Thursday, May 24, 2012

Complete DHS Daily Report for May 24, 2012

Daily Report

Top Stories

• A new variant of SpyEye malware allows cybercriminals to monitor potential bank fraud victims by hijacking their Web cams and microphones, according to security researchers. – IDG News Service See item 10 below in the Banking and Finance Sector

• Federal investigators said a Florida man pleaded guilty to heading a multi-million dollar identity theft ring that stole thousands of credit card numbers and stretched from Florida to Canada and Eastern Europe. – WFOR 4 Miami See item 11 below in the Banking and Finance Sector

• Missouri climatologists and farmers said a quick burst of dry heat has parched plants and is threatening crops and livestock across the State. – St. Louis Post-Dispatch

19. May 23, St. Louis Post-Dispatch – (Missouri) Missouri farmers battling ‘flash drought’. Missouri climatologists and farmers are calling it a “flash drought” — a quick burst of dry heat that is parching plants and threatening the State’s crops. “It’s rapidly emerging across the state,” said the University of Missouri extension’s State climatologist May 22. “It started in the Bootheel, but over the past, two or three weeks, much of Missouri has seen negligible rain. We’ve had a lot of above-normal temperatures, low humidity and lots of sunshine. The moisture has just evaporated out of the vegetation.” The conditions threaten the State’s vulnerable, young corn crop, and could mean a tough summer for all crop producers, as well as cattle ranchers and dairy farmers. “If it stays dry for the next two to three weeks, we’re going to see some die-offs,” the climatologist said. Temperatures across Missouri were 4 to 6 degrees above normal and rainfall south of Interstate 70 is below normal for the first half of May. The Bootheel is already experiencing moderate to severe drought, but those conditions are creeping northward. This could be the second summer in a row farmers in the State have struggled with dry weather. In 2011, the U.S. Department of Agriculture designated 101 Missouri counties natural disaster areas because of drought conditions. The loss to the State’s grain farmers was an estimated $350 million, with corn farmers losing roughly 24 million bushels of yield and soybean farmers about 20 million. Cattle ranchers were particularly hard hit because grassland and hay were in short supply. Source:

• A 40-year-old jet fuel spill threatening Albuquerque, New Mexico’s water supply could be as large as 24 million gallons, environment officials said. – Associated Press

28. May 22, Associated Press – (New Mexico) New Mexico says jet fuel spill could be larger. A 40-year-old jet fuel spill threatening Albuquerque, New Mexico’s water supply could be as large as 24 million gallons, or twice the size of the oil spill from the Exxon Valdez, environment officials said May 22. They previously estimated the spill from Kirtland Air Force Base to be 8 million gallons, however, a state geologist recently estimated it could be up to three times larger. The head of the New Mexico Environment Department’s resource protection division called the newest calculation a “first-order estimate” based on new data from Air Force monitoring wells. He emphasized the calculations have not been reviewed, and said no one will really know how large the spill is until it has been remediated. He was confident the spill can be cleaned. The leak was discovered in 1999. In 2007, the Air Force found the fuel had reached the water table and was moving off the base, beneath Albuquerque neighborhoods and toward the city’s water wells. Officials believe no contamination will reach city wells for at least 5 years, and the Air Force removed about 400,000 gallons with hopes that broader remediation targeting the largest concentration of the spill could begin in summer 2012. Source:


Banking and Finance Sector

8. May 22, Dallas Morning News – (Texas; Mississippi) Richardson man known as ‘Handsome Guy Bandit’ pleads guilty in string of bank robberies. A bank robber dubbed the “Handsome Guy Bandit” for the latex mask he wore during heists has admitted his role in a spree of 11 bank robberies in Texas in 2011. He pleaded guilty May 22 to charges of brandishing a firearm during or in relation to a crime of violence and one count of using, carrying, and brandishing a firearm during or in relation to a crime of violence, according to the U.S. attorney’s office. The spree ended in December 2011 when authorities said the man walked into a Compass Bank in Richardson, Texas. Richardson officers pulled up just as he exited the bank. He opened fire on the squad car, shattering the windshield, and escaped. He turned up the next morning in Jackson County, Mississippi, where he led authorities on a chase that ended when the sheriff shot out his tire. He also committed robberies in Dallas, Plano, and Irving. Source:

9. May 22, Dow Jones Newswires – (International) Treasury says Belarus’s CredexBank is money-laundering concern. The U.S. Department of the Treasury May 22 named a Belarus-based bank as a “primary money-laundering concern,” a step that could cut off its access to the U.S. financial system. JSC CredexBank’s uncertain ownership, business activities and customers put U.S. financial institutions at risk, Treasury said. Treasury made the designation under Section 311 of the USA Patriot Act. The under secretary for terrorism and financial intelligence, in a call with reporters, said the announcement puts U.S. banks on notice to assess any exposure they have to Credex and takes steps to protect themselves. Treasury also has proposed measures to prohibit U.S. banks from conducting most transactions with Credex, cutting off access to the U.S. financial system. He said Credex had engaged in “highly suspicious” transactions, but did not say that the bank had violated any sanctions, or name any individuals who might be behind its operations. Source:

10. May 22, IDG News Service – (International) Banking malware spies on victims by hijacking webcams, microphones, researchers say. A new variant of SpyEye malware allows cybercriminals to monitor potential bank fraud victims by hijacking their Web cams and microphones, according to security researchers from Kaspersky Lab May 21. SpyEye is a computer trojan that specifically targets online banking users. Like its older cousin, Zeus, SpyEye is no longer being developed by its original author but is still widely used by cybercriminals. SpyEye’s plug-in-based architecture allows third-party malware developers to extend its original functionality, a Kaspersky Lab malware researcher said. This is exactly what happened with the new Web cam and microphone spying feature, implemented as a SpyEye plug-in called flashcamcontrol.dll, he said. As suggested by the DLL’s name, the malware accesses the two computer peripherals by leveraging Flash Player, which has Web cam and microphone control functionality built in. Under normal circumstances, users get prompted to manually allow Web sites to control their computers’ Web cam and microphone via Flash. However, the SpyEye plug-in silently whitelists a list of online banking Web sites by directly modifying Flash Player configuration files. Source:

11. May 22, WFOR 4 Miami – (Florida; International) Feds bust multi-million dollar identity theft ring. Homeland Security investigators said they found a laptop computer, a credit card reader, and other evidence in the southwest Miami-Dade, Florida home of a man accused mastermind of a multi-million dollar identity theft ring stretching from south Florida to Canada and eastern Europe, WFOR 4 Miami reported May 22. A federal agent said the man made tons of phony credit cards out of his home — realistic even down to the foil markings on the back of the card. Agents said he made the cards with thousands of stolen credit card numbers purchased from criminal groups in Canada and Eastern Europe. It is believed the stolen numbers were acquired through a myriad of ways, including home break-ins and through large scale rip-offs of data. The federal agent said the man had his employees buy prepaid gift cards with the phony credit cards, which made it more difficult to trace his operation. She said those gift cards were then sold at a discount online. Investigators believe the operation made at least $4 million. When the feds searched the man’s house, they found small bags crammed full of fraudulent credit cards and a hard drive with a trove of credit card numbers. Federal investigators said the man pleaded guilty to the charges. Source:

12. May 22, Reuters – (National) Man ordered to pay ex-partners $35 mln. The founder of a hedge fund was found May 22 to have defrauded his former partners and was ordered to pay them $35 million. The man, a one-time JPMorgan Chase & Co trader, was ordered by a Delaware Court of Chancery judge to compensate his partners for their contributions to starting Paron Capital Management LLC and for lost future earnings. According to the May 22 36-page opinion, the partners left lucrative jobs at financial firms in 2010 and teamed up with the defendant to market his quantitatively based trading program, which was producing returns of 25-38 percent. Less than a year after founding Paron, the two learned the defendant had forged account statements and investment statements and had hidden personal debts. Accounts the defendant claimed held $24 million in fact held $40, according to the judge. “Many of the representations [he] made about his track record, employment history, and personal financial situation were outright lies,” the judge wrote. The defendant filed for bankruptcy in California in February. The partners are also looking to collect from Rothstein, Kass & Co, and Yulish & Associates, which had performed independent audits of the man’s track record. Source:

Information Technology

36. May 23, The Register – (International) CompSci eggheads to map Android malware genome. Mobile security researchers are teaming up to share samples and data on malware targeting the Android platform. The Android Malware Genome Project, led by a computer science researcher at North Carolina State University, aims to boost collaboration in defending against the growing menace of mobile malware targeting smartphones from companies such as HTC and Samsung that are based on Google’s mobile operating system platform. The North Carolina State team was the first to identify dozens of Android malware programs, including DroidKungFu and GingerMaster. The project is designed to facilitate the sharing of Android malware code between security researchers, along the same lines as the long-standing malware sample sharing projects already set up by Windows antivirus software developers. The project has already collected more than 1,200 pieces of Android malware. Source:

37. May 23, H Security – (International) Wireshark updates close DoS security holes. Versions 1.6.8 and 1.4.13 of the open source Wireshark network protocol analyzer were released, fixing bugs and closing security holes. The maintenance and security updates to the cross-platform tool address three vulnerabilities that could be exploited by an attacker to cause a denial-of-service (DoS) condition. These include a memory allocation flaw in the DIAMETER dissector, infinite and large loops in eight other dissectors, and a memory alignment flaw when running on SPARC or Itanium processors. For an attack to be successful, an attacker must inject a malformed packet onto the wire or convince a victim to read a malformed packet trace file. Versions 1.4.0 to 1.4.12 and 1.6.0 to 1.6.7 are affected; upgrading to 1.4.13 or 1.6.8 corrects these problems. Source:

38. May 23, Threatpost – (International) Anatomy of a LulzSec attack ‘singles out’ Web 2.0 weakness. A new report analyzing a recent attack on a military dating site underscores the need for stronger safeguards on social networks. As part of its Hacker Intelligence Initiative, database and application security provider Imperva deconstructed a March attack by the hacker collective LulzSec on By bypassing simple checks and filters, the group was able to steal sensitive data, including passwords on more than 170,000 members of the dating site. The “reborn” group posted the attack on Pastebin March 26. The attackers took advantage of a vulnerable area in developing social applications: consumer-created content. In the case of, attackers leveraged the picture upload functionality. Hackers also took advantage of the dating site’s password management. Members’ secret codes were hashed with a weak MD5 algorithm and no additional salting to thwart a dictionary attack. Source:

39. May 22, Computerworld – (International) Windows Vista infection rates climb, says Microsoft. Microsoft said the week of May 14 that a skew toward more exploits on Windows Vista can be attributed to the demise of support for the operating system’s first service pack. Data from the company’s newest security intelligence report showed that in the second half of 2011, Vista Service Pack 1 (SP1) was 17 percent more likely to be infected by malware than Windows XP SP3, the final upgrade to the nearly 11-year-old operating system. That is counter to the usual trend, which holds that newer editions of Windows are more secure, and thus exploited at a lower rate, than older versions such as XP. Some editions of Windows 7, for example, boast an infection rate half that of XP. The director of Microsoft’s Trustworthy Computing group attributed the rise of successful attacks on Vista SP1 to the edition’s retirement from security support. Microsoft stopped delivering patches for Vista SP1 in July 2011. For the bulk of the reporting period, then, Vista SP2 users did not receive fixes to flaws, including some that were later exploited by criminals. Vista SP2 will continue to be patched until mid-April 2017. Source:

40. May 22, CNET News – (International) Google will alert users to DNSChanger malware infection. Google began to notify about half a million people their computers are infected with the DNSChanger malware. The effort, which began May 22, is designed to let those people know their Internet connections will stop working July 9, when temporary servers set up by the FBI to help DNSChanger victims are scheduled to be disconnected. “The warning will be at the top of the search results page for regular searches and image searches and news searches,” a Google security engineer said. Source:

41. May 22, TechSpot – (International) Blizzard: account theft increase normal, hacking not issue. Blizzard responded to the recent upswing of stolen accounts since the release of Diablo III. Although critics might be tempted to blame Blizzard’s security, the game company said every complaint it investigated led to a single conclusion: the thief had the user’s password. Although the true origins of recent account intrusions remain uncertain, it is highly probable that phishing, untrustworthy third-party software, and poorly protected passwords led to unauthorized account access. Source:

42. May 22, Dark Reading – (International) Malware ‘licensing’ could stymie automated analysis. The Flashback trojan, which started spreading in September 2011, consists of a number of components, including a downloader that infects systems and modules fetched from Internet hosts to add functionality to the trojan. Such a division of labor is standard for botnets and trojan downloaders. However, the attack tool’s use of encryption to bind downloaded modules to the infected system — similar to how digital-rights-protected content is licensed and bound to a single playback device — is new. The problem for security firms and researchers is that encrypted malware makes automated malware analysis much harder, said a research scientist at the Georgia Institute of Technology’s Information Security Center. Source:

For more stories, see items 10 and 11 above in the Banking and Finance Sector

Communications Sector

See items 36 and 38 above in the Information Technology Sector