Friday, April 8, 2011

Complete DHS Daily Report for April 8, 2011

Daily Report

Top Stories

• Reuters reports a Chinese national who previously worked at an L-3 Communications unit in New Jersey was indicted April 6 on charges he illegally took sensitive military technology to China. (See item 9)

9. April 7, Reuters – (International) Former L-3 worker indicted for data breach. A Chinese national who previously worked at an L-3 Communications unit was indicted April 6 on charges he illegally took sensitive military technology to China, the U.S. Justice Department said. The man, 47, was charged with one count of exporting U.S. defense information without a license and two counts of making false statements to U.S. authorities, according to the indictment by a federal grand jury in Newark, New Jersey. He had previously been charged by criminal complaint, but the company was not identified. He has been detained pending a hearing later the week of April 4. The man worked for L-3’s Space and Navigation unit in New Jersey from March 2009 until November 30, 2010 as an engineer on a precision navigation device. On his return from a trip to Shanghai last November, U.S. Customs and Border Protection agents inspected his laptop and discovered hundreds of documents that belonged to the company involving several technology programs, the indictment said. Some of the material found on his computer included technical data related to defense items that are restricted from export without a license and the man did not have one, according to the indictment. During his 2-week trip to Shanghai in 2010, he presented information at a technology conference, but the indictment said L-3 had not given his permission to present information to outsiders. Source: http://www.aviationweek.com/aw/generic/story.jsp?id=news/awx/2011/04/07/awx_04_07_2011_p0-307312.xml&headline=Former L-3 Worker Indicted For Data Breach&channel=defense

• According to the Miami Herald, four south Florida towns agreed to turn off wastewater treatment plant pumps in response to a massive sewage spill expected to disrupt transportation on Miami Beach streets for days. (See item 27)

27. April 7, Miami Herald – (Florida) Road and traffic a mess after sewage line explodes in Miami Beach. The sewage has stopped spewing, but the traffic was still a mess April 7, the day after a river of dark and dirty water flooded the streets in Miami Beach, Florida. Crews worked overnight to make repairs, but the surrounding roads were still closed. On the morning of April 7, the intersection of Harding Avenue and 71st Street was barricaded to traffic. Police are redirecting cars to neighboring streets, a city spokeswoman said. The traffic disruptions will last a few days, she said. Temporary repairs to the sewer line have been made, with work continuing to shore up the problems while the city awaits material to make permanent repairs. Meanwhile, Miami Beach officials have asked residents to try and limit the amount of waste they send down the drain. People in the vicinity of the rupture, which happened shortly after 10 a.m. April 6, said the street shook and abruptly rose up with a boom. Sewage gushed from a gaping hole in the street, chunks of sidewalk flew into the air, and a river of dark and dirty water flooded the streets and lapped onto the sidewalk. No one was hurt. The cause of the break was not immediately determined. As a precaution, Miami-Dade County environmental regulators have advised people to stay out of some of the waters nearby until safety testing can be completed. The 36-inch line pumps sewage from several coastal municipalities south through Miami Beach to the Miami-Dade County wastewater treatment plant on Virginia Key. Because there is no shutoff valve to redirect the wastewater, four towns — Bal Harbour, Bay Harbor Islands, North Bay Village and Surfside — agreed to turn off their pumps. The break did not affect the supply of drinkable water. Potable water tests in the area came up clean. Source: http://www.miamiherald.com/2011/04/06/2154540/sewage-line-explodes-leaving-beach.html

Details

Banking and Finance Sector

12. April 6, Federal Bureau of Investigation – (National) CFO, accountant plead guilty in New Jersey to roles in $880 million Ponzi scheme. The former chief financial officer and an accountant with Capitol Investments USA, Inc., admitted April 6 to assisting a man in the operation of an $880 million Ponzi scheme linked to a fictitious wholesale grocery distribution business, a New Jersey U.S. attorney announced. The father and son duo each pleaded guilty before a U.S. district judge to a count of securities fraud. According to statements, the two used the company to assist the leader of the scheme in fraudulently obtaining about $880 million between January 2005 and November 2009. The pair admitted Capitol had virtually no income-generating business during that time, and that they assisted in operating the Ponzi scheme by using new investor funds to make principal and interest payments to existing investors. In particular, the defendants admitted to creating, or directing others to create, fraudulent documents which falsely touted the profitability of Capitol’s fictitious grocery diversion business. They admitted that more than 50 victim investors lost between $50 and $100 million as a result of the scheme. The securities fraud charge to which the pair pleaded guilty carries a maximum penalty of 20 years in prison and a $5 million fine. Source: http://7thspace.com/headlines/378151/cfo_accountant_plead_guilty_in_new_jersey_to_roles_in_880_million_ponzi_scheme.html

13. April 6, IDG News Service – (International) Windows servers hacked at The Hartford insurance company. Hackers have broken into The Hartford insurance company and installed password-stealing programs on several of the company’s Windows servers, IDG News Service reported April 6. In a warning letter sent in March to about 300 employees, contractors, and a handful of customers, the company said it discovered the infection in late February. Several servers were hit, including Citrix servers used by employees for remote access to IT systems. A copy of The Hartford’s letter was posted earlier the week of April 4 to the Web site of the Office of the New Hampshire Attorney General. The victims were mostly company employees. Less than 10 customers were affected by the malware, the W32-Qakbot trojan, a company spokeswoman said. Qakbot has been around for about 2 years. Once installed, it spreads from computer to computer in the network, taking steps to cover its tracks as it logs sensitive data and opens up back doors for the hackers to access the network. With 28,000 employees worldwide, the 200-year-old Hartford, Connecticut, firm is one of the country’s largest insurance companies. Source: http://www.computerworld.com/s/article/9215582/Windows_servers_hacked_at_The_Hartford_insurance_company

14. April 5, Federal Bureau of Investigation – (National) FBI releases 2010 bank crime statistics. The FBI April 5 released bank crime statistics for calendar year 2010. Between January 1, 2010 and December 31, 2010, there were 5,546 robberies, 74 burglaries, 8 larcenies, and 13 extortions of financial institutions reported to law enforcement. The total 5,628 reported violations represent a decrease from 2009, during which 6,065 violations of the Federal Bank Robbery and Incidental Crimes Statute were reported. Source: http://www.fbi.gov/news/pressrel/press-releases/fbi-releases-2010-bank-crime-statistics

Information Technology

41. April 7, The Register – (International) Popular open source DHCP program open to hack attacks. The makers of the Internet’s most popular open source DHCP program April 5 warned that it is vulnerable to hacks that allow attackers to remotely execute malicious code on underlying machines. The flaw, which is present in Internet Systems Consortium’s (ISC) dynamic host configuration protocol (DHCP) versions prior to 3.1-ESV-R1, 4.1-ESV-R2, and 4.2.1-P1, stems from the program’s failure to block commands that contain certain meta-characters. The vulnerability makes it possible for rogue servers on a targeted network to remotely execute malicious code on the client, ISC warned. ISC advises users to upgrade. Users can in some cases follow workarounds, which include disabling hostname updates or configuring their systems to access only legitimate DHCP servers in settings where access control lists are in place. DHCP is a system for automatically assigning computers IP addresses on a given network and helping administrators to keep track of those assignments. ISC said its DHCP program is the most widely used open source DHCP implementation on the Internet. Source: http://www.theregister.co.uk/2011/04/07/dhcp_remote_vuln/

42. April 6, The Register – (International) Wordpress backup vuln published. A remote execution vulnerability has been discovered in Wordpress backup utility BackWPup. According to Sydney, Australia company Sense of Security, which published the advisory along with a proof-of-concept, the vulnerability allows local or remote PHP files to be passed to a component of the utility. “The input passed to the component wp_xml_export.php via the ‘wpabs’ variable allows the inclusion and execution of local or remote PHP files as long as a ‘_nonce’ value is known. The ‘_nonce’ value relies on a static constant which is not defined in the script meaning that it defaults to the value ‘822728c8d9’,” the advisory stated. Sense of Security said the vulnerability affects at least BackWPup Version 1.6.1 (the platform on which it has been tested), and users should upgrade to Version 1.7.1. Source: http://www.theregister.co.uk/2011/04/06/wordpress_backup_vuln/

43. April 6, Help Net Security – (International) New Chinese bootkit opens the door to multiple infections. A new bootkit — kernel-mode rootkit variant — has been recently spotted by a Kaspersky Lab researchers, and it looks like it is currently targeting Chinese users only. It is being distributed by a downloader trojan, which is picked up by users when they try to download a video from a bogus Chinese adult site. The bootkit saves the old master boot record (MBR) to the third sector and replaces it with its own. It also installs an encrypted driver and the rest of the code from the fourth sector onwards. Once the computer boots, the malicious code executes itself and restores the original MBR so Windows can be loaded without revealing the existence of the bootkit. “Once a specific part of the system has been booted, the bootkit intercepts the function ExVerifySuite. The installed hook replaces the system driver fips.sys with the malicious driver which was written to the start of the hard drive in an encrypted format,” a Kaspersky expert explained. “It should be noted that the driver fips.sys is not required for the operating system to run correctly, so the system won’t crash when it is replaced.” This driver detects a number of AV solutions and prevents them from working as they should. Among them are solutions from Trend Micro, BitDefender, AVG, Symantec, Kaspersky Lab, ESET, and half a dozen Chinese ones. Having done that, the driver compromises the explorer.exe process and injects into the machine a variant of the bootkit that is also a downloader. “The malicious program sends a request to the server in which it communicates information about the victim computer’s operating system, IP address, MAC address, etc,” the Kapersky expert said. Source: http://www.net-security.org/malware_news.php?id=1685

For another story, see item 13 above in the Banking and Finance Sector

Communications Sector

44. April 6, RedOrbit – (National) Twitter finds technical issues with new site. Microblogging site Twitter experienced a service disruption April 5, resulting in the site having to display an older version to some users. Twitter wrote on its Web site: “We’ve temporarily disabled #NewTwitter. Our engineers are working on re-enabling it and we’ll update you shortly.” Twitter announced in March that it moved its infrastructure to a new home at an undisclosed location, which the company said would allow it to constantly “stay abreast” of its capacity needs and provide greater reliability. However, Reuters reported a custom-built datacenter in Utah that was meant to house Twitter’s gear has been plagued with problems, forcing Twitter to move most of the site’s operations to a facility in Sacramento, California instead. April 5’s disruptions meant that some people were using the version of the Twitter site that preceded a redesign unveiled in September. Other users of the microblogging site were unable to log on at all, and were greeted with a page informing them that “something is technically wrong” and promising to have things “back to normal soon.” Source: http://www.redorbit.com/news/technology/2025220/twitter_finds_technical_issues_with_new_site/