Wednesday, June 20, 2012

Complete DHS Daily Report for June 20, 2012

Daily Report

Top Stories

• Powerful storms in the Minneapolis and St. Paul area cut power to 72,000 residents, downed trees that damaged vehicles and homes, and closed many roads. The storms also impacted drinking water and a water plant, and closed some businesses. – Minneapolis Star Tribune; Associated Press

2. June 19, Minneapolis Star Tribune; Associated Press – (Minnesota) Storms cause headaches across the Twin Cities. About 72,000 residents lost power in the Minneapolis and St. Paul, Minnesota area, June 19 after violent storms rumbled through the area. The powerful storms also knocked out power to the Burnsville water treatment plant, as well as downed trees that fell on homes and vehicles and blocked many streets in Burnsville, Hastings, and Lakeville. Residents in part of West St. Paul were told not to drink their tap water because electrical outages caused low pressure in part of the system, making it easier for harmful bacteria to enter the system. The Burnsville water plant was operating on an emergency generator, and city officials stressed the water was safe for drinking. Xcel Energy said that by the early afternoon it had cut the number of residents without power to 20,500, but noted that some areas of Washington County could take as long as 2 days to receive restored power. The storms also knocked out power to Battle Creek Waterworks, and as a result the water park was closed June 19. Source: http://www.startribune.com/159546515.html

• Thousands of gallons of mineral oil, which helps cool transformers, were stolen from two substations in South Carolina. A Duke Energy spokesman said the company may bolster security measures as a result. – Spartanburg Herald-Journal

4. June 18, Spartanburg Herald-Journal – (South Carolina) Thieves steal thousands of gallons of mineral oil from Duke Energy in Blacksburg. A Duke Energy spokesman said thousands of gallons of mineral oil, which helps cool transformers, were discovered stolen from two locations in South Carolina’s Cherokee County. In the most recent theft, reported June 14, thousands of gallons of oil were stolen from a transformer in Blacksburg. There was also a spill of several hundred gallons, which required cleanup by a contracted hazardous materials crew. The oil did not pose an environmental threat. A theft was reported June 12 from six transformers at a substation adjacent to a vacant manufacturing plant. A spokesman said someone apparently used a large hose, similar to a fire hose, to siphon the gas, likely into a tanker truck. Duke said costs of damage and cleanup are in the thousands. Duke Energy officials are familiar with copper thefts from substations, but mineral oil theft is unusual. The thefts are under investigation by the Cherokee County Sheriff’s Office. “We do have adequate security at our substations,” the Duke spokesman said. “But after this, we will take steps to assess the situation and look at other measures.” Source: http://www.goupstate.com/article/20120618/ARTICLES/120619649?p=all&tc=pgall

• A federal agency found that scores of first responders at New York City’s John F. Kennedy Airport were not qualified to handle emergencies. – DNAinfo.com

20. June 18, DNAinfo.com – (New York; New Jersey) First responders at JFK Airport unqualified to handle emergencies, feds say. A federal agency found scores of first responders at New York City’s John F. Kennedy (JFK) Airport were not qualified to handle emergencies, DNAinfo.com reported June 18. Federal Aviation Administration (FAA) investigators found the overwhelming majority of the nearly 200 cops at JFK either lacked the proper certification to respond to such emergencies or had seen their certifications expire, sources said. The FAA’s revelation forced the Port Authority of New York and New Jersey to pull the unqualified officers and force the certified personnel to work overtime to cover the gaps, sources said. They said similar issues were found at New York City’s LaGuardia and New Jersey’s Newark International Airport, but they were not as severe as the ones found at JFK. The problem at JFK was discovered around April, when the FAA conducted an annual review to determine if the airport had enough properly trained officers to handle any emergency. A spokesman for the FAA said it “is currently reviewing a discrepancy in training records for aircraft rescue and firefighting training at John F. Kennedy International Airport.” Source: http://www.dnainfo.com/new-york/20120618/new-york-city/first-responders-at-jfk-airport-unqualified-handle-emergencies-feds-say

• New evidence suggests a Web site hosting software updates for life-saving medical equipment may have been redirecting visitors to a site distributing attacks and malware for months before the company became aware of the compromise. – Threatpost

30. June 18, Threatpost – (International) Infections at medical device firm lasted for months. New evidence suggests a Web site hosting software updates for life-saving medical equipment was the victim of a massive SQL injection attack and may have been redirecting visitors to a site distributing attacks and malicious software for months before the company became aware of the compromise, Threatpost reported June 18. The Web site viasyshealthcare(dot)com was infected for more than 2 months — from March 23, 2012 to May 31, 2012 — according to data from the anti-spam Web site Clean MX. The length of the compromise makes it likely that CareFusion’s customers — hospitals and other medical offices — were exposed to Web-based attacks when they attempted to download software updates for the firm’s medical devices. Viasyshealthcare(dot)com is a Web property that belongs to health care equipment maker CareFusion and is used to distribute software updates for CareFusion’s Alaris-brand infusion pumps and AVEA, AirLife, and LTV series ventilation and respiratory products. The infection on CareFusion’s software update site was detected after an assistant professor at the University of Massachusetts, Amherst, noticed the Web site offering an update was blocked by Google’s Safe Browsing service because it was distributing malicious content. The assistant professor contacted CareFusion, the Department of Homeland Security (DHS), and the Food and Drug Administration. While the exact source of the attack is unknown, an analysis by DHS revealed CareFusion was lax in updating the software used to host viasyshealthcare(dot)com. Some of CareFusion’s Web sites were relying on 6-year-old versions of ASP.NET and Microsoft Internet Information Services version 6.0, released with Windows Server 2003. Both platforms have known, critical vulnerabilities and are highly susceptible to compromise if not patched and properly managed. DHS’s Industrial Control System Computer Emergency Response Team is working with CareFusion to address the widespread infection. Source: http://threatpost.com/en_us/blogs/infections-medical-device-firm-lasted-months-061812

• Wind-powered wildfires torched hundreds of acres in, and forced the closure of, some state parks, closed many roads, and forced the evacuation of a small hospital on the Hawaiian islands of Maui and Hawaii. – Honolulu Star-Advertiser

46. June 19, Honolulu Star-Advertiser – (Hawaii) Homes damaged, hospital evacuated due to brush fires on Maui, Hawaii Island. Wind-powered wildfires torched hundreds of acres in, and forced the closure of, some state parks, closed many roads, and forced the evacuation of a small hospital on the Hawaiian islands of Maui and Hawaii, June 18. On Maui, residents in Kula were evacuated, said a Maui Fire Department fire services chief. Meanwhile, firefighters from the State Department of Forest and Wildlife battled a separate fire in the Makawao State Forest Reserve above the Kahakapao reservoir near Olinda. About 4 acres were burned, said a State Department of Land and Natural Resources spokeswoman. State officials closed the Kula State Forest Reserve, including Polipoli Spring State Park, due to high winds and the danger of falling trees and branches. About 10 individuals camping at the park or other parts of Haleakala National Park were evacuated. In Hawaii County, more than 50 firefighters were battling fires on two fronts totaling an estimated 650 acres in Pahala, on the southern end of the island, an assistant fire chief said. Mamalahoa Highway was shut down for 7 hours. Firefighters were more concerned about a fire that burned near a community hospital, which was evacuated to the Naalehu Community Center. Source: http://www.staradvertiser.com/news/breaking/159522115.html

Details

Banking and Finance Sector

13. June 19, BankInfoSecurity – (California) Settlement reached in ACH fraud case. A lingering legal dispute over a corporate account takeover incident at an escrow company in Redondo Beach, California finally came to a close, BankInfoSecurity reported June 19. Village View Escrow Inc., which in March 2010 lost nearly $400,000 after its online bank account with Professional Business Bank was taken over by hackers, reached a settlement with the bank for an undisclosed amount, according to Village View’s owner and president. As a result of the settlement, Village View recovered more than the full amount of the funds that had been fraudulently taken from the account, plus interest, the company said in a statement. More details about the settlement were expected to be issued in coming weeks. Source: http://www.bankinfosecurity.com/settlement-reached-in-ach-fraud-case-a-4872

14. June 19, IDG News Service – (International) Fake Android antivirus app likely linked to Zeus banking Trojan, researchers say. A recently discovered fake Android security application is most likely a mobile component of the Zeus banking malware, security researchers from antivirus firm Kaspersky Lab said June 18. Called Android Security Suite Premium, the rogue app is capable of stealing SMS messages and uploading them to a remote server. When launched, the app displays a shield image that has long been associated with Windows fake antivirus programs. However, this might not be a mobile scareware app, but a new variant of ZitMo — Zeus in the Mobile, a Kaspersky Lab senior malware analyst said. ZitMo’s purpose is to steal mobile transaction authorization numbers (mTANs) sent by banks to customers via SMS messages. Without mTANs, fraudsters would not be able to authorize transactions initiated with stolen credentials. The registration information for the domain names where Android Security Suite Premium uploads stolen SMS messages matches the registration information for 2011 Zeus command-and-control domains. This, coupled with the app’s SMS-stealing functionality, makes it likely that this is a new ZitMo version. Source: http://www.networkworld.com/news/2012/061912-fake-android-antivirus-app-likely-260331.html

15. June 18, Federal Bureau of Investigation – (Texas; Alabama) Three Houston men charged in $68M bank fraud. The FBI announced June 18 the indictment of three Houston-area men on federal conspiracy, wire fraud, and bank fraud charges, and a guilty plea by another man to an information charging conspiracy to make a false statement to a bank. Two of the men were senior figures at H and H Worldwide Financial Service Inc., another was an attorney in the Houston area, and the final member was a stockbroker employed by Tri-Star Financial Services. In February 2005, the H and H director began soliciting loans from the Federal Land Bank of South Alabama. He falsely claimed he had a large bond portfolio that could serve as collateral for the loans and submitted documents that concealed his plan to use about half the loan proceeds to purchase the bonds that were going to serve as collateral. The stockbroker provided documents to the bank to support the bond ownership claim. The bank made two loans to H and H totaling $68.5 million. H and H used more than half the money to buy the bonds that were to serve as collateral. A significant amount of the loan proceeds was used for the personal benefit of the conspirators. Source: http://www.loansafe.org/three-houston-men-charged-in-68m-bank-fraud

16. June 18, IDG News Service – (International) Data in possible credit card breach appears to be old. A batch of names, addresses, e-mails, and phone numbers of credit card customers around the world released June 18 indicated a breach of a payment processor, but the data appeared old, IDG News Service reported. A hacker nicknamed “Reckz0r” posted a link to the data dump on Pastebin, and wrote on Twitter that he had “penetrated over 79 large banks” and holds 50GB of data on MasterCard and Visa cardholders. No card numbers were released, however. Attempts to reach some of the U.S. cardholders affected were unsuccessful, since many of the phone numbers were disconnected or incorrect. But another person on the list, in Australia, said the information was very old. The home address published for him is 7 years out of date, and the e-mail address published is at least 4 years old, the man said in a phone interview. The majority of the data appeared to come from U.S. cardholders, although other people listed purportedly live in countries including Egypt, Cambodia, Israel, Turkey, Pakistan, and elsewhere. The data includes only five digits of the credit card numbers and no expiration dates or three-digit security codes. The mix of international addresses indicates the target could have been an international payment processor, according to the head of CloudeyeZ, a security consultancy. Source: http://www.computerworld.com/s/article/9228222/Data_in_possible_credit_card_breach_appears_to_be_old

17. June 18, Legal Times – (International) Feds: Millions of dollars intentionally damaged in criminal scheme. The U.S. Secret Service seized more than $4.24 million in currency that investigators believe was part of a money laundering scheme to acquire new bills in exchange for damaged dollars, the Legal Times reported June 18. Federal investigators said in a search warrant affidavit that more than a dozen packages of money submitted in a 2-year span since 2010 contained bills intentionally damaged through burning and chemical agents. Most of the money came from a bank in Argentina that agents did not identify in court papers unsealed the week of June 11 in U.S. District Court for the District of Columbia. The damaged cash was transmitted to the U.S. Treasury Department’s Bureau of Engraving and Printing, which runs a money replacement program. A Secret Service agent said in an affidavit the currency scheme was an attempt to use the printing bureau’s redemption system as a “money laundering machine.” Investigators said they found two fragments of a single bill in two separate packages, indicating the person wanted to receive, from the federal government, two new bills from one $100 bill. The fragments were identified through the serial number. Some of the bills appeared as if they were damaged by chemical means to make them appear older and more worn than they actually were. Source: http://legaltimes.typepad.com/blt/2012/06/feds-millions-of-dollars-intentionally-damaged-in-criminal-scheme.html

Information Technology Sector

36. June 19, H Security – (International) Joomla 2.5.5 security updates arrives with added features. Joomla! developers released version 2.5.5 of the open source content management system. The new version includes two security updates and fixes several bugs. Joomla! 2.5.5 allows users to copy templates under a new name and modify them later on. A new plugin for user profiles allows administrators to show terms of service agreements and require users to sign off on them. Administrators can also restrict which user names are available and how often users can request to reset their passwords during a given amount of time. Source: http://www.h-online.com/security/news/item/Joomla-2-5-5-security-updates-arrives-with-added-features-1621098.html

37. June 18, Infosecurity – (International) Opera plugs six security holes in latest version of web browser. Opera released version 12 of its Web browser, which includes fixes for six security holes as well as the addition of a Do Not Track feature. Opera fixed the following security issues: hidden keyboard navigation that could allow cross-site scripting or code execution; a combination of clicks and key presses that could lead to cross-site scripting or code execution; cross-domain JSON resources that may be exposed as JavaScript variable data; carefully timed reloads, redirects, and navigation that could spoof the address field; pages that could prevent navigation to a target page, allowing spoofing of the address field; and a “moderate severity issue,” details of which will be disclosed at a “later date.” Source: http://www.infosecurity-magazine.com/view/26405/

For more stories, see items 13, 14, and 16, above in the Banking and Finance Sector and 30 above in Top Stories

Communications Sector

38. June 18, WALB 10 Albany – (Georgia) Thieves steal equipment from Christian radio station. Thieves knocked a Christian radio station in Tifton, Georgia, off the air June 18. They broke into the station and stole thousands of dollars worth of equipment from Hook FM, specifically targeting production equipment and leaving other valuable items behind. There was no sign of forced entry. The station spent several hours off air. Police found the Hook FM vehicle about a mile from the station. The thieves used the vehicle to transport the thousands of dollars in production equipment taken from inside, ranging from cameras to special computers. A popular country station was also hit, the sister station WTIF 107.5, which is located in the same building as Hook FM. Shortly after disc jockeys informed listeners about what happened, a person from Ashburn found some of the equipment behind Ole Times Country Buffet. Employees said it was the only piece of equipment taken that had a Hook FM logo on it. Source: http://www.walb.com/story/18818572/a-tifton-christian-radio-station

For another story, see item 14 above in the Banking and Finance Sector