Monday, March 19, 2012

Complete DHS Daily Report for March 19, 2012

Daily Report

Top Stories

• Utility officials said the “catastrophic failure” of an underground electrical cable led to a transformer explosion and fire March 13 that closed businesses, roads, and transit stations in downtown Boston. – Beacon Hill Patch

1. March 16, Beacon Hill Patch – (Massachusetts) Fire cause: ‘catastrophic failure’ of cable. The “catastrophic failure” of an underground electrical cable connected to a transformer at NStar’s Scotia Street substation in Boston sparked the four-alarm fire March 13, NStar officials said March 15. Soot buildup in the backup transformer then caused the major blackout that cut off power to 21,000 customers across the Back Bay and surrounding downtown areas. The power was restored March 15. During the outage, NStar partnered with other utility companies to station about 60 generators across the neighborhood as a temporary fix to power homes, hotels, and businesses. Workers had to dig up the street to access the underground cables, and they also re-routed cables from another power station to jump-start the Scotia Street transformers, which were not damaged. Source:

• Researchers have come across a new Android threat designed specifically to steal online banking credentials and create persistent, silent access to the compromised handset. – ZDNet See item 13 below in the Banking and Finance Sector.

• Florence-Carlton school administrators shut down all 3 schools in Florence, Montana, for a few days after an outbreak of acute gastroenteritis sickened more than 100 students. – Associated Press

37. March 15, Associated Press – (Montana) Florence-Carlton school district closed due to gastroenteritis outbreak. Florence-Carlton school administrators shut down all three schools in Florence, Montana, for the rest of the week after about 110 students called in sick March 15. The superintendent said several students went home sick March 14, but more than 10 percent of the student body was sick March 15. Parents were called shortly before noon March 15 to pick up students. The Ravalli County public health director said the health department planned to conduct a communicable disease investigation after students became ill with acute gastroenteritis. The superintendent said health officials instructed him to shut down the elementary school, middle school, and high school, and all school-related activities for the rest of the week. Classes were scheduled to resume March 19. Source:

• The Sarasota, Florida police headquarters and several neighboring businesses were evacuated March 15 after police said a man showed up with a live hand grenade. – WWSB 40 Sarasota

40. March 16, WWSB 40 Sarasota – (Florida) Man brings live grenade to Sarasota police headquarters. The Sarasota, Florida police headquarters was evacuated March 15 after police said a man showed up with a live hand grenade. The man found the grenade inside a paper bag in his front yard and transported it to the police department. Once he arrived, he placed the grenade on top of the hood of his vehicle. As he was approaching the front desk officer, he came into contact with a lieutenant. The man told the lieutenant he had a grenade on the hood of his vehicle, and the lieutenant verified it was in fact a grenade. All surrounding businesses as well as the police department were evacuated. The grenade was detonated in a secure location by the Sarasota Police Department’s Explosive Materials Unit. Source:

• A confirmed working exploit for the MS12-020 RDP vulnerability in Windows is circulating. Experts say it is capable of either crashing or causing a denial-of-service condition on vulnerable machines. – Threatpost See item 44 below in the Information Technology Sector.

• Security companies found multiple malware threats that use stolen digital certificates to sign components to avoid detection. – IDG News Service See item 46 below in the Information Technology Sector.
Banking and Finance Sector

11. March 15, U.S. Securities and Exchange Commission – (California) SEC charges senior executives at California-based firm in stock lending scheme. The Securities and Exchange Commission (SEC) charged two senior executives and their California-based firm March 15 with defrauding officers and directors at publicly-traded companies in an elaborate $8 million stock lending scheme. The SEC alleges that Argyll Investments LLC’s purported stock-collateralized loan business is merely a fraud perpetrated by the executives to acquire publicly traded stock from corporate officers and directors at a discounted price from market value, separately sell the shares for full market value to fund the loan, and use the remaining proceeds from the sale of the collateral for their own benefit. The executives and Argyll lied to borrowers by explicitly telling them their collateral would not be sold unless a default occurred. However, since Argyll had no independent source of funds other than the borrowers’ collateral, it often sold the collateral prior to closing the loan and then used the proceeds to fund it. Also charged in the complaint is AmeriFund Capital Finance LLC and its owner who the SEC alleges violated securities laws by brokering many transactions for Argyll while not registered with the SEC. The SEC alleged the executives induced at least nine corporate officers and directors since 2009 to transfer ownership of millions of shares of stock to Argyll as collateral for purported loans. As a result of the scheme, Argyll reaped more than $8 million in unlawful gains. Source:

12. March 15, Associated Press – (Ohio; National) Ohio man pleads guilty in $17M Amish fraud case. An Ohio man admitted March 15 he defrauded fellow Amish in 29 states out of nearly $17 million. A one-count mail fraud indictment returned in 2011 charged the man with promising investors safe securities but moving money to riskier investments. The indictment said nearly 2,700 people and entities, including an Amish community loan fund, lost about $16.8 million since 2006. His company has filed for bankruptcy protection. The charge carries a maximum 20-year sentence. “[He] told the investors that their money would be used to purchase risk-free U.S. government securities, which would generate returns for the investors,” the Securities and Exchange Commission said in a 2011 civil filing. “In reality, [he] used the money to make speculative investments in high yield (junk) bonds, mutual funds, and stocks.” Source:

13. March 15, ZDNet – (International) Remote-controlled Android malware stealing banking credentials. Security researchers at McAfee have discovered a malicious Android application capable of grabbing banking passwords from a mobile device without infecting the user’s computer. The latest piece of Android malware, dubbed FakeToken, contains man-in-the-middle functionality to hijack two-factor authentication tokens and can be remotely controlled to grab the initial banking password directly from the infected mobile device. The malicious application targets specific well-known financial entities, posing as a Token Generator application. When the application executes, it shows a Web view component that displays an HTML/JavaScript Web page that pretends to be a Token Generator and appears to be from the targeted bank. A researcher found that to get the fake token, the user must first enter the first factor of authentication. “When the user clicks ‘Generate,’ the malware shows the fake token (which is in fact a random number) and sends the password to a specific cell phone number along with the device identifiers (IMEI and IMSI). The same information is also sent to one of the control servers along with further data such as the phone number of the device. The malware finds the list of control servers from an XML file inside the original APK,” he added. He said the malware also contains commands to update itself or spy on the infected device. The researcher found the FakeToken app can also hijack the list of contacts stored in the device (name and number). Source:

14. March 15, Associated Press – (International) Iran cut off from global financial system. Dozens of Iranian banks were blocked from doing business with much of the world as the West tightens the financial screws on the country. The Belgium-based company that facilitates most international bank transfers took the unprecedented step March 15 of blocking 30 Iranian banks from using its service. The move is likely to hurt Iran’s all-important oil industry and make it difficult for citizens to receive money from relatives living abroad. The move by the Society for Worldwide Interbank Financial Telecommunication (SWIFT) is part of a broader effort by Western nations to isolate Iran financially and force it to demonstrate it is not trying to develop nuclear weapons. SWIFT said it was forced by recent European Union sanctions to discontinue service to Iranian banks beginning March 17. SWIFT is a secure private network used by nearly every bank around the world to send payment messages that lead to the transfer of money across international borders. Source:

15. March 15, KGAN 2 Cedar Rapids; KFXA 28 Cedar Rapids – (Iowa) TV producer convicted of fraud in Iowa film tax credit scandal. A Nebraska film and video producer has been convicted in Iowa of taking more than $9 million in state tax credits for a TV series on training horses, KGAN 2 and KFXA 28 Cedar Rapids reported March 15. The defendant was convicted of fraudulent practice in the first degree, and was acquitted of two other charges. The state alleged the defendant took more than $9.1 million in film tax credit certificates, and produced just five television shows and DVDs on horse training. He credited himself as the primary producer and lead on-screen talent for the documents. In January, he was charged with knowingly making false statements to get the tax credits. He faces up to 10 years in prison and a $10,000 fine.

16. March 14, Fort Lauderdale Sun-Sentinel – (Florida) Fugitive Brinks impostor sought for Black Friday robbery. A reward is being offered for information leading to the arrest of a man who posed as an armed Brinks security guard to steal cash from a clothing store at the Sawgrass Mills mall in Sunrise, Florida, November 26, 2011, according to Sunrise police. The suspect walked into the Aeropostale store and walked out with $162,000, investigators said. Sunrise police believe he had inside knowledge of the operation and knew there would be a lot of cash on hand after the busiest shopping day of the year. The robbery went undetected until police found a stolen getaway car with a gun, belt, cap, and the very convincing homemade Brinks uniform the robber used to fool the store manager, detectives said. Source:

Information Technology

42. March 16, Help Net Security – (International) Fake Google Play site serves Android malware. The recent name change of Google’s official Android Market — now called Google Play — has been quickly taken advantage of by scammers, Help Net Security reported March 16. According to Trend Micro researchers, fake Russian versions of the redesigned site have already appeared. “Download Google Play for Android Google Play is formerly known as the android market but now a vast and influential old android market combined with a store of books google ebookstore multi-format films and world music google music,” it is explained on the site. Among the suspicious Android apps offered for download is a Google Play application (google-play.apk), which is actually a Trojan that subscribes the victim to premium number services without asking his or her permission. The researchers said that although this Trojan is very similar to one discovered in February, that one had polymorphic abilities and this one does not; instead it tries to avoid detection by having various innocuous files added to it. Source:

43. March 16, Softpedia – (International) Microsoft addresses Flash component vulnerability in Bing. Three Vulnerability Lab researchers worked together to find and demonstrate a critical editor Flash component vulnerability on Microsoft’s Bing Service Application. The security experts identified the critical severity flaw and reported it to Microsoft February 7. Microsoft responded 2 days later, and March 14 the issue was addressed. If unaddressed, the remotely exploitable Flash component vulnerability may have allowed an attacker to implement malicious persistent comments while the user was editing or posting via Flash. The vulnerable module was the Comments&Edit — Flash Input/Output when swf files created with Action Script were loaded. Source:

44. March 16, Threatpost – (International) MS12-020 RDP exploit found, researchers say code may have leaked from security vendor. There is a confirmed legitimate working exploit for the MS12-020 RDP vulnerability in Windows circulating already and researchers say it is capable of either crashing or causing a denial-of-service (DoS) condition on vulnerable machines, Threatpost reported March 16. Microsoft warned customers about the possibility of the exploit surfacing quickly and advised them to patch the flaw immediately. The researcher who discovered the vulnerability said the packet he included in his original advisory was found in the exploit, raising the specter of a data leak somewhere in the pipeline. The exploit surfaced on a Chinese download site in the last few days and researchers have been able to confirm it causes a blue screen of death (BSOD) on some systems, and a DoS condition on other versions of Windows. Experts said the RDP bug, which was discovered by an Italian researcher, has the potential to be used as the basis for a large-scale worm and the existence of a working exploit is the first step down that road. The exploit will produce a BSOD on Windows 7 and a DoS on Windows XP. Source:

45. March 15, SecurityWeek – (International) ‘Anonymous OS’ taken offline due to security concerns. SourceForge removed a controversial Ubuntu-based operating system from its Web site due to claims the software is laced with trojans. Dubbed “Anonymous-OS,” the operating system was downloaded from SourceForge nearly 40,000 times before it was taken down. Affiliates of the Anonymous collective, however, have been quick to criticize the package. One of the more popular Anonymous Twitter accounts, AnonOps, declared March 14 the so-called AnonOS was fake and “wrapped in Trojans.” Another account, YourAnonNews, warned users the group “can’t vouch for it.” The OS came with pre-installed tools that can be used for password cracking and scanning for database vulnerabilities. It also included tools such as Tor that can be used to disguise someone’s online activities. In a statement on their site, the SourceForge team said it normally does not pass judgment on a download based on what someone using it could possibly do, but decided to act after security experts verified it was a security risk “and not merely a distribution of security-related utilities, as the project page implies.” Source:

46. March 15, IDG News Service – (International) Digitally signed malware is increasingly prevalent, researchers say. Security companies recently identified multiple malware threats that use stolen digital certificates to sign their components in an attempt to avoid detection and bypass Windows defenses, IDG News Service reported March 15. When it was discovered in 2010, the Stuxnet industrial sabotage worm surprised the security industry with its use of rootkit components that were digitally signed with certificates stolen from semiconductor manufacturers Realtek and JMicron. Security experts predicted at the time that other malware creators would adopt the technique to bypass the driver signature enforcement in 64-bit versions of Windows Vista and 7. Given recent developments, it appears they were right. A backdoor discovered by Symantec in December 2011 installed a rootkit driver signed with a digital certificate stolen from an undisclosed company. The certificate was revoked by VeriSign at the owner’s request 9 days later. However, the window in which the malware could remain undetected was larger than that, because Windows operating systems rarely check certificate revocation lists, or do not check them at all, Symantec’s principal software engineer said March 15. Source:
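Because, as item 46 notes, Windows itself may never consult the revocation list for a signed driver, a defender can check explicitly. The following PowerShell is an added example, not code from the report or from Symantec: it verifies the Authenticode signature of a file and then builds the signer's certificate chain with online revocation checking forced on, so a certificate that was revoked after the malware was signed is flagged. The file path is a placeholder assumption.

```powershell
# Added example (not from the report): verify an Authenticode signature and
# force an online revocation check of the signing certificate's whole chain.
function Test-SignerRevocation {
    param([Parameter(Mandatory)][string]$Path)

    # Standard Windows signature check; this alone does NOT guarantee a CRL lookup.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        return [pscustomobject]@{ Path = $Path; Trusted = $false;
                                  Reason = "Authenticode status: $($sig.Status)" }
    }

    # Rebuild the chain ourselves with revocation checking set to Online and
    # applied to the entire chain, not just the leaf certificate.
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($sig.SignerCertificate)

    # Collect every chain status (Revoked, RevocationStatusUnknown, OfflineRevocation, ...)
    # so an unreachable CRL is reported rather than silently treated as success.
    $problems = $chain.ChainStatus | ForEach-Object {
        '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim()
    }

    [pscustomobject]@{
        Path     = $Path
        Signer   = $sig.SignerCertificate.Subject
        Trusted  = $ok -and ($chain.ChainStatus.Count -eq 0)
        Reason   = if ($problems) { $problems -join '; ' } else { 'Chain built; no revocation found' }
    }
}

# Placeholder path (assumption); point this at the driver or binary under review.
Test-SignerRevocation -Path 'C:\Windows\System32\drivers\EXAMPLE_PLACEHOLDER.sys' | Format-List
```

A result of `RevocationStatusUnknown` or `OfflineRevocation` means the CRL could not be fetched, which is exactly the blind spot the article describes; treat it as untrusted until the check can be completed online.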

47. March 15, IDG News Service – (International) Tech support scammers target antivirus customers, diversify tactics. Tech support scammers have started targeting antivirus customers and have diversified their techniques, according to reports from antivirus vendors Avast and ESET. According to a March 15 IDG News Service report, cold-calling scams that target English-speaking computer users have been a common occurrence during the past 2 years. The scammers usually pose as tech support engineers who work for Microsoft or Internet service providers in an attempt to trick victims into buying questionable security or PC optimization software. However, it appears these attacks are becoming increasingly targeted, with callers beginning to impersonate employees of companies that users have already entrusted with their computers’ protection. Source:

48. March 15, H Security – (International) Cisco closes holes in its Security Appliances. Network equipment manufacturer Cisco is warning of a critical vulnerability in its ASA 5500 Series Adaptive Security Appliances (ASA) that could be exploited by a remote, unauthenticated attacker to execute arbitrary code and compromise a victim’s system, the H reported March 15. The problem is located in a Cisco port forwarding ActiveX control — distributed to client systems by ASA as part of the Clientless VPN feature — that can be used to cause a buffer overflow. For an attack to be successful, a victim must first visit a specially crafted Web page in Internet Explorer or another Web browser that supports ActiveX technologies. Versions 7.1 and 7.2, as well as 8.0 to 8.6 of the Cisco ASA software are affected. Cisco contacted Microsoft and requested it set a global kill bit for the vulnerable control in a future update, which will disable the exploitable control on affected systems. The company released software updates that address the issue; for those who cannot yet upgrade, workarounds are provided in the Cisco security advisory. Further updates from Cisco fix multiple denial-of-service (DoS) vulnerabilities in ASA 5500 Series appliances and the Catalyst 6500 Series ASA Services Module (ASASM). Another Protocol Independent Multicast (PIM) DoS hole was closed in the Catalyst 6500 Series Firewall Services Module (FWSM). Source:

For more stories, see items 13 above in the Banking and Finance Sector and 49 below in the Communications Sector

Communications Sector

49. March 16, Sanford Herald – (North Carolina) Windstream glitch impacts local customers. A mishap during contract work in northern Lee County left roughly 35,000 Windstream customers in Sanford, Broadway, and the Olivia, North Carolina area without Internet access for hours March 14. A company spokesman said a contractor was performing underground boring work March 14 when he inadvertently cut a vital fiber line. The mistake cut off Internet service in Lee and parts of northern Harnett County over several hours March 14 through March 15. Source:

For more stories, see items 13 above in the Banking and Finance Sector and 42 above in the Information Technology Sector