Wednesday, August 17, 2011

Complete DHS Daily Report for August 17, 2011

Daily Report

Top Stories

• The source code for SpyEye, a data-stealing Trojan, was published online and could be used by cybercriminals with little chance of getting caught, a researcher said August 15. – DarkReading (See item 43)

• Witnesses at Echo Resort in Coalville, Utah, said a group of men rented two boats early August 7, piloted them to Echo Dam, and spent hours shining lights along the width of the structure. – KSL 5 Salt Lake City (See item 56)

56. August 16, KSL 5 Salt Lake City – (Utah) Suspicious activity prompts investigation at Echo Dam. Witnesses at the Echo Resort in Coalville, Utah, said a group of men arrived at the Echo Dam early August 7, KSL-TV 5 Salt Lake City reported August 16. They paid a resort worker $35 to launch at least two boats. Several of the men remained on shore while others piloted their boats to the dam and spent hours shining lights along the width of the structure. They were gone by daylight. The resort employee mentioned it to his boss later the next day, and the boss called police. "Well it certainly was an unusual event," said a spokesman for the U.S. Bureau of Reclamation, which oversees Echo Dam and numerous other dams in Utah. The witnesses said the men did not appear to be from the United States. Summit County sheriff's deputies, along with federal authorities, were on the scene the next morning. The dam was deemed safe. Witnesses at the resort said authorities used what appeared to be a remote submarine to check out the dam under the surface. Echo Resort enhanced security and printed up flyers for campers describing the event and asking them to be on the lookout. Source:


Banking and Finance Sector

19. August 16, Bank Info Security – (International) Global card fraud ring busted. New South Wales (NSW) Police in Australia said the department's fraud squad has arrested and charged five Malaysian and Sri Lankan nationals suspected of being behind an elaborate international card-skimming scheme that spanned the United Kingdom, mainland Europe, and North America. The alleged scheme, which authorities have been investigating for several months, involved skimming at point-of-sale terminals in numerous merchant locations. Police did not say how the accused are suspected of pulling off the scam, but did say authorities seized numerous point-of-sale (POS) terminals, PIN overlays, and other electronics, such as laptops and mobile phones. Authorities also discovered $10,000 in Canadian dollars, falsified identification and travel documents, and a number of Canadian credit cards. Over the last several months, investigators in connection with the case have seized more than 50 stolen POS terminals, dozens of skimmers, and more than 18,000 blank and counterfeit cards. So far, 25 people have been arrested and charged. Source:

20. August 15, Fierce Government IT – (National) GAO: FDIC cybersecurity lacking. The confidentiality and integrity of the Federal Deposit Insurance Corporation's (FDIC) information systems are vulnerable, said a Government Accountability Office (GAO) report published August 12. Weak passwords, poor user-access policies, inconsistent encryption and unsatisfactory patch implementation threaten the FDIC's financial systems and databases, the GAO found. While security risks persist at the FDIC, the situation is an improvement when compared to past cybersecurity problems at the agency. FDIC remediated 26 of the 33 control weaknesses the GAO identified in a similar 2009 audit, the government watchdog found. However, the report authors noted, "the corporation did not always fully implement key information security program activities, such as effectively developing and implementing security policies." The GAO suggested the FDIC develop, document, and implement information security fixes for its loss-share loss estimation process. The GAO also made 38 new cybersecurity recommendations to address 37 findings from the audit, which were outlined "in a separate report with limited distribution," report authors wrote. Source:

21. August 15, Bloomberg – (International) Ex-Optionable chief admits to scheme to hide losses at Bank of Montreal. The former CEO of Optionable Inc. pleaded guilty August 15 to his role in a scheme to hide millions of dollars in losses at the Bank of Montreal. The 52-year-old pleaded guilty in federal court in Manhattan, New York, to one count of conspiracy to commit wire fraud. The case stems from $690.5 million of pretax commodity-trading losses the bank announced in April 2007. Those losses grew to C$853 million for the fiscal year, paring profit by C$440 million. The former CEO was charged with fraud in 2008 for helping a former trader at the bank conceal the losses. The former CEO, an ex-convict who hid his criminal record, helped a former trader hide commodity losses from the bank to win business for Optionable, a brokerage firm focusing on energy derivatives, according to prosecutors. The former CEO was sentenced to 30 months in prison for credit-card fraud in 1997, and 6 months for income-tax evasion in 1993, court records show. Source:

22. August 15, Bloomberg – (International) Ex-Ahold executive Mark Kaiser pleads guilty in $800 million fraud case. The ex-marketing chief of a former U.S. unit of Dutch grocer Royal Ahold NV pleaded guilty August 15 to conspiracy, 13 months after his previous conviction for overstating earnings was overturned. The 54-year-old former U.S. Foodservice Inc. executive admitted in a federal court in Manhattan, New York, to participating in an $800 million securities fraud. He could receive as much as 5 years in prison. Prosecutors alleged he made fraudulent representations about U.S. Foodservice's financial condition in a bid to burnish his resume for a promotion at the Columbia, Maryland-based unit. He was convicted in 2006 of helping the subsidiary inflate profits from 2000 to 2003 by wrongly recording promotional rebates as income, and sentenced to 7 years in prison. In July 2010, the U.S. Court of Appeals in New York threw out his convictions for securities fraud, conspiracy and four counts of making false filings with the Securities and Exchange Commission. The appeals court said he was entitled to a new trial because the lower court judge erred by admitting into evidence the statement of the unit's general counsel. Source:

23. August 15, ABC News – (Oregon; Washington; Montana) 'Bad Hair Bandit': 18 bank robberies in 9 months. A woman known as the "Bad Hair Bandit" for the assortment of ill-fitting wigs she has worn while robbing at least 18 banks since December 2010 may have struck again, authorities said August 15. After a spree that had apparently been confined to Washington and Oregon, the FBI is investigating whether the same bandit robbed a bank in Montana the week of August 8. On August 11, an unidentified woman wearing a short, dark-haired wig walked into the Bank of Butte in Butte, Montana, passed a note to the teller, and walked out with more than $1,000. The Butte-Silver Bow County sheriff told the Montana Standard that the FBI is now investigating whether the Butte robber was the infamous "bad hair bandit." Witnesses described the woman at the Butte robbery as a white female, 40, 5 foot 8 to 5 foot 10 inches tall and with a heavy build. According to the FBI Web site, the bad hair bandit typically enters the bank and passes a note to a teller in which she demands cash and states that she is armed. She tends to wear a zippered hoodie, eyeglasses, a baseball cap, and some type of wig, and appears to flee by car, which the bureau describes as possibly a newer silver or gold sedan similar to a Honda Accord. Source:

For another story see item 43 below in the Information Technology Sector

Information Technology Sector

41. August 16, CNET News – (International) iOS dev to pay $50,000 fine over child privacy. An iOS developer has been fined $50,000 for allegedly violating the Children's Online Privacy Protection Act (COPPA), the Federal Trade Commission (FTC) announced August 15. COPPA is a far-reaching act, requiring Web site operators to notify and obtain parent or guardian consent before children's personal information is collected, used, or disclosed. Privacy policies that are clear and understandable for parents are also required. According to the government organization, iOS developer W3 Innovations, which is doing business as Broken Thumb Apps, violated COPPA in several of its applications, including Emily's Girl World, Emily's Dress Up, Emily's Dress Up & Shop, and Emily's Runway High Fashion. According to the FTC, the company's games, which let kids design outfits and create virtual models, have been downloaded more than 50,000 times. The violation, the FTC alleges, relates to W3's collection of "thousands of e-mail addresses" from kids who posted comments and requests for advice on "Emily's Blog." In addition, the FTC alleges the company allowed kids to post personal information on message boards without "verifiable parental consent." Source:$50000-fine-over-child-privacy/

42. August 16, The Register – (International) Man reveals secret recipe behind undeletable cookies. A privacy researcher has revealed the evil genius behind a for-profit Web analytics service capable of following users across more than 500 sites, even when all cookie storage was disabled and sites were viewed using a browser's privacy mode. The technique, which worked with sites including Hulu, Spotify, and GigaOm, is controversial because it allowed analytics startup KISSmetrics to construct detailed browsing histories even when users went to considerable trouble to prevent tracking of the Web sites they viewed. It had the ability to resurrect cookies that were deleted, and could also compile a user's browsing history across two or more different browsers. It came to light only after academic researchers published a paper late last month. The KISSmetrics CEO responded with a post on the firm's Web site claiming the research "significantly distorts our technology and business practices." The company also added a "consumer-level opt-out for those who wish to be entirely removed from all KISSmetrics tracking." One of the researchers stands by the findings and said KISSmetrics' recently updated privacy policy does not make it clear how users go about opting out of tracking. The researcher said the only way to block the tracking using the technique is to block all cookies and to clear the browser cache after each site visited. Source:

43. August 15, DarkReading – (International) Source code for SpyEye Trojan published; more exploits on the horizon, researcher says. The source code for SpyEye, an infamous data-stealing Trojan, has been published on the Web and could easily be adapted and used by any savvy cybercriminal with virtually no cost or chance of getting caught, a researcher said August 15. "One of the most dangerous Swiss Army knives in malware is now available to billions," said a senior threat intelligence analyst at security vendor Damballa. According to a blog posted by the analyst on the Damballa Web site, the SpyEye builder patch source code was leaked by French security researcher Xyliton, part of the Reverse Engineers Dream (RED) Crew. The SpyEye malware kit has been widely used in cyberspace for some time now, but it generally was sold at a price of around $10,000. Now, with the crack, the kit is being sold inexpensively on hacker forums. "What this means is that anybody can use it," the analyst said. Perhaps just as important, the "crack" enables malware developers to avoid the attribution that was previously associated with the high-priced toolkit, he stated. Where previous exploits using the kit could often be traced back to the original buyer of the toolkit, there have already been some SpyEye exploits spotted that have no attribution. "This will make it more difficult to track SpyEye botnets back to the source," the analyst said. SpyEye, which incorporated elements of the popular Zeus Trojan earlier this year, was already ranked as one of the top three threats on the Web this year, infecting some 2 million devices. Source:

For more stories, see item 25, above in the Banking and Finance Sector and 44 below in the Communications Sector

Communications Sector

44. August 16, FierceTelecom – (National) Verizon network sabotage claims hit 143 as strike continues. Verizon told The New York Times August 15 that the number of network damage incidents suspected to have been caused in the last week or so by sabotage — allegedly by striking union workers — had reached 143. Meanwhile, a New York City anti-terrorism unit reportedly was called upon to keep an eye on possible incidents of sabotage on Verizon's network, a report that drew criticism from union workers who wondered why Verizon was not providing for its own security efforts. Each day, the activity around the ongoing strike seems to find a new fever pitch. Several union rallies were held around the country August 15, while Verizon continued to accuse the striking workers of illegal tactics. Source:

45. August 15, Muskegon Chronicle – (Michigan) Phone outage affects 3,900 in Shelby area. About 3,900 people were without land-line phone service, and 550 lost their high-speed Internet connection August 15 due to an outage in the Shelby, Michigan area, according to Mason-Oceana 911. The Mason-Oceana 911 director advised people without service who experience an emergency during the outage to go to the Shelby Police Department, 36 W. Third, or Shelby Fire Department, 466 N. Industrial Park. The outage also has affected some cellular carriers in the Shelby area. A Frontier spokesman said technicians were rebooting the phone system in the Shelby office, and service should be restored shortly. Source:

For another story see item 41 above in the Information Technology Sector

Tuesday, August 16, 2011

Complete DHS Daily Report for August 16, 2011

Daily Report

Top Stories

• Flood watches and advisories remained in effect August 15 for parts of New York City as rain led to power outages, airport delays, train disruptions, and stranded motorists along major thoroughfares. – WPIX 11 New York (See item 19)

19. August 15, WPIX 11 New York – (New York) NYC metro area swamped by record rainfall, flooding continues. Flood watches and advisories remained in effect August 15 for portions of New York and New Jersey as rain led to power outages, train delays and service disruptions, airport delays, and stranded motorists along the area's major thoroughfares. Forecasters said Central Park got 3 inches of rain, while portions of Brooklyn got swamped with 4 inches; approximately 7 inches fell at John F. Kennedy Airport in Queens. The rain came down in sheets August 14, stranding motorists in their cars; people had to be fished out of a car submerged in 4 feet of water at the corner of 9th and Smith Streets in Carroll Gardens, Brooklyn; and at Garfield Street, between 4th and 5th avenues, five cars stalled out in the water. Flooding also occurred in the Bronx, Queens, Manhattan, and parts of Westchester County. Stranded cars closed the Roosevelt Avenue ramp on the Brooklyn Queens Expressway (BQE), while the Staten Island Expressway between Clove and Richmond roads also had to be closed. In the subways, following daylong efforts at pumping out water and resolving weather-related problems with signals and switches, work crews were able to restore service to the Sea Beach N line in Brooklyn. Problems on the N began at 4:40 a.m. with weather-related signal problems at 36th Street and continued with serious flooding on the tracks at 86th Street. Normal service resumed shortly before 5 p.m. In addition, E service resumed between West 4th Street and WTC. A number of bus detours remain in place. There were a number of service disruptions on the Long Island Railroad (LIRR). There was a traffic management program in effect for traffic arriving at John F. Kennedy International Airport. This was causing some arriving flights to be delayed an average of 2 hours and 58 minutes. Source:,0,4962870.story

• The Indiana State Fair in Indianapolis reopened August 15, two days after storm winds collapsed a stage, killing five people and injuring more than 40. – CNN (See item 49)

49. August 15, CNN – (Indiana) Indiana fair reopens with service for 5 killed in stage collapse. The Indiana State Fair in Indianapolis reopened August 15 with a public memorial service for five people killed when a concert stage collapsed during a storm August 13. The fairgrounds were closed on the night of August 13 following the accident, which occurred shortly before a country music duo was to take the stage before an audience of about 12,000. Officials August 15 were focusing on grieving with victims and beginning repairs to get the fair back underway, Indiana's governor told CNN. "Our first instinct in Indiana is not to go rushing around, looking for scapegoats. It's to take care of business, take care of those who've been hurt and then, of course ... study to see if something could have done better and learn any necessary lessons," he said. He described the stage's collapse as a "freakish accident" August 14. Investigators sifted through debris of the stage August 14, trying to determine what caused the accident that also injured at least 40 people, authorities said. Metal scaffolding fell onto a section usually occupied by the country duo's most ardent fans about 4 minutes after authorities took the stage to warn the crowd to seek shelter, according to a timeline of events released by investigators. Forecasters had warned heavy rain and strong winds would hit the fair nearly 2 hours before the storm moved through August 13. The National Weather Service estimated winds at 60 to 70 miles-per-hour. Video shows the blue canvas top fraying and flapping just seconds before the steel scaffolding gave way, sending a heavy bank of stage lights and metal onto fans closest to the outdoor stage. Source:


Banking and Finance Sector

14. August 15, – (Kansas) One bank closed Aug. 12. First National Bank of Olathe, Olathe, Kansas, was closed by the Office of the Comptroller of the Currency, which appointed the Federal Deposit Insurance Corp. (FDIC) as receiver. To protect the depositors, the FDIC entered into a purchase and assumption agreement with Enterprise Bank & Trust, Clayton, Missouri, to assume all of the deposits of First National Bank of Olathe. As of June 30, First National Bank of Olathe had approximately $538.1 million in total assets and $524.3 million in total deposits. The FDIC estimates the cost to the Deposit Insurance Fund will be $116.6 million. Source:

15. August 15, Associated Press – (Pennsylvania) Philly-area man set for plea in $17M ponzi scheme. A Philadelphia, Pennsylvania serial con man pleaded guilty August 15 to running a $17 million real-estate Ponzi scheme. The 55-year-old Berwyn man promised 16 percent returns at his company, Life's Good Inc., but instead wiped out the retirement savings of many small investors, prosecutors said. They said the man used other people's money to rent a mansion, take lavish vacations and buy a pair of $66,000 Mercedes just before his November arrest. Officials said he also showered family and friends with gifts. The indictment said the convict lured about 260 investors through a cold-calling operation and brochures that failed to note his two bankruptcies; five prior convictions in Delaware, New Jersey and Pennsylvania; and a U.S. Securities and Exchange Commission ban. The state and federal convictions for various fraud schemes date back to 1986. The convict, who remains in custody, faces about 30 years in prison on money laundering, fraud and other charges. Source:

16. August 12, Sacramento Business Journal – (California) Sacramento man pleads guilty in $2.2M ponzi scheme. A Sacramento, California man who took $2.2 million from investors in an investment club ponzi scheme pleaded guilty to wire fraud, the U.S. attorney’s office said August 12. The man was the president of Millenium Capital Group, one of several related investment clubs that were operating from 2003 to 2008 in the region. He admitted his investment club took in $2.2 million from people who expected to be investing in land and construction. The convict used investor money to pay bogus returns to earlier investors. He faces a maximum statutory penalty of 20 years in prison for each count, and a $250,000 fine, although the sentence will be determined at the discretion of the court. Source:

17. August 12, Bloomberg – (New York) Operator of fake hedge fund Koifman sentenced to 63 months in prison. The man who pleaded guilty to conspiracy for his role in a scheme to cheat investors with a phony New York-based hedge fund was sentenced to 5 years and 3 months in prison. He and a partner ran A.R. Capital Global Fund LP, an unregistered investment adviser, and ARC Global Fund, a hedge fund that said it invested in equity of international real estate, according to prosecutors in the office of a Manhattan, New York U.S. attorney. Prosecutors claimed that from 2004 to 2006, the two men engaged in a scheme with co-conspirators to get at least 70 investors to invest about $20 million in the ARC Global Fund by making false statements. The man was also sentenced to 3 years’ supervised probation, and ordered to pay restitution of $7 million. The same probation and restitution would be ordered for his business partner, the judge said. Source:

Information Technology Sector

44. August 15, Softpedia – (International) New Android spyware threat disguises itself as Google+ app. Security researchers from Trend Micro warn of a new information-stealing Android trojan that disguises itself as an app for Google's new social product, Google+. This latest threat is a variant of a recently discovered trojan called ANDROIDOS_NICKISPY which is able to record phone calls. This new version stands apart from the rest because it is capable of answering incoming calls if the phone's screen is turned off and if the calls originate from a number predefined by the attackers. "From the looks of it, the developer of this app went for the more real-time kind of eavesdropping as well, apart from the one ANDROIDOS_NICKISPY.A used, which involved recording calls," the Trend Micro researchers wrote. "The 'auto-answering' function of this malicious Android app works only on Android 2.2 and below since the MODIFY_PHONE_STATE permission was disabled in Android 2.3," they added. In addition to phone call answering and recording, the trojan has a full set of spyware features, such as stealing text messages and call logs or monitoring the GPS location. The increasing sophistication and prevalence of Android malware reinforces the need for antivirus products for such devices. There are several free solutions from vendors such as AVG, Lookout, BitDefender, or Symantec. Source:

45. August 13, Computerworld – (International) Suspected Chinese spear-phishing attacks continue to hit Gmail users. Months after Google said Chinese hackers were targeting the Gmail accounts of senior U.S. government officials, attempts to hijack Gmail inboxes continue, a researcher said August 12. "Once compromises happen and are covered in the news, they do not disappear and attackers do not give up or stop. They continue their business as usual," said an independent security researcher based in Washington, D.C., on her Contagio Malware Dump Web site. In early June, Google announced it had disrupted a targeted phishing campaign designed to compromise Gmail accounts belonging to senior U.S. and South Korean government officials, military personnel, Chinese activists, and journalists. Google said it had traced the attacks to Jinan, China, a city in eastern China that has been linked to other hacking campaigns, including one in late 2009 against Google's own network. China denied accusations its government played a role in the attacks that accessed hundreds of accounts. And the attacks have not stopped. "Attackers ... continue their efforts with very slight modifications to the original themes," said the researcher. The latest campaign baits the scam with the promise of a report titled "Blinded: The Decline of U.S. Earth Monitoring Capabilities and its Consequences for National Security" from the Center for a New American Security (CNAS), a Washington D.C. think tank. In fact, CNAS offers that report as a free PDF download. The e-mails are customized for each recipient, and appear aimed at people associated with political and international affairs. Source:

46. August 13, The Register – (International) Attack targeting open-source Web app keeps growing. An attack targeting sites running unpatched versions of the osCommerce web application keeps growing virally, more than 3 weeks after a security firm warned it was being used to install malware on the computers of unsuspecting users. When researchers from Armorize first spotted the exploit July 24, they estimated it had injected malicious links into about 91,000 Web pages. By early last week, The Register reported it had taken hold of almost 5 million pages. As of August 13, Google searches suggested that the number exceeded 8.3 million. Armorize said attackers were exploiting three separate vulnerabilities in the open source store-management application, including one discovered last month. The lead developer of osCommerce said there is only one vulnerability that is being exploited, but he said no one on his team had spoken to anyone at Armorize to reconcile the difference of opinion. He said a fix has been available since November's release of osCommerce Online Merchant v2.3. Source:

47. August 12, Infosecurity – (International) Out-of-date browser plug-ins are attractive targets for cybercriminals. Out-of-date browser plug-ins were prime targets for cyberattacks against enterprise browsers, according to Zscaler’s State of the Web report for the second quarter of 2011. For example, Adobe Reader is installed in 83 percent of enterprise browsers, and 56 percent of those installations are out of date, according to the report, which is based on a review of enterprise Web traffic flowing through Zscaler’s cloud-based Web and e-mail security product. “That is a huge attack surface ... This is really what the attackers are going after," commented the vice president of research at Zscaler ThreatLabZ. The Blackhole exploit kit has picked up on this and includes a variety of payloads designed to target recent Adobe Reader vulnerabilities, the report noted. The State of the Web report also found Apple iOS has taken the lead in the workplace, with 42.4 percent of the mobile device usage on corporate networks, followed by Blackberry with 40.2 percent, and Android with 17.4 percent. The report found that social networking made up a whopping 53.3 percent of the browsed Web applications in the enterprise. Webmail was a distant second, with 15.7 percent of the browsed Web applications, followed by instant messaging with 9.3 percent, streaming media with 7.55 percent, and Web search with 2.26 percent. Source:

Communications Sector

48. August 15, Oklahoma City Oklahoman – (Oklahoma) Standoff with man on Tulsa communications tower enters fifth day. A standoff between police and a 25-year-old man who climbed a communications tower in Oklahoma City, Oklahoma August 11 entered its fifth day. The man, who police said has a history of mental illness, was reportedly chased off the roof of the Clear Channel Communications building near 27th Street and Memorial Drive, August 10. He returned August 11 and has been on Clear Channel’s communications tower since 11 a.m. August 11. As of 10 a.m. August 15, he had been on the tower for 95 hours. Police offer him food, water, and cigarettes three to four times an hour, but he continues to decline them, a police captain said. Source:

For more stories, see items 44, 45, and 47 above in the Information Technology Sector