Friday, October 7, 2011

Complete DHS Daily Report for October 7, 2011

Daily Report

Top Stories

• The U.S. Nuclear Regulatory Commission (NRC) must act immediately to improve the safety of pools containing radioactive waste stored at U.S. nuclear plants, an internal NRC report said. – Associated Press (See item 8)

8. October 5, Associated Press – (International) Nuclear agency urged to review US spent fuel pools. The U.S. Nuclear Regulatory Commission (NRC) should act immediately to improve the safety of pools containing radioactive waste stored at U.S. nuclear plants, an internal NRC report released October 5 said. The report elevates the importance of spent-fuel pools, stating current regulations do not require instruments measuring water levels to be operable in case of an accident. Water levels at spent-fuel pools were a principal issue after the March 11 earthquake and tsunami that crippled a nuclear plant in Japan. The recommendation on spent-fuel pools is one of eight steps agency staff said the NRC should take "without delay" as it responds to the Japan crisis. The report also recommended immediate reviews of seismic and flooding risks at the nation's 104 nuclear reactors, and suggested plant operators should be required to improve their response to prolonged power blackouts or events that damage more than one reactor at the same time. Source:

• Flash flooding closed dozens of streets, and damaged more than 100 homes, many vehicles, and police and public works equipment in several towns on the North Shore in Massachusetts. – WBZ 4 Boston (See item 22)

22. October 4, WBZ 4 Boston – (Massachusetts) Flash flooding hits North Shore. Heavy rain and flash flooding surprised residents on the North Shore in Massachusetts October 4. In Swampscott, 5.5 inches of rain in 2 hours left basements flooded, cars stranded, and fields swamped. So many streets flooded in Peabody they were forced to cancel school October 4. The mayor declared a state of emergency. The fire department said 10 neighborhoods were flooded, which includes more than 100 homes. The police department’s garage was flooded, and some cruisers and motorcycles were damaged. Trucks at the Massachusetts Highway Depot on Route 1 were also underwater. Swampscott delayed the start of school 2 hours, and Salem State University canceled all classes because of the flooding. Source:

Banking and Finance Sector

11. October 6, Associated Press – (National) Bank of America site appears fixed after 6th day. Bank of America customers had problems accessing their accounts for 6 days. After the site appeared back to normal October 5, the bank blamed the troubles on a system upgrade. The head of online and mobile banking at Bank of America said the slowness and time-outs customers experienced were the result of a "multi-year project" to upgrade its online banking platform. He said testing of certain features and high traffic at the end of the month also contributed to the delays. When the problems first surfaced September 30, he said the bank cast a "wide net" and worked with law enforcement officials to quickly rule out the possibility of third-party interference. In the meantime, the bank said publicly September 30 and afterward that it does not break out causes for Web site problems. The delays meant some customers who normally bank online had to go to branches or ATMs to access their accounts. The head of online and mobile banking said the company was about 60 percent through the upgrade, and did not rule out the possibility of site problems in the future. Bank of America customers also had difficulty accessing their accounts in January and March, and the firm again blamed routine system upgrades. Source:

12. October 5, Bloomberg – (International) Frankfurt Bourse temporarily evacuated amid bomb threat. The Frankfurt Stock Exchange, situated in the center of Germany’s financial capital, was temporarily evacuated October 5 and some trading interrupted amid a bomb threat as police searched the building. The incident occurred at about 5 p.m., exchange operator Deutsche Boerse AG said in an e-mailed statement. Exchange trading in the fully automated Xetra system was not affected though transactions in the Xetra Frankfurt Specialist model, formerly floor trading, were interrupted in all products, it said. Access to the building was restored about an hour later, and trading on the floor was set to resume at 6:30 p.m., Deutsche Boerse said. “We received a bomb threat via telephone,” a police officer at the scene said. The anonymous caller said the bomb would detonate at 5 p.m., he said. Police searched the building but found nothing, he said. Source:

13. October 5, Reuters – (New York) Six charged in $25 mln New York mortgage-fraud bust. Lawyers, loan officers, and a real-estate agent were among six individuals charged October 5 with running a massive mortgage-fraud scheme that bilked $25 million from financial institutions and wholesale mortgage lenders, federal prosecutors said. The six were arraigned in federal court in Brooklyn, New York, in connection with the long-running scheme, according to the U.S. Attorney's Office for the Eastern District of New York. Each faces up to 30 years if convicted on the charges, which include conspiracy to commit bank and wire fraud. According to a superseding indictment, the defendants obtained millions in mortgage loans from banks and other lenders by submitting false information on loan applications to make recruited borrowers seem more credit-worthy than they were. They also trumped up other documents that deceived lenders about how much money was disbursed at closings on the properties, located primarily in Queens, prosecutors said. From 2001 until July 2010, the defendants raked in commissions and loan fees from the mortgages, prosecutors said. But when borrowers stopped making payments, their loans went into default, costing lenders millions, according to the indictment. Lending institutions hit by the fraud include JP Morgan Chase's Chase Home Finance, Countrywide Financial, Fremont Investment and Loan, IndyMac Bank, National City Corporation, Sun Trust Mortgage Inc., and Wells Fargo & Co., prosecutors said. Wholesale mortgage lenders including Lend-Mor Mortgage Bankers Corporation, Mortgage Lenders Network USA, and New Century Mortgage Corporation also lost money in the scheme. Source:$25_mln_New_York_mortgage-fraud_bust/

14. October 5, KMGH 7 Denver – (Colorado) Police: man steals $100K using skimmer on local ATMs. Boulder County, Colorado, sheriff's deputies October 5 released a picture of a man they said has stolen more than $100,000. Deputies said the man put a skimming device on an ATM to get bank account information. He took more than $11,000 from one person's account, deputies said. As deputies investigated, they said they found other incidents throughout the Denver metropolitan area involving the same man. Some skimmers, like the thief in this case, put a device over the card slot of an ATM, which reads the magnetic strip as the user unknowingly passes their card through it. These devices are often used in conjunction with a miniature camera (inconspicuously attached to the ATM) to read the user's PIN at the same time, deputies said. Source:

15. October 5, Boston Globe – (National) Westwood hedge fund manager sanctioned $300,000 on insider trading. A federal judge in New York approved a former Westwood, Massachusetts hedge fund manager’s offer to pay $300,000 to settle insider trading charges brought against him as part of a nationwide probe of improper tips on technology stocks, regulators said October 5. The hedge fund manager, who ran a $125 million hedge fund, S2 Capital Management, allegedly violated securities laws on trades he made in Akamai Technologies Inc., the Cambridge Internet traffic manager. According to the Securities and Exchange Commission (SEC), which filed its case in 2009, the manager received a tip in 2008 about disappointing second-quarter earnings on Akamai. The complaint said he “knew, recklessly disregarded, or should have known” the data he received was not public and had been improperly given to him. Regulators also settled charges they brought against a consultant and investment manager who passed along the insider tip and boasted about it in a conversation captured on tape and played by prosecutors in court. She agreed to pay $540,000 under the agreement. The SEC secured settlements in the millions from others involved in the scheme. The hedge fund manager also received a tip on transactions related to Advanced Micro Devices Inc., a technology company in Sunnyvale, California, with operations in Boxborough, the SEC alleged. The case sprang from an investigation of hedge fund giant Galleon Management, and cast a wide net to other hedge funds, high-tech executives, and consultants who allegedly were paid to provide investors with nonpublic information on public companies. 
The SEC said it dismissed its case against the manager’s S2 Capital Management, which was based in New York City and had “ceased operations and is essentially defunct.” He separately pleaded guilty in 2009 to criminal charges related to the securities case in New York, and has been cooperating with investigators. Source:

16. October 5, United States Department of Justice – (International) Superseding indictment filed in $670 million fraud scheme. A Costa Rican company, its president, and its auditor were charged in a superseding indictment filed October 4 in U.S. District Court in Richmond, Virginia, for their alleged roles in a $670-million fraud involving victims throughout the United States, and abroad. The company allegedly sold reinsurance bonds to life settlement companies. The superseding indictment charges Provident Capital Indemnity Ltd. (PCI), and two men each with one count of conspiracy to commit mail and wire fraud, three counts of mail fraud, and three counts of wire fraud. In addition, one man is charged with three counts of money laundering. The superseding indictment also seeks forfeiture of more than $40 million from all three defendants. If convicted, the men face up to 20 years in prison on each fraud count, and up to 10 years in prison on each money-laundering count. The defendants allegedly engaged in a scheme to defraud clients and investors by making misrepresentations and omissions designed to mislead PCI’s clients and potential clients regarding its ability to pay claims when due on the guarantee bonds PCI issued. PCI issued these bonds to companies that sold life settlements or securities backed by life settlements to investors. These companies then used PCI’s bonds to claim they had eliminated one of the primary risks of investing in life settlements, namely the possibility the individual insured by the underlying insurance policy will live beyond her life expectancy. The superseding indictment alleges that from 2004 through 2010, PCI sold about $670 million of bonds to life settlement investment companies in various countries, including the United States, the Netherlands, Germany, and Canada. PCI’s clients, in turn, sold investment offerings backed by PCI’s bonds to thousands of investors around the world. 
Purchasers of PCI’s bonds were allegedly required to pay up-front payments of 6 to 11 percent of the underlying settlement as “premium” payments to PCI before the company would issue the bonds. Source:

For another story see item 32 below in the Information Technology Sector

Information Technology Sector

32. October 6, Softpedia – (International) Zeus trojan hides in chamber of commerce e-mails. Business owners might easily fall for the latest e-mails that seem to be coming from the U.S. Chamber of Commerce, announcing their intention of helping the victim. What users do not know is that the note's attachment actually contains the bank-account-stealing trojan Zeus. According to AppRiver, the logo in the message's header and its footer's content are taken from the legitimate Web site of the U.S. Chamber of Commerce. As with most malware campaigns, the message is written in a big blue font, revealing vague information that would arouse someone's curiosity. The attachment contains a malicious element that opens a backdoor, giving miscreants access to the device. It then aims to download other aggressive software. Finally, it tries to connect to two domains, jokeins(dot)com and agrofond(dot)com, from which it requests a start.exe file that contains Zeus. The trojan takes over the operation and creates a miuf.exe process that installs a keylogger and launches periodic pings to different domains in an effort to receive further instructions. The piece of malware also sends out UDP packets to announce its presence to its other components. Source:

33. October 6, The Register – (International) Facebook scammers exploit Steve Jobs' death. Facebook scammers are exploiting news of the death of Apple's founder as a theme for survey scams. The users targeted by the scam are told an unnamed firm is giving away 50 iPads in memory of the deceased. Applicants are invited to complete an online survey to "qualify" for the prize. The offer is entirely bogus. Even so, more than 15,000 people have already clicked through to the bogus survey site, net security firm Sophos reported. Source:

34. October 6, The Register – (International) Attack on Apache server exposes firewalls, routers and more. Maintainers of the open-source Apache Web server warned their HTTP daemon is vulnerable to exploits that expose internal servers to remote attackers who embed special commands in Web site addresses. The weakness in 1.3 and all 2.x versions of the Apache HTTP Server can be exploited only under certain conditions. For one, the servers must be running in reverse proxy mode, a setting often used to perform load balancing or to separate static content from dynamic content. And even then, internal systems are susceptible to unauthorized access only when certain types of reverse proxy rewrite rules are used. Nonetheless, the vulnerable reverse proxy configurations are common enough that Apache maintainers issued an advisory October 5 recommending users examine their systems to make sure they are not at risk. "When using the RewriteRule or ProxyPassMatch directives to configure a reverse proxy using a pattern match, it is possible to inadvertently expose internal servers to remote users who send carefully crafted requests," the advisory stated. "The server did not validate that the input to the pattern match was a valid path string, so a pattern could expand to an unintended target URL." The vulnerability was reported by Context Information Security. Researchers said the weakness can be exploited to gain unauthorized access to highly sensitive resources inside an organization's DMZ, or "demilitarized zone," that should be available only to validated users. Source:
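The advisory quoted above says the weakness arises when a RewriteRule or ProxyPassMatch pattern is applied to request input that was never validated as a path, so that a capture can expand to a host the administrator never meant to proxy to. The audit script below is an added example, not Apache's own tooling or anything from the advisory: it scans a constructed httpd.conf fragment for proxying rewrite rules whose pattern is not pinned to the leading "/" of the request path, or whose target splices a capture directly after the host with no separating slash. The hostnames in the sample are made up for the example.

```python
"""Audit Apache reverse-proxy pattern rules for unanchored request-path matches.

Added example (not Apache's own tool). Two conditions are flagged for every
RewriteRule carrying the [P] flag and every ProxyPassMatch whose target uses a
$N back-reference:

  1. the regex does not start matching at the leading "/" of the path, so its
     first capture can absorb whatever precedes the path in the request target;
  2. the regex is anchored, but neither the capture nor the target supplies the
     "/" between the host and the spliced-in text.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

_REWRITE = re.compile(r'^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?', re.I)
_PPM = re.compile(r'^\s*ProxyPassMatch\s+(\S+)\s+(\S+)', re.I)
_BACKREF = re.compile(r'\$\d')


@dataclass
class Finding:
    line_no: int
    directive: str
    pattern: str
    reason: str


def pattern_is_anchored(pattern: str) -> bool:
    """True when the regex can only begin matching at the path's leading slash.

    "^/(.*)", "/(.*)" and "^(/.*)$" count as anchored; "(.*)\\.jpg" or ".*" do not.
    """
    return pattern.lstrip('^(').startswith('/')


def _slash_between_host_and_capture(pattern: str, target: str) -> bool:
    # Either the first capture itself starts with "/" (pattern "^(/...") or the
    # target writes its own "/" after the authority before the first $N.
    capture_has_slash = re.match(r'^\^?\(/', pattern) is not None
    target_has_slash = re.match(r'^\w+://[^/$]+/', target) is not None
    return capture_has_slash or target_has_slash


def _check(line_no: int, directive: str, pattern: str, target: str) -> Optional[Finding]:
    if not _BACKREF.search(target):
        return None  # nothing from the request is spliced into the target
    if not pattern_is_anchored(pattern):
        return Finding(line_no, directive, pattern,
                       "pattern does not anchor on the leading '/' of the request path")
    if not _slash_between_host_and_capture(pattern, target):
        return Finding(line_no, directive, pattern,
                       "capture is inserted directly after the host with no separating '/'")
    return None


def audit_config(text: str) -> List[Finding]:
    """Return one Finding per risky proxying directive in an httpd.conf fragment."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = _REWRITE.match(line)
        if m:
            pattern, target, flags = m.groups()
            flag_set = {f.strip().upper() for f in (flags or '').split(',')}
            if flag_set & {'P', 'PROXY'}:  # only rules that proxy, not redirects
                hit = _check(line_no, 'RewriteRule', pattern, target)
                if hit:
                    findings.append(hit)
            continue
        m = _PPM.match(line)
        if m:
            hit = _check(line_no, 'ProxyPassMatch', *m.groups())
            if hit:
                findings.append(hit)
    return findings


# Constructed sample configuration; hostnames are placeholders for the example.
SAMPLE_CONF = """\
RewriteEngine On
# weak: the capture starts before the leading slash and lands right after the host
RewriteRule (.*)\\.(jpg|gif|png) http://images.internal.example$1.$2 [P]
# hardened: pattern pinned to the path, and the target supplies its own slash
RewriteRule ^/(.*)\\.(jpg|gif|png) http://images.internal.example/$1.$2 [P]
# a redirect, not a proxy: outside this audit
RewriteRule (.*) http://www.example.com$1 [R=301,L]
# the capture itself includes the leading slash, so appending it bare is fine
ProxyPassMatch ^(/.*\\.gif)$ http://backend.internal.example$1
# anchored, but neither side supplies the slash between host and capture
ProxyPassMatch ^/(.*)$ http://backend.internal.example$1
# no back-reference in the target, so nothing from the request is spliced in
ProxyPassMatch .* http://backend.internal.example/
"""

if __name__ == '__main__':
    for f in audit_config(SAMPLE_CONF):
        print(f"line {f.line_no}: {f.directive} {f.pattern!r}: {f.reason}")
```

Run against the sample, the script reports only the two risky directives (lines 3 and 11 of the fragment); the hardened RewriteRule, the redirect, and the two safe ProxyPassMatch lines pass. The check is a configuration-side review aid for the conditions the advisory names; it does not replace applying the vendor's fix.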

35. October 6, The Register – (International) Android malware under blog control says Trend Micro. Trend Micro has found a Chinese Android malware that operates partly under the command and control of a blog. The ANDROIDOS_ANSERVERBOT(dot)A malware is disguised as an e-book reader offered on a third-party Chinese app store. It uses two command and control (C&C) servers, one of them served out of a blog with encrypted posts. Posts to the blog identify the URL of the primary C&C server. This presumably gives the malware’s makers a way to move their C&C server around to avoid detection. The blog also hosts new copies of ANDROIDOS_ANSERVERBOT(dot)A which are downloaded when the software connects. The security company also notes that upon installation, the supposed e-book reader asks for an unreasonable number of permissions. Should the user allow installation after reading the permission requests, the malware can access network settings and the Internet, control a device’s vibration alert, disable key locks, make calls, read low-level logfiles, read and write contact details, restart apps, wake the device, and use SMS. Targeted at Chinese users, the app also disables security software from Qihoo360 and Tencent, among others. Source:

36. October 5, IDG News Service – (International) Drive-by download attack on Facebook used malicious ads. Antivirus vendor Trend Micro has detected a drive-by download attack on Facebook that used malicious advertisements to infect users with malware. "We encountered an infection chain, wherein the user is led from a page within Facebook to a couple of ad sites, and then finally to a page that hosts exploits," the company's security researchers warned October 4. "When we traced the connection between the ad sites and Facebook, we found the ad providers were affiliated with a certain Facebook application. We checked on the said app, and found that it is indeed, ad-supported." Such "malvertising" attacks are usually the result of lax background screening practices by ad networks or sales teams. Attackers impersonate legitimate advertisers to get ads approved and later swap them with malicious code. Facebook has also dealt with this form of abuse in the past, but in those cases the ads were used to display fake security alerts that led to scareware. Malvertisements that bundle drive-by download exploits for vulnerabilities in popular browser plug-ins, or even the browser itself, are much more dangerous since they do not require any user interaction. In this case, users were directed to a page that loaded Java and ActiveX exploits; while the targeted ActiveX vulnerability was patched in 2006, the Java ones were more recent, dating from 2010. Source:

37. October 5, threatpost – (International) Malware using white lists, forgery, kernel attacks to stay alive. Rootkit programs are increasingly mimicking antivirus programs, adopting self-protection features and application whitelists to maintain control over the systems they infect, according to a presentation at the annual Virus Bulletin Conference. A research scientist at McAfee told an audience of antivirus researchers that self-protection features have become common in many leading families of rootkits, such as TDSS and TDL4. Application whitelists that allow only applications approved by the rootkit authors to run are used to disable hostile programs, while built-in monitoring features to shut down anti-malware programs and prevent critical malware components from being disabled have also been observed in newer-generation rootkits. The research scientist said McAfee researchers are increasingly finding evidence of attempts to kill antivirus and anti-rootkit drivers using attacks at the kernel level of an infected system. While malware attempts to shut down antivirus programs within the user-mode environment have been well documented, kernel-mode attacks to snuff out AV programs are a newer development, and much harder to thwart, he said. Source:

For more stories, see items 11 and 15 above in the Banking and Finance Sector and 38 below in the Communications Sector

Communications Sector

38. October 5, IDG News Service – (National) FCC tells retailers to stop selling mobile phone jammers. The Federal Communications Commission (FCC) has issued warnings to 20 online retailers selling illegal mobile phone jammers, GPS jammers, Wi-Fi jammers, and other signal jamming devices, the agency said October 5. The sale and use of devices that jam the signals of authorized radio communications are illegal in the United States, the FCC said in its enforcement action. The agency will "vigorously" prosecute violations going forward, it said in a press release. "Jamming devices pose significant risks to public safety and can have unintended and sometimes dangerous consequences for consumers and first responders," the chief of the FCC's enforcement bureau said in a statement. Jammers, sometimes used in classrooms, theaters and churches, are prohibited because they can prevent individuals from contacting police and fire departments or family members during an emergency, the FCC said. The 20 retailers were marketing more than 200 jamming devices, the FCC said. Among the jammers being sold were GPS blockers for vehicles, high-tech signal blockers with remote control capabilities, and jammers disguised as paintings and cigarette packs, the agency said. The FCC ordered each online retailer to immediately stop marketing signal-jamming devices in the United States. If a retailer gets a second citation from the FCC, it could face fines ranging from $16,000 to $112,500, with a separate penalty possible for each device sold or each day a device is marketed, the agency said. Additional violations could result in the seizure of equipment and prison time, the FCC said. Source:

For more stories, see item 11, above in the Banking and Finance Sector and 35 and 36 in the Information Technology Sector