Thursday, August 4, 2011

Complete DHS Daily Report for August 4, 2011

Daily Report

Top Stories

• Reuters reports security company McAfee found a mammoth series of global cyber attacks it said involved one "state actor" infiltrating the networks of 72 organizations, including the United Nations, governments, and companies. (See item 33)

33. August 3, Reuters – (International) State actor seen behind enormous wave of cyber attacks. Security company McAfee discovered the biggest series of cyber attacks to date, involving the infiltration of the networks of 72 organizations including the United Nations, governments, and companies around the world, Reuters reported August 3. McAfee said it believed there was one "state actor" behind the attacks but declined to name it, though one security expert briefed on the hacking said the evidence points to China. The long list of victims in the 5-year campaign includes the governments of the United States, Taiwan, India, South Korea, Vietnam, and Canada; the Association of Southeast Asian Nations; the International Olympic Committee; the World Anti-Doping Agency; and an array of companies, from defense contractors to high-tech enterprises. In the case of the United Nations, the hackers broke into the computer system of its secretariat in Geneva in 2008, hid there for nearly 2 years, and quietly combed through reams of secret data. McAfee learned of the extent of the hacking campaign in March of this year when its researchers discovered logs of the attacks while reviewing the contents of a "command and control" server they had discovered in 2009 as part of an investigation into security breaches at defense companies. It dubbed the attacks "Operation Shady RAT" and said the earliest breaches date back to mid-2006, though there might have been other intrusions. (RAT stands for "remote access tool," a type of software hackers and security experts use to access computer networks from afar.) McAfee's vice president of threat research said McAfee had notified all 72 victims of the attacks, which are under investigation by law enforcement agencies around the world. Source:

• A demonstration at a Black Hat conference found most Supervisory Control and Data Acquisition systems used to run power plants and other critical infrastructure lack basic cyber security protections, CNET reports. (See item 43 below in the Information Technology Sector)


Banking and Finance Sector

12. August 3, Nashville Tennessean – (Tennessee) Gallatin police identify source of credit card fraud. Investigators have found the source of a credit card fraud outbreak in Gallatin, Tennessee, city police said August 2. A local business computer was hacked by a criminal enterprise and steps have been taken to prevent further financial theft. The business was not identified, but it was a targeted victim and the employees were not responsible for the fraudulent charges. The case is being investigated by Gallatin police, and the U.S. Secret Service. More than 100 cases of stolen financial information were reported in July from residents throughout Sumner County. Police previously said the trend among the cases was that most of the victims had used their cards in the 1400 block area of Nashville Pike in Gallatin. Many of the charges were for $80-$100, and were listed on bank and credit card account statements from various cities in Florida.


13. August 3, KCTV 5 Kansas City – (Missouri; Kansas; Oklahoma) Multi-state bank robber on a crime spree, FBI says. The FBI said August 3 it needs help tracking down a bank robber who is on a crime spree in three states, including Kansas and Missouri. Investigators said a man held up banks in Shawnee, Kansas, Joplin, Missouri, and 4 in Oklahoma — all since May 2011. Authorities said in many of the robberies, the suspect entered the bank 30 minutes to 2 hours prior to the robbery wearing dark sunglasses and a hat. The suspect then re-entered the bank wearing a disguise and demanded money from the teller. Authorities think he is driving a silver Volkswagen Jetta with Oklahoma tags. Source:

14. August 3, Denver Post – (Colorado) Man fires shots, leaves suspected bomb at Aurora payday business. A man who attempted to rob a payday-loan business on East Colfax Avenue in Aurora, Colorado, August 2 fired shots at an employee and left behind a backpack that he said contained a bomb. The Adams County Bomb Squad used a blast of water on the device and found what appears to be a bomb. "(It) was described as having all the makings of an explosive device," an Aurora police spokeswoman said. The incident began at 4:30 p.m. at Ace Cash Express at 11703 East Colfax. Nearby streets were closed until about 7 p.m. The spokeswoman said the man walked into the store, put the backpack on the counter, and ordered an employee to give him money. The worker instead ducked behind a counter, and the man pulled a pistol from his waistband and fired two shots in the direction of the employee, she said. No one was injured. Police said the man is black and in his early 20s. He is about 6 feet tall and weighs about 165 pounds with a thin build. He was wearing a gray shirt, sunglasses, and a black scarf over his face. Source:

15. August 2, Miami Herald – (Florida) U.S. attorney accuses 27 in South Florida of mortgage fraud. Four separate indictments were unsealed August 2 by the U.S. attorney’s office in Miami accusing 27 people in various mortgage fraud schemes against banks and South Florida homeowners. The U.S. attorney said the charges range from mail fraud to insurance fraud to arson, and highlight the problems South Florida faces as the nation’s top market for mortgage loan fraud. The schemes resulted in more than $30 million in bad loans. Two of the cases involve typical mortgage fraud schemes, with straw buyers using falsified loan applications to buy homes at inflated prices while the fraud orchestrators pocketed large portions of the bank loans. According to the first unsealed indictment, a businessman, a loan processor, and a closing agent, all of Miami-Dade County, and a real estate agent from Broward County recruited 13 straw buyers to orchestrate a $20 million fraud on mortgage lenders. From January 2006 to March 2008, the group purchased 22 properties in Miami-Dade using bogus loan documents, taking out multiple loans on some properties. Straw buyers allegedly received kickback payments of $30,000 to $100,000 for the use of their credit information. The second unsealed indictment describes a similar scheme, allegedly carried out in Palm Beach County by three mortgage professionals. That case involves more than $9.2 million in bank loans for homes bought by straw buyers, the indictment states. A third indictment describes several crimes on a single property, including mail fraud, arson, and insurance fraud. A fourth case charges a Miami attorney with misappropriating more than $1 million in client funds during the closing process of real estate transactions. Of the 27 defendants charged, 25 are in custody. If convicted, the defendants could each face 20 years in prison. Source:

16. August 2, Seattle Times – (Washington) Berg enters guilty plea in Meridian fraud case. A Mercer Island, Washington, man charged with defrauding investors of about $100 million in a Ponzi scheme involving his Meridian Mortgage funds pleaded guilty August 2 to wire fraud, bankruptcy fraud, and money laundering, according to documents filed in court. The three-count plea deal is expected to bring a sentence of 18 years, according to the U.S. attorney's office and the man's lawyer. The mortgage manager, whose array of Meridian investment funds began to collapse in mid-2010, was charged with siphoning off millions of dollars from the funds to finance his luxurious lifestyle, the creation of a high-end motor-coach company, and the acquisition of a Mercer Island home, two yachts, and two jets. Prosecutors said he used incoming money from some investors to pay off earlier investors, maintaining the illusion that the funds were investing in real estate and earning steady high returns. But according to the indictment, after a certain point, the man never purchased any assets as promised, and instead "fabricated false records for many of the seller-financed real-estate contracts and loans purportedly purchased or financed by the funds." The court-appointed bankruptcy trustee for the mortgage funds told investors in May the Meridian funds took in about $160 million of investor cash, and at their downfall showed a balance of $210 million, including phony earnings. The trustee calculated that more than $100 million was misappropriated, and the assets recovered may total $27.7 million. Source:

17. August 2, Windsor Locks-East Windsor Patch – (National) Florida man pleads guilty to stealing $200,000 in credit card scheme. A 36-year-old Miami, Florida, man pleaded guilty in federal court in New Haven, Connecticut, August 2 to bilking $200,000 from several businesses in a credit card scheme. The man pleaded guilty to one count of access device fraud and one count of identity theft, the U.S. Attorney for the District of Connecticut announced in a press release. According to court documents and statements made in court, between May 2010 and November 2010, the man unlawfully obtained several credit card numbers and created counterfeit credit cards bearing an embossment of the credit card numbers and the names of two actual persons. He also created counterfeit drivers’ licenses in the names of the two persons. The convict then used the counterfeit credit cards to purchase gift cards from Stop & Shop, Big Y, Staples, and Safeway stores, and to rent vehicles from Hertz. These transactions occurred in Massachusetts, Connecticut, Rhode Island, New York, and Virginia. He sold most of the gift cards to others and kept some for his own use. As a result of this fraud scheme, the businesses and the credit company that supported the credit accounts suffered losses in excess of $200,000. Source:

Information Technology Sector

41. August 2, Help Net Security – (International) Spear-phishing and crimeware assembling marked second half of 2010. The Anti-Phishing Working Group (APWG) reports the development of crimeware surged in the half-year period ending in December 2010, with one data contributor registering more than 10 million new malware samples in the period, while other analysts describe important shifts in approaches to crimeware deployment by cybercrime gangs. Cybercriminals repurpose base code of existing crimeware using polymorphic techniques to craft new variations of crimeware to evade detection by filters reliant on fingerprints of known crimeware. A PandaLabs technical director said 55 percent of the new samples created in the 2nd half of 2010 were Trojans, the favorite weapon used by cybercriminals to infect consumers’ computers. A senior manager at Security Research for Websense said his laboratory noticed a shift toward a binary weapons approach to infecting PCs with crimeware, assembling the final crimeware code from several components that arrive through different mechanisms, and at different times. While measurements for conventional social engineering-based phishing showed some slowing of growth in the 2nd half of 2010, reports of hyper-focused phishing attacks on key personnel have been increasing since then, and have continued growing through early 2011, indicating a larger shift in tactics by established cybercrime gangs. Source:

42. August 2, ComputerWorld – (International) Google patches 30 Chrome bugs, adds Instant Pages. Google patched 30 vulnerabilities in Chrome August 2. Fourteen of the 30 vulnerabilities patched were rated "high", the second-most-serious ranking in Google's four-step scoring system, while nine were pegged "medium", and the remaining seven were labeled "low". None of the flaws were ranked "critical", the category usually reserved for bugs that may allow an attacker to escape Chrome's anti-exploit sandbox. Most of the vulnerabilities rated as a high threat — nine of the 14 — were identified as "use-after-free" bugs, a type of memory management flaw that can be exploited to inject attack code. Source:

43. August 2, CNET – (International) Researchers warn of SCADA equipment discoverable via Google. A demonstration August 2 during a Black Hat conference workshop revealed that Supervisory Control and Data Acquisition (SCADA) systems used to run power plants and other critical infrastructure lack many security precautions to keep hackers out, and that operators sometimes advertise their wares on Google search. The chief technology officer at security consultancy FusionX typed in search terms associated with a Programmable Logic Controller (PLC), an embedded computer used for automating functions of electromechanical processes. Among the results was one referencing a "RTU pump status" for a Remote Terminal Unit, such as those used in water treatment plants and pipelines, that appeared to be connected to the Internet. The result also included a password: "1234". Most SCADA protocols do not use encryption or authentication, and they do not have access control built into them or the device itself, said a fellow presenter and founder of Red Tiger Security. This means that when a PLC has a Web server and is connected to the Internet, anyone who can discover the Internet Protocol address can send commands to the device, and the commands will be performed. "If that RTU or PLC has large motors connected to it, pumping out water or chemicals, the equipment could be turned off," the Red Tiger Security founder said. "If it was a substation and the power recloser switches were closed, we could break it open and create an (electricity) outage for an entire area or city ... The bottom line is you could cause physical damage to whatever is connected to that PLC." Source:

44. August 1, Help Net Security – (International) A unique malware file is created every half-second. Sophos has released its Mid-Year 2011 Security Threat Report, which reveals that since the beginning of 2011, the company has identified an average of 150,000 malware samples every day. This equates to a unique malware file being created every half-second, a 60 percent increase since 2010. In addition, around 19,000 malicious Web site addresses (URLs) are now identified daily, with 80 percent of those URLs being pages on legitimate Web sites that have been hacked or compromised. High-profile hacking attacks against governments and corporations have dominated the security landscape in 2011. The result is that other security issues that could pose a greater threat to businesses, governments, and consumers have received less attention. Source:

For another story, see item 33 above in the Top Stories.

Communications Sector

45. August 2, WMUR 9 Manchester – (New Hampshire) Phone problems fixed for 5 northern NH towns. Communications in five northern New Hampshire communities were back to normal August 2. FairPoint Communications said the problems began the morning of August 2 after an excavator digging on Route 16 damaged a cable. A FairPoint spokesman said August 2 the affected communities were Conway, North Conway, Bartlett, Jackson, and Tamworth. The 911 emergency service worked through the problems, but some calls between towns were cut. A police lieutenant said his department coordinated operations with the Carroll County sheriff's office. Source:

46. August 2, Paducah Sun – (Tennessee; Kentucky) Comcast customers lose service because of severed lines. Only 3 days after local Comcast customers lost service because of severed fiber optic lines in Nortonville, Kentucky, services were cut again July 30 when a fiber optic line was severed in Nashville, Tennessee. A Comcast spokeswoman said a fiber optic line was severed in several places at 1:30 p.m. after a car wreck took down a utility pole in Nashville. Damages to the line resulted in a loss of services to the majority of Comcast customers in the local area. Services were restored by 11 p.m. July 30, the spokeswoman said. Source:

47. August 2, Longview Daily News – (Washington) CenturyLink crews work to restore landline service in Winlock area. About 2,000 customers in the Winlock, Washington, area lost their landline phone service around 2 p.m. August 2. By 3:45 p.m., all but about 200 customers' service had been restored, said a public relations manager for CenturyLink (formerly Qwest). "We do have crews on site and are working on this to restore service as quickly as possible," the spokeswoman, who didn't know the cause of the outage, said. Customers who don't have dial tones should go to 609 Kerron Street in Winlock if they have an emergency and have no cell phones, she said. Source: