Tuesday, April 24, 2012

Complete DHS Daily Report for April 24, 2012

Daily Report

Top Stories

• A Costa Rican company agreed to plead guilty in court in Virginia to a $670 million global insurance fraud scheme. – Associated Press See item 11 below in the Banking and Finance Sector

• More than 160,000 bridges in the United States are either structurally deficient or functionally obsolete, according to a new report by a national civil engineers’ group. – Homeland Security News Wire

14. April 23, Homeland Security News Wire – (National) U.S. aging bridges in critical condition. There are an estimated 18,000 bridges in the United States which are classed as fracture-critical bridges, requiring continual inspections, Homeland Security News Wire reported April 23. The need for increased inspection and maintenance runs against shrinking state and federal budgets for infrastructure improvements. The American Society of Civil Engineers’ (ASCE) most recent report card gave the condition of bridges in the U.S. a grade of C. The ASCE notes 26 percent of U.S. bridges are either structurally deficient or functionally obsolete. They note that as of 2008, the year of the most recent pre-report card survey, one in four bridges in rural areas was deficient, while one in three urban-area bridges was in the same class. Under the ASCE definition, structurally deficient bridges, though not unsafe, must post speed and weight restrictions because of limited structural capacity. A functionally obsolete bridge, though not unsafe either, has older design features and geometrics, and cannot accommodate current traffic volumes, vehicle sizes, and weights. Source: http://www.homelandsecuritynewswire.com/dr20120423-u-s-aging-bridges-in-critical-condition

• Contrary to recent reports, the Flashback botnet that mounted the first ever successful malware attack against Apple’s OS X is growing. The infection count was estimated to be 650,000 machines as of April 20. – Computerworld See item 43 below in the Information Technology Sector

• After two deadly booby traps were discovered by a U.S. Forest Service officer along a popular walking trail in Provo Canyon in Utah, two men were taken into custody. – NewsCore

51. April 23, NewsCore – (Utah) 2 arrested for allegedly planting deadly booby traps on Utah walking trail. Two men were in custody in Utah after deadly booby traps were uncovered along a popular walking trail in Provo Canyon, NewsCore reported April 23. The suspects were charged April 21 with reckless endangerment, a misdemeanor. A statement issued by the Utah County Sheriff’s Office said a U.S. Forest Service officer discovered the two booby traps inside a makeshift shelter built from dead tree limbs while on foot patrol along the Big Springs walking trail April 16. “As he investigated the shelter he noticed what appeared to be a trip wire near the ground at an entrance. Upon further investigation he discovered that the trip wire led to a booby trap device which was made with a large rock, sticks sharpened at both ends, and was held together with rope,” the statement read. “This device was situated in such a way that when contact was made with the trip wire it would swing toward an unsuspecting hiker or camper,” the statement added. A second booby trap was also discovered, also triggered by a trip wire. “This wire was configured so as to trip a person, possibly causing them to fall forward onto sharpened sticks placed in the ground,” the statement said. Police said the pair confessed to placing the deadly traps in the makeshift enclosure. Source: http://www.foxnews.com/us/2012/04/23/2-arrested-for-allegedly-planting-deadly-booby-traps-on-utah-walking-trail/


Banking and Finance Sector

9. April 23, Financial Crimes Enforcement Network – (National) FinCEN reports mortgage fraud SARs increased in 2011 even as fourth quarter level decreased. The Financial Crimes Enforcement Network (FinCEN) April 23 released its full year 2011 update of mortgage loan fraud reported suspicious activity reports (MLF SARs) that showed financial institutions submitted 92,028 MLF SARs in 2011, a 31 percent increase over the 70,472 submitted in 2010. The increase is primarily attributable to mortgage repurchase demands. Financial institutions submitted 17,050 MLF SARs in the 2011 fourth quarter, a 9 percent decrease in filings over the same period in 2010 when financial institutions filed 18,759 MLF SARs. The fourth quarter of 2011 was the first time since the fourth quarter of 2010 that filings of MLF SARs had fallen from the previous year. FinCEN also updated the SAR data sets used in the report. Source: http://www.fincen.gov/news_room/nr/html/20120423.html

10. April 22, KCEN 6 Temple – (Texas) Four Houston banks robbed within 4 hours. Houston police officers along with the FBI searched for five bank robbery suspects April 21 after detectives said four banks were robbed in the span of 4 hours. “The first robbery took place around 11:05 a.m. at [a] Wells Fargo,” an FBI spokeswoman said. “Two men used weapons to threaten the employees and customers inside another Wells Fargo, which was robbed at 11:30 a.m.” At the same time 8 miles away, a man stormed into a Compass Bank with a gun and pointed his weapon at the teller demanding cash, investigators said. According to officers he fired one shot before running out of the bank. The fourth robbery took place near the Galleria at a Chase Bank around 2:30 p.m. As a suspect was running away, the dye pack exploded in the parking lot, but the thief was able to get away on foot before police arrived. In all four cases the suspects got away with cash. Source: http://www.kcentv.com/story/17653492/four-houston-banks-robbed-within-4-hours

11. April 21, Associated Press – (Virginia; International) Costa Rican firm pleading guilty in $670M scam. A Costa Rican company agreed to plead guilty to a $670 million global insurance fraud scheme. Provident Capital Indemnity Ltd. entered a plea agreement April 20 in a U.S. district court in Richmond, Virginia, where its majority owner and president is scheduled for a jury trial starting April 23. He is charged with conspiracy, wire fraud, mail fraud, and money laundering. According to court papers, Provident agreed to plead guilty to a single count of mail and wire fraud conspiracy. A half-dozen mail fraud and wire fraud counts will be dropped. Provident sold bonds guaranteeing funding for life settlement companies, which buy life insurance policies from insured people at less than face value and collect the benefits when those people die. The government claimed Provident misled investors about its financial stability, its credit rating, and whether its financial statements had been audited. The U.S. Securities and Exchange Commission also filed a civil complaint against Provident in 2011, and a judge froze the company’s assets and enjoined it from doing business. Source: http://www.businessweek.com/ap/2012-04/D9U9I0PO0.htm

12. April 21, Reuters – (International) Italy police seize $5 billion of U.S. securities. Italian financial police have seized U.S. securities with face values of about $1.5 billion and gold certificates worth above $3.96 billion as part of an investigation into a possible international financial scam. The police said April 21 the “million dollar” operation was a last step in the probe, which centered on the use of bearer Federal Reserve debt securities dating back to the 1930s as a guarantee for loans or other opaque cross-border transactions. Rome police seized the securities from a man, who held them in a briefcase along with documents about financial operations, the police said in a statement. Police said they were carrying out checks, helped by the U.S. Central Bank and the U.S. embassy in Rome, over the authenticity and origin of the securities, as well as over possible links between the man and criminal organizations. Source: http://www.reuters.com/article/2012/04/21/us-italy-police-seize-idUSBRE83K08F20120421

13. April 20, KTVK 3 Phoenix; KASW Phoenix 6 – (Arizona) ‘Bearded Bandit’ wanted in 7 bank robberies. Police have asked for information from the public in the Phoenix area as they continue to search for a bank robber dubbed the “Bearded Bandit.” The suspect robbed seven banks in the Phoenix metropolitan area between December 22 and April 3, according to police. In each case, the suspect walked up to the tellers and demanded money then fled on foot with the cash. Police have described the suspect as a white male who has worn a fake beard and wig in the robberies. Source: http://www.azfamily.com/news/Bearded-Bandit-wanted-in-7-bank-robberies-148280855.html

Information Technology

39. April 23, Computerworld – (International) Microsoft yanks Office for Mac 2011 upgrade. April 20, Microsoft removed a major update for Office for Mac 2011 from its upgrade servers, acknowledging bugs that corrupted the Outlook database on some machines. Office for Mac 2011 Service Pack 2 (SP2) was released April 12. That same day, users who upgraded began reporting problems on Microsoft’s support site, saying they were unable to run Outlook, the suite’s e-mail client. April 17, Microsoft confirmed the SP2 upgrade could in some cases corrupt the Outlook identity database, and offered workarounds to prevent that from happening for those who had not yet installed the service pack, as well as a step-by-step guide to reconstructing the database for those affected by the bug. Three days later, Microsoft took more drastic action, shutting down the delivery of Office for Mac 2011 SP2 through the company’s automatic upgrade service. Source:


40. April 23, H Security – (International) WordPress fixes file upload security problems. The developers of the popular open source blog engine WordPress released a security update for the software, the H Security reported April 23. WordPress 3.3.2 fixes unspecified bugs in three external file upload libraries used in the software and other security problems with the application. The bugs affect both WordPress’s current file uploading library Plupload as well as the SWFUpload and SWFObject libraries; these were bundled with older versions of the application and might still be in use by certain plugins on the current versions of WordPress. The developers did not go into detail about the specifics of the security holes but thanked three people from the WordPress community for responsibly disclosing them. Three more fixes address a privilege escalation in the blog engine’s multi-site system and two cross-site scripting vulnerabilities in the core components of WordPress. Source: http://www.h-online.com/security/news/item/WordPress-fixes-file-upload-security-problems-1545416.html

41. April 23, The Register – (International) Security bug stalls new dot-word TLD land grab again. The Internet Corporation for Assigned Names and Numbers (ICANN) was forced to delay its new top-level domain (TLD) expansion by another week as its IT personnel attempt to analyze the fallout of a security vulnerability. Its TLD Application System (TAS), which companies worldwide had been using since January to confidentially apply for gTLDs, was down for 10 days due to a bug that enabled some applicants to see information belonging to others. While ICANN maintains it fixed the problem, it now says it needs at least another week to sift through all of its TAS logs to figure out which applicants’ data was visible to which other applicants. ICANN had received reports about the bug since at least March 19, but only issued the delay April 12, just 12 hours before the final application submission deadline, when it realized the severity of the problem. The organization initially hoped to get the system fixed by April 17, but when that deadline passed, it promised to give users an update on the timing by April 20. However, that update, which arrived over the weekend of April 21, only promised to provide yet another update before the end of April 27. Source: http://www.theregister.co.uk/2012/04/23/security_bug_delays_new_gtld_launch_again/

42. April 21, Softpedia – (International) Experts find control panel for Ransomlock powered ransomware. Ransomware infections have become more popular among cybercriminals, and security researchers discovered another trojan that fuels such campaigns. The novelty in this case is that the control panel used in the scheme was found. Identified by Symantec as Trojan.Ransomlock.K, the malicious element communicates with a command and control server from which it receives orders. The interface that allows the cybercrooks to communicate with their trojan is called Silent Locker Control Panel and, according to experts, it is somewhat similar to other control panels used for malware such as Zeus and SpyEye. The Russian variant of Silent Locker offers many options. It tracks the infected computer’s location and date, information that can be used for billing. Also based on the location, the cybercriminal can choose what picture the ransomware displays when it takes over a computer. If notifications that rely on the reputation of a law enforcement agency do not work, the fraudsters can turn to fake Windows Security Checks or other scams that may convince victims their device is being blocked for performing illegal activities, or even because of some phony system errors. While experts have not found a trojan builder for Ransomlock.K, they believe the kit most likely comes with one. Source: http://news.softpedia.com/news/Experts-Find-Control-Panel-for-Ransomlock-Powered-Ransomware-265732.shtml

43. April 20, Computerworld – (International) Flashback botnet not shrinking, huge numbers of Macs still infected. Contrary to reports by several security companies, the Flashback botnet is not shrinking, according to the antivirus firm that first reported the massive infection 3 weeks ago. Dr. Web, which earlier in April was the first to report the largest-ever successful malware attack against Apple’s OS X, said April 20 the pool of Flashback-infected Macs still hovers around the 650,000 mark, and infections are continuing. Also April 20, the manager of operations at Symantec’s security response center confirmed Dr. Web’s numbers were correct. Dr. Web’s tally and its contention that infections are ongoing flew in the face of other antivirus companies’ assertions. Kaspersky Lab and Symantec, which each “sinkholed” select domains — hijacked them before hackers could use them to issue orders to compromised machines — used those domains to count the Macs that try to communicate with the malware’s command-and-control centers. Earlier the week of April 16, Symantec said the botnet had shrunk to 142,000 machines. April 19, Kaspersky claimed its count registered only 30,000 infected Macs. Source: http://www.computerworld.com/s/article/9226429/Flashback_botnet_not_shrinking_huge_numbers_of_Macs_still_infected

44. April 20, Inquirer – (International) 100 million users might be affected by a social network vulnerability. Do-it-yourself social networking company Ning is reportedly suffering from a security problem that could affect 100 million users. Ning lets people set up their own social networking channels. According to a Dutch report, a problem with its security could leave them wide open to account hijackers. A Dutch Web site called Web Wereld said two students exploited cookies to gain log-in control over Ning user accounts. They used a proof-of-concept that showed they could access 90,000 accounts and 100 million users, but had no intention of exploiting it for malicious purposes. They did suggest that if others were able to use it, then they could take over Ning accounts. The students told Ning about the exploit in March, and since then the firm has worked to fix it. Source: http://www.theinquirer.net/inquirer/news/2169403/100-million-users-affected-social-network-vulnerability

For another story, see item 45 below in the Communications Sector

Communications Sector

45. March 23, The Register – (International) Plumbers of the interwebs vow to kill IP hijacking. The Internet Engineering Task Force (IETF) aims to strengthen the basic protocols of the Internet, with a way to stop route, or IP, hijacking, The Register reported April 23. IETF experts say the proposed fix is simpler to implement than previous suggestions. IP hijacking exploits a fundamental weakness of the Internet — data and messages sent across the Internet are transmitted via routers, and those routers are blindly trusted. No measures are in place to verify if they have been tampered with to re-direct or intercept traffic. At an IETF meeting in March, a working group proposed a solution that seeks to safeguard the integrity of networking kit. The proposal involves publishing preferred routes to sites in DNS records before applying a second step, using utilities to verify the instructions are trustworthy. This latter step would use DNS Security Extensions, a separate security mechanism being rolled out as a defense against cache-poisoning attacks. The whole scheme is called ROVER, or BGP Route Origin Verification (via DNS). ROVER calls for the use of reverse DNS records to periodically publish route announcements, a process that would be done by sites themselves, before carrying out real-time verifications of BGP route announcements. ROVER uses “best effort” data retrieval with worldwide data distribution, redundancy, and local caching. If the data is unreachable, the default is that routing would proceed as normal but without any checks. Source: http://www.theregister.co.uk/2012/04/23/ip_hijack_prevention/
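The verification step and the fail-open default described in item 45, as an added illustration that is not from the article or the IETF draft: the reverse-DNS zone, the record layout and the BGP announcements are constructed stand-ins, and the four verdicts (valid, invalid, unknown, unchecked) are an assumed classification rather than ROVER’s own terminology.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

# Constructed stand-in for the reverse-DNS data a ROVER-style verifier would
# fetch: reverse-DNS name of the prefix -> origin ASNs its holder published.
# The record layout is a simplification, not the real draft record format.
PUBLISHED_ORIGINS: Dict[str, Set[int]] = {
    "2.0.192.in-addr.arpa": {64496},            # 192.0.2.0/24 originated by AS64496
    "100.51.198.in-addr.arpa": {64497, 64498},  # 198.51.100.0/24, two authorized ASNs
}

class DnsUnreachable(Exception):
    """Raised when the published route data cannot be retrieved."""

def reverse_name(prefix: str) -> str:
    """Reverse-DNS name for an IPv4 prefix on an octet boundary (/8, /16, /24)."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4 or net.prefixlen % 8 != 0:
        raise ValueError("this example handles IPv4 prefixes on octet boundaries only")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def lookup_origins(name: str, zone: Optional[Dict[str, Set[int]]]) -> Optional[Set[int]]:
    """Best-effort retrieval; zone=None models an unreachable DNS/DNSSEC path."""
    if zone is None:
        raise DnsUnreachable(name)
    return zone.get(name)  # None when the prefix holder published nothing

def verify_announcement(prefix: str, origin_asn: int,
                        zone: Optional[Dict[str, Set[int]]]) -> str:
    """Classify one BGP announcement (prefix, origin AS) against published data.
    valid/invalid: a record exists and the origin does/does not match it.
    unknown: nothing published for the prefix, so there is nothing to check.
    unchecked: data unreachable, the article's fail-open default (assumed name).
    """
    try:
        published = lookup_origins(reverse_name(prefix), zone)
    except DnsUnreachable:
        return "unchecked"
    if published is None:
        return "unknown"
    return "valid" if origin_asn in published else "invalid"

def accepted_routes(announcements: List[Tuple[str, int]],
                    zone: Optional[Dict[str, Set[int]]]) -> List[Tuple[str, int]]:
    """Drop only announcements positively contradicted by published data."""
    return [(p, a) for p, a in announcements
            if verify_announcement(p, a, zone) != "invalid"]

# Constructed announcements: legitimate origin, a bogus origin for the same
# prefix (what a hijack would look like), and a prefix with no published record.
SAMPLE = [("192.0.2.0/24", 64496), ("192.0.2.0/24", 64666), ("203.0.113.0/24", 64499)]

if __name__ == "__main__":
    for p, a in SAMPLE:
        print(p, a, verify_announcement(p, a, PUBLISHED_ORIGINS))
    print("data unreachable:", [verify_announcement(p, a, None) for p, a in SAMPLE])
```

With the zone reachable, only the bogus origin is rejected; with it unreachable every announcement is accepted unchecked, which is the trade-off the article's last sentence describes.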

For more stories, see items 39, 41, and 44 above in the Information Technology Sector