Wednesday, January 18, 2012

Complete DHS Daily Report for January 18, 2012

Daily Report

Top Stories

• Many of the 146 people sickened with norovirus in Wheeling, Illinois, may have been exposed at Bob Chinn’s Crab House, the Cook County Health Department said. – Food Safety News (See item 25)

25. January 14, Food Safety News – (Illinois) 146 norovirus cases linked to Illinois restaurant. Many of the 146 people sickened with norovirus in Wheeling, Illinois, may have been exposed at Bob Chinn’s Crab House, the Cook County Health Department said January 13. Bob Chinn’s, which bills itself as the nation’s fourth busiest restaurant, closed its doors January 10 after receiving complaints from customers who said they had become sick, and then reopened January 11. “We worked with the [Cook County Department of] Public Health to clean and sanitize the restaurant,” said a restaurant spokesman. “We’ve satisfied all of the requirements, and they’ve allowed us to reopen.” A health department spokeswoman said her agency received dozens of calls from people who said they became sick after eating at the restaurant, but that it is unclear whether the eatery is the source of illness in all of those cases. Source:

• Popular online shoe retailer said January 15 that hackers accessed its network and stole account information from as many as 24 million customers. – Fox News (See item 52)

52. January 16, Fox News – (International) Hackers zap Zappos: Info from 24 million users stolen. Popular online shoe retailer said January 15 that hackers accessed its network and stole account information from as many as 24 million customers. Credit card information was not stolen, the company CEO said in a statement sent to users, but e-mail addresses, billing, and shipping addresses, phone numbers, the last four digits from credit cards — and more — may have been compromised. The company said it already reset the passwords for existing customers to prevent abuse of the stolen data. Source:


Banking and Finance Sector

9. January 16, Reuters – (International) Israel rattled as hackers hit bourse, banks, El Al. Hackers disrupted online access to the Tel Aviv Stock Exchange (TASE), El Al Airlines, and three banks January 16 in what the government described as a cyber-offensive against Israel. The attacks came just days after an unidentified hacker, proclaiming Palestinian sympathies, posted the details of thousands of Israeli credit card holders and other personal information on the Internet in a mass theft. Stock trading and El Al flights operated normally despite the disruption, which occurred as Israeli media reported pro-Palestinian hackers had threatened to shut down the TASE stock exchange and airline Web sites. While apparently confined to areas causing only limited inconvenience, the attacks caused particular alarm in a country that depends on high-tech systems for much of its defense against hostile neighbors. Officials insisted, however, that they pose no immediate security threat. The First International Bank of Israel (FIBI) and two subsidiary banks, Massad and Otzar Hahayal, said their marketing sites had been hacked but that sites providing online services to clients were unaffected. Israel’s third-largest bank, Discount, said it had been spared attack, but that it was temporarily shutting down foreign access to its Web site as a precaution. The Tel Aviv bourse Web site could only be accessed intermittently, but screen-based trading was not hit. There was no claim of responsibility for the incidents. Source:

10. January 16, – (New Jersey) PSE&G warns about payment scam targeted to Spanish-speaking customers. Public Service Electric and Gas Company (PSE&G) is alerting its customers not to be defrauded by a scam in which individuals misrepresenting themselves as PSE&G employees threaten to turn off electric and gas service if payment is not made to them that day, reported January 16. The scam involves payments using Green Dot MoneyPaks and seems to be targeting Hispanic neighborhoods in PSE&G’s service territory. A Spanish-speaking individual pretending to be a PSE&G employee calls customers saying they “work for PSE&G in the disconnect collection department.” They tell customers their account is in arrears and their utility service will be discontinued unless they make a payment using a prepaid debit card. Customers are told to purchase a Green Dot MoneyPak at any convenience store, use cash to put money onto the card, and then provide the number on the card to the person who called them. Customers are advised that if they do not immediately call back and provide the MoneyPak information, their service will be turned off that day. Typically, after the customer provides that MoneyPak number, the scammer transfers the funds to a prepaid card, and cashes it in at an ATM. PSE&G is working with law enforcement to investigate the matter, and is also reaching out to its contacts at local community service agencies asking them to spread the word to their clients. The Better Business Bureau also is warning customers to be on guard for a rising tide of scams involving MoneyPaks, which can be used to fund PayPal accounts and to pay phone, cable, or other utility bills, or credit card bills. Source:

11. January 13, Courthouse News Service – (Texas) Oilman pleads guilty to securities fraud. An oil company executive pleaded guilty in a Dallas court to felonies in his operation of Western Pipeline Corp., federal prosecutors said the week of January 9. He was the fifth defendant convicted in the case. He pleaded guilty to conspiracy to commit securities fraud and to securities fraud. He faces up to 5 years in prison and a $250,000 fine on each count. He was majority owner of Western Pipeline from October 2006 to July 2007. He raised money from investors by selling, and causing others, including four co-conspirators, to sell, investments in purported oil and gas development projects, the U.S. attorney’s office said in a statement announcing the plea. Prosecutors said the owner and his co-conspirators misled, deceived, and defrauded investors by misrepresenting and failing to disclose material facts. The co-conspirators assumed false identities when communicating with prospective investors and posed as investors in past Western Pipeline oil and gas development projects that supposedly had been successful. The co-conspirators have all pleaded guilty to securities fraud or conspiracy charges, the U.S. attorney’s office said. In 2008, investors sued Western Pipeline and several of the co-defendants in Dallas County Court, claiming they had been swindled out of $18 million. Source:

12. January 13, New York Times – (National) Ex-S.E.C. official settles conflict-of-interest case. A former enforcement official for the Securities and Exchange Commission (SEC) who was accused of blocking or closing at least three investigations into the activities of the Stanford Financial Group, which authorities claim was a $7 billion Ponzi scheme, has settled civil charges brought by the Justice Department accusing him of violating conflict-of-interest rules by later representing Stanford before the commission, the New York Times reported January 13. A U.S. attorney in Texas announced January 13 that the former official, who from 1998 to 2005 served as the enforcement director for the SEC’s Fort Worth, Texas regional office, had agreed to a civil settlement that would result in payment of a $50,000 fine. That is the maximum fine for a violation of federal conflict-of-interest rules. A separate civil case involving the employee continues at the SEC. Government officials said at a Congressional hearing last May the official was the subject of a criminal investigation into his work for Stanford, which was also the subject of much of a 150-page report by the SEC’s inspector general issued in March 2010. That report found he frequently discouraged or halted further investigation into Stanford Financial by SEC staff, and that he subsequently represented the firm in talks with SEC officials about other or continuing investigations. Source:

13. January 13, U.S. Department of Justice – (Florida) Altamonte Springs man convicted of bank fraud. A U.S. attorney announced January 13 that a federal jury in Florida on January 11 found a man guilty of one count of conspiracy to commit bank fraud, six counts of bank fraud, and one count of making a false statement. He faces a maximum penalty of 30 years in prison. According to evidence, the members of the conspiracy set up bank accounts over the Internet using stolen identities. Those accounts were then funded by unauthorized wire transfers made from accounts at other banks. Before the banks could detect the scheme, the conspirators sent the fraud proceeds to accounts in central Florida either by wire transfer or by a check that would be deposited. The defendant participated in the scheme by withdrawing some of the fraud proceeds into a central Florida bank account. He also recruited other individuals in central Florida to provide their bank accounts to be used for receipt of the proceeds from the scheme. After funds were transferred to those accounts, he took the individuals he recruited to multiple bank locations and, over the course of several days, supervised them in the withdrawal of thousands of dollars in fraudulent proceeds. The six bank fraud counts represent more than $396,000 in fraudulent transactions. Two men connected to the scheme have each pleaded guilty to one count of conspiracy to commit wire and bank fraud, and one count of aggravated identity theft. Source:

For more stories, see items 46 below in the Information Technology Sector and 52 above in Top Stories

Information Technology

43. January 17, H Security – (International) Apache Tomcat developers advise updates to avoid DoS. The Apache Tomcat developers are advising users of the 7.0.x, 6.0.x, and 5.5.x branches of the Java servlet and JSP container to update to the latest released versions 7.0.23, 6.0.35, and 5.5.35. Recent investigations revealed inefficiencies in how large numbers of parameters and parameter values were handled by Tomcat. Analysis of the recent hash collision denial-of-service vulnerability allowed the developers to identify “unrelated inefficiencies” which could be exploited by a specially crafted request, causing large amounts of CPU to be consumed. To address the issue, the developers modified the code to efficiently process large numbers of parameters and values. Source:

44. January 16, H Security – (International) Critical hole in McAfee products still open after more than 180 days. Zero Day Initiative (ZDI) released information on a security problem in McAfee’s Security-as-a-Service (SaaS) products. The vulnerability broker said it told McAfee about the hole in April 2011, and it has now decided to publicly release the information because the vendor still has not provided a patch. The flaw is contained in the myCIOScn.dll program library. In this library, the MyCioScan.Scan.ShowReport() method insufficiently filters user input and executes embedded commands within the context of the browser. The flaw can be exploited when a user opens a specially crafted file or Web page. ZDI rates the issue as very severe and has given it a CVSS score of 9 (the maximum severity is 10). ZDI’s advisory does not state exactly which products are affected. McAfee’s range of SaaS products includes “SaaS Email Encryption” for encrypting e-mails, and “Vulnerability Assessment SaaS,” which checks software for potential vulnerabilities. Source:

45. January 16, H Security – (International) Linux developers fix a homemade network problem. Linux kernels 3.0.17, 3.1.9, and 3.2.1 fix a problem with the handling of IGMP packets that was introduced with updates in Linux 2.6.36. An IGMPv3 protocol packet being processed soon after the processing of an IGMPv2 packet could lead to a system crash caused by a kernel panic. On January 6, a researcher reported strange crashes of his Linux notebook in the Debian bug database. A Debian developer found the problem was caused by a division by 0 that can occur with IGMP packets that have a Maximum Response Time of 0. As a result, Linux systems running a kernel version from 2.6.36 or later, up until the patched versions, can be crashed remotely using certain IGMP packets if a program has registered to receive multicast packets from the network. Typical examples of such programs include the avahi mDNS server or media players, such as VLC, that support RTP. Active attacks should technically only be possible within local networks, because IGMP broadcasts are usually not routed beyond network boundaries. However, the Debian developer pointed out that particular unicast packets may serve for attacks via the Internet unless they are blocked by a firewall. Now that a fix has been released, distributors should soon offer updated kernel packages that no longer contain the vulnerability. Source:
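The division-by-zero mechanism described in item 45, as an added illustration that is not the kernel's own code: a simplified model of how an IGMPv3 query's Max Resp Code becomes a report delay and why a code of 0 is fatal without a guard. The Max Resp Code decoding follows RFC 3376; the tick rate HZ, the helper names, and the clamp-to-1 guard are assumptions of this example, and the model does not reproduce why the IGMPv2-then-IGMPv3 sequencing matters.

```c
/* Added example (not the Linux kernel's code): models the IGMP query
 * delay computation and the zero-delay guard. Assumptions: HZ tick rate,
 * helper names, and the clamp-to-1 guard. */
#include <stdint.h>
#include <stdio.h>

#define HZ 1000              /* assumed timer tick rate (jiffies per second) */
#define IGMP_TIMER_SCALE 10  /* Max Resp Time is carried in 1/10 second units */

/* Decode an IGMPv3 Max Resp Code into tenths of a second (RFC 3376 4.1.1):
 * values below 128 are literal; otherwise a 3-bit exponent and a 4-bit
 * mantissa encode (mant | 0x10) << (exp + 3). */
unsigned int igmpv3_max_resp_time(uint8_t code)
{
    if (code < 128)
        return code;
    unsigned int mant = code & 0x0f;
    unsigned int exp = (code >> 4) & 0x07;
    return (mant | 0x10) << (exp + 3);
}

/* Convert a Max Resp Code into the maximum report delay in jiffies.
 * A query carrying a Maximum Response Time of 0 yields 0 here, which is
 * the value that later feeds a modulo operation. */
unsigned int max_delay_jiffies(uint8_t code)
{
    return igmpv3_max_resp_time(code) * (HZ / IGMP_TIMER_SCALE);
}

/* Pick a random report delay in [0, max_delay). Without the guard, the
 * modulo is a division by zero whenever max_delay is 0; in kernel context
 * that is a panic rather than a recoverable fault. The guard clamps the
 * divisor to at least 1 so a zero-time query simply reports at once. */
unsigned int pick_report_delay(unsigned int max_delay, unsigned int rnd)
{
    if (max_delay == 0)
        max_delay = 1;          /* guard: never take a modulo by zero */
    return rnd % max_delay;
}

/* Returns 1 if an unguarded delay computation for this code would divide
 * by zero, i.e. the query is one a patched kernel must clamp. */
int query_needs_guard(uint8_t code)
{
    return max_delay_jiffies(code) == 0;
}

int main(void)
{
    uint8_t codes[] = { 0x00, 0x64, 0x80, 0xff };
    for (size_t i = 0; i < sizeof codes; i++)
        printf("code 0x%02x -> %u jiffies, guard needed: %d\n", codes[i],
               max_delay_jiffies(codes[i]), query_needs_guard(codes[i]));
    return 0;
}
```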

46. January 13, IDG News Service – (International) Facebook chat phishing attack impersonates Facebook security team. A new phishing attack spreading through Facebook chat modifies hijacked accounts to impersonate the social network’s security team. The attackers replace the profile picture of compromised accounts with the Facebook logo and change their names to a variation of “Facebook Security” written with special Unicode characters, said a Kaspersky Lab expert. Facebook claims changing the profile name can take up to 24 hours and is subject to confirmation. However, in the expert’s tests the change occurred almost instantly and required only the password. This was also confirmed by a victim whose profile name was modified within 5 minutes of their account being compromised, he said. After the victim’s profile name and picture get changed, the attackers send out a chat message to all of their contacts informing them their accounts will be suspended unless they re-confirm their information. The rogue messages appear to be signed by “The Facebook Team” and contain a link to a phishing page hosted on an external domain. The Web page mimics Facebook’s design and asks for name, e-mail, password, security question, country, birth date, and other information needed to hijack the account. However, the attack does not stop there. According to the expert, a second form asks users for their credit card details and billing address. This is unusual for Facebook phishing attacks, the majority of which target only social networking account information. Source:

47. January 13, Infosecurity – (International) Open Automation Software plugs DoS flaw in ICS application. Open Automation Software issued a patch for a vulnerability in its OPC Systems.NET industrial control system application that could be used for a denial of service attack. The vulnerability is remotely exploitable by sending a malformed .NET remote procedure call packet to cause a denial of service through Port 58723/TCP, explained the U.S. Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in an advisory. All versions of OPC Systems.NET prior to version 5.0 are affected. There are public exploits that target this vulnerability, which requires a moderate skill level to exploit, the advisory said. OPC Systems.NET is a human-machine interface application deployed across several sectors, including manufacturing, information technology, energy, water and wastewater, defense, and others. A researcher publicly reported the vulnerability in OPC Systems.NET along with proof-of-concept exploit code. This report was released without coordination with Open Automation Software, ICS-CERT, or any other coordinating entity known to ICS-CERT, the advisory noted. ICS-CERT worked with Open Automation Software to fix the security hole, a fix which the researcher confirmed is effective, the advisory said. Source:

48. January 13, – (International) Popular live-blogging site says data files were breached. CoveritLive, a popular, Web-based live-blogging program used worldwide, said January 13 it discovered “certain proprietary data files” of its users “were accessed without authorization,” but “no financial account information has been compromised. We have not yet determined if, or to what extent, CoveritLive account information (i.e., user names, email addresses and/or passwords) was accessed,” Demand Media, which bought CoveritLive in 2011, said in an e-mail to its users. Those users include bloggers, journalists, and mainstream media organizations, including,, ESPN, and the BBC. Many people use CoveritLive’s free services, but there are premium accounts. Live-blogged events hosted by CoveritLive draw more than 60 million people every month, the company says, 60 percent of whom are from outside the United States. CoveritLive said the files were breached “starting on or about” January 7, and an investigation is “ongoing.” In the meantime, as a “precautionary measure,” all users were asked to re-set their passwords January 14. Source:

49. January 13, Threatpost – (International) Smashing the Linux heap. A researcher found there is a heap allocator in the Linux kernel that is extremely exploitable. The security consultant at Virtual Security Research, who does work on Linux kernel research, investigated heap allocators in the operating system’s kernel. There are three main allocators: SLUB, SLAB, and SLOB. The researcher focused on SLOB, mainly because there has not been as much research done on it. In a talk at the Infiltrate conference, the researcher said he found virtually nothing in the way of methods to mitigate exploit attempts. SLOB is mainly used in embedded systems, favored there because of its small footprint, he said. Any given system will only have one allocator, and SLOB is used in Linux systems on many routers and switches and also in some firmware systems. In his talk, he presented several possible overflow scenarios that could be exploitable, ranging from the simple to the highly complex. Source:

For more stories, see items 9 above in the Banking and Finance Sector, 50 below in the Communications Sector and 52 above in Top Stories

Communications Sector

50. January 17, H Security – (International) T-Mobile USA hacked. A group of hackers that goes by the name “TeaMp0isoN” claims to have obtained access credentials belonging to staff at US Deutsche Telekom subsidiary T-Mobile USA, H Security reported January 17. To back up their claim, the hackers posted data to the Pastebin anonymous text hosting service. One member of the group told Softpedia the hack involved exploiting SQL injection vulnerabilities on the and Web sites. According to T-Mobile, the problem was limited to the T-Mobile USA newsroom. This would limit the scale of any problems arising as a result: the intruders may be able to publish fake press releases. Based on the information provided, private customer data was never at risk. Most of the passwords consist of a simple six-digit number composed of a three-digit number repeated, such as “112112.” T-Mobile USA said it has now fixed the vulnerabilities. Source:

51. January 13, IDG News Service – (National) Federal body concludes LightSquared can’t work with GPS. A key federal agency involved in testing the proposed LightSquared Long-Term Evolution (LTE) network has concluded there is no practical way to solve interference between that network and the Global Positioning System (GPS), possibly dealing a crippling blow to the startup carrier’s hopes for a terrestrial mobile network. In a memo released January 13, the National Space-Based Positioning, Navigation, and Timing Executive Committee (PNT ExComm) said the nine federal agencies that make up the body had concluded unanimously that none of LightSquared’s proposals would overcome significant interference with GPS. LightSquared in 2010 received a waiver from the Federal Communications Commission (FCC) allowing it to operate a terrestrial LTE network on frequencies that have until now been devoted to much weaker satellite signals. The PNT ExComm has been involved in testing and results analysis at the request of the FCC and the National Telecommunications and Information Administration (NTIA). Both the original and modified proposals by LightSquared would cause harmful interference to many GPS receivers, the PNT ExComm chairs said in the memo. The agency also said a Federal Aviation Administration analysis had concluded the network would be incompatible with aircraft safety systems. Source:

For another story, see item 46 above in the Information Technology Sector