Wednesday, January 25, 2012

Complete DHS Daily Report for January 25, 2012

Daily Report

Top Stories

• A burst of radiation on the sun’s surface triggered a geomagnetic storm on Earth January 24 that forced airlines to reroute flights and may have disrupted satellite communications and the Global Positioning System. – San Francisco Chronicle (See item 31)

31. January 24, San Francisco Chronicle – (International) Solar flare may hit satellite communications, GPS. A burst of radiation on the sun’s surface may trigger a geomagnetic storm on Earth January 24 that could disrupt satellite communications and the Global Positioning System by mid-morning, scientists at the Space Weather Prediction Center said January 23. The eruption — called a solar flare — has also sent billions of tons of matter streaming toward Earth from the sun’s surface at millions of miles per hour in what scientists call a coronal mass ejection, according to a physicist at the center in Boulder, Colorado. The radiation storm could create unusually intense flares of the aurora borealis — the northern lights — and has caused some international airlines to divert planes from polar routes to courses where radio communication is less likely to be affected, the physicist said. A new National Aeronautics and Space Administration satellite called the Solar Dynamics Observatory is vastly improving the ability of scientists to predict the violent magnetic storms that threaten Earth and to understand the mysterious nature of solar physics, the physicist said. Source:

• A researcher located and mapped more than 10,000 industrial control systems hooked up to the public Internet, and found many were open to easy hack attacks because of lax security. – Wired. See item 37 below in the Information Technology Sector.


Banking and Finance Sector

6. January 24, Charlotte Observer – (North Carolina) 6 charged in Charlotte-area mortgage scheme. Federal prosecutors filed charges against six Charlotte, North Carolina-area defendants over mortgage fraud-related offenses and a “builder kickback” scheme, the latest fallout from the housing market bust, the Charlotte Observer reported January 24. The defendants are accused of working with Charlotte home builder Tara Properties to sell houses by offering kickbacks to straw buyers. The kickbacks were not disclosed to lenders or included on loan applications, according to documents filed last week in federal court. The scheme resulted in hundreds of sales between January 2005 and February 2008, with Tara paying more than $5 million in kickbacks, the filings say. The conspirators fraudulently caused lenders to provide more than $42 million in loans, prosecutors allege. Tara specialized in building homes priced between $100,000 and $200,000, and the company offered kickbacks of 15 percent of the sales price. Defendants lied on loan applications about income and assets, employment, debts and anticipated debts, and intent to occupy the home as a primary residence, court documents say. Some applications also contained false or forged documents such as bogus payroll stubs and bank statements. The straw buyers recruited by the promoters and mortgage brokers generally were unqualified to obtain the loans, and the “vast majority” of homes lapsed into foreclosure, according to prosecutors. The six defendants indicted the week of January 16 in connection with the builder-kickback scheme have been charged with mortgage fraud conspiracy and money laundering conspiracy. Source:

7. January 23, Birmingham Business Journal – (Alabama) Wells Fargo, Regions branches among businesses damaged in Center Point. Banks and several other businesses in Center Point, Alabama, were damaged by storms that swept through Jefferson County January 23. The Wells Fargo and BBVA Compass branches on Center Point Parkway were heavily damaged and were closed the morning of January 23. Representatives from Wells Fargo said the downtown branch would open at 10:30 a.m. A spokesperson from BBVA Compass said the bank sustained only minor damage and was expected to reopen January 24. Regions Bank’s Center Point branch was also closed due to minor damage. Regions’ Deerfoot Parkway and Pinson branch locations were closed due to road and power issues in those areas. A Regions representative said there were power outages in market areas outside of Birmingham that had been affected by the severe weather, and that isolated branch closings would be possible. Source:

8. January 23, U.S. Department of Treasury – (International) Treasury designates major Iranian state-owned bank. The U.S. Department of the Treasury January 23 designated Iran’s third-largest bank, Bank Tejarat, for providing financial services to several Iranian banks and firms already subject to international sanctions for involvement in Iran’s weapons of mass destruction (WMD) proliferation activities. With the January 23 action, 23 Iranian-linked financial institutions, including all of Iran’s largest state-owned banks, have been sanctioned by the United States based on their involvement in Iran’s illicit activities. Bank Tejarat was designated pursuant to Executive Order (E.O.) 13382 (Blocking Property of WMD Proliferators and Their Supporters) for providing financial services to Bank Mellat, the Export Development Bank of Iran (EDBI), the Islamic Republic of Iran Shipping Lines (IRISL), and the Ministry of Defense for Armed Forces Logistics (MODAFL), all of which were previously designated by Treasury or the Department of State for involvement in Iran’s WMD proliferation activities. Trade Capital Bank also was designated January 23 for providing financial services to EDBI, and for being owned or controlled by Bank Tejarat. Bank Tejarat has nearly 2,000 branches throughout Iran, as well as foreign branches in France and Tajikistan. Trade Capital Bank is a Belarus-based bank owned by Bank Tejarat. Bank Tejarat has directly facilitated Iran’s illicit nuclear efforts. For example, in 2011, Bank Tejarat facilitated the movement of tens of millions of dollars in an effort to assist the Atomic Energy Organization of Iran’s ongoing effort to acquire uranium. Source:

9. January 23, WCMH 4 Dublin – (Arizona; Ohio) 2 plead guilty to $15 million mortgage fraud scheme. Two central Ohio men pleaded guilty in connection with a $15 million mortgage fraud scheme that cost lenders more than $6 million, WCMH 4 Columbus reported January 23. The men pleaded guilty to fraudulently obtaining about $15 million in mortgage loans to finance the purchase of 26 real estate properties in Maricopa County, Arizona. The guilty pleas were entered January 17 and January 20. Officials said that between August 2006 and May 2007, the two men applied for loans using false income, assets, and occupancy statements on the applications. The loans were inflated to allow the men to use the excess mortgage proceeds to generate cash kickbacks payable to co-conspirators that were undisclosed to the lenders. The co-conspirators then provided the money to the men via interstate wire transfers, investigators said. They said the men used a mortgage brokerage company they co-owned, Vanguard Mortgage, in Westerville, to finance the purchases of the properties. Each man inflated his income, minimized his assets, failed to disclose his ownership of several other properties on which he held loans, and concealed the fact he intended to receive substantial cash kickbacks after the closing of three properties. All 26 of the Arizona properties were subsequently sold short or foreclosed upon because the borrowers were unable to make the monthly payments. Each man pleaded guilty to one count of money laundering, which is punishable by up to 10 years in prison, a fine of up to $250,000 or twice the value of the property involved, whichever is greater, and restitution to the victims. Source:

10. January 23, Kansas City Business Journal – (International) Euronet faces first criminal computer breach of secure payment data. Euronet Worldwide Inc., a Leawood, Kansas company that provides secure payment services, has reported a criminal computer security breach. Euronet said the breach targeted a “small portion” of its European business in late 2011, according to a January 23 filing with the Securities and Exchange Commission. The event marks the global electronic payments provider’s first data breach, the company’s chief executive officer (CEO) said. “(We), like hundreds of thousands of other companies, have been hacked into, but we were able to find it early, plug the hole ... and our breach has been contained for well over a month,” the CEO said. He said the breach affected card data in Euronet’s electronic fund transfer division, a European unit that makes up 17 percent of its business. Third-party forensic investigators confirmed the breach did not affect Euronet’s other business units, including its epay division, ATM networks, or money-transfer operations, the company reported in the filing. Within the electronic fund transfer division, the CEO said, 90 percent of card transaction data remained protected. He partially credited the microchip embedded in most European debit and credit cards, which requires a PIN before a transaction is approved. The 10 percent of data that was exposed came from older cards that had not yet been issued with the chip, he said. Source:

11. January 23, Sacramento Bee – (California) Three Sacramento women arrested in false tax return scheme. Three Sacramento, California women were arrested January 23, accused of stealing taxpayers’ identities and their tax refunds. According to federal court documents, the women have been charged in a conspiracy to defraud the United States through the filing of false tax returns using TurboTax, an income tax preparation software and filing service. The women are charged with executing a mail fraud scheme to obtain Green Dot debit cards, a service offered through the TurboTax software, loaded with the tax return money of taxpayer victims. In addition to the conspiracy, one of the women is charged with 15 counts of filing false tax returns, 20 counts of mail fraud, and eight counts of aggravated identity theft. Another is charged with five counts of filing false tax returns, 15 counts of mail fraud, and one count of aggravated identity theft, according to a federal Department of Justice news release. The alleged fraudulent tax return claims filed by the three women amount to more than $1,366,427, with an actual paid Internal Revenue Service (IRS) loss of about $962,079. The scheme involved more than 280 false tax returns and numerous victim taxpayers, officials said. Source:

12. January 23, Computerworld Australia – (International) Researcher traces ‘Gameover’ malware to maker of Zeus. The “Gameover” malware that the FBI warned users about earlier in January 2012 is a preview of the next version of the even-more-notorious Zeus money-stealing trojan, a security researcher said January 23. “Gameover represents the latest and greatest source code package from the Zeus author,” a senior security researcher with Dell SecureWorks’ counter-threat unit said. “[New features] in Gameover will be rolled into the final Zeus version 3, which is in beta and will wrap up soon if it hasn’t already.” Two weeks earlier, the FBI had warned of increased activity by Gameover, including rounds of spam that tried to dupe recipients into infecting their PCs with the malware, which, like Zeus, is designed to pillage individuals’ and companies’ bank accounts. The security researcher, who has been tracking the Zeus malware and its developer for years, said Gameover posed a new and more dangerous threat because it had been created by the maker of Zeus specifically at the behest of one of his biggest clients. “The crew using Gameover has requested a lot of changes in the Zeus functionality,” he said, adding the hacker crew using Gameover has direct access to Zeus’ maker because it pays him well and often for support. “The Zeus author now has only three or four major clients,” he said. The criminal coder abandoned all his “small fish” to focus on supporting a handful of customers who pay top dollar for his work. The additions demanded by the Gameover gang, which the Zeus developer quickly created, included a new, more distributed form of command-and-control (C&C) that uses a peer-to-peer function to keep updating infected machines if a botnet’s single C&C server is discovered by authorities and taken offline. Gameover also supports complex Web injections that allow criminals to bypass the multi-factor authentication many financial institutions now use to stymie account plundering. The crew also apparently asked for changes to Zeus that would let the gang rent third-party botnets that specialize in conducting distributed denial-of-service (DDoS) attacks, the researcher added. Source:

For another story, see item 40 below in the Information Technology Sector.

Information Technology

37. January 24, Wired – (International) 10K reasons to worry about critical infrastructure. A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the public Internet, including water and sewage plants, and found many could be open to easy hack attacks due to lax security practices. Infrastructure software vendors and critical infrastructure owners have long maintained that industrial control systems, even if rife with security vulnerabilities, are not at risk of penetration by outsiders because they are not online. However, a computer science doctoral student from Cambridge University developed a tool that matches information about industrial control systems connected to the Internet with information about known vulnerabilities to show how easy it could be for an attacker to locate and target them. To debunk the myth that industrial control systems are never connected to the Internet, the student used the SHODAN search engine, which allows users to find Internet-connected devices using simple search terms. He then matched that data to information from vulnerability databases to find known security holes and exploits that could be used to hijack the systems or crash them. He used Timemap to chart the information on Google Maps, with red markers for devices from brands known to have security holes. The student found 10,358 devices connected through a search of 2 years’ worth of data in the SHODAN database. However, he was unable to determine how many of the devices uncovered were actually working systems, nor was he able to determine in all cases whether the systems were critical infrastructure systems installed at power plants and other significant facilities. The student also found that only 17 percent of the systems he found online prompted him to authenticate before connecting, suggesting administrators either were not aware their systems were online or had simply failed to install secure gateways to keep out intruders. Source:
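The banner-to-vulnerability matching described in item 37, as an added example that is neither the researcher’s tool nor part of the report: it fingerprints product and version from Shodan-style banner records, joins them against a version-ranged vulnerability table, and reports the share of hosts that visibly challenged for credentials. The banner records, product names and advisory labels (HYPOTHETICAL-1, HYPOTHETICAL-2) are constructed for illustration and describe no real device or advisory.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed banner records in the shape a Shodan export takes
# (host, port, raw banner text). Hosts and products are fictional.
BANNERS = [
    {"ip": "203.0.113.10", "port": 80,
     "data": "HTTP/1.1 200 OK\r\nServer: ExampleHMI/2.1\r\n\r\n"},
    {"ip": "203.0.113.11", "port": 80,
     "data": "HTTP/1.1 401 Unauthorized\r\nServer: ExampleHMI/3.0\r\n"
             "WWW-Authenticate: Basic realm=\"plc\"\r\n\r\n"},
    {"ip": "203.0.113.12", "port": 502,
     "data": "ACME PLC fw 1.4 Modbus/TCP"},
    {"ip": "203.0.113.13", "port": 80,
     "data": "HTTP/1.1 200 OK\r\nServer: OtherSCADA/5.2\r\n\r\n"},
]

# Constructed vulnerability table: product, affected version range
# (inclusive), advisory label. The labels are hypothetical placeholders.
VULNS = [
    ("ExampleHMI", "1.0", "2.9", "HYPOTHETICAL-1 unauthenticated config read"),
    ("ACME PLC",   "1.0", "1.5", "HYPOTHETICAL-2 crash on malformed write"),
]

# One fingerprint pattern per banner style the script knows how to read.
FINGERPRINTS = [
    re.compile(r"Server: (?P<product>[A-Za-z][\w-]*)/(?P<version>\d+(?:\.\d+)*)"),
    re.compile(r"(?P<product>ACME PLC) fw (?P<version>\d+(?:\.\d+)*)"),
]

def parse_version(text):
    """'2.10' -> (2, 10). Tuples compare numerically, where strings would
    wrongly put '2.10' below '2.9'."""
    return tuple(int(part) for part in text.split("."))

def fingerprint(banner):
    """Return (product, version_tuple), or None if no pattern matches."""
    for pattern in FINGERPRINTS:
        m = pattern.search(banner)
        if m:
            return m.group("product"), parse_version(m.group("version"))
    return None

def match_vulns(product, version):
    """Advisory labels whose product and inclusive version range cover this host."""
    return [label for prod, lo, hi, label in VULNS
            if prod == product and parse_version(lo) <= version <= parse_version(hi)]

def requires_auth(banner):
    """True only when the service visibly challenged for credentials. A bare
    Modbus banner carries no such signal, so it counts as unauthenticated
    here; that is the same limitation the study had judging from banners."""
    return " 401 " in banner or "WWW-Authenticate:" in banner

@dataclass
class Finding:
    ip: str
    port: int
    product: Optional[str]
    version: Optional[str]
    vulns: List[str]
    authenticated: bool

def triage(banners):
    findings = []
    for rec in banners:
        fp = fingerprint(rec["data"])
        product, version = fp if fp else (None, None)
        findings.append(Finding(
            ip=rec["ip"], port=rec["port"], product=product,
            version=".".join(map(str, version)) if version else None,
            vulns=match_vulns(product, version) if fp else [],
            authenticated=requires_auth(rec["data"])))
    return findings

def summary(findings):
    """The counts the report cares about: exposed hosts, hosts matching a
    known advisory, and the share that asked for credentials."""
    total = len(findings)
    auth = sum(1 for f in findings if f.authenticated)
    return {
        "total": total,
        "known_vulnerable": sum(1 for f in findings if f.vulns),
        "auth_percent": round(100 * auth / total, 1) if total else 0.0,
    }

if __name__ == "__main__":
    results = triage(BANNERS)
    for f in results:
        print(f.ip, f.port, f.product, f.version, f.vulns,
              "auth" if f.authenticated else "NO AUTH")
    print(summary(results))
```

A match here is a lead, not a confirmed hole: as the article notes, a banner cannot tell you whether the device is live, whether it sits in a plant or a lab, or whether the vendor’s version string tracks the patched build. Anything this kind of triage produces still has to be confirmed against the asset owner before it is reported as exposure.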

38. January 24, Help Net Security – (International) Researchers discover network of 7,000 typosquatting domains. A network of some 7,000 typosquatting domains is being used by scammers to drive traffic toward their sites, some of which get so much traffic that they have entered Alexa’s top 250 list of sites with the largest Web traffic, according to Websense researchers. The typosquatting domains take advantage of visitors to popular Web sites such as Google, Twitter, Gmail, YouTube, Wikipedia, Victoria’s Secret, Craigslist, and many more, and redirect them to spam survey sites. From there, the users are taken to sites with spam advertisements and greyware masquerading as free downloads of legitimate software such as movie downloaders. Websense researchers said these sites are not currently offering malware for download. “However, if these networks are resold to underground groups, then the potential outcome could be even more damaging than the 0-day exploit security attacks,” they point out. Users are mostly in danger of handing over their private information and other sensitive data when completing the surveys. Source:
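A detection-side counterpart to the typosquatting network described in item 38, as an added example rather than anything from Websense or the report: it generates single-keystroke typo variants of a list of brand domains (an omitted, transposed or repeated character, and the missing dot after www) and checks observed domain names against them, the way a proxy or DNS log review would. The brand list and the observed domains are constructed for illustration; the brand names are used only as lookup keys.

```python
# Constructed list of brands to protect (a few named in the report).
BRANDS = ["google.com", "twitter.com", "youtube.com", "wikipedia.org", "craigslist.org"]

def split_domain(domain):
    """'google.com' -> ('google', 'com'). Public-suffix handling is out of scope."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix

def typo_variants(label):
    """Map each one-keystroke variant of a label to the technique producing it."""
    variants = {}
    for i in range(len(label)):                        # omission: 'gogle'
        variants.setdefault(label[:i] + label[i + 1:], "omission")
    for i in range(len(label) - 1):                    # transposition: 'googel'
        if label[i] != label[i + 1]:
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            variants.setdefault(swapped, "transposition")
    for i in range(len(label)):                        # repetition: 'gooogle'
        variants.setdefault(label[:i + 1] + label[i] + label[i + 1:], "repetition")
    variants.setdefault("www" + label, "missing-dot")  # 'wwwgoogle.com'
    variants.pop(label, None)                          # never flag the brand itself
    return variants

def build_index(brands):
    """Precompute variant domain -> (brand, technique) so lookups are O(1)."""
    index = {}
    for brand in brands:
        label, suffix = split_domain(brand)
        for variant, technique in typo_variants(label).items():
            index.setdefault(f"{variant}.{suffix}", (brand, technique))
    return index

INDEX = build_index(BRANDS)

def match_typosquat(domain, index=INDEX, brands=BRANDS):
    """Return (brand, technique) if domain is a typo of a protected brand, else None."""
    domain = domain.lower().rstrip(".")
    if domain in brands:
        return None
    return index.get(domain)

def find_typosquats(observed, index=INDEX, brands=BRANDS):
    """Scan observed domains (e.g. from DNS or proxy logs) and return the hits."""
    hits = []
    for domain in observed:
        hit = match_typosquat(domain, index, brands)
        if hit:
            hits.append((domain, *hit))
    return hits

# Constructed sample of names as they might appear in a DNS log.
OBSERVED = ["gogle.com", "googel.com", "gooogle.com", "wwwgoogle.com",
            "twiter.com", "wikipdia.org", "example.com", "google.com"]

if __name__ == "__main__":
    for domain, brand, technique in find_typosquats(OBSERVED):
        print(f"{domain:16} -> {brand} ({technique})")
```

This catches only single-keystroke variants of the exact brand label, which is the class of name the article describes; it will not flag a lookalike that swaps the top-level domain, adds a word (“google-login.com”), or substitutes a confusable character, and those need separate rules. The index is cheap to rebuild, so the brand list can be the organization’s own domains as easily as the big consumer sites named above.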

39. January 24, H Security – (International) Chrome 16 update closes security holes. Google released version 16.0.912.77 of Chrome, which closes several security holes in the WebKit-based Web browser. The update addresses a total of four vulnerabilities, all of which are rated “high severity.” These include use-after-free holes in DOM selections and DOM handling, an uninitialized value in the Skia 2D graphics library, and a buffer overflow in the tree builder. Four further bugs detected using AddressSanitizer were also fixed. The developers note a critical use-after-free issue in Safe Browsing navigation was corrected in version 16.0.912.75 but was “accidentally excluded from the release notes.” Additional details of the vulnerability are being withheld until “a majority of users are up-to-date with the fix.” Source:

40. January 23, Wired – (International) I spy your company’s boardroom. Researchers from Rapid7 discovered they could remotely infiltrate conference rooms in some of the top venture capital and law firms across the country, as well as pharmaceutical and oil companies and even the boardroom of Goldman Sachs, all by calling in to unsecured videoconferencing systems they found by scanning the Internet. One of the researchers found he was able to listen in on meetings, remotely steer a camera around rooms, and zoom in on items closely enough to discern paint flecks on a wall or read proprietary information on documents. Although the most expensive systems offer encryption, password protection, and the ability to lock down the movement of cameras, the researchers found administrators were setting them up outside firewalls and failing to configure the security features that would keep out intruders. Some systems, for example, were set up to automatically accept inbound calls so users did not need to press an “accept” button when a caller dialed into a videoconference, opening the way for anyone to call in and eavesdrop. Using a program the researchers wrote, they found the conference rooms by scanning the Internet for videoconference systems set up outside firewalls and configured to automatically answer calls. In less than 2 hours, they found systems installed in 5,000 conference rooms, including an attorney-inmate meeting room at a prison, an operating room at a university medical center, and a venture capital company where prospects were pitching their companies while laying out their financial details on a screen in the room. Companies sometimes set up systems outside firewalls so other companies can easily call into the videoconferencing system without having to set up complex but safer configurations. As a result, the researchers found they could easily hijack systems, and also reach systems they otherwise could not find through an Internet scan. Source:

41. January 23, IDG News Service – (International) HP pays $425,000 to settle claims over hazardous laptop batteries. Hewlett-Packard (HP) will pay $425,000 to settle a claim that it knowingly sold laptops with hazardous batteries that could overheat or catch fire, the U.S. Consumer Product Safety Commission announced January 23. HP learned of about 22 incidents involving the batteries by September 2007, but it failed to report the problem until 10 months later, according to the Commission. The lithium-ion battery packs were shipped in new HP laptops or sold as accessories and spare parts. Because of the defect, they could overheat, posing fire and burn hazards, the Commission said. Soon after it reported the problem, HP and the Commission recalled about 32,000 lithium-ion battery packs. Around the same time, Dell and Toshiba also recalled lithium-ion battery packs, which were manufactured by Sony. In agreeing to the settlement, HP denied the batteries posed an unreasonable risk or that it violated federal reporting requirements. With respect to the recall, it acted “in accordance with the CPSA and in its customers’ best interests,” HP said in the agreement. Source:

For more stories, see items 10 and 12 above in the Banking and Finance Sector, 31 above in Top Stories, and 44 below in the Communications Sector.

Communications Sector

42. January 23, Charlotte Observer – (North Carolina) Power glitch hushes radio stations. A power failure followed by a generator malfunction knocked five Charlotte, North Carolina radio stations off the air for about 4 hours January 21. An operations manager for Clear Channel Radio’s five local stations said January 23 that the stations went silent at 11:23 a.m. January 21 when electricity went out in the studios’ neighborhood. An emergency generator to power the stations kicked on, but then shut down, he said. Three company engineers came in, backed up a truck used for remote broadcasts to the door of the building and were able to power up key broadcast components from it. By 3 p.m., they had the five stations — WKKT-FM 96.9, WHQC-FM 96.1, WLYT-FM 102.9, WEND-FM 106.5, and WRFX-FM 99.7 — back on the air. Source:

43. January 23, KARK 4 Little Rock – (Arkansas; Texas; Oklahoma) AT&T wireless service temporarily disrupted in AR, TX & OK. Some AT&T wireless customers in Arkansas and two neighboring states were affected by a service disruption January 23. The disruption lasted at least a couple of hours during the morning, but all appeared to be back to normal by around 9 a.m. During the disruption, some customers were unable to send or receive text messages. The company released the following statement about the problems: “Earlier today, some customers in North Texas and parts of Oklahoma and Arkansas may have experienced a service disruption with wireless data service. AT&T technicians quickly worked to address the issue, and service is currently running normally.” Source:

44. January 22, Santa Fe New Mexican – (New Mexico) Damaged cable disrupts Internet service. Many CenturyLink customers in Santa Fe and other parts of New Mexico were without Internet service for several hours January 23, while Sprint and Virgin Mobile customers across the state were hit by service disruptions through the weekend due to a cut fiber-optic cable. Reports of Internet loss began as early as midnight in parts of Santa Fe. CenturyLink reported an electrical equipment failure at the Santa Fe office that affected service at 12:45 a.m. January 23, according to CenturyLink’s market development manager for Northern New Mexico. By 9 a.m., the system was rebooted, and by 10 a.m. most customers were able to access the Internet again. Sprint and Virgin Mobile customers in Santa Fe, Albuquerque, Farmington, and Los Alamos also were frustrated by interrupted service January 21 through January 22. The culprit was a cut interstate fiber-optic cable that affected CenturyLink, according to a regional Sprint communications representative. She said Sprint leases capacity on that cable in some areas to link its service. She confirmed an interstate fiber-optic line was cut in Texas, affecting New Mexico. “It impacted the entire state,” she said. Source: News/Damaged-cable-disrupts-Internet-service

For more stories, see item 31 above in Top Stories and item 38 above in the Information Technology Sector.