Tuesday, March 20, 2012
Complete DHS Daily Report for March 20, 2012
Daily Report
Top Stories
• Eight people were questioned on counterfeiting charges March 19 after they were found with $100 million in fake U.S. treasury bonds in Poland, authorities said. – Associated Press See item 8 below in the Banking and Finance Sector.
• A winter storm packing heavy snow and gusty winds forced authorities to close 180 miles of Interstate 40 in Arizona. The storm also closed schools and canceled flights in Arizona and New Mexico. – CNN
18. March 18, CNN – (Arizona) Winter storm closes 180 miles of AZ interstate. A winter storm packing heavy snow and gusty winds forced authorities to close 180 miles of Interstate 40 in northern Arizona for many hours, March 18. The road was closed in both directions, said a dispatch supervisor for the Arizona Highway Patrol. The closure stretched roughly from Kingman in western Arizona to eastward to Winslow, including the city of Flagstaff, he said. Portions of Interstate 17 south of Flagstaff were also closed, according to the Arizona Department of Transportation’s Web site, as were several state roads. Flagstaff received 10 to 14 inches of snow, according to the National Weather Service. The city of Prescott had received 8 to 12 inches. Several crashes and reports of stuck vehicles had been reported as of March 18, with one person sustaining minor injuries on I-40. The Flagstaff Unified School District, Northern Arizona University Flagstaff campus, and Coconino Community College Flagstaff and Page campuses announced they would be closed March 19. Source: http://fox8.com/2012/03/18/winter-storm-closes-180-miles-of-arizona-interstate/
2. March 19, Associated Press – (Arizona; New Mexico) Winter storm, strong winds strike NM, Ariz. A winter storm and high winds struck parts of Arizona and New Mexico March 18, causing hazardous driving conditions, power outages, and school cancellations. The fast moving storm forced the National Weather Service to place parts of northern New Mexico under a winter storm warning March 19 as heavy snow and wind from Arizona was expected to quickly blanket the area. The company PNM reported that 33,000 customers were out of power at one point March 19 in the Albuquerque area due to high winds. A spokesman for PNM said emergency crews were working to restore power, and by 9 p.m. the number without electricity was down to 4,500. Heavy winds and blowing dust forced the closure of parts of Interstate 10 in southern New Mexico due to low visibility, but the road was back open later in the day. Source: http://www.lcsun-news.com/las_cruces-news/ci_20204901/winter-storm-strong-winds-strike-nm-ariz
• A report found the Washington, D.C. agency responsible for providing clean drinking water rigged lead-monitoring test results by not conducting tests in known problem areas. – Washington Examiner
26. March 19, Washington Examiner – (Washington, D.C.) D.C. covered up bad water quality tests, report says. The Washington, D.C. agency responsible for providing clean drinking water throughout the city rigged its monitoring of lead in water by not conducting tests in parts of the city known for having higher lead levels, the District of Columbia inspector general (IG) found. The Washington Examiner reported March 19 that for a 26-month span beginning in July 2001, investigators found the D.C. Water and Sewer Authority (DCWASA) knew lead levels were elevated in the water system. Although it notified the Environmental Protection Administration (EPA) and began trying to remove excessive lead, the DCWASA also tried to cover up the extent of the crisis. “DCWASA sought to minimize the problem by sampling water from residences that were unlikely to have elevated lead levels, avoiding additional testing in areas of the District known to have elevated water lead test results,” the IG wrote. Investigators also found that the DCWASA did not use approved testing methods throughout the city and that officials “provided misleading information” during hearings before the city council about lead levels. The EPA required the agency to test more residences to meet federal guidelines that mandated the city have 1,615 acceptable tests. It took the agency about 6,000 tests to meet that standard. A spokesman for the DCWASA said the agency had a leadership overhaul in 2009 and that past problems are not reflective of the agency’s current performance. Scientists are not sure whether lead-laden water is to blame for the diagnoses of lead poisoning in some children in Washington, D.C. Source: http://washingtonexaminer.com/local/dc/2012/03/dc-covered-bad-water-quality-tests-report-says/379566
• Authorities in Johnston City, Illinois, issued a boil water order after two teenagers were arrested for climbing a water tower March 16. – Associated Press
27. March 18, Associated Press – (Illinois) 2 teenagers arrested in southern Illinois for climbing water tower, boil order issued. Authorities in southern Illinois said two teenagers were arrested for allegedly climbing a water tower March 16. The Johnston City police chief said officers received a call around 11:45 p.m. with a report of a man on the tower. After authorities arrived and tried to get the teenagers down, a large glass alcohol bottle was thrown from the top of the tower. Authorities said emergency responders went up the tower and retrieved both teenagers with harnesses. Charges are pending. Officials in Johnston City issued a precautionary boil order after the incident since there was a possible breach of the water tank. Source: http://www.therepublic.com/view/story/18df6358a1784217b0fa75d6824de0e9/IL--Water-Tower-Arrests/
• The Los Angeles Fire Commission allocated emergency funds to fix glitches in the city’s emergency response system that are delaying the dispatch of firefighters and paramedics. – Associated Press
39. March 18, Associated Press – (California) LA fire agency to fix emergency dispatch glitches. The Los Angeles Fire Commission allocated emergency funds to fix glitches in the city’s emergency response system that are delaying the dispatch of firefighters and paramedics, the Associated Press reported March 18. The Los Angeles Times reported March 18 that a woman bled profusely for 45 minutes March 7, while waiting for paramedics after a factory machine sliced off one finger and mangled the others. The delay was caused by a brief failure in the fire department’s dispatching system. Firefighters said the system problems are recurring and have created confusion at fire stations, forcing dispatchers to deploy old backup plans. The fire commission president said the panel planned to address equipment breakdowns and response times at its meeting March 20. Officials said the dispatching system is aging and was recently moved. Source: http://www.fresnobee.com/2012/03/18/2766001/la-fire-agency-to-fix-emergency.html
• A security researcher identified approximately 5 million Internet-accessible Remote Desktop Protocol (RDP) endpoints that are potentially vulnerable to a network worm exploiting a critical Microsoft vulnerability. – Threatpost See item 45 below in the Information Technology Sector.
Details
Banking and Finance Sector
8. March 19, Associated Press – (International) Polish authorities seize $100 million in fake US treasury bonds, arrest 8 people. Eight people are to be questioned on counterfeiting charges March 19 after they were found with $100 million in fake U.S. treasury bonds in their possession, Polish authorities said. The central anti-corruption bureau, a state agency, said the suspects — three Poles, two Italians, two Ukrainians, and a Moldovan woman — were arrested March 18 in regions around Krakow and Lublin, in southern and eastern Poland. A bureau spokesman said the value of the fake bonds was a record seizure for the bureau. No other details were immediately available, and it was not clear if any fake bonds in the scam made it to the market. Source: http://www.washingtonpost.com/world/europe/polish-authorities-seize-100-million-in-fake-us-treasury-bonds-arrest-8-people/2012/03/19/gIQA3gybMS_story.html
9. March 19, Warren Tribune Chronicle – (Florida; National) Man to plead guilty in $14M Ponzi scheme. A Florida man who founded a company that allegedly ran a $14.8 million Ponzi scheme that defrauded 100 investors in 9 states will plead guilty April 5, the Warren Tribune Chronicle reported March 19. He faces up to 20 years in prison and a $5 million fine on 30 counts of conspiracy, mail fraud, wire fraud, securities fraud, and money laundering. According to court records, he created and was the president of A&O Companies. The company’s chief executive officer is facing similar charges and penalties. The indictment alleges that between 2006 and January 20, 2009, the two solicited investors to buy into their real estate ventures. Prosecutors claim they then used the money to pay for employees’ salaries, personal expenses, and to pay off other investors, whom they promised between 20 and 45 percent interest. The men lied to investors, telling them their investment was secured through promissory notes and guaranteed through a lakefront Florida property, the indictment says. The property, however, was promised as collateral on more than $8 million in promissory notes, while the property was purchased for only $425,000. Once they issued the fraudulent notes, they paid some investors the promised interest payments “to give the false impression that there were actual investments,” the charges state. Source: http://www.tribtoday.com/page/content.detail/id/569420/Man-to-plead--guilty-in--14M--Ponzi-scheme.html?nav=5021
10. March 19, Associated Press – (Georgia; National) FDIC sues ex-directors of troubled failed Ga. bank. Federal bank regulators filed a lawsuit March 16 against 10 former directors and officers of a failed Georgia bank that collapsed and led to a wide-ranging criminal investigation and prison time for two of its top officials. The Federal Deposit Insurance Corporation’s complaint accuses the former Omni National Bank officials of negligence and loose lending policies that led to the bank’s March 2009 collapse. It seeks to recover more than $37 million in losses that included loans targeting low-income properties. It names several defendants who have already been charged criminally with their role in the bank’s collapse. The bank’s former vice president (VP) was sentenced to 5 years in prison in 2011 after pleading guilty to cooking the bank’s books. Another Omni executive was sentenced to almost 2 years in prison on charges of taking bribes. The lawsuit claims the VP, executive, and five others approved loans for low-income properties despite “numerous, repeated, and obvious violations” of the bank’s loan policies and procedures. It said the lenders allowed the use of straw borrowers, did not get proper appraisals, and did not make sure the borrowers had proper credit scores or the ability to repay the loans. It accused Omni’s president and its former chief executive of failing to supervise loan officers despite numerous “red flags,” such as reports of prior misconduct by the VP. Between 2003 and 2008, the Atlanta-based bank expanded into seven states and its assets quadrupled to almost $1 billion, fueled mostly by a surge in real estate lending. Source: http://www.thenorthwestern.com/usatoday/article/38820037?odyssey=mod|newswell|text|FRONTPAGE|s
11. March 19, Financial Industry Regulatory Authority – (National) FINRA fines Citi Financial $600,000 and orders restitution of $648,000 for excessive markups and markdowns. The Financial Industry Regulatory Authority (FINRA) announced March 19 that it has fined Citi International Financial Services LLC, a subsidiary of Citigroup, Inc., $600,000 and ordered more than $648,000 in restitution and interest to more than 3,600 customers for charging excessive markups and markdowns on corporate and agency bond transactions, and for related supervisory violations. FINRA found that the markups and markdowns occurred from July 2007 through September 2010. They ranged from 2.73 percent to more than 10 percent, and were excessive given market conditions, the cost of executing the transactions, and the value of the services rendered to customers. In addition, from April 2009 through June 2009, Citi International failed to use reasonable diligence to buy or sell corporate bonds so that the resulting price to its customers was as favorable as possible. During the relevant period, Citi International’s supervisory system regarding fixed income transactions contained significant deficiencies. Citi International was also ordered to revise its written supervisory procedures regarding review of markups and markdowns, and best execution in fixed income transactions. Source: http://www.finra.org/Newsroom/NewsReleases/2012/P125821?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+FINRANews+(FINRA+News)&utm_content=Google+Reader
12. March 19, Associated Press – (New York; National) NY Mets owners settle in Ponzi-related case. The owners of the New York Mets agreed to pay up to $162 million in a settlement announced March 19 with the trustee for fraud victims of a Ponzi scheme. The agreement was announced just as a civil trial was set to begin in a federal court in New York City to determine if the team’s owners might owe as much as $386 million because they were among those who made significantly more than their original investment in the investment company linked to the scheme. The settlement does not require any money to be paid for at least 3 years. It also created the possibility the owners could owe nothing if they can secure $162 million of the $178 million they are seeking in claims of their own against the Ponzi schemer’s estate. The trial was set to showcase what the trustee said was a conscious decision by the Mets owners to ignore warnings the head of the fund was operating a multibillion-dollar fraud over several decades, costing thousands of investors about $20 billion. A trustee originally sought $1 billion from the owners. The judges already had ruled the team’s owners must pay up to $83.3 million in profits they received. That amount would now be included in the $162 million. There remain another 800 lawsuits pending against those who profited from their investments in the fraudulent scheme.
13. March 19, PC Magazine – (International) Linkedin e-mail scam deposits banking trojan. GFI Labs recently discovered a LinkedIn e-mail phishing scam that installs the Cridex banking Trojan. The fake LinkedIn e-mail looks like an authentic e-mail reminder about pending invitations. The phishing scam shares the same IP address (41.64.21.71) as several recent Better Business Bureau and Intuit spam runs. The Cridex bot, also known as Cardep or Dapato, was discovered in the wild in August 2011. It spreads through e-mailed or shared attachments. Once installed, the trojan connects to a remote command and control (C&C) server. Then it injects itself into the target’s Internet Explorer process, where it steals online banking credentials, e-mail accounts, cookies, and FTP credentials, and sends them back to the C&C server. Earlier this month, M86 Labs reported that Cridex currently infects 25,000 machines. Source: http://securitywatch.pcmag.com/security/295538-linkedin-email-scam-deposits-banking-trojan
14. March 17, Associated Press – (Nevada; National; International) Feds say 19 arrested in 9 states in ID theft ring. Nineteen people were arrested in Nevada and eight other states in a Las Vegas-based identity theft and trafficking ring that a federal prosecutor characterized as a sophisticated racketeering organization involving 50 people nationwide. The scheme revolved around the buying and selling of pilfered debit and credit card information on an Internet site called “Carder.su,” a U.S. attorney said March 16. The Secret Service and U.S. Immigration and Customs Enforcement homeland security agents arrested five people March 15 in Las Vegas and 14 more in California, Florida, New York, Georgia, Michigan, New Jersey, Ohio, and West Virginia, according to the statement. The attorney said more arrests were expected as federal agents locate defendants named in three sealed indictments handed up by a federal grand jury in Las Vegas January 10 and March 13. The statement said charges include conspiracy, racketeering, and production and trafficking in false identification documents and access device cards. Members of the ring allegedly traded counterfeit documents and stolen bank account information on organization Web sites. Leaders of the organization allegedly tested and provided reviews of services, including money laundering, and products such as fake identification documents and stolen credit card account data lists from Europe, the Middle East, Asia, and the United States. Source: http://www.foxnews.com/us/2012/03/17/feds-say-1-arrested-in-states-in-id-theft-ring/
15. March 16, U.S. Government Accountability Office – (National) IRS needs to further enhance internal control over financial reporting and taxpayer data. The Internal Revenue Service (IRS) implemented many controls and procedures intended to protect key financial and tax-processing systems; nevertheless, control weaknesses continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer data processed by agency systems, according to a Government Accountability Office statement March 16. Specifically, the IRS continues to face challenges in controlling access to its information resources. For example, it had not always (1) implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time; (2) appropriately restricted access to certain servers; (3) ensured that sensitive data were encrypted when transmitted; (4) audited and monitored systems to ensure that unauthorized activities would be detected; or (5) ensured management validation of access to restricted areas. In addition, unpatched and outdated software exposed the agency to known vulnerabilities, and the IRS had not enforced backup procedures for a key system. Source: http://www.gao.gov/assets/590/589399.pdf
16. March 16, WTVT 13 Tampa Bay – (Florida; International) Credit card fraud ring busted in Pinellas. Authorities busted an international crime ring that had its headquarters in Pinellas County, Florida, WTVT 13 Tampa Bay reported March 16. The crimes involved luxury cars and credit cards. Authorities targeted 10 men, including the ring leader. The 3-year long joint operation involved the Pinellas County Sheriff’s Office, the U.S. Secret Service, and the Florida Attorney General’s Office.The alleged fraud totaled more than $3 million. Most of the suspects are originally from Bulgaria and Lithuania. The suspects were also accused of setting up phony corporations in Florida to run the cards and keep cash. The Pinellas County Sheriff said the men also made millions by taking out big dollar car loans to buy expensive vehicles with no intention of paying back the money. The cars were allegedly retailed in the state of Illinois and then shipped overseas and sold for double the price. Source: http://www.myfoxtampabay.com/dpp/news/local/pinellas/credit-card-fraud-ring-busted-in-pinellas-03162012
For another story, see item 43 below in the Information Technology Sector.
Information Technology
42. March 19, IDG News Service – (International) New iPad model has already been jailbroken. Hackers claimed to have figured out a way to bypass Apple’s technical restrictions and install unauthorized applications on the company’s latest iPad upon its release March 16. Apple forbids installing applications it has not approved, but hackers have found ways to “jailbreak” devices, or modify the code to allow unauthorized programs from alternative application stores. Source: http://www.computerworld.com/s/article/9225306/New_iPad_model_has_already_been_jailbroken?taxonomyId=17
43. March 19, IDG News Service – (International) Java-based Web attack installs hard-to-detect malware in RAM. Malware that does not create any files on the affected systems was installed onto the computers of visitors to news sites in Russia in a drive-by download attack, according to Kaspersky Lab. The attack code loaded an exploit for a known Java vulnerability, but it was not hosted on the affected Web sites themselves. Instead, it was served to their visitors through banners displayed by a third-party advertising service. The Java exploit’s payload consisted of a rogue dynamic-link library (DLL) loaded and attached on the fly to the legitimate Java process. This type of malware is rare, because it dies when the system is rebooted and the memory is cleared. The malicious DLL loaded into memory acted as a bot, sending data to and receiving instructions from a command and control server over HTTP. In some cases, the instructions given out by attackers were to install an online banking trojan on the compromised computers. “This attack targeted Russian users. However, we cannot rule out that the same exploit and the same fileless bot will be used against people in other parts of the world: They can be distributed via similar banner or teaser networks in other countries,” the researcher said. Source: http://www.computerworld.com/s/article/9225300/Java_based_Web_attack_installs_hard_to_detect_malware_in_RAM?taxonomyId=17
44. March 19, H Security – (International) VLC Media Player 2.0.1 closes security holes. Version 2.0.1 of the open source VLC Media Player has been released, H Security reported March 19. According to a VideoLAN developer, the maintenance update to VLC 2.0 “Twoflower” includes fixes for more than 110 bugs and closes 2 security holes that could be exploited by an attacker to compromise a victim’s system. The update addresses a stack overflow in MMS support as well as a heap-based buffer overflow in Real RTSP support which, its developers say, could lead to arbitrary code execution on most systems. For an attack to be successful, a user must first open a specially crafted file or a malicious Web site. All VLC versions up to and including 2.0.0 are affected; upgrading to 2.0.1 fixes these issues. Source: http://www.h-online.com/security/news/item/VLC-Media-Player-2-0-1-closes-security-holes-1474770.html
45. March 19, Threatpost – (International) Researcher says 5 million machines exposing RDP service online. A network security researcher scanned a large part of the Internet in the wake of the release of the patch for the Remote Desktop Protocol (RDP) bug and the publication of exploit code. He started the scan March 16 and hit 300 million IP addresses. He found there were about 415,000 machines communicating using part of the RDP protocol. “Extrapolating from this sample, we can see that there’s approximately 5 million RDP endpoints on the Internet today ... it’s pretty clear that, yes, RDP is actually an enormously deployed service, across most networks in the world,” he said. “There’s something larger going on, and it’s the relevance of a bug on what can be possibly called the Critical Server Attack Surface. Not all bugs are equally dangerous ... but some flaws are simply more accessible, and RDP — as the primary mechanism by which Windows systems are remotely administered — is a lot more accessible than a lot of people were aware of.” RDP is used widely in enterprise networks and small business environments for remote management of machines. In larger networks that have tight administration and regular patching programs and schedules, the bug likely will be addressed quickly, whether through patching or by disabling RDP on machines if it is unnecessary. Some percentage of those machines were already patched, as the fix has been out now for almost a week. However, in smaller networks that may not have a full-time administrator or IT staff, the problem is more problematic. If the business owners do not even know RDP is enabled or what it is for, they may also not realize the importance of patching the vulnerability. That leaves a large potential target base for attackers, even if the majority of enterprise administrators patch their vulnerable machines. Source: http://threatpost.com/en_us/blogs/researcher-says-5-million-machines-exposing-rdp-service-online-031912
46. March 18, Computerworld – (International) Microsoft blames security info-sharing program for attack code leak. March 16, Microsoft confirmed sample attack code created by the company likely leaked to hackers from a program it runs with antivirus vendors. “Details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protection Program (MAPP) partners,” a director with Microsoft’s Trustworthy Computing group said in a statement. “Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements,” he added. Under the MAPP, Microsoft provides select antivirus companies with technical information about bugs before Microsoft patches the flaws. It is meant to give third-party security vendors advance warning so they can craft detection signatures. Among the things Microsoft shares with MAPP members, according to a program FAQ, are “proof-of-concept or repro tools that further illuminate the issue and help with additional protection enhancement.” The acknowledgment by Microsoft was prompted by claims earlier in the day by the Italian researcher who reported the vulnerability in Windows Remote Desktop Protocol in May 2011. Source: http://www.computerworld.com/s/article/9225293/Microsoft_blames_security_info_sharing_program_for_attack_code_leak?taxonomyId=17
47. March 16, Infosecurity – (International) New Imuler trojan variant for the Mac disguises itself as image file. A new version of the Imuler trojan is disguising itself as image files, according to Intego, which first discovered the Trojan September 2011. Intego found two samples of the new version, designated as Imuler.C, on the VirusTotal Web site, which is used by security companies to share malware samples. Inboth samples, an application was included with an icon making it look like an image. Intego said the technique “takes advantage of a default setting in the Mac OS X Finder, whereby file extensions are not displayed. Users double-clicking on the application launch the malware, which quickly deletes itself, replacing the original application witha real JPEG image corresponding to the one that was an application, and displays this image in the user’s default image viewer. There is no visible trace of the application after this point.” The malware then installs a backdoor. “This malware searches for userdata, and attempts to upload it. It also takes screenshots and sends them to the server. It creates a unique identifier for the specific Mac to be able to link the Mac and the data it collects. We have seen this malware is active, as it connects to a remote server and downloads new executables,” Intego related. Source: http://www.infosecurity-magazine.com/view/24606/
48. March 15, V3.co.uk – (International) Symantec warns of 64-bit Windows trojans. Symantec warned of a new Windows 7 trojan that can elevate the privileges of any restricted process to administrator level, without the user’s permission or knowledge. The latest fully patched versions of Windows 7 are vulnerable to the backdoor.Conpee trojan, warned a security response engineer at Symantec. The new trojan targets 32-bit and 64-bit versions of Windows 7, adding to the growing weight ofevidence that malware writers are redesigning their software to bypass security features in 64-bit Windows, he said. The 64-bit version of Windows 7 and Vista included Kernel Mode Code Signing and Kernel Patch Protection, intended to make them less vulnerable to malware. But backdoor.Conpee and the recently-discovered Backdoor.Hackersdoor trojan have both been shown to infect 64-bit operating systems, the researcher said. “What was just a theory not so long ago is now being used in-the-wild by [these] threats,” he warned. The Hackersdoor trojan is able to bypass the driver signing system used in 64-bit Windows using stolen certificates. Symantec first detected this type of infection in December 2011, and while the number of infections seen in the wild since then have been modest, it appears the malware writers have been using it as a test case, the researcher added. Source: http://www.v3.co.uk/v3-uk/news/2159725/symantec-warns-bit-windows-trojans
For more stories, see items 13, 14, and 15 above in the Banking and Finance Sector.
Communications Sector
See item 42 above in the Information Technology Sector.
No comments:
Post a Comment