Friday, May 11, 2012

Complete DHS Daily Report for May 11, 2012

Daily Report

Top Stories

• Canadian police said May 9 they broke up an international fraud ring involving dozens of people that drained $100 million from the accounts of unsuspecting bank card holders. – Agence France-Presse See item 15 below in the Banking and Finance Sector

• A massive break in a Flint, Michigan water main leaked millions of gallons of water for more than a year, costing the city more than $800,000. The leak, theft, and use of water to battle fires have caused water and sewer rates to spike. –

26. May 10, – (Michigan) Massive water leak, theft contribute to Flint water rate increases, officials say. For more than a year, a massive break in a Flint, Michigan water main leaked millions of gallons of water underground before workers were able to detect and fix it, officials said May 10. Flint leaders estimated the recently repaired break cost more than $800,000 in lost water, not including the cost of repairs. In addition, the city estimated that more than 30 percent of the water it buys from Detroit is never billed for by Flint. Leaks, stolen water, and water to fight the city’s high rate of structure fires are all included in the unmetered category. Flint’s development and infrastructure director said there is no way to quantify how much unmetered water is stolen, but he said his office has received numerous photos of cut meters as well as allegations of residents bypassing water meters or businesses stealing from hydrants. City officials list the water losses as one of many contributors to the 25 percent water and sewer rate increase that has angered Flint residents. The rate increase is expected to go into effect in June and follows two double-digit rate hikes in 2011. The cause of the massive water main break was still being investigated. Source:

• Medicare paid $5.6 billion to 2,600 pharmacies with questionable billings in 1 year, according to a government report. – Associated Press

28. May 10, Associated Press – (National) Report: Suspect billings at 2,600 drugstores. May 10, the Associated Press reported that Medicare paid $5.6 billion to 2,600 pharmacies with questionable billings, including a Kansas drugstore that submitted more than 1,000 prescriptions each for 2 patients in just 1 year, government investigators found. A new report by the inspector general of the Health and Human Services department found the corner drugstore vulnerable to fraud, partly because Medicare does not require the private insurers that deliver prescription benefits to seniors to report suspicious billing patterns. The analysis broke new ground by scrutinizing every claim submitted by the nation’s 59,000 retail pharmacies during 2009 — more than 1 billion prescriptions. Investigators were able to reveal contrasts between normal business practices and potential criminal behavior. “The findings call for a strong response to improve (program) oversight,” the report said. In written comments, a Medicare administrator said the agency mostly agrees with the inspector general’s call to action. Source:

• The FBI took over the investigation into cases of white powder being mailed to 9 locations in north Texas, including 7 preschools and a church. – KTVT 11 Fort Worth

52. May 9, KTVT 11 Fort Worth – (Texas) FBI takes lead in white powder investigation after 9th found. May 9, the FBI took lead of the investigation into 9 white powder scares in 2 days in north Texas cities. The latest suspicious package was found at the Mi Escuelita Preschool in Dallas. This marks the seventh Headstart school in 2 days targeted with envelopes containing a “white powdery” substance. An employee of the Mi Escuelita Headstart school opened the mail May 9 when she noticed a white substance spill out of one of the envelopes. Employees said the envelope did not have a return address. Dallas police secured the scene while Plano’s HAZMAT team was called in to handle the envelope. Officials evacuated the building where the envelope was opened, including a classroom with 18 children. Schools in Mesquite, Garland, and Irving received similar suspicious mailings. Two other locations, including a church, also received envelopes. All of them were determined to be non-hazardous. Source:

• State and federal land managers imposed bans on open fires and other activities across much of southeastern Arizona because of high fire danger that has already resulted in numerous wildfires. – Associated Press

54. May 8, Associated Press – (Arizona) State, feds impose fire bans in So. Arizona. State and federal land managers imposed bans on open fires and other activities across much of southeastern Arizona because of high fire danger. Orders from the federal Bureau of Land Management and the Arizona State forester took effect May 7. They ban fires outside developed campgrounds, smoking outside a building or vehicle, welding, and off-road driving. The orders cover BLM-managed federal lands in Pima, Pinal, Cochise, Santa Cruz, Graham, Greenlee, Apache, and Navajo counties, and parts of Gila County. A severe fire season in the southwestern United States was predicted because of an ongoing drought. Exceptionally hot and dry weather has already led to numerous wildfires in southeastern Arizona. The largest consumed more than 1,000 acres. Source:


Banking and Finance Sector

10. May 10, Norfolk Virginian-Pilot – (Virginia) Ex-VP of Bank of the Commonwealth admits to fraud. A former vice president at Virginia’s Bank of the Commonwealth pleaded guilty May 9 to a fraud charge as part of the government’s investigation of wrongdoing at the failed bank. The defendant served as the bank’s commercial loan officer. He admitted participating in a $5 million fraud involving loans to Tivest Development & Construction for two construction projects that ultimately failed. A vice president at Tivest faces a similar charge. Federal authorities are investigating the role that wrongdoing by top executives of Bank of the Commonwealth played in the bank’s failure, according to court filings. The investigation also led to charges against two developers. Court records allege they obtained more than $40 million in fraudulent loans from the bank for dozens of commercial and residential properties. The defendant’s lawyer said his client did not benefit financially in the scheme. To keep his job, he did as the top executives instructed him to do in approving millions of dollars in questionable loans, the lawyer said. The bank closed in 2011 amid losses totaling more than $260 million. Source:,0,2096586.story

11. May 10, U.S. Securities and Exchange Commission – (National; International) SEC charges Scotland-based firm for improperly boosting hedge fund client at expense of U.S. fund investors. The U.S. Securities and Exchange Commission (SEC) May 10 charged a Scotland-based fund management group for fraudulently using one of its U.S. fund clients to rescue another client, a China-focused hedge fund struggling in the midst of the global financial crisis. Martin Currie agreed to pay about $14 million to the SEC and the United Kingdom’s Financial Services Authority to settle the charges it steered a U.S. publicly traded fund called The China Fund Inc. into an investment to bolster the hedge fund. Martin Currie directly alleviated the hedge fund’s liquidity problems by deciding to use the China Fund in a bond transaction that reduced the hedge fund’s exposure. In response to the hedge fund’s problems, Martin Currie used the China Fund to purchase $22.8 million in convertible bonds from a subsidiary of Jackin International, a Chinese company in which Martin Currie held $10 million of unlisted illiquid bonds. The subsidiary instantly lent $10 million of the proceeds to Jackin, which in turn redeemed $10 million in otherwise-illiquid bonds held by the troubled hedge fund. The bond transaction closed in April 2009. According to the SEC’s order, Martin Currie officials were aware the China Fund’s involvement presented a direct conflict of interest. In April 2011, the China Fund sold its bond investment in the Jackin subsidiary for a loss of $11.5 million. Source:

12. May 10, Associated Press – (New Mexico) 400 fake credit cards seized at NM-Mexico border. Two Mexican nationals were arrested at the Santa Teresa, New Mexico port of entry after U.S. border officials said they tried to smuggle more than 400 counterfeit credit cards and gift cards into the United States, the Associated Press reported May 10. U.S. Customs and Border Protection officers seized 422 counterfeit credit cards and gift cards and arrested two people from Chihuahua City, Mexico earlier the week of May 7. Officials said the seizure was made May 8 when a vehicle entered the port from Mexico. Federal officers found 1 person was carrying 411 fraudulent cards, with 11 additional counterfeit cards being carried by another person. Source:

13. May 9, WBRZ 2 Baton Rouge – (Louisiana; Mississippi) Suspect connected to multiple bank robberies. Detectives with the Baton Rouge Police and the East Baton Rouge Sheriff’s Office (EBRSO) in Louisiana have arrested a man in connection with a string of bank robberies around the area, WBRZ 2 Baton Rouge reported May 9. Authorities arrested the suspect in suspicion of 3 bank robberies and a bank burglary, all committed over the past 3 months. An EBRSO spokesperson said deputies pulled the suspect’s vehicle over and saw strands of a red wig inside. Surveillance video from one of the bank robberies showed the robber wearing a red wig. Detectives linked the suspect to bank robberies March 21, April 29 and 30, and May 7. They also linked him to an attempted bank robbery April 27. The spokesperson said the suspect is also on parole for robbery in Jackson, Mississippi. Source:

14. May 9, Federal Bureau of Investigation – (Oregon) Former Key Bank branch manager guilty of identity theft, bank fraud. A former manager of a Key Bank branch in Springfield, Oregon, pleaded guilty to identity theft and bank fraud in federal court May 9. He admitted that in January 2007, while serving as a bank manager and with the intent to deceive Key Bank, he used a Social Security number of a previous Key Bank account holder to open up a bank account at Key Bank without their authorization. He also admitted that in May 2007, he transferred the names, dates of birth, and Social Security numbers of 2,937 present or previous account holders of Key Bank to his personal e-mail account. He admitted he transferred this data without authorization, intending to use it for his personal financial gain. As a result of his conduct, Key Bank incurred $44,937.66 in expenses, including credit monitoring services to affected account holders. The defendant agreed to pay restitution in that amount to Key Bank. Source:

15. May 9, Agence France-Presse – (International) Canada busts international bank card fraud ring. Canadian police said May 9 they broke up an international fraud ring that drained some $100 million from the accounts of unsuspecting bank card holders. Authorities arrested 45 people in a series of raids by members of the Royal Canadian Mounted Police, mostly in the Montreal, Quebec region, but also in Ottawa, Ontario, and Vancouver, British Columbia, a police spokesperson said. Arrests warrants were issued for 61 people, all but one of whom were Canadian citizens, according to police. Authorities said the network was active in Britain, Australia, New Zealand, Malaysia, and Tunisia. The fraudsters divided their labors among various members, with some specializing in filming and modifying ATM machines. Other units of the crime ring specialized in stealing PIN numbers or hacking into computer terminals in stores, while other cells forged counterfeit cards for illegal withdrawals. In some cases, they modified point-of-sale machines from businesses and restaurants, rigging them using Bluetooth technology to read the credit and debit card information contained on the computer processors of the devices. They then transferred the information onto blank debit and credit cards, which they later tapped to drain the rightful bank customers’ bank accounts. The suspects face charges of racketeering, fraud, making counterfeit cards, and identify theft. Source:

For another story, see item 46 below in the Information Technology Sector

Information Technology

43. May 10, IDG News Service – (International) Twitter blog post says company leaked no user data. None of the recently leaked Twitter logins and passwords came from within the company, according to a message posted on Twitter’s Japanese blog May 10. “We have confirmed that no one’s information has been leaked from Twitter,” the blog said, after apologizing to users for their concerns. The comments came after 58,978 login and password combinations were published May 7 to Pastebin, a Web site designed to share programming code but often used by hackers to show off stolen data. The company already said much of the account information posted was duplicates, unmatched log-in credentials, and spam accounts. In its Japanese blog posting, Twitter said account data was likely leaked from a different site, and it sent password reset requests to users on the list. It also warned users to avoid “fishing” Web sites, which try to con log-in information out of unwary users, and to use strong passwords that are unique for separate sites. Source:

44. May 10, H Security – (International) Apple closes numerous holes in Mac OS X and Safari. With the 10.7.4 Mac OS X Lion update and security update 2012-002 for 10.6, Apple closed numerous critical vulnerabilities in Mac OS X and its components. The most prominent fix in this update stops Lion from storing plain text passwords. Due to a mistake in the previous update, Lion stored the passwords of users who mounted their home/user directory from a network volume in the system log unencrypted and readable by anyone with administrative or physical access. Those who continued to use the first version of the FileVault encryption after upgrading from Snow Leopard to Lion were also affected. Further vulnerabilities were fixed in components such as the LoginUIFramework, where a race condition allowed guest users of Lion to log in as another user without having to enter a password. Apple also closed a hole in the HFS filesystem that allowed Lion systems to be infected with malicious code by mounting a specially crafted disk image. Curl is now protected against problems such as the “BEAST” attacks on encrypted connections. One fix, specifically for Mac OS X 10.6, Snow Leopard, is for the Samba server which, if active, allowed remote attackers to inject malicious code into a system without providing any valid access credentials. The Samba server is not a user in Mac OS X 10.7. Apple also released a security update for its Safari browser for Mac OS X and Windows. Source:

45. May 10, H Security – (International) Critical vulnerability in vBSEO patched. The developers of the vBSEO extension to the vBulletin forum software closed a critical vulnerability in their plugin. The vBSEO plugin adds search engine optimization (SEO) functionality to the vBulletin core code. The vulnerability — a SQL injection flaw that allows attackers to execute commands and manipulate the contents of the forum’s database — comes only a short time after the developers patched another flaw, which was recently misused to attack online forums en masse. Affected users can download the patched versions of 3.3.x, 3.5.x, and 3.6.0 from the download area of the vBSEO Web site. The vBSEO forum also provides instructions on how to close the security hole manually. Since an exploit was already found in the wild, users should update their installations immediately. Source:

46. May 9, Infosecurity – (International) Research uncovers IRC bot malware for Android. McAfee Labs researchers discovered Android malware that acts as an Internet relay channel (IRC) bot. The Android malware, which masquerades as the Madden NFL 2012 video game, has three embedded modules that perform various malicious activities, explained a researcher with McAfee Labs. The main component is a dropper that installs a set of other components — a rooting exploit, IRC bot, and SMS trojan — onto the compromised Android device. The researcher warned that if the user of a compromised Android device receives a message from his/her bank using a two-way authentication code, that message along with the mobile number is sent to the remote attacker, who can use it to compromise bank transactions. Source:

47. May 9, Network World – (National) Security of industrial control systems questioned at DHS conference. Operators of America’s power, water, and manufacturing facilities use industrial control systems (ICS) to manage them. However, the security of these systems, increasingly linked with Microsoft Windows and the Internet, is now under intense scrutiny because of growing awareness that they could be attacked and cause massive disruptions. Industrial facility operators are making efforts to follow security procedures, such as using vulnerability-assessment scanning tools to check for needed patches in Windows. However, ICS environments present special problems, said managers who spoke on the topic at a conference organized by the DHS. Currently, energy and manufacturing facilities are being openly warned by DHS and its Industrial Control Systems Computer Emergency Response Team that they are being targeted by attackers who will often try to infiltrate business networks, often through spear phishing attacks against employees, in order to also gain information about ICS operations. Source:

48. May 9, National Journal – (International) ICANN sets target date for re-opening database. The Internet Corporation for Assigned Names and Numbers (ICANN), the group that runs the Internet’s address system said it is aiming to re-open the application process for those seeking to launch a new domain name by May 22. If it meets this goal, ICANN said the application process would remain open for 5 business days, not counting Memorial Day, and would close May 30. ICANN shut down its application database in April after discovering a glitch that exposed some information about applicants. The group denied its system was hit by a cyberattack. ICANN said it took the database offline to find out what caused the problem and to ensure it would not happen again. The week of April 30, ICANN said that of the 1,268 registered users and 95,000 file attachments in the applications system, about 455 might have been viewed by another applicant. An ICANN spokesman said the group is trying to review all the relevant data before re-opening the application process. It launched its program in January allowing for the introduction of almost any new top-level domain name to compete with the 22 existing generic domain names. The application process for the program was originally scheduled to close April 12. ICANN eventually suspended the application process after discovering the database problem. Source:

For another story, see item 15 above in the Banking and Finance Sector

Communications Sector

See items 43, 46, and 48 above in the Information Technology Sector