Wednesday, November 16, 2011

Complete DHS Daily Report for November 16, 2011

Daily Report

Top Stories

• Information security deficiencies at the IRS put sensitive taxpayer data at risk, according to a financial audit by the Government Accountability Office. – threatpost (See item 14 below in the Banking and Finance Sector)

• The California Department of Transportation fired two employees amid investigations into faulty — and in some instances falsified — structural testing on bridges and highway projects across the state. – Los Angeles Times (See item 21)

21. November 15, Los Angeles Times – (California) Caltrans fires two over structural testing issues. The California Department of Transportation (Caltrans) has fired two employees amid investigations into faulty — and in some instances falsified — structural testing on bridges and highway projects across the state, including a carpool lane connector and an under-crossing retaining wall in the Los Angeles area. During a news conference November 14, Caltrans officials identified the employees as a former technician who tested bridge and freeway structures, and the head of the agency’s foundation testing unit who supervised him. The firings coincide with investigations by the Sacramento Bee newspaper, the Federal Highway Administration (FHWA), and Caltrans. Agency officials said the technician was terminated because of fabrications, and the supervisor was fired for “misusing state materials.” The Bee reported November 12 that at least three fabrications and other errors by the technician raised questions about the integrity of dozens of bridges and freeway structures in California, including the main tower of the new San Francisco-Oakland Bay Bridge. The acting Caltrans director said the agency reexamined the Bay Bridge tower, as well as projects with fabricated test data, and concluded they are structurally sound. In Southern California, the technician reportedly falsified 2007 test data for a retaining wall at the Braddock Drive under-crossing for the San Diego Freeway in West Los Angeles. After questions were raised, Caltrans officials said, the wall was rebuilt. The technician also fabricated test results in 2008 for a ramp on the Riverside Freeway at La Sierra Avenue in Riverside, the Bee reported. The falsification was discovered and the ramp was satisfactorily retested. Source:


Banking and Finance Sector

13. November 15, Middletown Times Herald-Record – (New York; International) State police charge NYC man in ID theft case with local ties. New York State police have charged a man with felony identity theft following an investigation involving stolen credit card information, Russian computer hackers, and a Smoker’s Choice cigarette store, the Middletown Times Herald-Record reported November 15. The suspect was arrested right after being released from Columbia County Jail, in connection with a victim whose credit card number was used at a Walmart in Greenport to buy gift cards. Police said more than 200 residents in the Columbia County area had credit card numbers stolen in August and used illegally. After investigating, police said they found a Columbia County Smoker’s Choice cigarette store in Greenport was involved. State police said the business fully cooperated and let them review computers at the firm’s headquarters. Analysis showed the computers were broken into by hackers in Russia. Police are investigating the suspect’s connection to the hackers. In September, the suspect pleaded guilty to felony attempted second-degree criminal possession of a forged instrument after trying to buy gift cards from a Wallkill Walmart with forged credit cards. Source:

14. November 15, threatpost – (National) IRS security deficiencies may put taxpayer data at risk. Information security failings are making it impossible for the U.S. Internal Revenue Service (IRS) to get its financial house in order and could be putting taxpayers’ sensitive information at risk, according to a financial audit of the agency by the Government Accountability Office (GAO) released November 10. Deficiencies in information security continued to constitute material weaknesses in the IRS’s internal control over the 2010-2011 fiscal year, as the IRS made meager progress addressing security concerns identified in previous audits. The GAO estimates the IRS corrected only 15 percent of the 105 previous security related recommendations from previous reviews. Past audits have revealed the IRS has difficulty maintaining control over and access to automated systems and software it uses to process financial transactions, produce internal and external financial reports, and safeguard related sensitive data. The “IRS was limited in its ability to provide reasonable assurance that ... proprietary financial and taxpayer information was appropriately safeguarded,” the GAO found. According to the audit, the GAO claims material weaknesses in security limited the IRS’s ability to reasonably ensure financial statements are fairly presented in conformity with generally accepted accounting principles, that financial information relied upon by management in day-to-day decision making is current, complete, and accurate, and that proprietary data being processed by automated systems is appropriately safeguarded. “These issues increase the risk of unauthorized individuals accessing, altering, or abusing proprietary IRS programs and electronic data and taxpayer information,” the report states. Source:

15. November 14, U.S. Federal Trade Commission – (Nevada) FTC wins $29.8 million judgment in bogus government grant case. The Federal Trade Commission (FTC) has won a $29.8 million judgment against the remaining defendants behind a deceptive marketing operation known as Grant Connect, the FTC announced November 14. The court’s order also permanently bans the defendants from promoting a variety of products and services similar to those they deceptively pitched to consumers around the country. The FTC charged the defendants with deceiving consumers by making misleading and unsubstantiated claims about bogus products and services, including one that supposedly would help them get free government grants. The U.S. District Court for the District of Nevada found the defendants marketed their grant products using pictures of the U.S. President and the American flag to bolster the impression billions of dollars in free government grants were available quickly and easily for personal needs. The court also found the defendants: deceptively marketed dietary supplements using claims unsupported by scientific research; failed to adequately disclose their credit offers were merely memberships to a shopping club; made unsupported claims consumers could earn thousands of dollars per month with a work-from-home business opportunity; failed to adequately disclose consumers who bought their products or services would be enrolled in continuity plans with significant monthly fees, often for a variety of unrelated products; used fake testimonials to promote products; and debited consumers’ bank accounts on a recurring basis without obtaining consumers’ permission. The court order grants the FTC’s motion for summary judgment against seven defendants, and 18 affiliated companies. Source:

16. November 14, U.S. Securities and Exchange Commission – (National) SEC charges Philadelphia-based business owner for defrauding investors through an offering scheme involving U.S. Treasury STRIPS. The Securities and Exchange Commission (SEC) November 14 filed a complaint in federal court in the Southern District of New York charging a businessman and his company TL Gilliams, LLC (TLG) with fraud for misappropriating about $5 million from investors through an offering scheme involving U.S. Treasury Separate Trading of Registered Interest and Principal Securities (STRIPS). According to the complaint, the businessman and TLG, from at least June 2010 through April 2011, claimed to have a STRIPS Trading Program. The businessman claimed he would pool and use investor money to engage in large purchases and sales of STRIPS, and that the program would yield weekly returns of 5 percent and was virtually risk-free. The complaint alleges he did not invest any funds received from investors in Treasury STRIPS, but rather used the money to support his lavish lifestyle. In February 2011, the complaint alleges he filed paperwork with the SEC indicating TLG’s intent to raise an “indefinite” amount of funds from investors in connection with the “Black Fox Fund,” an unregistered entity he created. The complaint also alleges he used a series of middlemen who had access to investors or who controlled investment funds. He promised the middlemen finder fees, and paid some of them from the $5 million he ultimately obtained. He provided the middlemen and potential investors detailed data about his own experience trading STRIPS and his purported STRIPS Trading Program, including information regarding investment minimums, the expected trading frequency, and the expected rate of returns. According to the complaint, nearly all of the data was false. The SEC seeks injunctive relief, disgorgement, prejudgment interest, and civil penalties. The U.S. Attorney’s Office for the Southern District of New York also filed an indictment November 14 charging the man with wire fraud and securities fraud. Source:

17. November 10, Salt Lake Tribune – (Utah; California; West Virginia) Utah man pleads guilty to mortgage fraud. A Utah man pleaded guilty November 10 in West Virginia federal court to criminal charges in connection with a mortgage fraud scheme. The man pleaded guilty to conspiracy to commit wire fraud and bank fraud involving properties in Hurricane, West Virginia. He also pleaded guilty to mail fraud stemming from dealings in Modesto, California. The defendant operated a company called “The Gift Program” in the early and mid-2000s that he claimed completed deals where sellers paid down payments and initial mortgage payments on real estate. However, he admitted he instead used it to defraud lenders by obtaining inflated appraisals and not informing them that part of the loan was going to down payments and initial mortgage payments. Also, he admitted an associate was part of the scheme, the U.S. attorney’s office in Charleston, West Virginia said in a news release. The associate allegedly found investors to purchase properties at fraudulently inflated prices, and the defendant then used The Gift Program to fund the transaction. Investors eventually defaulted on the loans, costing the lender $2 million. The defendant also admitted he illegally flipped 20 properties in Modesto with losses in excess of $5.5 million. He faces up to 60 years in prison, and a $2 million fine. Source:

18. November 10, KNBC 4 Los Angeles – (California) Geezer Bandit strikes again. The “Geezer Bandit” appeared to be back in familiar territory in the San Diego area, KNBC 4 Los Angeles reported November 10. The bandit entered a Wells Fargo Bank inside a La Jolla Vons at 7544 Girard Avenue September 30 at about 6:30 p.m., the FBI said. He was armed with a black revolver and wearing large glasses with a gray suit over his thin build. The FBI reminded the public about a $20,000 reward to help nab the “Geezer,” so named because he appears to be older. He is suspected of robbing 15 banks in California. The original reward came after the bandit struck for the 14th time at a bank in Morro Bay in May, the FBI said. He is suspected of pulling off 10 other San Diego-area heists in cities including Poway, Santee, and Carmel Valley since 2009. His image has been caught on surveillance videos in banks in Temecula, Bakersfield, and Goleta. Witnesses describe the bandit as an older man who appeared to be in his 60s or 70s. Police, however, believe the suspect may be using a disguise to age his appearance. The robber, who had threatened bank tellers with what appeared to be a revolver, has also been seen carrying an oxygen tank, according to the FBI. Source:

Information Technology

34. November 15, Network World – (International) Researchers find new way to hide messages in VoIP. Researchers have devised a new scheme for hiding secret data within VoIP packets, making it possible to carry on legitimate voice conversations while stolen data piggybacks on the call undetected, making its way to thieves on the outside. Called transcoding steganography or TranSteg, the method transcodes the voice into a lower-bitrate codec than the one the call advertises, keeps the original, larger payload size in each VoIP packet, and uses the room freed by the transcoding to carry covert messages. In their experiment, the researchers could send 2.2MB of covert data in each direction during an average 7-minute phone call. Source:
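The following is an added simulation of the TranSteg mechanism, written for this page and not taken from the researchers' work or the Network World article. It assumes the advertised codec is PCMU (G.711 mu-law, 160 bytes per 20 ms frame) and stands in a toy 2:1 "transcoder" for the real lower-rate codec (the researchers' codec pair gave more room per packet, hence their 2.2MB figure versus the 1.6MB this pairing yields). It builds the RTP packets of a stego call, recovers the covert stream on the receiving side, and adds a simple steganalysis heuristic: the tail of a genuine PCMU payload looks like the head, while a tail of compressed or encrypted covert data is far closer to uniform. The tone used as "speech" and the covert stream are constructed; the split point the detector uses is an assumption (it depends on the hidden codec's frame size).

```python
"""Added TranSteg simulation (constructed example; not the page's or the researchers' code).
Voice is transcoded from PCMU (160 bytes / 20 ms) to a stand-in 80-byte codec, but the RTP
packet keeps the PCMU payload type and size; the freed 80 bytes carry covert data."""
import hashlib
import math
import struct

PT_PCMU = 0                 # RTP payload type 0: PCMU, 8 kHz, 64 kbit/s
PCMU_FRAME_BYTES = 160      # 20 ms at 8000 samples/s, one mu-law byte per sample
LOW_RATE_FRAME_BYTES = 80   # assumed lower-rate codec frame (e.g. a 32 kbit/s codec)
SAMPLE_RATE = 8000


def mulaw_encode(sample: int) -> int:
    """Standard G.711 mu-law encoder for one 16-bit linear sample."""
    bias, clip = 0x84, 32635
    sign = 0x80 if sample < 0 else 0
    sample = min(abs(sample), clip) + bias
    exponent, mask = 7, 0x4000
    while exponent > 0 and not sample & mask:
        exponent, mask = exponent - 1, mask >> 1
    mantissa = (sample >> (exponent + 3)) & 0x0F
    return ~(sign | (exponent << 4) | mantissa) & 0xFF


def synth_voice_frame(frame_index: int, freq_hz: int = 300, amp: int = 8000) -> bytes:
    """Constructed stand-in for speech: one 20 ms frame of a tone, mu-law coded."""
    start = frame_index * PCMU_FRAME_BYTES
    return bytes(mulaw_encode(round(amp * math.sin(2 * math.pi * freq_hz * n / SAMPLE_RATE)))
                 for n in range(start, start + PCMU_FRAME_BYTES))


def build_rtp(seq: int, ts: int, ssrc: int, payload: bytes, pt: int = PT_PCMU) -> bytes:
    """Fixed 12-byte RTP header (RFC 3550): version 2, no padding/extension/CSRCs."""
    return struct.pack("!BBHII", 0x80, pt, seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc) + payload


def parse_rtp(pkt: bytes) -> dict:
    _, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    return {"pt": b1 & 0x7F, "seq": seq, "ts": ts, "ssrc": ssrc, "payload": pkt[12:]}


def transcode_down(pcmu_frame: bytes) -> bytes:
    """Toy 2:1 'transcoder' (keeps every other sample); real TranSteg uses a real codec."""
    return pcmu_frame[::2]


def transcode_up(low_rate_frame: bytes) -> bytes:
    return bytes(b for b in low_rate_frame for _ in (0, 1))


def transteg_embed(pcmu_frame: bytes, covert: bytes):
    """Sender side: returns (payload, still 160 bytes; covert bytes not yet sent)."""
    low = transcode_down(pcmu_frame)
    room = PCMU_FRAME_BYTES - len(low)
    return low + covert[:room].ljust(room, b"\x00"), covert[room:]


def transteg_extract(payload: bytes):
    """Receiver side: returns (reconstructed voice frame, covert bytes in this packet)."""
    return transcode_up(payload[:LOW_RATE_FRAME_BYTES]), payload[LOW_RATE_FRAME_BYTES:]


def covert_capacity_bytes(call_seconds: int, frame_ms: int = 20) -> int:
    """Covert bytes per direction for a call of the given length with this codec pair."""
    return (call_seconds * 1000 // frame_ms) * (PCMU_FRAME_BYTES - LOW_RATE_FRAME_BYTES)


def send_call(covert: bytes, n_frames: int, stego: bool = True, ssrc: int = 0x1234ABCD) -> list:
    pkts = []
    for i in range(n_frames):
        frame = synth_voice_frame(i)
        if stego:
            frame, covert = transteg_embed(frame, covert)
        pkts.append(build_rtp(i, i * PCMU_FRAME_BYTES, ssrc, frame))
    return pkts


def receive_call(pkts: list) -> bytes:
    return b"".join(transteg_extract(parse_rtp(p)["payload"])[1] for p in pkts)


def entropy_bits(data: bytes) -> float:
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def transteg_suspect(pkts: list, threshold_bits: float = 1.0) -> bool:
    """Steganalysis heuristic over the whole stream: compare byte entropy of the first and
    second half of every PCMU payload. Genuine speech looks alike in both halves."""
    payloads = [parse_rtp(p)["payload"] for p in pkts if parse_rtp(p)["pt"] == PT_PCMU]
    head = b"".join(pl[:LOW_RATE_FRAME_BYTES] for pl in payloads)
    tail = b"".join(pl[LOW_RATE_FRAME_BYTES:] for pl in payloads)
    return entropy_bits(tail) - entropy_bits(head) > threshold_bits


def constructed_covert(n_bytes: int) -> bytes:
    """Deterministic stand-in for an encrypted exfiltration stream."""
    out = b""
    for i in range(n_bytes // 32 + 1):
        out += hashlib.sha256(i.to_bytes(4, "big")).digest()
    return out[:n_bytes]


if __name__ == "__main__":
    secret = constructed_covert(25 * (PCMU_FRAME_BYTES - LOW_RATE_FRAME_BYTES))
    stego, clean = send_call(secret, 25), send_call(b"", 25, stego=False)
    print("covert recovered:", receive_call(stego) == secret)
    print("stego flagged:", transteg_suspect(stego), "| clean flagged:", transteg_suspect(clean))
    print("7-minute call capacity (bytes/direction):", covert_capacity_bytes(420))
```

The point of the exercise is that nothing in the packet headers changes: payload type, size, timing and sequence numbers are all those of a normal PCMU call, so a detector has to look at whether the payload bytes are consistent with the codec the packet claims. The half-and-half entropy split is a deliberately simple heuristic; a real steganalysis would search for the boundary rather than assume it.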

35. November 15, Softpedia – (International) Worm comes as Office Genuine Advantage Checker on IM. An executable file that usually comes through instant messaging applications, pretending to be an Office Genuine Advantage (OGA) Checker, turns out to be a malicious worm that opens a backdoor to allow attackers to take over a machine. Bitdefender researchers report the file, programmed in Visual Basic, comes as an executable called office_genuine(dot)exe and, even though Microsoft retired its OGA program almost a year ago, the application that pretends to check the legitimacy of Office products is still circulating. The piece of malware, identified as Win32.Worm.Coidung.B, is also paired with a file infector detected as Win32.Virtob. It is not yet certain if they were combined on purpose or if the latter was attached by mistake. As soon as it is executed, the worm disables the operating system’s firewall and opens a gateway through which further commands are issued. After gaining control of the system, the attacker can do anything from DoS to data theft. By copying itself into several hidden locations, including the registry and the start-up folder, the malware makes sure that every time the computer starts, it can perform its malicious functions. Source:
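As an added triage example (written for this page; not Bitdefender's or the page's own code), the script below checks the three things the item says this worm tampers with: autostart entries in the Run keys, executables dropped in the Startup folder, and the state of the Windows Firewall. It parses constructed text in the formats that `reg export` and `netsh advfirewall show allprofiles` produce, so it runs offline; the paths, value names and folder listing in the samples are made up, and `office_genuine.exe` is the only name taken from the item. The user-writable-path hints and file-extension list are assumptions, not a definition of the worm.

```python
"""Added autostart / firewall triage (constructed example; not the page's or Bitdefender's code).
Inputs are text in the formats of `reg export` and `netsh advfirewall show allprofiles`."""
import re

# Assumed: directories a legitimate autostart rarely launches from (lower-case substrings).
USER_WRITABLE_HINTS = ("\\temp\\", "\\users\\public\\", "\\programdata\\",
                       "\\recycler\\", "\\$recycle.bin\\", "\\downloads\\")
AUTORUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.I)
DIRECT_EXEC = (".exe", ".vbs", ".bat", ".cmd", ".scr", ".com")  # .lnk is normal in Startup


def _unescape_reg(value: str) -> str:
    """Undo .reg string escaping: a backslash escapes the next character (\\\\ and \\")."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1]); i += 2
        else:
            out.append(value[i]); i += 1
    return "".join(out)


def parse_run_keys(reg_export: str) -> list:
    """(key, value name, command line) for string values under Run / RunOnce keys."""
    entries, key = [], None
    for raw in reg_export.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = re.match(r'^"(.+?)"="(.*)"$', line)
        if key and m and AUTORUN_KEY.search(key):
            entries.append((key, m.group(1), _unescape_reg(m.group(2))))
    return entries


def executable_path(command: str) -> str:
    """The program in a command line: a quoted path, or text up to the first .exe."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.I)
    return m.group(1) if m else command.split()[0] if command else ""


def firewall_profiles_off(netsh_output: str) -> list:
    """Profiles whose State is OFF in `netsh advfirewall show allprofiles` output."""
    off, profile = [], None
    for line in netsh_output.splitlines():
        m = re.match(r"^\s*(\w+) Profile Settings:", line)
        if m:
            profile = m.group(1)
        elif profile and re.match(r"^\s*State\s+OFF\s*$", line, re.I):
            off.append(profile)
    return off


def triage(reg_export: str, netsh_output: str, startup_listing: list) -> list:
    findings = []
    for key, name, cmd in parse_run_keys(reg_export):
        if any(h in executable_path(cmd).lower() for h in USER_WRITABLE_HINTS):
            findings.append(f"autorun from user-writable path: {key}\\{name} -> {cmd}")
    for f in startup_listing:
        if f.lower().endswith(DIRECT_EXEC):
            findings.append(f"executable dropped in Startup folder: {f}")
    for p in firewall_profiles_off(netsh_output):
        findings.append(f"Windows Firewall {p} profile is OFF")
    return findings


# Constructed samples (paths, names and hostnames are invented for the example).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"VendorUpdater"="\"C:\\Program Files\\Vendor\\updater.exe\" /quiet"
"office_genuine"="C:\\Users\\alice\\AppData\\Local\\Temp\\office_genuine.exe"
'''
SAMPLE_NETSH = """Domain Profile Settings:
----------------------------------------------------------------------
State                                 OFF
Firewall Policy                       BlockInbound,AllowOutbound

Private Profile Settings:
----------------------------------------------------------------------
State                                 OFF

Public Profile Settings:
----------------------------------------------------------------------
State                                 OFF
"""
SAMPLE_STARTUP = ["desktop.ini", "Notes.lnk", "office_genuine.exe"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, SAMPLE_NETSH, SAMPLE_STARTUP):
        print(finding)
```

On a live host the same functions can be fed the real outputs (`reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg`, `netsh advfirewall show allprofiles`, and a listing of the user's Startup folder); any firewall profile reported OFF on a managed workstation is worth an immediate look regardless of what the autoruns show.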

36. November 14, – (International) Google overtakes Microsoft in reported security vulnerabilities. Google overtook Microsoft in having the largest number of reported vulnerabilities in its products, according to the latest quarterly Threat Roundup from Trend Micro. Total reported vulnerabilities increased from 901 in the second quarter of 2011 to 990 in the third quarter, and Google’s quota jumped from 65 to 82 to put the company into the top spot ahead of Oracle and Microsoft. The number of reported Microsoft vulnerabilities fell from 96 to 58, while Oracle saw a spike from 50 to 63, placing it in second place. Trend Micro explained the jump in Google security problems was caused mainly by the Chrome browser, but that none of the flaws in Chrome was as severe as those in Microsoft products. Source:

37. November 14, threatpost – (International) TDSS rootkit and DNSchanger: An unholy alliance. One of the newer jobs the TDSS rootkit has been assigned is to deliver the DNSchanger trojan. The malware’s main function is to hijack the victim’s Web traffic by changing the DNS settings on the infected machine, redirecting the user to malicious sites rather than the ones they intend to visit. Once the trojan has changed the DNS configuration on the machine, DNS queries from the PC will be sent to attacker-controlled DNS servers, allowing the attackers to force the user to visit malicious sites. The attackers can use that traffic for a number of things, including installing other pieces of malware or as part of a pay-per-click ad fraud scheme. Researchers at Dell SecureWorks said they have been seeing between 600,000 and 1 million unique IP addresses infected with the DNSchanger trojan in recent weeks, and they have seen TDSS downloading and installing the trojan. Source:
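The symptom DNSchanger leaves behind is that a host's configured resolvers are no longer the ones its owner or organization put there. The following is an added detection example, written for this page rather than taken from the threatpost article or from Dell SecureWorks: it pulls the configured DNS servers out of `ipconfig /all` output (Windows) and `/etc/resolv.conf` (Linux) and reports any that are not on an allowlist. The allowlist addresses, the sample outputs, and the `203.0.113.0/24` addresses standing in for attacker-controlled resolvers are all constructed (that block is a documentation range, not a real DNSchanger address); no specific rogue ranges from the real campaign are asserted here.

```python
"""Added DNS-resolver audit (constructed example; not the page's or SecureWorks' code).
Flags configured resolvers that are not on the allowlist a managed host should use."""
import ipaddress
import re

# Assumed allowlist for a hypothetical environment; replace with your own resolvers.
EXPECTED_RESOLVERS = {ipaddress.ip_address(a) for a in ("10.0.0.53", "10.0.1.53")}


def _addr(token: str):
    return ipaddress.ip_address(token.split("%", 1)[0])  # drop an IPv6 zone index


def resolvers_from_ipconfig(text: str) -> list:
    """DNS servers from `ipconfig /all` output. The first server follows the
    'DNS Servers' label; further servers appear alone on indented lines."""
    found, in_dns_block = [], False
    for line in text.splitlines():
        m = re.match(r"^\s*DNS Servers[ .]*:\s*(\S+)", line)
        if m:
            found.append(_addr(m.group(1)))
            in_dns_block = True
        elif in_dns_block:
            try:
                found.append(_addr(line.strip()))
            except ValueError:
                in_dns_block = False
    return found


def resolvers_from_resolv_conf(text: str) -> list:
    """nameserver entries from /etc/resolv.conf, with comments stripped."""
    found = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            found.append(_addr(parts[1]))
    return found


def rogue_resolvers(found: list, expected=EXPECTED_RESOLVERS) -> list:
    """Configured resolvers that are not on the allowlist. A loopback stub resolver
    (127.0.0.53, ::1) is reported as well: its upstream list must be checked separately."""
    return [ip for ip in found if ip not in expected]


# Constructed sample outputs; 203.0.113.0/24 is a documentation range standing in for
# attacker-controlled resolvers.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : WS-CONSTRUCTED
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 10.0.5.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.5.1
   DNS Servers . . . . . . . . . . . : 203.0.113.10
                                       203.0.113.11
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""
SAMPLE_RESOLV_CONF = """\
# constructed sample
search corp.example
nameserver 10.0.0.53
nameserver 10.0.1.53
"""

if __name__ == "__main__":
    for label, found in (("windows host", resolvers_from_ipconfig(SAMPLE_IPCONFIG)),
                         ("linux host", resolvers_from_resolv_conf(SAMPLE_RESOLV_CONF))):
        bad = rogue_resolvers(found)
        print(f"{label}: {'ROGUE ' + ', '.join(map(str, bad)) if bad else 'ok'}")
```

A configuration check alone does not catch every variant: some DNS-changing malware alters the settings of a home router rather than the host, so the host still shows the router's address as its resolver. A complementary check is to resolve a name whose answer you know through the configured resolver and compare it with the answer from a trusted one.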

38. November 14, Softpedia – (International) Anonymous’ Fawkes Virus found on Facebook. Researchers from Bitdefender stumbled upon what they believe to be the Fawkes Virus, advertised by Anonymous recently in a video. Not long after the video announcement was launched online, experts from the security company came across a Facebook scam that promised a New Facebook Video Chat with Voice Features and an Arabic description. The links from the advertisement led to a file called scan_facebook(dot)zip. The innocent-looking archive actually contained a variant of the malicious software detected by Bitdefender back in July as Backdoor-Bifrose-AAJX. This appears to be the Fawkes Virus since it comes via Facebook and it acts as described in the clip. “[It] injects itself in IE process, provides a remote attacker unhindered access to the compromised system, records keystrokes and kills several processes of known antimalware solutions, if installed on the computer,” the researchers revealed. Even though the malware does not have a self-replication component, it seems to request a connection to a remote server in Egypt, a fact not mentioned in the announcement. Since the threat maintains a low profile and is nowhere close to the intensity described by Anonymous, there are two plausible scenarios: either the virus exists on the social network but it does not spread quite like the group claimed, or the whole thing is fabricated and there is no actual worm. Source:

For another story, see item 41 below in the Communications Sector

Communications Sector

39. November 14, KWES 9 Midland/Odessa – (Texas) Phone service slowly returning to normal in Andrews, Seminole. Phone service was slowly returning to Andrews and Seminole, Texas, after a day-long outage, KWES 9 Midland/Odessa reported November 14. The phones went down in Andrews the morning of November 14. Residents reported having no land lines or cell phones. Windstream, which services Andrews, said it had 6,000 customers without phones, and that the problem occurred on AT&T’s network when a fiber optic line was cut. Windstream said late November 14 that its customers should have been back up and running. Andrews City Hall said it was receiving some calls but still could not make outbound calls. Source:

40. November 14, Medford Mail Tribune – (Oregon) KSKQ experiencing power outage. The power was out to the antenna transmitting community radio station KSKQ’s 89.5 FM broadcast across the Rogue Valley in Oregon, the Medford Mail Tribune reported November 14. A propane generator, which has been providing power to the antenna on Table Mountain near Hyatt Lake since June 2010, ran out of gas the morning of November 14. The radio station has been waiting months for a response from U.S. Cellular, which owns an antenna on the same mountain, about its request to connect its antenna to a transformer U.S. Cellular uses there. With no word from U.S. Cellular, the station decided to send a propane truck to refill its tank November 11. The truck got stuck in the snow before making it to the top of the mountain, and the propane ran out between 6:30 a.m. and 8 a.m. November 14, killing the station’s FM broadcast. The radio station broadcast was still streaming live online, and could be heard at its Web site. “KSKQ directors and staff are hoping for the best response when the (U.S. Cellular) letter arrives, and the electricity will be turned on in a day or two after receiving the word — even if the electrician has to go to the site on a snow sled,” a press release said. Source:

41. November 14, Forbes – (International) Earthlink follows Blackberry with widespread e-mail outages. First Blackberry, now Earthlink. The $730 million Internet service provider experienced “severe” e-mail outages all day November 14, the company announced. Its online support chat system was overloaded, telling callers the next available support staff would be available within the next 70 minutes. The company’s Twitter page was not updated with any news about the outages, but Earthlink subscribers were tweeting about the outage since 11 a.m. Source:

For another story, see item 34 above in the Information Technology Sector