Friday, April 6, 2012

Complete DHS Daily Report for April 6, 2012

Daily Report

Top Stories

• A U.S. attorney in Las Vegas announced April 4 that 13 California residents were indicted in Nevada in an identity theft scheme that federal prosecutors said included placing card skimming devices on bank lobby doors. – Associated Press. See item 11 below in the Banking and Finance Sector

• The Utah Department of Health said tens of thousands of Medicaid claims records were accessed by Internet hackers. The files could include client names, birth dates, and Social Security numbers. – KSL 5 Salt Lake City

23. April 4, KSL 5 Salt Lake City – (Utah) Hackers steal Utahns’ personal medical info, 24,000 Medicaid files. April 4, the Utah Department of Health (UDOH) advised Medicaid recipients to monitor their credit and financial accounts following a security breach of thousands of Medicaid claims records by Internet hackers. According to UDOH, the breach occurred March 30 as technicians from the Utah Department of Technology Services (DTS) were exchanging computer servers. Information from about 24,000 files stored on servers like the one that experienced the breach could include client names, addresses, birth dates, Social Security numbers, physicians’ names, national provider identifiers, addresses, tax identification numbers, and procedure codes designed for billing purposes. The DTS executive director said the newly installed server had “weaker controls” than the server it was exchanged for, creating a system vulnerability. The affected server has been shut down, and new security measures have since been implemented. Initial tracing of the downloaded information pointed to Eastern Europe, but officials acknowledged the hackers could be working from elsewhere. Source:

• The Los Angeles Police Department radio communications were down for half the day April 3. The communications breakdown caused a delayed response to emergencies and prevented officers from gaining immediate access to information. – Los Angeles Daily News

26. April 4, Los Angeles Daily News – (California) LAPD radio system fails for 12 hours. The Los Angeles Police Department (LAPD) radio communications were down for half the day April 3. A city councilman said he will call for the dismissal of the General Services Department general manager for the power outage at Mount Lee, where all LAPD radio communications equipment is housed. The city councilman said General Services crews were sent to the Mount Lee facility to test a backup generator. He said the test failed and knocked out all power at Mount Lee, shutting down radio communications, placing “the public and officers at extreme risk.” LAPD officials and the Mayor’s Office said backup systems were used that ultimately prevented any serious breakdowns in communication. According to the councilman, the communications breakdown meant a delayed response to emergencies, as 9-1-1 calls had to be answered manually with operators then calling stations to dispatch an officer. For officers, he said, the danger came in the form of an inability to get immediate access to information, such as a driver history based on license plates. Source:

• More than 600,000 Macs were infected with a new version of the Flashback trojan installed on computers due to Java exploits, security researchers from antivirus vendor Doctor Web said April 4. – IDG News Service. See item 28 below in the Information Technology Sector

• Researchers released two new exploits that attack common design vulnerabilities in a computer component used to control critical infrastructure around the world, Wired reported April 5. – Wired. See item 29 below in the Information Technology Sector


Banking and Finance Sector

6. April 5, Softpedia – (International) Fake BBB email helps fraudsters steal $100,000 from firm. In December 2011, the Better Business Bureau (BBB) issued an alert regarding malicious e-mails purporting to originate from the BBB, urging recipients to download an alleged complaint that in reality contained malware. There are already a number of victims, one of which lost $100,000, Softpedia reported April 5. According to the Internet Crime Complaint Center, the agency received over 40 complaints, one of which was from an organization that claims to have lost the large amount after the malware that came attached to the e-mail allowed the crooks to wire the money from the firm’s bank account. It turns out that this was possible because of a keylogger that installed itself on the system when the attachment was opened and executed. The piece of malware recorded the company’s banking password, giving the fraudsters the opportunity to transfer the money to their own accounts. Security experts found that some variants of the malicious notifications carry a link that redirects users to compromised WordPress sites that host the BlackHole Exploit Kit, which looks for vulnerabilities. Source:

7. April 5, Greenwich Patch – (Connecticut) Two charged for ATM-skimming schemes in Greenwich & Stamford. Two Romanian nationals were charged for their alleged roles in an ATM-skimming scheme based in Greenwich and Stamford, Connecticut, the U.S. attorney’s office announced April 4. The pair were indicted March 19 but have been in custody in New York since August 14, 2011. The two entered not guilty pleas regarding the charges that they and other co-conspirators attached ATM skimming devices at three JP Morgan Chase Bank locations in Greenwich and Stamford. They also placed pinhole cameras at the locations to record users’ personal information. The U.S. attorney’s office alleges the defendants compromised approximately $72,000 from more than 100 customers. They both face charges of conspiracy, bank fraud, and aggravated identity theft. Source:

8. April 4, Infosecurity – (National) IRS security dissing party continues. The U.S. Internal Revenue Service’s (IRS) Computer Security Incident Response Center (CSIRC), set up to monitor IRS networks, is failing to monitor 34 percent of the agency’s servers, according to a Treasury audit, Infosecurity reported April 4. In the audit released March 2012, the Treasury Inspector General for Tax Administration (TIGTA) found that, in addition to not monitoring all of the IRS servers, the CSIRC was not reporting all computer security incidents to the Treasury as required. Also, IRS computer incident response policies, plans, and procedures “are either nonexistent or are inaccurate and incomplete.” To remedy the center’s shortcomings, the TIGTA recommended the IRS’ assistant chief information officer for cybersecurity direct the CSIRC to develop its cybersecurity data warehouse capabilities to correlate and reconcile active servers connected to the IRS network with servers monitored by the host-based intrusion detection system; revise and expand the agreement with the TIGTA to ensure all reportable and relevant security incidents are shared with the CSIRC; collaborate with the TIGTA to create common identifiers to help the CSIRC reconcile its incident tracking system with TIGTA; develop a stand-alone incident response policy or update the policy in the IRS’s manual with current and complete information; develop an incident response plan; and develop, update, and formalize all critical standard operating procedures. Source:
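The audit finding above (34 percent of servers unmonitored) is the kind of gap the recommended reconciliation of active servers against host-based IDS coverage is meant to surface. The script below is an added illustration of that reconciliation, not the IRS’s or TIGTA’s tooling: both host lists are constructed sample data, and hostnames are joined on a normalized short name because inventories and agent consoles rarely agree on case or FQDN form.

```python
"""Reconcile an asset inventory against host-based IDS agent coverage.

Added example; the two host lists are constructed sample data, not real
inventory. Names deliberately vary in case and FQDN form to show why a
normalized join key is needed before the lists can be compared.
"""
from dataclasses import dataclass, field

# Constructed: servers seen active on the network (scan or CMDB export).
ACTIVE_SERVERS = [
    "db01.corp.example",
    "WEB01.corp.example",
    "web02",
    "mail01.corp.example",
    "fileshare03",
    "app04.corp.example",
]

# Constructed: hosts for which the HIDS console reports a live agent.
HIDS_MONITORED = [
    "db01",
    "web01.corp.example",
    "web02.corp.example",
    "legacy09",  # agent on a host missing from the inventory: also worth a look
]


def normalize(hostname: str) -> str:
    """Join key: lowercase short hostname with any domain suffix removed."""
    return hostname.strip().lower().split(".")[0]


@dataclass
class CoverageReport:
    unmonitored: list = field(default_factory=list)    # active, no HIDS agent
    unknown_agents: list = field(default_factory=list) # agent, not in inventory
    coverage_pct: float = 0.0


def reconcile(active, monitored) -> CoverageReport:
    """Compare the two lists and report gaps in both directions."""
    active_by_key = {normalize(h): h for h in active}
    monitored_keys = {normalize(h) for h in monitored}

    unmonitored = sorted(
        name for key, name in active_by_key.items() if key not in monitored_keys
    )
    unknown = sorted(key for key in monitored_keys if key not in active_by_key)

    covered = len(active_by_key) - len(unmonitored)
    pct = round(100.0 * covered / len(active_by_key), 1) if active_by_key else 0.0
    return CoverageReport(unmonitored, unknown, pct)


if __name__ == "__main__":
    report = reconcile(ACTIVE_SERVERS, HIDS_MONITORED)
    print(f"HIDS coverage: {report.coverage_pct}% of active servers")
    for host in report.unmonitored:
        print(f"  UNMONITORED  {host}")
    for host in report.unknown_agents:
        print(f"  NOT IN INVENTORY  {host}")
```

Both directions matter: hosts without an agent are the blind spots the audit describes, while agents on hosts absent from the inventory usually mean the inventory itself is stale, which is the "common identifiers" problem the audit raises separately.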

9. April 4, Reuters – (New York; National) CFTC orders JPMorgan to pay $20 million in Lehman case. The U.S. Commodity Futures Trading Commission (CFTC) said April 4 that JPMorgan Chase & Co will pay $20 million to settle charges that it unlawfully handled customer segregated funds at Lehman Brothers Holdings Inc. The action comes as the CFTC and other regulators continue to probe what happened to segregated customer funds in the October 2011 collapse of MF Global Holdings Ltd, a commodity trading firm that also did business with JPMorgan. In the Lehman case, the CFTC said that for about 22 months, ending with Lehman’s bankruptcy in September 2008, JPMorgan had improperly extended intra-day credit to Lehman Brothers based in part on customers’ segregated funds Lehman had deposited at the bank. JPMorgan also violated rules by refusing to release customers’ segregated funds for nearly 2 weeks after the bankruptcy, the CFTC said. Source:

10. April 4, South Florida Sun-Sentinel – (Florida) Broward woman pleads guilty in multimillion-dollar mortgage fraud. A woman pleaded guilty April 4 to her role in two mortgage fraud schemes, worth about $12 million, in Florida’s Broward and Palm Beach counties. She pleaded guilty to conspiring to commit wire fraud and four counts of wire fraud. She was the president of Direct Title & Escrow Services Inc. in Oakland Park. Prosecutors said she conspired with others to obtain high-value mortgages using fraudulent home loan applications and closing statements. Federal agents tracked her down in Jamaica after the fraud was discovered. Source:

11. April 4, Associated Press – (California; Nevada) 13 from Calif. indicted in Vegas ID skimming scam. Thirteen California residents were indicted in Nevada in an identity theft scheme that federal prosecutors said included placing card skimming devices on bank lobby doors. A U.S. attorney in Las Vegas announced April 4 that 11 people were arrested in California on a sealed indictment handed up by a grand jury March 13. Two additional people were being sought. The defendants could each face 13 years in federal prison if convicted of conspiracy and aggravated identity theft charges. The indictment alleges that from November 2009 to November 2011 the co-conspirators captured ATM, credit card, and identity information from internal electronics of doors allowing after-hours access to ATM lobbies at Chase Bank branches. The scheme also allegedly involved using pinhole cameras to capture customer ATM personal identification numbers. Source:

12. April 4, – (Alabama) Investigators still looking for source of bank dye packs found near Tuscaloosa Amphitheater. Authorities have not linked two bank dye packs found near the Tuscaloosa Amphitheater the week of March 26 to any known bank robberies, according to police in Tuscaloosa, Alabama. Investigators from the Tuscaloosa Police Department and FBI are looking into the source of the dye packs that were found March 29 on a path near the amphitheater, a police spokesman said. He added that no usable money or a bag was found with the dye packs, which are concealed explosive devices designed to mark stolen money with a bright dye. The dye packs will be sent to the manufacturer for safe deactivation, he said. Source:

Information Technology

28. April 5, IDG News Service – (International) Fast-growing Flashback botnet includes over 600,000 Macs, experts say. More than 600,000 Macs have been infected with a new version of the Flashback trojan being installed on people’s computers with the help of Java exploits, security researchers from antivirus vendor Doctor Web said April 4. Flashback is a family of Mac OS malware that appeared in September 2011. Older Flashback versions relied on social engineering tricks to infect computers, but the latest variants are distributed via Java exploits that do not require user interaction. April 3, Apple released a Java update in order to address a critical vulnerability being exploited to infect Mac computers with Flashback. However, a large number of users have already been affected by those attacks, Doctor Web said in a report issued April 4. The company’s researchers managed to hijack a part of the Flashback botnet through a method known as sinkholing, and counted unique identifiers belonging to more than 550,000 Mac OS X systems infected with the trojan. Over 300,000 of the Flashback-infected Macs, or 56 percent of the total, are located in the United States, while over 100,000 are located in Canada, Doctor Web said. The United Kingdom and Australia are next, with 68,000 and 32,000 infected Macs, respectively. The botnet is growing at a rapid rate. Hours after Doctor Web issued its report, one of the company’s malware analysts announced the botnet had grown to over 600,000 infected computers. He also said 274 Macs infected with the new Flashback variant were located in Cupertino, the U.S. city where Apple has its headquarters. Source:
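The sinkhole figures above come from counting unique bot identifiers in the beacons that reached the hijacked command-and-control domain, not from counting connections. The script below is an added example of that measurement, not Doctor Web’s code: the beacon log lines and their format (timestamp, source IP, country code, `id=` bot identifier) are constructed assumptions, and each bot is attributed to the country of its first beacon so that repeated check-ins never inflate the count.

```python
"""Count unique infections in constructed sinkhole beacon logs.

Added example; the log format "<timestamp> <src_ip> <cc> id=<bot_id>" and
the lines themselves are constructed, not a real sinkhole capture.
"""
import re
from collections import Counter

# Constructed sample: bot 0a1b beacons four times, others once or twice.
BEACON_LOG = """\
2012-04-04T10:00:01Z 203.0.113.5  US id=0a1b-01
2012-04-04T10:00:03Z 203.0.113.5  US id=0a1b-01
2012-04-04T10:00:07Z 198.51.100.9 US id=0a1b-02
2012-04-04T10:00:09Z 192.0.2.44   CA id=0a1b-04
2012-04-04T10:01:01Z 203.0.113.5  US id=0a1b-01
2012-04-04T10:01:05Z 198.51.100.2 US id=0a1b-03
2012-04-04T10:01:12Z 192.0.2.45   CA id=0a1b-05
2012-04-04T10:01:30Z 198.51.100.3 GB id=0a1b-06
2012-04-04T10:02:00Z 203.0.113.9  AU id=0a1b-07
2012-04-04T10:02:15Z 192.0.2.44   CA id=0a1b-04
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<cc>[A-Z]{2})\s+id=(?P<bot>[0-9a-f-]+)$"
)


def parse_beacons(log_text: str):
    """Yield one dict per well-formed beacon line; malformed lines are dropped."""
    for line in log_text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.groupdict()


def summarize(log_text: str) -> dict:
    """Return beacon count, unique bot count, and per-country unique counts."""
    beacons = 0
    first_country = {}  # bot id -> country of first beacon (one bot, one country)
    for rec in parse_beacons(log_text):
        beacons += 1
        first_country.setdefault(rec["bot"], rec["cc"])

    per_country = Counter(first_country.values())
    unique = len(first_country)
    by_country = [
        (cc, n, round(100.0 * n / unique, 1))
        for cc, n in sorted(per_country.items(), key=lambda kv: (-kv[1], kv[0]))
    ]
    return {"beacons": beacons, "unique_bots": unique, "by_country": by_country}


if __name__ == "__main__":
    s = summarize(BEACON_LOG)
    print(f"{s['beacons']} beacons from {s['unique_bots']} unique bots")
    for cc, n, pct in s["by_country"]:
        print(f"  {cc}: {n} ({pct}%)")
```

On this sample ten beacons collapse to seven infected hosts; counting connections instead would have overstated the botnet by almost half, which is why the report quotes unique identifiers.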

29. April 5, Wired – (International) Researchers release new exploits to hijack critical infrastructure. Researchers released two new exploits that attack common design vulnerabilities in a computer component used to control critical infrastructure. The exploits attack the Modicon Quantum programmable logic controller (PLC) made by Schneider-Electric, which is a key component used to control functions in critical infrastructures around the world, including manufacturing facilities, water and wastewater management plants, oil and gas refineries and pipelines, and chemical production plants. One of the exploits allows an attacker to send a “stop” command to the PLC. The other exploit replaces the ladder logic in a Modicon Quantum PLC so that an attacker can take control of the PLC. The exploits take advantage of the fact that the Modicon Quantum PLC does not require a computer that is communicating with it to authenticate itself or any commands it sends to the PLC — essentially trusting any computer that can communicate with the PLC. Without such protection, an unauthorized party with network access can send the device malicious commands to seize control of it, or simply send a “stop” command to halt the system from operating. The attack code was created by an industrial control systems security researcher with Digital Bond, a computer security consultancy that specializes in the security of industrial control systems. The company said it released the exploits to demonstrate to owners and operators of critical infrastructures that “they need to demand secure PLC’s from vendors and develop a near-term plan to upgrade or replace their PLCs.” The exploits were released as modules in Metasploit, a penetration testing tool owned by Rapid 7 that is used by computer security professionals to quickly and easily test their networks for specific security holes that could make them vulnerable to attack. The exploits were designed to demonstrate the “ease of compromise and potential catastrophic impact” of vulnerabilities and make it possible for owners and operators of critical infrastructure to “see and know beyond any doubt the fragility and insecurity of these devices,” said Digital Bond’s CEO. Source:

30. April 5, The Register – (International) Fake cop trojan ‘detects offensive materials’ on PCs, demands money. Security firms are warning about a rash of police-themed ransomware attacks. The Reveton trojan warns victims illegal content has supposedly been detected on infected machines, displaying a message supposedly from local police agencies demanding payment to unlock machines. To unlock an infected machine, victims are asked to purchase an unlock code. However, control of infected machines can be re-established for free by following a series of steps, as outlined by both F-Secure and Microsoft. Trend Micro believes some of the criminals peddling the Reveton trojan were also involved in the high-profile DNSChanger trojan scam, the target of a successful Microsoft takedown operation in November 2011. Source:

31. April 5, Softpedia – (International) ABB refuses to patch vulnerabilities in legacy systems. A pair of researchers identified a buffer overflow flaw in a number of components of the ABB WebWare Server applications that are currently being used in many legacy ABB products. However, because the products are approaching the end of their life cycle, the company said no patches should be expected. According to an Industrial Control Systems Cyber Emergency Response Team advisory, there are still some industrial control systems which rely on products such as ABB’s WebWare Server SDK, ABB Interlink Module, S4 OPC Server, QuickTeach, and RobotStudio Lite. As the researchers highlight, some of the COM and ActiveX components inside them present vulnerabilities in the COM and scripting interfaces. The products are designed to facilitate communications with the robot controller, some provide graphical elements for Web pages, and others are used for human-machine interfaces. If the vulnerabilities from these products were to be exploited successfully, an attacker could cause a denial-of-service state for the application and even execute his/her own malicious code. For the time being, there are no known exploits that target the flaws in the aforementioned components, but developing one requires only a medium skill level. Source:

32. April 4, SecurityNewsDaily – (International) Updated Android malware can take over your phone. A customized variant of Android malware is now worming its way onto nonrooted devices and taking them over, and the weapon requires no interaction from the victim to begin its campaign. Researchers at the mobile security firm Lookout identified the reworked malware as Legacy Native (LeNa), which poses as a legitimate app to gain unauthorized privileges on Android phones. LeNa has long plagued Android users, Lookout said, but in its reworked form, it no longer requires its target phone to be rooted, and can now activate its payload — it connects to remote servers, transmits sensitive phone information, and drops more rigged software onto the phone — without any complicity from the end user. The new Android malware disguises itself in fully functional copies of apps, including “Angry Birds Space,” and hides its malicious payload in the string of code at the end of an otherwise genuine JPEG file, Lookout said. This rogue code exploits the GingerBreak vulnerability, a flaw that enables it to gain control of the phone and trick the victim into purchasing apps from illegitimate app stores. Source:
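The hiding technique described above, a payload appended after the end of an otherwise valid JPEG, is detectable without any malware signature: a JPEG ends at its End-Of-Image marker, so any bytes after it are foreign. The checker below is an added example, not Lookout’s detection logic. It walks the marker segments rather than searching backwards for the EOI bytes, because an appended blob can itself contain the two-byte EOI sequence. The JPEG bytes are a constructed minimal sample, and the appended text is a constructed placeholder, not a real payload.

```python
"""Flag data appended after a JPEG's End-Of-Image (EOI) marker.

Added example; the JPEG below is a constructed minimal sample and the
appended bytes are a labelled placeholder, not a real payload.
"""
import struct

EOI, SOS = 0xD9, 0xDA
# Markers that carry no length field: SOI, TEM, RST0..RST7.
NO_LENGTH = {0xD8, 0x01} | set(range(0xD0, 0xD8))


def find_eoi(data: bytes) -> int:
    """Return the offset just past the EOI marker, or -1 if the file is not a
    structurally valid JPEG (no SOI, truncated segment, missing EOI)."""
    if data[:2] != b"\xff\xd8":
        return -1
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == EOI:
            return pos
        if marker in NO_LENGTH:
            continue
        if pos + 2 > len(data):
            return -1
        pos += struct.unpack(">H", data[pos:pos + 2])[0]   # length includes itself
        if marker == SOS:
            # Entropy-coded data follows: skip until a real marker, treating
            # 0xFF00 (stuffed byte) and RSTn as part of the scan data.
            while pos + 1 < len(data):
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                    break
                pos += 1
    return -1


def trailing_data(data: bytes) -> bytes:
    """Bytes after EOI; empty for a clean JPEG or an unparseable file."""
    end = find_eoi(data)
    return b"" if end < 0 else data[end:]


# Constructed minimal JPEG: SOI, APP0/JFIF header, a one-component SOS with a
# few bytes of scan data (including a stuffed 0xFF00), then EOI. 37 bytes.
CLEAN_JPEG = (
    b"\xff\xd8"
    + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)
# Constructed placeholder standing in for an appended payload.
SUSPICIOUS_JPEG = CLEAN_JPEG + b"PAYLOAD-MARKER"


if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("suspicious", SUSPICIOUS_JPEG)):
        extra = trailing_data(blob)
        print(f"{name}: {len(extra)} trailing byte(s)" + (f" -> {extra!r}" if extra else ""))
```

Trailing bytes are not proof of malice on their own (some cameras and editors append metadata), but a large or executable-looking tail inside an application’s bundled assets is exactly the indicator this report describes, and the structural walk also rejects files whose "JPEG" is not really a JPEG.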

For more stories, see items 6 and 8 above in the Banking and Finance Sector

Communications Sector

33. April 5, Lincoln Courier – (Illinois) WLLM programs are back on the air. WLLM 1370 AM and 105.3 FM Lincoln, Illinois, announced April 4 the majority of their national and local programs, music, and news were back on the air. An electrical fire March 12 forced station employees to evacuate their building, which interrupted their broadcasting. Music resumed March 19, but other programming was only reinstated the week of April 2. Live programs, such as local church services and the Record Request Show, will return to the air after WLLM has moved back into its building. Station directors are hopeful that normal operations will resume in the next 2 to 3 weeks. Source:

34. April 4, WTOV 9 Steubenville – (Ohio) Phone lines stolen again, residents without service. For the third time in the last several months, someone cut phone lines in Jefferson County, Ohio, to try and take the copper, WTOV 9 Steubenville reported April 4. Police said the lines were cut along Tweed Avenue early April 4, leaving several homes without service. The Jefferson County sheriff said the thief took about 300 feet of wiring and left about another 200 feet along the road. The lines belong to AT&T, who had crews on scene working to repair the outage. The sheriff said they have a lead on a suspect. As for a restoration time, AT&T had not given one. Source: