Monday, May 7, 2012

Complete DHS Daily Report for May 7, 2012

Daily Report

Top Stories

• A man pleaded guilty to stealing confidential data from Internet users and then using it to drain more than $1.3 million from bank accounts. – Federal Bureau of Investigation See item 6 below in the Banking and Finance Sector

• The outbreak of a rare, typhoidal Salmonella strain that originated in North Carolina’s Buncombe County grew to 40 confirmed illnesses May 3. Officials expect that number to increase. – Food Safety News

15. May 4, Food Safety News – (North Carolina; National) Rare Salmonella Paratyphi outbreak grows as investigation continues. The outbreak of a rare, typhoidal Salmonella strain that originated in North Carolina’s Buncombe County grew to 40 confirmed illnesses May 3 as the State and county health departments continued their investigation and anticipate additional infections will surface. According to a Buncombe County Department of Health spokeswoman, many of those sickened contracted their infections through person-to-person contact. April 30, Smiling Hara recalled 12-ounce packages of unpasteurized tempeh as a cautionary measure after a sample of the company’s soybean tempeh tested positive for Salmonella. The tempeh remains a potential outbreak source until further tests. More than half of the cases involve individuals who said they did not consume tempeh during the outbreak window, the health spokeswoman said. The health departments continue to investigate other potential sources, she said, though it is clear that infections have come from “several different routes of transmission.” Illnesses were reported in North Carolina, South Carolina, Tennessee, and New York. Source:

• A Florida-based crime ring that stole at least $80 million worth of prescription drugs as well as goods from warehouses and tractor trailer vehicles, was broken up, federal authorities said. – Associated Press

24. May 3, Associated Press – (Connecticut; Florida; New Jersey) Feds break up major Florida-based drug theft ring. A Florida-based crime ring that stole at least $80 million worth of prescription drugs, including pulling off one of the nation’s biggest heists in Connecticut in 2010, was broken up following a 3-year undercover FBI probe, federal authorities said May 3. A total of 22 people were charged by federal authorities in New Jersey, Connecticut, and Miami, where the group was based, a Miami U.S. attorney said. The thieves hit warehouses and stole tractor-trailers around the country, often from highway rest stops, and brought the drugs to South Florida and New Jersey in an attempt to sell them. The medications included antidepressants, anti-psychotics, and treatments for cancer, acne, epilepsy, arthritis, and autoimmune disorders, and even aspirin and Flintstones children’s vitamins, authorities said. “This investigation represents the largest takedown in U.S. history involving cargo theft,” the chief of the Miami FBI office said. Besides the drugs, the U.S. attorney said the ring stole more than $20 million in other goods, including thousands of bottles of Johnnie Walker Scotch whiskey, thousands of cases of cigarettes from an Illinois warehouse, 64,000 cell phones, and 200 inflatable boats. Source:

• The updates to PHP versions 5.3.12 and 5.4.2 released May 3 do not fully resolve the vulnerability accidentally disclosed online that allows attackers to execute code on affected servers. – H Security See item 33 below in the Information Technology Sector


Banking and Finance Sector

6. May 3, Federal Bureau of Investigation – (National) Man admits role in $1.3 million phishing fraud scheme. A man admitted his role in an Internet fraud ring that stole more than $1.3 million after “phishing” confidential account information from Internet users, a New Jersey U.S. attorney announced May 3. The man pleaded guilty to one count each of wire fraud conspiracy, wire fraud, aggravated identity theft, and conspiracy to gain unauthorized access to computers. The ring employed phishing attacks using fraudulent Web pages that mimicked the legitimate Web pages of e-commerce companies such as banks and payroll processors. Stolen identifiers were then used to make unauthorized withdrawals from victims’ accounts. Some of the stolen data was used to create fake driver’s licenses for the conspirators to use to impersonate victims at bank branches. The man admitted he worked with others to hire “soldiers” to go into banks and impersonate real customers using fake licenses made with the soldiers’ pictures. The ring also used the information to gain access to online accounts, where they could view victim signatures on check images to forge them on checks and withdrawal slips. The man admitted he used stolen identifiers to intercept and respond to e-mails to impersonate real account holders. He also admitted he impersonated company payroll officers in conversations with ADP, a national payroll processing company. Chase Bank, Bank of America, ADP, and Branch Bank & Trust Co. together lost about $1.3 million to the fraud ring. Source:

7. May 3, Chicago Tribune – (Illinois) Justice Department indicts seven on mortgage fraud. The U.S. Department of Justice announced indictments May 3 against seven people, including a Chicago police officer who allegedly committed mortgage fraud involving Chicago condominium buildings between 2006 and 2008. The alleged fraud involved illegally obtaining 35 mortgages that totaled more than $8.8 million from various lenders. According to the indictment, one of the men purchased four condo units in the city’s Bronzeville neighborhood, and with help from other defendants, allegedly fraudulently qualified to receive mortgage loans from four different banks that totaled almost $622,000. He then received payments from another man indicted in the scheme, the indictment stated. Two of the conspirators allegedly were each involved in the separate, fraudulent purchase of eight condo units. Two others were charged with allegedly helping the buyers secure the fraudulent loans. In 2010, the Illinois Department of Financial and Professional Regulation announced a series of disciplinary actions against many companies and individuals, some of whom are named in the indictment, related to a mortgage fraud investigation involving a 27-unit building. At the time, all of the units were in foreclosure. Source:

8. May 3, Federal Bureau of Investigation – (Illinois) ‘InvestForClosures’ operator pleads guilty to $7 million mail fraud scheme. A man pleaded guilty May 3 in federal court in Rockford, Illinois, to conducting a $7 million mail fraud scheme. The defendant co-owned and operated a business, known as InvestForClosures, with his business partner. In his plea, the man admitted he fraudulently obtained more than $7 million from investors. According to the plea agreement, he represented to potential investors that the business bought distressed houses, rehabilitated those houses, and sold them for a profit. He admitted in his plea that he and his employees made various representations to potential investors, including: their investments would be safe because they would be backed by real estate; InvestForClosures used the majority of investors’ funds to purchase real estate; and because of the business’ efficient cash flow from buying and selling houses, InvestForClosures Financial never failed to make an interest payment on time or return an investor’s principal when requested. He admitted that each of these representations was false. About $1,711,711.18 of the approximately $7,238,506.40 fraudulently obtained from investors was paid back through Ponzi-type payments. Source:

9. May 3, Baltimore Sun – (Maryland) Builder pleads guilty in investment scheme. A Baltimore home builder pleaded guilty May 3 in connection with a construction investment scheme that defrauded victims of more than $14 million, the Maryland U.S. attorney’s office said. The defendant spent at least 2 years — from 2009 to 2011 — targeting people with money to invest in construction projects or who needed financing for their own projects, including a hotel in Bowie, Maryland. The defendant told the investors to put “large sums of money” in an escrow bank account to prove liquidity for purposes of getting financing, and that they would receive a high rate of return for their efforts, according to his plea agreement. Instead, the defendant and co-conspirators “fraudulently” removed the money — typically within 2 weeks — to pay off debts or to make “lulling” payments to other victims. A co-defendant, an attorney from Phoenix, also pleaded guilty. The defendant operated several companies, including the McCloskey Group LLC and Kellen Property & Investment LLC. Source:

Information Technology

33. May 4, H Security – (International) PHP patch quick but inadequate. The updates to PHP versions 5.3.12 and 5.4.2 released May 3 do not fully resolve the vulnerability accidentally disclosed online, according to the flaw’s discoverer. The bug in the way CGI and PHP interact with each other leads to a situation where attackers can execute code on affected servers. The issue remained undiscovered for 8 years. Currently, the best protection requires setting up filter rules on the Web server. However, the RewriteRule workaround described on is also inadequate. The discoverer suggests a slightly modified form of the rule as an alternative. Because the PHP interpreter for CGI does not comply with the specifications laid out in the CGI standard, URL parameters can, under certain circumstances, be passed to PHP as command line arguments. Servers which run PHP in CGI mode are affected; FastCGI PHP installations are not. The PHP patch is supposed to ensure parameter strings beginning with a minus sign, and which do not contain an equals sign, are ignored. According to the discoverer, this can be bypassed easily. A new, slightly modified patch which uses query_string instead of decoded_query_string for one comparison was already submitted to the bug tracking system. Users can determine whether they are affected by the bug by appending the string ?-s to a URL. If the server returns PHP source code, rapid action is required. A Metasploit module that opens a remote shell for executing arbitrary code on vulnerable servers is already available. Source:
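The item above explains the check the PHP patch introduced (ignore a query string that begins with a minus sign and contains no equals sign) and why the first version of it was bypassable: the comparison was made on the decoded query string, while the CGI server decides whether a query becomes command-line arguments by looking at the raw string. The following added example, which is not from the report or from the PHP project, turns that reasoning into a log-review check a server administrator could run over access logs from a server that runs PHP in CGI mode. The log lines, the IP addresses, and the `.php` path filter are constructed assumptions for the example; the check itself mirrors the rule the item describes.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache common-log style (not taken from the report).
# The fourth line is built so that its decoded query contains '=' while the raw
# query does not; it exists only to show why the raw string must be inspected.
SAMPLE_LOG = """\
203.0.113.10 - - [04/May/2012:10:01:02 +0000] "GET /index.php?page=1 HTTP/1.1" 200 512
203.0.113.11 - - [04/May/2012:10:01:05 +0000] "GET /index.php?-s HTTP/1.1" 200 9120
203.0.113.12 - - [04/May/2012:10:01:09 +0000] "GET /index.php?search HTTP/1.1" 200 400
203.0.113.13 - - [04/May/2012:10:01:12 +0000] "GET /index.php?-h+x%3Dy HTTP/1.1" 200 9000
203.0.113.14 - - [04/May/2012:10:01:15 +0000] "GET /static/logo.png HTTP/1.1" 200 3000
"""

# Pulls the method and request target out of the quoted request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def split_target(target):
    """Split a request target into path and raw (still percent-encoded) query."""
    path, _, query = target.partition("?")
    return path, query


def naive_decoded_check(raw_query):
    """The first patch's logic as the item describes it: decode first, then test.

    Because '=' is looked for after decoding, a raw query with no '=' but with
    an encoded one passes this test and is not ignored.
    """
    decoded = unquote(raw_query)
    return bool(decoded) and "=" not in decoded and decoded.startswith("-")


def is_cgi_argument_query(raw_query):
    """Corrected logic: the '=' test is made on the raw query string.

    Per the CGI specification a query string without '=' is an 'indexed' query
    that the server passes to the script as command-line arguments, so the raw
    string is what decides that; only the leading '-' is tested after decoding.
    """
    if not raw_query or "=" in raw_query:
        return False
    return unquote(raw_query).startswith("-")


def scan_log(text):
    """Return (client_ip, target) for requests to .php paths whose query string
    would reach php-cgi as arguments. Restricting to .php is an assumption
    matching a typical CGI handler mapping."""
    hits = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        path, query = split_target(target)
        if not path.endswith(".php"):
            continue
        if is_cgi_argument_query(query):
            hits.append((line.split()[0], target))
    return hits


if __name__ == "__main__":
    for ip, target in scan_log(SAMPLE_LOG):
        print(f"{ip} requested {target}: query would be passed as php-cgi arguments")
```

Running the scan over the constructed lines flags the second and fourth requests; the naive decoded-only rule misses the fourth, which is exactly the gap the corrected patch closes by comparing against `query_string` rather than `decoded_query_string`. On a live server the same check belongs in the Web server's rewrite or filtering layer, where the item says the best protection currently lies, with log review as a way to see whether such requests have already arrived.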

34. May 4, H Security – (International) VMware addresses critical issues in Workstation, Player, ESXi and ESX. VMware has published a security advisory that addresses critical security flaws in the company’s Workstation, Player, Fusion, ESXi, and ESX products. There are five flaws detailed in the advisory. ESX 3.5 to 4.1 and ESXi 3.5 to 5.0 are affected by a host memory overwrite vulnerability in the handling of RPC commands and data pointers that means a guest user could crash a VMX process. VMware notes the issue can be worked around by configuring virtual machines that use less than 4GB of memory. The workaround, though, is not an effective remedy for a similar issue with RPC and function pointers. Both issues could be exploited without root/administrator access. Another issue, again only affecting ESX and ESXi, means a flaw in the handling of NFS traffic can overwrite memory and can be used to execute code on an ESX/ESXi system without authentication; however, the issue only occurs with NFS traffic. A floppy device out-of-bounds memory write and an unchecked SCSI device memory write issue both affect Workstation 8.x, Player 4.x, and Fusion 4.x, as well as ESXi and ESX; removing the virtual floppy drive or SCSI device from virtual machines will work around the problem. Both issues require root/administrator access to exploit. Source:

35. May 4, H Security – (International) Adobe Flash Player update closes critical object confusion hole. Adobe released a security advisory relating to an object confusion vulnerability that allows an attacker to crash its Flash Player or take control of an affected system. Adobe said there are reports of this vulnerability being exploited in the wild as part of targeted e-mail-based attacks that trick the user into clicking on a malicious file; this exploit only targets Flash Player on Internet Explorer on Windows, though the vulnerability exists on Windows, Mac OS X, Linux, and Android versions of the player. An update to Adobe Flash Player on Windows, Mac OS X, and Linux should be applied by any user running version or earlier. Source:

36. May 3, Government Computer News – (International) 105 Top Level Domain applicants had info exposed. The Internet Corporation for Assigned Names and Numbers (ICANN) began notifying 105 applicants for new generic Top Level Domains (gTLDs) that some of their information was exposed through a glitch in the online application system. The system was taken offline April 12, which was to be the closing day for applying for new gTLD names, and remained offline for 3 weeks. At some point after the notifications are complete, ICANN will announce the reopening of the system and a new deadline for filing applications. ICANN’s chief security officer said there is no indication the problem was the result of a malicious intrusion or that any information other than some user names and file names was exposed. The system was taken offline through an abundance of caution, he said. Source:

37. May 3, ZDNet – (International) Microsoft kicks Chinese company out of vulnerability sharing program. Microsoft removed a Chinese security company from its Microsoft Active Protections Program (MAPP) vulnerability information sharing program following a recent leak of proof-of-concept code for a serious security hole in all versions of Windows. Microsoft identified the company as Hangzhou DPTech Technologies Co., Ltd, a Chinese outfit that describes itself as a “high-tech company integrating research and development, manufacturing and sales in the network security industry.” After an investigation into the proof-of-concept leak, Microsoft said Hangzhou DPTech Technologies breached the strict non-disclosure agreement meant to ensure sensitive data does not fall into the wrong hands. Source:

38. May 3, MSNBC – (International) Infected users get legit warning about July 9 ‘Internet Doomsday’. Two companies, OpenDNS and CloudFlare, have put together a message alert system to help more than a half-million U.S. users who are believed to have the DNSChanger malware on their computers and do not know it, and who may not have heard about it in recent weeks. Infected users will see a message appear on their computer screen. The message says, in part, that the user’s Domain Name Server settings suggest “you probably have the DNSChanger malware.” Users are then directed to an OpenDNS Web site which has instructions on how to switch DNS to OpenDNS’s trusted servers. The message also has a link to the FBI’s Web site for more information. Source:

39. May 3, InformationWeek – (International) Anonymous, LulzSec case in U.S. expanded by feds. A federal grand jury handed down a superseding indictment in the case against alleged LulzSec and Anonymous leaders that adds a sixth person to the list of people charged, InformationWeek reported May 3. The revised indictment now lists a man, known as Anarchaos, burn, POW, ghost, and anarchaker, amongst other aliases, as a defendant, and accuses him of participating in LulzSec and Anonymous hacks involving the Web sites of the Arizona Department of Public Safety, and Stratfor. Source:

For another story, see item 6 above in the Banking and Finance Sector

Communications Sector

40. May 4, Aspen Times – (Colorado) Major phone problems hit Pitkin County. Land-based phone lines and some cellphone services went down across Pitkin County, Colorado, May 3. The extent of the outage, which started around 9:30 p.m., was unknown, according to a statement from the county. All non-emergency and 9-1-1 lines for the 9-1-1 Center in Aspen were down. Emergency calls were rerouted to Vail Public Safety Communications. CenturyLink was aware of the problem and worked to resolve the issue late May 3. Source:

For more stories, see items 35, 36, and 38 above in the Information Technology Sector