Friday, December 9, 2011

Complete DHS Daily Report for December 9, 2011

Daily Report

Top Stories

• Security researchers at Symantec confirmed December 7 that hackers used an unpatched Adobe Reader vulnerability to target people who worked at defense, telecommunications, chemical, and computer hardware companies. – Computerworld (See item 12)

12. December 7, Computerworld – (International) Symantec confirms Flash exploits targeted defense companies. Security researchers at Symantec confirmed December 7 that exploits of an unpatched Adobe Reader vulnerability targeted defense contractors, among other businesses. "We've seen [this targeting] people at telecommunications, manufacturing, computer hardware and chemical companies, as well as those in the defense sector," said a senior security manager in Symantec's security response group. Symantec mined its global network of honeypots and security detectors — and located e-mail messages with attached malicious PDF documents — to reach that conclusion. Adobe warned Reader and Acrobat users hackers were exploiting a "zero-day" bug on Windows PCs December 6, crediting Lockheed Martin's security response team and the Defense Security Information Exchange (DSIE), a group of major defense contractors that share information about computer attacks, with reporting the vulnerability. Symantec found attack e-mails dated November 1 and November 5. It also published an image of a redacted e-mail of the attack's bait — the promise of a 2012 guide to policies on new contract awards — that it said was a sample of the pitches that tried to dupe recipients into opening the attached PDF. Opening the PDF also executed the malicious code — likely malformed 3-D graphics data — compromising the targeted PC and letting the attacker infect the machine with malware. That malware, Symantec's senior security manager said, was identical to what was used in early 2010 by hackers exploiting a then-unpatched bug in Microsoft's Internet Explorer 6 (IE6) and IE7. Symantec labeled the malware "Sykipot" in 2010. "[The malware] is a general-purpose backdoor. One of the interesting things about it is it uses a form of encryption of the stolen information, which helps the attack hide what information is stolen," the security manager said. Sykipot encrypts the pilfered data after it has been retrieved, but while it is still stored on the company's network, as well as when it is transmitted to a hacker-controlled server. Those command-and-control servers are still operating, the manager said. Because of the similarities — using Sykipot, which is not widely in play, and exploiting zero-day vulnerabilities — Symantec suspects the same group of hackers who launched the attacks against IE6 and IE7 in 2010 were also responsible for the Reader-based attacks seen in November. Source:

• A gunman who killed a police officer December 8 after being pulled over in a traffic stop at Virginia Tech University in Blacksburg, Virginia, is believed to be dead, a law enforcement official said. – Associated Press (See item 32)

32. December 8, Associated Press – (Virginia) Official: Virginia Tech gunman who killed cop believed to be dead. The gunman who killed a police officer December 8 after being pulled over in a traffic stop at Virginia Polytechnic Institute and State University (Virginia Tech) in Blacksburg, Virginia, is believed to be dead, a law enforcement official told the Associated Press. Virginia Tech officials said on the school’s Web site that a weapon was recovered near a second body found in a parking lot on campus. It was not immediately clear if the second body was that of the gunman. School officials also said there was no longer an active threat that afternoon and that normal activities could resume. The officer’s shooting prompted a lockdown that lasted for hours. As police hunted for the killer, the school applied the lessons learned nearly 5 years ago, warning students and faculty members via e-mail and text message to stay indoors. It was the first gunfire on campus since 33 people were killed in the deadliest mass shooting in modern U.S. history. The university sent updates about every 30 minutes, regardless of whether they had any new information, a school spokesman said. The campus was quieter than usual because classes ended December 7 and students were preparing for exams, which were to begin December 9. The school postponed those tests. The shooting came soon after the conclusion of a hearing where Virginia Tech was appealing a $55,000 fine by the U.S. Education Department in connection with the university’s response to the 2007 rampage. Since the massacre, the school expanded its emergency notification systems. Alerts now go out by electronic message boards in classrooms, by text messages, and other methods. Other colleges and universities have put in place similar systems. Universities are required under the Clery Act to provide warnings in a timely manner and to report the number of crimes on campus. During about a 1-hour period during the December 8 incident, the university issued four separate alerts. Source:


Banking and Finance Sector

13. December 8, Pasadena Star-News – (California) Tri-Cities Bandit pleads guilty. A serial robber pleaded guilty to six bank heists which included banks in Pasadena and La Verne, California, officials said December 7. The robber, who was dubbed by the FBI as the "Tri-Cities Bandit," entered his plea December 6 at a Los Angeles federal court. His alleged accomplice and getaway driver has a trial set for January 10. The FBI created the moniker because the bandit initially robbed banks in Pasadena, Glendale, and Burbank. He started robbing banks in June and presented tellers a note demanding large bills. He was charged with 10 bank robberies and 2 attempted robberies in communities that included Pasadena, Los Angeles, Chino Hills, La Verne, and Glendale. Court documents estimated the amount taken at $21,229. Both the robber and getaway driver were arrested by deputies after robbing the First California Bank in Westlake Village August 19. Source:

14. December 8, Associated Press – (International) Letter bomb sent to Deutsche Bank chief. German authorities said December 8 a letter bomb addressed to the chief executive of Deutsche Bank in Frankfurt, Germany, contained a fully functional bomb, capable of exploding had it not been intercepted in the bank's mailroom. The bomb was intercepted after a routine X-ray screening December 7 in the mailroom of the bank's Frankfurt headquarters, prosecutors and police from Hesse state said in a joint statement. The authorities refused to give details on the matter, citing an ongoing investigation. A Deutsche Bank spokesman said the bank alerted police immediately after the package came to the attention of mailroom workers during a routine screening. The New York City Police Department (NYPD) said it was alerted to the scare late December 7, causing the department to dispatch patrols to the bank's offices in the city "solely as a precaution." A NYPD spokesman said the return address on the letter was the European Central Bank — the governing body for the 17-nation common European currency, which has its headquarters just across the park from Deutsche Bank in downtown Frankfurt. Source:

15. December 8, Softpedia – (Massachusetts; International) Jeanne D’Arc Credit Union insider breach discovered after one year. A recent security incident involving a Massachusetts financial institution called Jeanne D’Arc Credit Union shows it is not necessary for hackers to be involved for data leaks to occur, Softpedia reported December 8. More precisely, one of their employees that left the company in December 2010 took with her some files that contained private data belonging to customers, including Social Security numbers and loan account numbers, reported DataBreaches. The incident would not have been discovered if the woman's latest employer did not notice the information after she left her new job. She claimed the data was taken on a USB drive to be used in her new job, and the files were never copied to other computing devices. "We have recovered the thumb drive device that contained the computer files in question. We have obtained a sworn affidavit from our former employee indicating that she made no unauthorized use or further disclosure of the disclosed personal information," reads a letter sent by the organization to the state attorney general's office. Jeanne D’Arc also stated their former employee and her new employer assured them the data would not be disclosed to other parties, and they implemented new systems to prevent such incidents in the future. All individuals were notified on the breach and they were advised on how to monitor their bank accounts. Source:

16. December 8, U.S. Securities and Exchange Commission – (National) SEC charges Wachovia with fraudulent bid rigging in municipal bond proceeds. The Securities and Exchange Commission (SEC) December 8 charged Wachovia Bank N.A. with fraudulently engaging in secret arrangements with bidding agents to improperly win business from municipalities and guarantee itself profits in the reinvestment of municipal bond proceeds. The SEC alleges Wachovia generated millions in illicit gains during an 8-year period when it fraudulently rigged at least 58 municipal bond reinvestment transactions in 25 states, and Puerto Rico. Wachovia won some bids through a practice known as "last looks" in which it obtained information from bidding agents about competing bids. It also won bids through "set-ups" where the bidding agent deliberately obtained non-winning bids from other providers to rig the field in Wachovia’s favor. Wachovia facilitated some bids rigged for others to win by deliberately submitting non-winning bids. It agreed to settle the charges by paying $46 million to the SEC that will be returned to affected municipalities or conduit borrowers. Wachovia also entered into agreements with the Justice Department, Office of the Comptroller of the Currency, Internal Revenue Service, and 26 state attorneys general that include the payment of an additional $102 million. The settlements arise out of long-standing parallel investigations into widespread corruption in the municipal securities reinvestment industry in which 18 individuals have been criminally charged by the Justice Department’s Antitrust Division. Source:

17. December 7, Associated Press – (New York) Nearly 100 people charged in New York check fraud ring. Nearly 100 people formed a check fraud ring in New York that systematically exploited a banking loophole to steal more than $450,000 by depositing bogus checks and withdrawing money before they bounced, prosecutors said December 7. With a handful of bosses recruiting dozens of people to carry out the scheme — and even driving them to out-of-state casinos — the group methodically overdrew TD Bank accounts, a Manhattan district attorney (DA) said as he announced 94 people were indicted. The bank noted no customer account data were compromised. Three main bosses, aided by six other leaders, enlisted people to open savings accounts at TD locations with nominal sums and then had them deposit worthless checks, the DA said. The accounts were not subject to policies that prevent money deposited into checking accounts from being available immediately, and the ringleaders knew that. The suspects quickly transferred the money to TD checking accounts they also opened, prosecutors said. Then, they withdrew as much as they could at cash machines, sometimes getting as much as $5,000 at once, by traveling to casinos in Connecticut and Atlantic City, New Jersey, where the machines had high or no limits on the size of withdrawals. The group's leaders would escort the complicit account-holders to the casinos one by one. The account-holders then made themselves scarce when the bank tried to contact them to discuss the overdrawn accounts, which were opened under their real names, prosecutors said. The recruiters got most of the stolen money, generally paying each account-holder a few hundred dollars, prosecutors said. The DA said prosecutors believe the bank's losses may be more than $1 million. The bank spotted the pattern, which dates at least to August 2009, and brought in authorities. The U.S. Postal Inspection Service aided the 18-month investigation, which involved video and physical surveillance, computer forensics, and extensive analysis of credit card, banking, and phone records, authorities said. Each defendant faces grand larceny or conspiracy charges, or both. Source:

18. December 7, Orange County Register – (California) O.C. pair nabbed in $6 million loan-mod scam. Two Orange County, California men were arrested December 7 on charges of theft and conspiracy in what state prosecutors called a $6 million mortgage modification scam that victimized thousands of financially troubled homeowners across the nation. Both pleaded not guilty at an arraignment in Orange County Superior Court December 7 and were expected to post bail later. They face a maximum of 36 years in state prison if convicted on all counts. A third man, a disbarred Tennessee lawyer, also was charged in the case, state prosecutors said. According to the 37-count felony complaint, the Orange County men operated Green Credit Solutions in Irvine, which charged thousands of homeowners facing foreclosure $3,500 apiece in up-front fees in exchange for attorney services that never were provided. Instead, state prosecutors maintain, Green Credit and its related companies did little, if anything, on behalf of its clients. The mortgage-aid firm also maintained falsely it had a lawyer on staff and was affiliated with a law firm with a network of attorneys, state prosecutors said. According to the attorney general's office, Green Credit later was renamed as Guardian Credit Services and Get My Credit Grade as complaints to the California Department of Real Estate, the California State Bar, and the Better Business Bureau began piling up. The state bar successfully petitioned to have the mortgage-aid firms shut down in January 2010, along with four other firms affiliated with the men: Green Credit Services, Erickson Law Group, Green Credit Law, and PacWest Funding. Source:

19. December 7, San Antonio Express-News – (Texas) S.A. couple indicted in mortgage fraud. A San Antonio couple was indicted December 7 on allegations of helping out in a mortgage fraud scheme that resulted in $50 million in losses to lenders. They face federal charges of bank fraud, engaging in a monetary transaction in property derived from unlawful activity, and conspiracy. They are the latest to be charged in a sweep called "Operation Stolen Dreams" by the Justice Department, FBI, and Internal Revenue Service. According to court records, the couple is accused of aiding a mortgage scam by a man who ran Supreme Mortgage Group LLC, one of several entities used in a scheme blamed primarily on a Dallas man. The man and his wife are among 22 people indicted in San Antonio in June 2010 on charges they conspired in a flipping scheme that caused $50 million in loans to go into default. That indictment said that from May 17, 2005, through February 21, 2008, the man obtained properties at or about market value, then offered people $10,000 to $25,000 each to act as straw buyers for the homes at inflated prices. Using falsified documents, he obtained mortgage loans for the straw buyers and then let the mortgages go into default. The scheme, the indictment alleges, was aided by appraisers, title officers, escrow officers, mortgage processors, and others who helped submit false documentation and information to lenders. Source:

Information Technology

40. December 7, Computerworld – (International) Facebook disables bug used to expose Zuckerberg photos. A spokeswoman for Facebook confirmed December 7 a flaw was discovered in the mechanism that allows the social network's users to report photos on the site that violate the company's terms of service. Before it was disabled, the flaw was used to gain access to users' photos, including private photos. "The bug allowed anyone to view a limited number of another user's most recently uploaded photos irrespective of the privacy settings for these photos," the company said in a statement. "This was the result of one of our recent code pushes and was live for a limited period of time. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed," the statement added. Source:

41. December 6, Sophos – (International) Beware Adobe software upgrade notification – malware attached! Cybercriminals have widely spammed out a malware attack posing as upgrades for Adobe Acrobat Reader and Adobe X Suite Advanced. The e-mails, which pretend to come from Adobe, have a ZIP file attached that contains a version of the Zeus trojan, designed to steal banking information from compromised computers. The risk is that less technically savvy computer users might believe the e-mail is legitimate, and be tricked into installing malware onto their computer thinking it is an official Adobe update. Each e-mail is slightly different, incorporating different reference numbers in the subject line, attached filename, and message body. The samples seen so far by Sophos all carry malware in the file "Adobe Systems Software Critical Update Dec 2011.exe" contained within the ZIP. Source:

For more stories, see items 12 above in Top Stories and 42 below in the Communications Sector

Communications Sector

42. December 8, CNET – (National) Verizon says 4G LTE back up and running. Verizon Wireless said December 8 it restored 4G LTE service to customers across the country who got stuck on a slower connection for the past day and a half. The company's network operations team resolved a technical issue the night of December 7, but did not disclose the cause of the problem, which forced some customers off its high-speed network and on to the slower 3G service since late December 6. Some customers complained of losing 3G access as well, dropping down to the 2G level, which is primarily designed for voice and text messages. For this outage, Verizon noted customers were still able to make calls, send and receive text messages, and use 3G data. The outage appeared to be intermittent, with customers affected at random times and locations. Source:

For more stories, see items 12 above in Top Stories and 40 above in the Information Technology Sector

Thursday, December 8, 2011

Complete DHS Daily Report for December 8, 2011

Daily Report

Top Stories

• Hundreds of customers who used their debit cards at a California supermarket chain had money stolen from their bank accounts while company executives diligently checked self-checkout terminals at the chain's 233 stores. – Santa Rosa Press Democrat (See item 10 below in the Banking and Finance Sector)

• Adobe confirmed December 6 an unpatched vulnerability in Adobe Reader is being exploited by hackers in attacks that may be targeting defense contractors. – Computerworld (See item 32 below in the Information Technology Sector)


Banking and Finance Sector

10. December 7, Santa Rosa Press Democrat – (California) Outwitted by high-tech scammers, Lucky delayed warning customers of security breach. Lucky Supermarket executives, foiled by criminals using wireless technology to download customer financial information from self-checkout terminals in Petaluma, California, and across the Bay Area, delayed notifying customers because they thought they had prevented a security breach, the Santa Rosa Press Democrat reported December 7. However, as officials took 3 weeks to diligently check each terminal at the company's 233 stores, criminals continued to access debit card and PIN numbers and then began draining cash from bank accounts of Lucky customers. Most debit and credit card skimmers store data and then are physically retrieved by someone who downloads the information, the chief financial officer (CFO) of Lucky's corporate owner, Save Mart Supermarkets, said. Because Lucky officials seized the devices, they believed any data in them was secure. On December 6, reports from Petaluma residents who discovered unauthorized withdrawals from their bank accounts after shopping at Lucky continued to pour into the Petaluma Police Department and swelled to 112, a Petaluma police lieutenant said. Also, more reports of suspicious bank withdrawals flooded the company's customer service hotline, company officials said. Officials eventually learned the devices transmitted financial data using Bluetooth wireless technology. The U.S. Secret Service is investigating what appears to be a widespread scheme. They sent the device for analysis to a unit with special technology skills, the CFO said. Lucky Supermarkets maintenance crews first noticed a suspicious device November 3 in a self-checkout terminal at a Mountain View store, company officials said. On November 11, technicians began examining terminals at the company's stores across California and Nevada. They discovered out-of-place computer boards at 15 stores and removed them that day. The last suspicious device was removed November 16, and by November 22 technicians had checked all of the company's 233 stores. The computer devices had been installed in one terminal per store. On November 23, the company posted an alert about the breach on its Web site, which it updated to include all 23 stores December 6. Source:

11. December 6, KMOV 4 St. Louis – (Missouri) 'Logo bandit' connected to multiple bank robberies in St. Louis area. The FBI believes there is a serial bank robber working in the St. Louis area, and agents are calling him the "logo bandit," KMOV 4 St. Louis reported December 6. The suspect has been connected to four area bank robberies. The robberies happened over the last 3 months. In each case, officials said the suspect had a similar physical description, a similar method of operation of using a demand note but no weapon, and each time he was seen wearing clothing or a baseball cap with a logo. Source:

For another story, see item 28 below in the Information Technology Sector

Information Technology

27. December 7, IDG News Service – (International) Cross-site scripting flaws plague Web apps, report says. Cross-site scripting flaws are the most prevalent vulnerabilities found in Web applications, posing a risk to data and intellectual property, according to a study of thousands of applications by vendor Veracode released December 7. Veracode analyzed more than 9,900 applications that were submitted to its cloud-based scanning service over the last 18 months. For Web applications, 68 percent contained cross-site scripting flaws, Veracode found in its study. Cross-site scripting is an attack in which a script drawn from another Web site is allowed to run even though it should not, and it can be used to steal information or potentially cause other malicious code to run. Veracode also found that 32 percent of Web applications contained a SQL injection problem, a type of issue where commands entered into Web-based forms are executed, potentially returning sensitive data. Other prevalent flaws Veracode found were CRLF (Carriage Return Line Feed) injection issues, which can allow an attacker to control a Web application or steal information, the report said. Source:

28. December 7, Help Net Security – (International) Fake Verizon notification carries malware. A spam e-mail campaign aiming to infect users with a banking trojan is currently underway and is targeting mobile carrier customers, Microsoft has warned, Help Net Security reported December 7. The e-mail purports to be coming from Verizon, and tries to make the recipient feel a sense of urgency by claiming it contains important account information from Verizon Wireless. The message starts with the unusual greeting of "Hello Dear!," and proceeds to try and convince the users they have to pay a rather large bill (the amount varies from $250 to over $1,500). "View all your recent bills in application materials," says the e-mail, and offers an attached ZIP file whose name includes random numbers. The archive contains a similarly named executable, which is detected as a variant of the Zeus banking trojan, and Microsoft warns a similar campaign carrying the same payload has already been started using e-mails pretending to deliver a critical update for Adobe Acrobat Reader and Adobe X Suite. Source:

29. December 7, H Security – (International) XSS vulnerabilities can affect embedded browsers in mobile apps. A security researcher has noted the use of embedded browsers in mobile applications can make those applications vulnerable to cross-site scripting (XSS) attacks, H Security reported December 7. Developers of mobile software found it can be effective to embed a smartphone operating system's Web browser and then create their user interface using HTML, CSS, and JavaScript. The user interface is then more portable to other devices and is easier to customize using CSS. However, this convenience comes at a cost. A researcher, who is presenting his findings at TakedownCon, found some developers do not clean the data being sent to their HTML-based user interface. Source:
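The defect items 27 and 29 describe is data from the network being written straight into HTML that a (possibly embedded) browser then renders. The following is an added example, not code from either article or from the researcher's findings: a constructed message list rendered two ways, the concatenation pattern that lets markup in the data execute, and a hardened version that encodes each value for the context it lands in (text versus URL attribute, since escaping alone does not neutralise a javascript: link). The message objects and field names are assumptions made for the illustration.

```javascript
// Added example (not from the article): rendering untrusted data into an
// HTML-based UI of the kind embedded-browser mobile apps use.

// Encode a value for placement between tags or inside a quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// URL attributes need their own rule: only http(s) targets are allowed,
// anything else (javascript:, data:, vbscript:) collapses to a harmless '#'.
function safeUrl(value) {
  const s = String(value).trim();
  return /^https?:\/\//i.test(s) ? s : '#';
}

// Vulnerable pattern: fields received from the server are concatenated into
// markup, so any tags or scheme tricks in them reach the renderer unchanged.
function renderMessageUnsafe(msg) {
  return '<li><a href="' + msg.url + '">' + msg.sender + '</a>: ' +
    msg.body + '</li>';
}

// Hardened pattern: every untrusted field is encoded for its output context
// before it is placed into the markup.
function renderMessageSafe(msg) {
  return '<li><a href="' + escapeHtml(safeUrl(msg.url)) + '">' +
    escapeHtml(msg.sender) + '</a>: ' + escapeHtml(msg.body) + '</li>';
}

// Detection helper for the demo: does the produced fragment still carry
// active content (a script tag, a javascript: URL or an inline event handler)?
function containsActiveContent(html) {
  return /<script\b|javascript:|\son\w+=/i.test(html);
}

// Constructed sample input: one ordinary message and one that smuggles a
// script tag and a javascript: link, the classic XSS probe.
const SAMPLE_MESSAGES = [
  { sender: 'alice', url: 'https://example.com/alice', body: 'hello' },
  { sender: 'mallory', url: 'javascript:alert(1)',
    body: '<script>alert(1)</script>' },
];

// Render the whole list with the chosen per-message renderer.
function renderAll(render) {
  return '<ul>' + SAMPLE_MESSAGES.map(render).join('') + '</ul>';
}

console.log('unsafe:', renderAll(renderMessageUnsafe));
console.log('safe  :', renderAll(renderMessageSafe));
```

In a real embedded-browser UI the same rule is easier to follow by building nodes with DOM APIs (textContent, setAttribute after validation) instead of string concatenation; the string form here keeps the example runnable without a DOM.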

30. December 6, The Register – (International) CNET slammed for wrapping Nmap downloads with cruddy toolbar. CNET has come under fire for wrapping downloads of the popular Nmap network analysis tool and other open-source software packages with a toolbar of dubious utility. Nmap is a popular open-source network auditing and penetration-testing tool that allows sysadmins to run network troubleshooting and penetration tests. Over the last few days, users who downloaded the tool from CNET's popular site have been, by default, offered it in conjunction with the Babylon Toolbar. Sysadmins can opt out of receiving the toolbar, which changes their browsing experience, home page, and default search engines, but they are clearly directed towards accepting the software, Sophos demonstrates. The developer of Nmap cried foul over the way the toolbar has been pushed, objecting in a post to the North American Network Operators' Group mailing list. He added that consumers downloading VLC, the popular open-source media player software, are also being offered the Babylon toolbar, via what he described as a "trojan installer." Several anti-virus firms apparently agree with this assessment because CNET's Nmap installer is already detected as a trojan by BitDefender and F-Sc and as a potentially unwanted program by Panda, McAfee, and others, according to VirusTotal. Source:

31. December 6, IDG News Service – (International) Symantec says spam levels fall to lowest in three years. Global spam fell to the lowest level in 3 years in a sign that spammers may be getting a better rate of return by hitting social-media Web sites instead, according to the latest figures released December 6 from Symantec. About 70.5 percent of all e-mail was spam, a still-high figure but one that is much lower than a few years ago, when it was well over 90 percent. Symantec calculated the percentage by analyzing some 8 billion messages it processed a day in November, according to the company's latest MessageLabs Intelligence Report. Spam volumes dipped in March after Microsoft, law enforcement, and other companies joined forces to take down Rustock, a large botnet responsible for sending up to 30 billion spam messages per day. Source:

32. December 6, Computerworld – (International) Hackers exploit Adobe Reader zero-day, may be targeting defense contractors. Adobe confirmed December 6 an unpatched vulnerability in Adobe Reader is being exploited by criminals. Those attacks may have been aimed at defense contractors. Adobe promised to patch the bug in the Windows edition of Reader and Acrobat 9 no later than the end of the week of December 12. "A critical vulnerability has been [found] in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh," Adobe said in an early-warning e-mail. "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system." The company issued a security advisory with what information it was willing to share. Adobe acknowledged the vulnerability is being exploited in what it called "limited, targeted attacks" against Reader 9.x on Windows, but did not provide any additional information about where and when the attacks were occurring, or who had been targeted. Adobe identified the bug as a "U3D memory corruption vulnerability." U3D (universal 3D) is a compressed file format standard for 3-D graphics data promoted by a group of companies, including Adobe, Intel, and Hewlett-Packard. Reader vulnerabilities are typically exploited by attackers using malicious PDF documents that are attached to e-mail messages with baited subject heads that try to dupe recipients into opening the document. Doing that also executes the malicious code — in this case, likely malformed U3D data — hidden in the PDF, compromising the victim's PC and letting the attacker infect the machine with other malware. The attacks exploiting the unfixed flaw may have targeted U.S. defense contractors: Adobe originally credited the security response teams at both Lockheed Martin and MITRE with reporting the vulnerability. Source:

For more stories, see items 10 above in the Banking and Finance Sector and 33 and 34 below in the Communications Sector

Communications Sector

33. December 7, WLFI 18 Lafayette – (Indiana) Cut fiber behind Frontier outage. A cut fiber was to blame for a service outage for Frontier Communications customers in the Lafayette, Indiana area December 6. A Frontier Communications manager said the fiber was cut somewhere between Lafayette and Milford. He said the cut fiber impacts high speed and long-distance customers. As of 6:45 p.m. December 6, he said some service had already been restored. Source:

34. December 7, Associated Press – (South Dakota) Outage hits AT&T wireless customers in central South Dakota; cut fiber optic line is blamed. A cut CenturyLink fiber optic line was blamed for an outage that affected AT&T wireless customers in South Dakota December 6. KCCR 1240 Pierre reported voice and data services were disrupted for about 7 hours December 6. Police in Pierre said there was no apparent disruption to the emergency 911 system in the capital city. The state public utilities commission gathered information December 7 about the outage that ended about 11 p.m. December 6. Source:

For another story, see item 28 above in the Information Technology Sector