Wednesday, May 16, 2012

Complete DHS Daily Report for May 16, 2012

Daily Report

Top Stories

• Vandals throwing big rocks and other debris onto Chicago-area expressways damaged more than a dozen vehicles in at least five separate incidents in recent days. – Chicago Sun-Times

16. May 15, Chicago Sun-Times – (Illinois) Fifth rock-throwing incident in a week damages cars on expressways. Vandals throwing debris onto Chicago-area expressways damaged more than a dozen vehicles in at least five separate incidents in recent days, including two May 14. A white Toyota utility vehicle windshield was broken during the first incident May 14 on the Eisenhower Expressway near Pulaski Road, a State Police District Chicago trooper said. Illinois Department of Transportation crews found the projectile was thrown from the top of the overpass. Two drivers were examined, but neither suffered serious injuries. Less than 4 hours later, witnesses saw kids throwing rocks at cars on I-57 from a bridge. May 13, five cars were damaged by rocks. Prosecutors charged two teens May 10 for allegedly throwing rocks at vehicles on the Chicago Skyway, May 9. They were charged with one count of felony vehicular endangerment and six counts of misdemeanor criminal damage to property, police said. Seven vehicles were hit with projectiles that damaged hoods and windshields, Calumet Area police said. Source:

• Sensitive personal data for more than 700,000 people who provide or receive home care for the elderly and disabled may have been compromised when payroll data disappeared in the mail, according to California officials. – Los Angeles Times

30. May 12, Los Angeles Times – (California) Personal data for home care workers, recipients lost in the mail. Sensitive personal information for more than 700,000 people who provide or receive home care for the elderly and disabled may have been compromised when payroll data went missing in the mail, California officials revealed May 11. The breach occurred when Hewlett-Packard, which handles the payroll data for workers in California’s In-Home Supportive Services program, was shipping information including Social Security numbers to an office in Riverside in April. The package arrived damaged and incomplete. Advocates and union officials expressed alarm not only at the breach, but also at the procedure for transporting sensitive personal data — a package of microfiche sent via the U.S. Postal Service. The State opened an internal investigation and notified law enforcement, said a spokesman for the California Department of Social Services. Notices will be sent to everyone who may be affected, and officials were reviewing policies to prevent future problems. Source:,0,1683191.story

• U.S. military officials confirmed a wide-ranging investigation has uncovered a criminal conspiracy involving dozens of members of the Armed Forces. Officials recovered nearly $2 million in guns and combat gear that soldiers and civilians stole and sold to gangs in the United States and foreign countries. – Jacksonville Daily News

35. May 14, Jacksonville Daily News – (North Carolina; National; International) Officials: Nearly $2 million in guns, combat gear sold to gangs. U.S. military officials confirmed a wide-reaching investigation by authorities in Jacksonville, North Carolina, uncovered a criminal conspiracy within the Armed Forces to steal and sell nearly $2 million in guns and combat gear to gangs in the United States and foreign countries including China, the Jacksonville Daily News reported May 14. Commanders from Camp Lejeune and II Marine Expeditionary Force were working closely with the Naval Criminal Investigative Service (NCIS) during the investigation, said the deputy director of public relations for Marine Corps Installations East. The probe began more than a year and a half ago. NCIS recovered $1.8 million in stolen guns and combat gear. Those involved are accused of stealing, over-ordering, or otherwise obtaining equipment and selling guns locally and other gear over the Internet. With cooperation from Marine and Navy officials, NCIS was able to conduct 66 investigations involving 47 active duty Marines and sailors and 21 civilians who are now in various stages of prosecution. NCIS agents identified stolen property from the Army and Air Force which launched numerous investigations involving soldiers and airmen, military officials confirmed. Source:

• After stopping for several weeks, jamming of York County, Maine emergency radio transmissions started again. A May 12 incident of jamming delayed emergency response to a mobile home fire and resulted in extensive damage to four homes. – Associated Press

36. May 15, Associated Press – (Maine) Radio jamming again a problem in York County. Authorities thought the threat of a federal investigation finally stopped the person jamming Maine’s York County emergency radio transmissions, often delaying responses, but after several weeks without a problem the mystery jammer is apparently back at work. The Lebanon fire chief said the latest incident occurred May 12 as firefighters called for mutual aid to battle a mobile home fire in Lebanon. Firefighters were unable to communicate with dispatchers. The chief said response was delayed by 5 to 10 minutes. The mobile home was destroyed, and three others nearby were damaged. Source:

• Three of the most popular brands of closed-circuit surveillance cameras used by banks, hotels, hospitals, and other industries are sold with remote Internet access enabled by default and with weak password security, according to new research. – Wired See item 40 below in the Information Technology Sector

• Federal authorities joined the investigation after police in Palm Springs, California, found six crude pipe bombs near mobile home parks and other homes over a 5-day period. – Associated Press

50. May 14, Associated Press – (California) 6th discarded pipe bomb found in Palm Springs. Six crude pipe bombs found scattered on desert streets over a 5-day period have Palm Springs, California police and residents on edge as federal authorities join the investigation, a police spokesman said May 14. The pipe bombs, crudely fashioned out of plastic or steel pipe, were clearly assembled by an amateur rather than a terrorist, a police official said. The police department called in the Riverside County Sheriff’s Bomb Squad to handle disposal. The police department, FBI, and Bureau of Alcohol, Tobacco, Firearms and Explosives partnered to offer a $15,000 reward for information leading to the arrest and conviction of whoever is responsible. All of the devices were found scattered on north Palm Springs streets within 1 mile of the first pipe bomb discovery May 8. The locations were near homes, mobile home parks, and the open desert. “This is taxing our resources, and they are dangerous,” a police official said. The first bomb was found by a man on his morning walk who took it home His son spotted it in his garage and said he thought it was a pipe bomb. The son took the device to the police department, which had to be evacuated until the sheriff’s bomb squad showed up to disarm what turned out to be a live bomb, a police sergeant said. Source:


Banking and Finance Sector

11. May 15, Softpedia – (International) P2P ZeuS variant used to steal debit card details. As revealed by security experts, Visa, MasterCard, Facebook, Gmail, Hotmail, and Yahoo all have a peer-to-peer (P2P) variant of the Zeus platform in common, Softpedia reported May 15. For each platform, cybercriminals have made a clever scenario, Trusteer reported. When targeting Facebook users, attackers use a Web inject to push an offer that urges users to link their Visa or MasterCard debit cards to their social media account. By doing so, the victim allegedly earns cash every time he/she purchases Facebook credits. The attacks against Gmail, Hotmail, and Yahoo customers start with the advertisement of a new authentication service called 3D Secure, allegedly connected to the Verified by Visa and MasterCard SecureCode programs. The Hotmail scheme is somewhat similar with the potential victims being informed of the fact that “Windows Live Inc” is concerned about their security, offering a “100% secure, fast and easy” method of preventing fraud by linking the account to the debit card. In each scenario, the customer is presented with a number of textboxes in which he must enter his debit card number, expiration date, security code, and even the PIN. Source:

12. May 15, Help Net Security – (International) Sophisticated bogus PayPal emails lead to phishing. PayPal users are being targeted with e-mails purportedly coming from the e-payment giant and asking for their help. The e-mail contains a link that will supposedly take users to PayPal’s log-in page but lands them on a spoofed one. Once users “log in,” they are asked to fill in personal and financial data, including name, birth date, phone number, home address; debit/credit card type, number, expiration date, and card verification number; Social Security number and two security questions and answers. Once submitted, this information is sent to the scammers who can use it to hijack the PayPal account and perform identity theft. Hoax-Slayer warns this scam is a bit more sophisticated than previous ones, as the text of the scam message is rather accurate, and the address of the fake Web site includes “paypal” along with a long string of numbers and letters. “The fake site includes all of the elements and navigation links familiar to PayPal users. However, clicking these links does not lead to another part of the site as expected but simply reloads the same scam form,” a researcher pointed out. Source:

13. May 14, Reuters – (National; International) SEC charges China Natural Gas, chairman with fraud. A China-based natural gas company and its chairman were charged with fraud by the U.S. Securities and Exchange Commission (SEC) for concealing loans designed to benefit the chairman’s family. In January 2010, the chairman and former chief executive (CEO) of China Natural Gas Inc. (CNG) arranged for two improper loans totaling $14.3 million, and then lied about them to the company’s board, investors, and auditors, the SEC said May 14. According to the SEC, the former CEO concealed a $9.9 million loan made through a sham borrower to a real estate firm owned by his son and nephew. It said he also concealed a $4.4 million loan to Shaanxi Juntai Housing Purchase Co. The SEC said the CEO told CNG directors the loans involved senior Chinese government officers in charge of a liquid natural gas project, and “repeated this lie” to investors on a quarterly earnings conference call. It also said CNG did not properly report a $19.6 million acquisition made in the fourth quarter of 2008. The lawsuit seeks civil fines and a ban on the CEO from acting as an officer and director of a public company. In September 2011, CNG announced the CEO’s resignation and said it would restate some financial results. Source:,_chairman_with_fraud/

14. May 14, Washington, D.C. Examiner – (Virginia) Suspects wanted in 4 Virginia bank robberies. Investigators believe the same culprits are behind four armed bank robberies in central Virginia, the Washington, D.C. Examiner reported May 14. The robberies happened in Sussex and Chesterfield counties in March and April. The FBI said in May that authorities determined the heists are linked based on statements from witnesses and a review of surveillance photographs from the robberies. One robber entered the bank in the first two heists; two suspects were seen in the other two robberies, according to the FBI. The suspects brandished handguns in all of the incidents, and a shot was fired during one robbery. Source:

15. May 14, Housingwire – (National) Suspected mortgage fraud tops FinCen list. Potential mortgage fraud reports recorded in 2010 and 2011 accounted for 37 percent of all suspicious mortgage-related activity filings in the past decade, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) said in a new study. Between the years 2010 and 2011, suspicious activity reports (SARs) citing potential mortgage fraud shot up 31 percent, hitting 92,028 filings in 2011, compared to 70,472 in 2010. Suspected mortgage fraud is now the most popular subject for a SAR, outstripping suspected check fraud for the number one spot. FinCEN suggested the recent 2-year spike in fraud reports is directly tied to mortgage repurchase demands filed by financial firms that are now questioning the initial underwriting and other issues associated with the original mortgage. Source:

For another story, see item 40 below in the Information Technology Sector

Information Technology

40. May 15, Wired – (International) Popular surveillance cameras open to hackers, researcher says. Three of the most popular brands of closed-circuit surveillance cameras are sold with remote Internet access enabled by default, and with weak password security — a classic recipe for security failure that could allow hackers to remotely tap into the video feeds, according to new research. The cameras, used by banks, retailers, hotels, hospitals, and corporations, are often configured insecurely — thanks to these manufacturer default settings, said a senior security engineer at Gotham Digital Science. As a result, he says, attackers can seize control of systems to view live footage, archived footage, or control the direction and zoom of adjustable cameras. The researcher and his team were able to view footage as part of penetration tests they conducted for clients to uncover security vulnerabilities. Source:

41. May 15, The Register – (International) Apple scrubs old Leopards of Flashback trojan infections. Apple released patches that defend users of its older Mac OS X 10.5 Leopard operating system against security threats. The May 14 security fixes help defend Mac users on the 2-year-old operating system against assaults by the Flashback trojan. Users of the newer Snow Leopard (10.6) and Lion (10.7) operating systems received equivalent fixes in April. Apple’s Leopard Flashback Removal Security Update is designed to clean Macs running the legacy OS that are not yet running an anti-virus package. In addition, the security update disables Safari’s Java plugin by default. Leopard Security Update 2012-003 disables older versions of Adobe Flash Player, encouraging users to get the latest version directly from Adobe’s Web site. Both updates can be applied via the Software Update feature built into Mac OS X, but will only work if the latest version of that particular track of the operating system, Mac OS X Leopard version 10.5.8, has already been applied. Apple is acting to prevent users of legacy versions of its operating system from harboring the Flashback trojan. Such support is unlikely to continue indefinitely and is likely to disappear entirely once Apple updates Mac OS X 10.7 Lion. Source:

42. May 15, Softpedia – (International) ‘How to Earn Money’ apps hide fraud trojan. Cybercriminals are starting to focus their attention on scams that advertise methods and products that rely on applications. Experts from Bitdefender discovered a piece of software called “How to Earn Money,” which can allegedly help users make cash without a hassle. In reality, the shady app hides malware, identified by Bitdefender as Trojan.Fraud.A. Once installed, the program places itself in the Program Files folder, it creates shortcuts, and starts pushing HTML pages that advertise a tool that can help users earn tens of thousands of dollars in just over a month. To gain possession of the tool, users must pay a fee of $37 or $47. Source:

43. May 15, H Security – (International) Fraunhofer Institute finds security vulnerabilites in cloud storage services. The Fraunhofer Institute for Secure Information Technology tested seven cloud storage service providers and published its results in a report. The authors of the report found vulnerabilities affecting registration and login, encryption, and shared access to data for several services. The study looked at CloudMe, CrashPlan, Dropbox, Mozy, TeamDrive, Ubuntu One, and Wuala. The functions examined by Fraunhofer were copying, backup, synchronization, and sharing. Only TeamDrive and Wuala offer all four of these features. CrashPlan and Mozy only offer a backup service — a service not offered by CloudMe, Dropbox, or Ubuntu One. Source:

44. May 15, H Security – (International) Avira AV update hangs systems. A faulty update for Avira’s paid-for anti-virus software blocks harmless processes and may, in some cases, stop computers from booting. The update results in the ProActiv behavioral monitoring component becoming oversensitive in treatment of executable files. According to user reports, ProActiv blocks trusted system processes such as cmd.exe, rundll32.exe, taskeng.exe, wuauclt.exe, dllhost.exe, iexplore.exe, notepad.exe, and regedit.exe. In some cases, this results in Windows failing to boot properly. It also appears to be blocking non-OS applications such as Microsoft Office, the Opera Web browser, and Google’s Updater. All versions that include the ProActiv monitoring component are affected, including Avira Antivirus Premium 2012 and the enterprise version; only 32-bit systems are affected, as ProActiv does not currently support 64-bit operating system. Users who installed the update are advised to disable ProActiv. In a statement to the H’s associates at heise Security, Avira confirmed the problem and said developers are working on an automatic update to resolve the bug. The potential scale of the bug is huge — according to Avira, the faulty update was already downloaded more than 70 million times (this figure includes those running the free version of Avira which is not affected). The company stopped distributing the update. Source:

45. May 14, SecurityWeek – (International) Trend Micro reveals top document attack vectors from April. Trend Micro researchers recently revealed just how prevalent the use of certain document types is among attackers. By far, the two most popular document formats for hackers targeting Microsoft Office software are Word and Excel files, which were used in a combined 90 percent of attacks on Microsoft Office in April. The biggest reason for this is that the two most reliable exploits used by hackers targeted CVE-2010-3333 and CVE-2012-0158, which are both Word vulnerabilities. Source:

For more stories, see items 11 and 12 above in the Banking and Finance Sector and 47 below in the Communications Sector

Communications Sector

46. May 15, Naples Daily News – (Florida) WGCU back on the air after lightning strike. After a day and a half of silence, WGCU 90.1 FM Fort Myers, Florida, was back on the air May 15. A lightning strike May 13 to a radio tower near Florida Gulf Coast University disrupted service to the public broadcasting station for 38 hours. The station relied on Internet radio and mobile device applications to continue programming WGCU’s companion television station was not affected during the outage, nor was its radio affiliate, WMKO 91.7 FM Marco Island. Source:

47. May 15, PCWorld – (National) Debut of cut-rate mobile plan marred by alleged malicious attack. The launch of a cut-rate unlimited mobile plan offered by upstart Voyager Mobile was marred May 15 by what the company claims is “a malicious network attack to its primary website.” The company now says it is postponing the launch of its budget plan until an unspecified date. Voyager posted a note to its Web site: “Due to the network outage, Voyager Mobile is postponing its launch to a time and date in the very near future.” Voyager declined to comment when asked about the alleged attack, and it is unclear why any group or individual would target this company. Source:

No comments: