Thursday, March 1, 2012

Complete DHS Daily Report for March 1, 2012

Daily Report

Top Stories

• In what is being called the largest healthcare fraud case in U.S. history, federal law enforcement officials indicted a Dallas-area physician for allegedly bilking Medicare out of nearly $375 million. – Los Angeles Times (See item 24)

24. February 28, Los Angeles Times – (Texas) $375-million Medicare fraud: Dallas doctor accused in record case. February 28, federal law enforcement officials announced what they called the largest healthcare fraud case in the nation’s history, indicting a Dallas area physician for allegedly bilking Medicare for nearly $375 million in billings for nonexistent home healthcare services. Under the alleged fraud scheme, the doctor and his office manager allegedly sent healthcare “recruiters” door-to-door asking residents to sign forms that had the doctor’s electronic signature and stated he had seen the residents professionally for medical services he never provided. They also allegedly dispatched more “recruiters” to a homeless shelter in Dallas, paying $50 to every street person they coaxed from a nearby parking lot and signed him up on the bogus forms. The long-running ruse allegedly began in 2006 and over 5 years collected more Medicare beneficiaries than any other medical practice in the United States. Top Justice Department officials, working for several years to stem a rampant rise in healthcare fraud around the country, also revealed that 78 home health agencies that were working with the physician will be suspended from the Medicare program for up to 18 months. Source:,0,6359381.story

• A U.S. company posted hacking techniques for disabling programmable logic controllers (PLCs) that manage industrial machinery of four energy and manufacturing firms. – Yomiuri Shimbun (See item 31 below in the Information Technology Sector.

• At least nine people were killed and hundreds were injured February 28 and 29 as a line of tornadoes moved across the Midwest, damaging dozens of businesses and apartment buildings. – Associated Press; MSNBC; NBC News (See item 39)

39. February 29, Associated Press; MSNBC; NBC News – (National) ‘Devastation ... like we’ve never seen’ in twister-hit town. At least 9 people were killed February 28-29 as a line of tornadoes marched across the Midwest. Forecasters warned more twisters could strike the Tennessee Valley and southern Appalachians through February 29. Six of the deaths and nearly 100 injuries occurred in Harrisburg, Illinois, after an EF-4 tornado swept through, destroying at least 200 homes and more than 25 businesses. Three other deaths were reported in Missouri, where storms included a suspected tornado that hit a mobile home park outside the town of Buffalo. One person died in the mobile home park and around a dozen people were injured. Two others died in the Cassville and Puxico areas of Missouri. In Harrisburg, police issued a curfew overnight and the area most impacted was evacuated as a precaution. Some 3,300 customers were without power in the town of about 10,000. About 12 people were injured when an EF-2 tornado ripped through Harveyville, Kansas. At least three of the injured are in critical condition, according to, and 40 percent of the town suffered damage. KSHB 41 Kansas City reported an apartment complex and a church were among the damaged buildings A tornado with a preliminary rating of EF-2 moved through Branson, Missouri, injuring 32 people and heavily damaging the city’s famous theaters and moving up Highway 76, uprooting road signs and scattering debris. The assistant general manager for the 530-room Hilton and adjacent Branson Convention Center, noted windows were shattered and some rooms had furniture sucked away by high winds. Hotel workers were able to get all guests to safety as the storm raged. The owner of the damaged Cakes-n-Creams ‘50s Diner said the theater next to his business “kind of exploded”, and the hotels “on the two sides of me lost their roofs.” Newburgh, Indiana, and Kingsport, Tennessee, also reported storm damage. Source:


Banking and Finance Sector

11. February 28, CBC News – (International) Toronto police charge 7 in ATM skimming fraud. Police in Toronto, Canada, said they have laid 357 charges against seven people accused of skimming ATM and credit card data and using it in several countries. Private information of at least 1,500 cardholders was compromised by the international ring, police told a news conference February 28. The loss to Canadian financial institutions was more than $360,000, a detective said. Police allege Canadian credit card data, obtained with ATM tamper devices in southern Ontario, was used fraudulently in Bulgaria, the United States, Chile, South Africa, the Dominican Republic, and Mexico. In December, Toronto police executed two search warrants at Toronto homes and allegedly uncovered a facility that manufactured and distributed the tamper devices. Police allege the devices have been used in Ontario, the United States, Australia, and Indonesia. The police service’s financial crimes unit worked with U.S. Secret Service and the Canada Border Services Agency on the case. The charges against the 7 men include 33 counts of possessing a credit-card forgery device, 14 counts of fraudulent possession of credit-card data, and 2 counts of making or repairing a credit-card forgery device. Four of the seven have also been charged with participating in a criminal organization. Source:

12. February 28, Bloomberg – (Massachusetts) State Street fined $5 million by regulator over CDO influenced by Magnetar. State Street Corp., the third-largest custody bank, was fined $5 million February 28 by Massachusetts’ top securities regulator for failing to disclose the role of a hedge fund in structuring an investment vehicle that the fund was betting against. State Street, acting as investment manager of Carina CDO Ltd. allowed Magnetar Capital LLC to influence the composition of the vehicle even though it knew the hedge fund was betting on the failure of some or all of the portfolio, according to a statement from the Massachusetts Secretary of the Commonwealth. Carina subsequently defaulted. Magnetar has been linked to 26 collateralized debt obligation (CDO) transactions, according to the statement. Source:

13. February 28, Reuters – (National) Americans lost $1.52 bln to identity theft, scams in 2011. Identity theft and other scams cost Americans $1.52 billion in 2011, the Federal Trade Commission (FTC) said February 28. In a nationwide sampling of consumer complaints, law enforcement, and other agencies received 1.8 million complaints in 2011, up from 1.4 million in 2010 and double the level in 2006, the FTC said in a statement. Identity theft remained the top category. The increase reflects the growing number of agencies that contributed to the Consumer Sentinel Network, a database that is the basis of the report, rather than an upturn in fraud, the head of the FTC’s planning and communications unit told Reuters. Identity theft “has been our No. 1 complaint generator for the past 5 years, and that seems to be consistent” at 15 percent of complaints in 2011, he said. Fraudsters increasingly are using the Internet and e-mail to carry out scams or identity theft rather than by telephone or mail, he said. Source:,0,2334070.story

14. February 28, – (Florida) Fed suit alleges negligence in Cornelia bank failure. Two former bank officials with the Community Bank and Trust (CBT) of Cornelia were listed as defendants in a lawsuit filed in federal court in Gainesville, Florida, February 28. CBT’s former president and chief executive officer (CEO) and CBT’s retail banking group vice president (VP) were listed as defendants in the suit filed by the Federal Deposit Insurance Corporation (FDIC). The FDIC alleges their negligence resulted in an $11 million loss when they ignored bank policy in issuing Home Funding Loan Program (HFLP) loans. The FDIC wants to recover the money on behalf of the bank’s depositors and creditors. CBT closed in January 2010. According to the complaint, the VP breached his fiduciary duties and was negligent in approving HFLP loans, violating bank policy. The president and CEO’s alleged negligence stems from his failure to supervise the VP and implement corrective measures. Source:

15. February 28, Associated Press – (National) Jury convicts 2 in $50M bank fraud conspiracy. A federal jury in Minneapolis, Minnesota, convicted two people February 28 for their roles in a $50 million bank fraud conspiracy that authorities said depended on identity theft by employees of some of America’s largest banks. The two were found guilty of multiple counts, including bank fraud conspiracy and aggravated identity theft. So far, 27 people have either pleaded guilty or been convicted in the scheme, in which customer identities were stolen, then bought and sold, and used to create phony bank and credit card accounts, apply for loans, or get cash. Prosecutors said the conspiracy was carried out from 2006 through 2011 in Minnesota, California, Massachusetts, Arizona, New York, and Texas. According to evidence at trial, one of the defendants possessed and trafficked more than 8,700 stolen identification documents between March 2006 and December 2010. Prosecutors said the other defendant used fraudulent credit cards to obtain cash from banks and buy merchandise from the Mall of America in Bloomington, Minnesota, and Southdale Mall in Edina, Minnesota. Victims included American Express, Associated Bank, Bank of America, Capital One, Guaranty Bank, JP Morgan Chase Bank, TCF Bank, US Bank, Wachovia Bank, Washington Mutual, and Wells Fargo. Source:

16. February 28, Bloomberg – (Florida) TD Bank settles lawsuit with Razorback over fraud in Florida. Toronto Dominion Bank (TD) agreed February 28 to settle a lawsuit with investors who claimed it aided a $1.2 billion Ponzi scheme run by an imprisoned confidence man, a lawyer said in a Fort Lauderdale, Florida court. Barron’s and the Miami Herald reported TD Bank would pay $170 million. A bank attorney told a judge in state court that a draft settlement was reached and is confidential. The accord is with investors known as the Razorback Group. The investors claimed losses of $188 million. The case was scheduled for trial the week of March 5. Razorback’s suit against Gibraltar Private Bank & Trust is still set to go to trial the week of March 5. Gibraltar’s attorney argued February 28the terms of the TD settlement should be made public, including a disbarred attorney serving 50 years in prison for a scheme he ran out of his Fort Lauderdale law firm. He sold stakes to investors in fictitious employment- and sex-discrimination cases. Seven other people have been criminally charged. Source:

17. February 28, The Register – (International) Banking trojan hijacks live chat to run real-time fraud. A new strain of financial malware is hijacking live chat sessions in a bid to hoodwink business banking customers into handing over their banking log-in credentials or into authorizing fraudulent transactions. The attack is being carried out using the Shylock malware platform, using a configuration that runs a browser-based man-in-the-middle attack. The assault –- which targets business banking customers rather than consumers –- kicks in when a victim logs into their online banking application. Sessions are suspended, supposedly to run security checks (on the pretext the “system couldn’t identify your PC”), before a Web-chat screen under the control of hackers is presented to victims. But instead of talking to a customer service rep., the mark is actually chatting to cybercrooks, who will attempt to hoodwink victims into handing over log-in credentials or other data needed to authorize fraudulent transactions. Unbeknownst to the victims, the fraudsters are relaying authorization data to the victim’s bank during their conversation, carrying out a concurrent fraud in real time. Source:

For another story, see item 32 below in the Information Technology Sector.

Information Technology Sector

31. February 29, Yomiuri Shimbun – (International) U.S. firm posts PLC hacking methods online. A U.S. information security company posted hacking techniques for disabling programmable logic controllers (PLCs) on the Internet, the Yomiuri Shimbun learned. A PLC is an electronic control system that enables machinery to work as programmed and is widely used in production systems at factories and in critical infrastructure. Alarmed by the hacking method released online by U.S. firm Digital Bond, Inc., DHS’s Industrial Control Systems Cyber Emergency Response Team issued a warning stating cyberattacks against PLCs could cause a major systemic breakdown. Four companies in the United States, Japan, and France produce PLC control systems for automakers, electric power substations, and others. Digital Bond stated it posted the hacking method to “inform the public of the risks” of PLC breakdowns, arguing companies and governments have been slow to cope with PLCs’ vulnerabilities. About 2 million PLC units per year are manufactured in Japan, approximately 1.4 million of which were exported. While cyberattacks targeting computer control systems have sharply increased overseas, this is the first time a Japanese PLC maker was revealed to be exposed to the risk of a cyberattack. The firms put at risk by Digital Bond’s post are: Japan’s Koyo Electronics Industries Co.; the United States’ General Electric Co. and Rockwell Automation, Inc.; and France’s Schneider Electric SA. After figuring out the design flaws of the companies’ PLCs, Digital Bond posted programs attacking them on the firms’ Web sites February 14, according to the U.S. network security company. Koyo Electronics said it sells several thousands of its PLCs domestically, as well as in the United States and other countries every year. The control systems are mainly used at automobile, semiconductor, and machine tool plants. Should the disclosed hacking techniques be abused, there is a danger the systems involved could be illegally controlled by a remote party. The PLCs made by the remaining three manufacturers feature designs that are different from each other, and are also used at a wide range of factories and transformer stations. Should these systems be hacked using Digital Bond’s methods or other tricks, production and other systems would break down or develop anomalies such as abnormal restarts. However, no direct links to Digital Bond’s post have been confirmed, industry sources said. Source:

32. February 29, Softpedia – (International) Attack can circumvent OpenSSL protection, researchers say. A collaborative team of researchers at the RSA conference in San Francisco planned to reveal an attack method that can be used to bypass the security measures offered by OpenSSL, allowing an attacker to recover the cryptographic key that ensures data is transferred in an encrypted form between users and secure Web servers. According to Quantum Day, a senior lecturer in computer science in the department of computer science at the University of Bristol, one of the members of the collective, will present the findings and show how their attack works. By triggering a bug in the software with the aid of cleverly designed messages sent to the Web servers, the experts managed to recover part of the cryptographic key. If a large number of messages are used, the entire key could be obtained. The approach proposed by the team only works on the 0.9.8g version of OpenSSL and only on certain configurations, but if it works it can represent yet another threat to the integrity of the SSL protocol on which so many businesses rely. In the case of the e-commerce Web sites, whose popularity is constantly growing among Internet users, the exposure of the cryptography key can make the difference between credit card numbers being safe, or ending up in the hands of a profit-driven hacker. Source:

33. February 29, Softpedia – (International),, and hacked by D35m0nd142. Grey hat hacker D35m0nd142 managed to gain unauthorized access to the sites of the United Nations, Skype, and Oracle. On the official Skype site, the hacker found Blind SQL injection vulnerabilities that allowed him to access their Web server. A similar vulnerability was discovered on Oracle’s community site, which can allow hackers to cause serious damage. By leveraging an MSSQL injection flaw, he managed to bypass the security protocols implemented by the United Nations site administrators. In each scenario, the hacker ensured the data he accessed remained unharmed and contacted the ones responsible for the sites to notify them of the presence of the issues. Source:

34. February 28, Government Computer News – (International) Researchers: How ‘leaky’ smart phones give up their crypto keys. Smart phones being used for sensitive transactions leak data that can be used to recover the cryptographic keys securing connections, according to researchers presenting at the RSA Conference. Tests using about $1,000 worth of off-the-shelf equipment were able to pick up power usage information from phones’ CPUs from as far away as 30 feet, said the vice president of technology at Cryptography Research Inc. By analyzing power consumption in the CPU during cryptographic processes, data — including crypto keys — could be extracted. Source:

For another story, see item 17 above in the Banking and Finance Sector.

Communications Sector

35. February 29, IDG News Service – (International) Malware increasingly uses DNS to avoid detection, experts say. The number of malware threats that receive instructions from attackers through domain name system (DNS) is expected to increase, and most companies are not currently scanning for such activity on their networks, security experts said February 28 at the RSA Conference 2012. There are many channels attackers use for communicating with their botnets, ranging from traditional ones such as TCP, IRC, and HTTP to more unusual ones such as Twitter feeds, Facebook walls, and even YouTube comments. Most malware-generated traffic that passes through these channels can be detected and blocked at the network level by firewalls or intrusion prevention systems. However, that is not the case for DNS and attackers are taking advantage of it, said the founder of Counter Hack Challenges and SANS fellow during a presentation on new attack techniques. The DNS protocol is normally used for a precise critical function — the translation of host names into IP addresses and vice-versa. Because of this, DNS traffic does not get filtered or inspected by traffic monitoring solutions and is allowed to flow freely through most networks. As DNS queries gets passed from one DNS server to another until they reach the authoritative servers for the respective domains, network-level IP blocklists are useless at blocking them. Source:

36. February 29, WHIZ 40 Zanesville – (Ohio) Power restored-WHIZ stations back on-air. The early morning storms that rumbled through Zanesville and other parts of southeastern Ohio caused some power outages February 29. The power disruption also knocked WHIZ TV, AM 1240 Radio, Z-92, and Highway 103 off air. American Electric Power told WHIZ News that it was a transmission problem with two sub-stations. After about 3 hours February 29, power was restored to all customers. Source:

37. February 28, Arizona Republic – (Arizona) Cox Communications voice mail is down for some. Cox Communications landline phone customers in metro Phoenix said February 28 they had been without voice-mail service for more than a week. A Cox spokeswoman acknowledged the problem in an e-mail and said the company was working hard to fix it. She would not disclose how many customers were affected by the outage, nor could she give an estimate of when the voice mail service would be restored. Only residential telephone customers were affected, she said, adding that they were still able to make and receive calls. She said customers had the option of setting up call-forwarding service to another phone number. The service would be offered free to affected customers, she said. Source:

For more stories, see items 33 and 34 above in the Information Technology Sector.