Friday, March 23, 2012

Complete DHS Daily Report for March 23, 2012

Daily Report

Top Stories

• A fire and explosion at a chemical plant in Ascension Parish, Louisiana, released hazardous chemicals, led to the closure of several roads, and forced hundreds of residents to shelter in place. – Baton Rouge Advocate

3. March 22, Baton Rouge Advocate – (Louisiana) Westlake plant fire extinguished. A fire at Westlake Chemical’s Geismar Vinyls Complex was extinguished and a 1-mile shelter in place order was lifted after a few hours for hundreds of residents in Ascension Parish, Louisiana, March 22, authorities said. Also, a section of the Mississippi River near the plant was closed, said a parish government spokesman. An explosion and fire occurred at the vinyl chloride monomer (VCM) part of the facility, said Westlake’s environmental health and safety manager. VCM is feedstock for polyvinyl chloride, which is used to make plastic pipes and other home products, she said. The cause of the fire and explosion is unknown and is under investigation, she added. She said both access roads into the plant were closed. The sheriff said state and federal agencies were conducting air monitoring, noting a white cloud erupted from the facility. The state department of environmental quality said the plant was releasing VCM, hydrochloric acid (HCL) and HCL solution, and chlorine. The lines involved in the release were shut in. The sheriff’s office said the fire forced the closure of parts of La. 73, La. 30, River Road, and La. 3115 for many hours. Six area emergency services agencies responded. Source: http://theadvocate.com/home/2387679-77/westlake-chemical-plant-in-geismar

• Authorities interviewed at least 13 people with ties to Iran’s government who were seen taking pictures of New York City landmarks, such as the Brooklyn Bridge, since 2005. The cases are considered pre-operational surveillance in preparation for a possible terrorist attack, a senior city police official said. – Associated Press

13. March 21, Associated Press – (New York) NYPD says Iran has conducted surveillance in NYC. Authorities interviewed at least 13 people since 2005 with ties to Iran’s government who were seen taking pictures of New York City landmarks such as the Brooklyn Bridge, a senior New York City Police Department (NYPD) official said March 21. Police consider these instances to be pre-operational surveillance, bolstering their concerns Iran or its proxy terrorist group could be prepared to strike inside the United States, if provoked by escalating tensions between the two countries. The NYPD’s director of intelligence analysis told Congress that New York’s international significance as a terror target and its large Jewish population make the city a likely place for Iran and Hezbollah to strike. He testified before a House homeland security panel about the potential threat. Much of what he said echoed his previous statements on the potential threat, but he offered new details March 21 about past activities in New York. In May 2005, tips led the NYPD to six people on a sight-seeing cruise who were taking pictures and movies of city landmarks. In September 2008, police interviewed three people taking pictures of railroad tracks. In September 2010, federal air marshals saw four people taking pictures and videos at a New York heliport. Interviews with law enforcement revealed all the people were associated with the Iranian government, but they were ultimately released and never charged, the director said. Source: http://online.wsj.com/article/AP365b220a2c5349aabb17ab386703ff77.html

• Leesville, Louisiana’s city council declared a state of emergency March 21 after flooding caused two sewer stations to become non-operational and closed many roads. – Associated Press; Alexandria Daily Town Talk

20. March 21, Associated Press; Alexandria Daily Town Talk – (Louisiana) Storm wreaks havoc in Central La., dumps nearly 16 inches of rain on Leesville. Leesville, Louisiana’s city council declared a state of emergency March 21 after two sewer stations became non-operational after a storm dumped nearly 16 inches of rain March 20 and 21. The sewer system was back online March 21, but downed trees, road closures, and flooded areas were seen in hard-hit areas of Cenla. Officials in Beauregard, Natchitoches, and Vernon parishes, along with several parishes not in Cenla, declared emergencies, the governor’s office of homeland security and emergency preparedness said. Vernon, Natchitoches, Beauregard, and Sabine parishes were under flood warnings March 20 and 21, while flash flood watches were in effect for many other parishes, including Rapides, Grant, and Winn. The Beauregard Parish Sheriff’s Office and Office of Emergency Preparedness closed sections of Louisiana Highways 110, 1147, and 1146 as well as many smaller roads March 21 due to high water. Officials predicted waters around Bundick Lake would reach 8 to 10 feet above flood stage. Additionally, schools in Vernon, Natchitoches, and Sabine were closed March 21. Source: http://www.thetowntalk.com/article/20120322/NEWS01/203220308

• Government network security experts told a U.S. Senate panel federal networks are thoroughly penetrated by foreign spies. They said current perimeter-based defenses that attempt to curb intrusions are outdated and futile. – Threatpost

24. March 21, Threatpost – (International) Experts tell Senate: Government networks owned, resistance is futile. Network security experts from across the U.S. government told a U.S. Senate Armed Services subcommittee March 20 federal networks have been thoroughly penetrated by foreign spies and current perimeter-based defenses that attempt to curb intrusions are outdated and futile. Speaking before the Senate Armed Services Subcommittee on Emerging Threats and Capabilities, the experts said the U.S. government had to abandon the notion it could keep outsiders off its computer networks. “We’ve got the wrong mental model here,” the director of the Information Systems Analysis Center at Sandia National Laboratories testified. “I don’t think that we would think that we could keep spies out of our country. And I think we’ve got this model for cyber that says, ‘We’re going to develop a system where we’re not attacked.’ I think we have to go to a model where we assume the adversary is in our networks. It’s on our machines, and we’ve got to operate anyway. We have to protect the data anyway.” Source: http://threatpost.com/en_us/blogs/inadequate-pay-outdated-approaches-and-bureaucracy-all-contribute-foreign-ownership-federal-sy

• Officials in California said that after 5 years, they are still struggling to build and deploy an earthquake warning system that would give cities time to prepare for and mitigate the impact of a massive earthquake. – Los Angeles Times

26. March 21, Los Angeles Times – (California) California struggles to set up early quake warning system. California has struggled to build and deploy an earthquake warning system that would give cities time to prepare for the impact of a massive earthquake, the Los Angeles Times reported March 21. California is spending only a fraction of what other countries have devoted, and scientists said the progress is so slow they cannot say when the state might complete its system. One reason for the lack of interest, some experts said, is that unlike Mexico, Japan, and the other countries with early warning systems, California has not experienced a truly catastrophic earthquake in more than a century. Officials in California have been working on a system for about 5 years. Alerts of coming earthquakes in California could be sent via Twitter and other forms of social media, with scientists hoping to get out word as broadly as possible. Alerts also would go up on TV and radio. With the warning, scientists hope that emergency crews would have time to open fire station doors, protect nuclear power plants, slow down trains, and take other measures before the quake would be felt. Source: http://www.latimes.com/news/local/la-me-03-22-quake-warning-20120322,0,7059435.story

Details

Banking and Finance Sector

5. March 22, Missoula Missoulian – (Montana) ‘Motorcycle bandit’ pleads guilty to 5 western Montana bank robberies. The man accused of being northwestern Montana’s “motorcycle bandit” pleaded guilty in federal court March 21 to robbing four banks – one of them twice – and using a gun during one of those robberies. Each conviction of bank robbery carries a term of up to 25 years in prison and a $250,000 fine. An assistant U.S. attorney said a plea agreement in the case calls for restitution of $88,012. In most of the cases, the man wore a motorcycle helmet and fled on a motorcycle or four-wheeler. He pleaded guilty to robbing the First Interstate Bank in Bigfork September 24, 2010; a Glacier Bank in Lakeside November 10, 2010; a First Valley Bank in Seeley Lake April 5, 2011; a Mullan Trail Bank in St. Regis May 31, 2011; and the Glacier Bank in Lakeside again September 28, 2011. Those heists netted varying amounts of money, from $6,553 during the first incident, to $46,000 in the second. Source: http://missoulian.com/news/local/motorcycle-bandit-pleads-guilty-to-western-montana-bank-robberies/article_0d2d57c6-7388-11e1-86ad-001871e3ce6c.html

6. March 22, Orange County Register – (California) ‘Snowboarder Bandit’ robs Irvine bank, authorities say. A man police call the “Snowboarder Bandit” is suspected of robbing an Irvine, California bank branch March 21, marking the 10th hold-up tied to the robber. A man wearing a black motorcycle helmet with the shade pulled up walked into a U.S. Bank branch inside a Pavilions supermarket, a FBI spokeswoman said. He handed an employee a note that read, “empty drawer, do not touch alarm. High powered gun, 15 seconds,” she said. The Snowboarder Bandit is suspected in a series of recent robberies, including hold-ups at bank branches in Irvine, Laguna Hills, Anaheim Hills, Ladera Ranch, and Corona del Mar. He earned his nickname due to his youthful appearance and the ski-type clothes he wore during earlier robberies. Source: http://www.ocregister.com/news/bandit-345734-snowboarder-bank.html

7. March 22, H Security – (International) Embarrassing security failure at PayPal. Until just a few days ago, Web sites belonging to the world’s largest online payment service contained a security vulnerability in a key component that could have been exploited by fraudsters to steal information from customers, H Security reported March 22. PayPal fixed the vulnerability shortly after being notified of its presence by heise Security. A heise Security reader noticed the search function on PayPal Web pages was not filtering user input correctly, making it simple to inject code into PayPal pages via a crafted URL. The problem affected pages at paypal.com, which use SSL security. Customers log in to the site from these pages and use them to make payments. PayPal emphasizes its security credentials in its advertising and presents itself as a certified payment system. Source: http://www.h-online.com/security/news/item/Embarrassing-security-failure-at-PayPal-1477905.html

8. March 21, New York Daily News – (New York) Scammer pleads guilty to illegally fixing bad credit scores. A sophisticated scammer pleaded guilty March 21 in New York City to illegally fixing bad credit scores, and agreed to pay $9.3 million in restitution for loans made to the deadbeats he cleaned up. He faces up to 6 and a half years in prison for conspiracy to commit bank fraud. A Manhattan U.S. attorney said the man and three others fraudulently boosted the credit scores of thousands of people from 2007 to 2009. They netted more than $1 million by charging people hundreds — and sometimes thousands — to fix their poor credit, the feds said. Through two fake companies — Highway Furniture and New York Funding — the man furnished phony data about his customers to two credit bureaus, Experian and TransUnion. By claiming to have extended credit to their customers and then declaring the loans were repaid promptly, they upgraded their credit scores. The man and his alleged henchmen were also able to delete negative credit data from a computer system Highway Furniture and New York Funding had access to as “furnishers” of information to the credit bureaus. Prosecutors said the customers whose credit scores were falsely fixed went out and obtained $9.3 million in loans. The feds said neither Highway Furniture nor New York Funding were real businesses. Source: http://www.nydailynews.com/new-york/scammer-pleads-guilty-illegally-fixing-bad-credit-scores-article-1.1048572?localLinksEnabled=false

9. March 20, Atlanta Journal-Constitution – (Georgia; National) Former Carter’s Inc. exec indicted on federal charges. The former president of children’s apparel maker Carter’s Inc. was indicted March 20 on federal securities fraud and other charges in the wake of a scandal that involved alleged doctoring of the Atlanta company’s books. The former president left Carter’s in December 2009 after an internal investigation into accounting irregularities. Federal authorities said he became aware of and hid a scheme from other Carter’s executives, auditors, and shareholders that involved falsifying financial records and providing improper rebates to retailers. He was also indicted on charges of causing the filing of false financial statements and falsifying books and records of a public company, said a news release from the U.S. attorney’s office in Atlanta. Another Carter’s executive the former president supervised pleaded not guilty in 2011 to more than 30 federal counts related to the alleged wrongdoing. That executive allegedly enticed Carter’s largest wholesale customer, Kohl’s, to buy more Carter’s products by giving the retailer larger discounts than Carter’s had budgeted, prosecutors said. He was also accused of altering the time frame when those larger discounts were reported in Carter’s earnings, making them appear to be related to sales in future quarters, causing Carter’s costs to be higher than reported. Prosecutors said Carter’s failed to report $16 million in expenses from 2006 to 2009 that had been hidden as a result of the fraud, resulting in overstatements of earnings. Source: http://www.ajc.com/business/former-carters-inc-exec-1392201.html

10. March 20, WRC 4 Washington, D.C. – (Maryland; Texas) Arrest in nuclear threat bank robberies. U.S. marshals have arrested a man suspected of robbing Maryland banks under the threat of setting off a nuclear bomb, according to Prince George’s County Police. The suspect was arrested March 19 in Donna, Texas, near the Mexican border, police said. He allegedly robbed two banks in Prince George’s County by passing a note to the teller threatening to set off a bomb if the teller did not give him the money, police said. He is at a Texas jail awaiting extradition to Maryland. Source: http://www.nbcwashington.com/news/local/Nuke-Threat-Bank-Robbery-Arrest-143589716.html

11. March 20, U.S. Department of Justice – (Nevada) Justice Department seeks to bar Las Vegas couple from preparing federal tax returns. The United States has sued a Las Vegas couple seeking to bar them from preparing federal tax returns for others, the U.S. Department of Justice announced March 20. According to the government complaint, the couple, who do business as Tax Factory Inc. and/or Myst Inc., repeatedly prepared tax returns that included false or inflated deductions for personal or business expenses to fraudulently reduce their customers’ federal income tax liabilities. Among the allegations cited in the complaint, the couple advised customers to form corporations and then claim false or grossly exaggerated deductions for purported business expenses on the corporate tax returns they prepared. The complaint said an Internal Revenue Service (IRS) investigation revealed the couple claimed refunds for customers on nearly 90 percent of the returns they prepared. The suit alleges they attempted to hide their improper return-preparation activity by repeatedly failing to identify themselves as preparers. The IRS was able to identify nearly 1,000 federal tax returns allegedly prepared by the couple since 2001. The complaint alleges the defendants’ misconduct may have cost the U.S. Department of the Treasury tens of millions of dollars. Source: http://www.justice.gov/tax/2012/txdv12346.htm

For another story, see item 31

Information Technology

28. March 22, The Register – (International) CA reveals ARCserve DDOS threat. CA Technologies found a flaw in flagship backup software ARCserve. The flaw goes back to version 10 of the product, which just reached v.16. CA said the problem “can allow a remote attacker to cause a denial of service condition” and “…occurs due to insufficient validation of certain network requests. An attacker can potentially use the vulnerability to disable network services.” Many versions of ARCserve can fix the bug with a patch, but CA’s advisory said the solution for ARCserve Backup for Windows r12.0 is to “Update to CA ARCserve Backup for Windows r16 SP1.” Source: http://www.theregister.co.uk/2012/03/22/arcserve_ddos_flaw/

29. March 22, H Security – (International) Chrome 17 update fixes high-risk vulnerabilities. Google released version 17.0.963.83 of its Chrome Web browser, a maintenance update that fixes issues with Flash games and closes several security holes. The Stable channel update addresses nine vulnerabilities, six of which are rated as “high severity.” These include an integer issue in libpng (the official PNG reference library), a memory corruption problem in WebGL canvas handling, and a cross-origin violation related to “magic iframe,” as well as use-after-free errors in first-letter handling, CSS cross-fade handling, and block splitting. One medium-risk invalid read in the V8 JavaScript engine, and two low-risk problems related to WebUI privileges and unpacked extension installation were also fixed. Source: http://www.h-online.com/security/news/item/Chrome-17-update-fixes-high-risk-vulnerabilities-1477749.html

30. March 22, IDG News Service – (International) Most web masters don’t know how their sites got hacked, report says. Most owners of compromised Web sites do not know how their sites got hacked into, and only 6 percent detect the malicious activity on their own, according to a report released March 22. The new “Compromised Websites: An Owner’s Perspective” report is based on a survey of more than 600 Web site administrators and owners that was carried out over several months by security vendor Commtouch, and StopBadware, a nonprofit organization that helps Web masters identify, remediate, and prevent Web site compromises. The leading cause of compromises appears to be outdated content management software. This was cited as a reason for Web sites being hacked by 20 percent of respondents. Twelve percent of Web masters said a computer used to update their Web site was infected with malware, 6 percent said their credentials were stolen, and 2 percent admitted logging in while using wireless networks or public PCs. However, 63 percent of respondents did not know how their Web sites were compromised. Source: http://www.computerworld.com/s/article/9225442/Most_web_masters_don_t_know_how_their_sites_got_hacked_report_says?source=rss_security&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+computerworld/s/feed/topic/17+(Computerworld+Security+News)&utm_

31. March 22, IDG News Service – (International) ‘Hacktivists’ steal more than 100M online records in 2011, says Verizon. More than half of data stolen from companies in 2011 was a result of hacktivist actions, even though the majority of data breaches were still caused by financially motivated cybercriminals, Verizon said in its 2012 Data Breach Investigations Report released March 22. The report spans 855 data breach incidents investigated by the company and several law enforcement agencies. These incidents resulted in 174 million compromised records, the second-highest volume of compromised records since Verizon began compiling data breach statistics in 2004. Up to 98 percent of data breach incidents covered by the new report were caused by external agents and the vast majority of them, 83 percent, were organized criminal groups. Hacktivists were responsible for only 3 percent of data breaches. However, they had the biggest impact in terms of compromised records, over 100 million of the 174 million. Source: http://www.computerworld.com/s/article/9225425/_Hacktivists_steal_more_than_100M_online_records_in_2011_says_Verizon?taxonomyId=17

32. March 22, V3.co.uk – (International) IBM warns hackers wising up to firms’ security policies. Hackers are adapting to the security policies firms are putting in place to steal corporate data and infiltrate systems, according to new research by IBM. The firm made the warning in its X-Force 2011 Trend and Risk Report, which explored the public vulnerability disclosure findings from over 4,000 clients. The report also warned there was a marked increase in the number of attacks targeting mobile devices and social networks. Notably, the authors reported a 19 percent rise in publicly-released mobile exploits, indicating hackers are increasingly targeting mobile devices as they grow in prominence in the work place. An X-Force strategy and threat intelligence manager said the growing bring your own device trend in many companies posed several risks by making it hard for IT staff to ensure employees’ devices are correctly patched with the latest security software, offering a potential goldmine of unsecured personal information to hackers. The report also warned attacks taking place on social media sites are increasing, with many hackers using such sites to help develop new techniques to steal data. IBM also warned that cloud computing is a major security issue, because some companies pushed the technology out without taking adequate measures to protect the stored data. Source: http://www.v3.co.uk/v3-uk/news/2162563/ibm-warns-hackers-wising-firms-security-policies

33. March 22, Threatpost – (International) Mass WordPress compromise fuels CRIDEX worm outbreak. There are many compromised sites on the popular blogging platform, WordPress, which, according to a Trend Labs report, are actively infecting users with the CRIDEX worm. The infections are part of a social engineering campaign that lures users with e-mails purporting to come from trusted sources including LinkedIn and the Better Business Bureau (BBB), Trend Labs warned. E-mails purporting to come from the BBB inform recipients of a (non-existent) complaint against the business. The e-mail includes a link to the “Complaint Report,” which leads to one of the infected WordPress sites. Phony LinkedIn e-mails pose as invitation notifications and pending messages. They include many links, all of which lead to compromised WordPress sites. According to Trend researchers, users who click the links are subject to Web-based attacks that target a vulnerability in Adobe’s Reader and Acrobat software and a common Windows Help Center vulnerability. After exploiting the vulnerabilities, attackers push copies of the Blackhole exploit kit to infect users with CRIDEX. Trend Labs reports that WORM_CRIDEX.IC is generating many random domains using domain generating algorithms. The technique is commonly used to evade law enforcement and botnet take-downs. The behavior of the sample is dependent upon the specific configuration file, which, in Trend Labs’ case, was unavailable to them. However, based on their static analysis, the malware is capable of executing and deleting files and retrieving certificates from a certificate store. Source: http://threatpost.com/en_us/blogs/mass-wordpress-compromise-fuels-cridex-worm-outbreak-032212

34. March 21, InformationWeek – (International) LulzSec announces April Fool’s end to retirement. March 17, the hacktivist group formerly known as LulzSec — affiliated with Anonymous and AntiSec — posted a video on YouTube in which they announced they will resume their attacks April 1. The video stated, “Lulzsec will start targeting governments, corporations, agencies, and quite possibly the people watching this video.” The announcement was previewed 1 day prior via the FawkesSecurity Twitter channel in a tweet that read, “Expect something BIG and rather Lulzworthy very soon. CIA, FBI, Interpol, you’re all on teh (sic) list.” March 21, tweets from the same Twitter channel promised “Anonymous will target national infrastructure” and create a “global financial meltdown” as part of what has been dubbed “Project Mayhem.” Source: http://www.informationweek.com/news/security/attacks/232602962

35. March 20, The Register – (International) Report: Feeble spam filters catch less junk mail. Enterprise spam filters are blocking less junk mail, according to independent tests from Virus Bulletin. During a comparative of 20 corporate e-mail filtering products, several missed more than twice as much spam as in previous editions of the VBSpam tests. Virus Bulletin believes the drop in performance might be down to improved tactics by spammers rather than a dip in the capabilities in the filtering products it put through their paces. “This is a worrying trend,” says VB’s anti-spam test director. “There have been many news stories highlighting a global decline in spam in recent months, but if spam filter performances decline too, the situation for the end-user doesn’t improve at all. It is hard to say what exactly caused filters to miss more spam, but it looks like spammers are doing a better job at avoiding IP- and domain-based blacklists. It may be a sign that they are increasingly using compromised legitimate systems to send their messages,” he added. Source: http://www.theregister.co.uk/2012/03/20/spam_filters_performance_dip/

For more stories, see item 7 above in the Banking and Finance Sector

Communications Sector

36. March 22, Dow Jones Newswires – (National) DOJ sues AT&T, alleging improper billing of services for hearing impaired. The U.S. Department of Justice (DOJ) said March 22 it has sued AT&T Inc. on allegations the telecommunications giant improperly billed the Federal Communications Commission (FCC) for services it provided to the hearing-impaired. The lawsuit, brought under the federal False Claims Act, is focused on AT&T’s providing of a text-based communications service that allows the hearing-impaired to place telephone calls by typing messages over the Internet. The DOJ said AT&T sought FCC reimbursement for services it provided to international callers who were ineligible for the service and sought to use it for fraudulent purposes. The government alleges AT&T received “millions” from the improper billing. Source: http://www.nasdaq.com/article/doj-sues-att-alleging-improper-billing-of-services-for-hearing-impaired-20120322-00839

For more stories, see items 32 and 35 above in the Information Technology Sector