Friday, February 10, 2012

Complete DHS Daily Report for February 10, 2012

Daily Report

Top Stories

• U.S. states reached a landmark $25 billion deal February 9 with the nation’s biggest mortgage lenders over foreclosure abuses; the deal requires five of the largest banks to reduce loans for about 1 million households at risk of foreclosure. – Associated Press. See item 11 below in the Banking and Finance Sector.

• Researchers are planning a February 14 release of tools — including one for cracking passwords — that make it easy to test and exploit vulnerable programmable logic controllers (PLCs) and other industrial control systems. – Threatpost. See item 37 below in the Information Technology Sector.


Banking and Finance Sector

9. February 9, Associated Press – (New York; North Carolina) NYC murder suspect faces check fraud charges. A New York City murder suspect arrested after turning up on a North Carolina sports arena’s jumbo screen is now facing new financial crime charges for his role as a leader of a 37-person check fraud ring accused of stealing more than $150,000, prosecutors have said. He was awaiting arraignment February 9 in the latest of a series of check fraud and identity theft cases brought by the Manhattan district attorney’s office. Fourteen others were arraigned February 8 in the new case. In the check fraud case, prosecutors said the man and other ringleaders offered to pay people to let their bank accounts be used in the scheme. Then members of the group deposited counterfeit checks drawn on at least 30 unwitting victims’ bank accounts into other accounts held by accomplices, prosecutors said. Finally, the man and others — including two of his relatives — used the accomplices’ ATM cards to withdraw money, or their debit cards to buy money orders before the victims realized what was going on. “Over 250 United States Postal money orders were purchased by members of this criminal organization,” an assistant district attorney told a judge. Source:

10. February 9, Federal Bureau of Investigation – (Maryland; Washington, D.C.) Conspirator pleads guilty in scheme to fraudulently obtain over $1.399 million from Baltimore Housing Authority account. A man pleaded guilty in a Maryland district court February 9 to conspiring to commit bank fraud in connection with a scheme to fraudulently obtain over $1.399 million from a Baltimore Housing Authority (BHA) bank account in just a few months. According to the plea, the defendant agreed to provide his identity in a scheme to steal money from the BHA. In May 2010, a co-conspirator used his identity to obtain a fraudulent driver’s license in his name, but bearing the co-conspirator’s photograph. The co-conspirator used the fake driver’s license to open a bank account for an entity called Keith Daughtry Contracting LLC. Shortly thereafter, substantial amounts of funds illegally diverted by the conspirators from a BHA bank account were electronically transferred into the Daughtry LLC account. These transfers were unlawful because Daughtry never provided any services to the BHA requiring compensation. Investigators have determined the conspirators were responsible for transferring at least $1.399 million stolen from BHA’s account between July and September 2010. The conspirators then drained these stolen funds from Daughtry’s account by initiating electronic transfers from that account onto debit cards in other individuals’ names; through electronic transfers into accounts at other banks; and through in-person cash withdrawals in the Washington, D.C. area. The defendant admitted he was responsible for more than $1 million in losses as a result of his participation in the conspiracy. He has agreed to the entry of an order to pay restitution of at least $1,399,700. Source:

11. February 9, Associated Press – (National) States, banks reach foreclosure-abuse settlement. U.S. states reached a landmark $25 billion deal February 9 with the nation’s biggest mortgage lenders over foreclosure abuses. The deal requires five of the largest banks to reduce loans for about 1 million households at risk of foreclosure. The lenders will also send checks of $2,000 to about 750,000 Americans who were improperly foreclosed upon. The banks will have 3 years to fulfill the terms of the deal. Federal and state officials announced at a news conference that 49 states had joined the settlement. Oklahoma announced a separate deal with the five banks. Under the deal, the states said they will not pursue civil charges; however, homeowners can still sue lenders in civil court, and federal and state authorities can pursue criminal charges. Critics note the settlement will apply only to privately held mortgages issued from 2008 through 2011. Mortgages held by Fannie Mae and Freddie Mac are not covered by the deal. Lenders that violate the deal could face $1 million penalties per violation and up to $5 million for repeat violators. Bank of America will pay the most as part of the deal — nearly $8.6 billion. Wells Fargo will pay about $4.3 billion, JPMorgan Chase roughly $4.2 billion, Citigroup about $1.8 billion, and Ally Financial $200 million. Those totals do not include $5.5 billion that the banks will reimburse federal and state governments for money spent on improper foreclosures. The deal also ends a separate investigation into Bank of America and Countrywide for inflating appraisals of loans from 2003 through most of 2009. Under the deal, banks are barred from foreclosing on a homeowner who is being considered for a loan modification. The banks and U.S. state attorneys general agreed to the deal late February 8 after 16 months of contentious negotiations. Source:

12. February 8, Miami Herald – (Florida) Uncle pleads guilty to fraud in $1 billion Ponzi scheme. The alleged co-conspirator closest to a convicted $1 billion Ponzi schemer pleaded guilty to fraud in Florida federal court February 8 and faces up to 5 years in prison. He was charged in December with conspiring with the lawyer who ran the scheme to falsify his law firm’s trust account records at Toronto Dominion Bank. The goal: to induce investors to buy bogus legal settlements. They collectively lost more than $350 million. The conspirator handled accounting, banking, and other tasks for his nephew at the now-defunct 70-attorney Fort Lauderdale firm, Rothstein Rosenfeldt Adler. He is the eighth person to be prosecuted in the massive scheme. According to the charges, the conspirator was accused of providing investors with falsely inflated balance statements of the law firm’s trust accounts at TD Bank, where the lawyer held money for clients and investors. He also was accused of assisting TD Bank employees to prepare “envelopes” for the false account balance statements as well as cover letters. Dozens of investors were tricked into buying settlements at a discount in the belief they would be paid in full over a span of years, according to prosecutors. Source:

13. February 8, U.S. Commodity Futures Trading Commission – (Texas) CFTC charges Texas resident in foreign currency fraud action. The U.S. Commodity Futures Trading Commission (CFTC) February 8 announced the filing of an enforcement action against a Texas man charging him with solicitation fraud, issuing false account statements, misappropriating pool participants’ funds, and failing to register in connection with an off-exchange foreign currency (forex) fraud. According to the complaint, from at least June 2008 through at least October 2011, the man solicited prospective pool participants to provide funds for a pooled investment in forex. In soliciting prospects, he allegedly falsely told them he had never experienced a losing month or year trading forex. During the period from June 2008 through September 2010, he allegedly solicited about $7.07 million from pool participants and lost about $4.17 million of the pool’s funds trading forex. He also allegedly misappropriated about $1.26 million. Most, if not all, of the profits, losses, and account balances he reported were also false. From October 2010 through October 2011, he allegedly solicited an additional $6.95 million. During this period, he transferred about $1.81 million to accounts at three foreign firms, losing all but $1,600. He later transferred $1.56 million to three additional foreign firms during this period. He also failed to properly register as a commodity pool operator. In the litigation, the CFTC seeks restitution, disgorgement, civil monetary penalties, trading and registration bans, and a permanent injunction prohibiting further violations of federal commodities laws. Source:

14. February 8, WBBM 2 Chicago – (Illinois) ‘Wicker Park Bandit’ nabbed, charged with bank heist. A man suspected of being the so-called “Wicker Park Bandit,” wanted for robbing as many as 10 banks on Chicago’s North Side, has been arrested and ordered held without bail, WBBM 2 Chicago reported February 8. The suspect was arrested outside a Chicago Housing Authority building. He reportedly surrendered without incident. So far, he has only been charged with a bank robbery in River North, but is suspected in at least nine other robberies. Since the second week in December, the suspect is believed to have robbed as many as 10 banks, mostly in Wicker Park and in surrounding neighborhoods. In each of the heists, the robber would walk up to a teller and hand over a note demanding money. He would imply he was armed, but an actual weapon was never shown. Source:

15. February 7, Reuters – (National) JPMorgan settles overdraft fee case for $110 million. JPMorgan Chase & Co. has agreed to pay $110 million to settle consumer litigation accusing it of charging excessive overdraft fees, Reuters reported February 7. The bank joined Bank of America Corp. and several smaller lenders in settling their portion of the nationwide litigation over the fees, which are typically assessed when customers overdraw checking accounts. Consumers had accused more than 30 lenders of routinely processing transactions from largest to smallest rather than in chronological order. This can cause overdraft fees, typically $25 to $35, to pile up because account balances fall faster when larger transactions are processed first. JPMorgan’s settlement in principle was disclosed in a February 3 filing with federal court in Miami. The settlement requires negotiation of final documentation and approval by a federal judge, and calls for an unspecified change to JPMorgan’s overdraft practices. Source:

For another story, see item 33 below in the Information Technology Sector.

Information Technology Sector

31. February 9, IDG News Service – (International) Foxconn said to have been hacked by group critical of working conditions. Hackers claimed to have stolen internal data from Apple supplier Foxconn, and leaked the information online, in response to media reports of poor working conditions at the electronics manufacturer’s factories in China. The hacker group, Swagg Security, announced the attack in a Twitter message February 8, and also leaked data stolen from the Foxconn site to The Pirate Bay. It said the data included user names and passwords. Foxconn declined to comment on the attack. Two service Web sites used by Foxconn’s customers to place orders were down February 9. Source:

32. February 9, Help Net Security – (International) Apple iWork passwords cracked. ElcomSoft can now recover passwords protecting Apple iWork documents. This makes Distributed Password Recovery the first tool to recover passwords for Numbers, Pages, and Keynote apps. “The recovery process is painfully slow,” comments ElcomSoft’s CTO. “Apple used strong AES encryption with 128-bit keys, which makes password attack the only feasible solution. We’re currently able to try several hundred password combinations per second on an average CPU. This is slow, and thus only distributed attacks can be used to achieve a reasonable recovery time. However, the human factor and our product’s advanced dictionary attacks help recover a significant share of these passwords in a reasonable timeframe.” Source:

33. February 9, The Register – (International) Google Wallet PIN security cracked in seconds. A researcher discovered Google Wallet’s PIN protection is open to a brute-force attack that takes seconds to complete. The attack is limited to instances where physical access is available, or the phone has been previously “rooted” by the user. Once the assault succeeds, the attacker can read the contents of the wallet including credit card numbers and other details such as the transaction history. Google cannot address the flaw without shifting responsibility for the PIN onto the banks, which might not want it. Source:

34. February 8, Computerworld – (International) Google ships Chrome 17, touts more malware alerts and page preloads. Google patched 20 vulnerabilities in the desktop edition of Chrome February 8, and added new anti-malware download warnings to version 17. The company called out a pair of new features in Chrome 17, including the expansion of anti-malware download warnings and prerendering of pages suggested by the address/search bar’s auto-complete function. One of the 20 vulnerabilities patched was rated “critical.” Eight were marked “high,” while five were labeled “medium” and six were tagged “low.” Source:

35. February 8, CNET News – (International) iPhone bug enables FaceTime, shows names on locked phones. iPhones that have been password-protected and have voice dialing deactivated can still make FaceTime video calls, as well as disclose basic information about a person’s list of contacts. The security loophole, which is present in the latest version of Apple’s iOS 5.0.1 software, was discovered earlier the week of February 6 by a Canadian tech writer. CNET confirmed it working on three different iPhones, including the iPhone 4 and 4S. Source:

36. February 8, H Security – (International) Path iOS app uploads address book to its servers. When analyzing the Path app for iOS — the mobile application for the photo sharing and messaging service — a software developer discovered an API call that uploads a user’s address book without first requesting permission to do so. He used mitmproxy to analyze what traffic was being created by the app and found that an API call, specifically a POST request to https://api(dot)path(dot)com/3/contacts/add, sends the entire address book, including full names, e-mail addresses, and phone numbers, over HTTPS to the Path servers as an unencrypted plist file. Source:

37. February 8, Threatpost – (International) New tool will automate password cracks on common SCADA product. Researchers are planning a February 14 release of tools that make it easy to test and exploit vulnerable programmable logic controllers (PLCs) and other industrial control systems. Among the releases will be a tool for cracking passwords on ECOM programmable logic controllers by Koyo Electronics, a Japanese firm, said a researcher at Digital Bond. Writing February 8, he said a February 14 release would include a “module to brute-force” passwords for ECOM and ECOM100 PLCs. Researchers revealed those devices have limited password space (forcing customers to implement short, weak passwords) and no lockout or timeout feature to prevent multiple log-in attempts used in brute force attacks. The Koyo ECOM models were among many popular PLC brands analyzed by top supervisory control and data acquisition security researchers as part of Project Basecamp. Their work revealed significant security issues with every system, with some PLCs too brittle and insecure to even tolerate security scans and probing. The Koyo ECOM100 modules were found to come with a bundled Web server that contained denial of service and cross site scripting vulnerabilities, and an administrative panel that could be accessed without authentication. Organizers already released two modules for the Metasploit and Nessus vulnerability testing tools that can search for vulnerabilities discovered in D20 PLCs made by GE and promised more in February. Source:

38. February 8, Dark Reading – (International) ‘Factory outlets’ selling stolen Facebook, Twitter credentials at discount rates. Stealing credentials via trojans has become so simple and prevalent that cybercriminals are finding themselves with a surplus: Two cybercrime gangs are now advertising bulk-rate Facebook, Twitter, and cPanel credentials in order to clean out their inventory. Researchers at Trusteer said these credential factory outlets are a way for the bad guys to cash in on other credentials they pilfered while stealing online banking credentials. It is like making money off the chaff that comes along with the valuable online banking credentials lifted by trojans and keyloggers: “They harvest a lot of things” unrelated to the stolen online banking credentials, said the vice president of marketing for Trusteer. “This is how they monetize the [leftover] assets they harvest.” The ads were running in underground forums infiltrated by the researchers from Trusteer. Trusteer believes attackers could lure users to those sites via phishing e-mails and social networking messages. Source:

Communications Sector

See items 33, 35, 36, and 38 above in the Information Technology Sector.