Monday, May 21, 2012

Complete DHS Daily Report for May 21, 2012

Daily Report

Top Stories

• The security breach at credit card processing company Global Payments likely existed for well over a year, compromising a little less than 1.5 million card numbers, according to new reports. – H Security See item 8 below in the Banking and Finance Sector

• Twenty-five communities in eastern Washington’s Columbia River basin could have their municipal wells go dry within a decade, according to a study of the underground aquifer that supplies their groundwater. – Associated Press

24. May 16, Associated Press – (Washington) Wash. advising 25 cities about dwindling water. Twenty-five communities in eastern Washington’s arid Columbia River basin could have their municipal wells go dry within a decade, according to a study of the underground aquifer that supplies their groundwater. State officials said the looming problem could affect areas stretching from Odessa to Pasco, a combined population of 200,000 people. A project from 1942 intended to deliver water to 1 million acres from the reservoir behind the Grand Coulee dam was never fully completed. Many farmers received permission to dig wells to irrigate their crops from the Odessa aquifer, the same underground aquifer those cities and towns drill into for water, beginning a steady and precipitous decline. Some wells have gone dry, and the solution has generally been to just drill a deeper well, said the executive director of the Columbia Basin Groundwater Management Area. But a study by the group shows deeper water will not be usable in the future. Washington approved a drawdown of Lake Roosevelt, the reservoir behind the dam, to allow more farmers to irrigate with surface water in hopes that will stabilize the declining aquifer for remaining water users. Some farmers also have rotated their crops during the dry, summer months to use less water. In 2011, the ecology department estimated that municipal demand will increase by 24 percent by the year 2030, while demand from agricultural irrigators will increase 10 percent. Conversely, supply is expected to increase 3 percent. Researchers attributed the increased demand to influences of climate change, population growth, and economic trends. In the meantime, the State ecology and health departments are working with cities and towns to better understand their municipal water systems and their water needs. Source:

• A Minnesota man with suspected ties to white supremacist groups planned to attack the Mexican consulate in St. Paul, to stir debate on immigration amnesty issues ahead of the 2012 Presidential election. – Associated Press

27. May 17, Associated Press – (Minnesota) Minn. man targeted Mexican consulate. A Minnesota man with suspected ties to white supremacist groups planned to attack the Mexican consulate in St. Paul, believing it would stir debate on immigration amnesty issues ahead of the 2012 Presidential election, according to a federal affidavit recently unsealed in federal court and obtained May 17 by the Associated Press. He was indicted in April on drug charges, though authorities had been watching him and another man since 2010 as part of a domestic terrorism probe. The affidavit said he had amassed weapons and wanted to attack minorities, people with left-leaning political beliefs, and government officials. “We consider him a threat, and we believe he had the capacity to carry these threats out,” an FBI spokesman said in an interview May 17. In the plot against the consulate, the suspect allegedly told an undercover agent he wanted to load a pickup truck with barrels of oil and gas, drive it into the consulate, allow the mixture to spill, then set it ablaze with a road flare. He also suggested placing hoax explosive devices along the May Day parade route in the Twin Cities, saying he had video of prior parades so he could identify parade participants. Source:

• Chinese company ZTE, the world’s fourth-largest handset vendor, said one of its mobile phone models sold in the United States contains a vulnerability researchers said could allow others to control the device. – Reuters See item 31 below in the Information Technology Sector

• More firefighters are heading to a fire that burned across more than 11 square miles in northern Colorado and is approaching a reservoir for the city of Greeley. – Associated Press; CBS News

39. May 18, Associated Press; CBS News – (Colorado) Colo. Hewett wildfire grows to 7,300 acres. More firefighters are heading to a fire that has burned across more than 11 square miles in northern Colorado and is approaching a reservoir for the city of Greeley. A U.S. Forest Service official said the blaze about 20 miles northwest of Fort Collins had scorched 1.5 square miles of land but rapidly expanded May 17 fueled by erratic winds. As of late May 17, the Hewlett Fire had burned 7,300 acres, according to KCNC 4 Denver. Authorities ordered evacuations of about 80 homes near Poudre Canyon May 17. Residents of about 65 of those homes were allowed to return by early evening, with instructions to be ready to leave again if conditions change. Some 400 firefighters were on the scene. Fire officials said more firefighters would be arriving May 18. Source:

Banking and Finance Sector

8. May 18, H Security – (National) Global Payments breach reportedly worse than expected. The security breach at credit card processing company Global Payments extends back further than was previously believed, H Security reported May 18. According to BankInfoSecurity, the incident is now thought to go back as far as January 2011 — it was originally believed to have taken place between January 21 and February 25, 2012, but was later dated to early June 2011. While initial reports of the breach suggested more than 10 million accounts were compromised, Global Payments later said fewer than 1.5 million card numbers were taken. Source:

9. May 18, Associated Press – (Louisiana; Ohio) Plaquemines woman booked in counterfeit operation. The Plaquemines Parish Sheriff’s Office in Louisiana arrested a woman May 16, saying she was involved in a counterfeiting operation involving a couple million dollars in counterfeit money orders and cashier’s checks. She was arrested after Plaquemines Parish detectives, along with other agencies, staged a delivery of counterfeit materials to her home that she accepted. Plaquemines Parish deputies said DHS intercepted an international package that included $83,380 in counterfeit money orders and cashier’s checks in Ohio May 13. Deputies said the package was to be delivered to the woman. Source:

10. May 17, U.S. Department of the Treasury – (International) Treasury imposes sanctions on individuals linked to the Taliban and Haqqani Network. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) May 17 designated two individuals pursuant to Executive Order (E.O.) 13224. A Haqqani Network communications official was designated for acting for, or on behalf of, a Haqqani Network commander and a Taliban financier was designated for providing financial support for, and or financial services to, the Taliban. The Haqqani Network commander was previously designated by the U.S. Department of State in May 2011 under E.O. 13224. The United States listed the Taliban as a Specially Designated Global Terrorist entity in July 2002. As a result of the May 17 actions, all property in the United States or in the possession or control of U.S. persons in which the two designated men have an interest is blocked, and U.S. persons are prohibited from engaging in transactions with them. Source:

11. May 17, Idaho Statesman – (Idaho) Credit card scam hits Boise. Two men were charged with felony burglary after police in Boise, Idaho, said they caught the men May 16 with dozens of fake credit cards and hundreds of dollars’ worth of clothes and other items they bought with those cards. Boise police began their investigation of the men after officers working on an unrelated case saw them leave a store in the Boise Towne Square mall area with multiple bags and items that did not seem to match what men their age would buy. Officers quickly figured out the men appeared to be using fake credit cards. Police warned employees at another store right before the men tried to use the fake cards again, a crime prevention unit supervisor for the Boise police said. Officers pulled the pair over moments later and found dozens of cards in their car. Police said the men, both from southern California, appear to have been in the Boise area since May 14. Police said the scam involves identity theft, stolen credit card numbers, and fake IDs. Source:

12. May 17, Reuters – (Washington, D.C.) Ex-U.S. Army Corps manager and son plead guilty to bribery scheme. A former program manager for the U.S. Army Corps of Engineers and his son pleaded guilty May 17 to participating in a plot involving possibly more than $30 million in bribes and kickbacks to steer a government contract to a favored bidder. The defendant, whom U.S. prosecutors call the ringleader of the scheme, said he was guilty of federal charges of bribery and conspiracy to commit money laundering. His son also pleaded guilty to one count of simple conspiracy for assisting his father for a period of time, according to the attorney who represented both men. The plea, which requires that the defendant cooperate with the prosecutors, could also help the government as it continues to investigate what it has called one of the most brazen corruption schemes in federal contracting history. Prosecutors have said that beginning in 2006 the defendant, along with another former Army Corps program manager, agreed to direct government contracts to companies that paid them bribes, mostly through inflated invoices. Several men leading contractor and subcontractor companies have already pleaded guilty. Source:

13. May 17, Reuters – (Washington) Fraud charges for former financial advisory chief. A federal grand jury indicted a former chairman of a national financial planning association with fraud May 17 for funneling more than $46 million of his clients’ money into risky ventures he co-founded. A former chairman of the National Association of Personal Financial Advisors (NAPFA) diverted the funds, which clients expected to be invested in publicly traded instruments, into his technology ventures instead, the U.S. Department of Justice said. The U.S. Securities and Exchange Commission (SEC) also announced parallel civil charges. The alleged fraud began in 2003 and continued through 2011, the SEC said. The man and his advisory firm, The Spangler Group (TSG), diverted funds from several private investment funds he managed into two cash-poor technology companies, prosecutors said. The two companies in turn paid TSG “financial and operational support” fees of $830,000, essentially from customer funds. One firm went bankrupt, after receiving nearly $42 million from the investment funds, the SEC said. He only disclosed the relationship in 2011, when he placed TSG and the funds he managed into state court receivership. He faces 23 criminal counts including fraud and money laundering. Source:

For another story, see item 32 below in the Information Technology Sector

Information Technology

29. May 18, Help Net Security – (International) Spam with malicious attachments rising. While the volume of spam messages is falling, the number of messages containing malicious attachments increased, meaning spam is growing more dangerous even as it becomes less prevalent, according to a Bitdefender study. The number of malicious attachments in January 2012 rose 4 percent from the same period in 2011, even as the overall number of spam messages sent dropped by more than 16 percent in the first quarter of 2012 from the last quarter of 2011, Bitdefender research shows. Of the 264.6 billion spam messages sent daily, 1.14 percent carry attachments — about 300 million of which are malicious. After increasing in January, the growth of malicious attachments leveled off amid an apparent pause in spam campaigns, even though spam continued to fall overall. Attachments may come in the form of phishing forms that trick users into typing in credit card credentials for scammers to use whenever they want. Or, they may pack malware such as trojans, worms, and viruses that can eventually cause trouble for users. Source:

30. May 18, H Security – (International) British hackers get jail terms. Two separate cases in the United Kingdom saw hackers receive jail terms of 12 and 18 months. In one case, a British man from West Sussex pleaded guilty to hacking into a U.S. citizen’s Facebook account and gaining access to that person’s e-mail account in January 2011. The Metropolitan Police Service’s Police Central e-Crime Unit was informed of the breach via the FBI and arrested the man in July 2011 under the Computer Misuse Act. In the other case, a hacker was found using a Call of Duty “patch,” which was in fact a trojan carrying a keylogger and other malware. The hacker is said to have acquired users’ credentials and sold them for $1 to $5 on an online market; the proceeds were transferred to a Costa Rica-based account. However, his online activities were not detected until after he was caught attempting to burgle Walmer Science College in Deal in March 2012. Source:

31. May 18, Reuters – (National) ZTE confirms security hole in U.S. phone. ZTE, the world’s fourth-largest handset vendor and one of two Chinese companies under U.S. scrutiny over security concerns, said one of its mobile phone models sold in the United States contains a vulnerability researchers said could allow others to control the device. The hole affects ZTE’s Score model that runs on Google’s Android operating system. The hole, or backdoor, allows anyone with the hardwired password to access the affected phone, a researcher for cybersecurity firm CrowdStrike said. ZTE and Chinese telecommunications equipment manufacturer Huawei Technologies were stymied in their attempts to expand in the United States over concerns they are linked to the Chinese government, though both companies denied this. Most concerns centered on the fear of backdoors or other security vulnerabilities in telecommunications infrastructure equipment rather than in consumer devices. Reports of the ZTE vulnerability first surfaced the week of May 14 in an anonymous posting on a code-sharing Web site. Since then, others alleged different ZTE models, including the Skate, also contain the vulnerability. The password is readily available online. ZTE said it confirmed the vulnerability on the Score phone, but denied it affected other models. The CrowdStrike researcher said his team analyzed the vulnerability and found the backdoor was deliberate because it was being used as a way for ZTE to update the phone’s software. It is a question, he said, of whether the purpose was malicious or just sloppy programming. While security researchers highlighted security holes in Android and other mobile operating systems, it is rare to find a vulnerability apparently inserted by the hardware manufacturer. Source:

32. May 18, Softpedia – (International) Spammers promote fake luxury goods on hijacked Joomla and WordPress sites. Security experts found many compromised WordPress and Joomla Web sites used by spammers to advertise sketchy diet pills and counterfeit luxury goods. The owners of these sites are most likely unaware of what is going on. Web masters often fail to check their sites’ subdirectories for signs of malicious files and Web pages, thus allowing cybercriminals to use the domain’s reputation to host their scams, Unmask Parasites reported. Attackers often brute-force administrator passwords to gain access to a site’s back end. Once the criminals gain access, they inject a Web shell into an existing plugin by utilizing the Theme Editor. The shell is leveraged to create a subfolder to which a WordPress installation package is uploaded. After obtaining the MySQL credentials from the wp-config.php or configuration.php files, depending on whether the site is Joomla or WordPress-based, the attacker is able to install their own theme and make a fully operational Web site. These sites represent “doorways” that point unsuspecting visitors to malicious domains. Experts discovered around 3,000 compromised Web sites that stored such doorway blogs. Reportedly, some of the blogs that advertise slimming and luxury goods were created in March 2012, but there were a few created 1 year ago. The hijacked sites also host phishing pages that try to trick users into disclosing online banking credentials and other sensitive data. Source:
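Item 32 describes two footholds a site owner can look for: a web shell injected into a plugin file, and a second "doorway" WordPress or Joomla install dropped into a subdirectory of a legitimate site. The script below is an added example written for this report, not code from Unmask Parasites, Softpedia, WordPress or Joomla. It walks a web root and reports (a) any subdirectory other than the root that contains a `wp-config.php` or `configuration.php`, and (b) any plugin PHP file that calls decode-then-execute functions typical of obfuscated shells. The site layout, the plugin contents and the list of suspicious function names are all constructed assumptions for the demonstration.

```python
"""Defender-side checks for the hijack pattern in item 32 (example code added
to this report; not from the page's source or from WordPress/Joomla)."""
import os
import re
import tempfile

# Files that mark the root of a WordPress or Joomla install.
CONFIG_FILES = {"wp-config.php", "configuration.php"}

# PHP calls that rarely appear in an honest plugin but are the building blocks
# of decode-then-execute web shells. Assumed heuristic list; tune it for your
# own code base.
SUSPICIOUS = re.compile(
    r"\b(eval|base64_decode|gzinflate|str_rot13|shell_exec|passthru|system)\s*\(",
    re.IGNORECASE,
)


def find_doorway_installs(webroot):
    """Return relative paths of every subdirectory (not the root itself) that
    holds a CMS config file. A legitimate site has one install at the root; a
    second one nested below it is the 'doorway' pattern."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        if dirpath == webroot:
            continue
        if CONFIG_FILES & set(files):
            hits.append(os.path.relpath(dirpath, webroot).replace(os.sep, "/"))
    return sorted(hits)


def scan_plugin_files(plugins_dir):
    """Return {relative_php_path: [suspicious function names]} for each PHP
    file under plugins_dir that contains at least one suspicious call."""
    findings = {}
    for dirpath, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                names = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(fh.read())})
            if names:
                rel = os.path.relpath(path, plugins_dir).replace(os.sep, "/")
                findings[rel] = names
    return findings


def run_checks(webroot):
    """Run both checks over a web root and return the findings together."""
    return {
        "doorways": find_doorway_installs(webroot),
        "plugins": scan_plugin_files(os.path.join(webroot, "wp-content", "plugins")),
    }


def _write(root, rel, text):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def build_sample_site():
    """Constructed fixture: one legitimate WordPress root, one clean plugin,
    one plugin carrying a decode-then-eval marker, and two doorway installs
    (a nested WordPress and a nested Joomla)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    _write(root, "wp-config.php", "<?php define('DB_NAME', 'wp'); ?>")
    _write(root, "wp-content/plugins/clean/clean.php",
           "<?php function clean_hello() { echo 'hi'; } ?>")
    # Marker only: the shape a shell leaves in a plugin, not a working shell.
    _write(root, "wp-content/plugins/gallery/gallery.php",
           "<?php eval(base64_decode($p)); ?>")
    _write(root, "blog2/wp-config.php", "<?php define('DB_NAME', 'wp'); ?>")
    _write(root, "wp-content/uploads/shop/configuration.php",
           "<?php class JConfig { public $dbtype = 'mysqli'; } ?>")
    return root


if __name__ == "__main__":
    for key, value in run_checks(build_sample_site()).items():
        print(key, value)
```

Run it against a real web root by replacing `build_sample_site()` with the document root path; anything it reports should be compared against a known-good copy of the site before removal. Because the item says the shell was planted through the Theme Editor, disabling that editor with `define('DISALLOW_FILE_EDIT', true);` in `wp-config.php` (a standard WordPress setting) removes that specific write path, though it does nothing against a brute-forced admin password by itself.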

33. May 17, SecurityWeek – (International) NCC Group maps source of global hack attempts during Q1. Using data collected from DShield, the NCC Group mapped out its latest report on the origin of computer hacking attempts for the first quarter of 2012. NCC noted the top 10 changed significantly since its previous report 3 months ago. Italy, France, and India dropped off the top 10 list, while the Ukraine in fifth, South Korea in ninth, and the United Kingdom made the list. Russia showed a large increase, with more than 12 percent of global hacks originating from the country, putting it in third place, behind the United States and China. There was also a rise in hacks appearing to originate from the Netherlands, up from 3.1 percent to over 11 percent, moving it into fourth place in the hacking chart. Source:

For another story, see item 8 above in the Banking and Finance Sector

Communications Sector

34. May 17, – (International) Monster sunspot’s solar flare strong enough to confuse satellites. An enormous sunspot unleashed a powerful solar flare May 16, triggering a radiation storm intense enough to interfere with some satellites orbiting Earth, space weather experts said. The flare erupted from monster sunspot complex AR 1476, which stretches about 60,000 miles from end to end, at 9:47 p.m. The flare spawned a class S2 solar radiation storm around Earth, said the Space Weather Prediction Center (SWPC), a branch of the U.S. National Oceanic and Atmospheric Administration. A SWPC description classifies S2 solar radiation storms as moderate, with the potential to cause infrequent “single-event upsets” in Earth-orbiting satellites. People aboard aircraft flying at high latitudes may also be exposed to elevated radiation levels during such events. The flare also caused limited radio blackouts on the sunlit side of Earth, SWPC researchers said, adding that the storm appears to be subsiding. Scientists described the May 16 eruption as a class M5, or intermediate, solar flare. Source:

For another story, see item 31 above in the Information Technology Sector