Thursday, May 19, 2011

Complete DHS Daily Report for May 19, 2011

Daily Report

Top Stories

• Associated Press reports the U.S. Coast Guard May 17 shut down for many hours a 15-mile stretch of the swollen Mississippi River near Natchez, Mississippi, idling barges carrying everything from coal and steel to half of America’s grain exports. (See item 16)

16. May 18, Associated Press – (National) Mississippi River segment shut, then reopened to barges. The U.S. Coast Guard (USCG) reopened the swollen Mississippi River north of New Orleans, Louisiana May 17, allowing cargo vessels on the nation’s busiest waterway to pass one by one in the latest effort to reduce pressure from rising floodwaters. A 15-mile stretch at Natchez, Mississippi, had been closed earlier in the day, blocking vessels heading toward the Gulf of Mexico and others trying to return north after dropping off their freight. Had the channel remained closed, it could have brought traffic to a standstill up and down the mighty river, which moves about 500 million tons of cargo each year. And the interruption could cost the U.S. economy hundreds of millions of dollars for every day that it idled barges carrying coal, timber, iron, steel and more than half of America’s grain exports. USCG officials said wakes generated by passing barge traffic could increase the strain on levees designed to hold back the river. Authorities were also concerned barges could not operate safely in the flooded river, which has risen to the level of some docks and submerged others. It was not clear how long barges would be able to move just one at a time through the section. The river is expected to stay high in some places for weeks. The USCG did not have comprehensive figures on how many vessels were immediately affected, but the agency stopped at least 10 near Natchez. In past closures, those numbers have grown quickly. In 2008, the agency halted 59 ships within a day of shutting down a stretch of the river near New Orleans because of a barge and tanker collision. On a typical day, 600 barges move up and down the river, according to a spokesman for the Mississippi Valley Division of the U.S. Army Corps of Engineers. Source: http://www.desmoinesregister.com/article/20110518/BUSINESS01/105180348/Mississippi-River-segment-shut-then-reopened-barges?odyssey=mod%7Cmostview

• According to WCMH, the U.S. Drug Enforcement Administration suspended the prescription-dispensing licenses of four physicians and a pharmacy because of the large volume of controlled substances they dispensed. (See item 32)

32. May 17, WCMH 4 Columbus – (Ohio) 4 Ohio doctors, 1 pharmacy lose licences for controlled substances. The U.S. Drug Enforcement Administration (DEA) has announced that four doctors and a pharmacy operating in Scioto County, Ohio, have had their DEA Certificate of Registration suspended. The Special Agent in Charge said the DEA served Immediate Suspension Orders (ISO) on four physicians and on Prime Pharmacy of Portsmouth. This administrative action suspends the physicians’ and pharmacy’s authority to prescribe or dispense Schedule II-V controlled substances. The ISOs are based on a preliminary finding by DEA that the continued registration of the doctors and pharmacy constitutes an imminent danger to public health and safety. According to the DEA, one of the doctors is one of the largest dispensers of controlled substances in the United States. Two other doctors, both of whom previously worked at Southern Ohio Complete Pain Management in Portsmouth, are responsible for the prescribing of hundreds of thousands of oxycodone products and anti-anxiety medications over the past 2 years. The suspension order at Prime Pharmacy prohibits the employees from continuing to possess, order, or dispense Schedule II – Schedule V controlled substances, such as hydrocodone and oxycodone. In addition, the DEA served notice of an Order to Show Cause on Physicians Pharmacy of Piketon. This is a business that has applied for a DEA Certificate of Registration to handle controlled substances. The physicians and businesses received written notice of the factual and legal basis for this action. All will be given an opportunity for an administrative hearing on the ISOs and the Order to Show Cause. At that time, the physicians and businesses listed above may contest whether the suspension orders should be lifted and their certificates of registration reinstated. Source: http://www2.nbc4i.com/news/2011/may/17/4-ohio-doctors-1-pharmacy-lose-licence-controlled--ar-492425/

Details

Banking and Finance Sector

12. May 18, Santa Maria Times – (California) Woman faces federal fraud charges. A Nipomo, California woman who ran a bookkeeping service in Santa Maria pleaded not guilty May 16 to 18 federal counts involving fraudulent tax returns, identity theft and fraudulent loan applications. The 39-year-old woman was arrested May 16 by special agents with the Internal Revenue Service (IRS) Criminal Investigation Division and the FBI at her office in Santa Maria. She is charged with eight counts of making false claims to the IRS, three counts of aggravated identity theft, five counts of making false statements on loan applications, and two counts of making false statements to the FBI. The indictment alleges the woman stole several people’s identities, and used their names and Social Security numbers on fraudulent tax returns to obtain refunds from the IRS. The returns allegedly listed income the taxpayers did not earn, and claimed credits for a brother and several children and grandchildren who were not the taxpayers’ dependents. The indictment said the fraudulent tax refunds totaled $27,950, but it does not specify if all that money allegedly went to the woman. She is also charged with submitting false personal and corporate income tax returns to Santa Lucia Bank in applications for $1.64 million in loans. The indictment also charges the woman with lying to the FBI twice in 2007 about collaborating with loan officers to create false tax documents and provide false employment verification for borrowers. Source: http://www.santamariatimes.com/news/local/crime-and-courts/article_9709d43e-8116-11e0-ac91-001cc4c03286.html

13. May 17, The Sacramento Bee – (California) Eight arraigned in Sacramento-area mortgage fraud scheme. An indictment returned May 12 by a federal grand jury in Sacramento, California charges eight Sacramento-area residents with wire and mail fraud in connection with an alleged mortgage fraud scheme that involved multiple properties in the Sacramento area and operated from late 2006 to late 2007. The indictment alleges the defendants were responsible for originating more than $16.3 million in residential mortgage loans on 14 homes purchased through so-called straw buyers. All of the homes went into foreclosure, causing losses of approximately $9.6 million, according to a federal Department of Justice news release. According to the indictment, the suspects prepared loan applications containing materially false information about the straw buyers’ income, employment, assets and liabilities, and intent to occupy the residences, and a real estate broker presented the fraudulent applications to lending institutions. They then allegedly created shell companies, or used companies that had no connection with the properties, to submit invoices falsely claiming they had made repairs to the properties. They then received payments from escrow to which they were not entitled, officials said. Source: http://blogs.sacbee.com/crime/archives/2011/05/eight-arraigned.html

14. May 17, Associated Press – (Nebraska) Ex-Nebraska City broker pleads no contest to fraud. The trial of one of two former Nebraska City, Nebraska brokers accused of bilking more than 150 investors out of more than $20 million abruptly ended May 17 when he pleaded no contest to four charges of securities fraud, prosecutors said. One of the suspects originally faced eight felony counts of intentional securities fraud. As part of the plea agreement, prosecutors amended the charges, so they were based on inadvertent omissions of information, not intentional acts. The man and his accomplice were accused of improperly selling risky investments in several interrelated Florida companies to investors. Prosecutors said the two invested clients’ money in high-risk enterprises and never fully explained the risks even though the investors wanted conservative investments because most were near retirement age or already retired. “More than 100 Nebraskans trusted [the two] to invest money they had worked a lifetime to save,” the Nebraska attorney general said in a statement. Last month, a federal judge awarded $30 million to more than 200 investors who claimed they had been defrauded by the pair. That ruling was part of a federal class-action lawsuit investors filed in 2007. Several other lawsuits and arbitration claims have been filed against the former brokers. Source: http://www.businessweek.com/ap/financialnews/D9N9GHVO1.htm

15. May 16, Softpedia – (Alabama) NACHA Spam Gang Starts Using Shortened URLs. The malware distribution gang that sends spam e-mails purporting to come from the Electronic Payments Association (NACHA) has switched to using shortened URLs in its campaigns. Posing as NACHA is not a new technique; it has been used since November 2009, but a new campaign has been going strong for the past few weeks. The fake e-mails carry many different subjects, and the spoofed sender addresses are just as varied. The e-mails tell recipients their ACH (Automated Clearing House) transfers have been canceled or rejected by their financial institution and direct them to a URL for more details. They read: “The ACH transfer (ID: 65388185980), recently sent from your checking account (by you or any other person), was cancelled by the other financial institution. Please click here [link] to view details. If you have any questions or comments, contact us at info@nacha(dot)org. Thank you for using http://www(dot)nacha.org.” The links lead to Web sites that prompt users to install a Java update that is actually a variant of the notorious ZeuS banking trojan. According to the director of research in computer forensics at the University of Alabama at Birmingham (UAB), the gang behind this campaign was known for registering hundreds of domain names for each spam run. However, it recently switched tactics and is now abusing almost three dozen URL shortening services, many of which are obscure and unlikely to respond to abuse reports. The 2mb.eu service was the most abused, based on the spam e-mails collected and analyzed by the UAB department. More than 1,000 malicious shortened URLs have been observed in this campaign. Using this method, spammers keep a high level of variation in their e-mails at a low cost per campaign. Source: http://news.softpedia.com/news/NACHA-Spam-Gang-Starts-Using-Shortened-URLs-200695.shtml
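
A mail-gateway triage check for the lure described above, written as an added example (not code from UAB or from the original report). It looks for the three signals the item gives: NACHA branding, the "ACH transfer (ID: …)" wording, and links that go through a URL shortener rather than to the claimed sender. The sample messages and the shortener host list are constructed; 2mb.eu comes from the report, the other hosts are assumed for illustration.

```python
"""Flag NACHA-themed lure e-mails whose links go through URL shorteners.

Added example, not code from the original report or from UAB. The message
bodies, the shortener list and the triage rule are constructed for illustration;
a real deployment would feed it from the mail gateway's parsed messages.
"""
import re
from urllib.parse import urlparse

# Constructed list of shortener hosts. The report names 2mb.eu as the most
# abused; the remaining hosts are well-known shorteners added as an assumption.
SHORTENER_HOSTS = {"2mb.eu", "bit.ly", "tinyurl.com", "goo.gl", "is.gd", "t.co"}

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
# The lure quoted in the report reads "ACH transfer (ID: <digits>)".
ACH_LURE_RE = re.compile(r"ACH\s+transfer\s*\(ID:\s*\d+\)", re.IGNORECASE)


def extract_urls(body):
    """Return every http(s) URL found in the message body."""
    return URL_RE.findall(body)


def is_shortener(url):
    """True if the URL's host is a listed shortener or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in SHORTENER_HOSTS)


def score_message(sender, subject, body):
    """Return the indicators for one message; 'verdict' is the triage decision."""
    urls = extract_urls(body)
    shortened = [u for u in urls if is_shortener(u)]
    claims_nacha = "nacha" in sender.lower() or "nacha" in body.lower()
    ach_lure = bool(ACH_LURE_RE.search(subject) or ACH_LURE_RE.search(body))
    # A NACHA-branded ACH-cancellation notice whose link goes through a
    # shortener instead of nacha.org is exactly the pattern the report describes.
    suspicious = claims_nacha and ach_lure and bool(shortened)
    return {
        "urls": urls,
        "shortened": shortened,
        "claims_nacha": claims_nacha,
        "ach_lure": ach_lure,
        "verdict": "quarantine" if suspicious else "deliver",
    }


# Constructed sample messages: (sender, subject, body).
SAMPLES = [
    ("alerts@nacha.org", "ACH transfer rejected",
     "The ACH transfer (ID: 65388185980), recently sent from your checking "
     "account (by you or any other person), was cancelled by the other "
     "financial institution. Please click here http://2mb.eu/a1b2c3 to view details."),
    ("payroll@example.com", "Your pay stub",
     "Your pay stub for May is available at https://hr.example.com/stubs/2011-05"),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLES:
        result = score_message(sender, subject, body)
        print(sender, "->", result["verdict"], result["shortened"])
```

The rule deliberately requires all three signals, so ordinary mail that happens to contain a shortened link is not quarantined; a gateway that can also verify the sender domain (SPF/DKIM on nacha.org) should treat a failing check as a fourth signal rather than replace this one.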

For another story see item 49 below in the Communications sector

Information Technology

42. May 18, Help Net Security – (International) New vulnerability reporting framework. The Industry Consortium for Advancement of Security on the Internet (ICASI) published its Common Vulnerability Reporting Framework (CVRF) Version 1.0. CVRF is an XML-based framework that enables stakeholders across different organizations to share critical vulnerability-related information in an open and common machine-readable format. It is intended to replace the myriad nonstandard reporting formats now in use, speeding up information exchange and processing. “CVRF represents a true milestone in industry efforts to raise and broaden awareness of security vulnerabilities,” said the president of ICASI and director of IT Policy and Information Security at IBM. “With the use of CVRF, the producers of vulnerability reports will benefit from faster and more standardized reporting. End users will be able to find, process and act upon relevant information more quickly and easily, with a higher level of confidence that the information is accurate and comprehensive.” Source: http://www.net-security.org/secworld.php?id=11041
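
What consuming a machine-readable advisory looks like on the receiving side, as an added example (not ICASI's code and not a reference implementation). The sample document is constructed and only follows the general shape of CVRF (a cvrfdoc root, DocumentTracking/Identification/ID, Vulnerability entries carrying a CVE and product statuses); the namespace URIs and exact layout are assumptions, which is why the code matches on local element names rather than a fixed schema. The two input checks at the top are there because an advisory feed is untrusted XML from many publishers.

```python
"""Extract vulnerability identifiers from a CVRF-style advisory.

Added example, not ICASI code. The sample below is constructed in a CVRF-like
layout (namespace URIs and layout assumed); CVE identifiers are borrowed from
other items in this report, and the product IDs are placeholders.
"""
import re
import xml.etree.ElementTree as ET

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample document (layout and namespaces assumed for illustration).
SAMPLE_CVRF = """<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.0"
         xmlns:vuln="http://www.icasi.org/CVRF/schema/vuln/1.0">
  <DocumentTitle>Constructed example advisory</DocumentTitle>
  <DocumentType>Security Advisory</DocumentType>
  <DocumentTracking>
    <Identification><ID>EXAMPLE-2011-001</ID></Identification>
    <Status>Final</Status>
    <Version>1.0</Version>
  </DocumentTracking>
  <vuln:Vulnerability Ordinal="1">
    <vuln:Title>Memory corruption in media server</vuln:Title>
    <vuln:CVE>CVE-2010-3864</vuln:CVE>
    <vuln:ProductStatuses>
      <vuln:Status Type="Known Affected"><vuln:ProductID>PROD-1</vuln:ProductID></vuln:Status>
      <vuln:Status Type="Fixed"><vuln:ProductID>PROD-2</vuln:ProductID></vuln:Status>
    </vuln:ProductStatuses>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="2">
    <vuln:Title>Denial of service via malformed XML</vuln:Title>
    <vuln:CVE>CVE-2011-0612</vuln:CVE>
  </vuln:Vulnerability>
  <vuln:Vulnerability Ordinal="3">
    <vuln:Title>Entry with a malformed identifier</vuln:Title>
    <vuln:CVE>CVE-11-1</vuln:CVE>
  </vuln:Vulnerability>
</cvrfdoc>
"""


def local(tag):
    """Strip the namespace from an ElementTree tag: '{uri}CVE' -> 'CVE'."""
    return tag.rsplit("}", 1)[-1]


def iter_local(elem, name):
    """Yield elem and its descendants whose local name is `name`, any namespace."""
    for node in elem.iter():
        if local(node.tag) == name:
            yield node


def text_of(elem, name):
    """Text of the first descendant named `name`, stripped, or None."""
    node = next(iter_local(elem, name), None)
    return node.text.strip() if node is not None and node.text else None


def parse_cvrf(text, max_bytes=5_000_000):
    """Return (document_id, [vulnerability dicts]) for an advisory feed entry.

    Rejects oversized input and any document carrying a DTD: an advisory feed
    has no use for one, and entity-expansion attacks ride on it.
    """
    if len(text) > max_bytes:
        raise ValueError("document too large")
    if "<!DOCTYPE" in text:
        raise ValueError("DTD not allowed in advisory feed")
    root = ET.fromstring(text)
    if local(root.tag) != "cvrfdoc":
        raise ValueError("not a CVRF document")

    tracking = next(iter_local(root, "DocumentTracking"), None)
    doc_id = text_of(tracking, "ID") if tracking is not None else None

    vulns = []
    for v in iter_local(root, "Vulnerability"):
        cve = text_of(v, "CVE")
        statuses = {}
        for st in iter_local(v, "Status"):
            statuses[st.get("Type")] = [p.text.strip() for p in iter_local(st, "ProductID") if p.text]
        vulns.append({
            "ordinal": v.get("Ordinal"),
            "title": text_of(v, "Title"),
            "cve": cve,
            "cve_valid": bool(cve and CVE_RE.match(cve)),  # malformed IDs get flagged, not dropped
            "statuses": statuses,
        })
    return doc_id, vulns


if __name__ == "__main__":
    doc_id, vulns = parse_cvrf(SAMPLE_CVRF)
    print(doc_id)
    for v in vulns:
        print(v["ordinal"], v["cve"], "valid" if v["cve_valid"] else "MALFORMED", v["statuses"])
```

For a production feed use a hardened parser (for example the defusedxml package) instead of the stdlib one, and validate against the published schema once the document has passed the size and DTD checks; local-name matching is a convenience for reading, not a substitute for schema validation.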

43. May 18, H Security – (International) Opera 11.11 closes a critical hole. With the update to version 11.11, Opera developers closed a critical security hole that enables attackers to inject malicious code. The vulnerability is found in the code for processing framesets: certain frame constructions cause a memory error that eventually allows attackers to inject malicious code. Source: http://www.h-online.com/security/news/item/Opera-11-11-closes-a-critical-hole-1245275.html

44. May 16, Softpedia – (International) Google denies Chrome sandbox breach. Google Chrome’s security engineers reject the claim that French vulnerability research outfit VUPEN Security broke out of the browser’s reputed sandbox. Google’s experts argued this was not an attack against the Chrome sandbox itself, but against the Flash Player plug-in bundled with the browser. VUPEN’s founder and head of research does not agree with the counter-claims by Google engineers. “Nobody knows how we bypassed Google Chrome’s sandbox except us and our customers, and any claim is a pure speculation,” he said in a statement. VUPEN has already announced that, according to company policy, it will not disclose details about the exploited vulnerabilities to Google. Instead, the company will share the intelligence with its government customers. The practice draws much criticism from users, even though many 0-day exploits are sold legitimately in this manner. Source: http://news.softpedia.com/news/Google-Denies-Chrome-Sandbox-Breach-200585.shtml

45. May 16, Softpedia – (International) Security updates for Adobe Audition, Flash Media Server and RoboHelp. Adobe has released security updates for several products, including Audition, Flash Media Server, and RoboHelp, that address critical vulnerabilities that could compromise the systems they run on. Two flaws were patched in Adobe Flash Media Server (FMS) for Windows and Linux, one of which could be exploited by attackers to execute arbitrary code on the underlying system. Identified as CVE-2010-3864, the vulnerability is rated as critical and is described as a memory corruption issue. The second flaw, CVE-2011-0612, can lead to a denial of service condition if corrupted XML data is parsed by the server. Adobe said users should install Flash Media Server version 4.0.2 or Flash Media Server version 3.5.6, depending on the branch they are currently running. Two vulnerabilities were also patched in Adobe Audition, the company’s audio editing product, that could be exploited to execute arbitrary code. Identified as CVE-2011-0614 and CVE-2011-0615, the flaws are described as memory corruption issues and were discovered by Zero Science Lab and Core Security Technologies. The vulnerabilities can be exploited by convincing victims to open maliciously-crafted Audition Session (.ses) files. The Audition Session (.ses) format is no longer supported beginning with Adobe Audition CS5.5. Only Adobe Audition 3.0.1 and earlier versions for Windows are affected by these vulnerabilities, and the vendor said users should switch to the XML session format instead of .ses. Also, a manual patch was released for RoboHelp 8, RoboHelp 7, RoboHelp Server 8, and RoboHelp Server 7, which are affected by a cross-site scripting vulnerability. The flaw, CVE-2011-0613, is rated as important and was reported by Jardine Software Inc. It can be fixed by replacing wf_status.htm and wf_topicfs.htm with the patched versions provided by Adobe.
Source: http://news.softpedia.com/news/Security-Updates-for-Adobe-Audition-Flash-Media-Server-and-RoboHelp-200537.shtml

46. May 14, Softpedia – (International) Apache patches denial of service flaw in HTTP server. The Apache Project has released version 2.2.18 of its Web server software package to address a vulnerability that could lead to a denial of service condition. The flaw, identified as CVE-2011-0419, is located in the apr_fnmatch() function of the Apache Portable Runtime. It can be exploited remotely by sending specially crafted requests to Apache Web servers configured with mod_autoindex enabled. The Apache developers encouraged users to upgrade. For those who cannot upgrade, Apache said users can mitigate the risk by setting the “IgnoreClient” option of the “IndexOptions” directive, which stops the server from honoring client-supplied query-string options. Because the flaw is actually located in the Apache Portable Runtime (APR), which is also used in other projects in addition to the Apache HTTP Server, third-party developers are also advised to upgrade the runtime to version 1.4.4 in their applications. The Apache HTTP Server is the most widely used Web server software and has played an important role in the growth of the World Wide Web. Source: http://news.softpedia.com/news/Apache-Patches-Denial-of-Service-Flaw-in-HTTP-Server-200418.shtml
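
A configuration audit for the workaround above, written as an added example (not Apache project code). It reads httpd configuration text, finds <Directory> blocks that enable directory listings, and reports the ones that still lack IgnoreClient in IndexOptions, which is the exposure the item describes for servers that cannot yet move to 2.2.18 / APR 1.4.4. The sample configuration is constructed and shows the weak setting and the corrected one side by side; only the directives relevant to this check are parsed.

```python
"""Audit httpd configuration text for directory listings that still honour
client query-string options (the mod_autoindex exposure for CVE-2011-0419).

Added example, not Apache code. The sample configuration is constructed; the
parser handles only LoadModule, <Directory> blocks, Options and IndexOptions.
"""
import re

# Constructed sample: /pub is the weak setting, /mirror the corrected one.
SAMPLE_CONF = """\
LoadModule autoindex_module modules/mod_autoindex.so

<Directory "/var/www/html/pub">
    Options +Indexes
    IndexOptions FancyIndexing
</Directory>

<Directory "/var/www/html/mirror">
    Options +Indexes
    # Advisory workaround: do not honour client-supplied IndexOptions
    IndexOptions FancyIndexing IgnoreClient
</Directory>

<Directory "/var/www/html/private">
    Options -Indexes
</Directory>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^">]+)"?\s*>', re.IGNORECASE)


def parse_directories(conf):
    """Return {path: {"indexes": bool, "ignore_client": bool}} per <Directory> block."""
    blocks = {}
    current = None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        m = DIRECTORY_RE.match(line)
        if m:
            current = m.group(1)
            blocks[current] = {"indexes": False, "ignore_client": False}
            continue
        if line.lower() == "</directory>":
            current = None
            continue
        if current is None:
            continue                               # directive outside any block
        parts = line.split()
        directive, args = parts[0].lower(), parts[1:]
        if directive == "options":
            for a in args:
                flag = a.lower()
                if flag in ("indexes", "+indexes", "all"):
                    blocks[current]["indexes"] = True
                elif flag in ("-indexes", "none"):
                    blocks[current]["indexes"] = False
        elif directive == "indexoptions":
            for a in args:
                flag = a.lower()
                if flag in ("ignoreclient", "+ignoreclient"):
                    blocks[current]["ignore_client"] = True
                elif flag == "-ignoreclient":
                    blocks[current]["ignore_client"] = False
    return blocks


def autoindex_loaded(conf):
    """True if the configuration loads mod_autoindex dynamically."""
    return re.search(r"^\s*LoadModule\s+autoindex_module\b", conf, re.M) is not None


def exposed_listings(conf):
    """Paths with listings enabled and no IgnoreClient, when mod_autoindex is loaded."""
    if not autoindex_loaded(conf):
        return []
    return sorted(path for path, s in parse_directories(conf).items()
                  if s["indexes"] and not s["ignore_client"])


if __name__ == "__main__":
    for path in exposed_listings(SAMPLE_CONF):
        print("listing without IgnoreClient:", path)
```

Two caveats a real audit has to cover: httpd merges Options and IndexOptions across nested <Directory> sections, .htaccess files and Include'd files, so a per-block reading like this one can miss settings inherited from a parent; and a statically compiled mod_autoindex does not appear as a LoadModule line, so check `httpd -M` output as well. Once the host is on a fixed httpd and APR the workaround is no longer needed, but it is harmless to leave in place.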

47. May 13, Softpedia – (International) Large video game publisher loses data to hackers. Hackers broke into servers belonging to Eidos Interactive, a reputed game publisher now owned by Square Enix, and stole sensitive data. The hackers who orchestrated the attack seem to be affiliated with the Anonymous splinter group that recently took over AnonOps, the hacktivist collective’s IRC network. The target appears to be the Deus Ex Human Revolution Web site. The morning of May 12, the first page of the Web site displayed a message listing the handles and names of the hackers who hacked the site. However, according to IRC logs, the real hackers went by the handles of evo and n` (nigg), two Anonymous members. The handles and names placed on the defaced page were intentional and designed to cause problems for those individuals. The logs, leaked by someone who monitored the hackers’ chat room, revealed evo had particular plans for the deusex.com site. The techniques described are commonly used by cyber criminals to infect computers in drive-by download attacks, which suggests evo might be familiar with this type of activity. Nigg disagreed with the idea because there was not enough time to put it into practice. Instead, they went for the defacement and leaking of captured information. A torrent was uploaded to The Pirate Bay claiming to contain 370 CVs and the Web site’s user database. Square Enix later confirmed eidosmontreal.com and two product Web sites were compromised by a group of hackers. As a result, the company said, up to 350 CVs and 25,000 e-mail addresses used by people to register for updates were stolen. Source: http://news.softpedia.com/news/Large-Video-Game-Publisher-Loses-Data-to-Hackers-200385.shtml

48. May 12, SC Magazine Australia – (International) AusCERT: Cisco IP phones prone to hackers. Contact centers and businesses using a Cisco Internet phone were at risk of having communications intercepted and confidential information leaked, a hacking group demonstrated. A security consultant said VoIP phone systems could be turned against their users: hacked to become networked listening devices or “bugs,” wiretapped remotely, or silenced, blacking out communications. Contact centers, which often use Internet-protocol phones because they are cheap to run, were especially at risk, he said. The researcher, director of the penetration testing firm HackLabs in Sydney, Australia, demonstrated how phone conversations were illicitly recorded, injected with sound, or redirected to expensive and elusive offshore premium numbers. Similarly, a distributed denial-of-service attack could take a phone fleet offline, he said, noting he had seen such attacks cripple networks at Australian companies. The weaknesses result from Cisco’s reliance on Web-based features that add functionality for users at the cost of a larger attack surface. A Cisco spokesman said the company was serious about security and advised users to apply the relevant recommendations in the manual to secure their systems. Source: http://www.scmagazine.com.au/News/257265,auscert-cisco-ip-phones-prone-to-hackers.aspx

For more stories, see items 49 and 51 below

Communications Sector

49. May 18, Help Net Security – (National) SpyEye Trojan attacks Verizon’s online payment page. Trusteer discovered a configuration of the SpyEye Trojan targeting Verizon’s online payment page and attempting to steal payment card information. The attack took place between May 7 and May 13. The chief technology officer of Trusteer explained that, “SpyEye uses a technique called ‘HTML injection’ to modify the pages presented in the victim’s browser, in this particular case the injected HTML is used to capture credit card related data. The attack is invisible to Verizon customers since the malware waits for the user to log on and access their billing page and only then injects an authentic-looking replica Web page that requests this information. Since the user has logged on and has navigated to the familiar billing page, they have no reason to suspect this request for payment information is suspicious,” she added. This practice allows criminals to commit card-not-present fraud on the Internet, and also makes it more difficult for banks to identify the source of fraudulent transactions since they cannot trace it back to a specific computer. Source: http://www.net-security.org/malware_news.php?id=1726
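
A small model of the technique and of one check against it, written as an added example (not Trusteer's or Verizon's code). The first part splices an extra block of form fields into a page the way a man-in-the-browser inject does; the second part compares the fields present in the rendered page with a manifest of the fields the application actually serves and flags the extras, with a further flag for names that look like card-data capture. The billing page, the injected snippet and the manifest are all constructed stand-ins.

```python
"""Model a man-in-the-browser HTML injection and check a rendered page against
the form fields the application is supposed to serve.

Added example, not Trusteer's or Verizon's code. The page, the injected block
and the expected-field manifest are constructed for illustration.
"""
from html.parser import HTMLParser

# Constructed stand-in for the legitimate billing page after login.
BILLING_PAGE = """
<form id="pay" action="/billing/pay" method="post">
  <input type="hidden" name="invoice" value="INV-1001">
  <input type="text" name="amount">
  <input type="submit" name="submit" value="Pay">
</form>
"""

# Constructed stand-in for the block the trojan splices into that page.
INJECTED_FIELDS = """
<p>For your security, please confirm your card details.</p>
<input type="text" name="cc_number">
<input type="text" name="cc_exp">
<input type="text" name="cc_cvv">
"""

# Manifest of the fields the application renders on this page (constructed).
EXPECTED_FIELDS = {"invoice", "amount", "submit"}

# Name fragments that suggest a field is collecting card data (assumed list).
CARD_FIELD_HINTS = ("card", "cc", "cvv", "cvc", "exp", "pan")


def inject(page, marker, snippet):
    """Insert `snippet` right after the first occurrence of `marker`.

    This is the shape of an HTML injection: the page the server sent is
    unchanged on the wire, the browser's copy is edited before rendering.
    """
    idx = page.find(marker)
    if idx < 0:
        return page
    idx += len(marker)
    return page[:idx] + snippet + page[idx:]


class FieldCollector(HTMLParser):
    """Collect the name attribute of every form control in document order."""

    def __init__(self):
        super().__init__()
        self.fields = []

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            name = dict(attrs).get("name")
            if name:
                self.fields.append(name)


def form_fields(html):
    """Return the list of form control names found in `html`."""
    collector = FieldCollector()
    collector.feed(html)
    return collector.fields


def check_page(html, expected):
    """Compare rendered fields with the manifest; flag extras and card-like extras."""
    unexpected = [f for f in form_fields(html) if f not in expected]
    card_like = [f for f in unexpected
                 if any(hint in f.lower() for hint in CARD_FIELD_HINTS)]
    return {
        "unexpected": unexpected,
        "card_like": card_like,
        "verdict": "tampered" if unexpected else "clean",
    }


if __name__ == "__main__":
    print("original:", check_page(BILLING_PAGE, EXPECTED_FIELDS))
    tampered = inject(BILLING_PAGE, '<input type="text" name="amount">', INJECTED_FIELDS)
    print("injected:", check_page(tampered, EXPECTED_FIELDS))
```

Where the comparison runs is the whole question: the trojan owns the browser, so a script on the page can itself be edited out of the DOM, and the server never sees the injected fields because the stolen data goes to the attacker, not to the billing endpoint. The check therefore belongs in something the malware does not control (an endpoint agent or an out-of-band capture of what the user actually saw), and a manifest mismatch is a signal to investigate the endpoint, not a reason to block the transaction on its own.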

50. May 17, Television Broadcast – (National) FCC cracks down on rogue broadcasters. Federal Communications Commission (FCC) agents have been busy in May, issuing more than $250,000 in fines as part of an effort to shut down rogue broadcasters. A majority have targeted pirate radio operations. As of May 17, the FCC had issued $258,000 in fines; $141,000 for operation of unlicensed radio transmitters. On May 5, alone, the commission fined five pirates a total of $50,000. Other violations involve failure to maintain functional Emergency Alert System equipment, inadequately maintained transmitter and tower facilities, excessive power levels, and improper record-keeping. Piracy was most prevalent in the eastern portion of the United States. Source: http://www.televisionbroadcast.com/article/120506

51. May 17, IDG News Service – (International) Some sites struggle to stay up due to Heroku attack. A suspected distributed denial-of-service (DDoS) attack on Heroku, the Ruby platform-as-a-service provider now owned by Salesforce.com, is creating availability issues for its customers. The problems started May 16 when Heroku reported a small number of users, primarily those that point a root domain to Heroku via static Internet Protocol addresses, were getting connection errors. Via its status page, Heroku later told customers it was working with its network service provider to mitigate availability issues caused by what it believed was a DDoS. “The current attack protection procedures have reduced the effects of this attack to intermittent issues,” the status page said. The company Loqize.me, which uses Heroku and had some issues, advised customers via Twitter to try reloading if they were unable to access the site. Another company, Rexly, apologized to customers having trouble using its service due to Heroku’s “hiccups.” NationBuilder.com warned users about issues related to Heroku’s service. Source: http://www.computerworld.com/s/article/9216795/Some_sites_struggle_to_stay_up_due_to_Heroku_attack

52. May 17, Associated Press – (International) US official: solar storms expected to peak in 2013 with potentially devastating effect. A senior official at the U.S. National Oceanic and Atmospheric Administration (NOAA) said solar storms pose a growing threat to critical infrastructure such as satellite communications, navigation systems and electrical transmission equipment. The NOAA Assistant Secretary said the intensity of solar storms is expected to peak in 2013 and countries should prepare for “potentially devastating effects.” Solar storms release particles that can temporarily disable or permanently destroy fragile computer circuits. A former NASA astronaut who in 1984 became the first woman to walk in space, told a United Nations weather conference in Geneva on May 17 that “it is not a question of if, but really a matter of when a major solar event could hit our planet.” Source: http://www.washingtonpost.com/world/us-official-solar-storms-expected-to-peak-in-2013-with-potentially-devastating-effect/2011/05/17/AF9lHh5G_story.htm
