Friday, January 28, 2011

Complete DHS Daily Report for January 28, 2011

Daily Report

Top Stories

• An overnight lockdown, triggered when a vial of the deadly VX nerve agent went temporarily missing, was lifted January 27 at Utah’s sprawling, 801,000-acre Dugway Proving Ground. (See item 13)

13. January 27, Salt Lake Tribune – (Utah) Missing vial of nerve agent triggers Dugway shutdown. An overnight lockdown, triggered when a vial of the deadly VX nerve agent went temporarily missing, was lifted January 27 at Utah’s sprawling, 801,000-acre Dugway Proving Ground. Officials at the remote Army installation, 90 miles southwest of Salt Lake City, ordered gates closed at 5:24 p.m. January 26. Up to 1,500 employees of Dugway — military personnel, contractors and civilian workers — were forced to stay the night. A Dugway spokeswoman said the lockdown was ordered after a “routine inventory of sensitive material in the chemical laboratory ... discovered a discrepancy between the records and the agent on-hand. As a precaution, the commander immediately locked down the installation and began efforts to identify the cause of the discrepancy.” The vial was located, uncompromised, at 3 a.m. January 27 within the facility. Dugway officials did not specify exactly where the vial, containing less than 1 milliliter, or roughly a quarter-teaspoon of the agent, was found — nor did they detail how the vial had gone missing in the first place, or whether anyone was being disciplined as a result of the incident. Dugway houses small amounts of various chemical and biological warfare agents for defense testing purposes; it also is a prime Army base for testing of an array of conventional military weaponry and ammunition. Source:

• A snowstorm walloped the East Coast, stranding thousands of road, rail, and air travelers, knocking out power to more than 500,000 households, and closing down schools, government offices, and courts. (See items 21, 1)

21. January 27, Associated Press – (National) Snowstorm wallops Northeast, piling on the misery. A storm that had been predicted for days caught much of the East Coast off guard with its ferocity, January 26 and 27, tearing through with lightning, thunder, and tons of wet snow, stranding thousands of road, rail, and air travelers. New York got 19 inches, while Philadelphia received 17 inches. In Massachusetts, travel was made trickier with high winds. Gusts of 46 mph were reported in Hyannis, 45 mph in Rockport, and 49 mph on Nantucket January 27. New York declared a weather emergency for the second time since the December 26 storm, which trapped hundreds of buses and ambulances. The city shuttered schools and some government offices, and federal courts in Manhattan closed. New York’s Long Island Rail Road, the nation’s largest commuter rail line, operated on a reduced schedule. At Penn Station, about half the trains listed on the Amtrak departure board were delayed or canceled. Two major New York-area airports, Newark and Kennedy, closed for snow removal but were scheduled to begin taking flights at 10 a.m. Hundreds of flights were canceled at both airports. LaGuardia Airport had 168 cancellations. About 1,500 passengers were stranded overnight at Philadelphia International Airport. Northeast of New York in New Canaan, Connecticut, a Metro-North commuter train ran off the tracks, suspending service. Its two passengers and crew members were not injured. The Philadelphia area’s transit agency, the Southeastern Pennsylvania Transportation Authority, suspended nearly all bus service, and road crews worked through the night to get tons of snow off major arteries. Source:

1. January 27, Washington Post – (Maryland; District of Columbia; Virginia) Washington stumbles to its feet after hard-hitting storm. The Washington, D.C. metro region struggled to regain its footing January 27 after a winter storm that caused at least one death and left the area icy and snowed-under, prompting local governments and schools to close for the day, public transportation to limit service and repair crews to scramble to restore electricity for hundreds of thousands left in the dark by snapped power lines. Though the day dawned to clear skies, morning brought an unwelcome chill to about 422,000 households without power in the region served by Pepco, Dominion Virginia and Baltimore Gas and Electricity (BGE). The Virginia Department of Transportation encouraged people to stay home the morning of January 27 until the roads could be cleared of snow, abandoned cars, trees, and power lines. Major highways, such as Interstate 66 westbound, became filled with cars, trucks and SUVs abandoned on the shoulder, some stuck out into traffic lanes just enough to pose a danger. After a drizzly, dreary start January 26, the storm struck with fury beginning at mid-afternoon, causing whiteout conditions across the region and casting a wintry glaze on roads and sidewalks that sent cars spinning and people tumbling. It is unknown when all power will be returned to customers. Source:


Banking and Finance Sector

17. January 27, Port Clinton News Herald – (Ohio) Perrysburg man charged with eight robberies at five banks. The FBI’s Violent Crimes Task Force has concluded its investigation into a series of bank robberies in the Toledo, Ohio, area and charged a Perrysburg man with robbing five banks a total of eight times. The U.S. Attorney’s Office in Cleveland announced January 26 that the 45-year-old male was charged with the robberies, two of which were committed at the Huntington National Bank branch on Main Street in Genoa. The suspect was already at the Lucas County Jail when the charges were filed. According to the U.S. Attorney for the Northern District of Ohio, the suspect robbed the bank in Genoa May 21 and September 23 last year. The U.S. Attorney said the suspect began robbing Toledo-area banks in November 2009. According to an indictment issued January 24, the suspect took $100,436 in the first seven robberies, including $19,194 during the first Genoa heist. The sum taken from the Genoa bank during the second robbery was not disclosed. The suspect was charged with robbery and kidnapping in Lucas County in November, and pleaded guilty to both counts last week, according to Lucas County Clerk of Courts records. He is scheduled to be sentenced February 1. Source:

18. January 27, Contra Costa Times – (California) Man robs 3 SoCal banks in 30 minutes. A suspect dubbed the “fuzzy-face bandit” held up three banks in Anaheim in about a half-hour January 26, but only came away with cash from one of the heists, authorities said. The man’s crime spree started about 10:45 a.m. at the Wells Fargo branch at 1135 N. State College Blvd., an FBI special agent said. The suspect walked into the bank, gave the teller a note saying he had a gun, and demanded money, the Special Agent said. When the teller did not provide the money fast enough, the robber stormed out and went next door to a Bank of America at 1141 N. State College Blvd., the Special Agent said. He did the same thing at that branch, leaving empty-handed when the teller did not give up the money fast enough. The suspect then went to a Chase bank branch at 5791 E. Santa Ana Canyon Road at 11:17 a.m., and this time left with an undisclosed amount of cash. He was described as a light-skinned Latino man with a husky build, in his late 20s or early 30s and standing 5-foot-7. He was wearing a dark-colored hooded sweatshirt and some sort of dark head covering such as a hat or cap. Source:

19. January 27, WGME 13 Portland – (Maine) Long-time credit union employee accused of embezzling $519K. A female credit union employee, recently honored for being an outstanding employee by Atlantic Regional Federal Credit Union, is now accused of stealing over a half a million dollars from that same employer. The suspect has been named in a civil suit filed by her former employer that accuses her of stealing $519,000 from the credit union where she worked for 23 years. Court papers said the suspect was allegedly taking money belonging to the credit union and putting it in her account and accounts of her friends and family members. She is accused of taking $519,000, but as the FBI investigates, that total is expected to increase. The credit union CEO believes the suspect was embezzling money for at least 6 years, but possibly even longer, dating back to 1990. The CEO also says internal changes have been made to ensure something like this does not happen again. Source:

20. January 26, WTXF 29 Philadelphia – (New Jersey; Pennsylvania) Former cop accused of 7 bank heists. Authorities said a former Bridgeton, New Jersey, police officer who served prison time for official misconduct is in federal custody for allegedly committing at least seven bank robberies in Pennsylvania and New Jersey. The list of suspected heists includes the December 9 robbery of a TD Bank on the 1400 block of Valley Forge Road in Towamencin, according to police in that Montgomery County township. The 33-year-old suspect, who resides in Vineland, New Jersey, was stopped and taken into custody by police in White Haven, Pennsylvania. A witness to a bank robbery in that area November 18 identified a suspect vehicle and contacted police. He reportedly fit the physical description of the suspect in the previous White Haven robbery, and confessed to the other robberies as well, Towamencin police reported in a news release. The suspect was turned over to the FBI and transported to the federal courthouse for the Middle District of Pennsylvania in Scranton to be arraigned. The suspect remains in federal custody, and the U.S. Attorney’s Office is prosecuting the case. Source:

Information Technology

45. January 27, IDG News Service – (International) Hackers turn back the clock with Telnet attacks. A new report from Akamai Technologies showed hackers appear to be increasingly using the Telnet remote access protocol to attack corporate servers over mobile networks. Akamai, which specializes in managing content and Web traffic, issues quarterly reports on Internet traffic trends. The latest report, which covers the third quarter of 2010, showed that 10 percent of attacks from mobile networks are directed at Port 23, which Telnet uses. That marks a somewhat unusual spike for the aging protocol. Telnet is a remote access tool used to log into remote servers, but it has been gradually replaced by Secure Shell (SSH). Administrators are generally advised to disable Telnet when the protocol is not in use, to prevent attacks targeting it, but some forget. Although those attacks originated from mobile networks, Akamai said it did not appear mobile devices were the source. Source:

46. January 27, IDG News Service – (International) Smart cards no match for online spies. The U.S. government has been stepping up its use of smart cards to help lock down its computer networks, but hackers have found ways around them. Over the past 18 months, security consultancy Mandiant has come across several cases where determined attackers were able to get onto computers or networks that required smart cards and passwords. In a report released January 27, Mandiant calls this technique a “smart card proxy.” The attack works in several steps. First, the criminals hack their way onto a PC. Often they will send a specially crafted e-mail message to someone at the network they are trying to break into. The message will include a malicious attachment that, when opened, gives the hacker a foothold. After identifying the computers with card readers, the criminals install keystroke logging software on them to steal the password typically used in concert with the smart card. When the victim inserts the smart card into the hacked PC, the criminals then try to log into the server or network that requires the smart card for authentication. When the server asks for a digital token from the smart card, the criminals redirect that request to the hacked system, and return it with the token and the previously stolen password. Source:

47. January 27, Help Net Security – (International) Multiple vulnerabilities in Symantec products. Multiple vulnerabilities have been reported in Symantec products, which can be exploited by malicious people to cause a Denial of Service attack and compromise a vulnerable system, according to Secunia. The first is an error in the Intel AMS2 component when processing certain messages, which can be exploited to cause a buffer overflow via specially crafted packets sent to TCP port 38292. The second is an error in the Intel AMS2 component when processing certain messages, which can be exploited to run arbitrary commands via specially crafted packets sent to TCP port 38292. The third is an error in the Intel AMS2 component when processing certain messages, which can be exploited to create arbitrary events (e.g. launch a program or send an e-mail) via specially crafted messages sent to TCP port 38292. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. The fourth is an error in the Intel AMS2 component when processing certain messages, which can be exploited to crash the Intel Alert Handler service via specially crafted packets sent to TCP port 38292. The vulnerabilities are reported in Symantec AntiVirus Corporate Edition Server 10.x and Symantec System Center 10.x. Source:

48. January 27, H Security – (International) Opera 11.01 closes critical hole. The new version of the Opera Web browser closes the critical hole reported early the week of January 23; this vulnerability allows attackers to gain control of a computer. The problem was caused by a flaw in the code for processing HTML documents that contain select elements with a large number of child elements. In combination with further tricks, this flaw allows arbitrary code to be injected and executed. The vulnerability affects not only the Windows version, but also those for Mac and Unix, and has been closed in all versions. The updates for all operating systems also correct a browser configuration click-jacking vulnerability and another that allows Web pages to read out local files. Source:

49. January 27, Help Net Security – (International) 5 men busted in relation to Anonymous DDoS attacks. Five men believed to have taken part in recent Anonymous DDoS attacks were arrested in the United Kingdom January 27, during a series of raids coordinated by the Metropolitan Police Service’s Police Central e-Crime Unit. The arrested males — aged 15, 16, 19, 20, and 26 — have been taken to their local police stations in West Midlands, Northants, Herts, Surrey, and London, and are currently in custody, police said. The suspects are likely to be charged with offenses under the Computer Misuse Act 1990. They were probably tracked down by the police because they were using Anonymous’ LOIC tool to DDoS various sites — a tool that actually does not completely anonymize its users’ involvement. The arrests are the result of a months-old investigation the Metropolitan Police has mounted with the help of law enforcement agencies from the United States and various European countries. Source:

50. January 25, Network World – (International) Low-cost SSL proxy could bring cheaper, faster security; defeat threats like Firesheep. Researchers have found a cheaper, faster way to process SSL/TLS with off-the-shelf hardware, a development that could let more Web sites shut down cyber threats posed by the likes of the Firesheep hijacking tool. The technology, dubbed SSLShading, shows how SSL proxies based on commodity hardware can protect Web servers without slowing down transactions, according to a presentation scheduled at the USENIX Symposium on Networked Design and Implementation in Boston March 30 through April 1, 2011. SSL/TLS — the cryptographic protocols used to protect online Web transactions — encrypts traffic from visitors’ machines all the way to Web servers. That makes it impossible to pick up data such as session cookies by preying on unencrypted wireless networks, which is what Firesheep does. Based on an algorithm devised by researchers in Korea and the United States, SSLShading is software that directs SSL traffic being proxied either to a CPU or a graphics processing unit, whichever is most appropriate to handle the current load. The researchers will discuss the algorithm in their paper “SSLShader: Cheap SSL Acceleration with Commodity Processors.” Source:

51. January 24, Darkreading – (International) Active ‘Darkness’ DDoS botnet’s tool now available for free. A free version of a fast-growing and relatively efficient DDoS botnet tool has been unleashed in the underground. The so-called Darkness botnet is best known for doing more damage with less — its creators boasting that it can take down an average-sized site with just 30 bots. Researchers are keeping a close eye on the botnet, which has been very active the past few months. In just the past 3 weeks, for example, Darkness has attacked an average of 1.5 victim sites per day, and about 3 per day in the fourth quarter of 2010, according to data gathered by a research analyst with Arbor Networks’ Asert team. The DDoS botnet appears to originate out of Russia. “It tends to go after targets primarily in Europe, and to a lesser extent, the U.S.,” he said. The director of Shadowserver revealed January 23 that an older version of the bot code, version 6m, had become available for free in various underground forums as of late December 2010, and that Shadowserver was already seeing new Darkness botnet command and control servers waging DDoS attacks. “Darkness requires fewer infected systems, which makes it more efficient,” he said. Source:

Communications Sector

52. January 26, Reuters – (National) Verizon struggles with BlackBerry data traffic. Some Verizon Wireless customers using BlackBerrys have been limited to making voice calls on Research In Motion’s (RIM) smartphone for as long as a week, but Verizon said January 26 the issue was fully resolved. Contributors to a BlackBerry support forum said they had trouble connecting to the Internet, using Internet-based apps and had delayed e-mail delivery since January 25. RIM routes BlackBerry data traffic through its own servers via a carrier’s network, a method not replicated by other smartphones. The company said its service has been operating normally. “There is no outage, and there hasn’t been one,” a Verizon Wireless spokesman said. “Our engineers discovered that a small number of customers in a limited geographic area had technical glitches that resulted in their e-mail being delayed up to an hour,” he said. The Verizon glitch was fully resolved January 25, he said, declining to provide further technical details or say how many customers were affected or where they were located. Source:

53. January 26, Wall Street Journal – (National) Smartphones get more airwaves. The Federal Communications Commission (FCC) approved a request January 26 to allow a satellite broadband start-up funded by investment firm Harbinger Capital Partners to lease its airwaves for traditional mobile phones. The agency approved a request by LightSquared to drop a requirement that airwaves set aside for satellite-phone use aren’t primarily used instead for ground-based phone networks. The FCC’s action means LightSquared can lease its airwaves to companies that offer normal smartphones such as the iPhone, and not pricier satellite-enabled phones. Source:

54. January 26, WTNH 8 New Haven – (Connecticut) Wallingford building evacuated after roof sags. Fire crews in Wallingford, Connecticut, are on the scene of an AT&T building January 26, where there were concerns about the safety of the roof. The building, located on Research Parkway, was evacuated as fire personnel and engineers looked at the sagging roof structure. Other workers were told not to come in to work January 26. Crews were raking the snow off the roof to lighten the weight load. Engineers said the building was structurally safe, and workers could return to their jobs January 27. Source:

55. January 24, Aviation Week – (International) Errant satellite to be back in business soon. Intelsat appears poised to recoup use of Galaxy 15, the wayward “Zombie Sat” that terrorized telecom satellite neighborhoods around the globe until it was brought under control in late December. Intelsat reported January 13 that Galaxy 15 appeared to be in good health following recovery of control in late December, after a 6-month trek that took it past 15 geostationary communications spacecraft. The incident, which occurred April 5, did not lead to substantial interference or service loss. Galaxy 15 arrived at 93 deg. W. Long. January 15 for a complete checkout, including validation of three control-and-command software patches uploaded in December to ensure the incident did not recur. Intelsat said engineers are focusing on firmware in the baseband equipment (BBE) command unit as the source of the Galaxy 15 incident, and they hope further testing will enable them to narrow down and complete the failure review board inquiry initiated under the control of Orbital Sciences Corp., which built the spacecraft. OSC has also uploaded the software patches, which were validated in orbit in October, on other Intelsat spacecraft that use the same Star 2 bus employed in Galaxy 15. Source: Satellite To Be Back In Business Soon