Wednesday, September 28, 2011

Complete DHS Daily Report for September 28, 2011

Daily Report

Top Stories

• A 22-year-old man from Russia pleaded guilty in court in New York to his role in a global bank fraud scheme that used malware to steal more than $3 million from U.S. bank accounts. – Federal Bureau of Investigation (See item 16)

• The North American Liberation Press animal-rights group has claimed responsibility for a series of recent attacks, including a September 26 fire in Idaho that destroyed a fur and fireworks store. – Boise Weekly (See item 52)

52. September 26, Boise Weekly – (Idaho; Oregon; International) Animal-rights group claims responsibility for fireworks-fur shop arson. In a letter obtained by the Associated Press, a group called the North American Liberation Press has claimed responsibility for an arson that torched the Rocky Mountain Fireworks and Fur Co., north of Caldwell, Idaho, September 26. The fire broke out around 5 a.m. at the facility on Highway 20-26, damaging the store that sells fireworks and fur. Crews from Caldwell, Eagle, Middleton, Parma, and Star battled the fire, while morning rush-hour traffic was diverted away from Exit 26 of Interstate 84. The FBI, the Bureau of Alcohol, Tobacco, Firearms and Explosives, and the Canyon County Sheriff's Office are investigating. On September 3, the North American Liberation Press claimed responsibility for destroying fencing at an Oregon elk farm. In June, the group targeted a Vancouver, British Columbia, Canada, fur shop, soaking racks of clothing with chemicals. Source: http://www.boiseweekly.com/CityDesk/archives/2011/09/26/animal-rights-group-claims-responsibility-for-fireworks-fur-shop-arson

Details

Banking and Finance Sector

12. September 27, NBC Connecticut – (Connecticut) Bank bomb threat suspect nabbed. Coventry, Connecticut police September 26 arrested a suspect in a series of bomb threats at local banks. Between September 22 and September 23, three reports of bombs were made at Coventry banks, police said. Two were at the First Niagara Bank, at 3534 Main Street, and the other was at First Niagara Bank at 1372 Main Street. Twice, a woman called the banks and said a bomb might be inside. The third complaint was a hand-written letter left in the night deposit box that threatened a bomb. Police identified a 45-year-old Coventry woman as the suspect. A detective and FBI agents found her driving in Coventry, apprehended her, and later arrested her. She was charged with three counts of first-degree threatening, and bond was set at $375,000. Police said similar bomb threats were also made against First Niagara Banks in Mansfield and Cromwell, as well as bomb threats in Manchester. Those incidents are still under investigation. Source: http://www.nbcconnecticut.com/news/local/Coventry-Bank-Bomb-Threat-Suspect-Nabbed-130625243.html

13. September 27, U.S. Securities and Exchange Commission – (Wisconsin) SEC charges RBC Capital Markets in sale of unsuitable CDO investments to Wisconsin school districts. The U.S. Securities and Exchange Commission (SEC) September 27 charged RBC Capital Markets LLC for misconduct in the sale of unsuitable investments to five Wisconsin school districts and for inadequate disclosure of the risks associated with those investments. According to the SEC's order, RBC marketed and sold to district-created trusts $200 million of credit-linked notes tied to the performance of synthetic collateralized debt obligations (CDOs). The school districts contributed $37.3 million to the investments, with the remainder coming from funds borrowed by the trusts. The sales took place despite significant concerns within RBC about the suitability of the product for municipalities like the districts. Additionally, RBC's marketing materials failed to adequately explain the risks associated with the investments. RBC agreed to settle the SEC's charges by paying $30.4 million, to be distributed in varying amounts to the districts. Last month, the SEC separately charged St. Louis-based brokerage firm Stifel, Nicolaus & Co. and a former senior executive with fraudulent misconduct in connection with the same sale of CDO investments. RBC consented to the entry of the SEC's order without admitting or denying the findings. The order censured RBC and directed it to cease and desist from committing or causing any violations and any future violations of Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933, which among other things prohibit obtaining money by means of an untrue statement of material fact and engaging in any transaction, practice, or course of business that operates as a fraud or deceit upon the purchaser. RBC agreed to pay disgorgement of $6.6 million, prejudgment interest of $1.8 million, and a penalty of $22 million. Source: http://www.sec.gov/news/press/2011/2011-191.htm

14. September 26, Bloomberg – (Georgia) Carter's ex-executive Elles pleads not guilty to fraud charges. A former sales executive at Carter's Inc. pleaded not guilty September 26 in Atlanta, Georgia, to charges that he reported inflated sales at the world's biggest maker of children's clothing. A U.S. magistrate judge granted $100,000 bail after his arraignment on 32 counts including securities fraud, wire fraud, causing the filing of false financial statements, and falsifying corporate books and records. The 57-year-old former executive vice president "induced" customers such as Kohl's Corp. to make "substantial purchases" of Carter's products with millions of dollars in unauthorized discounts that he did not disclose, according to the indictment filed September 21. He allegedly hid those discounts, causing the company to overstate profit, prosecutors said. He also aided others, some of whom U.S. prosecutors have not identified, according to the indictment. The U.S. Securities and Exchange Commission (SEC) sued the ex-executive in December 2010. He faces up to 10 years in prison if convicted, an assistant U.S. attorney said in court. The executive's employment "terminated in March 2009," Carter's vice president of investor relations said in an e-mailed statement. Source: http://www.businessweek.com/news/2011-09-26/carter-s-ex-executive-elles-pleads-not-guilty-to-fraud-charges.html

15. September 26, Associated Press – (National) Feds returning funds to online Ponzi scam victims. Federal authorities said September 26 they are returning $55 million to people ripped off by an Internet-based Ponzi scam. The Justice Department and Secret Service announced that they are returning the funds to 8,400 victims who invested on sites run by AdSurf Daily Inc. The company's founder of Quincy, Florida, has been indicted in connection with the investigation but has pleaded not guilty and is awaiting trial. He is accused of drawing in investors by promising returns of 125-150 percent on their money if they would view Web sites for a few minutes each day. The U.S. attorney's office in Washington D.C. obtained money to repay victims through forfeiture of numerous bank accounts, real estate, luxury vehicles, and watercraft. Source: http://www.google.com/hostednews/ap/article/ALeqM5itDhHyJl_Zm41GxHTr3KGXuSx_Pw?docId=e1638f9cc9f949f1b78e76050c210376

16. September 23, Federal Bureau of Investigation – (International) Nikolay Garifulin pleads guilty in Manhattan federal court to involvement in global bank fraud scheme that used "Zeus trojan" to steal millions. The U.S. Attorney for the Southern District of New York announced that a 22-year-old man from Russia pleaded guilty September 23 to conspiracy to commit bank fraud and to possess false identification documents for his role in a global bank fraud scheme that used hundreds of phony bank accounts to steal more than $3 million from U.S. accounts compromised by malware. He was the last of 27 defendants arrested on federal charges to plead guilty to participating in the scheme. The cyber-attacks began in Eastern Europe and used malware known as the "Zeus trojan," typically delivered as a seemingly benign e-mail to computers at small businesses and municipalities in the United States. Once the e-mail was opened, the malware embedded itself on the user's computer and recorded keystrokes as the victim logged into bank accounts. The hackers used the stolen credentials to take over the accounts and made unauthorized transfers of thousands of dollars at a time to receiving accounts controlled by co-conspirators. Those receiving accounts were set up by a "money mule organization" responsible for retrieving and transporting or transferring the stolen money overseas. To carry out the scheme, the mule organization recruited individuals who had entered the United States on student visas, provided them with fake foreign passports, and instructed them to open accounts at U.S. banks under false names. Once the fake accounts were open and had received stolen funds, the "mules" were told to transfer the proceeds to other accounts, most of them overseas, or to withdraw the money and carry it out of the country as smuggled bulk cash. The defendant who pleaded guilty September 23 faces a maximum penalty of 45 years in prison. 
Source: http://www.fbi.gov/newyork/press-releases/2011/nikolay-garifulin-pleads-guilty-in-manhattan-federal-court-to-involvement-in-global-bank-fraud-scheme-that-used-zeus-trojan-to-steal-millions-of-dollars-from-u.s.-bank-accounts

17. September 23, Federal Bureau of Investigation – (Arizona) Wanted: “Can You Hear Me Now Bandit”. The Phoenix FBI Special Agent in Charge in Arizona announced the FBI’s Bank Robbery Task Force is seeking the public’s assistance in identifying the “Can You Hear Me Now Bandit.” In nine of the robberies, the suspect presented the teller with a demand note. In two other robberies, he made a verbal demand for money. The subject is described as a white or Hispanic male, early 20s to early 30s, 5’3” to 5’10”, 150 to 180 pounds, short black hair, wearing black plastic or aviator sunglasses. He started off wearing jeans with a long sleeve, button-down shirt and a black hat with the “Famous,” ”Etnies,” or “O’Neill” logo on the front, and ”skater”-type shoes. In later robberies, the suspect wore a black suit with a neck tie and a black fedora or cowboy hat. During the last four robberies, he wore a pageboy hat with jeans and a long-sleeve, button-down shirt. In some robberies, the suspect appears to be on a cell phone. Wells Fargo and U.S. Bank are offering up to $10,000 for information leading to the identification and conviction of the robber. Source: http://www.fbi.gov/phoenix/press-releases/2011/wanted-can-you-hear-me-now-bandit?utm_campaign=email-Immediate&utm_medium=email&utm_source=fbi-in-the-news&utm_content=33826

Information Technology Sector

43. September 27, SC Magazine UK – (International) MySQL hack leads to BlackHole exploit. The MySQL Web site was hacked September 26, with a redirect to a malicious domain added to the page. According to a blog post by the CEO of the Web application security company Armorize, it redirected to a domain hosting the BlackHole exploit kit, which exploits the visitor's browser and plugins to silently install malware. "The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection," he wrote. According to a security blogger, he was on "a fairly exclusive Russian hacker forum" the week of September 18 and stumbled upon a member selling root access to mysql.com. The blogger noted MySQL is "a prime piece of real estate for anyone looking to plant an exploit kit": the site boasts almost 400,000 visitors per day. "He offered to sell remote access to the first person who paid him at least $3,000 via the site's Escrow service," according to the security blogger, who said it was possible that 120,000 visitors to the site could have been exposed to the exploit kit. Source: http://www.scmagazineuk.com/mysql-hack-leads-to-blackhole-exploit/article/212902/

44. September 27, IDG News Service – (National) Scammers pretend to be friendly office printers. Hackers have found a new hook to trick people into opening malicious attachments: e-mails that purport to come from office printers, many of which can now e-mail scanned documents, IDG News Service reported September 27. The e-mails invariably carry a Trojan downloader that can be used to fetch other malware or steal documents from the computer. They have the subject line "Fwd: Scan from a HP Officejet" and read "Attached document was scanned and sent to you using a Hewlett-Packard HP Officejet 05701J," followed by "Sent by Morton." A senior analyst at Symantec said the scammers commonly spoof the sender's name and make the e-mail appear to come from the same domain as the recipient's. The attachment is a ".zip" file, which experts find odd: most printers with e-mail capability cannot send a ".zip" file and mostly send image files. Although Windows can open ".zip" files natively, there is evidence the scammers are trying to obscure the ".zip" extension for people who use third-party tools to unzip the content: in some archiving tools, the malicious attachment appears to have a ".doc" or ".jpg" file extension. Source: http://www.computerworld.com/s/article/9220315/Scammers_pretend_to_be_friendly_office_printers
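The lure above has three checkable tells: a "scan" subject with a non-image attachment, an archive hiding an executable behind a double extension, and a From: domain spoofed to match the recipient's. The following is an added example, not code from the IDG/Computerworld report or from any vendor; the message, the archive and the addresses in it are constructed here, and the file-type lists are the author's assumptions about what a real scan-to-e-mail printer would send.

```python
"""Added example (not from the IDG/Computerworld report): flag e-mails that
claim to be a printer scan but deliver an archive with an executable inside,
the lure described above. The message and archive are constructed here."""
import email
import io
import zipfile
from email.message import EmailMessage
from email.policy import default

# File types a scan-to-e-mail printer would plausibly send (assumption).
SCAN_TYPES = {".pdf", ".jpg", ".jpeg", ".tif", ".tiff", ".png"}
# File types that should never arrive inside a "scanned document".
EXEC_TYPES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}


def real_ext(name: str) -> str:
    """Last extension of a file name, so 'scan.doc.exe' yields '.exe'."""
    name = name.lower()
    return "." + name.rsplit(".", 1)[-1] if "." in name else ""


def executable_members(zip_bytes: bytes) -> list[str]:
    """Archive members whose true extension is executable (catches the
    double-extension trick some archivers display as '.doc' or '.jpg')."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if real_ext(n) in EXEC_TYPES]


def analyze_message(raw: bytes) -> dict:
    """Parse an RFC 5322 message and collect indicators of the printer lure."""
    msg = email.message_from_bytes(raw, policy=default)
    subject = str(msg.get("Subject", ""))
    scan_lure = "scan" in subject.lower()
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if scan_lure and real_ext(fname) not in SCAN_TYPES:
            findings.append(f"scan lure with non-image attachment {fname}")
        if payload.startswith(b"PK\x03\x04"):  # zip local file header
            for member in executable_members(payload):
                findings.append(f"archive member is executable: {member}")
    # Sender spoofed to look internal: From: domain equals recipient domain.
    sender = str(msg.get("From", "")).rsplit("@", 1)[-1].rstrip(">").lower()
    rcpt = str(msg.get("To", "")).rsplit("@", 1)[-1].rstrip(">").lower()
    if sender and sender == rcpt:
        findings.append(f"From: domain {sender} matches recipient domain")
    return {"subject": subject, "findings": findings}


def build_sample() -> bytes:
    """Constructed lure modelled on the wording quoted in the report."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("HP_Officejet_scan.doc.exe", b"MZ\x90\x00 placeholder")
    msg = EmailMessage()
    msg["Subject"] = "Fwd: Scan from a HP Officejet"
    msg["From"] = "Morton <morton@example.com>"      # spoofed, same domain
    msg["To"] = "alice@example.com"
    msg.set_content("Attached document was scanned and sent to you using "
                    "a Hewlett-Packard HP Officejet 05701J.\nSent by Morton")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="scan.zip")
    return bytes(msg)


if __name__ == "__main__":
    for finding in analyze_message(build_sample())["findings"]:
        print(finding)
```

The check deliberately keys on the last extension of each archive member rather than on what an archiver displays, which is exactly the gap the double-extension trick relies on.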

45. September 26, Ars Technica – (International) Mac trojan pretends to be Flash player installer to get in the door. Hot on the heels of Mac malware posing as a PDF, Ars Technica reported September 26 on a new piece of malware posing as a Flash Player installer. Security firm Intego was the first to post about it on its blog, noting that although the company had received only one report so far from a user who downloaded it, the malware does exist in the wild and may trick Mac users who do not yet have Flash installed. The malware is a trojan horse called Flashback (OSX/flashback.A). If those users also have Safari set to automatically open "safe" files after downloading, an installer shows up on the desktop as if they were legitimately installing Flash. Continuing through the installation results in the trojan deactivating certain types of security software and installing a dynamic library that the system's dynamic loader (dyld) loads automatically, "allowing it to inject code into applications the user launched." The trojan then reports the machine's MAC address to a remote server, which lets the server keep track of which Macs have been infected. Source: http://arstechnica.com/apple/news/2011/09/mac-trojan-pretends-to-be-flash-player-installer-to-get-in-the-door.ars

For more stories, see item 16 above in the Banking and Finance Sector

Communications Sector

46. September 26, KKTV 11 Colorado Springs – (Colorado) Comcast service restored after crash. Things should be back to normal for Comcast customers in Colorado Springs, Colorado, after a September 26 crash near the intersection of Cascade and Harrison caused an outage for 12,000-15,000 customers. It appears a yellow car hit a utility pole and a stone wall. At least four Comcast vehicles responded, and service was expected to be restored by midnight. Comcast said Colorado Springs Utilities (CSU) service did not appear to be disrupted, but Comcast's fiber was damaged. CSU had to repair the pole before Comcast could fix its equipment, a task that could take up to 2 hours. The cable provider said the outage affected roughly 10 percent of its customers in Colorado Springs, on the northwest side of the city, including the U.S. Air Force Academy and the Rockrimmon area. Source: http://www.kktv.com/news/headlines/Crash_Causes_Comcast_Outage_130600458.html?ref=458

Tuesday, September 27, 2011

Complete DHS Daily Report for September 27, 2011

Daily Report

Top Stories

• Torrential rain September 26 piled water 8-feet high in streets and basements in Colerain Township, Ohio, and led to the rescue of scores of stranded motorists. – Cincinnati Enquirer (See item 20)

20. September 26, Cincinnati Enquirer – (Ohio) Torrential rain, flooding prompts evacuation in Colerain Twp. Torrential rain early September 26 dumped more than 3 inches across Greater Cincinnati, Ohio, and led to flooding and evacuations in a section of Colerain Township. The Colerain Township Fire Department began rescuing and evacuating residents at Blanchetta and Sheldon about 7 a.m. Motorists were pulled from cars after becoming trapped while driving into high water. The water spilled into the street from a flooded creek, a fire spokesman said. Water as high as 8 feet also flooded basements. One person was taken to a hospital for minor injuries. A tornado watch and flood advisory were in effect September 26 as heavy showers and thunderstorms that started falling overnight continued. More than 3.5 inches of rain was recorded between midnight and 6:30 a.m. at Cincinnati/Northern Kentucky International Airport, a meteorologist said. The storms knocked out power to more than 7,400 Duke Energy customers, mostly in Hamilton County, according to the utility’s Web site. North College Hill schools were on a 2-hour delay due to power outages. Source: http://news.cincinnati.com/article/20110926/NEWS01/110926015

• The mayor of Sparks, Nevada, declared a state of emergency and canceled a road rally after a huge brawl September 23 outside a casino led to shootings, one death, and several injuries. – CNN (See item 59)

59. September 25, CNN – (Nevada) Hell's Angels motorcycle club member facing charges in deadly casino brawl. A member of the Hell's Angels motorcycle club was facing charges including assault with a deadly weapon September 25 after a brawl between club members devolved into a gunfight that left one person dead in Sparks, Nevada. Police said the victim of the shooting at John Ascuaga's Nugget Casino Resort was a 51-year-old man who was president of the San Jose, California, chapter of the Hell's Angels. Two other people, both members of the Vagos motorcycle club, were in stable condition at hospitals after being shot in the abdomen and the leg, respectively. A 36-year-old was arrested after surveillance video showed him "shooting into the crowd" during the late September 23 melee, Sparks police said in a statement. The riot occurred during the Street Vibrations Fall Rally, an event that began September 21 and was expected to continue into September 25. After the shootings, however, the Sparks portion of the event was canceled through the weekend, the city announced September 24. The mayor of Sparks also declared a state of emergency. Besides assault with a deadly weapon, the shooting suspect also faces charges of carrying a concealed weapon; aiming a firearm at another; aiming or discharging a firearm where a person is endangered; and possession of stolen property/firearm, jail records show. His bail was set at $500,000 cash only. Authorities reported that as many as 30 people took part in the casino brawl. Police responded with assistance from overhead helicopters. Source: http://www.cnn.com/2011/09/25/justice/nevada-casino-brawl/index.html?eref=rss_topstories&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+rss/cnn_topstories+(RSS:+Top+Stories)

Details

Banking and Finance Sector

14. September 24, Contra Costa Times – (California) Two bay area men charged in $8 million fraud scheme. The Securities and Exchange Commission (SEC) September 23 charged two Bay Area men with fraud in California, claiming they promised investors up to a 6,300 percent return but instead spent millions of dollars on themselves, including luxurious parties and cars. The two are accused of defrauding more than 35 investors out of nearly $8 million, according to SEC documents. The agency's complaint seeks to force the two men to return the money as well as pay civil penalties. The scheme began in 2007 when one of the men, who previously worked in real estate, raised about $4.5 million with the promise of "financial freedom" and "maximum results with minimum risk" in a brochure to investors, the SEC said. In 2008, he teamed up with the second man, an unemployed construction worker with no experience in investing, and continued to promise investors an astronomical return. An additional $3.2 million was raised over the next few years. Instead of investing the money, the SEC claims, the man with real estate experience spent $360,000 on a surprise party for his wife as well as several Mercedes-Benz automobiles, jewelry, and basketball season tickets. He also spent about $2.6 million of investors' funds to make improvements on his 8,000-square-foot Alamo home. Source: http://www.mercurynews.com/news/ci_18971213

15. September 24, Associated Press – (Arizona; Colorado) Tucson man pleads guilty in investment scheme. A Tucson, Arizona man accused of bilking investors out of millions of dollars pleaded guilty September 24 to two felonies, ending 8 years of litigation. Pima County prosecutors said the 70-year-old man pleaded guilty to fraud and illegally conducting an enterprise, and agreed to pay up to $5 million in restitution. He could be placed on probation or be sentenced to between 7 and 21.25 years in prison. The Arizona Daily Star said the man and two other defendants originally were indicted in 2003 on charges they illegally sold promissory notes for a Colorado shopping center north of Denver. By the time the Dacono Mall project collapsed, authorities said about 110 investors had put up more than $5 million between 1995 and 2000. Source: http://www.chron.com/news/article/Tucson-man-pleads-guilty-in-investment-scheme-2187081.php

16. September 24, Hartford Courant – (Connecticut) Bomb threats called in to Mansfield, Coventry bank branches. A woman called in bomb threats to First Niagara bank branches in Mansfield and Coventry, Connecticut September 24, police said. The woman said "an explosion" would occur in the buildings, police said. The state police bomb squad and K-9 teams responded and searched the banks, but found nothing, police said. Coventry police were working with state police and said they had developed leads in the case. They said they are searching for a woman wearing a light-colored top and a ponytail, and released a video showing her talking on the phone in a store. Investigators said she may be driving a green sport utility vehicle, but they did not call her a suspect. Source: http://articles.courant.com/2011-09-24/community/hc-bank-threat-0925-20110924_1_coventry-police-state-police-bomb-threats

17. September 24, DNAinfo.com – (New York) Bomb threat bank robber arrested for string of heists, police say. A Harlem, New York ex-con who threatened bank tellers with bomb threats and claimed to have a gun was arrested for a string of heists around the borough beginning in July, DNAinfo.com reported September 24. The 33-year-old was hit with seven counts of robbery and one count of attempted robbery for the alleged 2-month spree, which included hitting two banks in one day and even trying to rob the same bank twice just days apart. The suspect, who has done stints in state prison for robbery and drug sale, first struck at a Chase Bank at 2030 Broadway, near West 70th Street, claiming to have a bomb, police said. But the teller refused to fork over cash and he fled empty-handed. Less than 2 hours later, the man, who was released from prison in April, allegedly pulled the same stunt at a Sovereign Bank branch at 250 Lexington Avenue, near East 35th Street. This time, the teller gave him money, although the amount was not clear. On August 15, he returned to the same branch and again made off with cash, police said. During the series of heists, the suspect robbed a Sovereign Bank at 1350 Broadway, near 36th Street, a Sovereign Bank at 1062 Third Avenue, near 63rd Street, an HSBC Bank at 885 Eighth Avenue, near 53rd Street, and a Sovereign Bank at 2275 Broadway, near 82nd Street, police said. He last struck September 19, claiming to have a gun at the Capital One Bank at 1536 Third Avenue, near 87th Street. Source: http://www.dnainfo.com/20110924/upper-west-side/bomb-threat-bank-robber-arrested-for-string-of-heists-police-say

18. September 24, Los Angeles Times – (California) Well-dressed bandit hits 10th bank in San Diego area. The FBI in San Diego is asking the public for information about a bank robber with an apparent taste for nice clothing and luxury automobiles. Dubbed the Well-Dressed Bandit, the robber has hit 10 banks and credit unions in San Diego County since May 2010. His latest job was September 23 when he robbed a Chase Bank in the Sorrento Valley area of San Diego — the third time he has robbed the same branch, according to authorities. Witnesses reported seeing him leave in a Lexus or Mercedes. He prefers dark clothing and sometimes wears a cap to cover a balding or shaved head. He is described as black, in his mid-30s, about 6-foot-2 and weighing 220 pounds. Source: http://latimesblogs.latimes.com/lanow/2011/09/well-dressed-bandit-hits-10-banks-in-san-diego-area.html

19. September 23, Financial Advisor – (California) SEC bars former California securities dealer. The Securities and Exchange Commission (SEC) has permanently barred a former California-based broker from the securities industry on charges he fraudulently raised $14.1 million from over 100 investors in a Ponzi scheme disguised as a futures investment, according to a ruling issued by an administrative law judge September 22. The SEC said the man and his firm Axcess Automation LLC devised a scheme in which he solicited friends, neighbors, and business acquaintances to wire transfer funds into bank accounts over which he had sole discretionary authority. The SEC alleged the man prepared and provided false statements to certain investors and misappropriated about $10.7 million from new investors to pay old investors and about $1.1 million for personal use. Source: http://www.fa-mag.com/fa-news/8627-sec-bars-former-california-securities-dealer-.html

Information Technology Sector

48. September 26, Softpedia – (International) Data stealing apps released on Android Market. Five new apps have appeared on the Android Market that let whoever installs them on a phone siphon off its data, with the developers charging for access to what is taken. Bitdefender identifies the threat as Android.Spyware.GoneSixty.Gen. The stealer first has to be downloaded and installed on the victim's device, but once that is done the rest of the operation is straightforward: the tool uploads all the information found on the phone, such as messages, contact lists, and browser history, to an Internet location. The stolen data can be retrieved by entering a code on the developer's site; contact lists are free, while the more sensitive information is made available for a $5 fee. Source: http://news.softpedia.com/news/Data-Stealing-Apps-Released-on-Android-Market-223660.shtml

49. September 26, Softpedia – (International) 700,000 InMotion Websites hacked by TiGER-M@TE. InMotion's data center was hit by a hacker who calls himself TiGER-M@TE, leaving a few hundred thousand Web site owners with nonfunctional pages. "At around 4 a.m. EST, our system administration team identified a website defacement attack affecting a large number of customers. We are still investigating, but it appears that files named index.php have been defaced," InMotion representatives said. The hacker claims to work alone and says his methods come down to private exploits and zero-day attacks. He appears to have done little other harm to the sites, only replacing the index file on each with his own. The hosting company started the repair process promptly, guiding customers with the necessary knowledge to make the repairs themselves. Within a few hours the company had restored 65 percent of the affected pages, urging users to refresh their browsers if they were still seeing the defaced version. Source: http://news.softpedia.com/news/700-000-InMotion-Websites-Hacked-by-TiGER-M-TE-223607.shtml

50. September 26, Softpedia – (International) Alureon trojan uses steganography techniques. A version of the Alureon trojan was discovered hiding backup command and control (C&C) locations in ordinary JPEG files. The images were posted on unrelated domains so that, if the malware could not reach its primary servers, it could fall back on the encrypted addresses carried in the pictures. Microsoft researchers came across this form of the malware after a period of monitoring in which they worked out exactly how the new Alureon operates. Win32/Alureon belongs to the data-stealing family of trojans. Its multiple functions let its operator intercept private data and send destructive commands to the infected device, leaving behind a trail of damaged DNS settings; keyboard and other drivers may malfunction after an attack by this specific malware. Closer investigation revealed the new variant downloads an extra component called com32. This component tries to fetch a number of image files hosted on a few blogs. The images contain a string of data interpreted by com32, giving Alureon a list of C&C servers to try should the primary hosts become unavailable. Embedding hidden data inside an innocuous carrier such as an image is called steganography, and attackers appear to be using it more often to make their malware more resilient. According to the TechNet blog, the configuration files are disguised as pictures of an old woman, a young man, and a bowl of Chinese herbs, and are posted on LiveJournal and WordPress sites. Source: http://news.softpedia.com/news/Alureon-Trojan-Uses-Steganography-Techniques-223587.shtml
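To make the technique concrete, here is an added example (the author's own, not Alureon's actual encoding, which the report does not describe) of the simplest way to hide a fallback C&C list in a JPEG: appending it after the end-of-image marker, where image viewers ignore it. The block shows the attacker side (embed), the bot side (extract with an integrity check), and the defender side: a walker over the JPEG segment structure that measures how many bytes follow the real end of image, which is the check worth running over images a suspect process fetches. The image bytes, key, tag and server names are all constructed here.

```python
"""Added example, not Alureon's actual encoding: append an encrypted fallback
C&C list to a JPEG after its end-of-image marker (which image viewers ignore),
recover it the way a bot component would, and detect such trailers by walking
the JPEG segment structure. The image bytes and server names are constructed."""
import hashlib
import zlib

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
TAG = b"STEG"  # trailer tag for this illustration only


def image_end(jpeg: bytes) -> int:
    """Offset just past the EOI marker, found by walking segments rather than
    searching for ff d9, which may also occur inside an embedded EXIF thumbnail."""
    if jpeg[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG")
    i = 2
    while i + 2 <= len(jpeg):
        if jpeg[i] != 0xFF:
            raise ValueError(f"marker expected at offset {i}")
        marker = jpeg[i + 1]
        if marker == EOI:
            return i + 2
        if marker in (SOI, 0x01) or 0xD0 <= marker <= 0xD7:  # standalone markers
            i += 2
            continue
        if i + 4 > len(jpeg):
            break
        i += 2 + int.from_bytes(jpeg[i + 2:i + 4], "big")  # skip segment body
        if marker == SOS:  # entropy-coded data: ff00 is stuffing, ffd0-d7 restarts
            while i + 1 < len(jpeg) and not (
                jpeg[i] == 0xFF and jpeg[i + 1] != 0 and not 0xD0 <= jpeg[i + 1] <= 0xD7
            ):
                i += 1
    raise ValueError("no EOI marker")


def trailer(jpeg: bytes) -> bytes:
    """Bytes after the image proper; a clean file has none."""
    return jpeg[image_end(jpeg):]


def keystream(key: bytes, n: int) -> bytes:
    """Counter-mode stream from SHA-256, enough for the demo; not a recommended cipher."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
    return out[:n]


def xor(data: bytes, key: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def embed(jpeg: bytes, servers: list[str], key: bytes) -> bytes:
    """Attacker side: image + TAG + length + encrypted(list + CRC32)."""
    plain = "\n".join(servers).encode()
    blob = xor(plain + zlib.crc32(plain).to_bytes(4, "big"), key)
    return jpeg + TAG + len(blob).to_bytes(4, "big") + blob


def extract(image: bytes, key: bytes) -> list[str]:
    """Bot side: locate the trailer, decrypt, and reject it unless the CRC checks."""
    t = trailer(image)
    if not t.startswith(TAG):
        return []
    length = int.from_bytes(t[4:8], "big")
    body = xor(t[8:8 + length], key)
    if len(body) < 5:
        return []
    plain, crc = body[:-4], body[-4:]
    if zlib.crc32(plain).to_bytes(4, "big") != crc:
        return []
    return plain.decode("utf-8", "replace").split("\n")


def build_sample_jpeg() -> bytes:
    """Minimal constructed JPEG: SOI, APP0/JFIF, SOS, a little scan data, EOI."""
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    app0 = b"\xff\xe0" + (len(jfif) + 2).to_bytes(2, "big") + jfif
    sos_body = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + (len(sos_body) + 2).to_bytes(2, "big") + sos_body
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"  # includes a stuffed ff and RST0
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"


if __name__ == "__main__":
    key = b"shared-secret"
    stego = embed(build_sample_jpeg(), ["c2-a.example", "c2-b.example"], key)
    print("trailer bytes:", len(trailer(stego)), "servers:", extract(stego, key))
```

The defender's check is `trailer()`: a JPEG that is all image should end at its EOI marker, and a large trailer on a picture that malware keeps fetching is worth a closer look even when, as here, the payload itself is encrypted and unreadable.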

51. September 24, Softpedia – (International) Malware spreads as browser update. A worm has been discovered that, once it has a foothold, takes over DHCP and DNS on the local network so that requests are steered to sites hosting more malware. Identified as Worm.Ropian.E, it sets itself up as the network's DHCP and DNS server. Because these are the services that tell every machine on the network where to send its traffic, the worm can make sure users are redirected to a single place no matter what URL they type into the browser's address bar. According to Malware City, the malicious destination looks like an error page that warns "Your browser is no longer supported. Please upgrade to a modern software." Users may be tempted to believe the message and click the "Browser update" button at the bottom of the page, since every request they make lands on the same site. If the button is clicked, the machine is infected further and starts acting as a DHCP server for the entire network of computers. To make everything more credible, the worm downloads a file called upbrowsers[date].exe, where the date always matches the current date. Once executed, the infection spreads further still, installing a TDSS rootkit that does even more damage. Source: http://news.softpedia.com/news/Malware-Spreads-as-Browser-Update-223486.shtml
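A worm that turns an infected host into the LAN's DHCP server shows up on the wire as DHCPOFFER packets from an address that is not the real server, usually pushing itself as the DNS resolver. The following added example (the author's, not from the Malware City or Softpedia reports) parses raw DHCP packets and flags offers whose server identifier (option 54) or DNS servers (option 6) are not on an allowlist. The packets, the allowlist and all addresses are constructed; in practice the input would come from a capture of UDP port 68 on a monitoring host.

```python
"""Added example (not from the Malware City/Softpedia report): parse DHCP
OFFER packets seen on the LAN and flag offers from an unauthorised server or
ones that push an unexpected DNS resolver, which is what a host turned into a
rogue DHCP/DNS server by a worm like Ropian would produce. The packets and
addresses below are constructed."""
import ipaddress
import struct

MAGIC = b"\x63\x82\x53\x63"          # DHCP option magic cookie (RFC 2132)
MSG_TYPE, DNS_SERVERS, SERVER_ID = 53, 6, 54
BOOTREPLY, DHCPOFFER = 2, 2


def parse_dhcp(pkt: bytes) -> dict:
    """Minimal BOOTP/DHCP parser: 236-byte fixed header plus TLV options."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    op, _htype, _hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", pkt[:12])
    yiaddr = str(ipaddress.IPv4Address(pkt[16:20]))   # address being offered
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == 0:          # pad
            i += 1
            continue
        if code == 255:        # end
            break
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": opts}


def ip_list(raw: bytes) -> list[str]:
    """Decode an option holding one or more packed IPv4 addresses."""
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw) - 3, 4)]


def check_offer(pkt: bytes, trusted_servers: set[str], trusted_dns: set[str]) -> list[str]:
    """Return findings for a DHCPOFFER; an empty list means the offer looks legitimate."""
    d = parse_dhcp(pkt)
    o = d["options"]
    if d["op"] != BOOTREPLY or o.get(MSG_TYPE) != bytes([DHCPOFFER]):
        return []
    findings = []
    server = ip_list(o.get(SERVER_ID, b""))
    server_ip = server[0] if server else None
    dns = ip_list(o.get(DNS_SERVERS, b""))
    if server_ip not in trusted_servers:
        findings.append(f"offer from unauthorised DHCP server {server_ip}")
        if server_ip in dns:
            findings.append("rogue server also names itself as DNS resolver")
    for r in dns:
        if r not in trusted_dns:
            findings.append(f"offer pushes unexpected DNS resolver {r}")
    return findings


def build_offer(server: str, dns: list[str], client_ip: str = "192.0.2.50") -> bytes:
    """Construct a DHCPOFFER for testing (xid and hardware fields are dummies)."""
    hdr = struct.pack("!BBBBIHH", BOOTREPLY, 1, 6, 0, 0x1234ABCD, 0, 0)
    hdr += bytes(4)                                    # ciaddr
    hdr += ipaddress.IPv4Address(client_ip).packed     # yiaddr
    hdr += ipaddress.IPv4Address(server).packed        # siaddr
    hdr += bytes(4) + bytes(16) + bytes(64) + bytes(128)  # giaddr, chaddr, sname, file
    dns_raw = b"".join(ipaddress.IPv4Address(x).packed for x in dns)
    opts = bytes([MSG_TYPE, 1, DHCPOFFER])
    opts += bytes([SERVER_ID, 4]) + ipaddress.IPv4Address(server).packed
    opts += bytes([DNS_SERVERS, len(dns_raw)]) + dns_raw
    return hdr + MAGIC + opts + b"\xff"


if __name__ == "__main__":
    trusted = {"192.0.2.1"}
    print(check_offer(build_offer("192.0.2.1", ["192.0.2.1"]), trusted, trusted))
    print(check_offer(build_offer("192.0.2.77", ["192.0.2.77"]), trusted, trusted))
```

On a switched network the durable fix is DHCP snooping on the access switches, which drops server-side DHCP messages from untrusted ports; the check above is the detection you run where that is not available.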

52. September 23, Computerworld – (International) Facebook's Timeline will be boon for hackers. Facebook's new Timeline will make it easier for criminals and others to mine the social network for personal data they can use to launch malicious attacks and steal passwords, a researcher said September 23. Timeline, which Facebook unveiled September 22 at a developer conference and plans to roll out in a few weeks, summarizes important past events in a 1-page display. The change has experts at England-based Sophos concerned. "Timeline makes it a heck of a lot easier to collect information on people," said a Sophos security researcher. "It's not that the data isn't already there on Facebook, but it's currently not in an easy-to-use format." Cyber criminals often unearth personal details from social networking sites to craft targeted attacks, he noted, and Timeline will make their job simpler. "And Facebook encourages people to fill in the blanks [in the Timeline]," he said, referring to the tool prompting users to add details to blank sections. Because people often use personal data to craft passwords or security questions and answers, the more someone adds to Timeline, the more they may put themselves at risk, the researcher said. Source: http://www.computerworld.com/s/article/9220240/Facebook_s_Timeline_will_be_boon_for_hackers

53. September 23, The Register – (International) Experts suggest SSL changes to keep BEAST at bay. Cryptographers have described a simple way Web site operators can insulate themselves against a new attack that decrypts sensitive Web traffic protected by the secure sockets layer protocol. The suggestions published September 23 by two-factor authentication service PhoneFactor recommend that Web sites use the RC4 cipher to encrypt SSL traffic instead of newer, and cryptographically stronger, algorithms such as AES and DES. Google Web servers are already configured to favor RC4, according to an analysis tool from security firm Qualys. A Google spokesman said the company had used those settings "for years." In stark contrast, eBay's PayPal payment service favors AES, making the site at least theoretically vulnerable to BEAST, an attack tool scheduled to be demonstrated September 23. Short for Browser Exploit Against SSL/TLS, its creators said it targets a long-documented vulnerability in some encryption algorithms that cryptographers previously believed was not practical to exploit. The researchers said they refined the attack enough to decrypt SSL-protected Web traffic using a piece of JavaScript that injects plaintext into the encrypted request stream. They said they plan to prove the attack is practical by using it to recover an encrypted cookie used to access a user account on PayPal. The chosen-plaintext recovery at the heart of BEAST attacks algorithms that use a mode known as CBC, or cipher block chaining, in which information from a previously encrypted block of data is used to encode the next block. CBC mode is used with AES and DES, but not with RC4. Source: http://www.theregister.co.uk/2011/09/23/google_ssl_not_vulnerable_to_beast/
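An added illustration (not code from the article or from the BEAST authors) of the CBC chaining property the item describes: with the TLS 1.0 rule that a record's IV is the last ciphertext block of the previous record, an observer who can get one chosen block encrypted learns whether a guess of an earlier block was right, whereas a fresh unpredictable IV per record (the TLS 1.1 fix) removes that leak. A keyed SHA-256 PRF stands in for a real 16-byte block cipher; the key and blocks are constructed sample values.

```python
"""CBC chaining with a known (chained) IV versus a fresh random IV."""
import hashlib
import os

BLOCK = 16
KEY = b"constructed-demo-key"   # constructed sample key, not a real one


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def toy_block_encrypt(block):
    """Toy stand-in for one block-cipher call: keyed, deterministic,
    encrypt-only. Only the chaining structure matters here."""
    return hashlib.sha256(KEY + block).digest()[:BLOCK]


def cbc_encrypt(iv, plaintext):
    """CBC: each plaintext block is XORed with the previous ciphertext
    block (the IV for the first block) before the block cipher is applied."""
    assert len(plaintext) % BLOCK == 0
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = toy_block_encrypt(xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return out


def chained_iv_confirms_guess(secret_block, guess):
    """TLS 1.0 behaviour: the next record's IV is the previous record's last
    ciphertext block, which an eavesdropper has already seen. A chosen block
    P' = guess XOR IV XOR C1 therefore encrypts to E(guess XOR IV), which
    equals C1 = E(secret XOR IV) exactly when guess == secret."""
    iv = os.urandom(BLOCK)                       # known to the observer
    c1 = cbc_encrypt(iv, secret_block)[0]        # record 1, one secret block
    next_iv = c1                                 # chained IV rule
    chosen = xor(xor(guess, iv), next_iv)        # attacker-chosen plaintext
    c_chosen = cbc_encrypt(next_iv, chosen)[0]   # record 2
    return c_chosen == c1


def random_iv_confirms_guess(secret_block, guess):
    """TLS 1.1+ behaviour: each record gets a fresh unpredictable IV, so the
    chosen block cannot cancel it and the comparison carries no information
    (equality only with probability 2**-128)."""
    iv = os.urandom(BLOCK)
    c1 = cbc_encrypt(iv, secret_block)[0]
    next_iv = os.urandom(BLOCK)                  # unknown when P' is chosen
    chosen = xor(xor(guess, iv), c1)             # same construction as above
    c_chosen = cbc_encrypt(next_iv, chosen)[0]
    return c_chosen == c1
```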

54. September 23, Softpedia – (International) Internet Explorer malware plugin also infects Firefox. A new malware threat has been discovered that, after infecting Internet Explorer, drops a piece of spyware onto a user's Firefox. With the aid of Bitdefender, MalwareCity identified the virus as Trojan.Tracur.C. When Internet Explorer users decide to update their Flash Player, the rogue plug-in that compromises the browser also infects Mozilla Firefox by attaching a malicious add-on to it. Trojan.JS.Redirector.KY monitors all the Web pages loaded in Mozilla's browser. Once the unsuspecting user types the URL of a search engine, a piece of JavaScript code is injected into the resulting pages, making sure the first link points to a location hosting malware. From there the infection process continues, with victims subjected to attacks from all sorts of threats. According to Sophos, Trojan.Tracur.C affects Windows platforms and runs automatically in an attempt to establish a communication channel with a remote server via HTTP. It changes Internet Explorer settings by creating registry entries. Trojan.JS.Redirector viruses operate by launching a SQL injection attack that inserts JavaScript into the HTML pages they target. They can also be contained in HTML-based e-mail messages that embed the script, or in malicious Web sites, and redirect to unwanted locations. Source: http://news.softpedia.com/news/Internet-Explorer-Malware-Plugin-Infects-Firefox-223449.shtml

For more stories, see item 56 below in the Communications Sector

Communications Sector

55. September 26, TG Daily – (California) AT&T restores service after California outage. AT&T customers in southern California experienced a service outage lasting from the afternoon of September 24 through to September 25. The problem, which at its height affected about 1,000 cell towers, is said to have been caused by mechanical problems with the switching equipment that routes calls through the network. Most of the affected towers handled calls to and from Los Angeles County and Orange County. The problem started about 3 p.m. Six hours later, the company confirmed on Twitter: "Los Angeles area AT&T customers may have issues with wireless service. We are working now to resolve. We apologize for any inconvenience." It is not known how many users were affected. Data and text services continued to function normally. Service was restored for most customers by the morning of September 25. Source: http://www.tgdaily.com/mobility-features/58680-att-restores-service-after-california-outage

56. September 26, ARLnow.com – (Virginia) Clarendon/Courthouse Verizon outage continues. Hundreds of Verizon landline phone and DSL Internet customers in the Clarendon and Courthouse area of Arlington, Virginia were still without service September 26, a week after a contractor taking a soil sample struck several cables buried under Rocky Run Park. “Our restoral efforts continue,” a Verizon spokesman told ARLnow.com. “We’ve replaced and completed work on one of the damaged cables, and we’re at work on the second cable. We also found that a third cable was damaged, and we’ll be replacing a section of that one as well.” The cables contain thousands of individual copper lines, which carry phone conversations and Internet service to hundreds of Verizon customers in the area. Each copper line must be painstakingly spliced together to restore service. Source: http://www.arlnow.com/2011/09/26/clarendoncourthouse-verizon-outage-continues/

For more stories, see items 48 and 52 above in the Information Technology Sector