Monday, February 27, 2012

Complete DHS Daily Report for February 27, 2012

Daily Report

Top Stories

• More than one in three counties in the United States are at risk for extreme shortages of fresh water for drinking, farming, and other uses due to climate change, a new study found. – Homeland Security Newswire (See item 25)

25. February 24, Homeland Security Newswire – (National) U.S. water shortages loom. More than one in three counties in the United States could face a “high” or “extreme” risk of water shortages due to climate change by the middle of the twenty-first century, according to a new study in the American Chemical Society’s (ACS) journal Environmental Science & Technology. Homeland Security Newswire reported February 24 that the new report concluded 7 in 10 of the more than 3,100 U.S. counties could face “some” risk of shortages of fresh water for drinking, farming, and other uses. An American Chemical Society release reports that population growth is expected to increase the demand for water for municipal use and for electricity generation beyond existing levels. Global climate change threatens to reduce water supplies due to decreased rainfall and other factors compared to levels in the twentieth century. The group developed a “water supply sustainability risk index” that takes into account water withdrawal, projected growth, susceptibility to drought, projected climate change, and other factors in individual U.S. counties for the year 2050. It takes into account renewable water supply through precipitation using the most recent downscaled climate change projections and estimates future withdrawals for various human uses. The team used the index to conclude climate change could foster an “extreme” risk of water shortages that may develop in 412 counties in southern and southwestern states and in southern Great Plains states. Source:

• A former McAfee cybersecurity researcher used a previously unknown hole in smartphone browsers to deliver malware that can commandeer the device, record calls, pinpoint its location, and access messages. – Los Angeles Times. See item 44 below in the Information Technology Sector.


Banking and Finance Sector

12. February 24, WOAI 4 San Antonio – (Texas) Secret Service arrests three men accused of using fake credit cards. February 22, the Secret Service in San Antonio arrested 3 men who they said had more than 150 fake credit cards in their possession. February 23, the Secret Service said three foreign nationals were accused of going into local businesses and buying merchandise using counterfeit credit cards. Agents said they were arrested while picking up a package at FedEx and were found with more than 150 credit cards on them. Source:

13. February 23, Associated Press – (National) ‘Fake Beard Bandit’ admits robberies in 4 states. An Oklahoma man nicknamed the “Fake Beard Bandit” pleaded guilty to eight bank robberies in Arkansas, Missouri, Oklahoma, and Kansas. He entered his plea February 23 in federal court in Fort Smith, Arkansas. He was arrested August 26, 3 days after a Liberty Bank in Fort Smith was robbed. Court records show he was accused of taking more than $70,000 from banks in Fort Smith; Oklahoma City and Coweta, Oklahoma; Shawnee and Olathe, Kansas; and Joplin, Missouri. Prosecutors said he entered the banks wearing a large, fake beard. He demanded money while brandishing what police later learned was a BB gun that looked like a handgun. Source:

14. February 23, U.S. Department of the Treasury – (International) Treasury imposes sanctions on leading members of Indonesia-based terrorist group. February 23, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) designated three individuals for acting for or on behalf of the terrorist group Jemmah Anshorut Tauhid (JAT) pursuant to Executive Order (E.O.) 13224. These individuals include JAT’s acting Emir, a spokesperson, and a JAT leader involved in recruiting and fundraising activities. This action coincides with the action taken February 23 by the U.S. Department of State to designate JAT as a Foreign Terrorist Organization. JAT is an Indonesia-based group responsible for multiple coordinated attacks that have killed civilians, police, and military personnel. JAT’s founder and leader is co-founder of Jemaah Islamiya (JI), a Southeast Asia-based designated terrorist network with links to al-Qa’ida. Since 2002, more than 20 JI terrorists have been designated pursuant to E.O. 13224. As a result of the February 22 action, all property in the United States or in possession or control of U.S. persons in which the designees have an interest is blocked, and U.S. persons are prohibited from engaging in transactions with them. Source:

15. February 23, Arizona Republic News – (Arizona) ‘Bearded Bandit’ still being sought in Phoenix-area bank robberies. A man described as the “Bearded Bandit” is still on the loose after his latest bank robbery at a Chase Bank in Phoenix February 22, authorities said. The man was also suspected of robbing M&I Banks in Peoria and Gilbert, a Chase Bank in Avondale, and a Washington Federal Bank in Litchfield, all in Arizona, since late December, an FBI special agent said. Source:

For another story, see item 41 below in the Information Technology Sector.

Information Technology

41. February 24, The Register – (International) New password-snatching Mac trojan spreading in the wild. Security watchers warned February 24 that a new variant of a Mac-specific password-stealing trojan is spreading in the wild. Flashback-G initially attempts to install itself via one of two Java vulnerabilities. Failing that, the malicious applet displays a self-signed certificate (claiming to be from Apple) in the hope users just install the malware. Once in place, the malware attempts to capture the log-in credentials users enter on bank Web sites, PayPal, and many others. OS X Lion did not come with Java preinstalled, but Snow Leopard does, so users of Mac’s latest OS are more at risk of attack. Mac security specialist Intego warns the variant is infecting Mac users and spreading in the wild. Symptoms of infection can include the crashing of browsers and Web applications, such as Safari and Skype. Source:

42. February 24, H Security – (International) PacketFence 3.2.0 brings new features, closes XSS hole. The PacketFence development team has published version 3.2.0 of its open source network access control system. The update includes fixes for 18 bugs. It addresses a “high” priority vulnerability in the Web Admin printing system (printer.php) that can be exploited by an attacker to conduct cross-site scripting attacks. Source:

43. February 23, – (International) Philips Electronics suffers website security breach as hackers strike. Philips Electronics has become the latest high-profile company to be hit by hackers after huge amounts of data stored on its internal systems were compromised, according to reports. According to the Hacker News, the hackers, named ‘bch195’ and ‘HaxOr,’ claimed to have compromised a server owned by the company that contained huge swaths of data, including 200,000 e-mail addresses, that they intend to try and sell. The firm also posted links to screen grabs of the information it hacked on Pastebin. A spokesperson for the company told it was aware of the incident and has taken action to minimize its impact. Source:

44. February 23, Los Angeles Times – (International) Smartphone security gap exposes location, texts, email, expert says. A former McAfee cybersecurity researcher has used a previously unknown hole in smartphone browsers to deliver an existing piece of China-based malware that can commandeer the device, record its calls, pinpoint its location, and access user texts and e-mails. He conducted the experiment on a phone running Google’s Android operating system, although he said Apple’s iPhones are equally vulnerable. He is scheduled to demonstrate his findings February 29 at the RSA conference in San Francisco. The researcher said he and his team commandeered an existing piece of malware called Nickispy, a remote access tool identified in 2011 by anti-virus firms as a trojan. The malware was disguised as a Google+ app that users could download. However, Google quickly removed it from its Android Market app store, which meant few users were hit. The researcher and his team reverse-engineered the malware and took control of it. He then conducted an experiment in which malware was delivered through a “spear phishing” attack, in this case a text message from what looks like a mobile phone carrier. He said he exploited a zero-day vulnerability in smartphone browsers to secretly install the malware. “The minute you go to the site, it will download a real-life Chinese remote access tool to your phone,” he said. “The user will not see anything. Once the app is installed, we’ll be intercepting voice calls. The microphone activates the moment you start dialing.” The malware also intercepts texts and e-mails and tracks the phone’s location, he said. In theory, it could be used to infiltrate a corporate network with which the phone connects. There is no security software that would thwart it, he said. Source:

45. February 23, Dark Reading – (International) New Oracle ERP vulnerabilities unmasked. Researchers issued security advisories February 23 for eight vulnerabilities, some of them critical, in a popular Oracle enterprise resource planning (ERP) application, but they do not expect many users to actually apply the patches for them. The flaws discovered by researchers at security firm Onapsis include holes that could allow an attacker to access all business information and files, query for passwords, and alter business information processed by the ERP, essentially taking complete control of the system. Patches for the vulnerabilities were included in Oracle’s latest Critical Patch Update release, and these are the first public details of the flaws. Source:

Communications Sector

46. February 24, WDTV 5 Bridgeport – (West Virginia) Major outage in downtown Morgantown. Some people had a tough time getting work done in Monongalia County, West Virginia, February 23. They were left without phone and Internet service for several hours. Frontier officials said around 1,500 feet of cable was pulled out of the ground the morning of February 23. Mon Power was trying to set a new power pole when one of its machines ripped the line out of the ground. Frontier was still working on getting the problem fixed the evening of February 23 and they hoped to have it back on that night. Source:

For another story, see item 44 above in the Information Technology Sector.

Friday, February 24, 2012

Complete DHS Daily Report for February 24, 2012

Daily Report

Top Stories

• Federal inspectors found “significant performance issues” at the Fort Calhoun Nuclear Power Plant near Blair, Nebraska. The issues would have caused the plant to close had it not been shut down for refueling and flooding. – WOWT 6 Omaha (See item 9)

9. February 22, WOWT 6 Omaha – (Nebraska) ‘Significant performance issues’ at OPPD’s Fort Calhoun Plant. According to the Nuclear Regulatory Commission (NRC), there were “significant performance issues” at the Omaha Public Power District’s (OPPD) Fort Calhoun Nuclear Power Plant near Blair, Nebraska, WOWT 6 Omaha reported February 22. Although all involved stated the plant is safe, new issues surfaced as the OPPD worked to bring the plant back online. A 2011 flood shut down the plant, but did not compromise its operations. However, in the early days of the flooding, there was a fire in a breaker room. It brought the NRC in and inspectors discovered many performance issues, dating back long before the fire or the flood. Inspectors said that if Fort Calhoun had not already been offline, it would have been shut down based on what they found. One of the commissioners said it appears there is a problem with “safety culture” within the OPPD. The NRC’s regional public affairs spokesman said the OPPD is still evaluating the breadth of the performance problems, noting the plant could be subject to more oversight from the NRC. He also said Fort Calhoun will not be able to restart until that is complete. Source:

• Two military helicopters collided over the California desert during nighttime training exercises, killing seven U.S. Marines in the latest of several similar accidents in the area in the past year. – Associated Press (See item 33)

33. February 23, Associated Press – (California) 7 Marines killed in collision of 2 helicopters in Calif. desert during night training exercise. Two military helicopters collided over the California desert during nighttime training exercises, killing seven U.S. Marines in the latest of several similar accidents in the area. The service members with the 3rd Marine Aircraft Wing were based at Camp Pendleton north of San Diego, a Lieutenant with Miramar Air Base in California said February 23. The crash happened February 22 and involved an AH-1W Cobra that carried two crew members and a UH-1 Huey utility helicopter carrying the other five. The aircraft collided in a remote portion of the Yuma Training Range Complex on the California side of the Chocolate Mountains close to the Arizona border, she said. The exact location had not been confirmed. The desert area is favored by the U.S. military and its allies for training because the hot, dusty conditions and craggy mountains replicate Afghanistan’s harsh environment, and the clear weather allows for constant flying. Several accidents have happened in the past year involving Marine training in Southern California. Source:


Banking and Finance Sector

13. February 23, Newark Star-Ledger – (New Jersey) 8 people accused of bank fraud for alleged stolen check scheme. An alleged 26-month scheme that hinged on a U.S. letter carrier lifting boxes of blank checks from people’s mail and funneling them to eight accomplices who illegally converted the checks into hundreds of thousands of dollars appears to have come crashing down, prosecutors said February 22. Federal prosecutors charged six men and two women from Union, Newark, and Irvington, New Jersey, with conspiracy to commit bank fraud. According to authorities, the scheme was so successful the defendants deposited about $1.5 million in fraudulent checks stolen from 122 victims into 258 different bank accounts, between December 2009 and February 2012. The result, authorities allege, was $625,000 in losses. The defendants and co-conspirators “would endorse those checks for certain sums, usually under $5,000” and deposit them into legitimate accounts they opened at victims’ banks. The defendants would then withdraw the funds before the victims discovered their checks had been stolen and/or the banks discovered the checks were fraudulently endorsed, an attorney said. The banks involved included TD Bank, Bank of America, Capital One Bank, Garden State Community Bank, Hudson City Savings Bank, PNC Bank, and Valley National Bank. In all, 27 bank branches were involved, authorities said. Source:

14. February 23, Charlotte Observer – (National) 4 more indicted in Black Diamond Ponzi scheme case. A grand jury in Charlotte, North Carolina, indicted four more men charged with operating the $40 million Black Diamond Ponzi scheme, the Charlotte Observer reported February 23. The indictment alleges the men falsely claimed they were operating a legitimate hedge fund called Black Diamond. According to the government, the group solicited money from investors, using false and fraudulent claims about Black Diamond and the hedge funds they purported to run. Black Diamond eventually collapsed without paying out any money, but the conspirators continued to bring in new investors to pay off old investors and to support their own lifestyles, according to the government. The men are all charged with four counts related to an investment fraud conspiracy. The indictment also says that, as Black Diamond began collapsing, the defendants and others created a new Ponzi scheme with a separate Ponzi account that one of them administered. The accused men then used money from new victims to make payments to people involved in the Black Diamond scheme and fund their lifestyles. Source:

15. February 22, KTVZ 21 Bend – (Oregon) Desert Sun co-founder pleads guilty to $19 million scam. The co-founder and chief executive officer (CEO) of now-defunct Desert Sun Development pleaded guilty to a variety of federal mortgage and loan fraud charges arising out of the collapse of his company, including conspiracy, bank fraud, and money laundering, prosecutors said February 22. He entered the pleas February 21 before a U.S. district judge in Oregon. From 2004 through 2008, the company built homes and commercial property in Oregon. According to the indictments, Desert Sun principals and other defendants caused financial institutions to lose more than $19 million. Court documents say the CEO and others knowingly submitted fraudulent documents, including false financial statements, to various banks to obtain financing to develop and construct many commercial projects. Once the loans were approved, the CEO and others submitted additional false documents, including fictitious contracts and invoices, to the banks to obtain loan proceeds for construction costs claimed to be associated with the fraudulent documents. Six defendants who are charged in related cases previously pleaded guilty and are pending sentencing. Five others are due to go on trial September 5. Source:

Information Technology

36. February 22, Threatpost – (International) Waves of attacks target Adobe Reader bug from 2010. A recent string of attacks has been discovered targeting an Adobe vulnerability from 2010. The vulnerability is a flaw in Reader and Acrobat that can be exploited remotely. At the time of the first reports about the CVE-2010-0188 bug, there were active attacks against it and exploit code was circulating online. However, the situation did not involve widespread attacks. Also, the vulnerability has been patched for a long time now. Still, researchers at Symantec found there are attacks ongoing against the bug, which affects Reader and Acrobat on all of the major platforms. The attacks involve highly obfuscated JavaScript, and the end result is that once the resultant shell code is on the victim’s machine, it attempts to download a malicious executable from a remote server. The attacks against this bug have been coming in waves for the last month or so, and Symantec researchers said the company has seen more than 10,000 such attacks in just the last few weeks. Source:

For another story, see item 37 below in the Communications Sector.

Communications Sector

37. February 22, Computerworld – (International) Feds request DNS Changer extension to keep 400K users online. Officials with the U.S. government asked a New York judge to extend an impending deadline that could sever ties to the Internet for hundreds of thousands of users infected with the “DNS Changer” malware, Computerworld reported February 22. DNS Changer, which at its peak was installed on more than 4 million Windows PCs and Macs worldwide, a quarter of them in the United States, was the target of a major takedown in November 2011 organized by the U.S. Department of Justice. As part of “Operation Ghost Click,” the FBI seized more than 100 servers hosted at U.S. data centers. To replace those servers and allow infected computers to keep using the Internet, a federal judge approved a plan where substitute DNS servers were deployed by the Internet Systems Consortium (ISC), the non-profit group that maintains the popular BIND DNS open-source software. Without that move, DNS Changer-infected systems would have been immediately cut off from the Internet. The week of February 13, authorities filed a request with a federal court asking that the replacement servers operate until July 9. Previously, a judge said the ISC must pull the plug on the stand-in servers March 8, which was thought to leave sufficient time for consumers, enterprises, and Internet service providers to scrub systems of the malware and restore valid DNS settings. According to the extension request, the substitute DNS servers were keeping an average of 430,000 unique IP addresses connected to the Web in January 2012. The FBI also needs additional time to finish notifying victims in foreign countries, the filing said. Source: