Monday, April 2, 2012

Complete DHS Daily Report for April 2, 2012

Daily Report

Top Stories

• An audit revealed that more than $7 million in taxpayer-purchased fuels for Los Angeles city vehicles has gone unaccounted for in recent years. – Los Angeles Times

2. March 30, Los Angeles Times – (California) L.A. officials were warned in 2009 of gaps in tracking of fuel. Los Angeles city officials were warned by auditors 3 years ago about gaps in the way the city tracks millions of gallons of taxpayer-purchased fuel. However, according to a new audit released March 29 by the city controller, not enough was done to fix the problems. The audit highlights that more than $7 million in gasoline and other fuels has gone unaccounted for in recent years. Each year, Los Angeles spends close to $29 million on 14 million gallons of gasoline, natural gas, and diesel fuel to run garbage trucks, helicopters, police cruisers, and other vehicles. Every transaction is supposed to be tracked, manually or electronically. However, there are ways to bypass tracking systems. Bypass mechanisms are supposed to be employed only when normal systems fail, but auditors found they were used to dispense millions of gallons of fuel over a 22-month period beginning in 2009. The unexplained transactions occurred despite a $12-million fuel-tracking system and accountability measures put in place after a 2009 audit. During the course of the 2009 audit, general services established a task force to address the fuel-tracking problems and develop the Web site. However, few departments actually monitor the online reports. With more oversight, an auditor said, the unexplained transactions might have been caught sooner. Source:

• Global Payments Inc, an Atlanta-based payments processor, was broken into by hackers, leaving more than 50,000 Visa and MasterCard accounts potentially compromised, according to news reports March 30. – Wired. See item 11 below in the Banking and Finance Sector

• Colorado authorities investigated problems with an emergency notification system March 30 because some residents who signed up never got a warning about a dangerous wildfire. Two people were killed in the fire and more than 900 homes were evacuated. – Associated Press

40. March 30, Associated Press – (Colorado) Colo. sheriff notes problems with fire warnings. Colorado authorities said March 30 they were investigating problems with an emergency notification system because some residents who signed up never got a warning about a wildfire March 26. A Jefferson County sheriff’s spokesman said that an unknown number of people who signed up were not called. The company that provides the system, FirstCall Network Inc., said everyone who signed up for the system did get a call. The company’s president said the county can determine which phones, if any, were not called by comparing phone numbers in the system with mapping and telephone data. He said FirstCall was working with county officials. Sheriff’s officials said a couple found dead in the fire zone got a call, as did a woman who remains missing, but it was not immediately clear when the calls came. About 500 firefighters were working March 30 to contain more of the 6-square-mile wildfire, which was apparently sparked by a state controlled burn that sprang to life because of strong winds. It had damaged or destroyed at least 25 homes, and March 30, crews had cleared lines around 45 percent of its 8.5 mile perimeter. Residents of about 180 homes remained evacuated March 30. At the height of the fire threat, residents of about 900 homes were told to flee. Source:

• Scrap metal thieves targeting fiber optic cables shut down 9-1-1 service in Ohio’s Appalachian region and left thousands of residents, banks, and other businesses without telephone and Internet services. – Associated Press. See item 48 below in the Communications Sector

Banking and Finance Sector

11. March 30, Wired – (International) Hackers breach credit card processor; 50K cards compromised. Global Payments Inc, an Atlanta-based payments processor, was broken into by hackers, leaving more than 50,000 card accounts potentially compromised, according to news reports March 30. The breach occurred sometime between January 21 and February 25 according to notices that Visa and MasterCard sent to banks recently. The extent of the breach and damages are still unknown, but it appears to be rather small based on initial reports from the Wall Street Journal and elsewhere. A notice sent by credit union service organization PSCU to its customers indicated Visa alerted it March 23 that 46,194 Visa accounts might have been compromised. However, that number was downgraded to just 26,000 after eliminating duplicate account numbers and cards with invalid expiration dates, according to the Journal. Only about 800 accounts are known to have had fraudulent activity on them so far, according to a security blogger who broke the story and reported that Track 1 and Track 2 data had been taken, making it easy for criminals to clone the cards and use them for fraudulent activity. The number of accounts showing fraudulent activity could rise, however, as the investigation continues. Source:

12. March 30, Aspen Daily News – (Colorado; National; International) Local credit-card fraud cases reach into the hundreds. The number of credit-card fraud cases reported to the Aspen, Colorado, Police Department (APD) surpassed 100 within a month’s time, and local law enforcement is now working with the Secret Service and the FBI to solve the crimes, the Aspen Daily News reported March 30. There are likely more instances than that, as many banking customers have not reported their cards being compromised to police or the sheriff’s office, the latter of which is reporting 20 active cases. In many instances, the bank informs customers their debit or credit-card numbers have been run in other cities across the country without their authorization; some have been charged outside the United States. In response, area banks have issued hundreds of new debit and credit cards. Several city employees’ purchasing cards have been compromised in the past month as well. The APD also is working with senior investigators at merchant service companies, which process credit and debit cards, to find a common thread to see where charges may have originated. Local police thus far have not been able to determine a connection between the cases, which appear to be originating from Aspen. Source:

13. March 30, WRAL 5 Raleigh – (North Carolina) Cary police arrest two men accused of using fake credit cards. Police in Cary, North Carolina, arrested two men March 29 at Cary Town Mall accused of using counterfeit credit cards to make purchases at various department stores over the last 3 weeks. Police said the pair admitted to using the fake credit cards to purchase clothing, electronics, and other items. Officers recovered more than 100 counterfeit cards in their possession. The men are charged with felony conspiracy, possession of a counterfeit instrument, obtaining property by false pretenses, and unlawfully obtaining credit cards. Source:

14. March 29, U.S. Department of Justice – (California) Federal court permanently bars San Diego accountant from preparing tax returns that understate income. A federal court has permanently barred a certified public accountant from San Diego from providing tax advice or preparing federal tax returns that illegally attempt to reduce customers’ taxable income, the Justice Department announced March 29. The order also bars him from providing tax advice to, or preparing the federal tax returns of, any individual or entity that he knows is a customer of his co-defendant. The government complaint in the case alleged the man worked with his co-defendant, a San Diego tax lawyer, to help clients evade income taxes and illegally circumvent pension plan rules. According to the civil injunction suit, the co-defendant promoted schemes that helped customers evade taxes through the use of bogus deductions, while the accountant prepared the customers’ tax returns. The government alleged that the Internal Revenue Service audited more than 1,000 tax returns as a result of the pair’s alleged tax schemes, and it estimated that the harm to the U.S. Treasury from the schemes exceeded $10.8 million. Source:

15. March 29, U.S. Department of Justice – (Indiana) Justice Department asks federal court to bar Indiana firm from preparing tax returns. The United States has asked a federal court to bar a tax preparation firm and its owner from preparing tax returns for others, the Justice Department announced March 29. According to the complaint, the owner’s business, Quick Sam Tax Refund of Gary, Indiana, has repeatedly prepared tax returns that unlawfully understate customers’ income tax liabilities by fabricating expenses, creating false losses, and claiming bogus dependents. According to the complaint, Quick Sam guarantees its customers they will receive the largest refund by getting their taxes prepared at Quick Sam. To deliver on this promise, the complaint alleges Quick Sam employees fabricate business expenses, claim improper tax credits, and report fictitious dependents to increase customers’ tax refunds illegally. The owner and Quick Sam allegedly give bonuses to employees for engaging in these fraudulent practices. The complaint said that over 96 percent of Quick Sam returns examined by the Internal Revenue Service (IRS) contained deficiencies requiring IRS adjustments. The complaint alleges the total harm to the government caused by the illegal conduct could exceed $35 million. The complaint also states that four former Quick Sam return preparers have recently pleaded guilty to tax-related crimes. Source:

16. March 28, U.S. Federal Trade Commission – (National) FTC takes action against bogus precious metals investment scheme. The U.S. Federal Trade Commission (FTC) has taken action to halt a telemarketing operation that allegedly took millions of dollars from senior citizens by conning them into buying precious metals on credit without clearly disclosing significant costs and risks, including the likelihood that consumers would subsequently have to pay more money or lose their investment, according to a March 28 press release. According to the FTC filing, the operation has taken in almost $9 million from consumers in the past 2 years. The court ordered a stop to the defendants’ allegedly deceptive practices pending a hearing, froze their assets, and appointed a receiver to oversee the business. The FTC charged that Premier Precious Metals Inc., Rushmore Consulting Group Inc., PPM Credit Inc., and the companies’ principal and owner promised consumers they could earn large profits quickly and safely by investing in precious metals. Allegedly using high-pressure sales tactics, telemarketers told consumers they were offering lucrative investments certain to earn consumers significant profits, with very little risk of loss. However, the leveraged investments were typically not profitable and carried a high risk of loss. As alleged in the FTC complaint, the defendants did not clearly disclose the total costs of investments, including the hefty fees, commission, and interest charges consumers had to pay to buy and maintain the investments. Source:

For another story, see item 48 below in the Communications Sector

Information Technology

42. March 30, H Security – (International) Cisco patch day fixes nine IOS vulnerabilities. As part of its twice-yearly patch day, Cisco published nine security advisories for its IOS network operating system. These advisories address many vulnerabilities, one of which (CVSS 8.5) could allow unauthorized remote users to gain administrative access via a privilege escalation exploit. The other eight advisories cover denial-of-service (DoS) vulnerabilities. Several bugs in Cisco’s IOS Zone-Based Firewall left it vulnerable to DoS attacks. Other issues involve DoS problems when initiating NAT sessions, during Internet Key Exchange, establishing reverse SSH sessions, performing traffic optimization, handling multicast source discovery, or while using IOS’s Smart Install feature. Source:

43. March 30, H Security – (International) Wireshark updates fix DoS vulnerabilities. The Wireshark development team released versions 1.4.12 and 1.6.6 of its open source network protocol analyzer; these are maintenance updates that focus on fixing bugs and closing security holes found in the previous builds. The updates to the cross-platform tool address several vulnerabilities that could be exploited by an attacker to cause a denial-of-service condition. These include a memory allocation flaw in the MP2T dissector that could cause it to allocate too much memory, a bug when trying to read ERF data using the pcap and pcap-ng file parsers, and a problem in the ANSI A dissector. To succeed, an attacker must inject a malformed packet onto the wire or convince a victim to read a malformed packet trace file. Versions 1.4.0 to 1.4.11 and 1.6.0 to 1.6.5 are affected; upgrading to the new releases corrects these problems. Another security bug affecting only the 1.6.x branch that could cause the IEEE 802.11 dissector to go into an infinite loop causing Wireshark to crash was also fixed. Source:

44. March 30, CNET News – (International) Turning in an old Xbox? Consider hard drive data, report says. Microsoft’s Xbox 360 might not be protecting user data after the console is restored to factory settings, according to a new report. In an interview with gaming blog Kotaku, a researcher at Drexel University in Philadelphia said when Xbox 360 owners trade in their consoles after restoring the device to factory settings, their personal data might be left open to malicious hackers. “Microsoft does a great job of protecting their proprietary information,” she told Kotaku. “But they don’t do a great job of protecting the user’s data.” She, along with other researchers at the university, bought a refurbished Xbox 360 in 2011. Soon after, they downloaded some modding software, took aim at the device’s hard drive, and eventually accessed the previous owner’s credit card information. Source:

45. March 29, IDG News Service – (International) Do-it-yourself plan to take down Sality botnet outlined on public mailing list. A method that anyone can use to hijack a massive multipurpose botnet called Sality was described in detail on a public mailing list March 27. Sality is a file-infecting virus that has been around for 9 years. More than 100,000 computers are infected with the malware and form a large peer-to-peer botnet used for various cybercriminal activities. An individual described how the Sality botnet can be destroyed or hijacked in an e-mail sent to the Full Disclosure mailing list. The e-mail’s author linked to a Python script that can be used to determine update URLs queried by the botnet and said a Sality removal utility developed by antivirus firm AVG could be hosted on one of them to be downloaded and executed by the infected computers. Sality updates are usually hosted on compromised Web sites, so to replace them with the removal utility, someone would have to hack into those Web sites, like the Sality creators did, or persuade owners to willingly host the tool. There is a chance the plan may work, although the result would be unpredictable because each computer can have software and hardware particularities that come into play when the botnet is instructed to do something, said the principal manager at Symantec Security Response. Furthermore, forcing botnet clients to download and execute the removal tool is illegal because it involves modifying software on other people’s computers without authorization. So the public availability of the takedown instructions is more likely to help cybercriminals who wish to hijack the botnet rather than legitimate researchers who want to disable it. Cybercriminals are probably already trying to use the information in the e-mail to their advantage, the Symantec researcher said. However, Symantec has not seen any changes in the botnet since the takedown plan was posted online. Source:

46. March 29, Dark Reading – (International) Bit9 sees a 150 percent increase in targeted domain controller attacks. March 28, Bit9 announced it saw a 150 percent increase in the number of attacks on domain controllers year-over-year. Attackers, largely nation states and cyber criminals, are targeting intellectual property on these servers — everything from chemical formulas and vaccines to military data, and reports on global economic conditions. Rather than directly attacking servers that house the data, the attackers are specifically targeting domain controllers to gain access to all systems within the company. Because domain controllers store authentication data for everyone at an organization, they have become highly strategic targets for cyber criminals intent on stealing business critical data and conducting protracted attacks. In less than 15 minutes, cyber criminals can break into domain controllers — also called Active Directory servers — to gain access to all user logins and passwords across an organization. While this information is typically encrypted, using new tools available on the Internet, often for free, cyber criminals can reverse engineer large stores of passwords and credentials within minutes. Source:

47. March 29, Softpedia – (International) Compromised OpenX ad servers lead users to malware. Sophos researchers discovered a number of OpenX ad servers were compromised and altered to redirect users to sites that push dangerous pieces of malware. Experts found that when the OpenX ad content is requested by the browser, an iframe is also loaded, executing a malicious JavaScript identified as Troj/JSRedir-EF. The iframe added by the script loads content from a traffic directing server (TDS), controlled by a group called BlackAdvertsPro, which appears to be specializing in compromising Web sites to direct traffic to their own TDS. This traffic can be worth a lot of money if sold to criminals who run exploit sites. In one instance, the traffic was routed to an exploit site that served scareware called Smart Fortress 2012 (Mal/ExpJS-AF) by exploiting Java vulnerabilities. The BlackAdvertsPro crew seems to be checking IP addresses to ensure each visitor is directed only once to the exploit sites. “This supports the theory that they are selling the traffic to others running the exploit sites. (Attackers have no interest in paying for the same machine getting redirected to their exploit site multiple times.)” a principal virus researcher said. Ad content poisoning is a very popular technique among cybercriminals because it allows them to control large amounts of traffic. As many administrators and security enthusiasts are aware, traffic, especially high volumes, has high value on the underground markets. Source:

For more stories, see items 48 and 50 below in the Communications Sector

Communications Sector

48. March 30, Associated Press – (Ohio) Southern Ohio loses 9-1-1, ATM, data service when thief steals fiber-optic cable. Scrap metal thieves targeting fiber optic cables shut down 9-1-1 service in Ohio’s Appalachian region and left thousands without telephone and Internet services. WBNS 10 Columbus reported four counties in southern Ohio were affected by the outage, which started late March 28 and lasted until the afternoon of March 29. Frontier Communications said fiber optic cables were cut and stolen, affecting 8,000 customers in Pike, Scioto, Jackson, and Lawrence counties at Ohio’s southern tip. Credit card readers and ATMs also were affected. Frontier Communications said state police are investigating. Source:

49. March 30, Aurora Beacon-News – (Illinois) Copper stolen from 3 Verizon cell towers. Large amounts of copper were stolen from three communication towers throughout Kendall County, Illinois, in March, according to reports March 29 from the Kendall County Sheriff’s Department and Oswego Police. Copper valued at $1,000 was stolen between March 3 and March 28 from a communications tower in Oswego, police said. Two other incidents occurred between March 15 and March 29. Silver-colored copper “busbars” valued at $4,000 were stolen from a communications tower and similar copper pieces, valued at $8,000, were stolen from a tower in Yorkville, the sheriff’s office said. All three towers are owned by Verizon Wireless. Source:

50. March 29, KOKI 23 Tulsa – (Oklahoma) AT&T service restored in Mayes County. An AT&T fiber optic cable was cut in Mayes County, Oklahoma, March 29, leaving almost 50,000 people in Green County without cell phone or Internet service. AT&T crews said a man was burying his trash off Highway 20 and 427 Road when his tractor cut through the fiber optic cable. The Mayes County 911 center had to route its calls through Rogers County’s 800 radio system, and then send them back to Mayes County dispatchers. By 8 p.m., crews had finished repairing the fiber optic line. Source: