Friday, August 19, 2011

Complete DHS Daily Report for August 19, 2011

Daily Report

Top Stories

• Three boys were arrested for placing an object on railroad tracks and causing an August 13 train derailment in Martinsville, Virginia. – Associated Press (See item 24)

24. August 18, Associated Press – (Virginia) Virginia: Three boys charged in train derailment. Three boys were charged in a train derailment in Henry County, Virginia, the Associated Press reported August 18. Media outlets indicated a tip led authorities to the boys, ages 12, 13, and 14. They were charged with placing an object on the tracks that led to the derailment of a Norfolk Southern Corp. train August 13 near the Martinsville Speedway in Martinsville. The Henry County Sheriff declined to identify the object. The train was hauling agricultural products. No one was injured in the derailment. The three boys have been released to their families. Source:

• Hackers attacked a Web site of a San Francisco area police union August 17 and seized and posted online personal information of Bay Area Rapid Transit police officers. – Associated Press (See item 39)

39. August 18, Associated Press – (California) Hackers gain access to transit police union site. Hackers August 17 seized and posted personal information of Bay Area Rapid Transit (BART) police online — carrying out another Web site attack against a California agency that turned off some cell phone service to thwart a potential protest. The latest attack came as BART found itself in the middle of a debate about free speech following its decision the week of August 8 to curtail wireless communication in some of its stations. This time, hackers gained access August 17 to the Web site operated by The Bay Area Rapid Transit Police Officers’ Association, posting personal details of more than 100 officers. The officers’ home and e-mail addresses were leaked along with passwords. The hackers group Anonymous announced the most recent breach on Twitter, and published the address of the Web site where the information could be found. However, by late August 17, Anonymous had not claimed responsibility for the hack, as it did when it broke into BART’s marketing Web site the week of August 8 and released the personal information of more than 2,000 customers. The union’s Web site was disabled later in the day. The two hacks came in apparent retaliation for BART cutting cell phone service in its San Francisco stations August 11 to quell a brewing protest over a police shooting. The Federal Communications Commission is looking into BART’s action while the FBI is investigating the hack of the week of August 8. Source:


Banking and Finance Sector

14. August 18, Spokane Spokesman-Review – (National) FBI believes suspect is ‘Bad Hair Bandit’. The FBI announced August 17 they arrested a 47-year-old woman believed to be the serial robber nicknamed the “Bad Hair Bandit,” who has been on the FBI’s most-wanted list since June, and is suspected in at least 20 robberies in 4 states. The suspect was arrested August 15 after a bank robbery near Sacramento, California. Her husband also was taken into custody. The husband is a convicted felon on parole for forgery and fraudulent use of a credit card in Bonner County, Idaho. The suspect, a registered nurse, worked at the Kootenai County jail in Idaho from April to August 10, 2011, as an employee of Correctional Healthcare Co. The FBI believes she robbed at least eight banks during that time, including a May 9 robbery at a Chase Bank in Spokane, Washington. She is suspected in robberies that began in Tacoma, Washington, in December 2010, and included robberies in April in Ellensburg and Moses Lake. The robber also hit banks July 1 in Lake Oswego, Oregon, and July 18 in Richland, before authorities reported a similar robbery at a bank in Butte, Montana, August 11. The FBI believes the same woman may also have robbed two banks in Spokane in June and August 2010. Source:

15. August 17, Softpedia – (International) Fake blocked credit card e-mails carry malware. Security researchers from Sophos have intercepted a new malware distribution campaign that generates e-mails posing as blocked credit card notifications from MasterCard. The rogue e-mails bear titles like “Your credit card is blocked” or “Your credit card has been blocked”, and have spoofed headers to appear as originating from a @mastercard(dot)com address. Their content claims the recipient’s credit card was charged in a fraudulent manner which led to it being blocked. The messages signed by MASTERCARD(dot)com Customer Services read: “Dear Customer, Your credit card is blocked! Your credit card was withdrawn $#### Possibly illegal operation!” The e-mails instruct users to open the attached document to learn more information and contact their respective banks as soon as possible. The attachments, ZIP archives with random numerical names, contain installers for Bredolab variants. Trojans from the Bredolab family act as malware distribution platforms so victims may get multiple infections. Security researchers note similar e-mails purporting to come from VISA or other credit card companies have also been spotted. Source:

16. August 17, Associated Press – (Texas) Former CEO guilty in ‘Ponzi’ scheme. The former CEO of an Austin, Texas-based investment firm was found guilty August 17 on federal charges that he schemed and defrauded investors out of millions of dollars. The CEO of Triton Financial was named in a 39-count indictment alleging he used former NFL stars and church contacts to raise $50 million fraudulently from investors. The counts against the former CEO included money laundering, wire fraud and securities fraud. He is accused of using the money from investors “to support an expanding Ponzi scheme”, and to enrich himself and the chief financial officer of his firm. Evidence showed that from December 2005 and December 2009, he devised a scheme to obtain money from investors under false pretenses. He represented to investors, including members of the Church of Jesus Christ of Latter Day Saints, business leaders as well as professional football players, that Triton was purchasing properties, businesses and other assets, when, in fact, he was using their money to satisfy the needs of other ventures and the need to pay quarterly dividends or redemptions to prior investors. Testimony also revealed he used prominent former National Football League players and Heisman Trophy winners to solicit and encourage additional investors. The Securities and Exchange Commission filed a securities lawsuit against the firm in 2009, prompting a judge to place the firm in receivership. Source:

17. August 17, WTEN 10 Albany – (New York) Albany man pleads guilty to bank fraud. An Albany, New York man pleaded guilty August 17 to committing bank fraud and mail fraud over the course of 4 years. The 62-year-old pleaded guilty to one count of conspiracy to commit bank fraud and mail fraud in the U.S. district court in Syracuse. He admitted that from 2003 to 2007, while working at PB Enterprises of Albany, he executed a scheme to defraud and obtain 74 different loans totaling $5 million from financial institutions. The convict said he and others would arrange to secure excessive mortgages for residential properties through the use of fraudulent loan applications, settlement statements, and other false statements, and divert mortgage funds for their own personal use, without disclosure to the banks and other mortgage lenders. He provided checks for short term loans, giving the false impression that the borrowers were creditworthy enough for a loan. It was never disclosed to the lending institutions that the funds were repaid after closing. The convict faces up to 5 years in prison, 3 years of post-release supervision, a $250,000 fine, and he must repay the victims. Source:

18. August 17, San Gabriel Valley Tribune – (California) Tri-Cities bandit strikes again in Pasadena, possibly in La Verne. A serial bank robber dubbed the “Tri-Cities Bandit” struck for the second time in Pasadena, California, August 17, authorities said, and may have expanded his range to a fourth city — La Verne. The bandit walked into the Bank of the West, 2500 E. Colorado Boulevard, at about 3:30 p.m. and handed a note to a teller demanding cash, a Pasadena police lieutenant said. After receiving about $900, he fled the bank. A second robbery was carried out at a La Verne bank by a man with a similar description just before 5 p.m.; however, authorities could not say definitively August 17 if the Tri-Cities Bandit was responsible. The robber walked into the U.S. Bank, 1933 Foothill Boulevard, handed a teller a demand note, and ran off with an unknown amount of cash, a La Verne police lieutenant said. In both heists, the robber was described as a Latino man in his 30s, of thin build, with a mustache. No weapons were seen in either robbery. The crime in Pasadena was the second time the Tri-Cities Bandit has visited the city in a month, police and FBI officials said. He tried, but failed, to rob a Wells Fargo branch at 82 S. Lake Avenue on July 19. According to the FBI, the Tri-Cities Bandit is also being sought for a July 20 robbery at a Wells Fargo in Glendale, and a June 13 robbery at a Citibank in Burbank. Source:

19. August 17, BankInfoSecurity – (National) New FDIC phishing attack. The Federal Deposit Insurance Corporation has fallen victim to a phishing attack through fake e-mails that urge business owners to click links purporting to provide FDIC data about their financial institutions. Fraudulent e-mails are being sent from alert@fdic(dot)gov with the subject line: “FDIC: Your business account.” In a consumer alert, the FDIC said the scheme’s wording varies slightly from other scams. Some e-mails begin with “Dear Business Owner,” instead of “Dear Business Customer.” The e-mails also say, “We have important news regarding your bank,” instead of, “We have important news regarding your financial institution.” Fake e-mails are also coming from subscriptions@fdic(dot)gov. The fraudulent e-mails say business accounts and loans might be affected by acquiring-bank relationships, offering vendors information about how they can file claims against the receivership. “The FDIC does not issue unsolicited e-mails to consumers or business account holders,” the FDIC alert states. Source:
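Items 15 and 19 describe the same brand-impersonation pattern from the receiving side: a display `From` on a brand domain (mastercard.com, fdic.gov) that the sending infrastructure does not actually own, a small set of known subject lines, and, in the MasterCard case, a ZIP attachment with a random all-digit name. The triage below is an added example, not code from Sophos, the FDIC or the original report; it checks those indicators on constructed sample messages. It assumes the receiving MTA records the SMTP envelope sender in `Return-Path` and its SPF/DKIM verdict in `Authentication-Results`, which is standard behaviour but not something the reports state.

```python
"""Mailbox-side triage for the MasterCard and FDIC brand-impersonation
campaigns (items 15 and 19).  Added example; the three sample messages
are constructed, not captured mail."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List

# Brand domains the two reports say were spoofed in the From header.
IMPERSONATED_DOMAINS = {"mastercard.com", "fdic.gov"}

# Subject lines quoted verbatim in the reports.
SUSPECT_SUBJECTS = (
    re.compile(r"your credit card (is|has been) blocked", re.I),
    re.compile(r"FDIC: Your business account", re.I),
)


def sender_domain(addr: str) -> str:
    """Return the lower-cased domain of 'Name <user@host>' or 'user@host'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def triage(raw: bytes) -> List[str]:
    """Return the indicators that match one RFC 5322 message (empty = clean)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits: List[str] = []
    from_dom = sender_domain(msg.get("From", ""))
    # From is attacker-controlled; Return-Path is written by our MTA from the
    # SMTP envelope.  A brand domain in From with a different envelope domain
    # is the "spoofed headers" both reports describe.
    env_dom = sender_domain(msg.get("Return-Path", ""))
    if from_dom in IMPERSONATED_DOMAINS and env_dom != from_dom:
        hits.append(f"spoofed-from:{from_dom}")
    # Assumption: the MTA records SPF/DKIM results in Authentication-Results.
    auth = msg.get("Authentication-Results", "")
    if from_dom in IMPERSONATED_DOMAINS and re.search(r"\b(spf|dkim)=fail", auth, re.I):
        hits.append("auth-fail")
    if any(p.search(msg.get("Subject", "")) for p in SUSPECT_SUBJECTS):
        hits.append("known-subject")
    # Item 15: ZIP archives with random numerical names carry the Bredolab installer.
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if re.fullmatch(r"\d+\.zip", name, re.I):
            hits.append(f"numeric-zip:{name}")
    return hits


def build_samples() -> Dict[str, bytes]:
    """Construct three messages: the two lures from the reports and a clean one."""
    def make(sender, return_path, subject, auth=None, zip_name=None):
        m = EmailMessage()
        m["From"] = sender
        m["To"] = "customer@example.org"
        m["Subject"] = subject
        m["Return-Path"] = return_path
        if auth:
            m["Authentication-Results"] = auth
        m.set_content("Dear Customer, please see the attached notice.")
        if zip_name:  # constructed placeholder bytes, not a real archive
            m.add_attachment(b"PK\x03\x04", maintype="application",
                             subtype="zip", filename=zip_name)
        return m.as_bytes()

    return {
        "mastercard": make("MASTERCARD.com Customer Services <alert@mastercard.com>",
                           "<bulk@mail-host.invalid>", "Your credit card is blocked",
                           auth="mx.example.org; spf=fail smtp.mailfrom=mail-host.invalid",
                           zip_name="84731.zip"),
        "fdic": make("alert@fdic.gov", "<news@other-host.invalid>",
                     "FDIC: Your business account"),
        "legit": make("statements@bank.example", "<statements@bank.example>",
                      "Your August statement"),
    }


def triage_samples() -> Dict[str, List[str]]:
    return {name: triage(raw) for name, raw in build_samples().items()}


if __name__ == "__main__":
    for name, hits in triage_samples().items():
        print(f"{name}: {hits or 'clean'}")
```

The envelope/From mismatch is the strongest of the four signals because the attacker cannot forge what the receiving MTA writes; the subject and attachment rules are campaign-specific and will need updating as the wording changes, as the FDIC alert itself notes.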

20. August 15, New York Times – (New York) Former FrontPoint manager pleads guilty to insider trading. A former portfolio manager for the hedge fund FrontPoint Partners pleaded guilty August 15 to insider trading. He admitted before a federal judge in Manhattan, New York, he had avoided $30 million in losses by trading on tips leaked by a consultant for an expert network about the results of a clinical drug trial. He also admitted he and the consultant agreed to mislead the Securities and Exchange Commission. The convict faces as much as 5 years in prison for the one count of conspiracy to commit securities fraud and obstruct justice and will pay a $5 million fine. The consultant was connected to the portfolio manager through an expert network that sets up meetings between industry executives and Wall Street for a fee to help money managers understand a given field. News of the scheme surfaced last November, when the consultant was arrested and pleaded guilty after being charged with leaking private data about the results of a clinical drug trial to a hedge fund. Shortly after, it became clear FrontPoint was the hedge fund. In January 2008, the consultant told the portfolio manager of a major setback in the trial before the data became public. The manager told one of his traders to sell all of the fund’s shares, a move that saved the hedge fund $30 million when the data became public and the stock sank. Source:

Information Technology Sector

43. August 18, IDG News Service – (International) Google highlights trouble in detecting Web-based malware. Google issued a new study August 17 detailing how it is becoming more difficult to identify malicious Web sites and attacks, with antivirus software proving to be an ineffective defense against new ones. The company’s engineers analyzed 4 years’ worth of data comprising 8 million Web sites and 160 million Web pages from its Safe Browsing service, which is an application programming interface (API) that feeds data into Google’s Chrome browser and Firefox and warns users when they hit a Web site loaded with malware. Google said it displays 3 million warnings of unsafe Web sites to 400 million users a day. The company scans the Web, using several methods to figure out if a site is malicious. The detection process is becoming more difficult due to a variety of evasion techniques employed by attackers that are designed to stop their Web sites from being flagged as bad, according to the report. Source:

44. August 17, Network World – (International) Dropbox cloud was a haven for data thieves, researchers say. Files entrusted to cloud-storage provider Dropbox were susceptible to unauthorized access via three attacks devised by security researchers, but the provider has since closed the vulnerabilities. Dropbox could also be used as a place to store documents clandestinely and retrieve them from any Dropbox account controlled by an attacker. Researchers who presented their work at USENIX Security Symposium said they developed the exploits in 2010, but gave Dropbox time to fix the problems before making the exploits public. Source:

45. August 17, H Security – (International) Firefox, SeaMonkey and Thunderbird updates address critical errors. Mozilla released updates to Firefox, SeaMonkey, and Thunderbird, including legacy versions, to address a number of critical errors in the browsers and e-mail clients. As the projects share code, different projects can be affected by the same bugs. For example, Mozilla released Firefox 3.6.20 – the latest update to the last of the old style release versions of Firefox – to address five critical and two high severity flaws in the browser. According to the advisory, these include memory safety hazards that corrupt memory, dangling pointer issues in SVGTextElement.getCharNumAtPosition and the appendChild method, and privilege escalations in event handlers and when dropping a tab element into a content area. Only one of these errors, the SVGTextElement error, is also among the five critical and two high severity errors fixed in Firefox 6. The Firefox 6 advisory notes a number of memory safety hazards with WebGL, JavaScript, and Ogg reader crashes, unsigned scripts being able to call into signed JAR files, a buffer overrun while using WebGL shaders, and a heap overflow in the ANGLE library used by Mozilla’s WebGL. The fixes in Firefox 6 also apply to SeaMonkey 2.3, which shares the Gecko 6 rendering engine, giving it a very similar advisory to the browser update. Source:

46. August 17, IDG News Service – (International) Intel posts fix for bug that crashes SSD 320 drives. Intel issued a firmware upgrade August 17 that fixes a bug that caused its SSD 320 solid-state drives to crash and lose data, months after the issue first came to light. The firmware update addresses the Bad Context 13x Error, a bug in which power losses caused Intel’s SSD 320 drives to crash. When rebooting, the bug also prevented the drive from being accessed and resulted in the system BIOS reporting an SSD 320 unit as having only 8MB of storage capacity. Source:

47. August 17, Softpedia – (International) New mass injection attack infects over 20K Websites. Researchers from Armorize detected a new mass injection attack that has affected over 22,000 Web sites so far, and directs users to drive-by download exploits. The researchers were able to determine the number of affected domains because the attackers originally forgot a script tag, rendering their code inactive. This meant search engine crawlers were able to index the code as regular text and make it searchable, allowing Armorize to find it on over 536,000 unique pages. The attackers have since fixed their injection. It is probable that at least the 22,000 Web sites were reinfected with the working code. When accessing a page compromised by this attack, visitors are redirected to a Web site hosting an installation of the BlackHole exploit pack. BlackHole executes exploits that target vulnerabilities in outdated versions of Java, Adobe Reader, Flash Player, and Windows itself. These attacks are called drive-by downloads and are generally transparent to victims. If they are successful, malware is downloaded and installed on targeted computers. According to Armorize, the malware here is a fake antivirus application that uses the names “XP Security 2012” under Windows XP, “Vista Antivirus 2012” under Windows Vista, and “Win 7 Antivirus 2012” under Windows 7. The researchers believe attackers are using FTP credentials stolen from infected computers to compromise Web sites and inject code into their pages. Source:
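Two details in the Armorize report point at what a site owner can check for on their own pages: the injection is a script element added to an existing page (so it references a host the site does not own, and the file on disk no longer matches what was published), and for a while the injected code sat in the page as plain text because the attackers left out the script tag. The scanner below is an added example, not Armorize’s tooling or the original report’s code; it runs over constructed HTML samples. The injected host name and the JavaScript fragments it looks for in text nodes (`document.write(`, `unescape(`, `eval(`, a literal `<iframe`) are assumptions chosen for the example, not indicators taken from the report.

```python
"""Audit an HTML page for injected script (item 47).  Added example;
the sample pages are constructed and the injected host is a placeholder."""
import hashlib
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Assumed markers of JavaScript that has landed outside a <script> element,
# the "forgot a script tag" state the report describes.
JS_IN_TEXT = re.compile(r"(document\.write\s*\(|unescape\s*\(|eval\s*\(|<iframe)", re.I)


class ScriptAudit(HTMLParser):
    """Collect external script hosts and script-looking text outside <script>."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings: List[str] = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        self._in_script = True
        src = dict(attrs).get("src")
        if src:
            # Relative paths have no host; only flag a host that is not ours.
            host = (urlparse(src).hostname or "").lower()
            if host and host != self.site_host:
                self.findings.append(f"external-script:{host}")

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data too; skip those.
        if not self._in_script and JS_IN_TEXT.search(data):
            self.findings.append("script-as-text")


def audit_page(html: str, site_host: str,
               baseline_sha256: Optional[str] = None) -> List[str]:
    """Return findings for one page.  A baseline digest of the page as
    published lets a change made through stolen FTP credentials show up even
    when the injected code matches none of the patterns."""
    parser = ScriptAudit(site_host)
    parser.feed(html)
    parser.close()
    findings = parser.findings
    if baseline_sha256 and page_digest(html) != baseline_sha256:
        findings.insert(0, "changed-since-baseline")
    return findings


def page_digest(html: str) -> str:
    return hashlib.sha256(html.encode("utf-8")).hexdigest()


# Constructed samples: the published page, a copy with an injected external
# script, and a copy where the script tag was omitted so the code is visible text.
CLEAN = ('<html><head><title>Shop</title><script src="/js/app.js"></script>'
         '</head><body><p>Welcome</p></body></html>')
INJECTED = CLEAN.replace(
    "</body>", '<script src="http://injected-host.invalid/x.js"></script></body>')
BROKEN = CLEAN.replace(
    "</body>", 'document.write(unescape("%3Cscript src=x%3E"))</body>')


def audit_samples() -> Dict[str, List[str]]:
    baseline = page_digest(CLEAN)
    return {name: audit_page(html, "shop.example", baseline)
            for name, html in (("clean", CLEAN), ("injected", INJECTED), ("broken", BROKEN))}


if __name__ == "__main__":
    for name, findings in audit_samples().items():
        print(f"{name}: {findings or 'no findings'}")
```

Run over a site’s published files with per-file baseline digests recorded at deploy time; the pattern rules catch the two states described in the report, and the digest comparison catches any other modification made with the stolen FTP credentials the researchers believe were used.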

For more stories, see items 15 above in the Banking and Finance Sector, 39 above in Top Stories and 48, 49, and 51 below in the Communications Sector

Communications Sector

48. August 17, PC Magazine – (National) Microsoft’s Office 365 Email service knocked offline. Microsoft suffered an outage with its Office 365 online service August 17, according to the company’s Twitter feed and messages from customers. The outage appears to have taken place from roughly 2 p.m. until 4 p.m., according to Microsoft’s Office 365 Twitter feed. “Services restoration beginning and being verified. Understand that Service Health Dashboard was intermittent. Pls try again,” the company wrote. Outages were reported in Chicago, Denver, and New York City, among other locations. Users were unable to access their e-mail, and IT administrators were unable to manage accounts, according to affected users. Microsoft launched Office 365 at the end of June, and the company touted it as a means for businesses and IT administrators to save costs, although businesses also had concerns about how Office 365 would interact with line-of-business apps. Microsoft’s Hotmail Webmail service appeared unaffected. Source:,2817,2391315,00.asp

49. August 17, FierceEnterprise Communications – (National) Data center power outage caused massive Ooma outage Wednesday. Popular VoIP provider Ooma saw its entire network collapse August 17, but the company said it was back up some 7 hours later. During the outage, no inbound or outbound calls were possible, nor were any forwarding numbers working. Ooma initially said it was unsure what caused the problem, but later in the day clarified its service was interrupted following a network outage due to an “extremely rare power failure” at a portion of its data center. The power failure, Ooma said on its blog, also affected several other companies. The company said it, and its data service provider, are “taking steps to ensure this will not happen again.” Ooma said the actual network outage only lasted 3 hours, but said the service interruption caused excessive traffic to the Ooma corporate site causing a brief denial of service. Source:

50. August 17, Burbank Leader – (California) Hundreds of AT&T customers in Burbank lose service after cable is cut. At least 352 AT&T customers in Burbank, California, have been without phone service since August 13 after construction crew accidentally cut a cable while working on Front Street, said a company spokeswoman. AT&T plans to restore service by August 19, she said, adding that while wireless service remained untouched, it was unclear what other services were affected. “Anything being carried through a phone line could be affected,” she said. “There are currently 352 complaint tickets, but it’s impossible to know exactly how many people were affected.” AT&T crews had to dig 12 feet down to replace the affected cables, the spokeswoman said. “Phone lines are being restored every hour as they make repairs,” she said. Source:,0,7343456.story

51. August 17, WTVR 6 Richmond – (Virginia) Verizon blames sabotage for some phone outages. Some Verizon customers found themselves without home phones, Internet, and television service, and the company blamed sabotage for some of the trouble. Two Verizon service boxes in Chesterfield County, Virginia, were broken into and the wires inside cut. The last one, on Coalfield Road August 16, left 100 Fios customers without service. But in Prince George County, some of the 800 customers without service are businesses, and they say they are losing money every day their phone lines are down. The problem is credit and debit cards need an active phone line to be swiped, and since August 14, lines along a section of Route 10 have been down. Verizon said the damage in Prince George comes from a shotgun blast that damaged two cables that are now in the process of being replaced. Fios customers in Chesterfield County had their service restored the afternoon of August 17. Prince George customers can expect service restored by the afternoon of August 18, officials said. Source:,0,7012182.story