Friday, June 29, 2012

Complete DHS Daily Report for June 29, 2012

Daily Report

Top Stories

• United Technologies Corp and two of its subsidiaries sold China software enabling Chinese authorities to develop and produce their first modern military attack helicopter, U.S. authorities said. – Reuters

16. June 28, Reuters – (National; International) United Technologies sent military copter tech to China. United Technologies Corp and two of its subsidiaries sold China software enabling Chinese authorities to develop and produce their first modern military attack helicopter, U.S. authorities said June 28. At a federal court hearing in Bridgeport, Connecticut, United Technologies and its two subsidiaries, Pratt & Whitney Canada and Hamilton Sundstrand Corp, agreed to pay more than $75 million to the U.S. government to settle criminal and administrative charges related to the sales. As part of the settlement, Pratt & Whitney Canada agreed to plead guilty to two federal criminal charges — violating a U.S. export control law and making false statements. The charges were in connection with the export to China of U.S.-origin military software used in Pratt & Whitney Canada engines, which was used to test and develop the new Z-10 helicopter. Also as part of the deal, United Technologies and Hamilton Sundstrand admitted to making false statements to the U.S. government about the illegal exports. Hamilton Sundstrand and Pratt & Whitney Canada also admitted they failed to make timely disclosures, required by regulations, to the U.S. State Department about the exports. Source:

• Prosecutors said the brother of the leader of a massive Ponzi scheme will plead guilty June 29 to conspiracy and falsifying records and will forfeit $143 billion, for his role in a massive fraud that destroyed the savings of thousands of investors. – Associated Press See item 20 below in the Banking and Finance Sector

• Eight screeners at Newark Liberty International Airport in New Jersey were fired June 27 after they were caught on video sleeping on the job or failing to follow standard operating procedures for screening checked bags. – WNBC 4 New York

21. June 28, WNBC 4 New York – (New Jersey) 8 TSA workers fired after caught sleeping, not following procedure. Eight screeners at Newark Liberty International Airport in Newark, New Jersey, were fired June 27 after they were caught on video sleeping on the job or failing to follow standard operating procedures for screening checked bags, authorities said. The workers were all transportation security officers who worked in a bag room at Terminal B, the Transportation Security Administration said. They will not be allowed to work again for the agency. The firings are part of an investigation into security operations at Newark following a series of security breaches there in early 2011. The airport’s federal security director was replaced in April 2011. Source:

• The FBI has joined local Colorado authorities in investigating reports an arsonist may have set a wildfire that had burned more than 18,000 acres, destroyed hundreds of homes and other structures, and forced tens of thousands of people to evacuate. – CNN

56. June 28, CNN – (Colorado) Calmer winds may aid Colorado firefighters in epic battle. Calming winds could help Colorado firefighters gain ground June 28 on a wildfire that has burned more than 18,000 acres and chased 36,000 people from their homes near Colorado Springs. However, the Waldo Canyon Fire is only 5 percent contained, and it could be mid-July before it is fully under control, according to the U.S. Forest Service. Still June 28 brought some respite to crews stymied by erratic winds. The incident commander said he expected a much larger percentage of the fire contained by the end of June 28. Officials said they had not completed an inventory of homes and other structures lost or damaged by the fire. The U.S. President will travel to the Colorado Springs area June 29 to survey the damage and thank responders, the White House said. The Denver office of the FBI joined local authorities in investigating reports that the fire may have been set. The fire captured attention because of its proximity to landmarks such as Pikes Peak, the Air Force Academy, and Colorado Springs, a city of about 400,000, the State’s second largest. The Flying W Ranch, a Western-style tourist attraction in Colorado Springs, burned to the ground. Colorado wildfires had consumed 181,426 acres by June 27, according to the Colorado Division of Emergency Management. The largest of the fires was the High Park Fire, which began June 9 and has now consumed 87,284 acres, the U.S. Forest Service said. It was 75 percent contained June 27. The total number of homes burned stood at 257. An estimated $33.5 million has been spent trying to contain the fire. Source:


Banking and Finance Sector

18. June 27, Reuters – (International) U.S. bars business with four in Hezbollah laundering link. The U.S. Treasury Department June 27 banned Americans from doing business with three Lebanese-Venezuelans and a Lebanese man it accused of helping to launder drug money to the benefit of the Lebanon-based Hezbollah militant group. It also designated one Colombian-Lebanese man as a global terrorist for his involvement with Hezbollah fund-raising. The action freezes any assets the man may have in the United States and also bars Americans from doing business with him. The Treasury Department said that the group of men involved with money laundering were linked to a Lebanese drug kingpin who was indicted in December 2011 by a U.S. federal grand jury in Virginia on charges of aiding Mexican drug cartels. Source:

19. June 27, Associated Press – (National) SEC files fraud charges against hedge fund manager. Federal regulators are suing a hedge fund manager and his firm, Harbinger Capital Partners, accusing him of civil fraud for using fund money to pay his taxes and favoring some fund customers at the expense of others, the Associated Press reported June 27. The Securities and Exchange Commission (SEC) also said the manager manipulated bond prices. The SEC is seeking to ban him from serving as an officer or director of any public company, along with unspecified penalties and restitution. The agency said that from 2006 through early 2008, the manager manipulated the market for high-yield, high-risk bonds issued by a company named Maax Holdings Inc. Using two of Harbinger’s funds, he bought up large amounts of the bonds to shrink the supply on the market and drive up prices, the suit alleges. The SEC also said the manager and Harbinger secretly gave “certain strategically important investors” in the fund the right to cash out of their holdings. In exchange, the favored investors gave him and the fund permission to bar the other investors from being able to cash out, according to the SEC. Source:

20. June 27, Associated Press – (National) Ponzi scheme leader’s brother to admit guilt in multibillion-dollar fraud. The brother of the leader of a massive Ponzi scheme will plead guilty June 29 to conspiracy and falsifying records, admitting his role in the multibillion-dollar fraud that destroyed the savings of thousands of investors, prosecutors told a judge June 27. The former chief compliance officer at the private investment arm of the Ponzi leader’s business agreed to serve a decade in prison, they said. He also agreed to the criminal forfeiture of $143 billion, including all of his real estate and personal property. The $143 billion, representing the amount of money believed to have flowed through the business accounts when he was part of the multi-decade Ponzi scheme, was included in a criminal forfeiture agreement. Court papers signed by a federal judge in New York showed the man, who had worked with his brother since 1965, will plead guilty to two criminal counts, admitting his role in a conspiracy to commit securities fraud, falsify records of an investment adviser, falsify records of a broker dealer, make false filings with the Securities and Exchange Commission, commit mail fraud, and obstruct the Internal Revenue Service. Source:

For another story, see item 47 below in the Information Technology Sector

Information Technology Sector

45. June 28, Softpedia – (International) Citadel trojan upgraded to prevent virtual machine analysis. S21sec experts detected two major improvements implemented by malware authors for the Citadel trojan. Its encryption algorithm is changed, but it was also fitted with a mechanism that detects if it is executed inside a virtual machine or a sandbox. The enhancements were already seen in the wild, but they were also advertised on a Russian underground forum. The anti-emulator function is described as being able to protect the botnet against those who might want to perform reverse engineering on them. When the malware is executed, it checks to see if it is run inside applications such as CWSandbox, VMware, or Virtualbox. If it detects their presence, it does not remove itself and it does not stop from working. Instead, it begins to operate in a surreptitious manner. The trojan creates a fake domain name and attempts to connect to it. This strategy should fool the researchers into believing that the command and control (C&C) server cannot be reached and that the bot is dead. By closing all the processes related to VMware, such as vmwareuser.exe and vmwaretray.exe, experts forced the malware to begin working normally and to connect to the real C&C server. Source:

46. June 27, H Security – (International) RSA says that its tokens are secure. After a significantly improved attack on cryptographic hardware was recently reported, an RSA official said the affected SecurID 800 token is secure. The token was not cracked, and the attack is not useful, he explained, adding the attack does not allow private RSA keys to be extracted from the token. The attack does not affect tokens for creating one-time passwords. It affects multi-purpose devices with USB connections that, like smartcards, offer key and certificate storage and are capable of encrypting/decrypting data. RSA emphasized the described attack is not a new one; it is based on a well-known problem and only greatly accelerates previously existing attacks. Even the researchers themselves state the private RSA key on a token used to encrypt a message cannot be compromised using this attack. Source:

47. June 27, Infosecurity – (International) New Zitmo variant has improved functionality, better disguise. A new variant of the Zitmo malware, a mobile version of Zeus, was spotted with improved functionality and a better disguise, according to security firm Damballa. The Zitmo (Zeus in the mobile) malware has been infecting smartphones for several years. It began by infecting smartphones with the Symbian operating system, then switched to Android in 2011 when Symbian lost favor with consumers. Zitmo is used by cybercriminals in tandem with the traditional Zeus keylogging malware on PCs to steal the victim’s banking credentials and ultimately the victim’s money. Zitmo is used to intercept two-factor authentication that banks use to validate the identity of the account holder when logging in. This new variant improves Zitmo’s injection vectors, social engineering techniques, money mule methods, and infrastructure protection. The group behind the variant is the FourStreetAvengers (aka ZiMo_GroupA), Damballa explained. Source:

48. June 27, Threatpost – (International) New crimeware bot Zemra behind DDoS attacks. Zemra, a new crimeware bot that shares traits with the banking trojans Zeus and SpyEye, has been making the rounds lately, according to a recent post on Symantec’s Security Response blog. In the post, a Symantec researcher claims Zemra has been seen executing distributed denial-of-service (DDoS) attacks against organizations and aiming to extort funds as of late. Like Zeus and SpyEye before it, Zemra’s Web-based command and control panel is hosted on a remote server, allowing it to distribute commands to vulnerable computers. The bot is also capable of dynamically updating itself, monitoring devices, downloading and executing binary files, and spreading through USB devices, among other functions, Symantec said. Source:

49. June 27, ZDNet – (International) BlackHole exploit kit experimenting with ‘pseudo-random domains’ feature. According to security researchers from Symantec, the author of the market leading BlackHole Web malware exploitation kit is experimenting with a new feature offered as a trial to selected customers of his kit. Based on their analysis, the kit’s author is experimenting with a pseudo-random client-side exploits serving domain feature. The security researchers were able to decode the algorithm and are currently able to anticipate the exact domains to be registered at a future date, and consequently block access to them. Source:

50. June 26, Dark Reading – (International) New forensics method may nab insider thieves. One of the biggest challenges of forensics investigations into insider theft is that the markers computer forensics investigators use to detect most attacks are typically not present in insider cases where an employee or other authorized user has legitimate access to sensitive data. In July at Black Hat USA in Las Vegas, a presenter will introduce a new methodology that compares normal file access patterns against patterns present when files are copied to detect when insiders copy data inappropriately. Typically, said the presenter, most forensics investigations today depend upon what are called artifacts, which are essentially the markers left on a machine that leave an evidence trail. At its root, the idea behind his method is to compare the relatively random and chaotic time-of-access file usage statistics of a typical user’s machine to the orderly patterns in time-of-access made by a machine when a user makes a wholesale copy of many files at once. Source:

For more stories, see items 16 above in Top Stories and 51 and 52 below in the Communications Sector

Communications Sector

51. June 28, Associated Press – (National) Comcast agrees to pay $800K in settlement with FCC. Comcast Corp. has reached a settlement with federal regulators under which it will pay the government $800,000 and offer a broadband Internet access option to customers who do not subscribe to the cable company’s video cable services. The Federal Communications Commission (FCC) said June 27 that Comcast agreed to take those and other steps as part of a consent decree to settle an investigation by the agency into the company’s compliance with conditions of its NBCUniversal acquisition, which was completed in January 2011. Comcast, the nation’s largest cable TV company, bought a controlling interest in NBCUniversal after the FCC and the Justice Department approved the deal with conditions following a year-long review. One of the conditions called on Comcast to offer stand-alone broadband Internet access services at reasonable prices and with sufficient bandwidth to customers who don’t pay to get Comcast’s cable TV service. The agency launched an investigation after it received information suggesting that Comcast was not adequately marketing the service. Source:

52. June 27, CNET – (International) Latest hacker dump looks like Comcast, AT&T data. A group of hackers posted to the Web June 27 data that appears to include Comcast employee names, ages and salaries, as well as e-mails and passwords associated with AT&T VoIP service accounts. Proclaiming the kickoff of “#WikiBoatWednesday ... when all the members from @TheWikiBoat fight corruption, leak data, and bring down websites,” the hackers released the data in two different posts to the Pastebin Web site. One of the Twitter handles used by the group is @AnonymousWiki but the connection to the larger, decentralized collective known as “Anonymous” is unclear. As with many data dumps, it is unclear whether the data is what the hackers claim it is, whether it is current, who actually stole it, and how. Source:

For another story, see item 47 above in the Information Technology Sector