Tuesday, February 22, 2011

Complete DHS Daily Report for February 22, 2011

Daily Report

Top Stories

• According to Reuters, gunmen claiming to represent a powerful drug cartel have threatened to attack isolated natural gas well drillers unless they pay to operate in parts of northern Mexico. (See item 5)

5. February 15, Reuters – (International) Mexican drug gangsters menace natural gas drillers. Gunmen claiming to represent a powerful drug cartel have threatened to attack isolated natural gas well drillers unless they pay to operate in parts of northern Mexico, two industry sources said February 15. The gunmen warned workers they would be killed unless their employer paid protection money to Zetas, a feared drug gang, a senior executive of the company overseeing the construction of the wells told Reuters. The threats are a new twist in Mexico’s bloody drug war, which is hitting businesses near the United States-Mexico border. In one case, the suspected drug gang demanded 10 percent of what Pemex was paying for the gas contract, the company executive said. Security at the well sites is under review, but no drilling has gone ahead there, the executive said. An external consultant employed at Pemex’s Mexico City headquarters confirmed the events. There are believed to be other gangs threatening gas fields, but only the instances involving gunmen identifying themselves as Zetas have been confirmed by company sources. Source: http://news.yahoo.com/s/nm/20110215/wl_nm/us_mexico_drugs_energy

• Ruidoso News reports subzero temperatures damaged pipes causing Ruidoso, New Mexico, to lose 15 million gallons of water and suffer about $1.7 million in infrastructure damage. (See item 37)

37. February 15, Ruidoso News – (New Mexico) Water losses amount to $1.7 million; village working with FEMA. Over the week from February 8 to 15, Ruidoso, New Mexico, lost 15 million gallons of water and suffered about $1.7 million in infrastructure damage, the village’s top administrative official said. “We’re working with the Federal Emergency Management Agency and (the village’s total) puts the state over the $2.3 million threshold, so they will request a national disaster declaration,” the village manager said February 15. By 10:30 a.m. February 15, members of the New Mexico National Guard were on the road back to their bases in Hobbs, Las Cruces, Roswell, and Carlsbad, having completed several days of duty helping the village detect water leaks, shut off service, and reestablish service. While water was turned back on to the Upper Canyon, Black Forest, Flume, Brady, Perk, and Johnson Canyon areas, some homes across the entire village will not have service until absentee owners return and request it. As a precaution, water was turned off at homes that appeared to be seasonally occupied. The total water loss estimated for the past week, since sub-zero record low temperatures damaged pipes, stands at 15 million gallons. The 5 million gallon water storage tanks stayed steady at 38.5 feet depth, as village officials watched for a climb back to the normal 50-foot depth. The village will send out a letter in monthly utility bills informing customers that water was turned off in unoccupied houses because of the freezing temperatures. Source: http://www.istockanalyst.com/article/viewiStockNews/articleid/4896611


Banking and Finance Sector

17. February 18, New York Daily News – (New York) NYPD Commissioner Kelly urges banks to ramp up security against ‘Holiday Bandit’ Marat Mikhaylich. The New York City Police Department (NYPD) police commissioner urged banks to ramp up security with bigger partitions around tellers as authorities intensified their hunt February 17 for the 6-foot-5 “Holiday Bandit.” The robber has pulled seven stickups since early December — including two heists the week of February 14 alone, officials said. He has been hitting branches in Queens, Brooklyn and Staten Island where the barriers around tellers are barely chest-level. “Some of them have bandit barriers, but they are not fully extended to the ceiling and he is tall ... and he can sort of tower over it,” the NYPD commissioner said. The partitions can be a deterrent if they are extended higher, the commissioner added. Two years ago he pushed for a bill to mandate better bank partitions in every bank branch in the city, but city council lawmakers — worried the barriers would scare off customers — nixed the plan. Source: http://www.nydailynews.com/news/ny_crime/2011/02/18/2011-02-18_raise_bank_walls_to_deter_goon_kelly_sez.html

18. February 17, Bakersfield Now – (California) FBI arrest man accused of Bakersfield bank robberies. The FBI has arrested a man accused of robbing 12 banks in California and Arizona, including two in Bakersfield, California. Federal agents informed Bakersfield police February 17 that a 49-year-old male was arrested in Fresno, California. The man will face charges in Arizona first, then face charges in California, police said. The suspect is accused of robbing the Kern Schools Federal Credit Union branch on Ming Avenue December 6 and the Chevron Valley Credit Union on Granite Falls Drive and Coffee Road January 31. It is unknown if he was armed during either robbery, but police said he threatened a teller at Chevron Valley Credit Union. Source: http://www.bakersfieldnow.com/news/local/116443964.html

19. February 17, Freedom Communications, Inc. – (Florida) Bomb threat note left in Wachovia bank drive-through. A bomb threat note was found stuffed in the drive-through window of the Wachovia bank near Destin Commons in Destin, Florida, February 17. The threat was reported to Okaloosa County deputies around 6 p.m., a spokesman with the sheriff’s office said. Deputies did not find any signs of explosives when they checked the premises, the spokesman said. Bomb squads were not called to the scene, he said. Source: http://www.thedestinlog.com/news/bomb-16829-through-destin.html

20. February 17, Softpedia – (National) Fake FDIC emails distribute trojan. M86 Security warned of a new spam run that generates malware-carrying e-mails purporting to come from the Federal Deposit Insurance Corporation (FDIC). M86 said the e-mails are sent by Cutwail, a spam botnet, which at its peak accounted for more than 40 percent of the daily junk mail traffic. The rogue notifications bear a subject of “Important information for depositors of Federal Deposit Insurance Corporation” and carry an attachment called FDIC_Document(dot)zip. The message contained within reads: “Attention! Dear Depositor, this message was sent to you as you had indicated this e-mail address as a contact, by opening an account in your bank department. In order to inform you about the news concerning current business activity of the Company on a timely basis, please, look through the last important changes in current regulations of endowment insurance procedure. Please, refer to more detailed information in the attached document.” One giveaway the e-mails are fake is the From field lists a (at)ups(dot)com address, a remnant from a fake UPS campaign the spammers forgot to change. The malicious executable found inside the attached archive is a variant of SpyEye, a sophisticated banking trojan used to steal financial and personal data from victims. Source: http://news.softpedia.com/news/Fake-FDIC-Emails-Distribute-Trojan-184761.shtml

21. February 17, IDG News Service – (International) Romanian pleads guilty to role in $2.7M eBay scam. A Romanian man has pleaded guilty February 17 to participating in a well-organized scam that took in about $2.7 million from unsuspecting users of online marketplaces such as eBay, Craigslist, and AutoTrader(dot)com. The man, from Bucharest, pleaded guilty to conspiracy, bank fraud, and money laundering charges in U.S. District Court for the District of Illinois, the Department of Justice said February 17. Prosecutors said the man was a money mule whose job was to pick up cash wired to him by online buyers who thought they were purchasing cars, RVs, and motorcycles from legitimate sellers. He is one of 11 people charged in the scam, which dates back to November 2004. The man and his crew used a variety of tricks to fool people into sending their money, typically via Western Union. They hijacked legitimate eBay accounts, sent buyers fake “second chance” offers, or pretended people’s money would be held in escrow until the goods they bought were delivered. Source: http://www.computerworld.com/s/article/9210158/Romanian_pleads_guilty_to_role_in_2.7M_eBay_scam?taxonomyId=18

Information Technology

50. February 18, Softpedia – (International) Security researchers find VoIP account cracking botnet. Security researchers from Symantec have identified a piece of malware designed to brute force the passwords of VoIP accounts in a distributed manner. The trojan, which Symantec describes as a SIP cracker, after the Session Initiation Protocol (SIP) used by VoIP systems, is being installed on computers by Sality. Sality is a family of file infectors with botnet capability that spread by appending their malicious code to executable files, sometimes corrupting them in the process. The Sality botnet is commonly used as a malware distribution platform in a pay-per-install style operation where other cybercriminals pay to have their creations spread. The SIP cracker has been distributed by Sality for months with few people noticing, and it is noteworthy because it is the first such malware to be found in the wild. The SIP cracker contacts its command and control (C&C) server and asks for an IP range to probe. It then performs checks on IP addresses in that range to determine whether any correspond to a SIP server. When a server is identified, the bot tries to register an account on it using a list of usernames and passwords received from the C&C. If any attempt succeeds, it reports the working credentials back to the C&C. Because the work is spread across many infected hosts, each SIP server may see only a modest number of attempts from any single source, so detection should look at the rate of failed registrations and the number of distinct usernames tried, not just the volume from one address. Source: http://news.softpedia.com/news/Security-Researchers-Find-VoIP-Account-Cracking-Botnet-184990.shtml
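The defensive counterpart to the behaviour described in item 50 is detecting the distributed REGISTER guessing on the PBX side. The following is an added example written for this report, not code from Symantec or from the malware: it parses registration-failure notices in the style of Asterisk’s chan_sip log lines (the sample lines are constructed, the IP addresses are documentation ranges, and the thresholds are assumptions to be tuned per site) and flags any source that fails against several distinct usernames inside a short sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of Asterisk's chan_sip registration
# failure notices. Illustrative data only, not a capture from the campaign
# described in the report.
SAMPLE_LOG = """\
[2011-02-17 10:21:05] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@10.0.0.5>' failed for '198.51.100.23:5060' - Wrong password
[2011-02-17 10:21:06] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@10.0.0.5>' failed for '198.51.100.23:5060' - No matching peer found
[2011-02-17 10:21:06] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@10.0.0.5>' failed for '198.51.100.23:5060' - Wrong password
[2011-02-17 10:21:07] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@10.0.0.5>' failed for '198.51.100.23:5060' - Wrong password
[2011-02-17 10:21:08] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@10.0.0.5>' failed for '198.51.100.23:5060' - Wrong password
[2011-02-17 10:21:09] NOTICE[1234] chan_sip.c: Registration from '"105" <sip:105@10.0.0.5>' failed for '198.51.100.23:5060' - Wrong password
[2011-02-17 10:25:40] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@10.0.0.5>' failed for '192.0.2.77:5060' - Wrong password
[2011-02-17 11:02:13] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@10.0.0.5>' failed for '192.0.2.77:5060' - Wrong password
"""

# One regex for the notice format: timestamp, attempted username, source IP, reason.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'\"(?P<user>[^\"]*)\"[^']*' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)


def parse_line(line):
    """Return a dict for a registration-failure line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "user": m.group("user"),
        "ip": m.group("ip"),
        "reason": m.group("reason"),
    }


def detect_sip_bruteforce(log_text, window=timedelta(seconds=60),
                          max_failures=5, min_users=3):
    """Flag source IPs with >= max_failures failed REGISTERs against
    >= min_users distinct usernames inside any sliding window of `window`.
    Returns one alert per offending IP describing its densest window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(span) >= max_failures and len(users) >= min_users and (
                best is None or len(span) > best["failures"]
            ):
                best = {
                    "ip": ip,
                    "failures": len(span),
                    "distinct_users": len(users),
                    "first": span[0]["ts"],
                    "last": span[-1]["ts"],
                }
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_sip_bruteforce(SAMPLE_LOG):
        print(alert)
```

Requiring several distinct usernames, not just repeated failures, separates an enumeration sweep from a single misconfigured phone retrying one account (the 192.0.2.77 lines above). Because the bots work from a C&C-supplied IP range, the same source will typically show up on more than one PBX, so the per-IP alerts are worth aggregating across systems before blocking.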

51. February 17, Softpedia – (International) New Steam phishing campaign spotted. Security researchers from Sophos warned that Steam users were being targeted in a new phishing attack that uses fake e-mails threatening them with account suspension. The e-mails bear the subject “Warning! Your steam account will be suspended?” and have a forged “From” field to appear as if they originate from support(at)steampowered(dot)com. The attackers are probably abusing a legitimate Steam e-mail template, because the body has a well designed header and footer displaying the Steam and Valve logos. The lure used in this phishing attack is a traditional one: the threat of something happening to the recipient’s account. The link included to “reconfirm” the account appears to point to a location on the support(dot)steampowered(dot)com Web site, but in reality takes users to a phishing page that tries to steal log-in credentials. Because the From field is forged to the real support address, a check of the sender alone will not catch this message; the mismatch between the link’s displayed text and its actual destination is the reliable indicator. Steam is the largest gaming digital distribution platform, with more than 30 million monthly active users and more than 1,200 games available for purchase and download. Steam accounts can be valuable to cybercriminals because they can be associated with payment information. Source: http://news.softpedia.com/news/New-Steam-Phishing-Campaign-Spotted-184984.shtml
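Items 20 and 51 describe two different giveaways: a From address whose domain does not belong to the organization the message claims to be from (the FDIC lure sent from a (at)ups(dot)com address), and an anchor whose visible text shows one host while its href goes elsewhere (the Steam “reconfirm” link). The following added example, written for this report and not taken from M86, Sophos or any vendor tool, applies both checks to raw RFC 822 messages and also flags archive attachments of the kind the FDIC campaign used. The two sample messages and the brand-to-domain table are constructed for the example; the destination host in the Steam sample is a documentation name, not the real phishing site.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed table: subject keywords -> sender domains we would expect for
# that brand. An assumption for the example, not a published list.
EXPECTED_SENDER = [
    (("fdic", "federal deposit insurance"), {"fdic.gov"}),
    (("steam", "valve"), {"steampowered.com", "valvesoftware.com"}),
]

# Constructed sample modelled on the FDIC lure: From is a ups.com address,
# attachment is a zip archive. The base64 body is filler, not a real archive.
FAKE_FDIC = """\
From: "FDIC" <notice@ups.com>
To: depositor@example.org
Subject: Important information for depositors of Federal Deposit Insurance Corporation
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Dear Depositor, please refer to more detailed information in the attached document.
--b1
Content-Type: application/zip; name="FDIC_Document.zip"
Content-Disposition: attachment; filename="FDIC_Document.zip"
Content-Transfer-Encoding: base64

UEsDBAoAAAAAAA==
--b1--
"""

# Constructed sample modelled on the Steam lure: From is forged to the real
# support address, so only the link text/href mismatch gives it away.
FAKE_STEAM = """\
From: Steam Support <support@steampowered.com>
To: player@example.org
Subject: Warning! Your steam account will be suspended?
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>Please <a href="http://steam-reconfirm.example.net/login">https://support.steampowered.com/reconfirm</a> your account.</p></body></html>
"""

LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML part."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, or of bare text like 'support.example.com/path'."""
    t = url_or_text.strip()
    if "://" not in t:
        t = "http://" + t
    return (urlparse(t).hostname or "").lower()


def registered_domain(host):
    """Crude last-two-labels domain; a public-suffix list would be more exact."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyze(raw_message):
    """Return a list of finding strings for one raw RFC 822 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    _, addr = parseaddr(str(msg.get("From", "")))
    from_dom = registered_domain(addr.rpartition("@")[2].lower())
    subject = str(msg.get("Subject", "")).lower()
    for keywords, domains in EXPECTED_SENDER:
        if any(k in subject for k in keywords) and from_dom not in domains:
            findings.append(f"sender-mismatch: subject claims {keywords[0]} but From is {from_dom}")

    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = AnchorCollector()
            collector.feed(part.get_content())
            for href, text in collector.anchors:
                if LOOKS_LIKE_URL.match(text) and \
                        registered_domain(host_of(text)) != registered_domain(host_of(href)):
                    findings.append(f"link-mismatch: text {text!r} but href host {host_of(href)}")
        filename = part.get_filename()
        if filename and filename.lower().endswith(".zip"):
            findings.append(f"archive-attachment: {filename}")
    return findings


if __name__ == "__main__":
    for name, raw in (("FDIC", FAKE_FDIC), ("Steam", FAKE_STEAM)):
        print(name, analyze(raw))
```

The Steam sample passes the sender check, which is the point: the From header is trivially forged, so the link comparison has to be done on the rendered text against the real href. The registered-domain comparison is deliberately coarse (two labels); a public-suffix list would be the production choice, and the subject-keyword table would grow into a proper brand list.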

52. February 17, Softpedia – (International) Java security update fixes critical vulnerabilities. Oracle has released security updates for Java SE and Java for Business to address multiple vulnerabilities, some of which allow attackers to take control of computers. The update addresses a total of 21 vulnerabilities in JDK and JRE 6 Update 23 and earlier, JDK 5.0 Update 27 and earlier, and SDK 1.4.2_29 and earlier. Nineteen of the flaws can be exploited remotely without any need for authentication and can affect the confidentiality, integrity, and availability of data to various degrees. Eight vulnerabilities carry the highest possible CVSS base score of 10.0, which means they have a critical impact and can be exploited to execute arbitrary code. The impact is higher on Windows than on Linux or Solaris, because by default Java runs with administrative privileges on the former. Vulnerabilities normally rated 10.0 have a 7.5 score if Java runs under a non-admin user, since the confidentiality, integrity, and availability impacts then drop from “complete” to “partial” in CVSS terms. By exploiting lower-impact flaws that do not allow arbitrary code execution, attackers can still access sensitive information, bypass restrictions, or trigger denial of service conditions. The vulnerabilities are caused by errors in a wide array of components, including Deployment, Sound, Swing, HotSpot, Install, JAXP, 2D, JDBC, Launcher, Networking, XML Digital Signature, and Security. Source: http://news.softpedia.com/news/Java-Security-Update-Fixes-Critical-Vulnerabilties-184935.shtml

53. February 17, Computerworld – (International) Microsoft downplays threat of new Windows zero-day. Microsoft February 16 downplayed the threat posed to Windows users by a recently revealed vulnerability, saying it was unlikely the bug could be exploited to compromise a computer. The flaw in the Windows Server Message Block (SMB) network and file-sharing protocol was disclosed February 14 by someone identified only as “Cupidon-3005” on the Full Disclosure security mailing list. Cupidon-3005 posted proof-of-concept code to the list. French and Danish researchers later said hackers might be able to exploit the bug to hijack Windows PCs. Microsoft said February 16 this was not so. “Based on our initial investigation, this vulnerability cannot be leveraged for remote code execution on 32-bit platforms,” a general manager in the Microsoft Security Response Center said. “We are still investigating the possibility of code execution on 64-bit platforms, but so far have not found a likely scenario that would result in reliable code execution.” Source: http://www.computerworld.com/s/article/9210058/Microsoft_downplays_threat_of_new_Windows_zero_day

54. February 17, Help Net Security – (International) Moderately critical MS Windows vulnerability revealed. Information about a Microsoft Windows SMB browser election request parsing vulnerability turned up February 15 on the Full Disclosure mailing list, and further investigation led Secunia to rate it as “moderately critical.” According to the company’s security advisory, the vulnerability affects various editions of Windows Server 2003 and Windows Storage Server 2003, and can be used by malicious users to cause a denial of service or possibly compromise a vulnerable system. “The vulnerability is caused due to an integer underflow error when processing a Browser Election request. This can be exploited to cause a buffer overflow via an overly long Server Name string sent in a specially crafted packet,” explains Secunia. The flaw can be exploited only from the local network, and only against a system acting as the Master Browser for its subnet, which narrows exposure to one host per broadcast domain. There is currently no patch available, so users are advised to restrict access within a broadcast domain to trusted hosts only. Source: http://www.net-security.org/secworld.php?id=10622

For another story, see item 21 above in the Banking and Finance Sector

Communications Sector

55. February 18, Denver Post – (National) Powerful solar flare disrupts ground communications. A powerful solar flare that has triggered one of the largest space weather storms in at least 4 years has disrupted some ground communications, University of Colorado-Boulder (CU) scientists said. Solar coronal mass ejections, such as February 15’s Class X flare, can cause a variety of socioeconomic and safety issues such as disruption of airline navigation systems, satellite operations, power grids and safety of airline crews and astronauts. “The sun is coming back to life,” the director of CU’s Laboratory for Atmospheric and Space Physics said. The National Oceanic and Atmospheric Administration said several more strong ejections may reach Earth’s atmosphere by the end of the week of February 14. “We understand much more about what is happening and can build more robust systems to withstand the effects,” the director said. “It will be interesting to see how well our technological systems will withstand the rigors of space weather as the sun gets back to higher activity levels.” Source: http://www.denverpost.com/breakingnews/ci_17422606

56. February 17, DoD Buzz – (National) New wireless tech jams GPS. The Deputy Secretary of Defense has raised concerns with the Federal Communications Commission (FCC) about a new technology used by a company called LightSquared that jams military and civilian Global Positioning System (GPS) signals. The Federal Aviation Administration (FAA) shares the Pentagon’s worries. The head of Air Force Space Command disclosed these concerns at the Air Force Association winter conference February 17. He told reporters an unnamed GPS company had tested its gear and found that LightSquared’s towers, built to generate a 4G wireless network, completely jammed reception. FCC recently granted a conditional license to the company to begin building its network using L-band spectrum “right next to” the GPS signal, he said. The conditional license requires LightSquared to prove it does not jam other signals. The company would operate only in the United States. FCC has told the company to work with the federal government and the GPS industry in a working group to find answers to the jamming problems. The members and goals of the working group are to be presented to FCC by February 25. Source: http://www.dodbuzz.com/2011/02/17/new-wireless-tech-jams-gps/