Thursday, May 10, 2012

Complete DHS Daily Report for May 10, 2012

Daily Report

Top Stories

• A report found criminals who steal identities and file fake tax returns could make $26 billion in 5 years because the IRS cannot keep up with the fraud. – CNN See item 17 below in the Banking and Finance Sector

• Tree fruit and other crop losses caused by mid-April hailstorms are in the tens of millions of dollars and counting for California farmers, according to Kings County agricultural officials. – California Farm Bureau Federation

25. May 9, California Farm Bureau Federation – (California) Tree fruit harvest to be cut as result of April hailstorms. Four weeks after their orchards and fields were pounded by intense mid-April hailstorms, San Joaquin Valle, California farmers continued to tally losses but said tree fruit and other harvests will be reduced, the California Farm Bureau Federation reported May 9. Agricultural commissioners’ in affected counties such as Kings and Tulare said crop losses to agriculture were in the tens of millions of dollars and counting. The Kings County Agricultural Commissioner requested a U.S. Department of Agriculture disaster declaration for damaged crops due to what is being for the declaration, farmers must have experienced a 30 percent loss of a particular crop, countywide. He reported $20.5 million worth of crop losses in Kings County, with the hardest-hit crop, plums, suffering $5.7 million in damage. Losses to nectarines were nearly as high, at $5.3 million. Additional crops that took a hit include peaches, apricots, and cherries, as well as almonds, cotton, and kiwifruit. Tulare County continued to work with farmers to analyze crops damaged in the mid-April storms, according to the county’s deputy agricultural commissioner. So far for Tulare, impacted crops include stone fruit, nuts, grapes, forage crops, and some citrus. Source:

• Authorities arrested 10 alleged members of a white supremacist group training near Orlando, Florida. Officials said the group was experimenting with the biological toxin ricin and had plotted a disturbance at Orlando City Hall. – Reuters

36. May 9, Reuters – (Florida) Florida nabs white supremacists planning ‘race war’. Ten alleged members of a white supremacist group training near Orlando for a “race war” were rounded up in a series of arrests in central Florida, authorities said May 8. The arrests were based on evidence from a confidential informant who infiltrated the neo-Nazi organization known as the American Front (AF) 17 months ago, according to an arrest affidavit. It said the group’s alleged local ringleader operated a heavily fortified paramilitary training center for the AF on his isolated property in St. Cloud, Florida. It said he recently plotted a disturbance at Orlando City Hall and a confrontation against a rival skinhead group in coastal Melbourne in a bid to garner media attention, but was also experimenting with the potential manufacture of the biological toxin ricin. The investigation into the AF was conducted by the FBI’s Joint Terrorism Task Force and local law enforcement agencies. Source:

• Beginning in mid-2011, a widespread series of cyberattacks targeted technology firms, transportation and agriculture groups, and government organizations with links to policies of interest to China. – Dark Reading See item 53 below in the Information Technology Sector

• The mayor of Star, Idaho, declared a state of emergency May 8 in response to two levee breaches along the Boise River. – KBOI 2 Boise

60. May 9, KBOI 2 Boise – (Idaho) Star mayor declares state of emergency due to flooding. The mayor of Star, Idaho, declared a state of emergency May 8 in response to two levee breaches along the Boise River. The water flooded over some canals into some nearby fields and ditches in the area. The declaration allows the city to be eligible for more funding and aid, but the mayor said flood crews in Ada County repaired the breaches without additional help. Some flooding remained in the fields and ditches but no buildings were damaged as of May 9. The Boise River was flowing at 8,000 cubic feet per second (cfs) and expected to remain at that level as the U.S. Army Corps of Engineers continues to release water from the upstream reservoirs. Flood stage is considered 7,000 cfs. Source:


Banking and Finance Sector

12. May 9, Associated Press – (North Carolina) 5 people arrested at Bank of America demonstration. Five people were arrested May 9 as they tried to force their way into the annual Bank of America shareholders’ meeting in Charlotte, North Carolina, and police used a new ordinance to declare the gathering an extraordinary event subject to special restrictions. Hundreds gathered on the streets as dozens of police officers worked to contain the protest. If a gathering is deemed an extraordinary event, authorities can designate areas where people are not allowed to carry backpacks, magic markers, and other items. The measures were adopted in advance of the Democratic National Convention in Charlotte. Source:

13. May 9, Fort Worth Star-Telegram – (Texas) Two Arlington companies indicted. Two Arlington, Texas companies accused of being part of a $13 million mortgage fraud scheme in north Texas were indicted on criminal charges, the Fort Worth Star-Telegram reported May 9. The companies, Sierra Developers and homebuilder Genesis Homes of Texas, are accused of generating more than $400,000 from fraudulent loans in December 2004. The loans were handled by a lending company run by a mortgage broker who has since pleaded guilty to engaging in organized criminal activity and money laundering. Seventeen defendants were convicted in the scheme, including two who were alleged to be “straw buyers” of homes built by Genesis, the prosecutor said. The corporate indictments, handed down quietly in December 2011, accuse Sierra and Genesis of providing false payoff information to the lending company for monetary gain. Sierra is accused of providing false information on a federal Department of Housing and Urban Development settlement statement. Sierra and Genesis homes were the sellers in the transaction, according to officials. Source:

14. May 9, U.S. Securities and Exchange Commission – (Michigan) SEC charges former Detroit officials and investment adviser to city pension funds in influence peddling scheme. The U.S. Securities and Exchange Commission (SEC) May 9 charged a former Detroit mayor, city treasurer, and the investment adviser to the city’s public pension funds involved in a secret exchange of gifts to peddle influence over the funds’ investment process. The SEC alleged the former mayor and treasurer, who were trustees to the pension funds, solicited and received $125,000 in perks paid for by MayfieldGentry Realty Advisors LLC, an investment adviser whose chief executive officer (CEO) was recommending to the trustees the pension funds invest approximately $117 million in a real estate investment trust (REIT) controlled by the firm. Neither the officials nor the CEO and his firm informed the boards of trustees about the perks and the conflicts of interest they presented. The funds ultimately voted to approve the REIT investment, and MayfieldGentry received millions of dollars in management fees. According to the SEC’s complaint, members of the mayor’s administration began to exert pressure on the CEO in early 2006. The former treasurer met with the CEO in February 2006 and the CEO appeared before the boards of trustees for the pension funds throughout 2007, recommending the REIT investment. Meanwhile, MayfieldGentry began footing the bills for trips taken by city officials that extended beyond city business. Source:

15. May 8, Orange County Register – (California) ‘Snowboarder Bandit’ charged in 10 bank robberies. A Riverside, California man who authorities suspect of being the “Snowboarder Bandit” was charged May 8 with 10 bank robberies in which he is alleged to have stolen about $30,000. He is facing 10 felony counts of second-degree robbery, as well as 2 felony counts of attempted robbery, according to a statement from the Orange County district attorney’s office. Authorities have tied him to 10 holdups at 9 Orange County banks. Authorities also believe he attempted to rob two other banks in Irvine, but left without receiving money. Source:

16. May 8, Reuters – (New York; National) Trader in free-riding fraud case admits guilt. A Florida man accused of operating a “free-riding” fraud, in which he bought and sold $64 million of stock with money he did not have, pleaded guilty May 7 in New York to 10 criminal counts. He admitted to grand larceny, securities fraud, and scheming to defraud. According to his prepared allocution, the defendant conducted “paired trades” more than 200 times at more than 36 brokers using accounts that named bogus shell companies and hedge funds. He said this let him buy publicly traded securities between July 2009 and September 2010 despite lacking sufficient funds. Among the brokerages that he stole from were Barclays Capital, Lazard Capital Markets, and Morgan Keegan & Co., according to the prepared allocution. A U.S. attorney said the defendant induced brokerages to open accounts by misrepresenting his net worth and his alleged control of a $20 million hedge fund. He also said the defendant raised money by falsely telling investors to expect high returns, only to use the bulk of the funds to repay earlier investors or on personal expenses. Among the companies in which he traded were Baidu Inc, CME Group Inc., Netflix Inc., and Inc., according to the SEC. Source:

17. May 8, CNN – (National) Identity thieves could rake in $26 billion in tax refunds. Criminals who file fraudulent tax returns by stealing people’s identities could rake in an estimated $26 billion over the next 5 years because the Internal Revenue Service (IRS) cannot keep up with the amount of the fraud, the U.S. Department of the Treasury Inspector General for Tax Administration (TIGTA) said May 8. “Our analysis found that, although the IRS detects and prevents a large number of fraudulent refunds based on false income documents, there is much fraud that it does not detect,” the inspector general said in prepared testimony before a joint hearing of two House subcommittees. The TIGTA report is the first detailed analysis of the tax refund fraud problem, which could affect any taxpayer. His projection of $26 billion was larger than any other estimate of identity theft tax fraud. In 2011, according to TIGTA, the IRS reported that of the 2.2 million tax returns it found to be fraudulent, about 940,000 returns totaling $6.5 billion were related to identity theft. In the investigation, the inspector general said auditors found another 1.5 million undetected tax returns with more than $5.2 billion in fraud. As of April, the IRS reported it had stopped the issuance of $1.3 billion in potentially fraudulent tax returns. Source:

For another story, see item 54 below in the Communications Sector

Information Technology

45. May 9, Help Net Security – (International) Phishing impersonating email service providers spikes. Phishing attacks impersonating e-mail service providers increased 333 percent from Q4 2011 to Q1 2012. IT security firm Internet Identity (IID) attributes this spike to spammers needing unsullied e-mail addresses since many major spamming botnets have been shut down, and Internet service providers have become more successful at identifying and blocking e-mail from botnets and other known spam sources. During the first quarter of 2012, spammers increasingly tried to hijack “good” e-mail addresses at large Web mail services by impersonating those e-mail service providers and phishing for e-mail account log-in credentials. Despite the dramatic jump in e-mail service provider phishing, other industries on average witnessed a decrease in phishing attacks. IID found phishing attacks dropped 2 percent when comparing statistics from Q1 2011 to Q1 2012. Source:

46. May 9, Help Net Security – (International) Java drive-by generator used in recent attack. A malware delivery campaign that doubles infection efforts to ensure users are compromised was recently spotted by F-Secure researchers. One discovered a Web site that poses as a “Gmail Attachment Viewer,” which attempts to make the visitor run the offered application. The pop-up warning from Windows identifies it as a “Microsoft” application, but says the app’s digital signature cannot be verified and that the app’s publisher is “Unknown.” If the user does choose to run the app, he/she is faced with a Cisco Foundation invitation to attend a conference, while the download and the quiet installation of a malicious binary is performed in the background. The message contains an embedded link that, if clicked, again tries to download the same malware. The researcher does not mention how she ended up on the site in question in the first place, and what type of malware is actually pushed onto the user, but points out that the infection is generated using iJava Drive-by Generator. “The generator allows the attacker to use random names or specify their own preference for both the Java file and the dropped Windows binary,” the researcher explains, and notes the tool also indicates to the attackers how many infections the delivered malware effected. Source:

47. May 9, H Security – (International) Thousands of Twitter passwords allegedly exposed. About 55,000 Twitter account names and passwords, it was claimed May 8, were published on Pastebin May 7. Twitter confirmed it was investigating the situation and said it was resetting the passwords of affected accounts. Later examination of the list by Twitter revealed it contained 20,000 duplicates, suspended spam accounts, and incorrect log-in credentials. It is unclear where the data came from — Mashable said hackers affiliated with Anonymous were involved, but no apparent announcement from the hackers was made. It does not appear Twitter’s systems were compromised. A random sampling of a number of the accounts by a Hacker News reader found them to typically have several followers and to be following thousands of other Twitter users — a common footprint of a Twitter spam account. An analysis by an Eset blogger found that even after deduplicating the list, 25,000 entries in the remaining list were e-mail addresses. This leaves around 9,000 apparent Twitter spam accounts. Eset compared the accounts with previous leaks and found the e-mail ones apparently matched a June 2011 LulzSec leak and also found some of the spam accounts posted in an April 2012 forum post. Source:

48. May 9, H Security – (International) Microsoft Patch Tuesday more extensive than anticipated. Microsoft released 7 bulletins to close 23 vulnerabilities on its May Patch Tuesday. The total number of bulletins belies the scope of the patches, however, as the combined update MS12-034 closes holes in numerous products. The reason for this is a critical hole in the code for processing TrueType fonts exploited by the Duqu spyware in 2011. The hole was closed in the Windows kernel on the December Patch Tuesday; however, Microsoft has since used a code scanner to track the vulnerable code in many other components; among them is the gdiplus.dll library, which is used by various browsers to render Web fonts. Some of the vulnerable files contained further holes Microsoft also patched within the same bulletin — meaning this update fixes many other flaws as well as the original vulnerability. It closes holes in all currently supported versions of Windows (from XP SP3 onwards, including Server), Office, the .NET framework, and Silverlight. These “bonus” holes include three privilege escalation problems in the Windows kernel, including flaws in the code for processing keyboard layouts. Bulletin MS12-029 closes a critical hole in the code for processing RTL documents. It affects Office 2003, 2007, as well as Office Compatibility Packs SP2 and 3. The vulnerability was also closed in Office for Mac 2008 and 2011. Bulletin MS12-035 addresses two critical holes in the .NET framework. The remaining four bulletins fix holes that have the second highest threat rating by Microsoft, “important.” These vulnerabilities affect Office, Visio Viewer 2010, the Windows partition manager, and the Windows firewall and TCP stack.


49. May 9, H Security – (International) PHP team makes another attempt to close critical CGI hole. The PHP development team made another attempt to fix the critical vulnerability in the interaction with CGI. In CGI mode, PHP interprets certain URL parameters as command line parameters. This can cause affected servers to return the source code of a page if the ?-s character string is attached to the end of a URL. The details of the vulnerability were made public when developers accidentally marked the relevant entry in the bug tracking system as “public.” The vulnerability is being actively exploited for attacks. Originally, the problem was supposed to be fixed in versions 5.3.12 and 5.4.2, released the week of April 30. However, it was soon found the updates provided an incomplete solution and further ways of exploiting the hole appeared to exist. Security experts also say the rewrite rule initially published as a workaround could easily be bypassed. With the release of versions 5.3.13 and 5.4.3, the developers renewed their promise that the hole is fixed. A buffer overflow in the apache_request_headers function was also fixed in the 5.4 branch. A security expert said the vulnerability involves a stack buffer overflow that can only be exploited on systems that run PHP in CGI mode. Reportedly, the vulnerability can be exploited in combination with components such as the lighttpd Web server. Source:

50. May 9, IDG News Service – (International) Police-themed ransomware targets U.S., Canadian users. A ransomware application that locks computers and asks their owners to pay fines for allegedly violating several laws through their online activity is targeting U.S. and Canadian users, malware experts from security firm Trend Micro said May 9. The Trend Micro researchers refer to this particular ransomware — malware that disables system functionality and asks for money to restore it — as the “Police Trojan,” because it displays rogue messages claiming to originate from law enforcement agencies. The “Police Trojan” appeared in 2011 and originally targeted users from several countries in Western Europe, including Germany, Spain, France, Austria, Belgium, Italy, and the United Kingdom. The rogue message displayed after locking down a victim’s computer is localized in the victim’s language and claims to be from a national law enforcement agency from the victim’s country. The owners of the locked-down computers are told their IP addresses were involved in illegal activities and are asked to pay a fine using prepaid cards like Ukash or Paysafecard. The malware’s authors prefer these payment services because transactions cannot be reversed and are hard to trace. When investigating new command and control servers recently used by this malware, Trend Micro researchers found message templates designed for U.S. and Canadian users. This suggests the malware’s scope was extended to these two countries. Source:

51. May 8, CNET – (International) Plaxo shuts back door spammers used to access Google accounts. Contact list management application maker Plaxo told CNET May 8 that it shut a back door spammers were using to stealthily access Google accounts. “A malicious party has obtained on their own, not through Plaxo, a set of Google account credentials,” said a general manager at Plaxo. “They’ve used our server, which is meant to allow customers to access their own Google accounts, to gain access to those accounts they already had. That made it difficult for Google to detect that (unauthorized) activity because they came through our IP address as a proxy.” Google has been fighting off an attack from this source for some time, the general manager said. Source:

52. May 8, Threatpost – (International) Adobe patches 13 flaws in Photoshop, Flash Professional and other apps. Adobe released patches for a series of vulnerabilities in its product line, including Photoshop, Illustrator, Flash Professional, and Shockwave. Several of the vulnerabilities can be used to take complete control of affected machines. The highest-priority vulnerabilities among those patched May 8 is a group of five flaws in Shockwave that can be used to run malicious code on vulnerable machines. The update applies to both Windows and Mac machines and Adobe is recommending that users upgrade to version The bug patched in Flash Professional May 8 is separate from the one that Adobe patched in Flash the week of April 30, which is currently being used in targeted attacks. Source:

53. May 8, Dark Reading – (International) Targeted attack infiltrates at least 20 companies. Beginning in mid-2011, a widespread series of cyberattacks targeted a number of private firms, think thanks, and government organizations with links to policies of interest to China. While attributing attacks to a specific actor is difficult, the attackers used a common command-and-control server to manage the exploitation and control of computers within each victim’s network. In its research into the attacks — dubbed Project Enlightenment — security intelligence firm Cyber Squared managed to infiltrate the attackers’ communications channel and gather information on the attacks. The targets of the attacks were diverse: a mining corporation with interests in the automotive industry; Canadian judicial offices handling the extradition of a Chinese national; a major law firm with clients all over the globe; and an international maritime group with connections to the United Nations. Source:

For another story, see item 57

Communications Sector

54. May 9, KITV 4 Honolulu – (Hawaii) Service cut to thousands of cell phone users. A cracked sewer line led to cell phone coverage being cut for thousands around the Hawaii islands. Work began May 8 to repair a cracked 6-inch sewer line in Aiea. But when city crews dug up the damaged pipe, they also cut a critical fiber-optic line underneath. The fiber-optic cable was used for a many businesses, from banks to cell phone companies. The line was connected to Hawaiian Telecom’s Aiea central office and allowed cell phone towers from many companies to connect to their networks. But after the cut, many could not get through. “For us, a large chunk of our north shore coverage and Mililani were impacted, along with partial impacts up the Waianae Coast,” the chief technical officer for Mobi PCS said. The connection troubles not only affected Oahu. Some on the Big Island, Maui, and Kauai were without service. Hawaiian Telecom said crews were able to reroute some connections after the break, but thousands still felt the effects of the cut cable. By the early evening May 8, Hawaiian Telecom crews were able to cut out the damaged part of the cable and began splicing in a new section. Customers were gradually connected, but the repair work continued throughout the night. Source:

55. May 8, LaSalle News Tribune – (Illinois) Phone service restored to Granville area. Residents of Granville, DePue, and McNabb, Illinois, experienced some disruption of telephone service May 8, but service has been restored, according to a Frontier Communications general manager. He said the outage was due to a power surge at the Granville office, which damaged some rectifiers. The surge occurred early May 8, he said, and the company had to first locate the source of the problem and then acquire replacement parts. The dial tone was restored in about 10 hours, he said. Communication between villages was limited, however, due to additional damage to fiber optics termination cards. The cards were diagnosed, identified and delivered to the site. The new cards were installed and tested around about 6 hours later. “Those inter-office links were then brought back up,” he said. Source:

For another story, see item 45 above in the Information Technology Sector

Commercial Facilities Sector

57. May 8, Internet Crime Complaint Center – (International) Malware installed on travelers’ laptops through software updates on hotel Internet connections. Recent analysis from the FBI and other government agencies demonstrates that malicious actors are targeting travelers abroad through pop-up windows while establishing an Internet connection in their hotel rooms, the Internet Crime Complaint Center reported May 8. Recently, there have been instances of travelers’ laptops being infected with malicious software while using hotel Internet connections. In these instances, the traveler was attempting to setup the hotel room Internet connection and was presented with a pop-up window notifying the user to update a widely-used software product. If the user clicked to accept and install the update, malicious software was installed on the laptop. The pop-up window appeared to be offering a routine update to a legitimate software product for which updates are frequently available. The FBI recommended that all government, private industry, and academic personnel who travel abroad use extra caution before updating software while connected to hotel Internet connections. Source: