Friday, March 9, 2012

Complete DHS Daily Report for March 9, 2012

Daily Report

Top Stories

• Residents from about 10 homes were evacuated for about 5 hours after a train derailment in Abbeville, South Carolina, March 8 that resulted in chemicals leaking from some railcars. – Associated Press

7. March 8, Associated Press – (South Carolina) Train carrying methanol derails in Abbeville. Residents were being allowed to return home after a train derailment in Abbeville, South Carolina, March 8 resulted in chemicals leaking from some railcars, and prompted the evacuation of a half-mile area. A car carrying propanediol leaked after the crash that saw two dozen cars of the CSX train go off the tracks. The thick liquid is used in laminates and coatings, but is not a risk to the public, a local fire chief said. Another car was carrying methanol, which can be dangerous, but a CSX spokesman said there was no indication it leaked. HAZMAT crews were working to contain the leak, which the fire chief said could contaminate waterways if it reached a stream. About 10 homes were evacuated, said an emergency preparedness official. The fire chief noted that the first engine arriving at the scene backed out when firefighters’ eyes started burning. The train was headed from Atlanta to Hamlet, North Carolina, the CSX spokesman said. Source:

• An expert panel recommended the United States customize emergency plans for each of the nation’s 65 nuclear power plants. The change would expand the standard 10-mile evacuation zone that has been in place for more than 3 decades. – Associated Press

10. March 8, Associated Press – (National) Expert panel: 10-mile evacuation zone may not be adequate for some nuclear power plants. The United States should customize emergency plans for each of the nation’s 65 nuclear power plants, a change that in some cases could expand the standard 10-mile evacuation zone in place for more than 3 decades, an expert panel recommended in a report that was to be released March 9. That’s one of the lessons to emerge in a 40-page report set to be released 3 days before the 1-year anniversary of Japan’s nuclear disaster from a committee that examined the incident for the American Nuclear Society. The panel included a former chairman of the Nuclear Regulatory Commission, a fellow at a Department of Energy laboratory, and seven other nuclear scientists. The report concluded U.S. nuclear power oversight is adequate to protect public health and safety but that emergency zones “should not be based on arbitrary mileage designations.” Under rules in force since 1978, communities near nuclear plants must prepare federally reviewed evacuation plans for those living within 10 miles of the facility. Source:

• At least five people were shot, including a police officer, in the lobby of Western Psychiatric Institute and Clinic in Pittsburgh March 8, and officers were searching for a possible second shooter. Officers found one suspect dead. – Pittsburgh Tribune-Review

28. March 8, Pittsburgh Tribune-Review – (Pennsylvania) Several people, including officer, shot at Western Psych; one suspect dead. At least five people were shot, including a police officer, in the lobby of Western Psychiatric Institute and Clinic in Pittsburgh, March 8, and officers were searching for a possible second shooter. Officers found one suspect dead. Police evacuated people from Western Psychiatric and took them to Scaife Hall across the street. Police said the officer was hit in the leg and taken next-door to a hospital. A police union official said the officer works for the University of Pittsburgh. Authorities did not disclose the conditions of any other victims. Police closed down nearby DeSoto Street with more than 20 cruisers and a SWAT vehicle while officers yelled at people to stay inside surrounding buildings. Western Psych was in complete lockdown, a spokeswoman said. The neighboring University of Pittsburgh sent out an automatic e-mail alert indicating an active shooter. Five neighboring K-12 schools were ordered to go on lockdown. Source:

• A man was arrested March 7 after he opened fire outside the Tulsa County Courthouse in Tulsa, Oklahoma, wounding a deputy and a bystander before being wounded himself. – MSNBC; Associated Press

30. March 8, MSNBC; Associated Press – (Oklahoma) Dramatic shootout outside Tulsa courthouse. A man was arrested March 7 after he opened fire outside the Tulsa County Courthouse in Tulsa, Oklahoma, wounding a deputy and a bystander before being wounded himself, police said. The gunman was in critical condition after being shot by police. Police said the man walked into the plaza outside the courthouse and Tulsa City-County Library and began firing into the air. He then sat on a cement bench at the plaza, according to KJRH 2 Tulsa. Three deputies reportedly arrived moments later and exchanged fire with the suspect. One deputy was shot in the hand. The deputy is in serious condition with non-life-threatening injuries. Deputies fired five rounds at the suspect, striking him in the face and body. He was taken into surgery and was in critical condition as of March 7. It is not clear if a bullet from the gunman or from police struck the bystander, who is in fair condition. A police spokesman said the suspect was considered to be in police custody, but had not been formally charged. The courthouse was set to be open as usual March 8. The Tulsa World reported that a wedding ceremony had just taken place in the plaza when the gunfire erupted. Source:

• Police investigating a marijuana scent at a Long Island, New York home found an arsenal of guns, grenades, and bomb-making material that would have been enough to blow up an entire block. – NBC New York; Associated Press

53. March 7, NBC New York; Associated Press – (New York) Police: House has enough explosives to ‘blow up the entire block’. Police investigating a marijuana scent at a Long Island, New York home discovered an arsenal of guns, grenades, and bomb-making material that would have been enough to “blow up the entire block,” NBC New York reported. Police officers went to the home in Woodmere after an alarm went off March 7 and found a man there without identification. A Nassau County police inspector said responding officers saw a semi-automatic handgun and two military-style grenades as soon as they opened the door. Police took the man into custody and evacuated about 20 homes on the block as a precaution while they searched the rest of the home. During their search, police discovered a massive cache of weapons, including 100 handguns, 20 rifles, 15 pipe bombs, 15 handmade grenades, and 50 pounds of bomb-making material, police said. In addition to the weapons, police found a marijuana greenhouse as well as a pit in the backyard with a wire that extended into the house. Police believe the man used the pit to test explosives. The home is owned by the man’s parents, who live in Florida during the winter. Police said they were not sure the parents knew the man was living in the house. Authorities said they do not know of any motive the man had for developing the arsenal or what he planned to do with it. Source:


Banking and Finance Sector

15. March 8, Associated Press – (Texas; International) Jury deciding if feds can seize $330 million from accounts of convicted fraudster. A Houston jury was to begin deciding March 8 if federal authorities can seize $330 million from nearly 30 accounts controlled by a convicted Texas tycoon and others. Prosecutors allege the funds are proceeds from a massive Ponzi scheme and can be traced back to investors who lost billions. They are part of a brief criminal forfeiture proceeding that ended March 7. It followed the tycoon’s conviction March 6 by the same jury on 13 of 14 fraud-related counts for orchestrating a scheme that took more than $7 billion over 20 years from investors. Source:

16. March 7, Salt Lake Tribune – (Utah; Colorado; National) Utahns among six sanctioned over Ponzi scheme. Federal regulators imposed sanctions on six Utah and Colorado men for their involvement with a Utah County man who pleaded guilty to fraud charges for running a Ponzi scheme that took in about $18 million from investors on promises of returns of 2 percent or more a month, the Salt Lake Tribune reported March 7. The Securities and Exchange Commission (SEC) said the six solicited millions of dollars of investor money that went to the Ponzi schemer using false claims about where the money would go and about the security of the investments. In recent administrative actions, the SEC barred the six from participating in investment sales, services, and promotions, including penny stocks. In a 2009 lawsuit, the SEC said the six had raised about $41 million from 150 investors in various states. Of that, about $18 million went to the Ponzi schemer, who used about half of it to make interest payments to initial investors so it appeared his operation was profitable. The schemer, who is serving a 10-year prison sentence, misappropriated another $8 million for personal use, including buying a large collection of luxury and antique motor vehicles, with another $650,000 going to his then-wife. Source:

17. March 7, Chicago Tribune – (Illinois) FDIC sues former officers of Broadway Bank. The Federal Deposit Insurance Corporation (FDIC) filed a $104 million lawsuit March 7 in connection with the April 2010 failure of Chicago-based Broadway Bank. Among those named was the bank’s former president. The FDIC alleges gross negligence, negligence, and breaches of fiduciary duty by seven former directors and two former officers who approved loans that sank the fast-growing bank. The regulator is seeking to recover $104 million in losses from 17 bad loans. The suit said the defendants approved two of the worst loans June 24, 2008 — immediately after bank regulators ordered Broadway to improve its lending operations. The two loans resulted in a combined loss to the bank of $12 million. Underwriting was perfunctory or non-existent, and loans were made without proper appraisals and sometimes to borrowers who had already stiffed the bank, the suit said. The $1.06 billion-asset bank failed in April 2010. The estimated loss to the insurance fund is $391.4 million. Source:

18. March 7, U.S. Securities and Exchange Commission – (National) SEC charges CEO of Las Vegas-based penny stock company and several consultants in pump-and-dump scheme. The Securities and Exchange Commission (SEC) charged a Las Vegas-based food and beverage company and its chief executive officer (CEO) March 7 with conducting a fraudulent pump-and-dump scheme and charged several consultants for their illegal sales of company shares into the markets. The SEC alleges Prime Star Group Inc. under the direction of its CEO issued false and misleading press releases that touted lucrative agreements for the company’s products. Furthermore, certain Prime Star reports filed with the SEC understated the company’s net losses or overstated its cash balance. The SEC suspended trading in Prime Star in June 2011 due to questions about the adequacy and accuracy of information about the company. “Prime Star and [its CEO] used backdated consulting agreements and forged attorney opinion letters as a means to issue millions of shares to the consultants who then dumped them on unsuspecting investors,” the director of the SEC’s Miami Regional Office said. The SEC alleges the CEO and Prime Star’s fraudulent promotional activities caused Prime Star’s stock price and trading volume to increase markedly. For instance, March 16, a prior day press release caused trading volume to spike to more than 16 million shares, which was 10 times more than the previous day’s trading volume. Prime Star’s stock price plummeted the following day. Source:

Information Technology

40. March 8, The Register – (International) Chinese tech firms fingered for military collaboration. The People’s Liberation Army is actively arming and developing its soldiers with advanced information warfare capabilities which would represent a “genuine risk” to U.S. military operations in the event of a conflict, a new report alleges. Contractor Northrop Grumman’s report for the U.S. government on the cyber threat posed by China was released March 8. The contractor asserts the People’s Republic believes information warfare and computer network operations are a vital part of any military operation and are integrating them with traditional components under a framework known as “information confrontation.” It argues the Chinese military is constantly evaluating U.S. command and control infrastructure and will therefore likely “target these system with both electronic countermeasures weapons and network attack and exploitation tools” in the event of a conflict. The report also warns that joint ventures of the Symantec Huawei type could lead to a risk of intellectual property theft and long-term erosion of competitiveness for Western firms. The close relationship between China’s large multinational telecoms and hardware-makers and the PLA also creates a potential for state-sponsored or directed attacks against the supply chain for equipment used by military, government, and private industry, the report warns. Source:

41. March 8, Softpedia – (International) Hackers find flaws in Microsoft, Dell and TBS sites. A security researcher who goes by the online handle Flexxpoint found a cross-site scripting (XSS) vulnerability in Microsoft’s main site. The official sites of Dell Australia and Turner Broadcasting System were identified as containing security holes by the grey hat hacker team known as BlitzSec. E Hacking News reports Flexxpoint discovered the XSS issue in the products page and demonstrated his findings with simple proof-of-concept code. If successfully exploited, the vulnerability could allow an attacker to steal cookies and even launch phishing attacks. The same expert recently identified a similar weakness in the official site of Ubuntu. The other two Web sites identified as vulnerable by BlitzSec hackers are also susceptible to XSS attacks, one of which is the official site of Dell Australia. With TBS, the situation is slightly different. The site was previously named as being easy to compromise by TeamHav0k and its administrators were notified of these issues at the time. Since the Web site remained unsecured, cookie stealing, XSS Tunnels, and XSS attacks using Metasploit (XSSF) can be performed by hackers who exploit the high severity flaws. Source:

42. March 8, H Security – (International) Apple closes security holes with iOS 5.1 and iTunes update. Alongside the launch of the “new iPad,” Apple released iOS 5.1 for the iPhone 3GS, 4 and 4S, the 3rd generation iPod touch, and iPad and iPad 2. The update includes fixes for 91 issues with CVE identifiers. The majority, 66 of the issues, are described as “unexpected application termination or arbitrary code execution” in WebKit due to memory corruption. These flaws were mostly found by Apple or members of the Google Chrome Security Team, while a number were found by a Chrome special reward winner. Two screen lock bypass issues are fixed, including one, a race condition with slide to dial gestures that could bypass the passcode lock, discovered by a researcher from the German Federal Ministry of Economics and Technology, and an uncredited discovery that Siri’s lock screen could be used to forward messages to an arbitrary user. Another error, which allowed a malicious program to bypass the sandbox by exploiting an error in the handling of debug calls, was fixed, with the error’s discovery credited to the “2012 iOS Jailbreak Dream Team.” A flaw in Private Browsing in Safari that recorded JavaScript pushState and replaceState methods in browser history was also fixed. Other flaws fixed include information disclosure in CFNetwork with maliciously crafted URLs, an integer underflow when mounting disk images, an integer underflow when processing DNS records, and cross-origin issues with cookies and content which could enable cross-site scripting attacks. Source:

43. March 8, Softpedia – (International) Scareware demands ransom after making files and folders invisible. Bitdefender came across a piece of scareware that makes victims believe something may have happened to all the files and folders stored on their computers. The user is then requested to pay $80 for a tool that allegedly addresses the problem. Identified as Trojan.HiddenFilesFraud.A, the rogue disk repair utility starts operating by informing the user of certain issues that affect the computer. Since many users are accustomed to fake antivirus, this malicious application is programmed to make everything look more realistic. It changes the attributes of all files and folders, setting them as Hidden, so the user may believe everything was deleted from the hard drive. Certain key shortcuts are also disabled to induce more panic. Also, the worm that downloads HiddenFilesFraud.A, Win32.Brontok.AP@mm, ensures the files’ attributes cannot be modified from Windows Explorer back to their original state. After displaying the numerous “errors” that affect the system, the scareware advertises a repair utility that costs $80. However, the so-called utility does absolutely nothing. Brontok.AP@mm, the element responsible for installing Trojan.HiddenFilesFraud.A, quickly copies itself on removable media drives to ensure it spreads without difficulty from one computer to another. Source:

44. March 8, Softpedia – (International) Avast identifies subscription traps as malicious. A number of Web sites that offer software trick unsuspecting users into installing toolbars and other unwanted applications. Avast revealed its intention to classify downloads originating from these types of sites as malware. The week of February 27, the German government issued a law against Internet scammers who dupe users into subscribing to paid services while trying to download applications that are supposedly free. Until this law is extended to cover sites that bundle their products with unsolicited toolbars and other features, Avast decided to catalogue these downloads as malware. An example of a site that relies on such schemes to serve undesired content is winload(dot)de. If users download an application without first checking the checkboxes above the Download button, they end up with a toolbar that allows the operator to change the default search engine in the Internet browser and change the homepage. Once the toolbar is installed, its operators are permitted to install updates on the affected PC, send notifications to the user, collect location-based data, add a different “page not found” functionality, and even collect information from the user’s social network account. The customer is warned the toolbar will be installed, but not with a notification message; rather, a piece of text is written somewhere above the Download button. These types of scams do not target only German users; this is an example of a situation that can happen to anyone worldwide. Source:

45. March 8, H Security – (International) Raspberry Pi delayed by manufacturing mix-up. Delivery of the Linux-powered tiny computer Raspberry Pi was further delayed by a problem with the manufacturing of the device. The factory producing the boards included the wrong type of network jack in the first few batches which meant those devices did not have a working network connection. The problem was known to the Raspberry Pi team for a few days but was only announced March 8 after further tests were run to make sure the network jack was the only component affected. Since the problem was discovered before the product was shipped to customers, the factory producing the device is now swapping out the wrong part for the correct one. The Raspberry Pi team is working to source more of the required magnetized Ethernet jacks as their existing stockpile is composed entirely of the non-magnetized ones that do not work with the rest of the Raspberry Pi hardware. It is not currently known when the fixed batches of devices will be delivered to consumers who already pre-ordered the Linux computer. Source:

46. March 8, H Security – (International) Chrome hackers strike Pwnium. Google’s Chrome fell to two separate zero-day attacks at the CanSecWest conference, as researchers took on the browser in the Pwn2Own competition and in Google’s own vulnerability hunt, Pwnium. Chrome first fell in Google’s Pwnium competition, when a researcher bypassed Chrome’s sandbox using only native Chrome code. The fall of Chrome in the Pwnium contest was followed by a fall in the Pwn2Own contest. This time, a team from Vupen Security, who are believed to have leveraged the embedded Adobe Flash Plugin in their exploit, broke out of the Chrome sandbox. Source:

47. March 8, U.S. Consumer Product Safety Commission – (National) Lenovo recalls ThinkCentre desktop computers due to fire hazard. March 8, the U.S. Consumer Product Safety Commission, in cooperation with Lenovo, announced a voluntary recall of about 50,500 Lenovo ThinkCentre M70z and M90z computers. The manufacturer/importer of the computers was Lenovo, of Morrisville, North Carolina. The computers were manufactured in Mexico. A defect in an internal component in the power supply can overheat and pose a fire hazard. The firm received reports of one fire incident and one smoke incident in the United States. Only certain M70z and M90z computers built in this time frame are affected. Consumers will need to check the serial number on their computer with Lenovo to determine if it is subject to this recall. The computers were sold online at Lenovo’s Web sites, by telephone, and through direct sales by Lenovo authorized distributors nationwide from May 2011 through January 2012. Source:

48. March 7, Wired – (International) Researchers seek help in solving DuQu mystery language. DuQu, the malicious code that followed in the wake of Stuxnet, has been analyzed nearly as much as its predecessor. However, one part of the code remains a mystery, and researchers are asking programmers for help in solving it. The mystery concerns an essential component of the malware that communicates with command-and-control servers and has the ability to download additional payload modules and execute them on infected machines. Researchers at Kaspersky Lab are unable to determine the language in which the communication module is written. While other parts of DuQu are written in the C++ programming language and are compiled with Microsoft’s Visual C++ 2008, this part is not, according to the chief security expert at Kaspersky Lab. He and his team also determined it is not Objective C, Java, Python, Ada, Lua, or many other languages they know. While it is possible the language was created exclusively by DuQu’s authors for their project and has never been used elsewhere, it is also possible it is a language that is commonly used, but only by a specific industry or class of programmers. Kaspersky is hoping someone in the programming community will recognize it and come forward to identify it. Identification of the language could help analysts build a profile of DuQu’s authors, particularly if they can tie the language to a group of people known to use this specialized programming language or even to people who were behind its development. DuQu was discovered in 2011 by Hungarian researchers at the Laboratory of Cryptography and System Security at Budapest University of Technology and Economics. Source:

49. March 7, IDG News Service – (International) Spam leads Google to disable interop of its IM network with AOL AIM. AOL hopes to issue a fix soon to a spam surge in its AIM service targeting Google IM users, a situation that prompted Google to temporarily shut down the interoperability between the two instant messaging networks. Google suspended the IM federation between its IM network and AIM about a week and a half ago in order to shield Gmail Chat and Google Talk users from the high level of AIM spam. “Our backend servers were sending too many spam messages to Google federation gateways,” said the senior director of messaging products at AOL. AOL has been working intensely on the problem and expected to issue a fix maybe as soon as March 8. Once the problem is fixed and the interoperability restored, Google and AIM users will again be able to engage in IM sessions, each communicating from their respective networks. Source:

50. March 7, IDG News Service – (International) DDoS botnet clients start integrating the Apache Killer exploit. The latest version of a distributed denial-of-service (DDoS) bot called Armageddon integrates a relatively new exploit known as Apache Killer, DDoS mitigation vendor Arbor Networks said March 6. The Apache Killer exploit was released in August 2011. It exploits a vulnerability in the Apache Web server by sending a specially crafted “Range” HTTP header to trigger a denial-of-service condition. The attack is particularly dangerous because it can be successfully executed from a single computer and the entire targeted machine needs to be rebooted in order to recover from it. “The Kill Apache attack abuses the HTTP protocol by requesting that the target web server return the requested URL content in a huge number of individual chunks, or byte ranges,” said an Arbor research analyst March 6. “This can cause a surprisingly heavy load on the target server.” The vulnerability exploited by Apache Killer is identified as CVE-2011-3192 and was patched in Apache HTTPD 2.2.20, a week after the exploit was publicly released. Apache 2.2.21 contains an improved fix. This is the first time Arbor researchers have seen the exploit being integrated into a DDoS botnet client that is actively being used by attackers, the researcher said. Armageddon is a Russian malware family exclusively designed to launch DDoS attacks. Because it is sold as a toolkit on underground forums, there is more than one Armageddon-powered botnet on the Internet. Source:
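The Range-header abuse in item 50 is easy to spot from the defender's side: a legitimate client sends one or a few byte ranges, while the attack depends on a single request carrying a huge number of them. The Python below is an added example, not code from the article or from Arbor Networks; it parses the Range header, classifies a request against a threshold, and runs the same check over constructed access-log lines. The 5-range threshold, the log format (Range header logged as the last quoted field) and the sample lines are assumptions.

```python
import re
from typing import List, Optional, Tuple

# Hypothetical policy threshold (assumption): how many byte-range-specs one
# request may carry before it is treated as a resource-exhaustion attempt.
MAX_RANGES = 5

# Constructed sample headers, not taken from the page.
NORMAL_RANGE = "bytes=0-499, 500-999"                    # resumed download
ABUSIVE_RANGE = "bytes=" + ",".join(f"{i}-{i + 1}" for i in range(1300))

_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")

ByteRange = Tuple[Optional[int], Optional[int]]


def parse_byte_ranges(header: Optional[str]) -> Optional[List[ByteRange]]:
    """Parse an HTTP/1.1 Range header value into (first, last) pairs.

    Returns None when the header is absent, uses a unit other than 'bytes',
    or contains a malformed spec; a server would ignore such a header and
    serve the full representation. A suffix range '-500' becomes (None, 500).
    """
    if not header:
        return None
    unit, sep, spec_list = header.partition("=")
    if sep != "=" or unit.strip().lower() != "bytes":
        return None
    ranges: List[ByteRange] = []
    for spec in spec_list.split(","):
        m = _RANGE_SPEC.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        first = int(m.group(1)) if m.group(1) else None
        last = int(m.group(2)) if m.group(2) else None
        ranges.append((first, last))
    return ranges


def classify_range_header(header: Optional[str], max_ranges: int = MAX_RANGES) -> str:
    """Return 'none' (no usable Range header), 'ok', or 'reject'.

    'reject' is the condition a front-end filter would act on: more byte
    ranges in one request than any ordinary client needs, which is exactly
    what makes the server assemble a huge number of chunks for one request.
    """
    ranges = parse_byte_ranges(header)
    if ranges is None:
        return "none"
    return "reject" if len(ranges) > max_ranges else "ok"


def scan_access_log(lines: List[str], max_ranges: int = MAX_RANGES) -> List[Tuple[str, int]]:
    """Apply the check to access-log lines whose LAST quoted field is the
    request's Range header ('-' when absent). Returns (client_ip, range_count)
    for every request that exceeds the threshold."""
    hits: List[Tuple[str, int]] = []
    for line in lines:
        client_ip = line.split(" ", 1)[0]
        quoted = re.findall(r'"([^"]*)"', line)
        if not quoted or quoted[-1] == "-":
            continue
        ranges = parse_byte_ranges(quoted[-1])
        if ranges is not None and len(ranges) > max_ranges:
            hits.append((client_ip, len(ranges)))
    return hits


# Constructed log lines (assumed format: combined log plus "%{Range}i").
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Mar/2012:10:00:01 +0000] "GET /big.iso HTTP/1.1" 206 1000 '
    '"-" "curl/7.21" "' + NORMAL_RANGE + '"',
    '203.0.113.9 - - [06/Mar/2012:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 5120 '
    '"-" "Mozilla/5.0" "-"',
    '198.51.100.4 - - [06/Mar/2012:10:00:03 +0000] "HEAD /index.html HTTP/1.1" 206 0 '
    '"-" "constructed-client/1.0" "' + ABUSIVE_RANGE + '"',
]

if __name__ == "__main__":
    for ip, count in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {count} byte ranges in one request, exceeds {MAX_RANGES}")
```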

Communications Sector

Nothing to report