counterintelligence and cyber news and views - advantage sci


Advantage SCI 222 N. Sepulveda Blvd Suite 1780 El Segundo CA 90245 310.536.9876

COUNTERINTELLIGENCE AND CYBER NEWS AND VIEWS

JANUARY 1 2012

VOLUME 1 ISSUE 1

TABLE OF CONTENTS

ABOUT THIS NEWSLETTER 2

This is Our Inaugural Edition! 2

COUNTERINTELLIGENCE (CI) AND CYBERTRENDS 3

Cyber Alerts for Parents & Kids Tip #1: Be Prudent When Posting Images Online 3

ARRESTS, TRIALS AND CONVICTIONS 5

Chinese National Sentenced to 87 Months for Economic Espionage 5

Coos Bay Company, Its Owner and Six Employees Indicted for Fraud on Defense Contracts 6

Korean Firm Accused of Illegal US Military Exports 7

San Antonio Man Pleads Guilty to Attempting to Export Sensitive Military Equipment 8

TECHNIQUES, METHODS, TARGETS 9

Treasury Designates 10 Shipping Companies and Chief Executive Tied to IRISL and Irano Hind 9

CYBER, HACKING, DATA THEFT, COMPUTER INTRUSIONS AND RELATED 11

Fraud Alert Involving Unauthorized Wire Transfers to China 11

The Dangerous Side of Online Romance Scams 13

Sixteen Persons Charged in International Internet Fraud Scheme 14

Cyber Related Threats Reported in the DHS Daily Open Source Infrastructure Report 16

THE “LIGHTER” SIDE 20

PRODUCTS, SERVICES AND PRESENTATIONS 21

NOTE: Much of the information contained within this newsletter originates from websites maintained by agencies of the U.S. Federal Government. The original web address from which material has been derived is posted at the beginning of each reproduced article. Readers are always encouraged to visit that web address in order to view the article in its original form. This newsletter also contains commentary from the editor of the newsletter. Such commentary is solely the opinion of the newsletter editor and does not represent the views of the U.S. Government, nor of the agency originally presenting this information on the internet. Questions or comments may be directed to the editor at [email protected] or to Richard Haidle at 310-536-9876 x237


ABOUT THIS NEWSLETTER

This is Our Inaugural Edition! Welcome to the first issue of the Advantage SCI Counterintelligence and Cyber News and Views.

This newsletter will compile, on a monthly basis, news pertaining to Counterintelligence (CI), Cyber, Security, Foreign Intelligence Collection and other information of general interest.

The intended audience for this newsletter includes Facility Security Officers, Security Managers, Security Trainers and Educators, and other individuals associated with providing security services.

Of equal importance, this newsletter is also designed to serve as an educational tool to inform ALL employees of the threat environment they face on a daily basis. By using actual examples of arrests for violations of National Security laws, cyber crime and the like, employees will see how these threats most frequently manifest themselves.

The information within this newsletter is valid whether employees are working under the purview of the National Industrial Security Program Operating Manual (NISPOM) or within businesses and organizations possessing proprietary information or intellectual property of an unclassified nature.

As reported by the National Counterintelligence Executive (www.NCIX.gov) in its Report to Congress on Foreign Economic Collection and Industrial Espionage, 2009-2011, the threat from countries such as China targets not only classified information, but proprietary information as well. This is demonstrated by the following example from the report:

Data exist in some specific cases on the damage that economic espionage or theft of trade secrets has inflicted on individual companies. For example, an employee of Valspar Corporation unlawfully downloaded proprietary paint formulas valued at $20 million, which he intended to take to a new job in China, according to press reports. This theft represented about one-eighth of Valspar’s reported profits in 2009, the year the employee was arrested.

As a new product, the newsletter will be a work in progress. We will strive to bring you information that is relevant and useful in your daily planning or in keeping your work force up to date on the challenges they face in protecting information. Your suggestions for future content, or comments on the content of this and future issues, are always welcome.

By way of background, this newsletter is edited by a retired FBI agent/supervisor with over 33 years of experience in the counterintelligence and espionage arena. The selection of articles included within the newsletter will be based not only on what is of high visibility in the news, but also on what the editor deems relevant (based on his personal experience) for employees to know. Articles that illustrate points not always apparent from a news point of view are included because employees need to be aware of a particular threat, trend, methodology or target being used or attacked.

From time to time we will also publish articles providing commentary on events unfolding in the news, and try to explain the relevance of certain events and how they could impact employees of various organizations, businesses or entities.

Finally, based on the experience available from employees of Advantage SCI, in the very near future we will offer a diverse suite of services specific to NISPOM and other regulatory requirements and mandates. Advantage SCI’s consulting and training staff includes retired FBI agents, Cyber Security professionals, TSCM Technicians, former DoD Counterintelligence agents, DoD Special Security Office personnel, retired Law Enforcement officers, and Special Operations Forces. We will be addressing the availability of potential services in future issues.


COUNTERINTELLIGENCE (CI) AND CYBERTRENDS

Cyber Alerts for Parents & Kids Tip #1: Be Prudent When Posting Images Online

The following, reprinted from the FBI’s public website (located at the hyperlink below), discusses the issue of geo-coordinates being embedded within photographs taken with smart phones and other cameras capable of generating location information when taking a photograph.

The perspective of the author of the below article is that of protecting children from child predators. However, the issue of geo-coordinates embedded in photographs has applicability across a wide spectrum of personal safety issues. For example, photographs taken at sensitive sites or locations could be used by terrorists or insurgents to target an otherwise unknown location for an attack. Individuals photographing high value personal possessions could be unwittingly targeting themselves for a burglary or theft.

Accordingly, the tips included in the below article are relevant for all users of smart phone cameras, for their consideration of personal security.

http://www.fbi.gov/news/stories/2011/december/cyber_122211/cyber_122211

Geo-coordinates are embedded in the above image, which was transmitted via a smartphone. The data make it easy to plot the sender’s location on a map.

Disabling the Location Function

Disabling the photo geo-tagging function on mobile phones varies by manufacturer, but is generally a straightforward process. On one of the most popular models, users can simply navigate to the following folders:

Settings > General > Location services

The path to location-based services options varies from phone to phone. Users should take special care when enabling or disabling location services (which may include navigation functions), or disabling applications (like photos) accessing the GPS data. Consult your phone manufacturer’s guidelines for more information.


12/22/2011

With the explosive popularity of smartphones and social media platforms, sharing photos has never been easier. Millions of pictures are uploaded to the web every day, and camera-enabled mobile phones are the perennial top-selling consumer electronic devices. So it’s a safe bet that even more photos will be cropping up on image-hosting communities and personal websites.

But what exactly is being shared?

In some cases, you might unwittingly be letting others know where you live and work and your travel patterns and habits. These details can be revealed through bits of information embedded in images taken with smartphones and some digital cameras and then shared on public websites. The information, called metadata, often includes the times, dates, and geographical coordinates (latitude and longitude) where images are taken.

While the geospatial data can be helpful in myriad web applications that plot image locations, it also opens a door for criminals, including burglars, stalkers, and predators. It’s not a stretch to imagine young teens’ images of their ventures to the mall or beach being culled by web predators and meticulously plotted on online maps.

“It’s not something we think is happening. We know it’s happening,” said Kevin Gutfleish, head of the Innocent Images Intelligence Unit in the FBI’s Cyber Division. The unit provides analysis and assessments of emerging threats for the operational arm of the Innocent Images National Initiative, which targets child pornography and sexual predators.

“The way that images are being posted in real time allows others who have access to see the metadata and see where the photos were taken and reveal their location at that time,” Gutfleish said.

An intelligence analyst in the FBI Criminal Division’s Crimes Against Children Unit said these details can reveal a “pattern of life,” particularly when images posted over time are clustered in geographic locations.

“It doesn’t have to be in real time to be dangerous,” said the analyst. “Historical data can tell you a lot about individuals’ day-to-day habits and may indicate where they are most likely to be at a certain time.”

Some popular social media sites automatically scrub metadata from images before they are published. On the other hand, some leverage the data to display location information beside the images. An amateur sleuth could easily pinpoint a location using the available latitude and longitude coordinates.

“Even if they don’t intentionally say where they are, the photos could reveal that,” Gutfleish said. “And that could present a potential danger.”

Gutfleish said he has seen an increase in intelligence reports and complaints about the potential misuse of the metadata embedded in photos. He said the proliferation of online tools that aggregate personal information from social networking and image hosting sites is enough to urge a level of caution.

He suggests mobile phone users at the very least check the “options” or “settings” on their phones (and any applicable mobile applications) to see if they are sharing location information. In many cases, the default setting is to share location information.

“It’s just a best-practice if you don’t want to give out your location,” Gutfleish says. “We simply want to make sure people know this is happening.”

This story is the first in an occasional series aimed at providing practical web advice and tips for parents and their kids.
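As an added illustration of the metadata the FBI article describes (editor's example, not part of the FBI story or of the newsletter), the following Python script builds a constructed JPEG whose Exif APP1 segment carries the GPS latitude/longitude tags a smartphone writes, reads the coordinates back the way a location-plotting site would, and strips the Exif segment before the file is shared. The JPEG is a minimal stand-in with no real picture data, the coordinates are sample values rather than a real location, and all function names are this example's own.

```python
import struct

# Exif tag numbers used below (from the TIFF/Exif specification)
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed input: a minimal JPEG (SOI, APP1 Exif, COM, EOI) whose Exif block holds
    only a GPS IFD. lat_dms/lon_dms are three (num, den) rationals: degrees, minutes, seconds."""
    tiff = b"II" + struct.pack("<HI", 42, 8)                  # little-endian TIFF header, IFD0 at 8
    gps_ifd_off = 8 + (2 + 12 + 4)                             # IFD0: count, one entry, next-IFD link
    ifd0 = (struct.pack("<H", 1)
            + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, gps_ifd_off)   # type 4 = LONG
            + struct.pack("<I", 0))
    data_off = gps_ifd_off + (2 + 12 * 4 + 4)                  # rationals are stored after the GPS IFD
    lat_data = b"".join(struct.pack("<II", n, d) for n, d in lat_dms)
    lon_data = b"".join(struct.pack("<II", n, d) for n, d in lon_dms)
    entries = b"".join([
        struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\x00" * 3,  # ASCII fits inline
        struct.pack("<HHII", GPS_LAT, 5, 3, data_off),                            # type 5 = RATIONAL
        struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\x00" * 3,
        struct.pack("<HHII", GPS_LON, 5, 3, data_off + len(lat_data)),
    ])
    gps_ifd = struct.pack("<H", 4) + entries + struct.pack("<I", 0)
    exif = b"Exif\x00\x00" + tiff + ifd0 + gps_ifd + lat_data + lon_data
    app1 = b"\xff\xe1" + struct.pack(">H", len(exif) + 2) + exif
    comment = b"\xff\xfe" + struct.pack(">H", 2 + 5) + b"dummy"  # stands in for picture data
    return b"\xff\xd8" + app1 + comment + b"\xff\xd9"


def segments(jpeg):
    """Yield (marker, raw_bytes) per JPEG segment; everything from SOS onward is one item."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    yield 0xD8, jpeg[:2]
    pos = 2
    while pos < len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt segment at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xDA:                                     # start of scan: picture data to the end
            yield marker, jpeg[pos:]
            return
        if marker == 0xD9 or 0xD0 <= marker <= 0xD7:           # standalone markers carry no length
            yield marker, jpeg[pos:pos + 2]
            pos += 2
            continue
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length


def is_exif(marker, raw):
    return marker == 0xE1 and raw[4:10] == b"Exif\x00\x00"


def find_exif(jpeg):
    """Return the TIFF block inside the first APP1 Exif segment, or None."""
    for marker, raw in segments(jpeg):
        if is_exif(marker, raw):
            return raw[10:]
    return None


def strip_exif(jpeg):
    """Copy of the JPEG with every APP1 Exif segment removed; picture data is untouched."""
    return b"".join(raw for marker, raw in segments(jpeg) if not is_exif(marker, raw))


def read_ifd(tiff, offset, end):
    n = struct.unpack(end + "H", tiff[offset:offset + 2])[0]
    entries = {}                                               # tag -> (type, count, value/offset bytes)
    for i in range(n):
        e = offset + 2 + 12 * i
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        entries[tag] = (typ, count, tiff[e + 8:e + 12])
    return entries


def gps_coordinates(tiff):
    """Decimal (lat, lon) from the GPS IFD, or None when the photo carries no position."""
    end = "<" if tiff[:2] == b"II" else ">"                   # byte-order flag
    ifd0 = read_ifd(tiff, struct.unpack(end + "I", tiff[4:8])[0], end)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = read_ifd(tiff, struct.unpack(end + "I", ifd0[GPS_IFD_POINTER][2])[0], end)
    if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
        return None

    def dms_to_decimal(tag):
        _, count, val = gps[tag]
        off = struct.unpack(end + "I", val)[0]                # rationals live at this offset
        v = struct.unpack(end + "II" * count, tiff[off:off + 8 * count])
        deg, mins, secs = (v[i] / v[i + 1] for i in range(0, 2 * count, 2))
        return deg + mins / 60 + secs / 3600

    lat = dms_to_decimal(GPS_LAT) * (-1 if gps[GPS_LAT_REF][2][:1] == b"S" else 1)
    lon = dms_to_decimal(GPS_LON) * (-1 if gps[GPS_LON_REF][2][:1] == b"W" else 1)
    return round(lat, 6), round(lon, 6)


def photo_location(jpeg):
    tiff = find_exif(jpeg)                                     # what a location-plotting site sees
    return gps_coordinates(tiff) if tiff else None
```

Running `photo_location` on a real photo from a phone with location services enabled returns the embedded position; running it on the output of `strip_exif` returns None, which is the state a file should be in before it is posted.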


ARRESTS, TRIALS AND CONVICTIONS

Chinese National Sentenced to 87 Months for Economic Espionage
http://www.usdoj.gov/usao/ins/[email protected]

HOGSETT ANNOUNCES THAT CHINESE NATIONAL SENTENCED TO 87 MONTHS FOR ECONOMIC ESPIONAGE
Successful conclusion of Indiana’s first prosecution for foreign economic espionage

PRESS RELEASE

FOR IMMEDIATE RELEASE CONTACT: TIM HORTY (317) 229-2409

Wednesday, December 21, 2011

INDIANAPOLIS – Joseph H. Hogsett, United States Attorney, announced today that Kexue Huang, 46, a Chinese national and a former resident of Carmel, has been sentenced by U.S. District Judge William T. Lawrence to 87 months (7 years, 3 months) in federal prison following his guilty pleas to one count of economic espionage to benefit a component of the Chinese government and one count of theft of trade secrets.

“The United States Attorney’s Office takes seriously its obligation to protect Hoosier businesses from economic espionage,” Hogsett said. “I thank the federal agents and prosecutors who helped bring this landmark case to a successful conclusion.”

This is the first trade secret prosecution in Indiana under a provision of the Economic Espionage Act that prohibits trade secret theft intended to benefit a component of a foreign government. Since its enactment in 1996, there have been a total of eight such cases charged nationwide under the Economic Espionage Act.

In July 2010, Huang was charged in an indictment filed in the Southern District of Indiana for misappropriating and transporting trade secrets to the People's Republic of China (PRC) while working as a research scientist at Dow AgroSciences LLC. Today, a separate indictment filed in the District of Minnesota was unsealed, charging Huang with stealing a trade secret from a second company, Cargill Inc.

According to court documents, from January 2003 until February 2008, Huang was employed as a research scientist at Dow, a leading international agricultural company based in Indianapolis that provides agrochemical and biotechnology products. In 2005, Huang became a research leader for Dow in strain development related to unique, proprietary organic insecticides marketed worldwide.

As a Dow employee, Huang signed an agreement that outlined his obligations in handling confidential information, including trade secrets, and prohibited him from disclosing any confidential information without Dow's consent. Dow employed several layers of security to preserve and maintain confidentiality and to prevent unauthorized use or disclosure of its trade secrets.

Huang admitted that during his employment at Dow, he misappropriated several Dow trade secrets. According to plea documents, from 2007 to 2010, Huang transferred and delivered the stolen Dow trade secrets to individuals in Germany and the PRC. With the assistance of these individuals, Huang used the stolen materials to conduct unauthorized research with the intent to benefit foreign universities that were instrumentalities of the PRC government. Huang also admitted that he pursued steps to develop and produce the misappropriated Dow trade secrets in the PRC, including identifying manufacturing facilities in the PRC that would allow him to compete directly with Dow in the established organic pesticide market.

According to court documents, after Huang left Dow, he was hired in March 2008 by Cargill, an international producer and marketer of food, agricultural, financial and industrial products and services. Huang worked as a biotechnologist for Cargill until July 2009 and signed a confidentiality agreement promising never to disclose any trade secrets or other confidential information of Cargill. Huang admitted that during his employment with Cargill, he stole one of the company's trade secrets - a key component in the manufacture of a new food product, which he later disseminated to another person, specifically a student at Hunan Normal University in the PRC.

According to Assistant U.S. Attorney Cynthia J. Ridgeway, who prosecuted the case for the government, the plea agreement states that the aggregated loss from Huang's criminal conduct exceeds $7 million but is less than $20 million. The government’s prosecution team also included trial attorneys Mark L. Krotoski and Evan C. Williams of the Criminal Division's Computer Crime and Intellectual Property Section, and Assistant U.S. Attorney Jeffrey Paulsen of the District of Minnesota, with assistance from the National Security Division's Counterespionage Section. Significant assistance was provided by the CCIPS Cyber Crime Lab and the Office of International Affairs in the Justice Department's Criminal Division.

Coos Bay Company, Its Owner and Six Employees Indicted for Fraud on Defense Contracts
http://www.justice.gov/usao/or/PressReleases/2011/20111220_Bettencourt.html

UNITED STATES ATTORNEY'S OFFICE District of Oregon PRESS ROOM

December 20, 2011

EUGENE, Ore. — A Coos Bay business, its owner, and six employees were arraigned in federal court today on an indictment returned by a federal grand jury on December 14, 2011. The indictment alleges that Kustom Products, Inc. (KPI), a vehicle parts supply business located in Coos Bay, Oregon, its owner, and six employees committed fraud on contracts with the United States Department of Defense (DoD) valued at over $7.5 million. The indicted owner is Harold Ray Bettencourt II. The indicted employees are Bettencourt’s former wife (Kathy Sue Bettencourt), three of his sons (Harold Ray Bettencourt III [Bo], Nicholas Ryan Bettencourt and Peter Tracy Bettencourt), his office manager (Margo Antonette Densmore), and his purchasing agent (Joshua Lee Kemp). The indictment alleges that KPI, Bettencourt, and the others committed wire fraud, conspiracy to commit wire fraud, fraud involving aircraft parts, money laundering, and conspiracy to commit money laundering. It also alleges that all proceeds traceable to the fraud are to be forfeited, including $365,503.26 in funds from 20 bank accounts, eight vehicles, one boat, two boat trailers, two jet skis, and three all-terrain vehicles.

Harold Ray Bettencourt II, 57, lives in Coos Bay, Oregon; Kathy Sue Bettencourt, 54, resides in Myrtle Point, Oregon; Bo Bettencourt, 31, Nicholas Ryan Bettencourt, 29, and Peter Tracy Bettencourt, 25, all reside in North Bend, Oregon. Margo Antonette Densmore, 40, and Joshua Lee Kemp, 37, are from Coos Bay, Oregon.

The indictment alleges that KPI and a predecessor business, Southern Oregon Sterling Parts and Service (SOS), provided nonconforming, defective and counterfeit products to the DoD for the purpose of increasing their profit margin. It alleges that KPI and SOS committed fraud on at least 392 contracts resulting in payments of $7,523,406.59. The indictment alleges that the various nonconforming and counterfeit products were provided to the DoD from KPI through DoD supply centers in Columbus, Ohio; Philadelphia, Pennsylvania; and Richmond, Virginia. Some of the products were critical application items, defined as items essential to weapons systems performance or operation, or the preservation of life or safety of operational personnel. Examples were defective aviation locknuts for the Kiowa helicopter. These locknuts were used on the main rotor assembly of the Kiowa helicopter and were flight critical because the failure of the main rotor assembly could be catastrophic, resulting in death or serious injury to military personnel. Other critical application items included clamp loops used in C-5 military transport plane engines and other aircraft.

The indictment alleges that Harold Bettencourt II facilitated the scheme by directing other defendants to carry out actions on behalf of KPI and its predecessor SOS, such as making false representations in contracts, providing non-conforming and counterfeit products, and providing false documents to the DoD. The indictment includes a number of examples of how the fraud was committed, and explains how some products were counterfeited in Mexico or obtained in China, even though KPI represented them to be from DoD-approved manufacturers in the United States. The DoD-approved manufacturers whose parts were counterfeited or otherwise misrepresented to be genuine include Caterpillar, Inc., BAE Systems Land and Armaments, Freightliner, Pacific Industrial Components, Inc., and SPS Technologies. The indictment also alleges that KPI and its predecessor SOS counterfeited heat treatment certifications of Timber Products Inspection, Inc., on wood packaging materials in order to decrease expenses and increase profits.

The indictment charges all defendants with wire fraud and conspiracy to commit wire fraud. The maximum statutory penalty for wire fraud and conspiracy to commit wire fraud is a 20 year term of imprisonment and a $250,000.00 fine, followed by a three year term of supervised release. It also charges Harold Ray Bettencourt II, Nicholas Ryan Bettencourt and Joshua Lee Kemp with fraud involving aircraft parts. The maximum statutory penalty for fraud involving aircraft parts is a 10 year prison term and $250,000.00 fine, followed by a three year term of supervised release. The indictment also charges Harold Ray Bettencourt II, Kathy Sue Bettencourt, Bo Bettencourt, Nicholas Ryan Bettencourt, Margo Antonette Densmore and KPI with money laundering and conspiracy to commit money laundering. The maximum statutory penalty for money laundering is a 10 year prison term and $250,000.00 fine, followed by a three year term of supervised release.

The matter is scheduled for trial before United States District Judge Michael R. Hogan on June 27, 2012. All defendants were released on conditions pending trial.

Amanda Marshall, United States Attorney for the District of Oregon, emphasized the serious nature of the charges: “The allegation that military personnel were placed in harm’s way for the sole purpose of financial profit warrants vigorous investigation and prosecution.”

A criminal indictment is only an allegation and not evidence of guilt. All defendants are presumed to be innocent unless and until proven guilty.

The case is being investigated by the Department of Defense/Office of Inspector General/Defense Criminal Investigative Service, the Army Criminal Investigative Division Major Procurement Fraud Unit, the Federal Bureau of Investigation, the Internal Revenue Service Criminal Investigation Division, the Social Security Administration/Office of Inspector General, and Immigration and Customs Enforcement. The case is being prosecuted by Assistant U.S. Attorney Sean B. Hoar.

Korean Firm Accused of Illegal US Military Exports
http://www.justice.gov/usao/ohn/news/2011/20dec2011_4.html

News Release U.S. Department of Justice United States Attorney Northern District of Ohio

Steven M. Dettelbach United States Attorney

Robert W. Kern, Justin E. Herdman Assistant U.S. Attorneys

Mike Tobin Public Affairs Specialist 216.622.3651

For Release: Dec. 20, 2011

An indictment was returned by a federal grand jury sitting in Cleveland, Ohio, charging EO System Company, Ltd. and Seok Hwan Lee, Tae Young Kim and Won Seung Lee, with five counts of knowingly and willfully exporting, causing to be exported, and aiding and abetting the export of defense articles on the U.S. Munitions List without first obtaining an export license or written authorization from the U.S. Department of State, said Steven M. Dettelbach, United States Attorney for the Northern District of Ohio, and Stephen D. Anthony, Special Agent in Charge of the Cleveland Field Office, Federal Bureau of Investigation.

EO System Company, Ltd. is a corporation located in Inchon, Republic of Korea (South Korea), while Lee, Kim and Lee are citizens and residents of South Korea.

“These defendants are charged with violating important regulations designed to protect national security,” Dettelbach said.

“The FBI and Department of Justice are committed to the protection of U.S. defense technology, particularly that which is governed by the International Traffic in Arms Regulations,” Anthony said.

The indictment charges that on or about November 4, 2005, the defendants knowingly exported, caused to be exported, and aided and abetted the export from the United States to the Republic of Korea (South Korea) of five (5) DRS PN: 42-15-050-003, E3500 system 25.7 mm F/1.0 Telescopes, also described as Infra Red Focal Plane Array detectors and Infra Red camera engines, which were designated as defense articles on the United States Munitions List.

The indictment charges that the defendants did so without first obtaining an export license or written authorization for such export from the U.S. Department of State.

If convicted, the defendants’ sentences will be determined by the Court after review of factors unique to this case, including the defendants’ prior criminal records, if any, the defendants’ role(s) in the offense, and the characteristics of the violation. In all cases the sentence will not exceed the statutory maximum and in most cases it will be less than the maximum.

In a related case, Kue Sang Chun, 67, of Avon Lake, Ohio, previously pleaded guilty to one count of exporting defense articles on the U.S. Munitions List without first obtaining an export license or written authorization from the State Department, and one count of knowingly making and subscribing a false U.S. individual income tax return. He was sentenced in November to 14 months in prison.

This case is being prosecuted by Assistant U.S. Attorneys Robert W. Kern and Justin E. Herdman of the Cleveland U.S. Attorney’s Office, following an investigation by the Cleveland Office of the Federal Bureau of Investigation.

An indictment is only a charge and is not evidence of guilt. A defendant is entitled to a fair trial in which it will be the government's burden to prove guilt beyond a reasonable doubt.

San Antonio Man Pleads Guilty to Attempting to Export Sensitive Military Equipment
www.usdoj.gov/usao/txw/index.html

U.S. Department of Justice U.S. Attorney’s Office Western District of Texas

Robert Pitman, U.S. Attorney

Daryl Fields, Public Information Officer (210) 384-7440

FOR IMMEDIATE RELEASE December 15, 2011

United States Attorney Robert Pitman and ICE-HSI Special Agent in Charge Jerry Robinette announced that 53-year-old Andrew Silcox pleaded guilty to violating the Arms Export Control Act.

Appearing before Chief U.S. District Judge Fred Biery, Silcox pleaded guilty to one count of illegal export of a munitions list item.

By pleading guilty, Silcox, who is in the business of purchasing surplus Department of Defense equipment and then reselling it, admitted that beginning in May 2010, he sold one, and subsequently attempted to sell three more, Naval Radar Control Unit AN/SPS-40B/C/D parts, also known as a Sensitivity Time Control Generator Assembly, for an agreed upon price of approximately $6,500 each to an undercover ICE-HSI agent. These particular units are covered by the U.S. Munitions List and require a State Department license for exportation.

The undercover agent told Silcox he was a broker for a buyer in the United Arab Emirates and inquired as to how Silcox would get the export license. Silcox admitted in court documents that he knew he needed the license; however, he never attempted to get a license and used false information on the shipping labels to disguise the actual contents. Silcox was arrested by ICE-HSI agents in San Antonio on October 21, 2011, when he attempted to sell the other three units.

Silcox faces up to 20 years in federal prison. Sentencing is scheduled for 8:30 a.m. on February 24, 2012. Silcox is currently on bond pending sentencing.

This case was investigated by agents with U.S. Immigration and Customs Enforcement - Homeland Security Investigations together with the Department of Defense, Defense Criminal Investigative Service (DCIS) and is being prosecuted by Assistant United States Attorney Mark Roomberg.

TECHNIQUES, METHODS, TARGETS

Treasury Designates 10 Shipping Companies and Chief

Executive Tied to IRISL and Irano Hind http://www.treasury.gov/press-center/press-releases/Pages/tg1388.aspx

12/20/2011

WASHINGTON – The U.S. Department of the Treasury today announced the designation of 10 shipping and front companies and one individual based in Malta affiliated with the Islamic Republic of Iran Shipping Lines (IRISL), an

entity facing international sanctions for its involvement in Iran’s efforts to advance its missile programs and transport military cargoes. Today’s action is being taken as IRISL and its subsidiaries have increasingly relied upon

multiple front companies and agents to overcome the impact of U.S. and international sanctions and increased

scrutiny of their behavior.

―As IRISL and its subsidiaries continue their deceptive efforts to escape the grasp of U.S. and international sanctions, we will continue to take action—as we are today—to expose the front companies, agents and managers

working with IRISL and work to stop this illicit business,‖ said Under Secretary for Terrorism and Financial Intelligence David S. Cohen.

The entities and individual designated today are owned or controlled by, or acting or purporting to act for or on

behalf of, directly or indirectly, IRISL, Irano Hind, or ISI Maritime.

IRISL has facilitated shipments of military-related cargo destined for Iran’s Ministry of Defense and Armed Forces Logistics (MODAFL) and its subordinate entities, including organizations designated by the United States for

sanctions pursuant to Executive Order (E.O.) 13382 and listed in United Nations Security Council Resolutions 1737 in 2006, 1747 in 2007, and 1929 in 2010. The Department of State designated MODAFL pursuant to E.O. 13382 in

October 2007, and the Treasury Department designated IRISL in September 2008.

In September 2009, the Treasury Department also designated the IRISL-Shipping Corporation of India joint

venture, Irano Hind. The UN Security Council designated Irano Hind in Resolution 1929 in 2010.

10

COUNTERINTELLIGENCE AND CYBER NEWS AND VIEWS

Pursuant to E.O. 13382, which is aimed at freezing the assets of proliferators of weapons of mass destruction and their supporters and excluding them from the U.S. financial and commercial systems, Treasury today designated:

• 10 Malta-based IRISL and Irano Hind affiliated shipping companies: BIIS Maritime Limited, ISIM Amin Limited, ISIM Atr Limited, ISIM Olive Limited, ISIM Sat Limited, ISIM Sea Chariot Limited, ISIM Sea Crescent Limited, ISIM Sinin Limited, ISIM Taj Mahal Limited, and ISIM Tour Limited.
• The Chief Executive and Managing Director of Irano Hind, Jamshid Khalili, who is an Iranian national.

The European Union also sanctioned these companies, per Council Decision 2011/783/CFSP of December 1, 2011, as IRISL front companies.

IRISL Front Companies:

1. BIIS MARITIME LIMITED, 147/1 St. Lucia Street, Valletta, VLT 1185, Malta; c/o Irano Hind Shipping Company, PO Box 15875, Mehrshad Street, Sadaghat Street, Opposite of Park Mellat, Vali-e-Asr Ave., Tehran, Iran; Business Registration Document # C31530 (Malta); Website www.iranohind.com [NPWMD]
2. ISIM AMIN LIMITED, 147/1 St. Lucia Street, Valletta, VLT 1185, Malta; Business Registration Document # C40069 (Malta) [NPWMD]
3. ISIM ATR LIMITED, c/o Irano Hind Shipping Company, PO Box 15875, Mershad Street, Sadaghat Street, Opposite of Park Mellat, Vali-e-Asr Ave., Tehran, Iran; 147/1 St. Lucia Street, Valletta, VLT 1185, Malta; Business Registration Document # C34477 (Malta); Website www.iranohind.com [NPWMD]
4. ISIM OLIVE LIMITED, 147/1 St. Lucia Street, Valletta, VLT 1185, Malta; Business Registration Document # C34479 (Malta) [NPWMD]
5. ISIM SAT LIMITED, 147/1 St. Lucia Street, Valletta, VLT 1185, Malta; Business Registration Document # C34476 (Malta) [NPWMD]
6. ISIM SEA CHARIOT LIMITED, 147/1 St. Lucia Street, Valletta, VLT 1185, Malta; Business Registration Document # C45153 (Malta) [NPWMD]
7. ISIM SEA CRESCENT LIMITED, 147/1 St. Lucia Street, Valletta, VLT 1185, Malta; Business Registration Document # C45152 (Malta) [NPWMD]
8. ISIM SININ LIMITED, 147/1 St. Lucia Street, Valletta, VLT 1185, Malta; c/o Irano Hind Shipping Company, PO Box 15875, Mehrshad Street, Sadaghat Street, Opposite of Park Mellat, Vali-e-Asr Ave., Tehran, Iran; Business Registration Document # C37437 (Malta); Website www.iranohind.com [NPWMD]
9. ISIM TAJ MAHAL LIMITED, 147/1 St. Lucia Street, Valletta, VLT 1185, Malta; Business Registration Document # C41660 (Malta) [NPWMD]
10. ISIM TOUR LIMITED, 147/1 St. Lucia Street, Valletta, VLT 1185, Malta; Business Registration Document # C34478 (Malta) [NPWMD]

IRISL Affiliated Individual:

1. KHALILI, Jamshid, Third Floor, Number 143, Dr. Lavasani Avenue, Farmanieh Avenue, Tehran, Iran; DOB 23 Sep 1957; nationality Iran; Passport R1451357 (Iran) (individual) [NPWMD]


CYBER, HACKING, DATA THEFT, COMPUTER INTRUSIONS & RELATED

Fraud Alert Involving Unauthorized Wire Transfers to China
http://www.ic3.gov/media/2011/ChinaWireTransferFraudAlert.pdf

This product was created as part of a joint effort between the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3).

26 April 2011

The FBI has observed a trend in which cyber criminals, using the compromised online banking credentials of U.S. businesses, sent unauthorized wire transfers to Chinese economic and trade companies located near the Russian border.

Between March 2010 and April 2011, the FBI identified twenty incidents in which the online banking credentials of small-to-medium sized U.S. businesses were compromised and used to initiate wire transfers to Chinese economic and trade companies. As of April 2011, the total attempted fraud amounts to approximately $20 million; the actual victim losses are $11 million.

In a typical scenario, the computer of a person within a company who can initiate funds transfers on behalf of the U.S. business is compromised by either a phishing e-mail or by visiting a malicious Web site. The malware harvests the user's corporate online banking credentials. When the authorized user attempts to log in to the user's bank Web site, the user is typically redirected to another Web page stating the bank Web site is under maintenance or is unable to access the accounts. While the user is experiencing logon issues, malicious actors initiate the unauthorized transfers to commercial accounts held at intermediary banks typically located in New York. Account funds are then transferred to the Chinese economic and trade company bank account.

Victims

Like most account takeover fraud, the victims tend to be small-to-medium sized businesses and public institutions that have accounts at local community banks and credit unions, some of which use third-party service providers for online banking services.

Recipients

The intended recipients of the international wire transfers are economic and trade companies located in the Heilongjiang province in the People's Republic of China. The companies are registered in port cities that are located near the Russia-China border.

The FBI has identified multiple companies that were used for more than one unauthorized wire transfer. However, in these cases the transfers were a few days apart and never used again. Generally, the malicious actors use different companies to receive the transfers. The companies used for this fraud include the name of a Chinese port city in their official name. These cities include: Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning. The official names of the companies also include the words "economic and trade," "trade," and "LTD."

The economic and trade companies appear to be registered as legitimate businesses and typically hold bank accounts with the Agricultural Bank of China, the Industrial and Commercial Bank of China, and the Bank of China.

At this time, it is unknown who is behind these unauthorized transfers, if the Chinese accounts were the final transfer destination or if the funds were transferred elsewhere, or why the legitimate companies received the unauthorized funds. Money transfers to companies that contain these described characteristics should be closely scrutinized.

Unauthorized Wire Transfers

The unauthorized wire transfers range from $50,000 to $985,000. In most cases, they tend to be above $900,000, but the malicious actors have been more successful in receiving the funds when the unauthorized wire transfers were under $500,000. When the transfers went through successfully, the money was immediately withdrawn from or transferred out of the recipients' accounts.

In addition to the large wire transfers, the malicious actors also sent domestic ACH and wire transfers to money mules in the United States within minutes of conducting the overseas transfers. The domestic wire transfers range from $200 to $200,000. The intended recipients are money mules, individuals who the victim company has done business with in the past, and in one instance, a utility company located in another U.S. state. The additional ACH transfers initiated using compromised accounts range from $222,500 to $1,275,000.

Malware

The type of malware has not been determined in every case, but some of the cases involve ZeuS, Backdoor.bot, and Spybot. In addition, one victim reported that the hard drive of the compromised computer was erased remotely before the IT department could investigate.

• ZeuS: malware that has the capability to steal multifactor authentication tokens, allowing the criminal(s) to log in to victims' bank accounts with the user name, password, and token ID. This can occur during a legitimate user log-in session.
• Backdoor.bot: malware that has worm, downloader, keylogger, and spy ability. The malware allows the criminal(s) to access the infected computer remotely and further infect computers by downloading additional threats from a remote server.
• Spybot: an IRC backdoor Trojan which runs in the background as a service process and allows unauthorized remote access to the victim computer.

Recommendation to Financial Institutions

Wire transfers to companies in the Heilongjiang province whose official names include the city names Raohe, Fuyuan, Jixi City, Xunke, Tongjiang, and Dongning should be heavily scrutinized, especially for clients that have no prior transaction history with companies in the Heilongjiang province. For recommendations on how businesses can Protect, Detect, and Respond to Corporate Account Takeovers such as this, please refer to the "Fraud Advisory for Businesses: Corporate Account Take Over" available at http://www.fsisac.com/files/public/db/p265.pdf .
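The indicators in this alert (a beneficiary name carrying one of the six port-city names together with "economic and trade," "trade," or "LTD"; a beneficiary in Heilongjiang; no prior transaction history between the client and the payee; an amount in the $50,000 to $985,000 band) can be expressed as a screening rule that a bank's wire operations desk or transaction-monitoring system runs before release. The following Python is an added example written for this edit, not code from the FBI, FS-ISAC or IC3 product; the record fields, the hold/review/pass thresholds and the three sample wires are assumptions constructed for the illustration, while the indicator values themselves are the ones the alert lists.

```python
"""Added example: screening outbound wires against the indicators in the alert above.

Field names, thresholds and the sample records are assumptions made for this
example; the indicator values come from the FBI/FS-ISAC/IC3 alert.
"""
import re
from dataclasses import dataclass

# Beneficiary-name indicators listed in the alert.
PORT_CITIES = ("raohe", "fuyuan", "jixi", "xunke", "tongjiang", "dongning")
TRADE_WORDS = ("economic and trade", "trade", "ltd")
PROVINCE = "heilongjiang"
# Range of the unauthorized transfers observed ($50,000 to $985,000).
AMOUNT_BAND = (50_000, 985_000)


@dataclass
class Wire:
    originator: str
    beneficiary_name: str
    beneficiary_country: str      # ISO 3166 alpha-2 (assumed field)
    beneficiary_province: str
    amount_usd: float
    prior_history: bool           # originator has paid this beneficiary before


def _contains_word(text: str, phrase: str) -> bool:
    """Whole-word match so 'dongning' does not fire on 'dongfang'."""
    return re.search(r"\b" + re.escape(phrase) + r"\b", text) is not None


def screen(w: Wire) -> list:
    """Return the names of every indicator the wire matches (empty list = none)."""
    name = w.beneficiary_name.lower()
    hits = []
    if w.beneficiary_country.upper() == "CN" and w.beneficiary_province.lower() == PROVINCE:
        hits.append("heilongjiang_beneficiary")
    if any(_contains_word(name, city) for city in PORT_CITIES):
        hits.append("port_city_in_name")
    if any(_contains_word(name, word) for word in TRADE_WORDS):
        hits.append("trade_word_in_name")
    if AMOUNT_BAND[0] <= w.amount_usd <= AMOUNT_BAND[1]:
        hits.append("amount_in_alert_band")
    if not w.prior_history:
        hits.append("no_prior_history")
    return hits


def decision(w: Wire) -> str:
    """'hold' = stop and call the client back; 'review' = analyst queue; 'pass' = release.

    The alert singles out port-city names, especially with no prior history, so a
    port-city hit combined with a Heilongjiang beneficiary or a first-time payee is
    held outright; any other pair of indicators goes to review.
    """
    hits = screen(w)
    if "port_city_in_name" in hits and (
        "heilongjiang_beneficiary" in hits or "no_prior_history" in hits
    ):
        return "hold"
    if len(hits) >= 2:
        return "review"
    return "pass"


# Constructed sample records for the example (not real transactions).
SAMPLES = [
    Wire("Midwest Tooling Inc", "Raohe Xinyuan Economic and Trade Co., LTD", "CN",
         "Heilongjiang", 480_000.0, prior_history=False),
    Wire("Midwest Tooling Inc", "Shenzhen Huaxin Trade Ltd", "CN",
         "Guangdong", 12_000.0, prior_history=True),
    Wire("Coastal Imports LLC", "Harbin Dongfang Trade Ltd", "CN",
         "Heilongjiang", 200_000.0, prior_history=True),
]


if __name__ == "__main__":
    for w in SAMPLES:
        print(f"{decision(w):6s} {w.beneficiary_name!r} {screen(w)}")
```

The rule is deliberately narrow: "trade" and "Ltd" on their own describe thousands of legitimate Chinese exporters, so they only raise the score, while the port-city name, which the alert identifies as the distinguishing feature, is what triggers a hold. A call-back to the client on a known-good number, not a reply to the online session that originated the wire, is the check that defeats the "site under maintenance" redirect described above.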

Incident Reporting

The FBI encourages victims of cyber crime to contact their local FBI field office, http://www.fbi.gov/contact/fo/fo.htm , or file a complaint online at www.IC3.gov


The Dangerous Side of Online Romance Scams
Intelligence Note Prepared by the Internet Crime Complaint Center (IC3)
http://www.ic3.gov/media/2011/110429.aspx

April 29, 2011

The IC3 is warning the public to be wary of romance scams in which scammers target individuals who search for companionship or romance online. Someone you know may be "dating" someone online who may appear to be decent and honest. However, be forewarned: the online contact could be a criminal sitting in a cyber café with a well-rehearsed script that scammers have used repeatedly and successfully. Scammers search chat rooms, dating sites, and social networking sites looking for victims. The principal group of victims is over 40 years old and divorced, widowed, elderly, or disabled, but all demographics are at risk.

Scammers use poetry, flowers, and other gifts to reel in victims, the entire time declaring their "undying love." These criminals also use stories of severe life circumstances, tragedies, deaths in the family, injuries to themselves, or other hardships to keep their victims concerned and involved in their schemes. Scammers also ask victims to send money to help overcome a financial situation they claim to be experiencing. These are all lies intended to take money from unsuspecting victims.

In another scheme, scammers ask victims to receive funds in the form of a cashier's check, money order, or wire transfer, claiming they are out of the country and unable to cash the instruments or receive the funds directly. The scammers ask victims to redirect the funds to them or to an associate to whom they purportedly owe money. In a similar scheme, scammers ask victims to reship packages instead of redirecting funds. In these examples, victims risk losing money and may incur other expenses, such as bank fees and penalties, and in some instances face prosecution.

Victims who have agreed to meet in person with an online love interest have been reported missing, or injured, or in one instance, deceased. IC3 complainants most often report the countries of Nigeria, Ghana, England, and Canada as the location of the scammers. If you are planning to meet someone in person that you have met online, the IC3 recommends using caution, especially if you plan to travel to a foreign country, and, at the very least:

• Do not travel alone.
• Read all travel advisories associated with the countries you will visit. Travel advisories are available at http://travel.state.gov/.
• Contact the United States Embassy in the country you plan to visit.

Even though it seems to be contrary to the thought of starting a new romance, do not be afraid to check a new acquaintance's story online. Remember, like most fraudulent schemes, scammers use whatever personal information you provide to quickly paint themselves as your perfect match. If your new friend's story is repeated through numerous complaints and articles on the Internet, it is time to apply common sense over your feelings. To obtain more information on romance scams and other types of online schemes, visit www.LooksTooGoodToBeTrue.com. Anyone who believes they have been a victim of this type of scam should promptly report it to the IC3's website at www.IC3.gov .


Sixteen Persons Charged in International Internet Fraud Scheme
http://www.justice.gov/usao/nv/press/december2011/petroiu12152011.htm

U.S. Department of Justice, United States Attorney, District of Nevada
Daniel G. Bogden, United States Attorney, WWW.JUSTICE.GOV/USAO/NV
333 Las Vegas Blvd. South, Suite 5000, Las Vegas, NV 89101, (702) 388-6336, FAX (702) 388-6296
NEWS RELEASE. PRESS CONTACTS: Natalie Collins, Public Affairs Specialist, (702) 388-6508

THURSDAY, DECEMBER 15, 2011

LAS VEGAS – Federal charges have been unsealed against 16 individuals for their involvement in an international internet scheme that defrauded online purchasers of purported merchandise such as automobiles and other items, announced Daniel G. Bogden, United States Attorney for the District of Nevada.

The defendants are charged with wire fraud, conspiracy to commit wire fraud, conspiracy to commit money laundering, and criminal forfeiture. Thirteen of the defendants were arrested in Las Vegas yesterday, December 14, 2011. Most of those defendants appeared before United States Magistrate Judge Robert J. Johnston yesterday, and pleaded not guilty to the charges. Several other defendants are scheduled for initial court appearances today beginning at 3:00 p.m. One individual was arrested at Washington Dulles International Airport in Virginia, and appeared before a federal magistrate judge there, and the remaining two defendants have not yet been arrested.

According to the allegations in the indictment, from about December 2008 to December 2011, conspirators situated outside of the United States listed and offered items for sale on internet sites (such as Craigslist and Autotrader) and occasionally also placed advertisements in newspapers. The items offered for sale included automobiles, travel trailers and watercraft. The conspirators typically offered the items at attractive prices and often stated that personal exigencies, such as unemployment, military deployment, or family emergencies, required that they sell the offered items quickly. To gain the confidence of prospective buyers, conspirators posing as owners of the items instructed buyers that the transactions were to be completed through eBay, Yahoo!Finance, or similar on-line services, which would securely hold the buyers' funds until the purchased items were delivered. The conspirators sent e-mails to buyers which appeared or purported to be from eBay, Yahoo!Finance, or other such entities, and which instructed buyers to remit payment to designated agents of those entities who were to hold the purchase money in escrow until the transaction was concluded. In reality, the entire transaction was a sham: the conspirators did not deliver any of the items offered for sale; neither eBay, Yahoo! Finance, nor any similar entity participated in these transactions; and the purported escrow agents designated to receive buyers' purchase money were actually participants in the scheme who received the funds fraudulently obtained from buyers on behalf of the conspiracy.

Relying on the schemers' fraudulent representations, scores of buyers agreed to purchase items that the schemers offered on-line and in newspaper advertisements. The conspirators kept and converted the fraudulently obtained purchase money for their own purposes. The defendants and their associates allegedly obtained more than $3 million through the fraud scheme, which they distributed among the conspirators both inside and outside the United States.

Defendants:

Eduard Petroiu, 28, Las Vegas resident
Vladimir Budestean, 24, Las Vegas resident
Bertly Ellazar, 27, Las Vegas resident
Radu Lisnic, 25, Las Vegas resident
Evghenii Russu, 25, Las Vegas resident
Evgeny Krylov, 24, Las Vegas resident
Eugeni Stoytchev, 35, Las Vegas resident
Iavor Stoytchev, 28, Las Vegas resident
Christopher Castro, 27, Las Vegas resident
Delyana Nedyalkova, 23, Las Vegas resident
Oleh Rymarchuk, 21, Las Vegas resident
Melanie Pascua, 25, Las Vegas resident
Manuel Garza, 23, Las Vegas resident
Ryne Green, 25, Las Vegas resident
Michael Vales, 22, Las Vegas resident
Edelin Dimitrov, 20, Las Vegas resident

The indictment identifies Eduard Petroiu as a leader of the conspiracy and six others, including Vladimir Budestean, Bertly Ellazar, Radu Lisnic, Evghenii Russu, and Eugeni Stoytchev, as subordinate managers of the conspiracy.

If convicted, the defendants face up to 60 years in prison and fines of up to $1 million.

The arrests result from a joint investigation by the FBI and the Las Vegas Metropolitan Police Department as part of its Nevada Cyber Crime and Southern Nevada Eastern European Organized Crime Task Forces. The case is being prosecuted by Assistant U.S. Attorney Timothy S. Vasquez.

The public is reminded that an indictment contains only charges and is not evidence of guilt. The defendants are presumed innocent and entitled to a fair trial at which the government has the burden of proving guilt beyond a reasonable doubt.

Anyone with information regarding these individuals is urged to call the FBI in Las Vegas at (702) 385-1281 or, to remain anonymous, call Crime Stoppers at (702) 385-5555 or visit www.crimestoppersofnv.com. Tips directly leading to an arrest or an indictment processed through Crime Stoppers may result in a cash reward. Internet related criminal complaints may also be directed to the Internet Crime Complaint Center at www.ic3.gov .

Addendum: December 30, Associated Press – (Nevada; International) Feds: 6 indicted in Internet based car-selling scheme that took in over $4 million. A federal grand jury indicted six foreign nationals on charges that they defrauded hundreds of customers out of more than $4 million in bogus Internet car sales, federal prosecutors said December 29. The 24-count indictment returned December 28 alleges a scheme in which vehicles were offered for sale on legitimate Web sites that deal in auto trading, according to a statement from the U.S. attorney's office. The six defendants, from Germany, Russia, Romania and Latvia, are accused of collecting payments from hundreds of would-be buyers nationwide, siphoning millions of dollars to Europe, and never delivering a vehicle, the indictment said. The alleged leaders of the scam are both in federal custody in Nevada on charges related to bulk cash smuggling. One of the men monitored the fraudulent bank accounts to determine if funds had been deposited, the indictment said. The money was then withdrawn, primarily in cash, and delivered to the leaders. The two then allegedly wired the money from the United States to other countries, mailed the funds in concealed packages to Berlin, or concealed the funds in personal carry-on luggage while traveling to Germany, according to the indictment. At least 110 bank accounts were opened to fraudulently receive the funds, according to the indictment. From September 4, 2007 until October 5, 2010, victims deposited at least $4 million into the accounts. The defendants face charges including conspiracy to commit bank and wire fraud and money laundering. If convicted, each could face sentences totaling hundreds of years in federal prison.

Source: http://www.washingtonpost.com/national/feds-6-indicted-in-internet-based-car-selling-scheme-that-took-in-over-4-million/2011/12/30/gIQABzxmPP_story.html


Cyber Related Threats Reported in the DHS Daily Open Source Infrastructure Report

The following are extracts from the DHS Daily Open Source Infrastructure Report, located at http://www.dhs.gov/files/programs/editorial_0542.shtm . These reports link back to more detailed reporting from the original source. Extracted here are the items pertaining to cyber threats prevalent on a daily basis. Readers may find practical applications for this material both in their work and in their personal use of computing devices and the internet.

December 14, The Register – (International) SCADA vulnerability imperils critical infrastructure, feds warn.

An electronic device used to control machinery in water plants and other industrial facilities contains serious weaknesses that allow attackers to take it over remotely, the U.S. Industrial Control Systems Cyber Emergency Response Team warned. Some models of the Modicon Quantum PLC used in industrial control systems contain multiple hidden accounts that use predetermined passwords to grant remote access, the agency said in an advisory issued December 14. Palatine, Illinois–based Schneider Electric, the maker of the device, produced fixes for some of the weaknesses, and continues to develop additional mitigations. The programmable logic controllers reside at the lowest levels of an industrial plant, where computerized sensors meet the valves, turbines, or other machinery being controlled. The default passwords are hard-coded into Ethernet cards the systems use to funnel commands into the devices and get temperatures and other data out of them. The Ethernet modules also allow administrators to remotely log into the machinery using protocols such as telnet, FTP, and the Windriver Debug port. According to a blog post published December 12 by an independent security researcher, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals. Even in cases where the passcodes are obscured using cryptographic hashes, they are easy to recover thanks to documented weaknesses in the underlying VxWorks operating system. As a result, attackers can exploit the weakness to log into devices and gain privileged access to their controls.

Source: http://www.theregister.co.uk/2011/12/14/scada_bugs_threaten_criticial_infrastructure/

December 15, The Register – (International) Stolen, remote-wiped iPhones still get owner's iMessages.

Victims of iPhone theft have discovered that remotely wiping their device will not stop iMessage content being delivered to the thief, who can continue to respond under the owner's name. The flaw was spotted by a man whose wife had her iPhone stolen and promptly deactivated the mobile number, remotely wiped the data, and changed both Apple ID and password. However, despite all the action taken, the husband discovered messages sent using iMessage were being received by the buyer of the stolen handset, in addition to being delivered to his wife's new handset, and shared the experience with Ars Technica. Not only was the receiver-of-stolen-goods getting messages addressed to the man's wife, but the thief was able to respond to the messages. It appears the problem is not unique to the couple, but has hit many iPhone users, a problem which will presumably increase as iMessage gains ground. iMessage works by automatically turning SMS and MMS messages into Internet traffic when a data connection is available at both ends. It only operates where both parties have an iPhone, and are connected to the Internet, but when activated it does provide a free messaging service.

Source: http://www.theregister.co.uk/2011/12/15/imessage_persistant/


December 15, Dark Reading – (International) Old smartphones leave tons of data for digital dumpster divers.

A recent exploration made by a digital forensics company into a handful of phones found in the smartphone secondary market showed how easy it is to glean information from old or lost phones, even if a factory reset has been performed. An expert from AccessData gave Dark Reading information on his findings from his informal research and explained some of the repercussions for corporations and consumers who do not pick, manage, or dispose of their phones wisely. The director of mobile forensics for AccessData said, "I'd guess if you went and grabbed 10 phones [from recycling companies], 60 percent are going to contain data."

He said at the behest of a customer interested in the data lingering on phones sold by used phone resellers and consumers using Craigslist and eBay, he used AccessData's tools to do an in-depth forensics dive into five handsets acquired from this market. The phones were the iPhone 3G, Sanyo 2300, HTC Wildfire, LG Optimus, and HTC Hero.

Of those five, the iPhone and the old Sanyo had not been reset and contained what the director called logical data: active account sign-ons, contacts, and calendar information easily usable by any person who turns on the phone. Even though all of the Android phones had been wiped through a factory reset, four of the five phones also included data that would take someone with forensics tools and knowledge to extract from more hidden storage locations. Some of the details available within those phones included user account information, Social Security numbers, geo-location tags, deleted text messages, and a resume.

Source: http://www.darkreading.com/security/news/232300628/old-smartphones-leave-tons-of-data-for-digital-dumpster-divers.html

December 16, Softpedia – (International) Influential Ukrainian general arrested for international cybercrimes.

The FBI in collaboration with the Romanian Intelligence Service (SRI) apprehended a 54-year-old Ukrainian retired general and two of his accomplices while they were trying to withdraw $1 million from CEC Bank, money obtained as a result of cyberfraud. The former general, an Israeli business man, and a 37-year-old Moldavian were arrested December 16 in Iasi, Romania, while they were trying to obtain the money, reports local newspaper Adevarul. After they managed to obtain Internet banking account credentials belonging to business owners from Italy and the United States, the group transferred large sums of money into the accounts of companies they owned. "Later, to wash the money trail, fictitious commercial transactions were made, while in reality the funds were being transferred to other accounts or withdrawn in cash by the members of the criminal group," reads a statement from Romanian anti-crime and terrorism unit DIICOT. A day before the operation was busted, the three men tried to withdraw from the same financial institution the sum of $450,000, which they obtained from the accounts of an Italian company. Since the men looked suspicious, the bank postponed the transaction and alerted authorities. The general, who has been living in Belgium for the past few years, claims the $1 million was given to him by a company that wanted to buy shares at the TV station he owned.

Source: http://news.softpedia.com/news/Influential-Ukrainian-General-Arrested-for-International-Cybercrimes-241298.shtml


December 19, threatpost – (National) USAA warns members of sophisticated phishing scam.

USAA is warning its members about a sophisticated phishing scam that attempts to install a malicious banking Trojan on members' computers. The Texas-based financial services association issued a notice to members December 19 about what it described as an "aggressive email phishing scam" directed at USAA members. The phishing e-mails have the subject line "Deposit Posted" and even include a randomly generated four digit "Security Zone" number that mimics the customer's actual USAA member number, the firm said. USAA said the e-mail messages do not contain malicious links, but do ask members to open an attachment that, once opened, will install a "malicious banking virus" designed to steal user account information and that would "require a complete reinstall of your computers (sp) operating system."

Source: http://threatpost.com/en_us/blogs/usaa-warns-members-sophisticated-phishing-scam-121911

December 20, Auburn Journal – (National) Fraud guilty plea in Lincoln WECO aircraft repair case.

One of six former employees of Lincoln, California's WECO Aerospace Systems, who prosecutors said needlessly took safety risks by making bogus airplane repairs, has lodged a guilty plea. The employee pleaded guilty December 15 to a single count of conspiracy to commit fraud involving aircraft parts in interstate or foreign commerce. He is the first of the six to admit culpability in a case the U.S. Department of Justice (DOJ) alleges was a deliberate attempt from 2004 to 2007 to criminally avoid required procedures during servicing of starter generators. According to the plea agreement, the employee conspired with others at WECO to conceal facts about repairs from customers and the Federal Aviation Administration (FAA), and was aware WECO's Burbank division did not perform some tests necessary to comply with maintenance requirements. He also admitted he was aware WECO Burbank used parts not approved for service by the FAA, and charged customers for used parts as if they were new. A DOJ spokesperson said total loss to customers at WECO Burbank for repairs and overhauls not done properly was about $1.38 million between 2004 and 2007. Customers include private aviation companies in California, Florida, Georgia, Pennsylvania, Indiana, and Arizona, as well as the City of Los Angeles, and the DHS. The employee faces a maximum of 15 years in prison and a fine of $500,000. Sentencing is scheduled for May 14 in Sacramento.

Source: http://auburnjournal.com/detail/195938.html?content_source=&category_id=2&search_filter=&user_id=&event_mode=&event_ts_from=&event_ts_to=&list_type=&order_by=&order_sort=&content_class=1&sub_type=&town_id=

December 23, Softpedia – (International) Phishing has two sisters: vishing and smishing.

While most Internet users are familiar with the term phishing and its dangerous effects, security researchers are recording a considerable increase in two related malicious schemes, vishing and smishing. Vishing is a variant of phishing, its name a portmanteau of the words voice and phishing, reports the Windows Club. Vishing attacks involve an unsuspecting user called via phone by someone who pretends to represent an important organization such as a bank or a utility company. In these situations, the crooks request large amounts of personal information allegedly needed for certain operations, financial or otherwise. An alternative to this method involves an e-mail which urges the recipient to call a certain phone number. Usually these e-mails come with threats, and they are more advantageous for the cybercriminals since they do not have to pay for the calls they make. Smishing involves SMS messages. In these types of schemes, the victim receives an SMS that warns that he/she has been automatically enrolled in a paid service. In order to terminate the subscription, the recipient has to visit a URL and click a certain button, which instead of canceling the phony subscription downloads a piece of malware that infects the phone. From here on, keyloggers or premium-SMS-sending trojans are free to do as they like.

Source: http://news.softpedia.com/news/Phishing-Has-Two-Sisters-Vishing-and-Smishing-242767.shtml


December 27, United States Computer Emergency Readiness Team – (International) WiFi protected setup PIN brute force vulnerability.

The WiFi Protected Setup (WPS) PIN is susceptible to a brute force attack, the United States Computer Emergency Readiness Team (US-CERT) reported December 27 after being notified by a member of the public who uncovered the vulnerability. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8 digit PIN is correct. The lack of a proper lock out policy after a certain number of failed attempts to guess the PIN on some wireless routers makes this brute force attack that much more feasible. The vulnerability affects all major brands of routers.

Source: http://www.kb.cert.org/vuls/id/723755

December 30, Softpedia – (International) Your smartphone from Amazon has shipped malware-spreading spam.

Softpedia reported December 30 a malware scam involving an e-mail allegedly sent by Amazon to confirm that an electronic device such as a smartphone has already been paid for with the recipient’s credit card. Users who click on the links contained in the message are taken to a Web site that serves a variant of Cridex, especially designed to steal personal and financial information from the computer it lands on, according to Hoax Slayer. Win32/Cridex is usually delivered via spammed malware such as variants of Exploit:JS/Blacole and is programmed to spread to removable drives. Besides banking credentials, it also targets local certificates and it is able to execute files. Once executed, the malicious element drops a copy of the worm as a randomly named file and modifies the registry to make sure it is executed each time the operating system boots. After the dropper is deleted, Cridex injects itself into every running process, even ones that are later created.

Source: http://news.softpedia.com/news/Your-Smarthpone-from-Amazon-Has-Shipped-Malware-Spreading-Spam-243839.shtml

December 30, The Register – (International) Kaspersky claims “smoking code” linking Stuxnet and Duqu.

Researchers at Kaspersky Lab claimed to have found proof that the writers of the Stuxnet and Duqu malware are one and the same, and are warning of at least three new families of advanced malware potentially in circulation, The Register reported December 30. The chief security expert at Kaspersky Lab said that researchers had examined drivers used in both Stuxnet and Duqu and concluded that a single team was most likely behind them both, based on the timing of their creation and their methods of interacting with the rest of the malware code. The researcher’s data suggests both were built on a common platform, dubbed Tilded because it uses many files beginning with the tilde symbol “~” and the letter “d.” The platform was built around 2007 or later, and was updated in 2010. Kaspersky’s director of global research and analysis told Reuters that the platform and drivers involved would indicate five families of malware had been made using the platform already, and that others may be in development. The modularity of the systems makes it easy for the malware writers to adapt their creations to new purposes and techniques.

Source: http://www.theregister.co.uk/2011/12/30/kaspersky_stuxnet_duqu_link/


December 29, CNET News – (International) Anonymous targets military-gear site in latest holiday hack.

In what it is calling another round of “LulzXmas festivities,” an Anonymous-affiliated hacktivist group December 29 claimed to have stolen customer information from SpecialForces.com, a Web site that sells military gear. The hackers said they breached the SpecialForces.com site months ago, but only just got around to posting the customer data. Even though the site’s data was encrypted, they claim to have 14,000 passwords and details for 8,000 credit cards belonging to Special Forces Gear customers. Special Forces Gear’s founder confirmed that his company’s Web servers were compromised by Anonymous in late August, resulting in a security breach that allowed the hackers to obtain customer usernames, passwords, and possibly encrypted credit card information in some cases. He added that the compromised passwords were from a backup of a previous version of the Web site that is more than a year old, and that most of the credit card numbers are expired. No evidence of credit card misuse was found, and the site no longer stores customer passwords or credit card information.

Source: http://news.cnet.com/8301-1009_3-57349976-83/anonymous-targets-military-gear-site-in-latest-holiday-hack/?part=rss&subj=latest-news&tag=title

December 29, Help Net Security – (International) Beware of password-protected documents carrying malware.

Symantec researchers have recently spotted malware masquerading as password-protected document files (Word documents, spreadsheets, PowerPoint presentations, and PDFs) being delivered as e-mail attachments, Help Net Security reported December 29. “Attackers are misusing the password feature to encrypt files, most likely to make it difficult for security products to detect them as malware,” said the researchers. “It also makes reverse-engineering the files difficult because they need to be decrypted before analysis can be performed.” As the contents of the files in question are encrypted, some antivirus solutions might not recognize them for what they are immediately but only after they are opened with the password.

Source: http://www.net-security.org/malware_news.php?id=1946&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)
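The evasion described in this item works because a scanner cannot see inside an encrypted container, so a practical mail-gateway mitigation is to identify password-protected attachments and route them to a sandbox or quarantine instead of relying on signature scanning. The Python below is an added example, not code from the newsletter, Help Net Security or Symantec; it keys on the container markers of encrypted PDF, Office (OOXML wrapped in an OLE2 file) and ZIP attachments, uses constructed byte strings rather than real documents, and deliberately leaves legacy binary .doc/.xls encryption flags out of scope.

```python
import struct

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # compound file header
ZIP_LOCAL_HEADER = b"PK\x03\x04"                  # ZIP local file header
# Password-protected OOXML is wrapped in an OLE2 container whose directory
# lists an "EncryptionInfo" stream; OLE2 stores stream names as UTF-16LE.
OOXML_ENC_STREAM = "EncryptionInfo".encode("utf-16-le")


def zip_has_encrypted_entry(data: bytes) -> bool:
    """Walk the ZIP local file headers; bit 0 of the flags word means encrypted."""
    pos = 0
    while True:
        pos = data.find(ZIP_LOCAL_HEADER, pos)
        if pos < 0 or pos + 30 > len(data):  # a local header is 30 bytes long
            return False
        flags = struct.unpack_from("<H", data, pos + 6)[0]
        if flags & 0x0001:
            return True
        pos += 4


def classify_attachment(data: bytes) -> str:
    """Return 'encrypted-pdf', 'encrypted-office', 'encrypted-zip' or 'clear'."""
    if data.startswith(b"%PDF") and b"/Encrypt" in data:
        return "encrypted-pdf"
    if data.startswith(OLE2_MAGIC) and OOXML_ENC_STREAM in data:
        return "encrypted-office"
    if data.startswith(ZIP_LOCAL_HEADER) and zip_has_encrypted_entry(data):
        return "encrypted-zip"
    return "clear"


def triage(attachments: dict) -> dict:
    """Map attachment name -> 'sandbox' for encrypted containers, 'scan' otherwise."""
    return {name: ("sandbox" if classify_attachment(blob) != "clear" else "scan")
            for name, blob in attachments.items()}


# Constructed samples: minimal byte strings carrying only the markers the
# heuristic keys on; they are not real documents or malware.
SAMPLES = {
    "invoice.pdf": b"%PDF-1.7\ntrailer << /Encrypt 5 0 R /Root 1 0 R >>\n%%EOF",
    "report.pdf": b"%PDF-1.7\ntrailer << /Root 1 0 R >>\n%%EOF",
    "quote.docx": OLE2_MAGIC + b"\x00" * 64 + OOXML_ENC_STREAM + b"\x00" * 16,
    "scan.zip": ZIP_LOCAL_HEADER
    + struct.pack("<HHHHHIIIHH", 20, 0x0001, 0, 0, 0, 0, 0, 0, 5, 0) + b"a.txt",
    "plain.zip": ZIP_LOCAL_HEADER
    + struct.pack("<HHHHHIIIHH", 20, 0x0000, 0, 0, 0, 0, 0, 0, 5, 0) + b"a.txt",
}

if __name__ == "__main__":
    for name, action in triage(SAMPLES).items():
        print(f"{name}: {classify_attachment(SAMPLES[name])} -> {action}")
```

The heuristic is intentionally coarse: a false positive only costs a sandbox run, whereas a missed encrypted attachment reaches the user unscanned.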

THE “LIGHTER” SIDE

Every month we’d like to bring you some fun-filled tidbits that we hope might bring a smile to your face.

Much as we are fans of the “Dilbert” comic strip, we can’t reprint any examples of this excellent comic strip here. However, if we could, and if any “Dilberts” existed involving some of the below listed scenarios, imagine the laughs you’d get if you could see Dilbert’s take on some of these true life examples of government in action:

Two FBI Agents, sitting in a car on a day long surveillance arguing about what to do about lunch:

Agent Slim: “Let’s go to McDonald’s, at least I can afford a hamburger there!” Agent Pudge: “No! No! No! I demand we go to Burger King! I want to get the new Simpsons toys that just came out today!” Agent Slim: “But we just went there yesterday! You got Bart on a skateboard, remember?” Agent Pudge: “Oh yeah, you’re right! Well, okay. But we have to go to the McDonald’s in Pacoima, got it?” Agent Slim: “Why Pacoima? We’re sitting here in Santa Fe Springs right now!” Agent Pudge: “Yeah, but the Pacoima MickeyD’s is brand new! They just opened yesterday! If I eat there my goal of eating at every McDonald’s in the Los Angeles area will be reduced by one, leaving me only 293 to go!”


Two FBI Agents, out on surveillance at 4:30 AM, looking for spies:

Agent Slim: “Hey, isn’t that Leonoid leaving the hotel?” Agent Pudge: “Sure looks like him. The car looks right too. We need to follow him right now!” Agent Slim: “Let’s go!” FIVE HOURS AND 150 FREEWAY MILES LATER, a radio call from the FBI Office. RADIO: “Hey Slim and Pudge, aren’t you tailing Leonoid today?” Pudge: “Yeah, we’ve got him here in Santa Barbara right now! He’s heading up to the Reagan Ranch in the Santa Ynez Mountains!” RADIO: “Then how come he’s here at the office right now, defecting?” Agent Slim: “Homina Homina Homina?!?”

Next month, some Green Beret Humor.

PRODUCTS, SERVICES AND PRESENTATIONS

As indicated at the beginning of this newsletter, we will address in future issues some of the products and presentations we will be in a position to provide to the defense community. We also intend to provide service to entities concerned about the protection of trade secrets, intellectual property and proprietary information.

Newsletter Editor: Richard Haidle [email protected] 310.536.9876 x237

Advantage SCI 222 N. Sepulveda Blvd Suite 1780 El Segundo, CA 90245 310.536.9876