Tuesday, August 14, 2012 

Daily Report

Top Stories
 • A man whose jet ski failed him in New York’s Jamaica Bay swam to John F. Kennedy International Airport in New York City, where officials said he was easily able to penetrate the airport’s state-of-the-art security system. – ABC News

17. August 13, ABC News – (New York) Jet skier breaks through JFK Airport’s $100 million security system. A man whose jet ski failed him in New York’s Jamaica Bay swam to John F. Kennedy International Airport (JFK) in New York City, where he was easily able to penetrate the airport’s state-of-the-art security system. He was able to swim up to and enter the airport grounds August 10, past an intricate system of motion sensors and closed-circuit cameras designed to safeguard against terrorists, authorities said. The man climbed an 8-foot barbed-wire perimeter fence and walked undetected through the airport’s Perimeter Intrusion Detection System and across two runways into Delta’s terminal 3. He was eventually spotted by a Delta employee, and police charged him with criminal trespassing. Port Authority of New York and New Jersey officials responded saying they “took immediate action to increase its police presence with round the clock patrols of the facility’s perimeter and increased patrols by boat of the surrounding waterway.” In 2011 at JFK, there was a huge uproar over the same perimeter fence, when it was knocked out by weather and remained down for days. Source: http://abcnews.go.com/US/jet-skier-breaks-jfk-airports-100-million-security/story?id=16992190#.UCkNpqDl-ra

 • Three people were killed and many others were injured after a gunman opened fire blocks away from Texas A&M University August 13 in College Station, Texas. – Raycom News Network

35. August 13, Raycom News Network – (Texas) Officer, suspect among 3 killed in shooting near Texas A&M. Three people have been killed and many others were injured after a gunman opened fire just blocks away from Texas A&M University August 13 in College Station, Texas. Police confirm two have died, including one civilian and a constable. TV stations KBTX 3 Bryan/College Station and KHOU 11 Houston reported the suspect had also been killed, citing the College Station Police Department (CSPD). Witnesses told KBTX the constable arrived to evict the shooter from his home. Other responding officers were met with gunfire. A CSPD spokesman said those officers called for backup and ended up shooting the gunman. One officer was shot in the leg and was in stable condition. A third officer suffered non-life threatening injuries, and a second civilian was in surgery because of her wounds. Witness reports indicated the scene was active for about half an hour. Police said the area, which was just blocks from campus and near Kyle Field, the football stadium, was secured. Source: http://www.wbtv.com/story/19265000/multiple-shot-near-texas-am-1-person-in-custody

 • A West Frankfort, Illinois man who allegedly threatened to take the life of police officers and blow up a police station was arrested in possession of homemade explosive devices, firearms, and ammunition. – Carbondale Southern Illinoisan

41. August 11, Carbondale Southern Illinoisan – (Illinois) Cops: Explosives, guns found after threats. A West Frankfort, Illinois man who allegedly threatened to take the life of police officers and blow up a police station was arrested August 9 in possession of homemade explosive devices, firearms, and ammunition, the West Frankfort police chief said. He was charged with weapons and explosive-related offenses after police were tipped off August 9. The investigation by police led to his arrest in a vehicle. Two homemade explosive devices were found inside the vehicle, the chief said. When officers served a search warrant at his home, they found another homemade explosive device. Several items associated with manufacturing explosive devices were located and seized. Several firearms including handguns, shotguns, and assault-style rifles, as well as several hundred rounds of ammunition also were seized. While the firearms appeared to be legal, attachments made to some of them were not legal, the chief said. The suspect also did not have a state-required valid firearm owner ID card. He was taken to Franklin County Jail and charged with weapons and explosive-related offenses. Source: http://thesouthern.com/news/local/cops-explosives-guns-found-after-threats/article_8bc1f6b0-e36c-11e1-9310-0019bb2963f4.html

 • Two former U.S. Border Patrol agents face 50 years in prison and millions in fines after they were found guilty August 10 of smuggling hundreds of people into the United States in Border Patrol vehicles. – Associated Press

42. August 10, Associated Press – (International) Border agents accused in smuggling ring convicted. Two former U.S. Border Patrol agents were found guilty August 10 of smuggling hundreds of people into the United States in Border Patrol vehicles. They were convicted on charges that they brought illegal immigrants into the country for money and received bribes as public officials, and on counts of conspiracy to launder money. Prosecutors said one agent started a ring that smuggled in Mexicans and Brazilians and made his older brother, a fellow agent, one of his first recruits. Both brothers pleaded not guilty in one of the highest-profile corruption cases to sting the Border Patrol since it went on a hiring spree during the last decade. The brothers were scheduled to be sentenced November 16. They face a maximum of 50 years in prison and at least $1.25 million in penalties. Another defendant in the case was also found guilty August 10 of charges of smuggling illegal immigrants for money, bringing illegal immigrants into the United States, and conspiracy to launder money. Source: http://www.ktul.com/story/19251528/guilty-verdict-in-border-patrol-smuggling-case


Banking and Finance Sector

11. August 13, Help Net Security – (International) Nationwide phishing emails hit inboxes. Customers of Nationwide Building Society, a British mutual financial institution and the largest building society in the world, are being targeted with phishing emails purportedly coming from the company, GFI Labs reported August 13. The emails ask recipients to either validate their Internet banking profile or to solve an “unusual conflict between the customer number and profile details associated with their account.” If they follow the offered links, the victims are redirected through many compromised sites to one that hosts the phishing page designed to look like it belongs to Nationwide. They are then asked to share security information that will allow the phishers to compromise their account. Source: http://www.net-security.org/secworld.php?id=13417

12. August 11, Minneapolis Star Tribune – (Minnesota) No bomb, but threat shook up part of downtown. The actions of a man whom police described as “disgruntled” triggered a midday disruption August 10 along Nicollet Mall in Minneapolis, Minnesota. The man, who had a book bag with him, entered the M&I Bank and said he had either a bomb, a gun, or both, police said. The alleged bomb threat and apprehension prompted the evacuation of Gaviidae Common and the closure of several surrounding streets for about an hour. The suspect was being held in the Hennepin County jail on suspicion of kidnapping and terroristic threats, said a Minneapolis police spokesman. He did not have a bomb or gun, the spokesman said. The incident began earlier that day, when the suspect went to the studios of WCCO 4 Minneapolis and was turned away after asking to speak with a reporter. Soon afterward, the station reported, a man believed to be the same person called WCCO and repeated his request to speak with a reporter. He added that if his story was not heard, the station would hear about it. Source: http://www.startribune.com/local/minneapolis/165748606.html?refer=y

13. August 10, V3.co.uk – (International) Zeus-like Dorifel malware spotted in Europe. A malware infection believed to be linked to the Zeus crimeware family has been reported on systems in Europe, V3.co.uk reported August 10. Kaspersky Lab said the attack, known as “Dorifel,” displays a pattern of odd behavior such as encrypting downloaded information and establishing secured network connections. Researchers are not sure of the exact aim of the infection or its behaviors, but Kaspersky Lab believes the attack is financial in nature and possibly related to Zeus. Researchers studying the infection found that servers hosting the control components for Dorifel hosted a number of other malware attacks and also stored stolen financial data. Kaspersky Lab said that thus far most of Dorifel’s attacks have occurred in the Netherlands, though infections have been spotted throughout Europe. Source: http://www.v3.co.uk/v3-uk/news/2198222/zueslike-dorifel-malware-spotted-in-europe

14. August 10, New Castle News Journal – (Delaware) Discover employee faces terroristic threatening, criminal trespassing charges. An employee who was told not to return to work after being reprimanded was arrested August 9 after he showed up on Discover Card Bank property in New Castle, Delaware, New Castle County police said in a release. He was charged with felony terroristic threatening, terroristic threatening, criminal trespassing, and possession of marijuana, said a police official. The incident forced the evacuation of employees in the building after a report that an employee was on the property and possibly was armed with an AK-47. The suspect was on the top deck of the garage headed for the front door, the official said. Bomb dogs were called to the scene to sweep his vehicle because he had allegedly mentioned to a colleague about bringing an AK-47 to work and shooting the place up. Officers learned the suspect had been placed on administrative leave August 8 because of an unreported incident in which he allegedly threatened an employee. As a result of that, the suspect was told not to return to work or enter the property until he was contacted by the company. Upon seeing him on the property the morning of August 9, security personnel placed the building on lockdown as a precaution and notified police. Source: http://www.delawareonline.com/article/20120810/NEWS01/308100077/Discover-employee-faces-terroristic-threatening-criminal-trespassing-charges?odyssey=tab|topnews|text|Home

15. August 10, IT PRO – (International) Trusteer hails discovery of ‘Son of Silon’ financial malware. Security vendor Trusteer uncovered a type of financial malware that it claims is capable of avoiding detection by most types of anti-virus software, IT PRO reported August 10. The Trojan, dubbed Tilon, uses the so-called ‘Man in the Browser’ (MitB) technique: The malware injects itself into the software and is then in full control of the traffic traveling between the browser and the Web server. “[Tilon] has an impressive list of supported browsers — Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and probably others,” said the chief technology officer at Trusteer. Tilon, which is related to the Silon malware Trusteer detected in 2009, is specifically targeted at online banking customers protected by two-factor authentication systems, according to the security expert. It is able to gain access to all log-in credentials and transactions, the company said, by capturing all form submissions and sending them to its command and control server. The firm claims Tilon shares similarities with other financial malware, such as Zeus, SpyEye and Shylock, but it is its evasion mechanisms that make it stand out. Source: http://www.itpro.co.uk/642223/trusteer-hails-discovery-of-son-of-silon-financial-malware

16. August 9, Queens Times Ledger – (Pennsylvania) FBI arrests Bayside man for alleged death threats. The FBI arrested a Bayside, New York man August 7 for allegedly threatening to kill employees of a Pennsylvania bank, authorities said. According to a criminal complaint filed by an FBI agent, the man faxed a threatening note to a Sovereign Bank in Pottsville, Pennsylvania. An FBI agent said the man held a loan with the bank that may have blocked him from selling his home while he still owed about $179,000 on the loan. Law enforcement officials had reason to take his threats seriously as he also had a shotgun registered in his name, the criminal complaint said. “The 2nd Amendment to the National Constitution authorized the use of deadly force to protect my interests as a national citizen,” the suspect said in the faxed letter in which he tried to terminate the loan he owed. “I believe I have a basis to act in that manner.” At his arraignment in Brooklyn federal court August 8, the judge refused his requests to represent himself and ruled he was a danger to the community and was to be held without bail. According to the FBI, the man identifies himself as part of the sovereign citizen movement. Source: http://www.timesledger.com/stories/2012/32/chung_web_2012_08_09_q.html

Information Technology Sector

45. August 13, ZDNet – (International) Blizzard passwords could be theoretically reverse engineered. As a researcher explained on his blog, the information stolen from Blizzard is likely to be the server-side database used as part of the Secure Remote Password (SRP) protocol. If Blizzard’s implementation of SRP is standard, its stolen SRP database contains the username and salts for each account and their hashed password verifiers. In his post, the researcher drew on a previous paper, written by a leading researcher of SRP, who stated if certain data were known — such as the password verifiers that were stolen from Blizzard — an attacker would be able to perform a dictionary attack. Although an attacker cannot “unhash” the information, in simplistic terms, they can still attempt to combine a username with a dictionary list of common passwords, and then attempt to use the salts in the database to generate a verifier. These generated verifiers can then be matched up against stolen verifiers. The presence of the salts in the stolen information means the additional strength normally provided to mitigate weak passwords is hampered. Additionally, Blizzard passwords are case-insensitive, which significantly reduces the number of passwords that must be tested. Source: http://www.zdnet.com/blizzard-passwords-could-be-theoretically-reverse-engineered-7000002497/
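
Why a verifier table like the one described in item 45 has to be protected like a password file, shown as an added example (not code from the researcher's blog or from Blizzard): a weak-password audit that recomputes SRP-style verifiers from each record's own salt, plus the search-space reduction caused by ignoring case. The toy modulus, SHA-1, the upper-casing rule, the account names and the word list are all assumptions constructed for illustration.

```python
import hashlib

# Toy group so the example stays short: NOT a real SRP group (assumption).
# Production SRP uses large safe-prime groups such as those in RFC 5054.
N = 2**127 - 1  # a Mersenne prime, illustration only
G = 3


def _h(*parts: bytes) -> bytes:
    return hashlib.sha1(b"".join(parts)).digest()


def make_verifier(username: str, password: str, salt: bytes,
                  fold_case: bool = True) -> int:
    """SRP-style verifier: v = g^x mod N, x = H(salt | H(user ":" password))."""
    if fold_case:
        password = password.upper()  # assumed model of case-insensitive passwords
    x = int.from_bytes(_h(salt, _h(f"{username}:{password}".encode())), "big")
    return pow(G, x, N)


def audit_verifiers(records, wordlist):
    """Return {username: word} for accounts whose verifier a listed word reproduces.

    Each record is (username, salt, verifier), the fields the item says the
    server-side table holds. No login attempt is involved at any point.
    """
    weak = {}
    for username, salt, verifier in records:
        for word in wordlist:
            if make_verifier(username, word, salt) == verifier:
                weak[username] = word
                break
    return weak


def keyspace_ratio(length: int, mixed: int = 62, folded: int = 36) -> float:
    """Factor by which the alphanumeric search space shrinks when case is ignored."""
    return (mixed / folded) ** length


# Constructed sample table: two made-up accounts with fixed salts.
SALT_A = bytes.fromhex("a1" * 16)
SALT_B = bytes.fromhex("b2" * 16)
SAMPLE_RECORDS = [
    ("alice", SALT_A, make_verifier("alice", "Dragon2012", SALT_A)),
    ("bob", SALT_B, make_verifier("bob", "t9#Lq7vX!m2RzK4w", SALT_B)),
]
COMMON_WORDS = ["password", "letmein", "dragon2012", "qwerty123"]  # constructed

if __name__ == "__main__":
    print(audit_verifiers(SAMPLE_RECORDS, COMMON_WORDS))
    print(round(keyspace_ratio(8), 1))
```

The per-account salt only rules out precomputed tables; once salt and verifier sit in the same record, each guess costs two hashes and one modular exponentiation, so only the strength of the password itself limits the search.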

46. August 13, IDG News Service – (International) Swiss scientists develop algorithm to sniff out source of malware, spam attacks. Swiss scientists developed an algorithm that can be used to locate spammers as well as the source of a computer virus or malware. The algorithm finds the source by only checking a small percentage of the connections in a network, said a postdoctoral researcher at the Audiovisual Communications Laboratory of the Swiss Federal Institute of Technology August 13. If a researcher would like to find the source of a virus, malware, or spam-attack, it is impossible to track the status of all nodes on the Internet, he said. Instead, he and his colleagues devised an algorithm that shows it is possible to estimate the location of the source from measurements collected by sparsely placed observers or sensors. By using the algorithm, the specific computer in the network from which the spam mail is being sent can be found so the network provider can shut it down, for instance, he said. Using the same method, the first computer where a virus was injected could be pinpointed, he added. Source: http://www.computerworld.com/s/article/9230199/Swiss_scientists_develop_algorithm_to_sniff_out_source_of_malware_spam_attacks

47. August 13, Softpedia – (International) ‘Fusking’ exposes private Photobucket pictures. Photobucket is not as popular as it used to be, but it is still used by a number of Internet users, and it is also utilized by Twitter for hosting images. It was discovered that there is a serious vulnerability in the service that allows almost anyone to gain access to private pictures. According to BuzzFeed FWD, all an attacker needs is a fusking application — a piece of software able to extract images from a Web page. The issue is not entirely new — it has been used on many occasions to obtain adult pictures from the accounts of unsuspecting female users. Many of the “secret” pictures posted on 4chan are obtained by using these methods and several tutorials on how they can be obtained are posted, some of them dating as far back as 2009. However, many people are unaware of the issue, and Photobucket has not done much to mitigate the vulnerability. Source: http://news.softpedia.com/news/Fusking-Exposes-Private-Photobucket-Pictures-286317.shtml

48. August 10, Threatpost – (International) Researchers release detection tool for Gauss malware’s Palida Narrow font. One of the many mysteries around the discovery of the Gauss malware is why the tool installs a new font called Palida Narrow on infected machines. Researchers have been unable to figure out yet what the purpose of the font is, but as its presence on a PC is a good indicator of a Gauss infection, CrySyS Lab and Kaspersky Lab released a tool to detect it August 10. The detection tool can be found on the Securelist site and also on the CrySyS Lab site. The two main questions surrounding Gauss are why Palida Narrow is installed, and what is inside the encrypted payload Gauss installs on infected machines. Researchers have many theories, with one being that Palida Narrow is used as a kind of brand to mark infected PCs for command-and-control servers. Source: http://threatpost.com/en_us/blogs/researchers-release-detection-tool-gauss-malwares-palida-narrow-font-081012

49. August 10, Krebs on Security – (International) ‘Booter shells’ turn Web sites into weapons. Hacked Web sites are not just used for hosting malware anymore. Increasingly, they are being retrofitted with tools that let miscreants harness the compromised site’s raw server power for attacks aimed at knocking other sites offline. It has long been standard practice for Web site hackers to leave behind a Web-based “shell,” a tiny “backdoor” program that lets them add, delete, and run files on a compromised server. However, in a growing number of Web site break-ins, the trespassers also are leaving behind simple tools called “booter shells,” which allow the miscreants to launch future denial-of-service attacks without the need for vast networks of infected zombie computers. According to Prolexic, with booter shells distributed denial-of-service attacks can be launched more readily and can cause more damage, with far fewer machines. Source: http://krebsonsecurity.com/2012/08/booter-shells-turn-web-sites-into-weapons/

50. August 10, Quincy Patriot Ledger – (Massachusetts) Hazmat and FBI officials investigate suspicious letter. HAZMAT and FBI officials began a formal investigation after a letter containing a powdery substance was received August 10 at NTT DATA, in Rockland, Massachusetts. The powder was tested on-site and initially determined to be benign, but was sent to the HAZMAT lab in Boston for further testing. It could take up to 5 days to obtain results. A Rockland Police lieutenant said the letter was addressed to a specific employee at the company. He described the letter as “somewhat threatening in nature.” The building was evacuated. The FBI plans to conduct a forensic investigation. Source: http://www.patriotledger.com/topstories/x181548295/Hazmat-and-FBI-officials-investigate-suspicious-letter

For more stories, see items 13 and 15 above in the Banking and Finance Sector

Communications Sector

See item 47 above in the Information Technology Sector