Friday, March 30, 2012

Complete DHS Daily Report for March 30, 2012

Daily Report

Top Stories

• The former superintendent of a southern West Virginia mine where an explosion killed 29 workers pleaded guilty March 29 to a federal fraud charge. Prosecutors said he manipulated the mine ventilation system during inspections, and he disabled a methane monitor a few months before the fatal explosion. – Associated Press

1. March 29, Associated Press – (West Virginia) Ex-super pleads guilty in W.Va. mine blast case. The former superintendent of a southern West Virginia mine where an explosion killed 29 workers pleaded guilty March 29 to a federal fraud charge. The highest-ranking Massey Energy official charged in connection with the blast faces up to 5 years in prison when sentenced August 9. Prosecutors said the man manipulated the mine ventilation system during inspections to fool safety officials, and disabled a methane monitor on a cutting machine a few months before the explosion April 5, 2010. It was not clear from court papers whether the device was ever fixed. Prosecutors accused Massey of violating many safety laws out of a desire to put production and profits first. Three investigations concluded the firm allowed highly explosive methane and coal dust to build up inside the mine, where it was ignited by a spark from an improperly maintained piece of cutting equipment. Clogged and broken water sprayers then allowed what could have been just a flare-up to become an epic blast, the investigations found. Source:

• A special agent in charge of Homeland Security investigations warned counterfeit airbags were being sold in the Detroit market and could cause injuries in the event of deployment. – WDIV 4 Detroit

9. March 28, WDIV 4 Detroit – (Michigan) Homeland Security warns counterfeit airbags being sold in Metro Detroit. A special agent in charge of Homeland Security investigations in Michigan and Ohio warned that counterfeit airbags are being sold in the Detroit market and could cause injuries in the event of deployment. “The bag literally explodes, sending shrapnel and dangerous items into the passenger,” he said. Many of the faulty airbags can be bought online for a few hundred dollars, while a real airbag is priced closer to $1,000. The counterfeits either do not deflate when they need to, or they deflate or inflate with such force that the parts become projectiles. Source:

• The head of the National Security Agency and Cyber Command told a U.S. Senate panel that China stole a great deal of the U.S. military’s intellectual property from defense contractors. – CNET News (See item 10)

10. March 28, CNET News – (International) China nabbing ‘great deal’ of U.S. military secrets. Testifying before the U.S. Senate Armed Services Committee March 27, the head of the National Security Agency (NSA) and Cyber Command said China is stealing a “great deal” of the U.S. military’s intellectual property, adding that the NSA sees “thefts from defense industrial base companies.” He confirmed speculation that China was behind 2011’s attacks on RSA. Those attacks proved extremely troublesome for U.S. defense contractors. In 2011, Chinese hackers allegedly stole data related to RSA’s SecurID two-factor authentication devices. Soon after, that information was used to break through security safeguards at defense contractors Lockheed Martin, L-3 Communications, and Northrop Grumman. Source:

• Four U.S. Navy employees and three defense contractors pleaded guilty to a scheme that involved awarding millions of dollars in aircraft maintenance contracts in exchange for bribes. – Associated Press (See item 11)

11. March 28, Associated Press – (California) Navy employees, contractors plead guilty to fraud involving $1 million in bribes in Calif. Four U.S. Navy employees and three defense contractors working near San Diego pleaded guilty to participating in a wide-ranging corruption scheme in which the contractors won millions of dollars in military orders after offering officials massage chairs, bicycles, flat screen TVs, and other bribes, federal officials announced March 28. The civilian employees who worked for a Navy aircraft maintenance program accepted a total of more than $1 million in bribes, a U.S. attorney said. It was unclear if the scheme put national security or military operations at risk. An assistant U.S. attorney said the Navy employees worked for a program tasked with ensuring aircraft were combat ready at the Naval Air Station North Island in Coronado, near San Diego. The four Navy employees worked for the Navy’s Fleet Readiness Center and were assigned to maintaining the Navy’s Grumman E-2 Hawkeye, an early warning aircraft, and the C-2 Greyhound, a derivative of the E-2 that has a widened fuselage with a rear loading ramp. Officials said the Defense Department paid more than $5.5 million in connection with fraudulent invoices submitted by the three defense contractors. Source:

• Firefighters rescued two people who passed through an unlocked gate and scaled several fences to break into a pump house at a water treatment plant in Sacramento, California. – KOVR 13 Sacramento (See item 33)

33. March 28, KOVR 13 Sacramento – (California) Two rescued from pump house near Sac State. A man and a woman who broke into a pump house on the American River near the Sacramento State campus in Sacramento, California, were rescued by fire personnel March 27 and the man was arrested. Sacramento firefighters were dispatched to the pump house after two people became trapped inside after scaling several fences to access the five-story building connected to the Fairbairn Water Treatment Plant. The woman apparently fell into a suction pool inside the pump house and the man was unable to get her out. The woman was taken to a hospital after suffering from hypothermia, and a warrant request for trespassing was submitted for her arrest, according to police. Fire officials said the two appeared to be intoxicated. The water treatment plant has had several security upgrades because water treatment facilities were classified as potential terrorist targets after the September 11th attacks. Firefighters said they walked in through an unlocked gate, but city officials would not say how they got inside and did not comment on security at the facility. Source:


Banking and Finance Sector

12. March 29, Empire State News – (New York) Stolen credit card information used to purchase $100,000 worth of E-ZPass tags. Charges were filed March 28 in New York against two defendants for engaging in a $6 million Internet-based credit card fraud scheme. As part of their scheme, the defendants used stolen credit cards to purchase $100,000 worth of E-ZPass tags and credits, which they then re-sold. They also caused fraudulent charges to be made on stolen credit and debit cards and created a bogus Web site that lured customers into purchasing products that they never received. In total, the pair compromised more than 1,400 credit and debit cards, attempting to charge more than $6 million to these accounts. Both suspects were arrested March 28 at their home in Brooklyn. Source:

13. March 29, Forest Hills Patch – (New York) Alleged Queens Blvd. bandit arrested. Police in the Queens borough of New York City have announced the arrest of a suspect wanted in connection with five bank robberies, three of which happened on Queens Boulevard, the Forest Hills Patch reported March 29. The suspect was arrested and charged with five counts of robbery for his alleged role in a February crime spree that struck four Chase Bank branches and one Capital One Bank. Police have been seeking a suspect since the first incident February 3. Every incident was similar, with the suspect handing a note to the teller then fleeing, with or without cash. Source:

14. March 28, U.S. Department of the Treasury – (International) Treasury announces additional sanctions against Iranian engineering and shipping firms. The U.S. Department of the Treasury announced March 28 additional sanctions against two entities connected to the network of the Islamic Revolutionary Guard Corps (IRGC) and two individuals and two entities affiliated with Iran’s national maritime carrier, the Islamic Republic of Iran Shipping Lines (IRISL). Pursuant to Executive Order 13382 Treasury designated several entities. The order is aimed at freezing the assets of proliferators of weapons of mass destruction and their supporters and thereby isolating them from U.S. financial and commercial systems. Entities designated by Treasury include: Iran Maritime Industrial Company SADRA (SADRA), an entity owned by the IRGC; Deep Offshore Technology PJS, a subsidiary of SADRA; Malship Shipping Agency Ltd., an IRISL affiliate; and Modality Limited, an IRISL affiliate. Source:

15. March 28, West Hawaii Today – (Hawaii) HCFCU admits member information breached. Hawaii Community Federal Credit Union employees improperly accessed the names, addresses, and last four digits of Social Security numbers (SSNs) of “several hundred” Hawaii Community Federal Credit Union members, the credit union’s president said March 27. The data breach happened nearly a year ago. The credit union did not notify members until the week of March 26, while an attorney conducted an investigation, the president said. The credit union posted a letter on its Web site March 23, and mailed it to credit union members late the week of March 19, informing them of the data breach, which the president said happened in April 2011. The credit union has about 40,000 members. Fewer than 500 had their account information accessed, the president said. He said account information and full SSNs were not accessed. A credit union member filed a complaint in 2011 after becoming suspicious. The president said a “handful” of employees were involved in the breach. Disciplinary actions were “up to and including termination,” he added. Information from the investigation has been forwarded to federal authorities, he said. Credit union employees will go through new training to reinforce policies that bar accessing member data. Officials are also reviewing policies and procedures, the president said. Credit union employees will also be able to anonymously report suspicions they have about co-workers who may be improperly accessing information via a new Web site, he added. Source:

16. March 28, U.S. Department of Justice – (National) Justice Department sues national tax preparation firm and franchisees to stop alleged pervasive tax fraud. The United States has filed civil injunction lawsuits in five cities seeking to shut down both the company that operates Instant Tax Service (ITS) as well as five owners of ITS franchises, the Justice Department (DOJ) announced March 28. The government’s complaint accuses ITS Financial and its owner of deliberately ignoring systemic and pervasive fraud by ITS franchisees. The complaints allege franchisees across the country intentionally prepare and file fraudulent tax returns to maximize refunds. They do this so ITS Financial and its franchisees can extract large tax preparation fees and charges. The government claims the fees are outrageously high and are often not disclosed. The franchisees named in the complaints allegedly invent phony businesses, fabricate deductions, falsify filing statuses, claim bogus dependents, and disregard rules for claiming the earned income tax credit. The DOJ alleges ITS employees at these franchises have little tax preparation experience, and that the franchise owners encourage them to prepare fraudulent tax returns. The complaint against ITS Financial states that the estimated tax losses from allegedly fraudulent return preparation in 2011 at ITS locations in St. Louis, the Kansas City area, Chicago, Indianapolis, and Las Vegas exceed $16 million. Source:

17. March 28, U.S. Department of Justice – (Texas) Justice Department seeks to shut down Texas tax return preparer. The United States has sued a tax preparer, seeking to bar him from preparing any federal tax returns for others, the Justice Department announced March 28. The civil injunction suit alleges the DeSoto, Texas man claimed fraudulent deductions and expenses on his customers’ tax returns. He allegedly claimed fake mortgage interest deductions, illegally deducted Social Security taxes as state and local taxes, and fabricated employee business expenses, among other fraudulent items, on his customers’ returns. According to the complaint, the harm to the United States from the preparer’s misconduct could be $7.8 million or more. Source:

18. March 28, Fort Worth Star-Telegram – (Texas) Ex-Bank of America branch manager pleads guilty to fraud. A former Bank of America branch manager in River Oaks, Texas, accused of stealing more than $2 million from customers’ accounts over a 9-year period pleaded guilty March 28 in federal court to one count of bank fraud. She faces anywhere from probation to 30 years in prison and could be ordered to pay a $1 million fine and restitution. Prosecutors allege the former manager used the money she stole for personal expenses, including vacations, clothing, jewelry, and land purchases. According to court documents, the woman was hired at the River Oaks branch in 1996, and was later promoted to personal banker, then assistant branch manager and finally branch bank manager. Her positions gave her full access to customers’ bank accounts. Beginning around 2002 until April 2011, she withdrew cash from customers’ bank accounts, sometimes forging signatures on withdrawal slips. She would inform tellers that she was withdrawing cash for the customer, sometimes lying by saying the customer was waiting inside her office. Prosecutors said she avoided having to fill out mandatory bank reports by never withdrawing more than $10,000 per transaction. She targeted customers with whom she had had a longstanding relationship, knowing they would likely report any uncovered improper transactions directly to her. She would then refund their accounts with money stolen from other customers’ accounts. Court documents state she prevented bank statements from being sent to customers’ home by entering codes into the bank’s data system indicating the customers’ addresses were unknown. Source:

19. March 28, Portland Oregonian – (Michigan; National) Portland man ordered to pay back profits from fraudulent investment schemes. A man has been ordered to return profits made from activities that resulted in a series of securities law violations, including his role in a Ponzi scheme that raised $72.6 million from 3,000 investors, the Portland Oregonian reported March 28. A federal judge in Michigan ordered the man to repay investors $4.1 million and to pay a $100,000 civil fine. According to the U.S. Securities and Exchange Commission (SEC), the man had promoted himself on his Web site as a trustworthy investment reviewer since 1997. He recommended some business opportunities, did not recommend others, and warned visitors how to spot and avoid a scam. Starting in 2006, the SEC alleged he promoted a series of fraudulent schemes, including the Ponzi scheme orchestrated by a Swartz Creek, Michigan man, who paid the defendant $3.8 million for his participation. He promoted other schemes and guaranteed large returns, but had no basis for the claim, the SEC said. Source:

20. March 27, Federal Bureau of Investigation – (National) FBI releases bank crime statistics for third quarter of 2011. During the third quarter of 2011, there were 1,094 reported violations of the Federal Bank Robbery and Incidental Crimes Statute, a decrease from the 1,325 reported violations in the same quarter of 2010, according to statistics released March 27 by the FBI. There were 1,081 robberies, 11 burglaries, 2 larcenies, and 1 extortion of a financial institution reported between July 1, 2011 and September 30, 2011. These statistics were recorded as of October 28, 2011. Source:

Information Technology

40. March 29, H Security – (International) Chrome 18 improves graphics performance, closes security holes. Google released version 18 of Chrome. The new Stable channel release, labelled 18.0.1025.142, closes nine security holes, of which three are rated as “High severity.” These include high-risk use-after-free errors in SVG clipping, an off-by-one problem in OpenType Sanitizer, and memory corruption bugs in Skia. Other closed holes include five medium-severity problems such as out-of-bounds reads in SVG text and text fragment handling, a cross-site scripting bug, a SPDY proxy certificate checking error, and an invalid read in the V8 JavaScript engine. A low-severity bug used by the hacker “Pinkie Pie” during the Pwn2Own competition at CanSecWest was also closed. A Google employee said some of the fixes “represent the start of hardening measures based on study of the exploits submitted to the Pwnium competition.” Source:

41. March 29, The Register – (International) Kelihos zombies erupt from mass graves after botnet massacre. Security researchers warned that the Kelihos botnet, the target of a takedown March 28, is still active. Experts not involved in the operation said the miscreants behind the network of compromised Windows computers are working on their comeback. The zombie PC army was taken offline in September 2011, they said, yet later resurfaced. Seculert reports Kelihos-B, which was distributed as a Facebook worm over recent weeks, is still active and spreading — even after the shutdown attempt by CrowdStrike and Kaspersky Labs March 28. Seculert views this botnet as the undead remnants of Kelihos-B rather than the spawn of a new variant of the malware. The findings suggest sink-holing 109,000 backdoored machines infected with the spam-spewing and credential-stealing Kelihos trojan may not have disabled the entire bot network. Source:

42. March 28, eWeek – (International) iPhone passcodes can be cracked as quickly as XRY. The four-digit password on Apple’s iPhone is no match for Micro Systemation’s XRY application, according to experts. The password on the popular smartphone can probably keep a regular person who finds the device from breaking into it. However, the software from the Swedish company, which it sells to law enforcement agencies, can crack the code on an iPhone or a smartphone running Google’s Android mobile operating system within minutes. XRY essentially jailbreaks the device in the same manner that regular jailbreakers do. It then runs every combination of four-digit passcodes until it hits the right one. Once that happens, all the data on the phone can be accessed, according to the company. Source:

43. March 28, SecurityWeek – (International) Attackers using Taidoor trojan to target think tanks and US-Taiwan interests. In 2008, the Taidoor trojan made its first appearance on the Web. It started by attacking government agencies, but the group behind it expanded their reach by targeting a wide range of victims. Now, based on research from Symantec, it appears the group running Taidoor is interested in think tanks, especially those focused on Taiwan. While Taidoor started out by targeting governments, between 2009 and 2010 the malware shifted gears. Government victims were counted alongside those in the media, financial, telecom, and manufacturing sectors. The length of the attack, almost 4 years now, shows the group responsible for Taidoor is persistent if nothing else. Based on the collected data, Symantec said that since May 2011 there has been a substantial increase in activity. The malware’s current targets are primarily private industry and international think tanks with a direct involvement in United States and Taiwanese affairs. Facilities in the services sector these organizations may use are also targeted. Source:

44. March 28, Dark Reading – (International) Cybercriminals’ love affair with Havij spells SQL injection trouble. Today’s exponential increase in attack volume and complexity can largely be attributed to cybercriminals working smarter with powerful, automated tools. In the database-cracking world, Havij stands as one of the most popular of these tools, and as such it should be on the radar of any security professional seeking to prevent costly data breaches within their environments. “If you’re talking about databases and the tools that are used to perform SQL injection, Havij is one of the most common,” a senior security strategist at Imperva said. Havij was developed by Iranian hackers in the spring of 2010. The tool has so captured the hearts and minds of the black hat community that groups like Anonymous frequently train on how to wreak havoc using it, said the chief technology officer at Application Security, Inc. Favored by hacktivists and financially motivated attackers, Havij automates criminals’ SQL injection attacks by automatically detecting the database behind a targeted Web site, detecting whether it uses a string or integer parameter type, and testing different injection syntaxes. Unlike a lot of penetration tools, Havij can not only point to potential vulnerabilities, it can also carry out data extraction and harvesting. Source:
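The item above notes that such tools first work out whether a parameter is a string or an integer, because the injection syntax differs. The following added example (not code from the article, Imperva or Application Security) uses a constructed in-memory SQLite table to show why that distinction matters for string-built SQL, and how parameterized queries close both cases at once.

```python
import sqlite3

# Constructed sample data (not from the article): a small catalogue table
# where the third row stands in for data a Web site never meant to expose.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, visibility TEXT);
        INSERT INTO products VALUES (1, 'widget',   'public');
        INSERT INTO products VALUES (2, 'gadget',   'public');
        INSERT INTO products VALUES (3, 'internal', 'restricted');
    """)
    return conn

def vulnerable_by_id(conn, product_id):
    # Integer parameter spliced straight into the SQL: no quotes surround it,
    # so appended SQL is parsed as part of the WHERE clause.
    sql = f"SELECT name FROM products WHERE id = {product_id} ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def vulnerable_by_name(conn, name):
    # String parameter spliced inside single quotes: injected text only takes
    # effect if it first closes the quote, a different syntax from the case above.
    sql = f"SELECT name FROM products WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]

def safe_by_id(conn, product_id):
    # Hardened form: enforce the integer type, then bind the value. Input that
    # is not an integer is rejected instead of being interpreted as SQL.
    try:
        pid = int(product_id)
    except (TypeError, ValueError):
        return []
    rows = conn.execute("SELECT name FROM products WHERE id = ? ORDER BY id", (pid,))
    return [row[0] for row in rows]

def safe_by_name(conn, name):
    # Hardened form: the bound value is always treated as data, quotes included.
    rows = conn.execute("SELECT name FROM products WHERE name = ? ORDER BY id", (name,))
    return [row[0] for row in rows]

if __name__ == "__main__":
    db = make_db()
    for label, fn, arg in [
        ("vulnerable integer", vulnerable_by_id,   "1 OR 1=1"),
        ("vulnerable string",  vulnerable_by_name, "' OR '1'='1"),
        ("parameterized integer", safe_by_id,      "1 OR 1=1"),
        ("parameterized string",  safe_by_name,    "' OR '1'='1"),
    ]:
        print(f"{label:24s} -> {fn(db, arg)}")
```

The two vulnerable functions each return every row, the restricted one included, while the parameterized versions return nothing for the same inputs.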

45. March 28, Computerworld – (International) Duqu malware resurfaces after four-month holiday. Duqu is back, security researchers said March 28. After a several-month sabbatical, the Duqu makers recompiled one of the trojan’s components in late February, said the manager of operations at Symantec’s security response team. The system driver, which is installed by the malware’s dropper agent, is responsible for decrypting the rest of the already-downloaded package, then loading those pieces into the PC’s memory. Symantec captured a single sample of the driver, which was compiled February 23, 2012. Before that, the last time the Duqu gang updated the driver was October 17, 2011. Duqu has been characterized by Symantec and others as a possible precursor to the next Stuxnet, the ultra-sophisticated worm that sabotaged Iran’s nuclear fuel enrichment program by crippling critical gas centrifuges. The Symantec manager said the functionality of the new driver was “more or less the same” as earlier versions, including the one spotted October 2011 and another from late 2010 that later surfaced. March 27, the leader of Kaspersky’s global research and analysis team said the Duqu driver was probably modified to evade security software and Duqu detection programs. Source:

46. March 27, U.S. Federal Trade Commission – (International) FTC charges that security flaws in RockYou game site exposed 32 million email addresses and passwords. The operator of a social game site agreed to settle charges that, while touting its security features, it failed to protect the privacy of its users, allowing hackers to access the personal information of 32 million users. The Federal Trade Commission (FTC) also alleged in its complaint against RockYou that the company violated the Children’s Online Privacy Protection Act Rule (COPPA Rule) in collecting information from about 179,000 children. The proposed FTC settlement order with the company bars future deceptive claims by the company regarding privacy and data security, requires it to implement and maintain a data security program, bars future violations of the COPPA Rule, and requires it to pay a $250,000 civil penalty to settle the COPPA charges. Source:

For more stories, see item 10 above in Top Stories and items 47 and 48 below in the Communications Sector

Communications Sector

47. March 28, CSO – (International) Operation Global Blackout: Real danger or irrelevant? Will the hacker group Anonymous make good on its threat to take down the Internet March 31? Probably not. But it could slow it down, according to many security experts. It may depend in part on how unified Anonymous is about the attack. Anonymous threatened retaliation for the arrests of about 25 of its members in February, and is also focused on what its members believe is a continuing threat by Congress to censor the Internet through anti-piracy legislation. Anonymous is daring anyone to stop Operation Global Blackout — the group announced March 31 as the date of the attack, along with the method they intend to use — disabling the Domain Name Service (DNS) through distributed denial of service attacks on the root servers of the DNS with a tool called “ramp,” or “reflective amplification.” Even with the advance warning, a professor in the department of computing at the University of Surrey believes Anonymous could do some damage. In a piece for BBC, he said the top-level DNS systems are in different countries, are monitored by different organizations, and run on different technologies. He said Anonymous could bring a server down with ramp, in which an army of bots spoof the IP address of a target system and “cause the DNS to flood the very network it is supposed to be serving.” Source:

48. March 28, Biloxi Sun Herald – (Mississippi) Cut cable silences C Spire phone service. C Spire Wireless customers in south Mississippi lost service March 29 when a fiber-optic cable was cut. A C Spire Wireless spokesman said an independent third party was found to have cut an underground cable between Seminary and Hattiesburg, resulting in a service outage sometime before noon. Shortly before 4 p.m., he said service had been restored to virtually 100 percent of customers. He could not estimate how many customers lost service. “The primary impact was voice service, although we have gotten some scattered reports from some customers (saying) that they also couldn’t text,” he said. Source:

For more stories, see items 42 and 46 above in the Information Technology Sector