on the computer to distract the user and avoid raising suspicion. The exact target of this attack is not known by F-Secure, but judging by its characteristics, security experts think it is most likely someone in the defense industry, possibly a military contractor. Source:

• Authorities in Spain and the United States have broken up an international drug money-laundering ring and seized buildings, cars, and cash valued at more than $140 million, CNN reports. See item 15 below in the Banking and Finance Sector.


Banking and Finance Sector

15. July 19, CNN – (International) Authorities bust international drug money-laundering ring. Authorities in Spain and the United States have broken up an international drug money-laundering ring and seized buildings, cars, and cash valued at more than $140 million, the Spanish National Police said July 18. More than 20 people were arrested — 17 in Spain and 4 in the United States — during the operation, more than 2 years in the making. Authorities accuse those arrested of participating in a drug money-laundering ring that spanned three continents. As U.S. authorities tell it, cocaine was smuggled in multihundred-kilogram quantities from Colombia to Spain, where it was processed and sold. The proceeds were then sent to a man, identified by the U.S. Attorney's Office for the Southern District of Florida, who would allegedly launder the money with the help of at least two co-conspirators. The man is thought to have received more than $26 million in drug proceeds from Spain between 2004 and the present, the attorney's office said in a statement. Among the group's favorite ways to launder money was through the purchase and sale of real estate and luxury cars, authorities said. They seized 21 properties in Spain, 4 in the United States, and 60 cars, including one thought to be worth more than $2.8 million. Spanish police said they also seized $35 million in cash, kept in 50- and 100-euro bills, in Madrid. Source:

16. July 18, Fort Worth Star-Telegram – (Texas) Woman pleads guilty in mortgage fraud case. The woman at the forefront of an elaborate $13 million mortgage fraud pleaded guilty July 18 in Texas to engaging in organized criminal activity. The 46-year-old former mortgage broker, whom prosecutors have described as the linchpin of the operation, entered her plea July 18 and faces as much as life in prison. She also pleaded guilty to three charges of money laundering, which will be barred from prosecution, but the judge can consider them at sentencing, officials said. Officials have said the scheme surfaced several years ago after the Tarrant County district attorney's office received an anonymous letter asking authorities to look into why so many houses in Mansfield's Twin Creek subdivision were foreclosed, vacant, or for sale. An investigation revealed that false data from "straw buyers" was being used to buy homes at inflated prices and pocket the proceeds. Twelve defendants, most of them straw buyers, have been sentenced for their roles in the fraud, an assistant district attorney said. Most reached agreements with prosecutors and received 5 to 10 years' probation and a $10,000 fine in exchange for guilty pleas and cooperation. Source:

17. July 14, Dow Jones Newswires – (National) Report: IRS didn't notify some taxpayers when data released. The Internal Revenue Service (IRS) didn't always properly notify taxpayers after inadvertently disclosing personal information, according to a Treasury Department audit released July 14. Not all citizens were notified that their personal data had been released, in a sample of 98 case files from the 2009 and 2010 fiscal years the IRS had flagged as inadvertent disclosures of personal taxpayer information, according to a report from the Treasury Inspector General for Taxpayer Administration (TIGTA). In total, the IRS processed 4,081 inadvertent disclosures during the 2009 and 2010 fiscal years, of which 1,493 required taxpayer notification. The IRS collects personal and financial data from more than 142 million people. The omission occurred in 5 percent of cases in the report's sample because IRS employees hadn't documented the name of the taxpayer whose data had been disclosed. In another 10 percent of cases, the taxpayer wasn't notified because only tax account data was released, which the IRS does not consider "personally identifiable information." The audit noted that taxpayers weren't notified in a timely manner. In 74 percent of the incidents that required notification, the IRS didn't alert taxpayers within 45 days. Letters sent to these taxpayers from the IRS took an average of 86 days. The IRS systems also were missing some cases of personal data disclosure, the auditors reported, after finding 815 incidents the IRS's four computer systems hadn't flagged. The TIGTA made four recommendations to the IRS, including educating employees on the need to gather enough information on individuals whose information has been released. Tax account information should be treated as sensitive personal information as well, the audit advised, and taxpayers should be notified more promptly. Source:

Information Technology Sector

36. July 19, Dark Reading – (International) More Windows kernel vulnerabilities may yet emerge, researcher says. A researcher who discovered a fundamental design flaw in the kernel of the Windows operating system said the software company has done a good job of patching so far, but it is likely more vulnerabilities will emerge before its work is done. The researcher, from security company Norman ASA, said despite announcements made on Patch Tuesday the week of July 11, which corrected some 13 Windows kernel vulnerabilities, there likely will be more vulnerabilities found. The researcher, who discovered the fundamental flaws in the 15-year-old Win32.sys operating environment, will present his findings on kernel vulnerabilities in a talk at Black Hat USA in Las Vegas, Nevada, in August. The vulnerabilities generally are the result of a function in the Win32k graphical user interface called user-mode callbacks, a mechanism that allows the kernel to make calls back into user-mode. User-mode callbacks enable the operating system to do a variety of tasks, such as invoking application-defined hooks, providing event notifications, and copying data to or from user-mode, the researcher explained. Source:

37. July 18, Help Net Security – (International) Facebook scammers use Tumblr sites to evade detection. Facebook users have been targeted again by survey scammers, and this time the lure is a video of a woman exposing herself on live television. There are two versions of the scam. In one, when the user clicks on the play button on the destination page, the click is hijacked and used to "like" the page. In the other, the user is asked to confirm they are an adult by clicking on the "Jaa" button that actually shares the link with friends. "To ensure that this scam continues, the scammers are using Tumblr sites to redirect users to the same Fake YouTube page," a researcher explained. "By redirecting users via Tumblr, scammers can evade Facebook filters as well as stay off the radar of Facebook’s recent Web of Trust integration." The scam ends with the user being encouraged to fill out surveys to receive a gift. Source:

38. July 18, The Register – (International) Microsoft turns screws on bot herders with hefty reward. Microsoft is offering a $250,000 reward for information leading to the arrest of those who controlled Rustock, a recently dismantled botnet that in its heyday was one of the biggest sources of illegal spam. The announcement of the bounty July 17 comes 4 months after Microsoft waged a novel campaign to take down Rustock, which enslaved an estimated 1 million PCs. The number of infected machines has been cut in half since that time, and Microsoft has already taken out ads in Russian newspapers in an attempt to track down the operators of the notorious botnet. Now, Microsoft is redoubling those efforts with the promise of the quarter-million dollar bounty to anyone who can help Microsoft and law enforcement officials identify and catch the perpetrators. Source:

Communications Sector

39. July 18, WAAY 31 Huntsville – (Alabama) Verizon Wireless outage frustrates customers. According to a Verizon spokesperson, service was restored to most of the Huntsville, Alabama area by the early evening of July 18. But throughout the morning and afternoon of July 18, dozens of angry customers were in and out of the Verizon Wireless store on University Drive wanting to know what was going on. Cellular phones were not working because 52 cell sites were out of service in the Huntsville area. Verizon officials would not say how many customers were affected during the outage, or what caused the cell sites to stop working. Source:

40. July 18, IDG News Service – (International) Mobile networks near capacity, survey finds. Mobile networks in North America are filled to 80 percent of capacity, with 36 percent of base stations facing capacity constraints, according to a survey by investment bank Credit Suisse. Networks in other regions also are more than 50 percent utilized, with the global average at 65 percent, Credit Suisse said after surveying carriers around the world. That level of use matches the average "threshold" rate that would trigger the service providers to start buying more network equipment, the report said. Looking ahead, on average the carriers expected their utilization rate to grow to 70 percent within 12 months. At a certain level, heavy use of a base station can affect the mobile experience of individual subscribers. The survey found that 23 percent of base stations worldwide had capacity constraints (defined as a utilization rate over 80 percent during busy hours), while 36 percent in North America were under that kind of pressure. The North American networks were 72 percent utilized 2 years ago. The region's carriers expect the rate to ease back down to that point within 2 years. North American service providers are likely to buy more equipment soon, because having their networks 74 percent filled is the threshold rate in that region, the survey indicated. Source:

Tuesday, July 19, 2011

Complete DHS Daily Report for July 19, 2011

Daily Report

Top Stories

• Officials found vandals had removed 44 spikes from train tracks in Bellingham, Washington, July 11. But the discovery was made before any trains could derail, according to KAPS 660 AM Mount Vernon. (See item 31)

31. July 14, KAPS 660 AM Mount Vernon – (Washington) Spikes removed from train tracks in Bellingham. Forty-four spikes were removed from train tracks in Bellingham, Washington, but railroad officials said they discovered the vandalism before any trains could derail. A Burlington Northern Santa Fe Railway spokesman said the removal of spikes discovered July 11 could have caused significant damage if an alert inspector had not noticed the track tampering. The spikes were taken from the main track along Bellingham Bay, about 1 mile south of the Alaska Ferry terminal in Fairhaven. The theft took place near a trestle that was damaged by a fireworks-ignited fire July 4. The company is investigating both incidents, and is offering rewards of up to $5,000 for information leading to arrests in either case. Source:

• A court July 15 charged 14 suspected al-Qa'ida militants for allegedly planning to attack the U.S. Embassy in Turkey, the Associated Press reports. (See item 44)

44. July 18, Associated Press – (International) Turkey court files charges against 14 militants in anti-U.S. plot. A court has charged 14 suspected al-Qa'ida militants for allegedly planning to attack the U.S. Embassy in the Turkish capital, Ankara. The charges, which were filed by an Ankara court July 15, come as the U.S. Secretary of State visits Turkey’s cultural capital of Istanbul for a meeting on religious tolerance. The 14 suspects were captured just before her arrival. A 15th suspect was released, though may later also face trial. Turkish media have speculated homegrown radical Islamist militants affiliated with al-Qa'ida were preparing to avenge the May 2 killing of the group's leader in Pakistan by U.S. forces. The state-run Anatolia news agency reported July 16 one of the suspects had carried out surveillance around the U.S. Embassy in Ankara, and some other foreign missions, including taking photos. It said police seized 1,500 pounds of chemicals, bomb-making instructions, assault rifles, ammunition, and maps of Ankara. Police captured the suspects after tracking one of them for 6 months, according to Anatolia. Police captured that suspect less than a week ago on a street in Sincan, a town on the outskirts of the capital where he is believed to have received weapons training. The others were rounded up July 12. In June, police arrested 10 suspected al-Qa'ida militants in the city of Adana, home to the Incirlik Air Base used by the United States to transfer noncombat supplies to Iraq and Afghanistan. Authorities have said Muslim militants tied to al-Qa'ida planned to attack Incirlik in the past, but were deterred by high security. Source:


Banking and Finance Sector

20. July 18, Bloomberg News – (National) Former commodities trader McCrudden will plead guilty in death-threat case. A former commodities trader accused of threatening to kill financial regulators has agreed to plead guilty, his lawyer said July 18. The man will plead guilty to two counts of transmission of threats to injure, his lawyer said in federal court in Central Islip, New York, before opening arguments were scheduled to begin in his trial. The charges carry a maximum sentence of 10 years in prison. The 50-year-old, who also ran his own hedge funds, was accused of threatening the lives of 47 current and former officials, including the SEC chairwoman, and the Commodity Futures Trading Commission (CFTC) chairman. The man has been held without bail since he was arrested January 13 returning from Singapore. He is charged with threatening the regulators in profanity-filled e-mails and, after the CFTC sued him in December, Web postings. He had said he was being persecuted for fighting back against unfair regulatory actions that destroyed his career. Source:

21. July 17, Memphis Commercial Appeal – (National) Man arrested in Bank of Bartlett robbery accused of robberies in four states. One of two men arrested in the Bank of Bartlett robbery in Tennessee July 15 is also accused of robbing banks in Arkansas, Alabama, Georgia, and Mississippi. The two suspects are accused of robbing the Bank of Bartlett at 9915 Highway 64 in Cordova, Tennessee. Both men were armed when they entered the bank and approached a teller. One suspect demanded money while the other ordered employees and customers to lie on the floor, according to the Safe Street Task Force. As the two men left in a getaway vehicle with an undisclosed amount of money, a customer followed and called Memphis Police. Police chased the getaway vehicle and stopped it at Macon Road and Tennessee Highway 385. The men were arrested without incident. One is a known fugitive, the task force said. He is also wanted in Tupelo, Mississippi, for the July 7 armed robbery of a Trustman’s Bank office. Federal authorities have also been seeking him in connection with bank robberies in Conway and Marion, Arkansas, in early July. Source:

22. July 16, Daily Yomiuri Online – (International) Thieves raid evacuation areas / Unguarded ATMs robbed of 684 million yen; empty homes violated. Some 56 ATM thefts have been reported in the three disaster-hit Tohoku prefectures in Japan since the March 11 earthquake and tsunami, with the amount of money stolen totaling 684 million yen, according to the National Police Agency (NPA). About 420 million yen, or 60 percent of the money, was stolen from within 20 kilometers of the Fukushima No. 1 nuclear power plant. Deserted in the wake of the disaster, ATMs in convenience stores and financial institutions in the area in particular have become targets for theft. According to the NPA, further ATM thefts are unlikely to occur as cash left at empty stores and banks has now been collected. Arrests have been made in connection with only one of the thefts. About 28 cases took place in the zone within 20 kilometers of the crippled nuclear power plant, which was largely deserted after an evacuation advisory was issued March 12. One reason for the police's lack of progress in investigating the thefts is that alarm systems and security cameras at many stores and banks were not operating at the time of the robberies, due to power outages caused by the disaster. Source:

23. July 15, – (National) Study: Banks fall short on credit card fraud protection. A new study conducted by Javelin Strategy & Research showed that while banks are good at handling credit card fraud once it has occurred, they could be doing more to protect their customers' information from hackers and to prevent identity theft. The study ranked America's largest banks on a scale out of 100: 45 points for fraud prevention, 35 for detection, and 20 for resolving problems after they've occurred. While the average for problem resolution was 18 out of 20, the scores for prevention and detection were much more troubling: only 24 out of 45 and 17 out of 35, respectively. Source:

24. July 15, United Press International – (International) SEC alleges foreign currency Ponzi scheme. The U.S. Securities and Exchange Commission (SEC) filed charges July 14 against the head of a purported foreign currency trading firm, alleging he ran a Ponzi scheme. The SEC alleged the man, who led First Capital Savings & Loan, raised $21 million from investors in at least 26 states and promised monthly returns of up to 7.15 percent through foreign currency trading, the watchdog agency said July 15 in a release. The agency said the man, who fled to Peru and was arrested there earlier this year, used most of the money to fund a start-up newspaper called "USA Tomorrow." His scheme began to fall apart in June 2008, and he and First Capital had lost all of the investors' money by September 2008, the SEC said. Still, the suspect solicited at least an additional $1 million from at least 36 investors between June 2008 and February 2009 by pushing First Capital's fictitious high returns, the SEC alleged. The agency's lawsuit asked for court orders to bar the defendants from engaging in securities fraud, and to require them to disgorge their ill-gotten gains and pay financial penalties. Source:

25. July 15, KGTV 10 San Diego – (California) Man in 'Dapper Bandit' series convicted. A man dubbed the "Dapper Bandit" was convicted July 15 of holding up a Mira Mesa check-cashing business and a bank in Point Loma, California, December 2010. Authorities believe the 42-year-old also committed four earlier robberies in Fresno, King County, and Westlake Village. He was convicted of two counts of robbery following a 1-day trial. He robbed the check-cashing store December 20 and got away with $1,000, according to a deputy district attorney (DA). He held up a U.S. Bank branch a week later. The defendant, who got his moniker because he was well-dressed when he committed the crimes, was arrested New Year's Eve as he tried to cross into the United States from Mexico. He told investigators that he was on his way back to rob the same bank because he ran out of money, the deputy DA said. The defendant has a 1992 robbery and prior escape convictions and was on parole prior to his arrest at the border. Jurors were unable to agree on whether he used a gun during the heists, which would have increased his punishment. Source:

26. July 15, U.S. Department of Justice – (Virginia; Maryland) Virginia real estate businessman pleads guilty to mortgage and investment fraud schemes. A Virginia real estate businessman pleaded guilty July 15 to fraud charges in connection with mortgage and investment schemes to obtain more than $12 million in fraudulent loans. He pleaded guilty in a U.S. District Court in the Eastern District of Virginia to one count of bank fraud and one count of wire fraud. In his guilty plea, the man admitted that between November 2005 and May 2011, he orchestrated at least three mortgage fraud schemes in which he used “straw borrowers” with good credit scores to apply for and obtain nearly $11.5 million in fraudulent loans relating to three Northern Virginia residential properties. He did so by causing lenders to receive false and inflated income information about the straw borrowers, and he submitted forged and fraudulent documentation to lenders purporting to verify that false data. After attempting to refinance the loans and forestall foreclosure, he ultimately defaulted on loans for all three properties. He also admitted in his plea that between June 2008 and October 2010, he engaged in a fourth scheme to obtain more than $800,000 in fraudulent loans from at least eight residents of Maryland and Virginia. He obtained the loans by promising high rates of return over short periods of time in exchange for money he claimed he would invest in various property ventures. He later defaulted on each loan, generally paying back no more than 10 percent of the borrowed amounts. At sentencing, he faces a maximum penalty of 30 years on the bank fraud count and 20 years on the wire fraud count. For each count, he also faces a fine of the greater of $250,000 or twice the value gained or lost from the scheme. In his plea, he agreed to forfeit $7.9 million and pay back about $5.3 million. Source:

Information Technology Sector

52. July 18, H Security – (International) VLC Media Player 1.1.11 closes heap overflow holes. The VideoLAN project announced the release of version 1.1.11 of VLC Media Player. The twelfth release of the 1.1.x branch of VLC is a maintenance and security update that fixes two previously reported heap overflow vulnerabilities in the Real Media and AVI file parsers. Other changes include improvements to the VLC interface on Mac OS X systems and fullscreen fixes for the Win32 Web plug-in, as well as several codec and translation updates. Extensions support and the AVI mixer for converting and transcoding also received fixes. Source:

53. July 18, Softpedia – (International) Toshiba confirms loss of customer data following Website hack. Toshiba confirmed one of its U.S. Web sites was compromised the week of July 11, which led to the loss of user account information. A spokesperson for the consumer electronics company told the Wall Street Journal its U.S. unit observed issues with its Web server July 11 and began investigating. The company confirmed the server was compromised July 13, and user data was stolen. This coincided with a hacker leaking data extracted from the Web site on pastebin. According to Toshiba, the hacked site housed personal information of more than 7,500 customers, but only data belonging to 681 of them was compromised. This is somewhat consistent with what the hacker claimed. He said one database table called "Tbl_Gb_Users" had 5,203 entries, and he eventually leaked about 800 of them. The Toshiba spokesperson stressed no financial data or credit card details were exposed as a result of the breach. Source:

54. July 15, IDG News Service – (International) Intel investigating possible bug in SSD 320 drives. Intel said it was investigating a potential bug that may be causing SSD 320 solid-state drives to fail. The company was offering replacement drives to affected customers until the issue is resolved, a customer service representative said. In Intel forums, users were complaining about SSD 320 drives crashing due to power issues, causing data loss. In some instances, the storage capacity on the drive was being reported as only 8MB after the crash. An Intel technical support representative said that until the issue is resolved, affected customers will be sent a replacement drive. The SSD 320 was released in March and is being used in PCs and Apple Mac computers. Source:

55. July 15, Softpedia – (International) New mass injection attack distributes zeus. Security researchers from Sophos warn of a widespread Web injection attack that has infected many Web sites with code distributing a variant of the zeus trojan. "Huge numbers of sites have been injected with a malicious JavaScript that attempts to load content from an exploit site when innocent users browse the affected pages," a principal virus researcher at Sophos said. The injection is widespread, with the malicious code, detected by Sophos as Mal/ObfJS-AB, currently representing a quarter of all reported threats. The attack does not seem to be limited to any particular type of Web site or Web server, suggesting the compromise vector might be stolen FTP accounts. Since the purpose of the attack is to distribute a variant of the zeus information-stealing trojan, this theory is even more likely. The injected code redirects visitors to a third-party page that launches PDF and Java exploits. Successful attacks install a zeus variant. "Perhaps the most interesting thing about this attack is the exploit site JavaScript (the content we block as Mal/ExpJS-N). We have been seeing the same exploit script at the end of spam links and JS/Sinowal-V redirects in recent weeks," the Sophos researcher said. "The script is heavily obfuscated and uses polymorphic and anti-emulation techniques to attempt to evade detection." He said affected Web sites span different hosting providers, so it does not appear that any hosting company is targeted in particular, as seen in some mass injection attacks. Source:

56. July 15, Macworld – (International) Apple releases iOS updates to fix PDF vulnerabilities. After a report from the German government the week of July 11 regarding PDF-related security vulnerabilities in MobileSafari, Apple released updates for all iOS devices that fix the problem July 15. Though they both fix the same three vulnerabilities, the patch comes in two versions, due to the different versions of the iPhone 4. iOS 4.3.4 applies to the iPad and iPad 2, the third- and fourth-generation iPod touch, the iPhone 3GS, and the iPhone 4 (GSM model); users of the CDMA model of the iPhone 4 instead receive iOS 4.2.9. The issues addressed in the updates include the PDF problem within Apple's CoreGraphics framework, in which FreeType's handling of TrueType and Type 1 fonts could be exploited to execute malicious code, and a conversion problem within the IOMobileFrameBuffer framework, which could allow code to inadvertently gain system privileges by posing as the user. The PDF-related exploits were also being used in the latest jailbreak method for iOS devices, a process that could be accomplished via the Web site; Apple's patch reportedly now disables that method. Source:

Communications Sector

57. July 17, – (Illinois) Man charged after climbing Millstadt water tower. A 20-year-old Millstadt, Illinois man was charged July 16 with two felonies after he climbed the old city water tower July 15 and had to be brought down by rescue teams from several jurisdictions. He was charged with property damage and interfering with utilities for allegedly damaging communications equipment on the tower. A police lieutenant said the suspect climbed up at 9 p.m. after an argument with a girlfriend. Firefighters from Columbia and a St. Clair County rescue team climbed 120 feet to help him down 3 hours later, he said. The city no longer stores water in the tower. Source:

58. July 15, West Virginia Media – (West Virginia) Phone service restored in Clendenin. Frontier Communications reported July 15 that the phone outage that affected the Clendenin, West Virginia area was repaired. The outage caused the 548 exchange to be without service. Frontier technicians were in the area and trying to locate the problem, according to Kanawha County Metro 911. Residents were asked to use their cell phones to dial 911 for emergencies, but anyone without a cell phone was advised to go to the nearest fire station to report an emergency. Source:

For another story, see item 56 in the Information Technology Sector