Wednesday, March 21, 2012

Complete DHS Daily Report for March 21, 2012

Daily Report

Top Stories

• Taylor, Bean & Whitaker Mortgage Corp.’s former chief financial officer admitted to helping his boss commit a $3 billion fraud that caused one of the country's largest banks to collapse. – Bloomberg See item 11 below in the Banking and Finance Sector.

• Three people were convicted on federal bank fraud charges in connection with an identity-theft scheme where bank insiders helped them steal millions from dozens of victims in four states. – Orange County Register See item 12 below in the Banking and Finance Sector.

• More than two dozen students were recovering at a local hospital March 19 after three school buses crashed in Upper Marlboro, Maryland. – WJLA 7 Arlington

15. March 19, WJLA 7 Arlington – (Maryland) Kids hospitalized in Upper Marlboro crash. More than two dozen students were recovering at a local hospital March 19 after three school buses crashed in Upper Marlboro, Maryland. The buses had just departed Fredrick Douglas High School and were loaded with students going home when the crash occurred near Route 301. Paramedics treated 75 students at the scene. Thirty-four others were transported to the hospital where the triage extended to the outside while parents waited in a separate area. Officials said all the students were treated for only minor injuries. Source: http://www.wjla.com/articles/2012/03/kids-hospitalized-in-upper-marlboro-crash-73951.html

• A tornado and strong storms in the Houston area hurt several workers at a chemical plant and damaged a bank and electric utility station. – KTRK 13 Houston

50. March 20, KTRK 13 Houston (Texas) Strong storms cause damage across Houston

area. The National Weather Service investigated the possibility that at least one tornado caused damage as a line of strong storms moved through the Houston area March 20. Some workers with Lyondell-Basell suffered injuries when high winds toppled a tent. It was not clear how many workers were inside the reinforced, industrial-sized tent of about 50 feet by 100 feet. The workers were in the process of being moved, according to a company spokesman, when the tent became unstable and flipped over. Four workers were checked out at a hospital. The storms are also blamed for a fire at the San Jacinto Steam Electric Station NRG facility in La Porte. A spokesman said it appeared lightning struck the switch yard causing a fire. High winds broke some windows at the Bank of America building on I-10 near Federal. A light pole was knocked down, and some vehicles in the parking lot suffered broken windows and wind damage. An official with Harris County Flood Control District reported several trees and fence lines down. Winds in that area were estimated by radar to be between 55 to 60 mph. Source: http://abclocal.go.com/ktrk/story?section=news/local&id=8586817

13. March 20, KTRK 13 Houston (Texas) Storms strand passengers at Houston

airports. A combination of bad weather in north and central Texas, and storms in

Houston March 20 led to significant delays at Bush Intercontinental Airport, KTRK 13

Houston reported. Delays for travelers were up to 3 hours in many cases. The night of March 19, about 300 people spent the night sleeping on cots in the baggage claim area. The majority of them were supposed to fly to Dallas-Fort Worth International Airport, but the severe weather in north Texas forced those flights to land in Houston. Hotels in the area were all booked and no rental cars were available. Passengers described the scene as chaotic. At one point, a ground stop had been issued for both airports in the Houston area, meaning flights could take off, but could not land at the local airports. Source: http://abclocal.go.com/ktrk/story?section=news/local&id=8587981

Details

Banking and Finance Sector

10. March 20, WFMZ 69 Allentown – (Pennsylvania) Police: Bank robber ID'd. A bank robber, acting as if he had an explosive device, was shot by a police detective in Berks County, Pennsylvania, March 19. The detective was at the M&T Bank by coincidence. He told investigators the suspect walked into the bank and ordered everyone to put their hands up. Police said the man appeared to have something strapped on him that had wires sticking out of it. When the detective approached the man and ordered him to get on the ground, the police chief said he had to act quickly. "The suspect said, 'You want everybody to be blown up?' And at that point, somewhere in between there, as they grappled, [the detective] pulled out his service revolver and shot the suspect," the chief said. The suspect was shot in the stomach. When authorities arrived, they also called the Reading Bomb Squad and the FBI. "The device the suspect used is a fake, it's a hoax," the police chief said. Source: http://www.wfmz.com/news/news-regional-berks/Police-Bank-robber-ID-d-as-Dragos-Ungurean/-/121418/9524554/-/12mfwbs/-/index.html

11. March 20, Bloomberg – (National) Ex-Taylor Bean finance chief admits role in $3 billion fraud. Taylor, Bean & Whitaker Mortgage Corp.’s former chief financial officer (CFO) admitted to helping his boss commit what prosecutors say was one of the largest bank frauds in U.S. history. He pleaded guilty March 20 in federal court in Alexandria, Virginia, to one count of conspiracy to commit bank and wire fraud and one count of false statements in a scheme that contributed to the failures of Montgomery, Alabama-based Colonial Bank and its parent, Colonial BancGroup, once among the nation’s 25 biggest depository banks. He faces as much as 10 years in prison. From 2005 through August 2009, the CFO helped Taylor Bean's ex-chairman and other conspirators misappropriate more than $1.5 billion from Ocala Funding LLC, a financing vehicle used and controlled by Taylor Bean, said a statement of facts filed by prosecutors. The CFO issued false financial reports that masked shortfalls to keep auditors at bay and investors on board, the document states. Taylor Bean was servicing more than 500,000 mortgages, including $51 billion of Freddie Mac loans, when it collapsed in August 2009, according to court records. The CFO admitted to falsifying mortgage loan data so Taylor Bean would meet collateral thresholds set by its lenders, and inflated the assets Taylor Bean supposedly owned, according to the statement of facts. False financial statements were given to Ginnie Mae and Freddie Mac so that Taylor Bean’s authority to sell and service mortgage securities guaranteed by the government-sponsored entities would be renewed, according to the court filing. Source: http://www.businessweek.com/news/2012-03-20/ex-taylor-bean-finance-chief-admits-role-in-3-billion-fraud

12. March 17, Orange County Register – (California; Southwest) 3 convicted in large ID theft ring. An Orange County, California jury found one man guilty and a judge convicted two others on federal bank fraud charges March 16 in connection with one of the largest identity theft schemes in southern California with dozens of victims and millions of dollars in losses. The three defendants faced several counts of attempted bank fraud, conspiracy to commit bank fraud, and aggravated identity theft. For the approximately 6-year duration of the scheme, defendants conspired to cause at least $8 million in losses, with victims in California, Arizona, Texas, and Nevada, prosecutors said. The defendants did everything they could to bypass bank security systems to drain the accounts of victims, many of them unsuspecting seniors, an attorney said in a statement. According to the government, as early as 2005, the defendants and co-conspirators used bank insiders to execute a sophisticated fraud scheme targeting individual bank accounts by obtaining confidential information. Prosecutors said the leader coordinated the scheme from behind state prison doors in partnership with gang members. After obtaining account data, the participants cashed fraudulent checks, prosecutors alleged. When banks called to check on the pending withdrawals, the calls were routed to co-conspirators who previously set up call forwarding with the victims' telephone companies, the attorney said. Source: http://www.ocregister.com/news/fraud-345082-bank-defendants.html

For another story, see item 44 below in the Information Technology Sector.

Information Technology

42. March 20, Threatpost – (International) Newly compiled driver shows Duqu authors still at work. One of the unique things about Duqu is the malware appears to be specifically tailored to each new victim. Rather than writing one piece of malware and spreading it out to a large potential victim base, the crew behind Duqu had a small, specially selected group of targets, each of which got its own specifically crafted components and drivers. Researchers say the number of known victims of Duqu is small, perhaps fewer than 50. In the last several days, researchers at Symantec found a newly compiled driver for Duqu, leading to speculation the attackers are still tweaking and modifying their original work. March 20, one of the researchers who did the initial analysis of Duqu at Kaspersky Lab said while the new driver did not have any new functionality, there are indications it is not just new, but it is also aimed at evading existing detection techniques for Duqu. Source: http://threatpost.com/en_us/blogs/newly-compiled-driver-shows-duqu-authors-still-work-032012

43. March 20, The Register – (International) Facebook 'cloaking' flaw allows unexpected snooping. A University College London research student and the chair of information communication technology told a conference of what they call a "zero day privacy loophole" in Facebook. Facebook users are not told when friends de-activate or re-activate accounts. That means trouble if the account is re-activated, as the newly re-activated friend regains access to anything their connections posted. Once they elicit information, they can de-activate the account again and their friends will almost certainly not know what happened or that they shared information. Source: http://www.theregister.co.uk/2012/03/20/facebook_deactivated_friend_zero_day/

44. March 20, The Register – (International) Trial finds eight ways to defeat Google, PayPal and other SSOs. U.S. security researchers unearthed flaws in the single sign-on (SSO) services operated by a number of portals, including Google and PayPal. Idiosyncratic methods of integrating the APIs, SDKs, and sample code supplied by identity providers are creating exploitable security shortcomings, according to a study by two researchers at Indiana University and one Microsoft researcher. In particular, the researchers said, the process of token exchange is often mangled, which creates the possibility for attackers to sign into targeted accounts without having to crack an intended victim's password. The study — touted as the first field trial of popular Web SSO systems — focused on implementation problems rather than fundamental flaws in the cryptographic techniques at play, which are fundamentally fine. The exercise uncovered eight serious logic flaws in high-profile ID providers and relying party Web sites (which rely on authentication cookies to establish a user session). ID providers affected included OpenID (including Google ID and PayPal Access); Facebook; the JanRain platform; Freelancer; FarmVille; and Sears.com. Every one of the eight flaws allows an attacker to sign in as a targeted user. The researchers contacted the sites involved, which have largely deployed a fix. Source: http://www.theregister.co.uk/2012/03/20/sso_security_shortcomings/

45. March 20, Help Net Security – (International) Beware of fake Google AV. According to GFI researchers, a number of pages offering "Google antivirus" software and threatening to block the users' access to Google services because of an infection have recently appeared, and they are listed among Google and Bing search results. The offered software is actually a rogue AV solution that has nothing to do with Google, and will likely try to bilk money from the victims. Currently, very few AV solutions detect the variant in question. Source: http://www.net-security.org/malware_news.php?id=2040&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader

46. March 19, Dark Reading – (International) Duqu code written by seasoned programmers, researchers find. March 19, Kaspersky Lab researchers announced that, with the help of the security community, they were able to unravel the origins of a well-masked programming language used to write the communications module in Duqu, the information-stealing malware that researchers at Kaspersky and other firms say is connected to Stuxnet. They also said that the same group of actors is behind both malware attacks. It turns out the attackers used object-oriented C language compiled with Microsoft Visual Studio 2008 — which indicates it was not a typical malware writer behind it, but more of an "old school" programmer, according to Kaspersky researchers. "This is not common for malware writers, that's for sure," Kapersky's chief malware analyst said. "This looks like a normal style for coding enterprise-wide applications." He said the language used is commonly a tool for professional software developers, which suggests the Duqu writers were not a typical cybercriminal outfit. Earlier in March, Kaspersky asked the security community for assistance in identifying the programming language, which did not appear to be one they ever saw before. Source: http://www.darkreading.com/advanced-threats/167901091/security/vulnerabilities/232602839/duqu-code-written-by-seasoned-programmers-researchers-find.html

Communications Sector

47. March 20, WDIO 10 Duluth – (Minnesota) Power outage knocks out Duluth media. WDIO 10 Duluth and other TV and FM stations in Duluth, Minnesota, were knocked off the air March 20 by a power outage. A cause was not immediately known, nor did officials provide an exact number of customers affected. Eleven of the 16 FM radio stations which transmit from the hillside were off the air. AM stations were unaffected because their transmitters are in different parts of the city. Source: http://www.wdio.com/article/stories/S2545096.shtml?cat=10335

48. March 20, WDSU 6 New Orleans – (Louisiana) Slidell phone systems down after main break. Slidell, Louisiana leaders said the city was experiencing a telephone outage March 19 after an underground main line broke. The city said it was working with AT&T to repair the lines and anticipated that service would be restored within 24 hours. City leaders said that city departments could be reached via e-mail while crews were working to restore the service. Source: http://www.wdsu.com/r/30711868/detail.html

49. March 19, Springfield State Journal-Register – (Illinois) Lincoln radio station will be off the air another 2-4 weeks. WLLM 1370 AM radio in Lincoln, Illinois, will be off the air another 2 to 4 weeks as the result of a March 12 electrical fire, the station's general manager said March 19. The offices have moved temporarily to another location while repairs are made to the station building. The general manager said damage to equipment was minimal and the fire did not reach the transmitter. Cornerstone Community Radio owns the not-for-profit station, which broadcasts at 1370 AM and 105.3 FM. Source: http://www.sj-r.com/breaking/x872948758/Lincoln-radio-station-will-be-off-the-air-another-2-4-weeks

For more stories, see items 43 and 44 above in the Information Technology Sector.

Tuesday, March 20, 2012

Complete DHS Daily Report for March 20, 2012

Daily Report

Top Stories

• Eight people were questioned on counterfeiting charges March 19 after they were found with $100 million in fake U.S. treasury bonds in Poland, authorities said. – Associated Press See item 8 below in the Banking and Finance Sector.

• A winter storm packing heavy snow and gusty winds forced authorities to close 180 miles of Interstate 40 in Arizona. The storm also closed schools and canceled flights in Arizona and New Mexico. – CNN

18. March 18, CNN – (Arizona) Winter storm closes 180 miles of AZ interstate. A winter storm packing heavy snow and gusty winds forced authorities to close 180 miles of Interstate 40 in northern Arizona for many hours, March 18. The road was closed in both directions, said a dispatch supervisor for the Arizona Highway Patrol. The closure stretched roughly from Kingman in western Arizona to eastward to Winslow, including the city of Flagstaff, he said. Portions of Interstate 17 south of Flagstaff were also closed, according to the Arizona Department of Transportation’s Web site, as were several state roads. Flagstaff received 10 to 14 inches of snow, according to the National Weather Service. The city of Prescott had received 8 to 12 inches. Several crashes and reports of stuck vehicles had been reported as of March 18, with one person sustaining minor injuries on I-40. The Flagstaff Unified School District, Northern Arizona University Flagstaff campus, and Coconino Community College Flagstaff and Page campuses announced they would be closed March 19. Source: http://fox8.com/2012/03/18/winter-storm-closes-180-miles-of-arizona-interstate/

2. March 19, Associated Press – (Arizona; New Mexico) Winter storm, strong winds strike NM, Ariz. A winter storm and high winds struck parts of Arizona and New Mexico March 18, causing hazardous driving conditions, power outages, and school cancellations. The fast moving storm forced the National Weather Service to place parts of northern New Mexico under a winter storm warning March 19 as heavy snow and wind from Arizona was expected to quickly blanket the area. The company PNM reported that 33,000 customers were out of power at one point March 19 in the Albuquerque area due to high winds. A spokesman for PNM said emergency crews were working to restore power, and by 9 p.m. the number without electricity was down to 4,500. Heavy winds and blowing dust forced the closure of parts of Interstate 10 in southern New Mexico due to low visibility, but the road was back open later in the day. Source: http://www.lcsun-news.com/las_cruces-news/ci_20204901/winter-storm-strong-winds-strike-nm-ariz

• A report found the Washington, D.C. agency responsible for providing clean drinking water rigged lead-monitoring test results by not conducting tests in known problem areas. – Washington Examiner

26. March 19, Washington Examiner – (Washington, D.C.) D.C. covered up bad water quality tests, report says. The Washington, D.C. agency responsible for providing clean drinking water throughout the city rigged its monitoring of lead in water by not conducting tests in parts of the city known for having higher lead levels, the District of Columbia inspector general (IG) found. The Washington Examiner reported March 19 that for a 26-month span beginning in July 2001, investigators found the D.C. Water and Sewer Authority (DCWASA) knew lead levels were elevated in the water system. Although it notified the Environmental Protection Administration (EPA) and began trying to remove excessive lead, the DCWASA also tried to cover up the extent of the crisis. “DCWASA sought to minimize the problem by sampling water from residences that were unlikely to have elevated lead levels, avoiding additional testing in areas of the District known to have elevated water lead test results,” the IG wrote. Investigators also found that the DCWASA did not use approved testing methods throughout the city and that officials “provided misleading information” during hearings before the city council about lead levels. The EPA required the agency to test more residences to meet federal guidelines that mandated the city have 1,615 acceptable tests. It took the agency about 6,000 tests to meet that standard. A spokesman for the DCWASA said the agency had a leadership overhaul in 2009 and that past problems are not reflective of the agency’s current performance. Scientists are not sure whether lead-laden water is to blame for the diagnoses of lead poisoning in some children in Washington, D.C. Source: http://washingtonexaminer.com/local/dc/2012/03/dc-covered-bad-water-quality-tests-report-says/379566

• Authorities in Johnston City, Illinois, issued a boil water order after two teenagers were arrested for climbing a water tower March 16. – Associated Press

27. March 18, Associated Press – (Illinois) 2 teenagers arrested in southern Illinois for climbing water tower, boil order issued. Authorities in southern Illinois said two teenagers were arrested for allegedly climbing a water tower March 16. The Johnston City police chief said officers received a call around 11:45 p.m. with a report of a man on the tower. After authorities arrived and tried to get the teenagers down, a large glass alcohol bottle was thrown from the top of the tower. Authorities said emergency responders went up the tower and retrieved both teenagers with harnesses. Charges are pending. Officials in Johnston City issued a precautionary boil order after the incident since there was a possible breach of the water tank. Source: http://www.therepublic.com/view/story/18df6358a1784217b0fa75d6824de0e9/IL--Water-Tower-Arrests/

• The Los Angeles Fire Commission allocated emergency funds to fix glitches in the city’s emergency response system that are delaying the dispatch of firefighters and paramedics. – Associated Press

39. March 18, Associated Press – (California) LA fire agency to fix emergency dispatch glitches. The Los Angeles Fire Commission allocated emergency funds to fix glitches in the city’s emergency response system that are delaying the dispatch of firefighters and paramedics, the Associated Press reported March 18. The Los Angeles Times reported March 18 that a woman bled profusely for 45 minutes March 7, while waiting for paramedics after a factory machine sliced off one finger and mangled the others. The delay was caused by a brief failure in the fire department’s dispatching system. Firefighters said the system problems are recurring and have created confusion at fire stations, forcing dispatchers to deploy old backup plans. The fire commission president said the panel planned to address equipment breakdowns and response times at its meeting March 20. Officials said the dispatching system is aging and was recently moved. Source: http://www.fresnobee.com/2012/03/18/2766001/la-fire-agency-to-fix-emergency.html

• A security researcher identified approximately 5 million Internet-accessible Remote Desktop Protocol (RDP) endpoints that are potentially vulnerable to a network worm exploiting a critical Microsoft vulnerability. – Threatpost See item 45 below in the Information Technology Sector.

Details

Banking and Finance Sector

8. March 19, Associated Press – (International) Polish authorities seize $100 million in fake US treasury bonds, arrest 8 people. Eight people are to be questioned on counterfeiting charges March 19 after they were found with $100 million in fake U.S. treasury bonds in their possession, Polish authorities said. The central anti-corruption bureau, a state agency, said the suspects — three Poles, two Italians, two Ukrainians, and a Moldovan woman — were arrested March 18 in regions around Krakow and Lublin, in southern and eastern Poland. A bureau spokesman said the value of the fake bonds was a record seizure for the bureau. No other details were immediately available, and it was not clear if any fake bonds in the scam made it to the market. Source: http://www.washingtonpost.com/world/europe/polish-authorities-seize-100-million-in-fake-us-treasury-bonds-arrest-8-people/2012/03/19/gIQA3gybMS_story.html

9. March 19, Warren Tribune Chronicle – (Florida; National) Man to plead guilty in $14M Ponzi scheme. A Florida man who founded a company that allegedly ran a $14.8 million Ponzi scheme that defrauded 100 investors in 9 states will plead guilty April 5, the Warren Tribune Chronicle reported March 19. He faces up to 20 years in prison and a $5 million fine on 30 counts of conspiracy, mail fraud, wire fraud, securities fraud, and money laundering. According to court records, he created and was the president of A&O Companies. The company’s chief executive officer is facing similar charges and penalties. The indictment alleges that between 2006 and January 20, 2009, the two solicited investors to buy into their real estate ventures. Prosecutors claim they then used the money to pay for employees’ salaries, personal expenses, and to pay off other investors, whom they promised between 20 and 45 percent interest. The men lied to investors, telling them their investment was secured through promissory notes and guaranteed through a lakefront Florida property, the indictment says. The property, however, was promised as collateral on more than $8 million in promissory notes, while the property was purchased for only $425,000. Once they issued the fraudulent notes, they paid some investors the promised interest payments “to give the false impression that there were actual investments,” the charges state. Source: http://www.tribtoday.com/page/content.detail/id/569420/Man-to-plead--guilty-in--14M--Ponzi-scheme.html?nav=5021

10. March 19, Associated Press – (Georgia; National) FDIC sues ex-directors of troubled failed Ga. bank. Federal bank regulators filed a lawsuit March 16 against 10 former directors and officers of a failed Georgia bank that collapsed and led to a wide-ranging criminal investigation and prison time for two of its top officials. The Federal Deposit Insurance Corporation’s complaint accuses the former Omni National Bank officials of negligence and loose lending policies that led to the bank’s March 2009 collapse. It seeks to recover more than $37 million in losses that included loans targeting low-income properties. It names several defendants who have already been charged criminally with their role in the bank’s collapse. The bank’s former vice president (VP) was sentenced to 5 years in prison in 2011 after pleading guilty to cooking the bank’s books. Another Omni executive was sentenced to almost 2 years in prison on charges of taking bribes. The lawsuit claims the VP, executive, and five others approved loans for low-income properties despite “numerous, repeated, and obvious violations” of the bank’s loan policies and procedures. It said the lenders allowed the use of straw borrowers, did not get proper appraisals, and did not make sure the borrowers had proper credit scores or the ability to repay the loans. It accused Omni’s president and its former chief executive of failing to supervise loan officers despite numerous “red flags,” such as reports of prior misconduct by the VP. Between 2003 and 2008, the Atlanta-based bank expanded into seven states and its assets quadrupled to almost $1 billion, fueled mostly by a surge in real estate lending. Source: http://www.thenorthwestern.com/usatoday/article/38820037?odyssey=mod|newswell|text|FRONTPAGE|s

11. March 19, Financial Industry Regulatory Authority – (National) FINRA fines Citi Financial $600,000 and orders restitution of $648,000 for excessive markups and markdowns. The Financial Industry Regulatory Authority (FINRA) announced March 19 that it has fined Citi International Financial Services LLC, a subsidiary of Citigroup, Inc., $600,000 and ordered more than $648,000 in restitution and interest to more than 3,600 customers for charging excessive markups and markdowns on corporate and agency bond transactions, and for related supervisory violations. FINRA found that the markups and markdowns occurred from July 2007 through September 2010. They ranged from 2.73 percent to more than 10 percent, and were excessive given market conditions, the cost of executing the transactions, and the value of the services rendered to customers. In addition, from April 2009 through June 2009, Citi International failed to use reasonable diligence to buy or sell corporate bonds so that the resulting price to its customers was as favorable as possible. During the relevant period, Citi International’s supervisory system regarding fixed income transactions contained significant deficiencies. Citi International was also ordered to revise its written supervisory procedures regarding review of markups and markdowns, and best execution in fixed income transactions. Source: http://www.finra.org/Newsroom/NewsReleases/2012/P125821?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+FINRANews+(FINRA+News)&utm_content=Google+Reader

12. March 19, Associated Press – (New York; National) NY Mets owners settle in Ponzi-related case. The owners of the New York Mets agreed to pay up to $162 million in a settlement announced March 19 with the trustee for fraud victims of a Ponzi scheme. The agreement was announced just as a civil trial was set to begin in a federal court in New York City to determine if the team’s owners might owe as much as $386 million because they were among those who made significantly more than their original investment in the investment company linked to the scheme. The settlement does not require any money to be paid for at least 3 years. It also created the possibility the owners could owe nothing if they can secure $162 million of the $178 million they are seeking in claims of their own against the Ponzi schemer’s estate. The trial was set to showcase what the trustee said was a conscious decision by the Mets owners to ignore warnings the head of the fund was operating a multibillion-dollar fraud over several decades, costing thousands of investors about $20 billion. A trustee originally sought $1 billion from the owners. The judges already had ruled the team’s owners must pay up to $83.3 million in profits they received. That amount would now be included in the $162 million. There remain another 800 lawsuits pending against those who profited from their investments in the fraudulent scheme.

Source: http://www.google.com/hostednews/ap/article/ALeqM5hGeLVQ4bQAfa-HtH-JdPSB7T5N4A?docId=f2133627756b4a588af49bed7493437e

13. March 19, PC Magazine – (International) Linkedin e-mail scam deposits banking trojan. GFI Labs recently discovered a LinkedIn e-mail phishing scam that installs the Cridex banking Trojan. The fake LinkedIn e-mail looks like an authentic e-mail reminder about pending invitations. The phishing scam shares the same IP address (41.64.21.71) as several recent Better Business Bureau and Intuit spam runs. The Cridex bot, also known as Cardep or Dapato, was discovered in the wild in August 2011. It spreads through e-mailed or shared attachments. Once installed, the trojan connects to a remote command and control (C&C) server. Then it injects itself into the target’s Internet Explorer process, where it steals online banking credentials, e-mail accounts, cookies, and FTP credentials, and sends them back to the C&C server. Earlier this month, M86 Labs reported that Cridex currently infects 25,000 machines. Source: http://securitywatch.pcmag.com/security/295538-linkedin-email-scam-deposits-banking-trojan

14. March 17, Associated Press – (Nevada; National; International) Feds say 19 arrested in 9 states in ID theft ring. Nineteen people were arrested in Nevada and eight other states in a Las Vegas-based identity theft and trafficking ring that a federal prosecutor characterized as a sophisticated racketeering organization involving 50 people nationwide. The scheme revolved around the buying and selling of pilfered debit and credit card information on an Internet site called “Carder.su,” a U.S. attorney said March 16. The Secret Service and U.S. Immigration and Customs Enforcement homeland security agents arrested five people March 15 in Las Vegas and 14 more in California, Florida, New York, Georgia, Michigan, New Jersey, Ohio, and West Virginia, according to the statement. The attorney said more arrests were expected as federal agents locate defendants named in three sealed indictments handed up by a federal grand jury in Las Vegas January 10 and March 13. The statement said charges include conspiracy, racketeering, and production and trafficking in false identification documents and access device cards. Members of the ring allegedly traded counterfeit documents and stolen bank account information on organization Web sites. Leaders of the organization allegedly tested and provided reviews of services, including money laundering, and products such as fake identification documents and stolen credit card account data lists from Europe, the Middle East, Asia, and the United States. Source: http://www.foxnews.com/us/2012/03/17/feds-say-1-arrested-in-states-in-id-theft-ring/

15. March 16, U.S. Government Accountability Office – (National) IRS needs to further enhance internal control over financial reporting and taxpayer data. The Internal Revenue Service (IRS) implemented many controls and procedures intended to protect key financial and tax-processing systems; nevertheless, control weaknesses continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer data processed by agency systems, according to a Government Accountability Office statement March 16. Specifically, the IRS continues to face challenges in controlling access to its information resources. For example, it had not always (1) implemented controls for identifying and authenticating users, such as requiring users to set new passwords after a prescribed period of time; (2) appropriately restricted access to certain servers; (3) ensured that sensitive data were encrypted when transmitted; (4) audited and monitored systems to ensure that unauthorized activities would be detected; or (5) ensured management validation of access to restricted areas. In addition, unpatched and outdated software exposed the agency to known vulnerabilities, and the IRS had not enforced backup procedures for a key system. Source: http://www.gao.gov/assets/590/589399.pdf

16. March 16, WTVT 13 Tampa Bay – (Florida; International) Credit card fraud ring busted in Pinellas. Authorities busted an international crime ring that had its headquarters in Pinellas County, Florida, WTVT 13 Tampa Bay reported March 16. The crimes involved luxury cars and credit cards. Authorities targeted 10 men, including the ring leader. The 3-year long joint operation involved the Pinellas County Sheriff’s Office, the U.S. Secret Service, and the Florida Attorney General’s Office.The alleged fraud totaled more than $3 million. Most of the suspects are originally from Bulgaria and Lithuania. The suspects were also accused of setting up phony corporations in Florida to run the cards and keep cash. The Pinellas County Sheriff said the men also made millions by taking out big dollar car loans to buy expensive vehicles with no intention of paying back the money. The cars were allegedly retailed in the state of Illinois and then shipped overseas and sold for double the price. Source: http://www.myfoxtampabay.com/dpp/news/local/pinellas/credit-card-fraud-ring-busted-in-pinellas-03162012

For another story, see item 43 below in the Information Technology Sector.

Information Technology

42. March 19, IDG News Service – (International) New iPad model has already been jailbroken. Hackers claimed to have figured out a way to bypass Apple’s technical restrictions and install unauthorized applications on the company’s latest iPad upon its release March 16. Apple forbids installing applications it has not approved, but hackers have found ways to “jailbreak” devices, or modify the code to allow unauthorized programs from alternative application stores. Source: http://www.computerworld.com/s/article/9225306/New_iPad_model_has_already_been_jailbroken?taxonomyId=17

43. March 19, IDG News Service – (International) Java-based Web attack installs hard-to-detect malware in RAM. Malware that does not create any files on the affected systems was installed onto the computers of visitors to news sites in Russia in a drive-by download attack, according to Kaspersky Lab. The attack code loaded an exploit for a known Java vulnerability, but it was not hosted on the affected Web sites themselves. Instead, it was served to their visitors through banners displayed by a third-party advertising service. The Java exploit’s payload consisted of a rogue dynamic-link library (DLL) loaded and attached on the fly to the legitimate Java process. This type of malware is rare, because it dies when the system is rebooted and the memory is cleared. The malicious DLL loaded into memory acted as a bot, sending data to and receiving instructions from a command and control server over HTTP. In some cases, the instructions given out by attackers were to install an online banking trojan on the compromised computers. “This attack targeted Russian users. However, we cannot rule out that the same exploit and the same fileless bot will be used against people in other parts of the world: They can be distributed via similar banner or teaser networks in other countries,” the researcher said. Source: http://www.computerworld.com/s/article/9225300/Java_based_Web_attack_installs_hard_to_detect_malware_in_RAM?taxonomyId=17

44. March 19, H Security – (International) VLC Media Player 2.0.1 closes security holes. Version 2.0.1 of the open source VLC Media Player has been released, H Security reported March 19. According to a VideoLAN developer, the maintenance update to VLC 2.0 “Twoflower” includes fixes for more than 110 bugs and closes 2 security holes that could be exploited by an attacker to compromise a victim’s system. The update addresses a stack overflow in MMS support as well as a heap-based buffer overflow in Real RTSP support which, its developers say, could lead to arbitrary code execution on most systems. For an attack to be successful, a user must first open a specially crafted file or a malicious Web site. All VLC versions up to and including 2.0.0 are affected; upgrading to 2.0.1 fixes these issues. Source: http://www.h-online.com/security/news/item/VLC-Media-Player-2-0-1-closes-security-holes-1474770.html

45. March 19, Threatpost – (International) Researcher says 5 million machines exposing RDP service online. A network security researcher scanned a large part of the Internet in the wake of the release of the patch for the Remote Desktop Protocol (RDP) bug and the publication of exploit code. He started the scan March 16 and hit 300 million IP addresses. He found there were about 415,000 machines communicating using part of the RDP protocol. “Extrapolating from this sample, we can see that there’s approximately 5 million RDP endpoints on the Internet today ... it’s pretty clear that, yes, RDP is actually an enormously deployed service, across most networks in the world,” he said. “There’s something larger going on, and it’s the relevance of a bug on what can be possibly called the Critical Server Attack Surface. Not all bugs are equally dangerous ... but some flaws are simply more accessible, and RDP — as the primary mechanism by which Windows systems are remotely administered — is a lot more accessible than a lot of people were aware of.” RDP is used widely in enterprise networks and small business environments for remote management of machines. In larger networks that have tight administration and regular patching programs and schedules, the bug likely will be addressed quickly, whether through patching or by disabling RDP on machines if it is unnecessary. Some percentage of those machines were already patched, as the fix has been out now for almost a week. However, in smaller networks that may not have a full-time administrator or IT staff, the problem is more problematic. If the business owners do not even know RDP is enabled or what it is for, they may also not realize the importance of patching the vulnerability. That leaves a large potential target base for attackers, even if the majority of enterprise administrators patch their vulnerable machines. Source: http://threatpost.com/en_us/blogs/researcher-says-5-million-machines-exposing-rdp-service-online-031912

46. March 18, Computerworld – (International) Microsoft blames security info-sharing program for attack code leak. March 16, Microsoft confirmed sample attack code created by the company likely leaked to hackers from a program it runs with antivirus vendors. “Details of the proof-of-concept code appear to match the vulnerability information shared with Microsoft Active Protection Program (MAPP) partners,” a director with Microsoft’s Trustworthy Computing group said in a statement. “Microsoft is actively investigating the disclosure of these details and will take the necessary actions to protect customers and ensure that confidential information we share is protected pursuant to our contracts and program requirements,” he added. Under the MAPP, Microsoft provides select antivirus companies with technical information about bugs before Microsoft patches the flaws. It is meant to give third-party security vendors advance warning so they can craft detection signatures. Among the things Microsoft shares with MAPP members, according to a program FAQ, are “proof-of-concept or repro tools that further illuminate the issue and help with additional protection enhancement.” The acknowledgment by Microsoft was prompted by claims earlier in the day by the Italian researcher who reported the vulnerability in Windows Remote Desktop Protocol in May 2011. Source: http://www.computerworld.com/s/article/9225293/Microsoft_blames_security_info_sharing_program_for_attack_code_leak?taxonomyId=17

47. March 16, Infosecurity – (International) New Imuler trojan variant for the Mac disguises itself as image file. A new version of the Imuler trojan is disguising itself as image files, according to Intego, which first discovered the Trojan September 2011. Intego found two samples of the new version, designated as Imuler.C, on the VirusTotal Web site, which is used by security companies to share malware samples. Inboth samples, an application was included with an icon making it look like an image. Intego said the technique “takes advantage of a default setting in the Mac OS X Finder, whereby file extensions are not displayed. Users double-clicking on the application launch the malware, which quickly deletes itself, replacing the original application witha real JPEG image corresponding to the one that was an application, and displays this image in the user’s default image viewer. There is no visible trace of the application after this point.” The malware then installs a backdoor. “This malware searches for userdata, and attempts to upload it. It also takes screenshots and sends them to the server. It creates a unique identifier for the specific Mac to be able to link the Mac and the data it collects. We have seen this malware is active, as it connects to a remote server and downloads new executables,” Intego related. Source: http://www.infosecurity-magazine.com/view/24606/

48. March 15, V3.co.uk – (International) Symantec warns of 64-bit Windows trojans. Symantec warned of a new Windows 7 trojan that can elevate the privileges of any restricted process to administrator level, without the user’s permission or knowledge. The latest fully patched versions of Windows 7 are vulnerable to the backdoor.Conpee trojan, warned a security response engineer at Symantec. The new trojan targets 32-bit and 64-bit versions of Windows 7, adding to the growing weight ofevidence that malware writers are redesigning their software to bypass security features in 64-bit Windows, he said. The 64-bit version of Windows 7 and Vista included Kernel Mode Code Signing and Kernel Patch Protection, intended to make them less vulnerable to malware. But backdoor.Conpee and the recently-discovered Backdoor.Hackersdoor trojan have both been shown to infect 64-bit operating systems, the researcher said. “What was just a theory not so long ago is now being used in-the-wild by [these] threats,” he warned. The Hackersdoor trojan is able to bypass the driver signing system used in 64-bit Windows using stolen certificates. Symantec first detected this type of infection in December 2011, and while the number of infections seen in the wild since then have been modest, it appears the malware writers have been using it as a test case, the researcher added. Source: http://www.v3.co.uk/v3-uk/news/2159725/symantec-warns-bit-windows-trojans

For more stories, see items 13, 14, and 15 above in the Banking and Finance Sector.

Communications Sector

See item 42 above in the Information Technology Sector.