Wednesday, February 8, 2012

Complete DHS Daily Report for February 8, 2012

Daily Report

Top Stories

• Law enforcement officials believe an organized group is responsible for stealing weapons, including AR-15 assault rifles, bulletproof vests, and ammunition, from patrol cars in several counties in Alabama. – Gadsden Times (See item 31)

31. February 6, Gadsden Times – (Alabama) Patrol cars targeted in break-ins; weapons taken. Law enforcement officials believe an organized group is responsible for stealing weapons, bulletproof vests, and ammunition from several patrol cars in several counties in Alabama, the Gadsden Times reported February 6. At least 11 weapons, including AR-15 assault rifles, were taken from law enforcement vehicles since December 2011, the sheriff said. Seven patrol vehicles were broken into, including five the weekend of February 4. The weapons were stored in the patrol cars’ trunks, and the cars’ windows were broken out to gain access to open the trunk. The vehicles broken into over the weekend were from one side of the county to the other, prompting law enforcement officials to believe the group split up and hit some of the vehicles about the same time. The sheriff said the FBI, the U.S. Bureau of Alcohol, Tobacco, Firearms, and Explosives, and the U.S. Marshals Gulf Coast Regional Fugitive Task Force are assisting in the investigation. Source:

• The Industrial Control Systems Computer Emergency Readiness Team reported many organizations have seen secure shell scans of their Internet-facing control systems, including an electric utility that was hit by brute force attempts against its networks. – Dark Reading. See item 34 below in the Information Technology Sector.


Banking and Finance Sector

9. February 6, Vancouver Columbian – (Washington) Alleged ‘Elmer Fudd’ bank bandit goes to court. An alleged prolific Clark County, Washington robber dubbed the “Elmer Fudd” bandit because of his signature hunting clothes made his first appearance in court February 6. The bandit stands accused of seven robberies in east Vancouver over the past 2 months, while a woman is alleged to have been an accomplice to five. The pair was caught by police February 2 fleeing a Bank of America branch. Police found money and a money tracker on them. During an interview with investigators, the two admitted to the other robberies, a prosecutor said. Police have said the bandit was responsible for robberies in December and January east of Interstate 205 in Vancouver. Source:

10. February 6, Bloomberg – (New York) Ex-Jefferies Paragon Fund manager ordered to pay $8.3 million. An ex-Jefferies Paragon Fund money manager must pay $8.3 million in a U.S. Securities and Exchange Commission (SEC) insider-trading suit, a judge has ruled. The judge granted the SEC summary judgment in a New York district court in a February 3 order, citing the facts proved at an earlier criminal trial. The money manager was accused of illegally trading on inside tips about bids for Albertsons Inc. supplied by an investment banker who was the government’s chief witness in the trial. He was convicted of securities fraud and conspiracy in a scheme that federal authorities said netted more than $7 million in illegal profits. The investment banker, who worked at UBS AG, testified he passed him nonpublic information regarding efforts by Cerberus Capital Management LP, to acquire Albertsons, which was then the second-biggest U.S. grocer. Source:

11. February 6, New York Times – (International) The U.S. President imposes freeze on Iran property in U.S. The White House moved to enforce tightened sanctions against Iran February 6 because of the country’s suspect nuclear program, freezing all property of the Central Bank of Iran, other Iranian financial institutions, and the Iranian government in the United States. The new restrictions also raised new warnings to financial institutions in other nations that they could face big penalties in the United States if they did business with Iran’s central bank. The actions were announced in an executive order signed by the U.S. President that started the enforcement process for a tough measure he signed into law at the end of 2011. In a statement, the White House said the executive order “re-emphasizes this administration’s message to the government of Iran — it will face ever-increasing economic and diplomatic pressure until it addresses the international community’s...concerns regarding the nature of its nuclear program.” Many countries buy oil from Iran through its central bank, and their financial institutions could be blocked from the American market if they continue to do so. Documents accompanying the executive order said foreign financial institutions risked American sanctions “if they engage in certain significant financial transactions” with Iran’s central bank rather than “arms-length” transactions. In a statement, the Treasury Department said the executive order “blocks all property and interests in property of the government of Iran, the Central Bank of Iran and all Iranian financial institutions (regardless of whether the financial institution is part of the government of Iran) that are in the United States, that come within the United States or that come within the possession or control of U.S. persons.” The statement did not further specify the exact properties that apply. Source:

12. February 4, Bradenton Herald – (Florida) Ex-Orion Bank president pleads guilty to bank fraud. The former president of the now defunct Naples, Florida-based Orion Bank, with branches in Manatee and Sarasota counties, pleaded guilty February 3 to conspiracy to commit bank fraud and making false statements to federal regulators. He faces a maximum penalty of 15 years in federal prison. The former president participated in a conspiracy with top Orion executives and a former Orion borrower to mislead state and federal regulators that Orion was in a better capital position than it was in truth and fact, a U.S. attorney said. The conspiracy had two goals: to finance the sale of promissory notes secured by mortgages held by Orion on distressed properties, creating the illusion that non-performing loans were performing loans, and to conceal financing for the sale of Orion Bancorp, Inc., creating the illusion of a legitimate capital infusion into the bank, authorities said. The conspirators accomplished this by falsifying the books and records of Orion, and deceiving state and federal regulators over 7 months from May 2009 until November 2009. As part of the scheme, the president directed executives to increase loans-in-process to nominee entities associated with the borrower, to $82 million, including a $26.5 million line of credit, prosecutors said. Within the lines of credit, the president concealed $15 million of financing for the borrower’s purchase of Orion Bancorp, Inc. stock, despite knowing banking laws and rules prohibited the bank from financing the purchase of its, or its affiliates,’ own stock. Source:

Information Technology

32. February 7, H Security – (International) RealPlayer update closes critical holes. RealNetworks released an update to RealPlayer to close many holes in its media player application. Version 15.02.71 of RealPlayer addresses seven remote code execution vulnerabilities, rated as highly critical by Secunia, which could be exploited by an attacker to compromise a victim’s system. These include errors when processing RMFF Flags, VIDOBJ_START_CODE and RealAudio coded_frame_size, as well as RV10 Encoded Height/Width, RV20 Frame Size Array and RV40 content. A remote code execution problem in Atrac Sample Decoding was also fixed, but is not found in the 15.x.x branch of the media player; this issue affects Mac RealPlayer but is reportedly not found in version Source:

33. February 7, IDG News Service – (International) Anonymous claims to have released source code of Symantec’s pcAnywhere. Hacker group Anonymous claimed February 6 the source code of Symantec’s pcAnywhere was uploaded on The Pirate Bay site. Symantec could not immediately comment on whether the hackers indeed released the source code of its product. Earlier February 6, an e-mail string posted on Pastebin referred to negotiations over payment for the source code between a purported Symantec employee and a person named Yamatough. The name of the hacker is similar to the Twitter handle of YamaTough in Mumbai who is associated with the hacker group, Lords of Dharmaraja, that earlier claimed it had access to the source code of some Symantec products. Source:

34. February 6, Dark Reading – (International) Utilities facing brute-force attack threat. The Industrial Control Systems Computer Emergency Readiness Team (ICS-CERT) reported February 3 that many organizations have been witnessing secure shell (SSH) scans of their Internet-facing control systems, including an electric utility that told ICS-CERT it was hit by some brute force attempts against its networks that were “unsuccessful.” The attackers are probing Port 22/TCP, the default SSH listening port, to look for SSH. Once the attackers get a response from the probe, they can execute a brute-force attack for log-in credentials to acquire remote access. SSH is an attractive attack vector because many control-system devices on networks run it by default. ICS-CERT recommends monitoring network logs for port scans and access attempts. Source:
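One way to act on the monitoring recommendation above, as an added example that is not from ICS-CERT or the report: a detector that parses sshd log lines and flags a source address once it accumulates a threshold of failed log-ins inside a sliding time window, so the same routine catches a fast burst and, with a wider window, slow probing. The host name, addresses, log lines and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd lines in syslog format (sample data, not from the advisory).
# 198.51.100.23 hammers the host within seconds, 203.0.113.9 probes slowly,
# and 192.0.2.7 is an operator who mistyped a password once before succeeding.
SAMPLE_LOG = """\
Feb  3 02:14:01 rtu-gw sshd[2210]: Failed password for root from 198.51.100.23 port 51022 ssh2
Feb  3 02:14:02 rtu-gw sshd[2211]: Failed password for root from 198.51.100.23 port 51023 ssh2
Feb  3 02:14:03 rtu-gw sshd[2212]: Failed password for invalid user admin from 198.51.100.23 port 51024 ssh2
Feb  3 02:14:04 rtu-gw sshd[2213]: Failed password for invalid user pi from 198.51.100.23 port 51025 ssh2
Feb  3 02:14:05 rtu-gw sshd[2214]: Failed password for root from 198.51.100.23 port 51026 ssh2
Feb  3 02:14:06 rtu-gw sshd[2215]: Failed password for root from 198.51.100.23 port 51027 ssh2
Feb  3 02:30:10 rtu-gw sshd[2300]: Failed password for operator from 192.0.2.7 port 40001 ssh2
Feb  3 02:30:20 rtu-gw sshd[2301]: Accepted publickey for operator from 192.0.2.7 port 40002 ssh2
Feb  3 03:10:00 rtu-gw sshd[2400]: Failed password for root from 203.0.113.9 port 60000 ssh2
Feb  3 03:20:00 rtu-gw sshd[2401]: Failed password for root from 203.0.113.9 port 60001 ssh2
Feb  3 03:30:00 rtu-gw sshd[2402]: Failed password for root from 203.0.113.9 port 60002 ssh2
Feb  3 03:40:00 rtu-gw sshd[2403]: Failed password for root from 203.0.113.9 port 60003 ssh2
Feb  3 03:50:00 rtu-gw sshd[2404]: Failed password for root from 203.0.113.9 port 60004 ssh2
Feb  3 04:00:00 rtu-gw sshd[2405]: Failed password for root from 203.0.113.9 port 60005 ssh2
"""

# OpenSSH writes "invalid user" before names that do not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(log_text, year=2012):
    """Return (timestamp, source_ip, username) for every failed-password line.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m.group("ts").split())  # collapse the double space in "Feb  3"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group("ip"), m.group("user")))
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag a source once it reaches `threshold` failures inside a sliding window
    of `window_seconds`. Run it with a wide window to surface low-and-slow probing."""
    recent = defaultdict(deque)  # per-source queue of (timestamp, user) inside the window
    alerts = {}
    for ts, ip, user in sorted(parse_failures(log_text)):
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # drop attempts that fell out of the window
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = {
                "first": q[0][0],
                "last": ts,
                "attempts": len(q),
                "users": sorted({u for _, u in q}),
            }
    return alerts


if __name__ == "__main__":
    for label, window in (("burst", 60), ("slow", 3600)):
        for ip, info in detect_bruteforce(SAMPLE_LOG, window_seconds=window).items():
            print(f"[{label}] {ip}: {info['attempts']} failures "
                  f"{info['first']:%H:%M:%S}-{info['last']:%H:%M:%S}, users={info['users']}")
```

The one-minute window reports only the burst source; the one-hour window also reports the slow prober, while the single operator mistake never crosses the threshold.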

35. February 6, Threatpost – (International) Flash with sandbox in the works for Firefox. Adobe is making a major change to Flash, adding a sandbox to the version of the player that runs in Firefox. The sandbox is designed to prevent many common exploit techniques against Flash. Flash, which is perhaps the most widely deployed piece of software on the Internet, has been a common attack vector for several years now, and attacks in some cases have been used to get around exploit mitigations that were added by the browser vendors. The sandbox is designed to prevent many of these attacks by not allowing exploits against Flash to break out into the browser itself. The version of Flash for Firefox that includes a sandbox is now in beta form, and is only available to developers and not end users. The final version should be available for users later in 2012, Adobe said. Source:

36. February 6, H Security – (International) Joomla! updates close information disclosure holes. Versions 1.7.5 and 2.5.1 of the open source Joomla! content management system (CMS) have been released to address two information disclosure vulnerabilities. These include one medium severity problem in Joomla! 1.7.x that could allow an unauthorized user to gain access to the error log stored on a victim’s server, and, in both versions, an inadequate validation problem that could be exploited to gain access to private data. The update to Joomla! 2.5, which arrived in January, also fixes 30 bugs, including one that caused batch processing to break. Version 2.5.0 and the 1.7.x branch up to and including 1.7.4 are affected; upgrading to 2.5.1 and 1.7.5 fixes these problems. However, the developers remind users the 1.7.x branch will reach its end of life February 24. Source:

37. February 6, Ars Technica – (International) Google to strip Chrome of SSL revocation checking. Google’s Chrome browser will stop relying on a decades-old method for ensuring secure sockets layer (SSL) certificates are valid after one of the company’s top engineers compared it to seat belts that break when they are needed most. The browser will stop querying certificate revocation lists and databases that rely on online certificate status protocol, a Google researcher said February 5. He said the services, which browsers are supposed to query before trusting a credential for an SSL-protected address, do not make end users safer because Chrome and most other browsers establish the connection even when the services are unable to ensure a certificate has not been tampered with. “So soft-fail revocation checks are like a seat-belt that snaps when you crash,” he said. “Even though it works 99 percent of the time, it’s worthless because it only works when you don’t need it.” SSL critics have long complained the revocation checks are mostly useless. Attackers who have the ability to spoof the Web sites and certificates of Gmail and other trusted Web sites typically have the ability to replace warnings that the credential is no longer valid with a response that says the server is temporarily down. Source:

38. February 6, The Register – (International) Cisco recalls suicidal UCS blade servers. The week of January 30, Cisco Systems put out a field notice to customers using its Unified Computing System B440 server blades, stating the failure of a MOSFET power transistor on the blade can “cause the component to overheat and emit a short flash which could lead to complete board failure.” The company said “in extreme circumstances it could affect the other blades in the chassis by disrupting power flow.” Cisco warned customers something was wrong with the MOSFETs July 12, and said at that time there was “no indication of a systemic issue with the MOSFET components, and the observed failure in the field is considered to be a random component failure.” To that end, Cisco’s system engineers could issue a firmware fix for the blade to keep the MOSFET from overheating and flashing, causing the system board to fail. On January 26, Cisco notified customers using the B440 servers the firmware patch did detect MOSFET failures and prevent a “potential thermal event,” but since the firmware was distributed, another B440 in the field failed. As a result, Cisco made hardware modifications to the B440 system board and is now replacing all machines currently used by customers. Cisco said in the field notice no other UCS B Series blade servers or C Series rack servers are affected by this MOSFET failure issue. For users with these B440s in production, Cisco recommends upgrading to the most recent UCS blade management controller software, which has the patch for monitoring the B440 MOSFETs, and arranging to get replacement blades as soon as possible. Source:

For another story, see item 39 below in the Communications Sector.

Communications Sector

39. February 7, Pueblo Chieftan – (Colorado) Phone, Internet outage hits region. Residents in the Spanish Peaks area of Colorado and the San Luis Valley (SLV) were without long distance telephone and Internet services for most of the day February 6. CenturyLink officials said there was an inadvertent fiber cut about 10:45 a.m. between Pueblo and Colorado Springs that affected long distance, wireless, and Internet service south of Pueblo near Walsenburg, and a good part of the SLV. Phone service came back in Walsenburg and Trinidad the afternoon of February 6, but not for everyone. All services were back up and running a little after 6 p.m. Officials said 911 service was not affected by the outage. Verizon phone customers also reported an outage February 6. Source:

40. February 6, WAAY 31 Huntsville – (Alabama) Technical issue resolved, WAAY back on air on charter. Due to a technical issue with Charter Communications, many WAAY 31 Huntsville, Alabama viewers using that cable service provider were unable to see that station for a lengthy period of time over the February 4 weekend. The outage stretched across much of the WAAY 31 viewing area. The issue was fixed the morning of February 6 by Charter. Source:

41. February 6, Los Angeles City News Service – (California) 4 Wildomar men caught stealing microwave tower. Four men were allegedly caught stealing a microwave tower from a Wildomar, California property February 6, causing several thousand dollars in damage. The men were arrested around 5:45 a.m. after allegedly dismantling the transmission tower, according to the Riverside County Sheriff’s Department. Deputies were called to the location to investigate a report of trespassing and caught the suspects in the act, a police sergeant alleged. He said the owner of the microwave transmitter, American Tower, estimated the damage to be in excess of $3,000. All of the men were booked on suspicion of commercial theft and vandalism. Source:

Tuesday, February 7, 2012

Complete DHS Daily Report for February 7, 2012

Daily Report

Top Stories

• Most families returned to a housing complex outside a remote U.S. Marine training base February 5 in Coleville, California, 2 days after a propane gas explosion that killed 1 and displaced 38 families. – Associated Press (See item 32)

32. February 6, Associated Press – (California) Most families return after Calif. base explosion. Most families returned to a military housing complex outside a remote U.S. Marine training base February 5 in Coleville, California, 2 days after a propane gas explosion that killed a Marine’s wife and critically burned two other people. A total of 38 families were displaced from the military neighborhood that serves the U.S. Marine Corps Mountain Warfare Training Center. Twenty families had returned by February 5, and 18 remained displaced, a Marine Corps spokesman said. The explosion destroyed only one house at the center of the blast, but left 11 uninhabitable. The explosion was related to the housing area’s propane distribution system and was not associated with activities at the Marine base, which is about 30 miles away. After safety inspections February 4, inspectors began testing the propane distribution system house-by-house for leaks or any other signs of trouble, and ensuring that gas-powered appliances are re-lit and functioning properly. Source:

• The basic security model for supervisory control and data acquisition systems for industrial processes is completely inadequate, researchers said in findings presented at a recent security analyst conference. – eWeek. See item 41 below in the Information Technology Sector.


Banking and Finance Sector

13. February 6, The Register – (International) Hackers may be able to ‘outwit’ online banking security devices. An investigation by BBC Click underlines possible shortcomings in the extra security provided by banking authentication devices such as PINSentry from Barclays and SecureKey from HSBC. Hackers could set up a fake banking Web site and prompt users attempting to log into their account for both their online log-in credential and, for example, a PINSentry code. This information would allow cybercrooks to log onto the genuine banking Web site, posing as a customer, before authorizing fraudulent transfers or other payments. This variant of a classic man-in-the-middle attack is known in security circles as a man-in-the-browser attack. Isolated incidents of this type of fraud have cropped up over recent years. While the attack is not new, it is doubtful that many consumers are aware of it. Source:

14. February 3, New York Times – (International) Anonymous says it knocked Citigroup sites offline. Hackers claiming to be members of the loose hacking collective Anonymous took credit for knocking the Citigroup and Citibank Web sites offline February 3. At times the sites were only sporadically available, and some attempts to log into banking accounts were met with an error message. A Citigroup spokesman confirmed Citigroup’s consumer site had experienced a temporary outage, but said the bank was able to restore Web site operations within ` hour and was continuing to monitor its systems. This was part of a recent string of attacks by hackers who call themselves Anonymous Brazil. In posts on Twitter, the hackers said their attacks were intended to fight corruption. By February 3, they had at various times taken down the Web sites of Banco BMG, Banco Bradesco, Banco de Brasil, Banco Panamericano, Citigroup, HSBC Holdings, Itau Unibanco Banco Multiplo, and Febraban, Brazil’s banking federation. Source:

Information Technology

39. February 6, Softpedia – (International) PHP 5.3.9 regression allows HTTP header attacks and 32/64-bit OS detection. After the PHP Group fixed the hash collision issue by releasing a patch to mitigate attacks, the fix turned out to be problematic, with experts identifying a remote code execution vulnerability. Now, it turns out the same variant opened up the possibility of a new class of HTTP header attacks. The security expert who found the remote code execution flaw also uncovered this second issue. He believes the max_input_vars variable, initially limited to a maximum of 1,000 to mitigate hash collision attacks, allows the identification of 32-bit and 64-bit operating systems, introducing the possibility of a header attack that eventually leads to remote code execution. Knowing this information allows attackers exploiting remote memory corruption vulnerabilities to better prepare for the target, he said. While the issue affects nearly all PHP applications, he claims Suhosin Extension users are safe from this issue, and a new feature will be added to protect against HTTP header attacks. Source:

40. February 6, H Security – (International) Backdoor in TRENDnet IP cameras. Consolecowboys blogger someLuser identified a security vulnerability in some TRENDnet IP cameras that permits inquisitive Web users access without authentication. He discovered the vulnerability while exploring the firmware on his TV-IP110w camera using a tool called binwalk. Lengthy lists of freely accessible video streams are already circulating. Random sampling by H Security’s associates at heise Security found most of the cameras were freely accessible, providing views of offices, living rooms, and children’s bedrooms. For demonstration purposes, someLuser put together a Python script that uses the server search engine Shodan to find cameras. Navigating to a camera Web server URL displays the video stream recorded by the camera — this occurs whether or not a password is set. TRENDnet already responded by providing a firmware update promising “improved security,” which can be downloaded from its support page. Many other TRENDnet cameras also appear to be affected — according to someLuser, the firmware for the company’s TV-IP121W, TV-IP252P, TV-IP410WN, TV-IP410, TV-IP121WN, and TV-IP110WN models was updated. Source:

41. February 5, eWeek – (International) State of SCADA security worries researchers. Recent reports painted a bleak picture of the security issues plaguing industrial control systems, but the situation is exacerbated by the fact administrators are naive about the dangers, researchers said. Researchers presented some alarming findings about the state of security for supervisory control and data acquisition (SCADA) systems at the Kaspersky Security Analyst Summit February 3. SCADA systems are used across varied industries such as oil, water systems, electric grids, controlling building systems, and the basic security model underlying these systems is completely inadequate, they said. Source:

42. February 4, Softpedia – (International) Hijacked sites redirect to scam in DreamHost hack aftermath. The week of January 30, DreamHost notified customers the firm suffered a data breach. It appears the information obtained by the hackers was put to use, and some sites were already compromised and altered to redirect visitors to a Russian scam. Zscaler researchers identified many sites hosted by DreamHost that contained a PHP file designed to redirect users to a scam page. The scam site, otvetvam(dot)com, advertises a “make money from home” scam by displaying several fake testimonials allegedly written by people who already made a lot of money. The site even features Google ads that lead to a YouTube-style site that promotes other schemes, including an online gambling site. The site replicates a popular Russian site, to make everything look more legitimate. Furthermore, other malicious domains were recently set up to serve the same purpose. Source:

43. February 4, Softpedia – (International) Kelihos not resurrected, new malware used to create botnet. After Kaspersky revealed the Kelihos botnet they terminated back in September in partnership with Microsoft and Kyrus Tech Inc. may have returned, Microsoft came forward with clarifications, arguing it is actually a new version of Kelihos being used to create a new botnet. The new malware variant is called “Backdoor:Win32/Kelihos.B” and appears to be based on the initial malware’s code, but it is slightly updated and there is no evidence that the botnet that was taken down previously returned to the control of the cybercriminals. Further, it is believed this variant is based partly on Waledac, a botnet ended by Microsoft at the beginning of 2010. “Analysis of these samples and continuing observations of Kelihos-infected computers have demonstrated no known re-employment of the original Kelihos botnet by botherders,” a senior attorney at Microsoft Digital Crimes Unit said. Currently, neither Microsoft nor Kaspersky can provide precise numbers on the size of this potentially new botnet, but Kaspersky’s analysis reveals the size of the old botnet dropped by 25 percent in the past 2 months. It is estimated that the old botnet’s size is far smaller than initially thought, less than 10,000 computers being infected. Source:

44. February 3, IDG News Service – (International) Facebook malware scam takes hold. A large number of Facebook users were sharing a link to a malware-laden fake CNN news page reporting the United States attacked Iran and Saudi Arabia, security firm Sophos said February 3. If users who follow the link click to play what purports to be video coverage of the attack, they are prompted to update their Adobe Flash player with a pop-up window that looks like the real thing. Those who accept the prompt unwittingly install malware. Within 3 hours of the scam’s appearance, more than 60,000 users followed a link to the spoofed CNN page, according to a Sophos senior security adviser. Facebook removed that link, but others were still being shared. In a statement, Facebook said it was “in the process of cleaning up this spam now, and remediating any affected users.” Source:

For more stories, see items 13 and 14 above in the Banking and Finance Sector and item 45 below in the Communications Sector.

Communications Sector

45. February 6, – (International) Firms could see PCs lose internet access in DNSChanger switch off. Firms were warned that some of their users could shortly lose the ability to connect to the Internet or access e-mails, as law enforcers turn off a DNS-rerouting system. The system was established to help victims of the Rove Digital cybercrime syndicate, which distributed malware capable of changing victims’ DNS settings to point to rogue servers run by the group. The FBI managed to close down the DNSChanger criminal operation, and secured funding to run the malicious servers until March 8, using the servers to point those with infected machines to their intended destination. The DNSChanger Working Group (DCWG) is currently deliberating whether to seek an extension to its funding. A decision to withdraw the service could see 450,000 users — many of them in large multinational enterprises — losing their ability to connect to the Internet. Source:
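The practical check for the DNSChanger infection described above is whether a machine's configured resolvers fall inside the rogue address ranges that the malware pointed victims at. As an added example that is not from the DCWG or the report, the following parses the two places the malware rewrote (a Unix resolv.conf and the DNS Servers lines of Windows ipconfig /all output) and tests each resolver against a range list. The ranges, file contents and addresses are constructed placeholders; the ranges the working group actually published are not in the report and must be substituted.

```python
import ipaddress
import re

# Placeholder rogue-resolver ranges (constructed for this example; replace with
# the list published by the DNSChanger Working Group, which is not in the report).
ROGUE_RESOLVER_RANGES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.128/25"),
]

# Constructed resolver configurations. One entry in each is inside a rogue range.
SAMPLE_RESOLV_CONF = """\
# Generated by DHCP
nameserver 198.51.100.77
nameserver 192.0.2.53
search corp.example
"""

SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:
   IPv4 Address. . . . . . . . . . . : 10.0.0.15
   DNS Servers . . . . . . . . . . . : 203.0.113.200
                                       203.0.113.1
"""

RESOLV_RE = re.compile(r"^\s*nameserver\s+(\S+)", re.M)
# ipconfig prints the first DNS server on the label line and any further servers
# on continuation lines indented under it.
IPCONFIG_RE = re.compile(r"DNS Servers[ .]*:\s*(\S+)((?:\n\s+\d[\d.]*)*)")


def nameservers_from_resolv_conf(text):
    """Return every nameserver address listed in resolv.conf-style text."""
    return RESOLV_RE.findall(text)


def nameservers_from_ipconfig(text):
    """Return every DNS server address from ipconfig /all-style text, in order."""
    servers = []
    for first, rest in IPCONFIG_RE.findall(text):
        servers.append(first)
        servers.extend(rest.split())
    return servers


def classify_resolvers(servers, rogue_ranges=ROGUE_RESOLVER_RANGES):
    """Map each resolver to the rogue network it falls in, or None if it is clean.
    Entries that are not IP addresses are skipped rather than misreported."""
    result = {}
    for server in servers:
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            continue
        result[server] = next((str(n) for n in rogue_ranges if addr in n), None)
    return result


def rogue_resolvers(resolv_conf_text="", ipconfig_text=""):
    """Sorted list of configured resolvers that sit inside a rogue range."""
    servers = nameservers_from_resolv_conf(resolv_conf_text)
    servers += nameservers_from_ipconfig(ipconfig_text)
    return sorted(s for s, hit in classify_resolvers(servers).items() if hit)


if __name__ == "__main__":
    for server, hit in classify_resolvers(
        nameservers_from_resolv_conf(SAMPLE_RESOLV_CONF)
        + nameservers_from_ipconfig(SAMPLE_IPCONFIG)
    ).items():
        print(f"{server:16} {'ROGUE (' + hit + ')' if hit else 'ok'}")
```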

46. February 5, Richmond Times-Dispatch – (Virginia) Transmitter problems beset WCVE (88.9 FM). Transmitter problems put the public radio station WCVE (88.9 FM) off the air for many listeners. The problems began February 3 around 4:45 p.m., said an operations manager for WCVE Public Radio. “Engineers were able to restore the signal but at a greatly reduced power setting,” the station said in a statement. “Because of this you may be experiencing a very weak signal or, in some cases, no signal at all.” WCVE’s vice president and general manager said the station probably would not be back at full strength until February 6 or 7, after transmitter parts arrive from an out-of-town supplier. Listeners can still hear the station online at Source:

For another story, see item 44 above in the Information Technology Sector.