Monday, November 21, 2011

Complete DHS Daily Report for November 21, 2011

Daily Report

Top Stories

• On at least two occasions, hackers took over U.S. satellites and targeted their command-and-control systems, a report by the U.S.-China Economic and Security Review Commission revealed. – ABC News (See item 29)

29. November 16, ABC News – (International) US satellites compromised by malicious cyber activity. On at least two occasions, hackers took over U.S. satellites and targeted their command-and-control systems, a report by the U.S.-China Economic and Security Review Commission revealed November 16. The incidents involved two Earth observation satellites. While it may be difficult to trace who hacked the satellites, U.S. officials acknowledged the incidents had to come from a nation power. U.S. officials cannot clearly trace the incidents to China, but the report released by the Congressionally mandated commission noted Chinese military writings made reference to attacks on ground-based space communications facilities. The report noted some of the malicious cyber activity targeting the satellites involved NASA’s Terra EOS satellite being targeted in June 2008, and again in October 2008. The June incident resulted in the satellite being interfered with for 2 minutes, and the October incident lasted at least 9 minutes. The report noted that in both instances, “The responsible party achieved all steps required to command the satellite but did not issue commands.” NASA confirmed the incidents in a separate statement. The report noted the Landsat-7 satellite operated by the U.S. Geological Survey experienced similar interference and events in 2007 and 2008, but added the entity behind that incident did not achieve the ability to control the satellite. The report mentions the serious implications the intrusions could have on the satellite systems, particularly if they were directed against more sensitive systems such as military or communications satellites. Source:

• About 10,000 people in the Reno, Nevada area were forced to evacuate from a massive, sudden wildfire that destroyed scores of homes, closed at least 90 schools, and disrupted transportation. – Associated Press (See item 39)

39. November 18, Associated Press – (Nevada) Man dies in massive Reno fire; 20 homes destroyed. Thousands of Nevadans fled their homes through roads cloaked with heavy smoke and rollicking flames as a massive and sudden wildfire consumed the Sierra Nevada foothills and spread to the valley floor November 18. At least 90 schools were closed for the day to clear the roads of school traffic and make way for emergency workers. Hundreds of families filled shelters set up at two area schools. School buses were on standby to help with evacuations. The blaze raged through more than 400 acres, claimed at least one life, injured several others, destroyed 20 homes, and blanketed the Reno area in a fiery curtain as violent winds sidelined firefighters and rescue helicopters. The fire ignited around 12:30 a.m. in the Caughlin Ranch area. In all, nearly 10,000 people were sent from their homes as gusts of up to 60 mph drove the flames farther into Reno. Several people suffered from smoke inhalation. A fire chief said roughly 400 firefighters were on the ground, but they were having a difficult time getting ahead of the wind-fueled fire. He said he expected the fire to burn through November 19. The National Weather Service was calling for west winds of 20 to 30 mph with gusts up to 45 mph the evening of November. The governor and the Federal Emergency Management Agency declared the fire a major disaster. Source:


Banking and Finance Sector

8. November 18, WLEX 18 Lexington – (National) Feds join in hunt for 'Nike Hat Bandit'. The FBI has joined local and state authorities in the hunt for a bank robber dubbed the "Nike Hat Bandit," WLEX 18 Lexington reported November 18. Investigators said the man robbed at least seven banks in five states, including Kentucky. On November 10, the man, wearing his signature black Nike ball cap, robbed two banks in Kentucky, one in Richmond and one in Lexington. Investigators said the suspect hit banks in two other states since. Police said they have no idea why the man always wears the same hat, but it certainly makes him recognizable. Federal authorities said the robber could face hundreds of thousands of dollars in fines and decades in prison if caught and convicted. Source:

9. November 18, Reuters – (California) Anti-Wall Street protesters arrested at L.A. bank. Throngs of anti-Wall Street demonstrators snarled traffic by blocking a downtown Los Angeles street November 17, and later pitched tents outside a bank tower before police advanced to make arrests. Hundreds of protesters first marched through the Los Angeles financial district, and then a small group stood in a circle and held hands on a major downtown street, blocking it, before police advanced. Throughout the day, at least 73 protesters were arrested in the city in separate marches and rallies downtown, with the largest number being taken into custody for trespassing outside a Bank of America tower, police said. The Los Angeles march came as cities across the country have taken police action in recent days to dismantle protest camps set up as part of the Occupy movement against economic inequality and excesses of the financial system. Later in the day, protesters marched to a Bank of America tower in downtown Los Angeles, where some set up tents on a plaza. A total of 47 protesters were arrested there, on grounds that are considered private property, police said. Source:

10. November 18, WNBC 4 New York – (New York; Connecticut; New Jersey) Steakhouse waiters busted in alleged identity theft ring. More than two dozen current and former waiters and their associates from some of New York City's top steakhouses have been arrested in an alleged identity theft ring, accused of stealing credit card numbers from wealthy customers, NBC New York reported November 18. Several suspects are from top city restaurants like Smith and Wollensky, Capital Grille and Wolfgang Steak, as well as Morton’s in Stamford, Connecticut and the Bicycle Club in New Jersey, sources said. The alleged scam targeted customers who often paid with American Express Black cards and other high-limit credit cards, according to sources. Law enforcement sources said some restaurant workers used handheld scanners to copy the credit card information as they walked away to process the bill. Later, that information would be sent to leaders of the alleged fraud ring, who would forge new credit cards with the stolen information and test them out on taxis. If the cards worked, the suspects would go on major shopping sprees, buying up expensive goods like Chanel goods and Jimmy Choo shoes. The thieves would then re-sell the luxury brand items for cash. Officials estimate profits totaled at least $1 million, sources said. Source:

11. November 17, U.S. Securities and Exchange Commission – (National) SEC halts scam touting access to pre-IPO shares of Facebook and Groupon. The Securities and Exchange Commission (SEC) November 17 filed an emergency enforcement action to stop a fraudulent scheme targeting investors seeking stock in Internet and technology companies like Facebook and Groupon in advance of a public offering. The SEC alleges a Florida man and several other individuals carried out the scam using a newly minted hedge fund named The Praetorian Global Fund. They falsely claimed the fund and affiliated Praetorian entities owned shares worth tens of millions of dollars in privately-held companies expected to soon hold an initial public offering (IPO). Taking advantage of investor interest in pre-IPO shares that are virtually impossible for company outsiders to obtain, the man and others solicited funds and gave investors a false sense of comfort their money was protected by telling them an escrow service was receiving their money. In reality, according to the SEC’s complaint filed in federal court in Manhattan, the man and his cohorts never owned the promised pre-IPO shares. Three men were each actively involved in providing false documents and information to broker-dealer representatives in pitching their clients to invest in the Praetorian entities. They raised at least $12 million from investors across the country during the past 15 months. Source:

12. November 17, KXLY 4 Spokane – (National; International) Ponzi scheme ringleader indicted. A woman who allegedly ran a payday loan business as a front for a Ponzi scheme that bilked millions from investors pleaded not guilty November 17 to a far-ranging list of charges handed up November 16 by a grand jury in federal court in Spokane, Washington. Her arrest and indictment came in the wake of a federal investigation that culminated in April 2010 with a raid on the woman's office, Team Spirit America. FBI and Internal Revenue Service (IRS) agents raided her office and seized all company files and her personal assets as part of their investigation of the woman, who allegedly ran a Ponzi scheme, bilking hundreds of investors out of about $126 million to finance her lavish lifestyle. The indictment includes 110 separate counts of wire fraud, mail fraud, and international money laundering. It said the woman started her payday loan business in British Columbia, Canada, in 1997 and moved to Spokane County around 2001. Two years later, she shut all of her storefronts and began operating the business entirely online using many limited liability corporations incorporated in Washington, Nevada, and Utah. Beginning in May 2000 and continuing through March 2009, her Ponzi scheme took in $126 million from 800 investors worldwide through promises of high returns on investments, which would be obtained through profits in the payday loan business. She never disclosed those businesses were not profitable and ultimately caused more than $40 million in losses to those investors. As more individuals began investing, the money taken from later investors was distributed to earlier investors with the woman allegedly taking a percentage of those funds. In July 2009 a group of investors filed an involuntary bankruptcy petition against the woman's businesses, which was quickly followed by the woman filing for bankruptcy in late July in Nevada. She faces up to 20 years in prison, if convicted, on each individual count in the 110-count indictment, as well as a $250,000 fine on each count. Source:

13. November 17, Associated Press – (Rhode Island) Two R.I. men charged in $25M investor fraud. A Rhode Island estate planner and one of his employees have been charged in a $25 million investment scheme authorities said was orchestrated by stealing the identities of the terminally ill and the elderly, according to an indictment released November 17. Federal prosecutors said a 66-count indictment was filed against an attorney, the president and chief executive officer (CEO) of Estate Planning Resources in Cranston, and one of his employees. The men were accused of lying to terminally ill and elderly patients to access their personal information and then using it to purchase "death-put" bonds. Prosecutors said the scheme generated more than $25 million from insurance companies and bond insurers. Authorities said the men advertised in a Catholic newspaper to find victims. Source:

14. November 17, Associated Press – (Utah) Man charged after tossing fire bomb at Utah bank. A Utah man has been charged after throwing Molotov cocktails at a Wells Fargo branch in West Jordan, Utah, November 17. He faces one federal count of attempting to destroy a building used in interstate commerce. Police arrested the suspect the morning of November 17 outside the West Jordan bank, about 15 miles south of Salt Lake City. Authorities said the man began planning to bomb a bank about 2 months ago after ordering explosive chemicals. He decided instead to use Molotov cocktails. Authorities said he called police immediately before throwing the first Molotov cocktail, which failed to ignite. A second one bounced off a window and ignited a bush, which he extinguished by dousing it with gasoline. Source:

15. November 17, Portland Oregonian – (Oregon) Occupy Portland: N17 action against bank closes downtown branches; 48 arrested; police use pepper spray. Six weeks old and building momentum, Occupy Portland in Oregon swept through downtown streets November 17 and took its street theater directly to national banks that protesters say engineered the economic downturn and took government bailouts strictly to feed their bottom lines. There were about 1,000 demonstrators, including union members, grandparents and workers. Downtown through the day, bank branch after bank branch locked their doors, and the protesters cheered every time their efforts shut down business. As night fell, police used pepper spray. Dozens of office workers gazed down from building windows at sidewalks where about chanting, singing demonstrators marched to the Wells Fargo branch. Inside the branch, police arrested nine people. Several protesters held a paper cutout of the bank's stagecoach logo with the words "funding prisons for profit," a jab at Wells Fargo's stock ownership of private-prison companies. Later, about 10 people approached the Bank of America branch at Southwest Second Avenue and Morrison Street, and bank officials locked the doors. Source:

16. November 17, KPIC 4 Roseburg – (Oregon) Occupy protesters arrested at Eugene banks. Eugene, Oregon police arrested four protestors blocking the back entrance to the downtown Bank of America November 17, and made another eight arrests at Chase Bank. A police sergeant told KVAL News the four people at Bank of America refused to move and asked to be arrested. They were taken into custody without incident. Another group at the bank's front door moved on when police asked them to leave. The arrests came as groups of Occupy Eugene protestors moved around downtown from bank to bank. One protestor put a padlock on the door of Chase Bank at 11th Avenue & Willamette Street. It was removed after about an hour. Just after 3 p.m., police made eight arrests at Chase Bank. By 5 p.m., police said 17 people had been arrested, including a juvenile. Source:

For another story, see item 35 below in the Information Technology Sector

Information Technology

35. November 18, Help Net Security – (International) Backdoor trojan pushed via versatile Facebook campaign. Microsoft recently spotted a versatile social engineering campaign used to trick Facebook users into installing a backdoor trojan with keylogging capabilities. The messages used to lure in users vary, but they all lead to fake YouTube pages. Once there, the user is urged to download a new version of "Video Embed ActiveX Object" to play the video file. However, the offered setup.exe file is the Caphaw trojan, which bypasses firewalls, and installs an FTP, a proxy server, and a keylogger. "It also has built-in remote desktop functionality based on the open source VNC project," said a Microsoft researcher. "We received a report that a user found this in his computer and also discovered that money had been transferred from his bank account by an unknown party. The keylogging component, coupled with the remote desktop functionality, makes it entirely possible for this to have happened." Source:

36. November 18, H Security – (International) Compromised certificates: Revocations alone are insufficient. Revoking a digital certificate does not automatically invalidate, for instance, software signatures made with the certificate. What matters is the revocation date, which determines the point in time after which a signature will no longer be validated. According to a report from anti-virus specialist Norman, the signatures of several recently discovered trojans were validated by Windows as a result, and no warning was issued before installing the malware. The trojans were signed with a key stolen from a Japanese company. The corresponding certificate was reported as compromised July 29, 2011, and revoked by its issuing Certificate Authority (CA), VeriSign, which is now part of Symantec. That date was also entered as the revocation date. However, the trojans were signed with the key April 13, 2010, July 3, 2010, and January 22, 2011, long before the revocation date. Because of this, the code signatures remained valid for the older signatures, and systems would only invalidate signatures made after the revocation date. Norman believes the issue is down to CAs being overly cautious when setting the revocation date, and that they tend to choose a date that is too late over one that is too early. One of the likely reasons for this is that CAs want to avoid invalidating software and documents that have been signed by legitimate customers. In the aforementioned case, after being notified by Norman, Symantec changed the revocation date to April 12, 2010, which invalidated the trojans' signatures. Source:

For another story, see item 37 below in the Communications Sector

Communications Sector

37. November 18, Denver Post – (Colorado) Open Range tells its subscribers to find other phone, Internet provider. Several Open Range Communications subscribers in Colorado reported their phone service was cut off the night of November 16 and then restored November 17 after they received a recorded call telling them to find another provider, the Denver Post reported November 18. The bankrupt broadband provider posted this message on its Web site: "Open Range will discontinue providing service in the coming days. Please seek another Internet service provider NOW. If you are an Open Range telephone service customer, contact another provider WITHOUT DELAY to be able to retain your telephone number." Open Range's president said November 17 that "we're having some difficulties." Open Range, which provides phone and high-speed wireless Internet service in 12 states including Colorado, filed for bankruptcy October 6. Source:

38. November 17, Baldwin-Whitehall Patch – (Pennsylvania) Verizon landline telephone outage affecting Baldwin-Whitehall area. Allegheny County Emergency Services in Pennsylvania was notified by Verizon of an issue with a fiber optic cable affecting landline telephone service in the Baldwin-Whitehall area November 17. Residents in that area without a dial tone who needed emergency services were instructed to use a cell phone to call 9-1-1. Allegheny County officials notified public safety agencies in the Baldwin-Whitehall area, including county police, local police, fire departments, and emergency medical personnel. Source:

For another story, see item 35 above in the Information Technology Sector