Monday, February 6, 2012

Complete DHS Daily Report for February 6, 2012

Daily Report

Top Stories

• The FBI said it launched an investigation into how the hacking group Anonymous broke into and obtained information from a sensitive conference call between the bureau and Scotland Yard. – Fox News; Associated Press (See item 31)

31. February 3, Fox News; Associated Press – (International) Hackers claim to have intercepted call between FBI, Scotland Yard. A sensitive conference call between the FBI and Scotland Yard was recorded by the hacking group Anonymous, it claimed February 3. The group released a roughly 15-minute-long recording of what appears to be a January 17 conference call devoted to tracking and prosecuting members of the loose-knit hacking group. There was no classified information on the call, FBI sources told Fox News, noting unsecure phones are not used for sensitive information. The source indicated those responsible will be held accountable. Names of some of the suspects being discussed were apparently edited from the recording. “The information was illegally obtained and a criminal investigation is underway,” an FBI spokesman told Fox News. Anonymous also published an e-mail purportedly sent by an FBI agent that gave details and a password for accessing the call. Amid the material published by the hackers was a message purportedly sent by an FBI agent to international law enforcement agencies. It invites his foreign counterparts to join the call to “discuss the on-going investigations related to Anonymous ... and other associated splinter groups.” The e-mail contained a phone number and password for accessing the call. The e-mail was addressed to officials in England, Ireland, the Netherlands, Sweden, and France, but only American and British officials can be heard on the recording.

• Half of all Fortune 500 companies and major U.S. government agencies own computers infected with the “DNS Changer” malware that redirects users to fake Web sites and puts organizations at risk of information theft, a security company said. – Computerworld. See item 40 below in the Information Technology Sector.

Banking and Finance Sector

8. February 3, Reuters – (International) U.S. indicts Wegelin bank for helping Americans avoid tax. The United States indicted Wegelin, the oldest Swiss private bank, on charges it enabled wealthy Americans to evade taxes on at least $1.2 billion hidden in offshore bank accounts, the U.S. Justice Department said February 2. The announcement, made by federal prosecutors in Manhattan, New York, represents the first time an overseas bank was indicted by the United States for enabling tax fraud by U.S. taxpayers. The indictment said the U.S. government seized more than $16 million from Wegelin’s correspondent bank, the Swiss giant UBS AG, in Stamford, Connecticut, via a separate civil forfeiture complaint. Because Wegelin has no branches outside Switzerland, it used correspondent banking services, a standard industry practice, to handle money for U.S.-based clients. The charges against Wegelin are fraud and conspiracy. Wegelin “affirmatively decided to capture for Wegelin the illegal U.S. cross-border banking business lost by UBS and deliberately set out to open new undeclared accounts for U.S. taxpayer-clients leaving UBS,” the indictment said. The indictment also accused Wegelin of helping two unnamed Swiss banks “repatriate undeclared funds to their own U.S. taxpayer-clients by issuing checks drawn on Wegelin’s Stamford correspondent account.” The transfers were separated into chunks below the $10,000 threshold at which such transfers are reported to the Internal Revenue Service. Wegelin, the indictment said, “co-mingled” the repatriated funds with other, unrelated funds, to better conceal their origin and nature. The charges against Wegelin were filed as a superseding indictment of three previously charged Wegelin bankers, naming several unindicted co-conspirators.

9. February 2, Chicago Tribune – (National) Motorola Solutions settles securities fraud suit for $200M. Motorola Solutions Inc. will pay $200 million to settle a 2007 securities fraud lawsuit brought by shareholders. Attorneys representing the shareholders disclosed the proposed settlement February 2, which was also filed with a federal court in Chicago where the case was brought. The settlement is subject to court approval. The suit alleged Motorola artificially inflated its stock by misrepresenting the company’s projected revenue for the third and fourth quarters of 2006. Motorola Solutions inherited the litigation after it split in 2011 from the cellphone business now known as Motorola Mobility. In December, the mediator proposed that Motorola Solutions settle for $200 million, which the parties accepted, according to court papers. The plaintiffs were led by the Macomb County Employees’ Retirement System, and St. Clair Shores Police and Fire Pension System. Shareholders who acquired stock between July 19, 2006, and January 4, 2007, may be eligible for a recovery.

10. February 2, Easton Express-Times – (Pennsylvania) Threats to shoot Wells Fargo manager prompt locked doors at Monroe County branch, police say. Staff at a bank in Monroe County, Pennsylvania, locked the doors February 2 and let customers in one at a time after a man made repeated threats that he was going to come in and shoot the bank manager, Pennsylvania State Police said. Troopers located the suspect at his home and took him into custody without incident, according to a news release. He was sent to Monroe County Prison to await arraignment on a charge of making terroristic threats. State police said they were called to a Wells Fargo branch in Chestnuthill Township just before 4:30 p.m. for a report of a man making threatening comments to bank employees. The threats “caused the employees to become frightened and they locked the interior doors and were letting customers in one at a time,” police said in the news release.

Information Technology

35. February 3, IDG News Service – (International) Symantec warns of Android trojans that mutate with every download. Researchers from Symantec identified a new premium-rate SMS Android trojan that modifies its code every time it gets downloaded to bypass antivirus detection. This technique is known as server-side polymorphism and has existed in the world of desktop malware for many years, but mobile malware creators have only now begun to adopt it. A special mechanism that runs on the distribution server modifies certain parts of the trojan to ensure every malicious app that gets downloaded is unique. This is different from local polymorphism, where the malware modifies its own code every time it gets executed. Symantec identified multiple variants of this trojan horse, which it detects as Android.Opfake, and all of them are distributed from Russian Web sites. However, the malware contains instructions to automatically send SMS messages to premium-rate numbers from many European and former Soviet Union countries. In some cases, especially when security products rely heavily on static signatures, detecting malware threats that make use of server-side polymorphism can be difficult.

36. February 3, The Register – (International) Satellite phones lift skirt, flash cipher secrets at boffins. Two researchers at the Ruhr-University Bochum managed to extract secret encryption algorithms used by satellite phones, and discovered they are a lot less secure than one might think. They analyzed firmware updates for popular satellite handsets to extract the ciphers used by the Thuraya and Inmarsat networks, which are known as GMR-1 and GMR-2 respectively. The first cipher turned out to be a variant of the already-exploited A5/2 cipher on which GSM used to depend; GMR-2 has not been attacked yet, but the researchers believe it would not be difficult to break. Modern security systems, including SSL and modern GSM networks, use published ciphers that are open to general scrutiny, but there was a point when it was considered better to keep the method by which data is encrypted secret as an additional barrier. Now, however, attackers can identify secret ciphers, and the lack of public analysis made for much weaker ciphers that were subsequently broken. GSM, for example, used secret ciphers that turned out to have exploitable weaknesses, so it has now (in most places) shifted to the A5/3 cipher, which is widely published, tested, and proved resistant to assault. However, satellite systems have not moved on as quickly, and the researchers’ job was made easier by the short production run of satellite handsets. GSM cryptography is almost all done in hardware, because the quantity of GSM phones makes it economical to fabricate specialist silicon for the job, but satellite phones do the same work in software, so the ciphers can be found within firmware updates.

37. February 3, IDG News Service – (International) PHP 5.3.10 fixes critical remote code execution vulnerability. The PHP Group released PHP 5.3.10 February 2 to address a critical security flaw that can be exploited to execute arbitrary code on servers running an older version of the Web development platform. The vulnerability is identified as CVE-2012-0830 and was discovered by an independent security consultant and creator of the popular Suhosin security extension for PHP. SecurityFocus classifies the issue as a design error because it was accidentally introduced while fixing a separate denial-of-service (DoS) vulnerability in early January. That vulnerability is known as CVE-2011-4885 and was disclosed in December. It affects a number of Web development platforms, including PHP, ASP.NET, Java, and Python, and can be exploited in a so-called hash collision attack. The PHP development team addressed CVE-2011-4885 in PHP 5.3.9, released January 10. The new error can be exploited by attackers to remotely execute arbitrary code on a system that runs a vulnerable PHP installation. PHP 5.3.9, along with any older versions to which the hash collision DoS patch was backported, is affected, a chief security specialist at Secunia said. Proof-of-concept code that exploits the vulnerability was published online, so the likelihood of attacks targeting CVE-2012-0830 is high.

38. February 2, U.S. Consumer Product Safety Commission – (International) HP recalls fax machines due to fire and burn hazards. The U.S. Consumer Product Safety Commission, in cooperation with Hewlett-Packard (HP), announced a voluntary recall February 2 of about 928,000 HP fax 1040 and 1050 machines. The importer was Hewlett-Packard Co., of Palo Alto, California. The machines were manufactured in China. The fax machines can overheat due to an internal electrical component failure, posing fire and burn hazards. HP is aware of seven reports of machines overheating and catching fire, resulting in property damage, including one instance of significant property damage and one instance of a minor burn injury to a consumer’s finger. Six incidents were reported in the United States. The machines were sold at electronics, computer, and camera stores nationwide, and online at and other Web sites from November 2004 through December 2011. Some of the recalled fax machines were replacement units for a previous recall involving HP fax model 1010 in June 2008.

39. February 2, Wired – (International) Google beefs up Android Market security. Google unveiled a new security service for the Android Market February 2 that aims to auto-scan uploaded Android applications to detect potentially malicious apps more quickly, ideally before users download them. Codenamed Bouncer, the new service searches for threats without requiring any pre-approval process, continuing to keep the Market as “open” as it has always been. The new security service has already been working for the past few months. After finding an app that violates the rules — be it malware or spyware — the Android team takes the application down and bans the developer account from uploading any more apps. Further, Google continues to check new Android developer account sign-ups, so repeat offenders will not continue to upload malicious apps under different user names.

40. February 2, Computerworld – (International) Half of Fortune 500 firms infected with DNS Changer. Half of all Fortune 500 companies and major U.S. government agencies own computers infected with the “DNS Changer” malware that redirects users to fake Web sites and puts organizations at risk of information theft, security company Internet Identity (IID) said February 2. DNS Changer, which at its peak was installed on more than 4 million Windows PCs and Macs worldwide — a quarter of them in the United States alone — was the target of a major takedown organized by the U.S. Department of Justice in November 2011. The takedown and the accompanying arrests of six Estonian men were dubbed “Operation Ghost Click.” As part of the operation, the FBI seized control of more than 100 command-and-control servers hosted at U.S. data centers. According to IID, half of the firms in the Fortune 500, and a similar percentage of major U.S. government agencies, harbor one or more computers infected with DNS Changer. IID used telemetry from its monitoring of client networks, as well as third-party data, to claim at least 250 of the Fortune 500 companies and 27 out of 55 major government agencies had at least one computer or router infected with DNS Changer as of early 2012.

41. February 2, Infosecurity – (International) Oracle patches denial-of-service vulnerability. Oracle pushed out a patch for a denial-of-service vulnerability in the Oracle WebLogic Server, Application Server, and iPlanet Web Server due to hash collisions. Oracle warned in a security advisory the vulnerability might be “remotely exploitable without authentication,” which means it might be exploited over a network without the need for a username or password. Hash collisions occur when two distinct pieces of data have the same hash value. The company noted that a fix for the same vulnerability in the GlassFish Server was released in its quarterly patch update in January. In that update, Oracle shipped 78 patches across the full range of its products, including 2 fixes to its Database Server.
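To show the mechanism behind the hash-collision denial-of-service class referenced in items 37 (CVE-2011-4885) and 41, here is an added Python example that is not part of the report and uses a constructed toy hash rather than any platform's real hash function: many distinct keys that hash to the same value turn a hash table into one long chain, so inserts cost O(n) each and O(n²) in total, and mixing a per-process secret into the hash (randomized hashing, the mitigation the affected platforms adopted) spreads the same keys back across the buckets. The secret value, bucket count, and input keys are all constructed for the demonstration.

```python
import hashlib, hmac, itertools

def toy_hash(key: str) -> int:
    # Constructed, deliberately weak unkeyed hash: the byte sum of the key.
    # Every anagram of a key collides, so collisions are trivial to predict.
    # It stands in for any public unkeyed hash; it is not PHP's or Java's real hash.
    return sum(key.encode())

def make_keyed_hash(secret: bytes):
    # Mitigation: mix a per-process secret (e.g. from os.urandom) into the hash,
    # so an attacker who does not know the secret cannot precompute collisions.
    def keyed_hash(key: str) -> int:
        digest = hmac.new(secret, key.encode(), hashlib.sha256).digest()
        return int.from_bytes(digest[:8], "big")
    return keyed_hash

class ChainedTable:
    """Minimal separate-chaining table that counts key comparisons, the
    work an attacker inflates by forcing every key into one bucket."""
    def __init__(self, hash_fn, buckets: int = 64):
        self.hash_fn = hash_fn
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def insert(self, key: str, value) -> None:
        chain = self.buckets[self.hash_fn(key) % len(self.buckets)]
        for i, (k, _) in enumerate(chain):
            self.comparisons += 1  # one comparison per key already in the chain
            if k == key:
                chain[i] = (key, value)
                return
        chain.append((key, value))

    def longest_chain(self) -> int:
        return max(len(chain) for chain in self.buckets)

def colliding_keys(n: int) -> list:
    # Constructed hostile input: n distinct anagrams of one string, all with the
    # same toy_hash value (the role colliding parameter names play in a request).
    perms = itertools.permutations("abcdefg")  # 5040 distinct anagrams
    return ["".join(p) for p in itertools.islice(perms, n)]

def measure(hash_fn, keys: list) -> dict:
    # Insert every key and report how degenerate the table became.
    table = ChainedTable(hash_fn)
    for key in keys:
        table.insert(key, True)
    return {"longest_chain": table.longest_chain(), "comparisons": table.comparisons}
```

With 500 colliding keys, `measure(toy_hash, keys)` reports a single chain of 500 and 124,750 comparisons, while `measure(make_keyed_hash(secret), keys)` spreads them over the 64 buckets with a few thousand comparisons at most.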

For another story, see item 9 above in the Banking and Finance Sector

Communications Sector

42. February 2, United Press International – (New York) 12 charged in cell phone cloning scam. New York City prosecutors charged 12 people in a $250 million cellphone account cloning scam, United Press International reported February 2. A Manhattan U.S. attorney said “tens of thousands” of customer accounts were stolen and used in the black market international calling scam, according to the New York Daily News. The suspects allegedly used customer phone numbers and code numbers associated with the accounts to make cloned cellphones appear to be legitimate to service providers, the U.S. attorney said. Hardware from a Chinese company allowed the suspects to route international calls made with the illegal phones through the Internet at cheap rates, he said. He said five of the suspects were arrested February 1, while the rest remain at large. The investigation came out of a similar investigation by U.S. Secret Service agents that led to the arrest of nine Sprint employees who stole and sold customer information to clone scammers in 2010.

For more stories, see items 35, 36, 38, and 39 above in the Information Technology Sector