Wednesday, January 4, 2012

Complete DHS Daily Report for January 4, 2012

Daily Report

Top Stories

• Multi-car pileups in 3 states caused by snow squalls damaged hundreds of vehicles and injured more than 20 people. – CBS (See item 17)

17. January 3, CBS; Associated Press - (National) Snow wreaks havoc: Multi-car pileups in 3 states. Multi-car pileups in 3 states on a snowy January 3 injured more than 20 people and temporarily shut major highways. Police said 8 people were hurt in a 41-vehicle pileup that shut southbound Interstate 75 for hours when scattered snow showers pelted northern Kentucky. Kentucky's Kenton County police department said six of the injured were taken to hospitals, but none of the injuries were life-threatening. It said cars and other vehicles collided on southbound lanes just south of Cincinnati, Ohio. Police said 23 vehicles had to be towed before southbound lanes reopened. Authorities said the cause is under investigation. Authorities in western Pennsylvania are blaming a snow squall for a 21-car pileup that closed Interstate 80 for about 8 hours. The eastbound lanes reopened late January 2 after crews cleaned up the crash involving six tractor-trailers and 15 other vehicles in the Washington Township area of Jefferson County. Seventeen people were reported injured. State police said several of those injured were in serious condition. The Jefferson County emergency management director said a tanker carrying liquid nitrogen was involved but no spill occurred. A burst of snow across central Indiana January 2 caused multi-car pileups that temporarily closed three major highways around Indianapolis. A 12-vehicle crash closed all eastbound lanes of Interstate 70 on the city's east side. Crashes also closed the eastbound lanes of Interstate 465 on the south side and southbound lanes of Interstate 65. All three highways opened to traffic again later January 3, state police said. Indiana State Police troopers worked more than 80 crashes around Indianapolis over about 4 hours.

Source: http://www.cbsnews.com/8301-500202_162-57351125/snow-wreaks-havoc-multi-car-pileups-in-3-states/

• Authorities arrested a German man January 2 in connection with dozens of suspected arson attacks that destroyed parked cars, scorched buildings, and rattled much of Los Angeles. – Associated Press (See item 41)

41. January 3, Associated Press - (California) 24-year-old arrested in Los Angeles arson spree. Authorities arrested a German man January 2 in connection with dozens of suspected arson attacks that destroyed parked cars, scorched buildings, and rattled much of Los Angeles over the New Year's weekend. The suspect was booked for investigation of arson of an inhabited dwelling and was being held without bail, authorities said. The suspect is a German national, but authorities said they did not know how long he has been in the United States. Fires were reported in nearly two dozen locations in Hollywood and the neighboring city of West Hollywood during a 4-hour period before dawn December 30. In nearly every case, the fire started in a parked car. Several more cars burned December 31 in the North Hollywood area, and authorities investigated whether they were connected. More than 50 blazes had flared since December 30 in Hollywood, neighboring West Hollywood, and the San Fernando Valley, causing about $3 million in damage. Firefighters have not responded to any other suspicious fires since the suspect was detained. The fires forced many apartment dwellers from their homes. One of the fires December 31 occurred at the Hollywood and Highland entertainment complex, a popular tourist destination bordered by the Walk of Fame in a neighborhood that includes Grauman's Chinese Theatre. Hundreds of investigators, police officers, and firefighters raced to deal with the fires.

Source: http://www.foxnews.com/us/2012/01/02/la-authorities-respond-to-as-many-as-eight-new-fires-amid-arson-spree/

Details

Banking and Finance Sector

12. January 3, KDAF 33 Dallas - (Texas) North Texas police search for "Handsome Guy Bandit" bank robber. Police said a suspected bank robber is on the run after he fired shots at an officer December 31 following a robbery at the Compass Bank in Richardson, Texas. The man, known as the "Handsome Guy Bandit," is accused of robbing half a dozen banks in the North Texas area. He got the name "Handsome Guy Bandit" because of the realistic-looking mask covering his head during robberies.

Source: http://www.the33tv.com/news/kdaf-north-texas-police-search-for-handsome-guy-bank-robber-20120103,0,441189.story

13. January 3, Legal Newsline - (National) Financial services firm pleads guilty to municipal bond fraud. Beverly Hills, California-based Rubin/Chambers, Dunhill Insurance Services (also known as CDR Financial Products), and its founder and owner pleaded guilty December 30 to bid-rigging and fraud conspiracies involving the investment of municipal bond proceeds and other related municipal finance contracts. CDR and its founder pleaded guilty to participating in separate bid-rigging and fraud conspiracies with various financial institutions and insurance companies and their representatives. They offered a type of contract, known as an investment agreement, to state, county, and local governments and agencies across the country. CDR was hired to act as a broker and conduct a supposedly competitive bidding process for contracts for investing municipal bond proceeds. The firm's founder admitted that, from 1998 until 2006, he and other co-conspirators supplied information to providers to help them win bids, solicited intentionally losing bids, and signed certifications that contained false statements regarding whether the bidding process for certain investment agreements complied with relevant Treasury Regulations, the announcement said. He also admitted he and other co-conspirators solicited fees from providers, which were in fact payments to CDR for rigging or manipulating bids for certain investment agreements so a particular provider would win that agreement at an artificially determined price.

Source: http://www.legalnewsline.com/news/234784-financial-services-firm-pleads-guilty-to-municipal-bond-fraud

14. December 31, San Gabriel Valley Tribune - (California) Puffy Coat Bandit robs bank in Glendora. A serial bank robber dubbed the "Puffy Coat Bandit" robbed a Union Bank in Glendora, California, January 30, authorities said. A Glendora police lieutenant said the suspect presented a note demanding money to one of the tellers. He also simulated having a weapon during the heist. The suspect took the cash and left. The robber was believed to be a serial bandit the FBI is calling the "Puffy Coat Bandit" due to the ski jacket-type outerwear he has sported during several area heists in recent weeks, an FBI spokeswoman said. The bandit has been linked to three other bank robberies since December 20. They include: a December 28 robbery at Mission Oaks Bank in Lake Elsinore; a December 22 heist at Premier Services Bank in Corona; and a December 20 robbery at U.S. Bank in Chino.

Source: http://www.sgvtribune.com/technology/ci_19649129

15. December 31, DoD Live - (International) Aggressive phishing attack targets military. A phishing attack is making the rounds in an e-mail that appears to be from USAA, a financial services company that serves military members, their families, and veterans, DoD Live reported December 31. The e-mail subject begins with "Deposit Posted." Members are asked to open an attached file infected with Zeus. Once opened, it installs malware that could provide access to personal information and may require a complete reinstall of the computer's operating system.

Source: http://www.dodlive.mil/index.php/2011/12/aggressive-phishing-attack-targets-military/

Information Technology

36. December 30, Softpedia - Stuxnet, Duqu and others created with Tilded platform by the same team. After an extensive analysis of a large number of Stuxnet and Duqu drivers, Kaspersky Lab experts concluded the two trojans, along with other pieces of malware, were created by the same team using a platform called Tilded, built around 2007-2008. They believe Tilded (so named because its authors tend to use file names that start with a tilde followed by the letter d, i.e. "~d") was used to create the two now-infamous trojans, which may have been the results of simultaneous projects. The details indicate other spyware modules and programs are based on the same platform. Researchers now present a precise timeline that shows the connection between Duqu and Stuxnet and also the evolution of their drivers from one year to the next. Their studies show a driver called jmidebs.sys is the connecting link between mrxcls.sys and the drivers later used in Duqu. "The drivers from the still unknown malicious programs cannot be attributed to activity of the Stuxnet and Duqu Trojans. The methods of dissemination of Stuxnet would have brought about a large number of infections with these drivers; and they can't be attributed either to the more targeted Duqu Trojan due to the compilation date," the chief security expert at Kaspersky Lab said. "We consider that these drivers were used either in an earlier version of Duqu, or for infection with completely different malicious programs, which moreover have the same platform and, it is likely, a single creator-team." In mid-2010, Tilded went through some changes that may have resulted from the need to better avoid detection by antivirus software, but also because its code could be improved.

Source: http://news.softpedia.com/news/Stuxnet-Duqu-and-Others-Created-with-Tilded-Platform-by-the-Same-Team-243874.shtml

37. December 30, Softpedia - Microsoft releases security update for DoS issue in ASP.NET. Microsoft rushed to release an out-of-band security update to resolve a denial-of-service (DoS) issue that affected ASP.NET versions 1.1 and later on all supported variants of the .NET framework. A large number of Web platforms are affected by the hash collision problem, but the company was among the first to act on it. The MS11-100 security bulletin fixes a vulnerability in the way ASP.NET hashes specially crafted requests: the hash collisions that occur when malicious data is inserted into hash tables can overwhelm a server's CPU, resulting in a DoS condition. Other weaknesses are also resolved in the update. A spoofing vulnerability in the way return URLs are verified during the forms authentication process could be used for phishing: by exploiting this flaw, an attacker can redirect a user to a malicious Web site set up to obtain private data. An authentication bypass vulnerability in ASP.NET forms is more difficult to exploit, but if an attacker manages to register an account on the application and knows the name of the targeted account, he could use a special Web request to initiate any action, including code execution, using the targeted account. Finally, an authentication ticket caching weakness allows a cybercriminal to execute arbitrary code due to the way the framework handles cached content when Forms Authentication is used with sliding expiry. Combined with some social engineering, an attacker could send potential victims with elevated privileges a specially crafted link. Microsoft is not aware of any attacks in the wild using these vulnerabilities, but to prevent any incidents, users are advised to install the update.

Source: http://news.softpedia.com/news/Microsoft-Releases-Security-Update-for-DoS-Issue-in-ASP-NET-243764.shtml
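The hash-collision DoS in item 37 works because a request parser inserts attacker-chosen field names into a hash table, and names that all hash to one bucket turn each insert into a linear scan. The two standard mitigations are a hard cap on the number of fields accepted per request, so the work an attacker can force is bounded no matter how the names hash, and a keyed (randomized) hash so that bucket placement cannot be predicted offline. The block below is an added example written for this report in Python rather than .NET; it is not Microsoft's code, the 1000-field cap and all names are constructed, and the keyed table is a toy that only illustrates the placement property.

```python
"""Added example: two mitigations for the hash-collision DoS class that
MS11-100 addressed in ASP.NET, shown in Python. Names and limits are
constructed for illustration; nothing here is Microsoft's code."""
import secrets
from hashlib import blake2b
from typing import Optional
from urllib.parse import parse_qsl

# Constructed cap on form fields per request. A cap like this bounds the work
# one request can force regardless of how the field names hash.
MAX_FORM_KEYS = 1000


def parse_form(body: str, max_keys: int = MAX_FORM_KEYS) -> dict:
    """Parse an application/x-www-form-urlencoded body, refusing oversized
    bodies before any field is inserted into a dictionary.

    Counting separators first keeps the rejection path at a single linear scan
    of the body. parse_qsl's own max_num_fields (a stdlib defence against the
    same attack class) is kept as a second check."""
    if body.count("&") + 1 > max_keys:
        raise ValueError(f"form body has more than {max_keys} fields")
    return dict(parse_qsl(body, keep_blank_values=True, max_num_fields=max_keys))


class KeyedBucketTable:
    """Toy separate-chaining table whose bucket index is a keyed hash.

    The secret is drawn at construction time, so an attacker who knows the
    algorithm still cannot precompute names that share a bucket. This is the
    idea behind randomized string hashing in modern runtimes."""

    def __init__(self, nbuckets: int = 256, secret: Optional[bytes] = None):
        self.secret = secret if secret is not None else secrets.token_bytes(16)
        self.buckets = [[] for _ in range(nbuckets)]

    def bucket_of(self, key: str) -> int:
        digest = blake2b(key.encode(), key=self.secret, digest_size=8).digest()
        return int.from_bytes(digest, "big") % len(self.buckets)

    def insert(self, key: str, value) -> None:
        chain = self.buckets[self.bucket_of(key)]
        for i, (k, _) in enumerate(chain):
            if k == key:
                chain[i] = (key, value)  # overwrite an existing entry
                return
        chain.append((key, value))

    def get(self, key: str):
        for k, v in self.buckets[self.bucket_of(key)]:
            if k == key:
                return v
        raise KeyError(key)

    def longest_chain(self) -> int:
        """Worst-case probe length; the quantity a collision attack inflates."""
        return max(len(chain) for chain in self.buckets)


def bucket_agreement(keys, secret_a: bytes, secret_b: bytes, nbuckets: int = 256) -> int:
    """Count keys that land in the same bucket under two different secrets.

    With a keyed hash this stays near len(keys) / nbuckets, i.e. chance, which
    is what makes an offline-computed colliding set useless against a server
    that picked its own secret."""
    table_a = KeyedBucketTable(nbuckets, secret_a)
    table_b = KeyedBucketTable(nbuckets, secret_b)
    return sum(table_a.bucket_of(k) == table_b.bucket_of(k) for k in keys)


if __name__ == "__main__":
    # Constructed inputs: a normal login form and an oversized body.
    print(parse_form("user=alice&pw=secret&remember=1"))
    try:
        parse_form("&".join(f"f{i}=x" for i in range(MAX_FORM_KEYS + 1)))
    except ValueError as err:
        print("rejected:", err)
    names = [f"field{i}" for i in range(2000)]
    table = KeyedBucketTable()
    for name in names:
        table.insert(name, len(name))
    print("longest chain for 2000 names:", table.longest_chain())
    print("same-bucket agreement under two secrets:",
          bucket_agreement(names, secrets.token_bytes(16), secrets.token_bytes(16)))
```

The field cap is the cheap, deterministic control and is the one to deploy first; keyed hashing is what removes the underlying precomputation advantage, and both together are what a request parser should have.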

38. December 30, H Security - Host storage devices vulnerable with KVM Linux virtualization. According to a kernel update advisory by Red Hat, root users in a guest system virtualized with KVM (Kernel-based Virtual Machine) can, in certain circumstances, gain read and write access to the Linux host's storage devices. The advisory said the hole exists when a host makes partitions or LVM volumes available to the guest as raw disks via virtio. Privileged guest users can send SCSI requests to such volumes that the host then executes on the underlying storage device, which allows the guest system to access all areas of the device rather than just the permitted partitions or volumes. The hole has been rated "important" and is listed as CVE-2011-4127. Further background information is available in an entry in Red Hat's bug database and in a blog posting by a Red Hat developer. Meanwhile, kernel developers are discussing the most suitable way to fix the problem; a patch suggested by another Red Hat developer has not met the approval of Linux's developer, who also thinks the patch is too dangerous to be integrated into the Linux main development branch at this point. The main development branch is expected to produce version 3.2 of the Linux kernel in early January.

Source: http://m.h-online.com/security/news/item/Host-storage-devices-vulnerable-with-KVM-Linux-virtualisation-1402022.html
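Until a kernel fix ships, the practical defender's question for item 38 is which guests on a host are configured in the risky way the advisory describes: a partition or LVM volume handed to the guest as a raw block disk. That configuration is visible in each guest's libvirt domain XML (the `virsh dumpxml` output), so it can be audited without touching the guest. The block below is an added example written for this report, not Red Hat's or libvirt's code; the path heuristics, the sample domain XML and all names are constructed, and the heuristics flag any partition or device-mapper path regardless of bus, with the bus reported so the virtio case the advisory names can be picked out.

```python
"""Added example: audit libvirt domain XML for the configuration the Red Hat
advisory for CVE-2011-4127 describes (a host partition or LVM volume exposed
to a guest as a raw block disk). Heuristics and names are constructed; this is
not Red Hat's or libvirt's code."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed heuristics for "sub-device" paths. A whole disk such as /dev/sdb
# is the intended passthrough case; partitions and logical volumes are the
# cases the advisory warns about, because SCSI commands executed on them reach
# the whole underlying device.
PARTITION_RE = re.compile(r"^/dev/(?:[shv]d[a-z]+\d+|nvme\d+n\d+p\d+|mmcblk\d+p\d+)$")
# device-mapper nodes and /dev/<vg>/<lv> paths. /dev/disk/by-*/... has three
# path components below /dev and is deliberately not matched.
LVM_RE = re.compile(r"^/dev/(?:mapper/[^/]+|dm-\d+|[^/]+/[^/]+)$")


def classify_source(dev: str):
    """Return 'partition', 'lvm-or-dm-volume', or None for a whole disk / unknown."""
    if PARTITION_RE.match(dev):
        return "partition"
    if LVM_RE.match(dev):
        return "lvm-or-dm-volume"
    return None


def find_sub_device_disks(domain_xml: str) -> list:
    """List block-backed disks whose host source is a partition or LV.

    Only <disk type='block'> elements are considered; file- and network-backed
    images are outside the advisory's scope."""
    root = ET.fromstring(domain_xml)
    findings = []
    for disk in root.iter("disk"):
        if disk.get("type") != "block":
            continue
        source = disk.find("source")
        target = disk.find("target")
        dev = source.get("dev") if source is not None else None
        if not dev:
            continue
        kind = classify_source(dev)
        if kind is None:
            continue
        findings.append({
            "target": target.get("dev") if target is not None else None,
            "bus": target.get("bus") if target is not None else None,
            "source": dev,
            "kind": kind,
        })
    return findings


# Constructed sample: one whole-disk passthrough (fine), one partition and one
# LV passthrough (flagged), and one qcow2 file image (out of scope).
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>guest1</name>
  <devices>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/sdb'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/sda3'/>
      <target dev='vdb' bus='virtio'/>
    </disk>
    <disk type='block' device='disk'>
      <driver name='qemu' type='raw'/>
      <source dev='/dev/vg0/lv_guest1'/>
      <target dev='vdc' bus='virtio'/>
    </disk>
    <disk type='file' device='disk'>
      <driver name='qemu' type='qcow2'/>
      <source file='/var/lib/libvirt/images/guest1.qcow2'/>
      <target dev='vdd' bus='virtio'/>
    </disk>
  </devices>
</domain>
"""

if __name__ == "__main__":
    # Usage: python audit.py domain.xml   (e.g. saved from `virsh dumpxml NAME`)
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DOMAIN_XML
    for finding in find_sub_device_disks(xml_text):
        print(f"{finding['target']} ({finding['bus']}): {finding['source']} is a {finding['kind']}")
```

A hit means the guest's root user has the SCSI-command path the advisory describes onto a device shared with the host or other guests; the remediation choices the page implies are to back such guests with a whole device or a file image instead, until the kernel fix lands.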

Communications Sector

39. January 3, New York Daily News - (New York) 150 Bronxites still without Verizon service more than two weeks; firm hopes to restore most customers by Tuesday. About 150 Verizon customers in the Bronx, New York, remain without phone and Internet service more than 2 weeks after a contractor's mishap severed underground cables. Some customers regained service December 22 only to lose it again December 28. About 2,500 customers initially lost service December 15 when Kelco Construction Co., a contractor not working for Verizon, cut through nine cables, a Verizon spokesman said. The snafu near Westchester Square affected Verizon users all over the Bronx. Some customers with restored service lost it again during heavy rains because water flowed into open manholes and areas where workers were making repairs. The spokesman said Verizon initially estimated fixing everyone's service would take until mid- to late January. Now nearly everyone is expected to have service by the first week of January.

Source: http://www.nydailynews.com/new-york/bronx/150-bronxites-verizon-service-weeks-firm-hopes-restore-customers-tuesday-article-1.999966

40. January 2, KATU 2 Portland - (Washington) Outage causes more than 1,600 to go without phone service. A power outage January 2 in Washington County, Oregon knocked out phone service to more than 1,600 people. Officials from Frontier Communications said there is a phone outage out of the Aloha Central office. Officials said up to 1,637 customers are currently without phone service. Technicians are working to resolve the situation, but there is no current estimated time of repair. Company officials urged affected residents to find an alternate means of communication, such as a wireless phone, in case they have an emergency and need to call 911.

Source: http://www.katu.com/news/local/Outage-causes-more-than-1600-to-go-without-phone-service-136552473.html