Thursday, March 22, 2012

Complete DHS Daily Report for March 22, 2012

Daily Report

Top Stories

• Taiwanese security personnel detained a suspected Chinese spy at a military base that uses sensitive U.S. technology. He was the fourth Taiwanese in 14 months arrested for spying for China. – Associated Press

11. March 21, Associated Press – (International) Spies target Taiwan’s U.S.-made defenses. Taiwanese security personnel detained a suspected spy for China at a top secret military base that utilizes sensitive U.S. technology in February, the Associated Press reported March 21. The air force captain was the fourth Taiwanese in 14 months known to have been picked up on charges of spying for China. While Taiwan’s defense ministry did not disclose details of the alleged offense, his base in the northern part of the island hosts the air force’s highly classified radar system and U.S.-made Patriot surface-to-air missiles. The captain’s arrest followed that of a major general, who had access to crucial information on Taiwan’s U.S.-designed command and control system, and a civilian, who the defense ministry says tried without success to inveigle Patriot-related secrets from an unnamed military officer. A fourth alleged spy was detained on non-defense-related charges. The cases show China is seeking data about systems integral to Taiwan’s defenses and built with sensitive U.S. equipment. Information about the defense systems could also help the People’s Liberation Army understand other U.S. defenses. Source:

• Officials at the agency in charge of America’s nuclear stockpile said they face millions of hacking attempts daily by governments and sophisticated non-state actors. – U.S. News and World Report

13. March 20, U.S. News and World Report – (International) U.S. nukes face up to 10 million cyber attacks daily. According to U.S. News and World Report March 20, the computer systems of the agency in charge of America’s nuclear weapons stockpile are “under constant attack” and face millions of hacking attempts daily, said officials at the National Nuclear Security Administration (NNSA). The head of the agency said it faces cyber attacks from a “full spectrum” of hackers. “They’re from other countries’ [governments], but we also get fairly sophisticated non-state actors as well,” he said. “The [nuclear] labs are under constant attack, the Department of Energy is under constant attack.” A spokesman for the NNSA said the Nuclear Security Enterprise experiences up to 10 million “security significant cyber security events” each day. “Of the security significant events, less than one hundredth of a percent can be categorized as successful attacks against the Nuclear Security Enterprise computing infrastructure,” the spokesman said — which puts the maximum number at about 1,000 daily. The agency wants to increase its cybersecurity budget from about $126 million in 2012 to about $155 million in 2013 and developed an “incident response center” responsible for identifying and mitigating cybersecurity attacks. Source:

• Two California men pleaded guilty to stealing numbers from 94,000 credit- and debit-card accounts. The men used the stolen numbers to withdraw money from nearly 1,000 card holders’ accounts. – U.S. Department of Justice See item 16 below in the Banking and Finance Sector.

• Storms that hit the south-central United States wiped out a city parks complex and county fairgrounds in Arkansas, and caused flooding that closed bridges and roads in Kansas, Missouri, and Oklahoma. – Associated Press

46. March 21, Associated Press – (National) Storms shuffle through south-central U.S. Storms shuffled through parts of the south-central United States again March 20, bringing more heavy rain, damaging winds, and thunder so loud some people in Oklahoma mistook it for an earthquake. Forecasters said the slow-moving storm system could cause more flash floods, hail, strong winds, and possibly tornadoes in a corridor stretching from Texas east to Louisiana and as far north as Missouri. In Morrilton, Arkansas, strong winds caused extensive damage, including the destruction of the city parks complex along with its concession and exhibit buildings at the Conway County Fairgrounds. Firefighters in Midway, Arkansas, also evacuated storm damaged mobile homes that day. Tornado warnings were issued in eight Arkansas counties, but no tornadoes were immediately confirmed. Officials in southeast Kansas closed several bridges, and workers in Missouri shut down a rural roadway after rain sparked flash flooding. In Arkansas and Oklahoma, the U.S. Forest Service closed campsites in low-lying areas to avoid another catastrophe like the flash flood that killed 20 people at a remote campground in 2010. Storms rattled Tulsa, Oklahoma, with thunder so strong it registered on seismic equipment. Source:

19. March 21, MSNBC; Reuters; Associated Press – (National) Tornado alerts follow flooding in southern states. A storm system that dumped up to a foot of rain in parts of Louisiana, causing isolated flash flooding, was threatening to spawn tornadoes there and in Mississippi, the National Weather Service warned. Large hail and wind gusts up to 70 mph were also possible in parts of both states through March 21. Flash floods were reported in Louisiana, Arkansas, and eastern Texas in the wake of “widespread heavy rain” March 20 and overnight. “Some roads are already flooded and closed ... and additional heavy rainfall will continue to produce more flash flooding” in northwest Louisiana, the National Weather Service stated. “This is an extremely dangerous situation.” In Natchitoches, Louisiana, several homes were flooded and roads closed after rain overnight ranged from 5 to 10 inches, depending on the area, the service stated. Source:


Banking and Finance Sector

14. March 21, Philadelphia Inquirer – (Pennsylvania) Guilty plea in $31M mortgage fraud. A man pleaded guilty March 20 to conspiracy and fraud charges connected to a mortgage foreclosure rescue scheme involving $31 million in fraudulent loans on 120 properties, the U.S. attorney’s office in Philadelphia said. Through his company, DeMarco REI Inc., the defendant offered to buy the houses of people facing foreclosure, allowing victims to stay in the houses and pay rent until they recovered financially and could buy the house back, according to a 15-count indictment filed in December 2010. In reality, he lined up straw buyers for the houses, used fraudulent documents to obtain mortgage loans, and stole $11 million of homeowners’ equity. Eventually, the new lenders foreclosed on the houses. The scheme operated from mid-2006 into 2009, but most of the fraudulent mortgages from 19 banks were obtained in 2007 and 2008, during the worst of the mortgage crisis. Source:

15. March 21, Help Net Security – (International) Mousetrap Trojan steals money by chain reaction. The chief security researcher at Bitdefender warned of a new trojan that robs bank accounts. The new Mousetrap campaign starts with a Java applet that has been injected into a popular Web site. This malicious applet, disguised as Adobe Flash Player, warns the user the Flash Player plugin on their computer is outdated and needs an update, but, once executed, the applet downloads and installs another malicious executable file on the machine of the Web site visitor. The attackers likely use 0-day vulnerabilities in blogging Web applications or brute-force weak administrator passwords to add their code to the site’s header file. The downloaded file, written in Visual Basic and packed with UPX, is saved in a writable location on the user’s machine. It downloads and installs a banker from a list (hardcoded in the downloader) of a dozen available links that lead to different banker trojans. To ensure automatic launch, the banker creates a shortcut to itself in the Startup folder. Each time the system starts, all programs with shortcuts in that folder are launched as well, including the banker. Once on the system, the banker updates itself by downloading newer versions from a second list of links. The updates are hosted on multiple servers so that if one is shut down, the rest can still be accessed. The banker Trojan presents users with a log-in form and asks them to fill it in. The data entered by the unwary clients is intercepted by crooks and sent to a C&C server. Source:
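The persistence mechanism in item 15 (a dropped executable in a user-writable location plus a shortcut to it in the Startup folder) is cheap to audit. The script below is an added example written for this digest, not Bitdefender’s or the malware author’s code: it takes already-resolved Startup-folder entries (shortcut name and target path) and flags the combinations that match the pattern described above. The sample entries are constructed; the hypothetical “flashplayer.exe” and “svchost.exe” targets are illustrative, not indicators from the report. Resolving each .lnk to its target on a live host (for example via the WScript.Shell COM object) is assumed to be done by the collector.

```python
"""Audit resolved Startup-folder shortcuts for the drop-and-shortcut pattern.

Added example for this digest; assumptions: entries have already been resolved
from .lnk files to target paths, and paths follow the usual Windows layout.
Uses PureWindowsPath so the logic runs on any OS.
"""
from pathlib import PureWindowsPath

# Constructed sample input (not data from the report).
SAMPLE_ENTRIES = [
    {"shortcut": "OneDrive.lnk",
     "target": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
    {"shortcut": "Adobe Flash Player Update.lnk",          # mimics the fake updater lure
     "target": r"C:\Users\alice\AppData\Roaming\flashplayer.exe"},
    {"shortcut": "update.lnk",
     "target": r"C:\Users\alice\AppData\Local\Temp\svchost.exe"},
    {"shortcut": "Send to OneNote.lnk",
     "target": r"C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE"},
]

EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js", ".ps1", ".dll"}
SYSTEM_BINARY_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}
VENDOR_WORDS = ("adobe", "flash", "java", "microsoft", "google")
TRUSTED_ROOTS = {"program files", "program files (x86)", "windows"}


def _parts(target: str) -> tuple:
    """Lower-cased path components, e.g. ('c:\\', 'users', 'alice', 'appdata', ...)."""
    return tuple(p.lower() for p in PureWindowsPath(target).parts)


def is_user_writable(target: str) -> bool:
    """True for locations a non-admin process can write to without a UAC prompt."""
    p = _parts(target)
    if len(p) >= 4 and p[1] == "users" and p[3] in {"appdata", "downloads", "desktop"}:
        return True
    if len(p) >= 3 and p[1] == "windows" and p[2] == "temp":
        return True
    return len(p) >= 2 and p[1] == "programdata"


def classify(entry: dict) -> list:
    """Return the list of reasons an entry looks like malware persistence (empty = clean)."""
    target = entry["target"]
    p = _parts(target)
    name = PureWindowsPath(target).name.lower()
    reasons = []
    # The digest's pattern: executable dropped somewhere writable, then autostarted.
    if is_user_writable(target) and PureWindowsPath(target).suffix.lower() in EXEC_EXTS:
        reasons.append("target under a user-writable path")
    # Shortcut named after a vendor (the Flash Player lure) but not installed where vendors install.
    if any(w in entry["shortcut"].lower() for w in VENDOR_WORDS) and (len(p) < 2 or p[1] not in TRUSTED_ROOTS):
        reasons.append("vendor name in shortcut but target outside Program Files/Windows")
    # A Windows system binary name living outside System32/SysWOW64 is a classic masquerade.
    in_system_dir = len(p) >= 3 and p[1] == "windows" and p[2] in {"system32", "syswow64"}
    if name in SYSTEM_BINARY_NAMES and not in_system_dir:
        reasons.append("Windows system binary name outside System32/SysWOW64")
    return reasons


def audit(entries: list) -> list:
    """Return only the entries with at least one reason, each annotated with its reasons."""
    findings = []
    for e in entries:
        reasons = classify(e)
        if reasons:
            findings.append({"shortcut": e["shortcut"], "target": e["target"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ENTRIES):
        print(f["shortcut"], "->", f["target"])
        for r in f["reasons"]:
            print("   ", r)
```

Run against the sample, the two OneDrive/OneNote entries pass and the two dropped binaries are flagged, each for two independent reasons. A single reason is worth a look; two or more on the same shortcut is the profile the report describes, and the target file is the artifact to pull for analysis (the UPX packing mentioned above is itself a quick triage signal).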

16. March 20, U.S. Department of Justice – (California; National) Two southern California men plead guilty for their roles in a nationwide breach of credit and debit card terminals at Michaels Stores Inc. Two southern California men pleaded guilty March 20 for their roles in a scheme to defraud nearly 1,000 debit card holders by using stolen bank account information to withdraw money from ATMs, the U.S. Department of Justice and the Secret Service announced. The men were each charged with one count of conspiracy to commit bank fraud, one count of bank fraud, and one count of aggravated identity theft. The pair admitted that in about July 2011 they participated in a scheme to defraud bank account holders and financial institutions by obtaining 952 stolen bank cards and traveling to California to withdraw as much money as possible from ATMs using the stolen accounts. The information charges that these stolen cards were linked to a 2011 theft of a reported 94,000 debit and credit card account numbers from customers buying goods at 84 Michaels Stores Inc. across the United States. The perpetrators of that security breach replaced about 84 authentic personal identification number pads, used by the stores to process debit and credit card purchases, with fraudulent pads from which they downloaded customers’ banking information. After this breach, financial institutions reported tens of thousands of incidents of fraudulent activity linked to customers who had visited the affected Michaels stores. Source:

17. March 20, Richmond Times-Dispatch – (Virginia) Man pleads guilty in real estate investment scam. The owner of a now-defunct Henrico County, Virginia real estate investment company admitted to charges of conspiracy to commit mail fraud in a plea agreement March 20 in U.S. district court. He faces a maximum of 5 years in prison, a fine of $250,000, and 3 years of supervised release. The defendant, who ran Old Dominion Financial Services, acted in collusion with an accomplice, who is serving 10 years and 1 month in prison for running a real estate Ponzi scheme. About 80 Old Dominion victims lost $8.6 million, court records show. The pair, through their companies, solicited money from people in the Richmond area to invest in real estate. The Old Dominion owner funneled money from his investors to the accomplice, a former Henrico police officer, who ran Capital Funding & Consulting. The money was supposed to be used to buy and renovate fixer uppers and rent or flip the properties at a profit. In most cases, the work was never done. At least 136 people, mostly in the Richmond area, who invested through the two companies lost $15.2 million in the scam, prosecutors say. Source:

For another story, see item 40 below in the Information Technology Sector

Information Technology

36. March 21, H Security – (International) Joomla! 2.5 update fixes security vulnerabilities. The Joomla! project released version 2.5.3 of its open source content management system. This is a security update that addresses two “High Priority” vulnerabilities. The first of these is caused by an unspecified programming error that could have allowed a malicious user to gain escalated privileges. The other hole is an error in random number generation when resetting passwords that could be exploited by an attacker to change a user’s password. Versions 2.5.0 to 2.5.2 as well as all 1.7.x and 1.6.x releases are affected. Source:
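Item 36 describes the class of bug without its specifics: a password-reset token produced by a random number generator an attacker can reproduce. The following is an added illustration written for this digest, not Joomla’s code and not a description of its actual defect. It assumes, for the sake of the demonstration, a token generator seeded with the Unix timestamp of the reset request (a low-entropy seed the attacker can estimate), and contrasts it with a token from the operating system’s CSPRNG.

```python
"""Weak (time-seeded) versus strong (CSPRNG) password-reset tokens.

Added example; the weak generator is a hypothetical model of the bug class in
item 36, not Joomla's implementation. The timestamp is constructed.
"""
import hmac
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
TOKEN_LEN = 32


def weak_reset_token(request_time: int) -> str:
    """Token from a deterministic PRNG seeded with the request timestamp (assumed low-entropy seed)."""
    rng = random.Random(request_time)
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LEN))


def strong_reset_token() -> str:
    """Token from the OS CSPRNG: 192 bits that no public value lets an attacker reproduce."""
    return secrets.token_urlsafe(24)


def attacker_candidates(approx_time: int, window: int) -> set:
    """The attacker requests a reset for the victim's account, so they know roughly
    when the token was generated; enumerate every token the weak generator could
    have produced within +/- window seconds of that estimate."""
    return {weak_reset_token(t) for t in range(approx_time - window, approx_time + window + 1)}


def attack_succeeds(issued_token: str, approx_time: int, window: int = 30) -> bool:
    """True if the issued token is among the attacker's candidates (i.e. guessable)."""
    return issued_token in attacker_candidates(approx_time, window)


def verify_token(submitted: str, stored: str) -> bool:
    """Constant-time comparison so the reset endpoint does not leak how many leading
    characters of a guess were right."""
    return hmac.compare_digest(submitted.encode(), stored.encode())


def demo() -> dict:
    request_time = 1332374400            # constructed: a March 2012 Unix timestamp
    attacker_estimate = request_time + 7  # attacker's clock is off by a few seconds
    weak = weak_reset_token(request_time)
    strong = strong_reset_token()
    return {
        "weak_guessable": attack_succeeds(weak, attacker_estimate),
        "strong_guessable": attack_succeeds(strong, attacker_estimate),
        "candidates_tried": 2 * 30 + 1,
    }


if __name__ == "__main__":
    print(demo())
```

With a 30-second window the attacker tries 61 tokens and hits the weak one every time; widening the window to an hour still only costs a few thousand requests, which is why rate limiting alone does not rescue a predictable generator. The fix is the source of randomness (a CSPRNG), with constant-time comparison on the verifying side as a second, independent safeguard.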

37. March 21, Threatpost – (International) Firefox users to get secure Google search by default. Mozilla has made a small but important change to the way its Firefox browser handles search queries directed to Google, making the search provider’s encrypted search service the default option. The modification is not in the stable version of Firefox yet, but users who download the daily beta builds can access it now. The switch to using HTTPS for search by default is a major step forward for Mozilla in terms of protecting the privacy of users’ search queries and results. Google has had an option for encrypted search for some time, and the company made secure search the default choice for users who are logged in to their Google accounts in October 2011. However, Google has not made that option the default for its Chrome browser. With the change in Firefox, users of Mozilla’s browser now have an extra layer of protection for their search queries, something that is becoming increasingly important in the age of surveillance, targeted ads, and data sale. Source:

38. March 21, Softpedia – (International) Researcher finds code execution flaw in Google Earth. A code execution vulnerability was identified by a Georgian security researcher in Google Earth. He showed how a local attacker could leverage a security hole to execute a piece of malicious code. The flaw can be reproduced by opening the program and clicking on the Placemark button. Instead of a legitimate Place parameter, an arbitrary code can be inserted and run. A proof-of-concept shows how a hacker could run a piece of code or open a Web site. Since the issue affects all versions of Google Earth, the vendor was notified. Source:

39. March 20, Threatpost – (International) Exploit for MS12-020 RDP bug moves to Metasploit. As the inquiry into who leaked the proof-of-concept exploit code for the MS12-020 RDP flaw continues, organizations that have not patched their machines yet have a new motivation to do so: A Metasploit module for the vulnerability is now available. The availability of a Metasploit module is typically a good indicator that attacks are about to ramp up. The exploit in Metasploit, like the one that has been circulating online, causes a denial-of-service condition on vulnerable machines. Researchers have been working on developing a working remote code execution exploit for the bug, but none has surfaced publicly yet. Source:

40. March 20, H Security – (International) Address spoofing vulnerability in iOS’s Safari. Through a vulnerability in WebKit in the mobile version of Safari, an attacker could manipulate the address bar in the browser and lead the user to a malicious site with a fake URL showing above it. A security researcher published an advisory that explains the problem. Incorrect handling of the URL when the JavaScript method “” is used allows an attacker to “own” HTML and JavaScript code in the new window and, in turn, change the address bar. Fraudsters could use the vulnerability for phishing attacks by sending users to pages that appear to be their bank and asking for account data. The vulnerability affects WebKit 534.46 in the latest iOS version 5.1, though earlier versions of iOS may also exhibit the problem. Users of third party browsers based on WebKit on iOS could also be vulnerable to the address spoofing. The researcher informed Apple of the problem in early March. Source:

41. March 20, Ars Technica – (International) Data breaches increasingly caused by hacks, malicious attacks. A new study of data breaches found criminal and malicious attacks accounted for 37 percent of corporate data breaches in 2011, a 6 percent rise from 2010. The study, performed by Ponemon Institute and sponsored by Symantec, also found that these attacks were much more costly to companies than breaches caused by software or hardware failures or by internal negligence. More than two-thirds of malicious attacks were achieved through some sort of electronic exploit — only 28 percent involved the physical theft of data storage devices. The study also found that 33 percent of criminal and malicious breaches involved insiders. Source:

42. March 20, Wireless Week – (International) Report: In-app ads pose significant security risk. Researchers from North Carolina State University found that in-app advertisements pose privacy and security risks. In a recent study of 100,000 apps in the Google Play market, researchers noticed that more than half contained so-called ad libraries. And 297 of the apps included aggressive ad libraries that were enabled to download and run code from remote servers, which the researchers said raise significant privacy and security concerns. An assistant professor of computer science at the university and co-author of a paper describing the work, said in a statement that running code downloaded from the Internet is problematic because the code could be anything. “For example, it could potentially launch a ‘root exploit’ attack to take control of your phone, as demonstrated in a recently discovered piece of Android malware called RootSmart,” he wrote. Source:

For more stories, see items 13 above in Top Stories, 15 and 16 above in the Banking and Finance Sector and 43 below in the Communications Sector

Communications Sector

43. March 21, Wireless Week – (National) Virgin Mobile USA hit by national data, SMS outage. Virgin Mobile USA was recovering March 21 from a national outage that left customers across the country without data or text messaging service. The network problems were confirmed by the prepaid provider in posts on its Twitter and Facebook accounts the afternoon of March 20. “We are currently experiencing a national data & text messaging outage,” the company said on its Facebook page. A company spokeswoman said March 21 that the interruption in service has since been resolved and the problem stemmed from one of its servers. “We did have some issues related to a server,” she said. “In most cases, it required customers to remove their battery and restart device.” Virgin Mobile is one of Sprint’s prepaid brands, and runs its voice, data, and SMS service on Sprint’s CDMA EV-DO network. Neither Sprint nor its prepaid brand Boost Mobile has reported any issues. However, Assurance Wireless, another Sprint brand operated by Virgin Mobile, told a customer on its Facebook page who was having problems with text service that “we were experiencing a 3G/MMS/SMS outage yesterday.” Source:

For another story, see item 42 above in the Information Technology Sector