Friday, January 6, 2012

Complete DHS Daily Report for January 6, 2012

Daily Report

Top Stories

• Sub-freezing temperatures cracked rail lines and affected train cars, closing and delaying rail service for many hours in the Washington D.C., New York, and Philadelphia metro areas. – Washington Post (See item 18)

18. January 4, Washington Post – (National) Cracked rails from fast chill cause widespread delays on DC Metro system. Sub-freezing temperatures caused rush-hour delays on four of Washington Metropolitan Area Transit Authority’s (Metro) five lines January 4, cracking sections of rail along two stretches of track and turning an already cold commute into a frigid marathon for some riders in Washington, D.C., Maryland, and Virginia. Temperatures in the region went from 60 degrees January 1 to the 40s January 2 and then dropped to 17 degrees by January 4, according to the National Weather Service. That caused a shock to the steel rails on Metro’s tracks, said Metro’s chief spokesman. On the Yellow Line, a 4-inch gap opened in a rail along the bridge across the Potomac River, he said, and a quarter-inch gap was found in a rail on the Red Line near the Takoma station. It can be unsafe to run trains over cracked rail lines, so rail service had to be suspended, and inbound and outbound trains shared a single track on both the Yellow and Red lines, the spokesman said. A nearly 40-foot piece of rail was replaced on the Yellow Line after rush hour, he said. The Red Line crack was temporarily bridged with a “splice bar” that held the pieces together so trains could use that section of track. By 1 p.m., a piece of 40-foot rail went into place on the Red Line to permanently replace the cracked rail. On January 3, in Long Island, New York, broken rail lines due to the cold weather caused 30-minute delays, said a spokesman for the Long Island Rail Road. A spokesman for the Southeastern Pennsylvania Transportation Authority said his transit system has not had cracked-rail problems, but noted sudden changes in temperatures can cause other issues. The change in weather the week of January 2 caused problems with the rail car doors in Philadelphia, which tend to stick when the temperature swings, he said. Source:

• A bank account-raiding worm is spreading on Facebook, having stolen log-in credentials from more than 45,000 users as it moves across the site, security researchers said. – The Register. See item 39 below in the Information Technology Sector.


Banking and Finance Sector

10. January 5, Tampa Bay Business Journal – (Massachusetts) SEC charges Palm Harbor man with accounting fraud. The U.S. Securities and Exchange Commission (SEC) January 4 filed an action, accusing JBI Inc. of engaging in a scheme to commit securities and accounting fraud. The complaint also names JBI’s chief executive officer and its former chief financial officer. The defendants are accused of stating materially false and inaccurate financial data on the financial statements of JBI for two reporting periods in 2009, and using the overvalued statements in two private capital-raising efforts that raised more than $8.4 million, a statement said. The SEC is seeking permanent injunctions, disgorgement, and civil penalties. Source:

11. January 4, Cerritos-Artesia Patch – (California) Puffy Coat Bandit strikes Cerritos-area bank. Four days after taking cash from Union Bank in Glendora, California, the Puffy Coat Bandit has hit another bank, reportedly in Cerritos and has shed his signature jacket, the Cerritos-Artesia Patch reported January 3. The bank robber hit a Chase Bank about 1:45 p.m., according to officials. He operated under the same tactics, carrying a similar binder, wearing a similar knit cap, issuing a demand note and wearing the same expression on his face, an FBI spokeswoman said. There were two changes to the robber’s appearance, however. He allegedly was clean shaven and switched out his “puffy coat” for a different type. The robber took an undisclosed amount of cash from the Cerritos bank. Source:

12. January 4, KMSP 9 Minneapolis-Saint Paul – (Minnesota) Bank robber caught, possibly ‘Man in Black’. The FBI is investigating whether a bank robbery suspect arrested near St. Peter, Minnesota, is the serial robbed dubbed the “Man in Black.” The suspect was arrested by St. Peter police after he was seen driving a vehicle suspected in the robbery of Rolling Hills Bank in the town of Brewster January 3. He will be formally charged in connection with the Brewster robbery while the FBI works to determine if he is in fact the man who has committed several bank robberies in the Twin Cities metro. Over the past 2 months, the Man in Black has earned a reputation as the most prolific and elusive serial bank robber in Minnesota since the Fishing Hat Bandit, pulling off half a dozen heists since early November. Source:

13. January 4, Reuters – (Illinois) SEC says adviser defrauded investors using LinkedIn. Securities regulators charged an Illinois-based investment adviser January 4 with using LinkedIn and other social media networking Web sites to lure investors by offering more than $500 billion in fake securities. The Securities and Exchange Commission (SEC) alleged the adviser made the fraudulent offers to sell securities through two sole proprietorships — Anthony Fields & Associates (AFA) and Platinum Securities Brokers. It said the man provided false and misleading information about clients, assets under management and even the history of his firm’s business. The SEC said he lied on forms he filed with the commission by claiming to have $400 million in assets under management — when in fact he had none. The SEC also alleged he violated numerous other securities regulations by failing to maintain adequate books and records or carry out proper compliance procedures. He held himself out as a broker-dealer even though he never properly registered with the SEC, the agency said. The SEC’s enforcement action against the adviser comes as it has increased scrutiny of the use of social media in the financial services industry. The SEC January 4 used the enforcement case against the adviser as an opportunity to make an example of the issue by warning investors about the dangers of online scams. It also urged investment advisers to be more cautious about their use of social media to attract clients. Source:

14. January 4, IDG News – (International) SpyEye malware borrows Zeus trick to mask fraud. A powerful bank-fraud software program, SpyEye, has been seen with a feature designed to keep victims in the dark long after fraud has taken place, according to a January 4 report from security vendor Trusteer. SpyEye is notable for its ability to inject new fields into a Web page, a technique called HTML injection, which can ask banking customers for sensitive information they normally would not be asked. The requested data can include logins and passwords or a debit card number. It can also use HTML injection to hide fraudulent transfers of money out of an account by displaying an inaccurate bank balance. Trusteer found SpyEye also hides fraudulent transactions even after a person has logged out and logged back into their account. SpyEye does this by checking its records to see what fraudulent transactions were made with the account, then deleting them from the Web page, said Trusteer’s chief executive officer (CEO). The account balance is also altered. It appears SpyEye has borrowed from Zeus, a famous piece of banking malware now commonly available and considered its parent. Trusteer has seen the technique used when a fraudster uses SpyEye to capture debit card details. When that data is obtained, the fraudster conducts a purchase over the Web or phone, and SpyEye masks the transaction, the CEO said. It does not affect, however, the bank’s ability to see the fraud, he said. Source:

15. January 4, Reuters – (Connecticut) Possible data breach by Wells Fargo investigated. Connecticut’s attorney general is investigating a possible data breach in which Wells Fargo & Co may have disclosed customer Social Security numbers as part of a fraud investigation, Reuters reported January 4. The possible breach is the latest wrinkle in a probe into whether state employees falsified financial data on applications submitted for food benefits issued in the aftermath of Hurricane Irene, which struck the east coast last fall. The state department of social services had sent subpoenas to Wells Fargo seeking financial records as part of the investigation, according to a news release issued by the state attorney general (AG). The fourth-largest U.S. bank then may have provided customers copies of the subpoenas, which included Social Security numbers of multiple individuals, according to the statement. The AG sent a letter to Wells Fargo asking for an explanation of why the bank may have disclosed the information. A Wells Fargo spokesman said the bank’s focus is on its customers and other individuals who were affected. The bank will offer them the option of signing up for identity theft protection, he said. The Connecticut governor in December announced an investigation into the benefits, which were made available to low-income Connecticut residents who incurred disaster-related expenses from Irene. An attorney, who represents some of the state employees under investigation, raised questions about the subpoenas in a news conference January 3. He said he knows of two customers who received subpoenas containing a total of 130 names and Social Security numbers. Source:,0,2305175.story

For another story, see item 39 below in the Information Technology Sector.

Information Technology

36. January 5, The Register – (International) Sites knocked offline by OpenDNS freeze on Google. Innocent Web sites were blocked and labelled phishers January 4 following an apparent conflict between OpenDNS and Google’s Content Delivery Network (CDN). OpenDNS — a popular domain name lookup service — sparked the outage by blocking access to, Google’s collection of useful scripts and apps for Web developers. According to reports, a flood of errors hit pages that used Google-hosted jQuery and hundreds of thousands of sites fell over. Visitors to Web sites were confronted with a message saying: “Phishing site blocked. Phishing is a fraudulent attempt to get you to provide personal information under false pretenses.” Other visitors were greeted with a 404 error. Web design and hosting specialist Brit-Net told The Register the outage lasted nearly 3 hours. As sites and service providers struggled to get back online, they employed fallback scripts and re-routed traffic to CDN. The cause of the problem with OpenDNS seemed to be the security certificates, according to a Brit-Net researcher. Source:

37. January 5, Threatpost – (International) New version of OpenSSL fixes six flaws. A new version of the OpenSSL package has been released, fixing six vulnerabilities, including a plaintext recovery attack on the DTLS implementation. There are two other cryptographic flaws fixed in OpenSSL 1.0.0f, and a few other less-serious problems. The most problematic of the vulnerabilities fixed in the new version is the one that enables the plaintext recovery attack, which was discovered by a pair of security researchers who found a way to extend the CBC padding oracle attack. The attack enables someone to exploit the problem with OpenSSL’s DTLS implementation to recover the plaintext version of an encrypted message. Source:

38. January 5, Softpedia – (International) New AOL Instant Messenger raises privacy concerns, EFF reports. The Electronic Frontier Foundation (EFF) analyzed the preview version of the latest AOL Instant Messenger and concluded users should not install it due to serious privacy concerns. The first issue is conversation logs are stored by default and secondly, all private instant messages are scanned for URLs, which means all the chats are fetched to AOL’s servers in Virginia. AOL’s decisions to move some of their services to the cloud, where data is usually stored in a plain text form, raises serious concerns because cybercriminals and law enforcement agencies could access it if they have a warrant. The customers’ privacy is at stake because in both scenarios their private conversations may become exposed even without their knowledge. Regarding the fact conversations are fetched to their servers to be scanned for URLs raises concerns with the EFF because AOL gives no clear indication on how this process occurs in their terms of service or privacy policies. The foundation believes the company should not only give users initial notice with an opt-in check box, but also explain to them in clear and specific terms how information is handled. AOL promised to disable this functionality for conversations that are marked to be “off the record.” However, the “off the record” feature is available only for customers who utilize the latest version of the program. Source:

39. January 5, The Register – (International) Worm slurps 45,000 Facebook passwords. A bank account-raiding worm has started spreading on Facebook, stealing log-in credentials as it moves across the site, security researchers said. Evidence recovered from a command-and-control server used to coordinate the evolving Ramnit worm confirms the malware already stole 45,000 Facebook passwords and associated e-mail addresses. Experts from Seculert, who found the controller node, supplied Facebook with a list of all the stolen credentials found on the server. Most of the victims are from either the United Kingdom or France. Ramnit differs from other worms that use Facebook to spread because it relies on multiple infection techniques, and it only recently extended onto social networks. “Ramnit started as a file infector worm which steals FTP credentials and browser cookies, then added some financial-stealing capabilities, and now recently added Facebook worm capabilities,” the CTO at Seculert said. “We suspect that they use the Facebook logins to post on a victim’s friends’ wall links to malicious Web sites which download Ramnit,” he added. Ramnit first appeared in April 2010. By July 2011, variants of the malware accounted for 17.3 percent of all new malicious software infections, according to Symantec. In August 2011, Trusteer reported variants of Ramnit were packing sophisticated banking log-in credential snaffling capabilities — technologies culled from the leak of the source code of the Zeus cybercrime toolkit at around the same time. The new Ramnit configuration was able to bypass two-factor authentication and transaction-signing systems used by financial institutions to protect online banking sessions. The same technology might also be used to bypass two-factor authentication mechanisms to gain remote access to corporate networks, Seculert warns. Source:

40. January 4, H Security – (International) Apache Struts update closes critical holes. The Apache Struts developers released version of their open source framework for Java-based Web applications. The update closes critical holes in Struts 2, fixing four old and well-known security vulnerabilities that could be exploited by an attacker to circumvent restrictions by using dynamic method invocation (DMI) to inject and execute malicious Java code. Versions 2.1.0 to 2.3.1 of Struts are affected; upgrading to corrects the issues. Alternatively, the security advisory provides instructions for changing a configuration file that mitigates the problem.Source:

For another story, see item 14 above in the Banking and Finance Sector.

Communications Sector

41. January 3, New Orleans Times-Picayune – (Louisiana) Ex-AT&T employee accused of stealing copper wire from company sites. An ex-AT&T employee who had been allegedly stealing spools of copper wire from his former employer for weeks was arrested after being caught inside a storage site near Covington, Louisiana, a spokesman from the St. Tammany Parish Sheriff’s Office said January 3. Deputies have booked the man with breaking into the telecommunication firm’s facilities on the north shore at least 17 times and pilfering the equipment during 16 of those occasions, an agency spokesman said. Investigators began probing a series of copper thefts from AT&T complexes at the beginning of November, the spokesman said. Many sheriff’s divisions subsequently staked out the company’s site. On December 28, the suspect was supposedly spotted in the storage yard. He allegedly threw a punch at a deputy who confronted him before he was subdued, the spokesman said. The sheriff’s office jailed the suspect in connection with the break-ins, the thefts, and resisting arrest. It expects to add more counts as the investigation develops. Investigators suspect the man was selling the copper to recycling businesses. The suspect worked at AT&T 4 years ago, but no other details of his employment were available. Source:

For another story, see item 38 above in the Information Technology Sector.