Tuesday, August 23, 2011

Complete DHS Daily Report for August 23, 2011

Daily Report

Top Stories

• A hurricane that flooded streets and knocked out power to more than 1 million customers in Puerto Rico was headed toward the southeast U.S. coast August 22. – msnbc.com; Reuters; Associated Press (See item 1)

1. August 22, msnbc.com; Reuters; Associated Press – (Puerto Rico; International; National) Hurricane Irene grows on path to US Southeast. Hurricane Irene could be a major storm with winds above 110 mph when it reaches the Southeast U.S. coast, the U.S. National Hurricane Center warned August 22 as Puerto Rico cleaned up and the Dominican Republic geared up. Puerto Ricans awoke to flooded and debris-strewn streets following the overnight passage of Hurricane Irene, which was moving just north of the Dominican Republic as a Category 1 hurricane. The first hurricane of the 2011 Atlantic season flooded streets, knocked down trees throughout the island, caused several rivers to overflow their banks and left more than 1 million Puerto Ricans without power. But there were no immediate reports of any deaths. Most computer forecast models show Irene swinging up parallel to Florida's east coast starting August 25 with possible eventual landfall on the Georgia or South Carolina coast August 27. Forecasters said a low pressure trough over the eastern United States was expected to shift Irene's track to the east, reducing the risk of a direct landfall in densely populated South Florida. After landfall, Irene could still be felt farther north as a hurricane or tropical storm. "Irene has the potential to implicate millions from the Southeast coast to the New England coast," a Weather.com meteorologist wrote. Source: http://www.msnbc.msn.com/id/44218395/ns/weather/?GT1=43001#.TlKbp2Eg2Tw

• Flash flooding on a main street in Pittsburgh killed 4 people, stranded dozens of vehicles, and prompted emergency officials to rescue 11 people August 19. – Associated Press (Seeitem 23)

23. August 20, Associated Press – (Pennsylvania) 4 dead after flash floods in Pittsburgh. Searchers August 20 found the body of a woman who was reported missing in flash flooding in Pittsburgh that killed three other people. The body was found following a search by about 40 rescue workers, said the deputy director of the Pittsburgh Office of Emergency Management. The flash floods August 19 sank more than a dozen vehicles. Paramedics in boats plucked people from water up to 9 feet high. The other victims were a woman and two children who died after their vehicle was submerged and pinned to a tree, authorities said. A pair of storms pounded the city, overwhelming the drainage system and causing manhole covers to pop off the road, officials said. Water rose to 9 feet in some places along Washington Boulevard, a main road that runs near the Allegheny River. Some 2.1 inches of rain fell in an hour during the evening rush, said a National Weather Service meteorologist. But an earlier storm meant the region was drenched by 3 to 4 inches of rain overall August 19. The rainfall overwhelmed a pair of pipes 9 feet in diameter with a force powerful enough to blow off 60-pound manhole covers, the deputy director said. The police chief said 18 vehicles were stranded in the high water, and 11 people were rescued. People were clinging to trees, poles, and car roofs, KDKA 2 Pittsburgh reported. The water receded by the evening of August 19, but the mud-caked road remained closed August 20 as emergency crews worked to clear the stranded cars. Source: http://www.msnbc.msn.com/id/44211953/ns/weather/

Details

Banking and Finance Sector

13. August 20, KABC 7 Los Angeles – (California) Triple threat bandit' hits 3 OC banks in 90 minutes. A brazen robber hit three different Orange County, California banks within 90 minutes August 19, earning him the nickname "triple threat bandit." Police said the man first hit the Orange County Credit Union on South Harbor Boulevard in Fullerton, then the Union Yes Federal Credit Union on West Chapman Avenue in Orange, then the U.S. Bank on Beach Boulevard in Buena Park. The three robberies were all conducted in a 90-minute span starting at 9:30 a.m. The suspect was described by witnesses as a black man in his 30s, weighing over 200 pounds with a muscular build. He was seen wearing a white polo-style shirt with blue jeans and may have been carrying a black backpack. In each robbery, he approached the teller and passed a note demanding large bills in 100s and 50s. No weapon was seen during the robberies. Source: http://abclocal.go.com/kabc/story?section=news/local/orange_county&id=8317700

14. August 19, Federal Bureau of Investigation – (National) Real estate agent indicted in $50 million mortgage fraud scheme. A federal grand jury in Brooklyn, New York, returned an indictment August 19 charging a realtor with participating in a mortgage fraud scheme where he and others fraudulently obtained more than $50 million in loans. The indictment alleges the defendant conspired to defraud financial firms, including Bank of New York, JP Morgan Chase, Citibank, N.A., Countrywide Financial, Flushing Savings Bank, Fremont Investment and Loan, HSBC Bank USA, N.A., IndyMac Bank, One West Bank, U.S. Bank, and Wells Fargo & Company, and wholesale mortgage lenders, including New Century Mortgage Corporation and Ocwen Financial Corporation. He was charged with one count of conspiracy to commit bank and wire fraud, and 10 counts of bank fraud. As detailed in the indictment, from 1995 to 2009, the suspect was a licensed real estate broker in New York, and also acted as a loan officer. As part of the alleged scheme, he submitted false loan applications and supporting documents to make borrowers of mortgage loans appear to be more creditworthy than they actually were. Additionally, at the closings, he prepared and submitted documents that falsely misrepresented whether the borrowers actually made any payments to the sellers, and understated the amounts of his real estate commissions and loan fees. In doing so, the suspect prevented the financial institutions from discovering that his fees exceeded those permitted by the institutions. Many of the homes involved were ultimately lost in foreclosures because the borrowers could not afford to make their mortgage payments. Source: http://www.fbi.gov/newyork/press-releases/2011/real-estate-agent-indicted-in-50-million-mortgage-fraud-scheme

15. August 19, Omaha World-Herald – (International) Hackers steal $217,000 from MECA. Computer hackers broke into the Metropolitan Entertainment and Convention Authority's (MECA) computer and payroll systems last month and stole $217,000, according to a computer security blogger who detailed the crime in an online post. The MECA August 18 acknowledged it was a victim in July of what it called an "Eastern European based cyber scheme." But the agency that runs the CenturyLink Center Omaha and TD Ameritrade Park declined to discuss the case in detail. Although $217,000 was stolen, the MECA was able to reverse a $147,000 fraudulent transfer, leaving $70,000 unrecovered. In its statement, the MECA said was in close contact with the FBI, and the local FBI office said it is investigating. MECA's chief financial officer said the problems started when an employee opened an e-mail attachment infected with a virus that steals passwords. After gaining entry, the hackers used the MECA's own online banking credentials to add at least six people, so-called money mules, to the payroll, according to a post on Krebsonsecurity.com. The post said the MECA has since added security features to its online banking account. The MECA, in its statement, said it retained a national security technology firm and ran an extensive forensic analysis that determined the incident was isolated to one computer. No personal information about employees or guests was compromised, the MECA said. Source: http://www.omaha.com/article/20110819/NEWS97/708199921

16. August 19, Nextgov.com – (National) Auditors: IRS plan compromises security for e-payment users. The Internal Revenue Service (IRS) glossed over computer security in planning for a new tax return law that applies to e-payment processors, government investigators said in a report released August 18. The agency's strategy for applying the law "does not consider the security of the computer systems being planned and changed or the new data being received," the Treasury Inspector General for Tax Administration's (TIGTA) deputy inspector general for audit wrote in a July 26 report released August 18. The new provision will require the IRS to store the names, addresses, and taxpayer identification numbers, or TINs, of the sellers that each third-party processor submits. Small vendors often use their Social Security numbers as their TINs, so the reporting could put them at greater risk of identity theft, say some privacy groups, such as the Center for Democracy and Technology. On August 19, a TIGTA spokesman said the IRS has since informed auditors that, after the review, the agency added particulars on computer security to its roll-out plan. Source: http://www.nextgov.com/nextgov/ng_20110819_2747.php

17. August 19, New York Daily News – (New York; Indiana) Bank robber that threatened to 'shoot anybody' nabbed on Greyhound bus. A bank robber wanted in four armed heists in New York City was captured August 19 in Indiana on a Greyhound bus, authorities said. The man's welcoming party at a bus depot in Terre Haute, Indiana, included FBI agents and Indiana state police officers. The bust was about 800 miles from New York and just a day after authorities say he robbed two Chase bank branches — one in Manhattan and the other in the Bronx. The suspect, according to the feds, marched into a Chase bank on Fifth Avenue near E. 27th St. about 11:45 a.m. August 18. He took out a gun, passed a note to a teller, and demanded cash, police said. In the note, he threatened to "shoot anybody," a source said. A little more than an hour after the Manhattan robbery, he walked into a bank on W. 225th Street near Broadway, in Marble Hill. He pulled out a gun and passed a note to a teller — again demanding cash, police said. It is not clear how much cash he got away with. At one of the robberies, he left behind a note threatening law enforcement, a federal investigator said. The suspect is wanted for two similar heists at the Chase bank on Broadway near W. 90th Street June 8, and another on Broadway near W. 109th Street July 27.The suspect will be extradited back to New York where he faces federal bank robbery charges, officials said. Source: http://www.nydailynews.com/news/ny_crime/2011/08/19/2011-08-19_bank_robber_that_threatened_to_shoot_anybody_nabbed_on_greyhound_bus.html

18. August 18, Department of Treasury – (International) President Obama signs new Executive Order isolating the government of Syria from the U.S. financial system, imposes sanctions against Syria’s energy sector. The U.S. President signed an Executive Order (EO) imposing additional sanctions against the Government of Syria August 18, freezing any assets of the Government of Syria in the United States and banning the importation into the United States of petroleum or petroleum products of Syrian origin. Responding to the continuing escalation of violence against the people of Syria, the EO reflects the ongoing commitment of the United States to ensure any assets of the Syrian government subject to U.S. jurisdiction cannot be used to further the Syrian regime’s campaign of violence and repression against Syrian citizens. The EO significantly escalates financial pressure on the Government of Syria, which includes its agencies, instrumentalities, and controlled entities, by denying it access to the U.S. financial system, and prohibiting U.S. persons from engaging in transactions or dealings with it. Source: http://www.treasury.gov/press-center/press-releases/Pages/tg1280.aspx

Information Technology Sector

39. August 22, Softpedia – (International) New DroidDreamLight variant found in Android Market. Security researchers from Trend Micro identified a new variant of the DroidDreamLight trojan posing as an APK management app in Google's official Android Market. The trojanized app is called App Installer and had been downloaded 50 to 100 times before being removed by Google's staff. Upon installation, the app registers a service called AppUseService that is started every time a phone call is initiated or received. The app sends device identification data such as model, IMEI, IMSI, language, and country to a command and control server. A list of installed apps together with their version is also uploaded. This variant uses another name for the encrypted configuration file, however, the DES encryption key is the same as in previous versions. Because the trojan does not use a root exploit to deploy its components, the Trend Micro researchers believe that it employs social engineering to trick users into installing it. Source: http://news.softpedia.com/news/New-DroidDreamLight-Variant-Found-in-Android-Market-217851.shtml

40. August 22, threatpost – (International) Serious crypto bug found in PHP 5.3.7. The maintainers of the PHP scripting language warned users about a serious crypto problem in the latest release and advised them not to upgrade to PHP 5.3.7 until the bug is resolved. PHP 5.3.7 was released the week of August 15, and that version contained fixes for a slew of security vulnerabilities. But now a serious flaw has been found in the new release related to the way one of the cryptographic functions handles inputs. In some cases, when the crypt() function is called using MD5 salts, the function will return only the salt value instead of the salted hash value. The problem does not occur when using Blowfish or DES, only with MD5. The initial bug report on the problem in the PHP system appeared August 17, the day before the public stable release of PHP 5.3.7. "If crypt() is executed with MD5 salts, the return value consists of the salt only. DES and BLOWFISH salts work as expected,," the report said. Several other users reproduce the problem on various other platforms. The PHP Group, which maintains the scripting language, said in a bug report on the crypt () problem that it has fixed the issue in an intermediate build, and plans to release a new stable version of PHP soon. PHP is one of the more widely used scripting languages and is a frequent attack vector for Web-based attacks. Because of its popularity, PHP vulnerabilities and attacks can potentially affect millions of users. Source: http://threatpost.com/en_us/blogs/serious-crypto-bug-found-php-537-082211

41. August 22, Ubergizmo – (International) Nokia Developer forum hacked. A hacker by the name of mrNRG recently broke into the Nokia Developer forum, and defaced it by redirecting anyone who visited it to another page with his own message. Nokia removed the redirection and got the site back up and running. It is unknown if the company implemented any new security measures or if anything was stolen, but developers who use the forum are advised to change their forum passwords and the passwords of their other Internet accounts if they are the same. Source: http://www.ubergizmo.com/2011/08/nokia-developer-forum-hacked/

42. August 20, Softpedia – (International) Some mobile trojans are part of commercial spying services. Security researchers from Trend Micro identified a commercial service offered by a Chinese Web site that allows people to distribute a mobile trojan and receive the data stolen by it. The service's customers have the ability to customize the trojan and input the victim's phone number. This will lead to a malicious MMS being sent to the targeted individual. If the trojan is successfully deployed, the attacker can see the information sent back to the command and control service through the Web portal. The stolen data includes SMS messages, phone calls, GPS location, and e-mail messages. According to the Trend Micro researchers, the service costs $300 to $540. The trojan currently works on Symbian and Windows Mobile, but security experts are expecting an Android version to be launched too, especially since trojans with similar characteristics have been observed on Google's platform. Source: http://news.softpedia.com/news/Some-Android-Trojans-Are-Part-of-Commercial-Surveillance-Services-217726.shtml

43. August 20, Softpedia – (International) UK man accused of attacking multiple Facebook servers. A 25-year-old British man has been charged with hacking into multiple Facebook servers that handled internal and external services. The student from York is accused of repeatedly bypassing Facebook's security and accessing its protected systems. He was arrested by Metropolitan Police Central e-Crime Unit officers in early June on suspicion of serious offenses under the Computer Misuse Act. At his first court hearing the week of August 15, prosecutors claimed the man repeatedly hacked into what was described as a "Facebook puzzle server" between April 27 and May 9. The company uses such servers to issue challenges to programmers. The man's intrusions has led to service disruptions. The man also attempted to hack a server running the mailman mailing list software April 29. The company used the server for both internal and external purposes. The week of May 2, the man hacked into a so-called Facebook phabricator server that is designed to help developers design games and other apps. The prosecution also claims the suspect "made, adapted, supplied or offered to supply" a program that hacked this Phabricator server. Source: http://news.softpedia.com/news/UK-Man-Accused-of-Attacking-Multiple-Facebook-Servers-217675.shtml

44. August 19, Softpedia – (International) Fake inter-company invoice e-mails carry malware. Security experts warn of a new wave of e-mails carrying malicious attachments and posing as invoices from various companies. The subject of the rogue e-mails says: "Re: Inter-company inv. from [company name]" or "Re: Corp. invoice from [company name]." Beazer Homes, KPMG, Miltek, Kraft Foods, and Safeco are some of the companies named in the fake messages. The attachments bear names such as Inv._08.8_D7.zip, Corpinvoice_08.10_N47.zip, or Invoice_08.4_D6.zip, and contain trojan installers. Security vendors have reported a huge spike in the quantity of spam e-mails with malicious attachments since the beginning of August. Source: http://news.softpedia.com/news/Fake-Inter-Company-Invoice-Emails-Carry-Malware-217673.shtml

For more stories, see items 15 and 16 above in the Banking and Finance Sector and 46 below in the Communications Sector.

Communications Sector

45. August 19, Aviation Week – (International) ViaSat-1 launch delays ripple around globe. An anomaly on a satellite launched by Telesat Canada in May is having a ripple effect through the global satellite industry, delaying a mid-summer launch of the $400 million ViaSat-1 satellite to September, and gumming up International Launch Services’ (ILS) busy manifest. Broadband-service provider ViaSat’s cutting-edge Ka-band satellite was slated to blast off in April from Baikonur Cosmodrome, Kazakhstan, and begin commercial operations this summer. But the launch was delayed when manufacturer Space Systems/Loral (SS/L) discovered a ruptured hydraulic line had leaked fluid onto the ViaSat-1 spacecraft, prompting the Palo Alto, California-based company to push the launch date while it cleaned and retested the 130-Gbps broadband satellite. A second delay occurred when a solar array onboard Telesat’s Telstar 14R communications satellite failed to fully deploy in orbit following its May 21 launch. Like ViaSat-1, Telstar 14R was built by SS/L, and the two spacecraft share a number of solar-array elements. When the company convened a failure review board to investigate the on-orbit malfunction, subsequent inspections and testing of similar satellites built by SS/L, including ViaSat-1, forced ILS to disrupt its launch schedule. Source: http://www.aviationweek.com/aw/generic/story.jsp?id=news/awst/2011/08/15/AW_08_15_2011_p38-357929.xml&headline=ViaSat-1 Launch Delays Ripple Around Globe&channel=space

46. August 18, Sophos Naked Security – (International) Twitter is not charging in October, there is no petition, you’re being phished. Another scam to steal Twitter users credentials was making the rounds August 18. The tweets being sent out read "Twitter might start to charge in October, sign this petition to keep the service free! -URL-." The official Twitter account, @safety, has warned people about the threat and it appears that the Twitter team is having partial success extinguishing this one. The site is a near perfect duplicate of the real Twitter log-in site, and it masquerades as a message that user's session has timed out. The fake message requires users to "reauthenticate" and hand over identification information "immediately." Source: http://nakedsecurity.sophos.com/2011/08/18/twitter-is-not-charging-in-october-there-is-no-petition-youre-being-phished/

For more stories, see items 39, 41, and 42 above in the Information Technology Sector