Wednesday, July 27, 2011

Complete DHS Daily Report for July 27, 2011

Daily Report

Top Stories

• RSA's SecurID token users, including defense contractors and federal employees, were targeted with fake e-mails supposedly from the U.S. National Security Agency (NSA) urging them to update token codes, Help Net Security reports. See item 40 below in the Information Technology Sector

• An East Bay Regional Park District police officer on patrol in Moraga, California, had to be rescued July 25 after he was shot at by multiple people, according to the Contra Costa Times. (See item 49)

50. July 25, USA Today – (Alaska) Bear seriously injures teens hiking in Alaska. The two teens seriously injured by a grizzly bear in an attack July 23 in Alaska are in improved condition, a spokeswoman at Anchorage's Providence Alaska Medical Center said July 25. A 17-year-old from Denver was in good condition, and a 17-year-old from New City, New York, was in serious condition. A mother grizzly with a cub attacked a group of seven teens hiking in Alaska's Talkeetna Mountains, the Anchorage Daily News reported. The attack took place as the seven, part of a wilderness survival course, were crossing a river in an area near popular Denali National Park, reports said. Two of the teens received life-threatening wounds, and others suffered injuries, either from the bear or from exposure to the elements, the Daily News said. Source:


Banking and Finance Sector

13. July 26, WGAL 8 Lancaster – (Pennsylvania) Former EFI official pleads guilty to loan fraud. Another guilty plea in federal court was entered July 25 in a loan fraud scheme by a Lancaster, Pennsylvania company. An Alabama man pleaded guilty to the $53 million loan fraud scheme at an equipment finance company. He and seven others are accused of looting the accounts and falsifying the books of Equipment Finance Inc. (EFI) of Lititz, Pennsylvania from 2001 to 2007 — saying they were lending money to logging companies to buy new equipment. EFI was purchased by Sterling Financial, and later became part of the Bank of Lancaster County. The convict faces up to 45 years in prison. Source:

14. July 26, – (Tennessee; Florida) Secret Service joins credit card fraud investigation. A federal agency is investigating a recent outbreak of credit and debit card fraud in Gallatin, Tennessee. The Secret Service was asked by local police to assist with the case around July 20, said the assistant to the special agent in charge for the agency’s Nashville field office. The Gallatin Police Department had received 94 reports of credit card fraud as of July 25 that were believed to be connected to the same case. The trend among the reports was that victims saw illicit charges on their bank or credit card statements of $90-$100 mostly from businesses in Florida, a Gallatin police sergeant said. Another common link among the reported cases was that many of the victims had used their cards in businesses in the Volunteer State Community College area, located around the 1400 block of Nashville Pike. Gallatin police said the week of July 18 they believed devices designed to steal information from the magnetic strips of consumers’ credit or debit cards may have been inserted inside card-swipe machines. Source:

15. July 25, Houston Chronicle – (Texas) Armored car guard, robbers in gunfight at SE Houston bank. A pair of masked robbers shot it out with an armored car guard July 25 during an attempted hold-up at a bank in Houston, Texas, authorities said. The robbers pulled up in a truck about 8 a.m. while the Loomis armored car guard was working on an ATM machine outside a Bank of America branch on the South Loop near Woodridge, FBI officials said. The two robbers got out and began shooting at the guard, who returned fire. They fled without getting any money, FBI officials said. There were no reported injuries, but FBI officials said they couldn't confirm if the robbers were struck by gunfire from the guard. The truck used in the attempted robbery was later found near the scene. It had earlier been reported stolen, officials said. Source:

16. July 25, KGW 8 Portland – (Oregon) 'Ditto Bandit' bank robbery suspect captured. An alert bank employee and a security guard worked to capture the suspect in a string of robberies at a Sellwood, Oregon bank July 25. The employee spotted the 30-year-old walking toward the bank July 25 and recognized him as the man wanted in the 3 recent robberies July 1, July 11, and July 19. The employee alerted the security guard and then the guard took the man into custody, police said. The suspect was booked into the Multnomah County jail on a U.S. Marshals hold and bank robbery charges were pending. The Sellwood bank that was robbed is located at 8112 Southeast 13th Avenue. Police dubbed this the “Ditto Bandit” case, because the robber hit the exact same bank every time. Source:

17. July 25, Minneapolis Star Tribune – (Minnesota) Edina mortgage broker charged in scheme. An Edina, Minnesota mortgage broker was charged July 22 for his role in a $20 million mortgage fraud scheme that involved 57 properties. The 40-year-old man was charged in federal court with one count of conspiracy to commit wire fraud. If convicted, he faces a maximum penalty of 20 years in prison, according to a release issued July 25 by the U.S. attorney's office. He was charged with conspiring with others between 2004 and 2007 to obtain mortgage loan proceeds based on fraudulent documentation. One of his partners in the scheme pleaded guilty to one count of conspiracy to commit wire fraud June 27. According to the charges, unnamed co-conspirators identified and recruited buyers for residential properties. Two of the co-conspirators allegedly told buyers they would receive kickbacks after the property sales closed, and were told they could put those payments toward the mortgages or use them to improve the properties. The accused broker allegedly helped prepare and submit false mortgage loan applications, which misrepresented the buyers' true financial situations. The fraudulent documents were used to get loans approved, and loan proceeds were disbursed by wire transfer into the accounts of various title companies. The broker and his co-conspirators then allegedly caused those title companies to disburse some proceeds from each transaction into bank accounts not associated with the property buyers to conceal the undisclosed kickbacks. According to the charges, the broker received about $200,000 for assisting buyers to secure mortgage loan funding for 26 properties. Source:

18. July 25, – (International) Plan to fight organized crime recognizes growing cyber threats. Presidential administration officials July 25 unveiled a plan to fight global organized crime that says computer crime is a much greater threat today, because online networks undergird nearly every illicit network. The 38-page written plan highlights the Web's role in perpetuating and thwarting transnational organized crime. For instance, syndicates orchestrating intellectual property theft — which garnered a lot of time during the July 25 event — include enterprises that steal proprietary items "through intrusions into corporate and proprietary computer networks," the document noted. Online fraud committed by Central European cybercrime networks is estimated to have robbed Americans of about $1 billion during a 1-year period, the strategy said. "Through cybercrime, transnational criminal organizations pose a significant threat to financial and trust systems — banking, stock markets, e-currency, and value and credit card services — on which the world economy depends," the document stated. But the United States is short on help to track the digital money trail that crooks leave behind with their online transactions, computer addresses, and wireless devices. To bolster domestic crime-fighting forces, the United States wants to coordinate with foreign partners on executing better computer forensics analysis, as well as recovering digital evidence for prosecutions, the paper stated. The White House strategy tackles drug trafficking, human smuggling, and terrorist financing, among other areas of global conspiracy, and is based on a year-long review that ended in January 2010. It is the first such organized crime study in 15 years. In addition, the agenda includes a new executive order that slaps economic sanctions on syndicates, and prohibits Americans from doing business with them. Source:

19. July 25, Waynesville Daily Guide – (Missouri) Former Bank of Crocker loan officer pleads guilty to fraud. A U.S. Attorney for the Western District of Missouri, announced July 25 a Crocker, Missouri man pleaded guilty in federal court to stealing more than $450,000 from the bank where he was employed as a loan officer. The 42-year-old pleaded guilty to an information charging him with bank fraud. From 2004 to 2008, the former loan officer at the Bank of Crocker fraudulently obtained loans, lines of credit, and funds from bank customers’ accounts without their knowledge or approval. He did so by: making loans to unsuspecting borrowers of the bank and diverting the proceeds to his own personal accounts; drawing on existing bank customers’ lines of credit to make payments on his personal accounts, loans and credit cards; issuing cashier’s checks for deposit into his personal accounts; and issuing fraudulent letters of credit, which the Bank of Crocker had to guarantee. He admitted to stealing $451,763.46 from multiple bank customers, and from the bank itself. Under federal statutes, he is subject to a sentence of up to 30 years in federal prison without parole, plus mandatory restitution and a fine of up to $1 million. Source:

Information Technology Sector

35. July 26, Softpedia – (International) Serious SSL bug patched in iOS. Apple released security updates for its iOS mobile platform to address a serious SSL validation vulnerability that allows attackers to compromise secure communications. The flaw affects X.509 certificate chains and was patched by improving validation in the newly released iOS 4.3.5 for iPhone (GSM), iPod touch and iPad, and iOS 4.2.10 for iPhone (CDMA). "A certificate chain validation issue existed in the handling of X.509 certificates. An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS," Apple wrote in its advisory. "Other attacks involving X.509 certificate validation may also be possible," the iDevice maker noted. The vendor credits researchers from Recurity Labs, and Trustwave's SpiderLabs for discovering the flaw. Due to the serious impact this vulnerability can have on privacy, users were encouraged to upgrade to the new iOS versions as soon as possible. Source:

36. July 26, The Register – (International) Phishers go after your Google AdWords account. Cyber criminals launched a "Google AdWords" phishing campaign to try to trick users into disclosing sensitive log-in credentials to a fake, newly registered Web site. Spam messages promoting the ruse falsely claim a recipient's campaign has been stopped and they need to log in to their "Adwords account" to reactivate it. The widely distributed spam messages link to a realistic replica of the Google AdWords page, net security firm Sophos warned. The dodgy site — google-oa(dot)net — was registered the week of July 25. Google AdWords accounts normally use the same log-in credentials as other associated Google accounts (Gmail, Google Docs, etc.). Fraudsters behind the scam may be just as interested in these accounts as in compromised access to Google AdWords accounts. Source:

37. July 26, H Security – (International) Apple details iWork 9.1 security fixes. Five days after it was released, Apple provided details of the security related changes in iWork 9.1, also referred to as "iWork Update 6." As well as adding support for Mac OS X 10.7 Lion, the latest update to the iWork 09 office suite, comprising Pages (documents), Numbers (spreadsheets), and Keynote (presentations), addresses three security holes. According to Apple, buffer overflow and memory corruption issues in Numbers could be used by an attacker to crash the application or execute arbitrary code. A memory corruption bug in Pages when handling Microsoft Word documents that could lead to arbitrary code execution has also been fixed. For an attack to be successful, a victim must first open a specially crafted malicious Excel or Word file. Two of the vulnerabilities were reported by researchers working with TippingPoint's Zero Day Initiative, and a researcher who worked with VeriSign iDefense Labs. Versions 9.0 to 9.05 are affected. Source:

38. July 25, threatpost – (International) New Mac backdoor Olyx found bundled with Windows malware. Security researchers discovered a new piece of malware that targets Mac OS X users and installs a remote-control backdoor on compromised machines. The malware, called Olyx, was discovered in a package that also contained Windows malware. Researchers said the Mac backdoor is remarkably similar to the Gh0st RAT used in the Ghostnet attacks in 2009. The Olyx backdoor was discovered by researchers at Microsoft, who found it paired with a malicious Windows executable in a package called "PortalCurrent events-2009 July 5(dot)rar." Upon analyzing the package, researchers found there were two files: the Olyx backdoor targeting Mac users, and an executable called "Video-Current events 2009 July 5(dot)exe." That executable is also signed with a valid digital certificate issued by a Chinese company. The certificate, which was valid at the time the file was signed, has since been revoked, Microsoft said. The second binary is called Current events 2009 July 5 Mach-O. "The Mach-O binary file targets Mac OS X users," researchers said. They noted it installs and runs in the background without root or administrator privileges. It disguises itself as a Google application support file by creating a folder named "google" in the /Library/Application Support directory, where the backdoor installs as "startp." It also keeps a copy in the temporary folder as "google.tmp." It creates "" in /Library/LaunchAgents to ensure that it launches the backdoor only once when the user logs in; this applies to all accounts on the system, the researchers added. "The backdoor initiates a remote connection request to an IP address, where it continues to make attempts until established." Once the compromised machine is able to connect to the remote server, the attacker has the ability to download new files to the Mac, upload data stored on the machine, and move through its file system. Source:
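A defender's check for the persistence pattern described in item 38, added here as an example; it is not code from the report or from Microsoft. It parses LaunchAgent plists and flags any whose program path points under a "google" folder in /Library/Application Support or at a google.tmp copy. The sample plists are constructed, and because the report does not give the name of the plist Olyx drops, "placeholder.olyx.plist" stands in for it.

```python
import os
import plistlib
from typing import Dict, Iterable, List, Tuple

# Path fragments taken from the Olyx description: a "google" folder under
# /Library/Application Support holding a binary named "startp", and a copy
# kept as google.tmp in the temporary folder.
SUSPICIOUS_FRAGMENTS = (
    "/library/application support/google/",
    "/google.tmp",
)


def agent_program_paths(plist: dict) -> List[str]:
    """Return each executable path a LaunchAgent plist would run."""
    paths = []
    program = plist.get("Program")
    if isinstance(program, str):
        paths.append(program)
    args = plist.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        paths.append(args[0])
    return paths


def agent_findings(plist: dict) -> List[str]:
    """Describe why a parsed LaunchAgent plist looks Olyx-like, if it does."""
    findings = []
    paths = agent_program_paths(plist)
    for path in paths:
        low = path.lower()
        for fragment in SUSPICIOUS_FRAGMENTS:
            if fragment in low:
                findings.append("program path matches Olyx location: " + path)
    # Olyx runs once per login; a RunAtLoad agent whose binary lives in
    # Application Support rather than an app bundle deserves a second look.
    if plist.get("RunAtLoad") is True and any(
        "/application support/" in p.lower() for p in paths
    ):
        findings.append("RunAtLoad agent executes from Application Support")
    return findings


def scan_plist_blobs(blobs: Iterable[Tuple[str, bytes]]) -> Dict[str, List[str]]:
    """Parse (name, raw plist bytes) pairs; return findings keyed by name."""
    flagged = {}
    for name, data in blobs:
        try:
            plist = plistlib.loads(data)
        except Exception:  # malformed plist: still worth surfacing to an analyst
            flagged[name] = ["unparseable plist"]
            continue
        if not isinstance(plist, dict):
            continue
        findings = agent_findings(plist)
        if findings:
            flagged[name] = findings
    return flagged


def scan_launch_agent_dirs(dirs: Iterable[str]) -> Dict[str, List[str]]:
    """Read every .plist in the given LaunchAgents directories and scan them."""
    blobs = []
    for directory in dirs:
        if not os.path.isdir(directory):
            continue
        for entry in sorted(os.listdir(directory)):
            if entry.endswith(".plist"):
                full = os.path.join(directory, entry)
                with open(full, "rb") as fh:
                    blobs.append((full, fh.read()))
    return scan_plist_blobs(blobs)


# Constructed samples (not real artifacts). The report does not name the
# plist Olyx drops, so "placeholder.olyx.plist" stands in for it.
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

OLYX_LIKE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>placeholder.label</string>
  <key>ProgramArguments</key><array>
    <string>/Library/Application Support/google/startp</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>"""

SAMPLES = [("com.example.updater.plist", BENIGN_PLIST),
           ("placeholder.olyx.plist", OLYX_LIKE_PLIST)]

if __name__ == "__main__":
    for name, findings in scan_plist_blobs(SAMPLES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
    # Live check of the standard LaunchAgents locations on the host.
    live = scan_launch_agent_dirs(
        ["/Library/LaunchAgents", os.path.expanduser("~/Library/LaunchAgents")])
    for name, findings in live.items():
        print(name, findings)
```

Only the benign sample is left unflagged; the Olyx-like sample is reported twice, once for its path and once for running at login from Application Support.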

39. July 25, IDG News Service – (International) Intel acknowledges SSD 320 bug, plans firmware upgrade. Intel July 24 acknowledged a bug could cause its SSD 320 solid-state drives to fail, and said a firmware upgrade is on its way to address the problem. In some instances, a power loss may cause Intel's SSD 320 drives to crash and lose data. On rebooting the system, the system BIOS could report the SSD as having only 8MB of storage capacity. Intel 2 weeks ago said the error was possibly a bug, and that the issue was being investigated. "Intel has reproduced 'Bad Context 13x Error' utilizing strenuous testing methods," an Intel spokeswoman said. "This 'Bad Context 13x Error' can be addressed via a firmware update and Intel is in the process of validating the firmware update. A future update will define the schedule to deliver the firmware fix." Source:

40. July 25, Help Net Security – (International) SecurID users targeted by fake NSA email. RSA's SecurID token users have been targeted with fake e-mails supposedly coming from the U.S. National Security Agency (NSA) urging them to update their token code. The address from which the e-mails are sent has been spoofed and says "protection@nsa(dot)," but the offered malicious links take the victim to the national-security-agency(dot)com domain, which according to Cyveillance, was registered only the day before the spam run was started. "A critical vulnerability has been discovered in a certain types of our token devices," warns the e-mail, counting on the fact the user is already aware of the RSA hack executed earlier in 2011, and its implications for the security of the company's SecurID tokens. The authors of the e-mail also appropriated the NSA and Central Security Service logos to give an appearance of legitimacy to the warning. But it appears they did not pay attention to the construction of the text itself, which contains several spelling mistakes. Cyveillance did not explicitly say what the "security token update" offered for download is, but it is likely to be a malicious executable. Source:

Communications Sector

41. July 26, Leavenworth Times – (Kansas) Repair of damaged radio tower to be delayed. One way or another, the Leavenworth County Commission in Kansas said July 25 they would like to fix a communication tower recently damaged during a thunderstorm. But the commission said they would like to wait to actually get those repairs online as its insurance company considers a claim related to the damage. A county director of buildings and grounds said the tower in DeSoto, Kansas, that is part of the Leavenworth County public safety communication system through an agreement with Johnson County, was thought to be struck by lightning during the storms of July 12. That incident caused the tower’s generator to get stuck in the "on" position, which in turn burned out the starter and damaged other electronics, he said. Since then, he said the Kansas Department of Transportation (KDOT) has investigated and surveyed the damage. The repair was estimated to take about 8 weeks, the spokesman said, while replacement could take as little as 2 weeks. Given that the tower was part of the emergency communications grid, the county commissioner said he would rather replace the generator immediately. The county counselor suggested the county still make the tower operational “as soon as possible” to avoid potential liability should an incident occur because of the damage. The undersheriff said the tower was operational and will remain so as long as it has access to electricity. And if the power should go out, he said he was confident the nearest towers, in Tonganoxie and Bonner Springs, could provide nearly complete coverage in the southern portion of the county. He said the service provider for the communication system, Motorola, was inspecting the tower to ensure it was properly grounded. Source:

42. July 25, Cincinnati Enquirer – (Ohio) Lightning sets off warning signals, hits Union Twp. communications center. Some warning sirens went off July 24 in Union Township, Ohio, for the second time in a week without being activated. Lightning struck two towers in Union Township, activating sirens and disrupting the Union Township Communications Center, said the Clermont County Communications Center director. The towers were in Mt. Carmel at Ohio 32, and the one on top of the Union Township Communications Center. The sirens went off about 4:45 p.m. The same thing happened July 20, the communications director said. That incident also was because lightning struck towers in and around Union Township, but the exact ones have not been determined. Crews will be inspecting the towers the week of July 25 to make sure all the equipment is protected properly, he said. “It appears we suffered a lightning strike to the community center,” a lieutenant with the Union Township Police Department said. When the strike happened, the backup systems maintained operations while the whole system rebooted, he said. Residents should not have noticed any disruption in service. The communications center suffered minimal damage, the lieutenant said. Officials were assessing operations and equipment July 25, but daily operations were normal. Source:

43. July 25, Associated Press – (Nebraska) Prairie dogs chewed through cable, causing phone, internet outage in western Nebraska. Prairie dogs got the blame for an Internet and phone outage in western Nebraska July 25. Officials with Charter Communications said prairie dogs apparently chewed through some buried fiber optic cable about 2 miles away from Ogallala. The problem was discovered July 25. A spokeswoman told KNEB radio in Scottsbluff that there were hundreds of prairie dog mounds in the area, and it took time to find the cut and get it repaired. Service was rerouted and repairs were completed about 7 hours later. Source:

Tuesday, July 26, 2011

Complete DHS Daily Report for July 26, 2011

Daily Report

Top Stories

• The U.S. defense industry is under siege by cyber spies in an attack that provided a link to a rigged spreadsheet containing a real list of high-level executives, Dark Reading reports. (See item 18)

18. July 22, Dark Reading – (International) New targeted attack campaign against defense contractors under way. The U.S. defense industry is under siege by cyber spies in an attack that provides a link to a rigged spreadsheet containing a real list of high-level defense industry executives who attended a recent Intelligence Advanced Research Projects Activity event, Dark Reading reported July 22. A defense contractor friend of the CEO of Invincea sent him a copy of a targeted yet suspicious e-mail with the unsolicited attachment he received. It appears the attackers sent the same e-mail and malicious attachment to the other 163 event attendees, the CEO said. The embedded URL — which appears to be a subdomain of a domain that redirects to the legitimate research project Web site — provides a ZIP archive to the attendee roster, which includes the names of directors, presidents, and CEOs of major defense and intelligence companies. “Unzipped, you see an XLS-looking file, but it’s actually an executable,” the CEO said. “It extracts another custom program that’s an HTTP client. This client beacons out to a server. You wouldn’t notice it even if you were looking at your system process table: It looks like standard browser activity.” It is not until the system is rebooted, however, that problems begin: The client reaches out to a command-and-control (C&C) server, which sends it another executable file. “That’s the payload of the weapon,” the CEO said. A team at ThreatGrid analyzed the executable, and found it is a remote C&C trojan hosted on a Web site. The trojan gives the attackers full control of the victim’s machine and Internet settings in the registry, and can update root certificate lists that could be used for SSL man-in-the-middle attacks. The researchers were unable to tell how far the attackers got or what they might have stolen. They said the attack appeared to be an ongoing, active campaign targeting multiple defense contractors with similar methods but some different documents and executables. Source:

• Investigators probing the ransacking of International Monetary Fund (IMF) computers concluded a recent attack was carried out by cyber spies connected to China, according to Bloomberg. See item 21 below in the Banking and Finance Sector


Banking and Finance Sector

19. July 24, Spokane Spokesman-Review – (International) Tamarack founder sues Credit Suisse for racketeering, fraud, conspiracy, more. The founder and former board chairman of the failed Tamarack Resort in Tamarack, Idaho, and the founder and former manager and developer of the Yellowstone Club in Montana, have filed to intervene in a pending lawsuit against Credit Suisse, charging the Swiss bank with racketeering, fraud, conspiracy, and more, in a scheme they charge directly contributed to the financial failure of both resorts. The existing lawsuit, originally filed in January of 2010 by a group of property owners from four failed luxury resorts, charged the second-largest bank in Switzerland with engaging in a “predatory” lending scheme designed to force all four resorts into foreclosure, and acquire the pricey properties for pennies on the dollar while raking in “enormous” fees. In addition to Tamarack and the Yellowstone Club, the 2010 federal lawsuit covers two other failed luxury resorts: Lake Las Vegas in Nevada, and Ginn Sur Mer resort in the Bahamas. The scheme, according to the legal filings, involved a “new and exotic real estate loan product” that Credit Suisse developed in 2004, targeting owners of high-end real estate resort developments with the pitch they could enjoy all the future profits and equity from their developments. Appraisal values for the properties were vastly inflated using a new methodology. As a result, the Yellowstone Club was appraised at $420 million in September 2004, but in July 2005, it was appraised at $1.165 billion. Tamarack was appraised at $284 million in December 2005, but 1 month later Credit Suisse said it was worth $1.5 billion. The Swiss bank ran the huge loans through its Cayman Islands branch, which the new filings charge “consisted of a lonely PO box and no office personnel whatsoever.” The original lawsuit seeks $8 billion in actual damages, and $16 billion in punitive damages, including $150 million each for the four communities impacted by the failed resort projects. Source:

20. July 22, Port Huron Times-Herald – (Michigan) Former Citizens First executive charged. A former Citizens First Savings Bank executive has been charged with hiding troubled assets from the Federal Deposit Insurance Corporation (FDIC). According to documents filed in a U.S. district court in Michigan, the man ordered that unfavorable real estate appraisals be purged from Citizens’ mortgage loan files in July 2009 before they were examined by the FDIC. Hiding the roughly 100 troubled assets was meant to prevent examiners from accurately assessing the bank’s stability, the U.S. district attorney’s office alleged. The former executive resigned October 2, 2009, as president of mortgage banking. The FDIC closed Citizens First, based in Port Huron, Michigan, April 30, 2010. First Michigan Bank took over the bank’s deposits and assets. The federal case against the former executive was opened in June. If convicted, he faces up to 30 years in prison, and/or $1 million in fines. Source:

21. July 22, Bloomberg – (International) China-based spies said to be behind hacking of IMF computers. Investigators probing the recent ransacking of International Monetary Fund (IMF) computers have concluded the attack was carried out by cyber spies connected to China, according to two people close to the investigation. Computer specialists have spent several weeks piecing together information about the attack, which the IMF disclosed June 8. Evidence pointing to China includes an analysis of the attack methods, as well as the electronic trail left by hackers as they removed large quantities of documents from the IMF’s computers. The multistaged attack, which used U.S.-based servers as part of its equipment, ended May 31, people involved in the investigation said. IMF officials have said little publicly about the scope of the attack or its origins, citing the on-going nature of the investigation, which involves outside forensics experts, and the fund’s own information-technology team. People familiar with the incident said the hackers were able to download a large quantity of documents from dozens of computers on the IMF’s network, which was first infected when an employee downloaded a file containing a piece of sophisticated spying software that quickly spread. The IMF is a cornerstone institution in the global economic system, managing financial crises around the world. Its computers are likely to contain confidential documents on the fiscal health of many countries. The financial status of countries is critical data for major nation-state investors or holders of sovereign debt. The IMF’s adviser to the chief information officer said in an e-mail to IMF staff that the attack was not related to identity theft or commercial fraud, another indication the intruders were not ordinary cyber thieves. Source:

Information Technology Sector

43. July 25, Computer Weekly – (International) SecurEnvoy tackles trojan-based cookie hack. SecurEnvoy has developed a security technique to protect a secure Web session that it claims solves the problem of hacking session cookies. According to SecurEnvoy, cybercriminals can hijack a user’s online session through cookies. The technique involves infecting a computer with a trojan, and then intercepting relevant Web-based commands — plus cookie transmissions — to prevent the Web site noting the legitimate user has terminated their online session. “By using a trojan to log the relevant GET and POST commands, as well as injecting data into an active Web session, cybercriminals can allow a legitimate user to log off their online Web service, but keep the session alive on another internet connection,” SecurEnvoy’s chief security officer said. While most two-factor authentication systems do not include protection beyond initial authentication, SecurEnvoy said it has built steps to protect the integrity of the session and its associated cookie. Even if someone tries to intercept the session cookie and other relevant data through nefarious means, the lack of authentication in combination with the fingerprinted cookie session will cause the unauthorized session to be dropped, SecurEnvoy said. Source:

44. July 25, H Security – (International) phpMyAdmin updates close critical security holes. Versions and of phpMyAdmin close four security holes in the open source database administration tool. According to the phpMyAdmin developers, the security releases address two “critical” vulnerabilities that could lead to possible session manipulation in swekey authentication or remote code execution. A “serious” bug that could allow an attacker to perform a local file inclusion and a “minor” cross-site scripting (XSS) hole have also been fixed. Versions and earlier are affected. The 2.11.x branch, which reached its end of life earlier in July, is not affected by the session manipulation hole, but may be affected by the others. Source:

45. July 23, Help Net Security – (International) Oslo bombing Facebook scams infecting 1 user per second. Websense has found an alarming number of Facebook scams taking advantage of the recent attacks in Oslo, Norway. As of July 23, one scam appears to be infecting one user every second. The scam is a form of “clickjacking” that replicates itself on users’ walls after they click on fake posts within their news feed. Users should be cautious when clicking on breaking news trends and stories within search results related to the Oslo attacks. Searching for breaking trends and current news represented a higher risk (22.4 percent) than searching for objectionable content (21.8 percent). Source:

46. July 22, Help Net Security – (International) Chameleon-like fake AV delivered via clever social engineering. A complex and efficient fake AV spreading campaign has been spotted targeting Facebook users. It starts with users apparently contacted by a Facebook friend via the social network’s chat feature. The message contains a link to a YouTube video. The user follows the link and sees they can’t watch the video until they follow a download link to upgrade Adobe Flash Player. The file the user actually downloads is Trojan(dot).FakeAV(dot)LVT. “It copies itself as %windir%\services32.exe and as %windir%\update.X\svchost.exe, where update is a hidden directory and X is the version of the malware,” a BitDefender researcher said. “After that, it adds a registry key in %SYSTEM% and the malicious code is added thus to the list of authorized applications for the firewall or it disables the firewall altogether. Then it proceeds to disable all notifications generated by the firewall, the update module and whatever antivirus it finds.” The malware has the ability to detect which legitimate AV solution the user has installed on the computer, and to display personalized warning message windows that mimic the ones the legitimate solution would present. The malware “finds” a virus on the system and asks the user to reboot the computer so it can clean it up. The reboot triggers an unwelcome series of events: the system boots in safe mode, which allows the malware to start and uninstall the legitimate AV solution, and then the system is rebooted once again — this time in normal mode. The now unprotected system is ready to be misused by a downloader component integrated in the trojan, which downloads further malware from an array of URLs, depending on the OS running on the computer. Source:

47. July 22, threatpost – (International) Apple laptop batteries can be bricked, firmware hacked. A security researcher has discovered a method that enables him to completely disable the batteries on Apple laptops, making them permanently unusable, and perform a number of other unintended actions. The method, which involves accessing and sending instructions to the chip housed on smart batteries, could also be used for more malicious purposes. The basis of the research is the battery used in most Apple laptops. The battery has a chip on it that contains instructions for how it is meant to behave and interact with the operating system and other components. Source:

48. July 22, H Security – (International) iCal messages crash Lotus Domino server. IBM is warning users of a vulnerability in its Lotus Domino product that could be exploited to crash the server. According to the company, an attacker could send a specially crafted iCal message to a Domino server, causing the Router task to utilize 100 percent of the CPU. When the message is opened in the Notes client, both the client and server will crash. The server will restart, exhaust resources and crash again, repeatedly. The flaw allows for denial of service attacks on the server. Versions up to and including Lotus Notes/Domino 8.5.2 Fix Pack 2 (FP2) are reportedly affected. IBM has provided an interim fix in Domino 852FP2IF1. Alternatively, users can upgrade to Lotus Notes/Domino 8.5.2 Fix Pack 3 (FP3), which was released July 18, to close the hole. Source:

Communications Sector

49. July 25, WPTZ 5 Plattsburgh – (New York) Land-line telephone service is experiencing network problems. Residents in the North Country of New York were experiencing sporadic problems with connecting telephone calls from land lines July 24 and 25. Phone companies were experiencing network problems in Clinton, Essex, and Franklin counties that were causing sporadic phone system problems including possible outages and/or inability to place phone calls. 9-1-1 systems were still functioning. Source:

50. July 25, International Falls Journal – (Minnesota) Psalm 99.5 radio tower collapses. A 650-foot transmitting tower for Psalm 99.5, a non-commercial Christian radio station based in International Falls, Minnesota, collapsed July 24. It was the station’s largest tower, which carried its main signal. The tower was located near Loman and transmitted music and talk programming to the Falls and Fort Frances, and throughout several larger towns in northern Minnesota. The station’s staff worked quickly to put up a temporary 100-foot antenna to resume programming in the Falls and Fort Frances July 24, but the station manager said the station’s on-air range was at most a 15-mile radius. The fallen tower could transmit throughout a 90-mile radius as well as send signal to receivers in the Iron Range to be rebroadcast in other cities. Psalm was off the air in three-quarters of its listening area, including seven towns that have translators built to pick up signal from the fallen tower. Those cities include Bemidji, Red Lake, Warroad, Ely, Babbitt, Tower, and Angle Inlet. Psalm’s second station in Hibbing had a tower sending a signal to Grand Rapids, Eveleth/Virginia, Hoyt Lakes, Chisholm, and Cook. Programming in those areas was still on the air. Optimistically, the station manager said, the station would have a new tower in October. Source:

51. July 24, Findlay Courier – (Ohio) Telephone service outage in Arcadia, Vanlue. Telephone service in Arcadia and Vanlue, Ohio, was out July 24, the Hancock County Sheriff’s Office said after being contacted by TDS Telecom. A lightning strike caused the outage July 23, the sheriff’s office said. 911 services were also affected. No time frame had been established as of July 24 to restore services. Source: