Monday, October 31, 2011

Complete DHS Daily Report for October 31, 2011

Daily Report

Top Stories

• An alleged radical Islamist gunman was wounded and taken to a hospital after a 30-minute attack that involved firing a Kalashnikov assault rifle at the U.S. Embassy in Bosnia. – Reuters (See item 30)

30. October 28, Reuters – (International) Gunman fires at U.S. embassy in Bosnia. A gunman fired on the U.S. Embassy in Bosnia October 28 in a 30-minute assault blamed by state television on a radical Islamist from neighboring Serbia, Reuters reported. The gunman was wounded by a police sniper during the attack in Sarajevo's busy downtown, in which a police officer was seriously wounded and shop workers scrambled for cover. Bosnian television identified the man who was carrying a Kalashnikov assault rifle, as a Serbian citizen. It said he had been visiting a community of hardline Islamists in northern Bosnia. The Muslim member of Bosnia's tripartite presidency, condemned the attack, saying the United States was a "proven friend" of Bosnia. A police spokesman said the gunman had been taken to a hospital for treatment, but that his injuries were not life-threatening. Embassy officials said the building had gone into "lockdown" during the assault, and no one in the embassy had been hurt. The police spokesman said one police officer was seriously wounded. He said police believed the gunman had acted alone, but that the investigation would reveal more. Source:

• Several New York City police officers pleaded not guilty October 28 to corruption charges in a sweeping probe that began with an investigation into whether a Bronx officer had ties to a drug dealer. – Associated Press (See item 34)

34. October 28, Associated Press – (New York) NYC officers plead not guilty in corruption probe after lengthy ticket-fixing investigation. New York City police officers pleaded not guilty October 28 to a range of corruption charges in a sweeping probe touched off by an investigation into whether a Bronx officer had ties to a drug dealer. In total, 16 officers were arraigned. The halls were swarmed with people, and hundreds of officers carrying signs stood outside the courthouse and applauded as the accused officers walked through. The Bronx officer pleaded not guilty to drug and other charges. An internal affairs lieutenant pleaded not guilty to charges she leaked information to union officials about the probe. The rest of the officers pleaded not guilty to charges including official misconduct and obstructing governmental authority after prosecutors said they abused their authority by helping family and friends avoid paying traffic tickets. The case evolved from a 2009 internal affairs probe of the Bronx officer, who owned a barber shop and was suspected of allowing a friend to deal drugs out of it. Prosecutors said he also transported drugs in uniform. While monitoring his phone, investigators intercepted calls from people asking whether he could fix tickets for them. The conversations led to more wiretaps that produced evidence of additional officers having similar conversations. Many of those arrested are high-level members of the union, the Patrolmen's Benevolent Association, the department's most powerful with 22,000 members. In terms of the number of officers facing criminal or internal administrative charges, the probe represents the largest crackdown on police accused of misconduct in recent memory. Dozens of other officers may face internal charges. Source:


Banking and Finance Sector

13. October 27, St. Paul Pioneer-Press – (Minnesota) Former Centennial mortgage exec pleads guilty to bank fraud. Appearing in Minneapolis before a U.S. district judge, a chief financial officer at Centennial Mortgage and Funding Inc. pleaded guilty October 27 to federal bank fraud charges, admitting to "material misrepresentations" to mortgage lenders that led to losses of between $7 million and $20 million. His corporate position involved deciding what lender funds could be used for. Centennial lined up "double funding" for clients' mortgage loans but did not tell its lenders about the extra cash generated in the transactions. He concealed information from the lenders, as did others at Centennial, he said. Others working at the mortgage firm concealed loan defaults from lenders. No one else has been charged in the case. He also admitted he participated in a check-kiting scheme, in which one checking account was falsely inflated with funds from another account to keep checks from bouncing. Source:

14. October 27, Federal Bureau of Investigation – (New Jersey) Leader of $200 million real estate investment scam charged in 45-count indictment with fraud and money laundering. A New Jersey U.S. attorney announced a man was indicted October 27 by a federal grand jury in Newark on charges alleging he ran an investment fraud scheme that caused losses of at least $200 million. According to the indictment and other documents filed in federal court, from June 2004 through August 2011, the defendant, with the help of others, orchestrated a real estate investment fraud scheme that induced victims to invest after making various types of materially false and misleading statements and omissions. For example, they represented to victims they had inside access to certain real estate opportunities that allowed the defendant to buy particular properties at below-market prices. They told victims their money would be used to purchase a specific property, and the property would be quickly resold, or "flipped," to a third-party purchaser lined up by the defendant. Victims were also told their money would be held in escrow until closing of a purported real estate transaction. The group produced various fake documents, including "show checks," which led victims to believe the group represented investments in specific transactions but were never deposited; forged checks, which had actually been negotiated for small amounts, but were altered to appear worth millions; operating agreements, which showed victims had ownership interests in specific properties they did not; and various kinds of forged legal documents, including leases, mortgages, and deeds. The group initially targeted victims from the Orthodox Jewish community, to which the defendant belonged, exploiting his standing in and knowledge of the customs and practices of the community to further the scheme.
The 45-count indictment charges the defendant with one count of conspiracy to commit wire fraud, 29 counts of wire fraud, two counts of wire fraud while on pretrial release, one count of bank fraud, and 12 counts of money laundering. Source:

Information Technology Sector

37. October 28, – (International) Apple fixes security flaws in Windows version of QuickTime. Apple is advising Windows users to update their systems following the release of a patch for the QuickTime media player tool. The company said in a security advisory that QuickTime 7.7.1 addresses 12 vulnerabilities in the Windows version of the platform, but does not affect Mac OS X users. Ten of the flaws could be targeted by way of a maliciously crafted PICT or FlashPix movie file to cause an application crash and allow remote code execution. The update also fixes a cross-site scripting flaw that could allow an attacker to insert code into an HTML file, and a vulnerability which could allow an attacker to view a user's memory contents by way of a malformed movie file. Apple urged Windows users to install the 7.7.1 update, which can be obtained through the Apple Software Update utility or manually downloaded from the Apple support site. The update supports Windows versions from XP to Windows 7. Source:

38. October 28, Help Net Security – (International) Facebook spammers trick users into sharing anti-CSRF tokens. Symantec researchers have spotted a new Facebook spamming technique they expect to be used a lot in the near future. Scammers make the victim's account post messages by executing a Cross-site Request Forgery (CSRF) attack after the victim has been tricked into sharing her anti-CSRF token generated by Facebook. Once they have the anti-CSRF token, the crooks can generate a valid CSRF token, which allows them to re-use an already authenticated session to the Web site to post the offending message unbeknownst to the user. The attack begins with a typical message inviting users to see an "amazing video" or similar content. A click on the link takes the user to a fake YouTube page, and when he wants to see the video, a window pops up telling him he must pass the "Youtube Security Verification". When he clicks on the Generate Code link, a request is sent to, which returns JavaScript code containing the session's anti-CSRF token in a separate window. After the user has copied and pasted the generated code into the empty field and pressed the "Confirm" button, he has sent the code to the attacker, who extracts the anti-CSRF token, creates a CSRF token, and inserts his own piece of code that executes the CSRF attack and posts the malicious message and link on the user's Facebook Wall. Source:
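The item above shows why a site should not treat possession of the anti-CSRF token as sufficient on its own. The following is an added illustration, not code from the report or from Facebook: a server-side check that binds the token to the session and additionally requires the request's Origin (or Referer) to be on an allowlist, so a token leaked to a third-party page through social engineering does not by itself authorize a cross-site post. The origin and field names are hypothetical.

```python
# Added example (not from the report): CSRF validation that requires both a
# session-bound token match AND an allowlisted request origin. Names and the
# allowed origin are hypothetical placeholders.
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_ORIGINS = {"https://www.example-social.test"}  # constructed placeholder


def issue_token(session: dict) -> str:
    """Bind a fresh random anti-CSRF token to the server-side session."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def origin_of(headers: dict) -> Optional[str]:
    """Return scheme://host from the Origin header, falling back to Referer."""
    raw = headers.get("Origin") or headers.get("Referer")
    if not raw:
        return None
    parts = urlsplit(raw)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def is_valid_post(session: dict, form: dict, headers: dict) -> bool:
    """Accept a state-changing POST only if token and origin both check out."""
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token")
    if not expected or not supplied:
        return False
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(expected, supplied):
        return False
    # A missing or foreign origin is rejected even when the token is correct,
    # which is what defeats a token that was handed to an attacker's page.
    return origin_of(headers) in ALLOWED_ORIGINS
```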

39. October 27, IDG News Service – (International) Researcher finds major flaw in Facebook. A security penetration tester discovered a major flaw in Facebook that could allow a person to send anyone on the social-networking site malicious applications. A senior security penetration tester at technology consultancy CDW discovered the vulnerability and publicly disclosed it October 27 on his blog. The flaw was reported to Facebook September 30, which acknowledged the issue October 26, he wrote. The security tester wrote Facebook does not normally allow a person to send an executable attachment using the "Message" tab. If you try to do that, it returns the message "Error Uploading: You cannot attach files of that type." He wrote that an analysis of the browser's "POST" request sent to Facebook's servers showed a variable called "filename" is parsed to see if a file should be allowed. But by modifying the POST request with a space just after the file name, an executable could be attached to the message. A person would not have to be an approved friend of the sender, as Facebook allows people to send messages to anyone. The danger is a hacker could use social engineering techniques to coax someone to launch the attachment, which could infect their computer with malware. Source:
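The weakness described above is a filter that inspects the literal "filename" field. As an added illustration (not code from the report or from Facebook), here is a naive extension blocklist of that kind beside a hardened check that normalizes the name before deciding and uses an allowlist instead; the extension lists are constructed for the example.

```python
# Added example (not from the report): a naive attachment filter that a
# trailing space slips past, next to a hardened version that normalizes the
# filename first and allowlists extensions. Extension sets are illustrative.
import posixpath
import unicodedata

BLOCKED = {".exe", ".com", ".bat", ".scr", ".msi", ".js"}      # naive blocklist
ALLOWED = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}     # hardened allowlist


def naive_extension(filename: str) -> str:
    """Extension exactly as supplied; trailing whitespace survives."""
    dot = filename.rfind(".")
    return filename[dot:].lower() if dot >= 0 else ""


def naive_is_allowed(filename: str) -> bool:
    """Blocklist check on the raw string: 'payload.exe ' is not in BLOCKED."""
    return naive_extension(filename) not in BLOCKED


def normalize_filename(filename: str) -> str:
    """Drop path components, NUL bytes, Unicode variants, trailing dots/spaces."""
    name = unicodedata.normalize("NFKC", filename)
    name = name.replace("\\", "/").replace("\x00", "")
    name = posixpath.basename(name)
    # Windows ignores trailing dots and spaces when opening a file, so the
    # check must strip them before looking at the extension.
    return name.strip().rstrip(". ").strip()


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist check on the normalized name; anything unexpected is refused."""
    name = normalize_filename(filename)
    if not name or name.startswith("."):
        return False
    ext = posixpath.splitext(name)[1].lower()
    return ext in ALLOWED
```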

40. October 27, Associated Press – (International) Phishing scam masked as email from StubHub lands in inboxes; company warns customers to avoid. An e-mail scam masked as an order confirmation from StubHub landed in countless mailboxes October 27, the Associated Press reported. The San Francisco-based online ticket broker was deluged with phone calls within a few hours, said a spokesman. The company placed a warning notice on its home page advising recipients not to click on any link in the e-mail. The e-mail looks like a receipt for an order for two tickets to a boxing match in Las Vegas November 12. It appears to be sent by StubHub, and the charge is $2,766.95. The spokesman said no accounts have been charged. The e-mail apparently went to StubHub users and individuals who have never purchased tickets from the site. The fake e-mail seeks to dupe recipients into clicking on the embedded links to obtain sensitive information like credit card account numbers and passwords. StubHub does not display credit card details on its site, but the spokesman said it is possible to order tickets from an established account with stored payment data. The fake StubHub e-mail appears to have originated in Eastern Europe, the spokesman said. Source:

Communications Sector

41. October 28, Homeland Security Today – (National) FCC issues final guidelines for nationwide EAS test. The Federal Communications Commission has posted its final Emergency Alert System (EAS) handbook for the nation’s first EAS test that's scheduled for November 9th. The handbook was prepared as a guide to broadcasters, cable television systems, wireless cable systems, wireline video providers, satellite digital audio radio service providers, and direct broadcast satellite service providers, all of whom are required by law to participate in the test. The handbook supersedes all previous EAS handbooks only during the operation of the nationwide EAS test. The emergency exercise of the EAS will take place November 9 at 1 p.m. Central Standard Time, or 2 p.m. Eastern Standard Time. Source:

For more stories, see items 38 and 39 above in the Information Technology Sector