Tuesday, May 1, 2012

Complete DHS Daily Report for May 1, 2012

Daily Report

Top Stories

• Workers used mud to plug a well in eastern Wyoming, April 27, ending a 3-day eruption of potentially explosive natural gas that forced 50 people from their homes. – Associated Press

1. April 30, Associated Press – (Wyoming) Chesapeake Energy plugs blown oil well leaking gas. Workers at a blown Chesapeake Energy Corp. oil well in eastern Wyoming took advantage of changing winds April 27 to plug the well with mud and end a powerful, 3-day eruption of potentially explosive natural gas. The blowout of methane gas happened April 24 at the drilling site 5 miles northeast of Douglas. The operation to stem the air pollution and the flow of gas — not to mention risk of an explosion that could destroy a multimillion-dollar drilling rig — took about 90 minutes, according to the supervisor of the Wyoming Oil and Gas Conservation Commission. Workers continued to pump mud down the well, which Oklahoma City-based Chesapeake Energy recently drilled more than 3 miles vertically and horizontally under the rolling prairie. The blowout first occurred April 24, pushing drilling mud to the surface. Clouds of gas blurred the horizon. Authorities issued an evacuation advisory to 67 people in homes within 2.5 miles of the well, and 50 people heeded it. Source: http://www.chem.info/News/2012/04/Safety-Chesapeake-Energy-Plugs-Blown-Oil-Well-Leaking-Gas/

• Tornadoes disabled a power station, damaged homes, and downed power lines making many roads impassable in southeastern Colorado, authorities said. – United Press International

3. April 27, United Press International – (Colorado) Tornadoes heavily damage SE Colorado. Tornadoes heavily damaged homes, disabled a power station, and downed power lines April 27 in southeastern Colorado, authorities said. The Wiley fire chief said the tornadoes were reported south of Lamar, north of Lamar, and near Chivington, but they were not confirmed, KUSA 9 Denver reported. Colorado Emergency Management officials urged people in the Lamar area to exercise caution because of downed power lines. In a statement, the agency said power was knocked out in Lamar, Eads, Chivington, Sheridan Lake, and surrounding areas. The Colorado State Patrol said in a news release tornadoes caused “severe property damage” in the Lamar area, where the power station was disabled. Gas stations in Lamar could not pump fuel, the State Patrol said, urging motorists to avoid Lamar until power was restored. Source: http://www.disasternews.net/news/article.php?articleid=4596

• Hackers stole about 40 gigabytes worth of files with data including locations of U.S. Army Reserve facilities and communication company codes, from the Lake County Sheriff’s Office in Florida. – Softpedia

40. April 28, Softpedia – (Florida) AntiSec hackers steal 40 GB of data from Lake County Sheriff’s Office. Softpedia reported April 28 a massive 40 gigabytes worth of files were stolen by Anonymous hackers operating under the AntiSec banner from the internal networks of the Lake County Sheriff’s Office (LCSO) in Florida. One of the hackers that participated in the operation told Softpedia that out of the 40 gigabytes of data, around 35 gigabytes represent forensic software and other applications used by law enforcement agencies. The other 5 gigabytes are made up of reports that detail LCSO operations such as Op Inmate Intelligence Gathering and Operation Screen Savers. The files also include corporate security IPDR reports from Sprint Nextel that show the telecoms firm hands over private data to the authorities. Phone lists that reveal financial crimes, intelligence bulletins from the FBI, communication codes, and communications equipment are all contained in the data dump. Furthermore, hackers leaked the locations of U.S. Army Reserve facilities, badge numbers, 9-1-1 calls, log-in credentials, manuals, and official bulletins from the Department of Justice. Source: http://news.softpedia.com/news/AntiSec-Hackers-Leak-40-GB-of-Data-from-Lake-County-Sheriff-s-Office-266784.shtml

• Mission-critical routers used to control critical infrastructure are being updated by the manufacturer, RuggedCom, to remove a backdoor that can allow malicious actors to hijack the devices. – Ars Technica. See item 48 below in the Information Technology Sector.

• St. Louis officials were expected to more closely scrutinize large tents commonly set up near downtown stadiums after one collapsed in high winds, killing one person and injuring dozens of others. – Associated Press

53. April 30, Associated Press – (Missouri) St. Louis tent collapse raises safety questions. St. Louis officials are expected to more closely scrutinize the large tents commonly set up near downtown stadiums after one of the temporary structures collapsed in high winds April 28, resulting in the death of an Illinois man and dozens of injuries after a baseball game. A spokesman for the city’s mayor said it was unclear if adequate regulations were in place and being followed or if the disaster was simply the result of people not paying attention to severe weather warnings. The fast-moving storm ripped a large beer tent at Kilroy’s Sports Bar from its moorings and sent it and debris hurtling through the air about 80 minutes after the end of a St. Louis Cardinals Major League Baseball game. Seventeen people in the tent were taken to hospitals, and up to 100 of the 200 gathered were treated at the scene, which was near Busch Stadium. Source: http://www.weather.com/outlook/weather-news/news/articles/st-louis-tent-collapse_2012-04-28

Details

Banking and Finance Sector

5. April 30, Help Net Security – (International) Phishing email targets Santander clients. Customers of Santander, one of the largest banking groups in the world, are currently being targeted with a phishing e-mail masquerading as a bogus notification of a scheduled software upgrade. According to Hoax-Slayer, the offered link takes users to a spoofed Santander online banking Web site, where they are asked to enter their ID, passcode, customer PIN, mobile number, landline number, and date of birth. Having done that, the site requests users to set up three security questions and answers, which are then misused by the phishers to gain access to the users’ account. In the end, users are redirected to the legitimate Web site of Santander’s United Kingdom branch in order to maintain the illusion that nothing out of the ordinary happened. Source: http://www.net-security.org/secworld.php?id=12834

6. April 28, Associated Press – (Pennsylvania; Arizona) Six men charged in alleged $10 million finance scam. Federal grand jurors in Philadelphia indicted six businessmen on charges they defrauded hundreds of hopeful entrepreneurs out of millions of dollars. The indictment made public April 27 alleged the men associated with Remington Financial Group bilked at least 800 people seeking funds for commercial ventures. According to the grand jury, victims paid thousands of dollars in up-front fees to Remington based on false representations that the company found investors for their projects. Prosecutors said victims collectively lost more than $10 million between 2005 and 2011. The company, which was later renamed Remington Capital, had offices in Arizona and Pennsylvania. Remington’s founder was listed among the defendants. He faces charges including fraud and money laundering. Source: http://www.whptv.com/news/local/story/Six-men-charged-in-alleged-10-million-finance-scam/zuCilQFnPU61g-cW3pmDEw.cspx

7. April 27, Chicago Tribune – (Illinois) 6 charged in skimming scheme at restaurants, Wrigley Field. Six people were accused of stealing bank information from patrons at Chicago restaurants and Wrigley Field, then running up more than $200,000 in purchases on phony cards, the Chicago Tribune reported April 27. A man allegedly paid employees to skim credit card information by using a credit card reader he provided, according to the State attorney general’s office. The employees would swipe the cards and the man would create counterfeit cards to charge up thousands of dollars in purchases, the office said. The employees worked at Wrigley Field, RL Restaurant, Taco Bell, and McDonald’s, officials said. Two defendants were charged with using the phony cards to make illegal purchases, officials said. The suspects, all from Chicago, were each charged with one count of conspiracy to commit a financial crime. Four defendants were also charged with continuing a financial crimes enterprise. Three defendants face an additional identity theft charge. Officials said the bank accounts that were compromised include Chase, U.S. Bank, Citibank, Harris Bank, American Express, Bank of America, and Fifth Third Bank. Source: http://articles.chicagotribune.com/2012-04-27/news/chi-6-charged-in-skimming-scheme-at-wrigley-and-chicago-restaurants-20120427_1_credit-card-wrigley-field-counterfeit-cards

8. April 27, WEWS 5 Cleveland – (National) New email claims to be from FDIC, threatens users’ confidential and personal data. A fraudulent e-mail offering cash in return for survey information could obtain access to personal and confidential data, WEWS 5 Cleveland reported April 27. The Federal Deposit Insurance Corporation (FDIC) issued a warning to computer users that it received numerous reports of fraudulent e-mails that have the appearance of having been sent by the FDIC. The e-mail contains a subject line “Survey Code: STJSPNUPUT.” It reads “you have been chosen by the FDIC to take part in our quick and easy 5 question survey. In response, will credit $100 dollars to your account just for your time.” The FDIC is warning consumers not to click on the link provided in the e-mail, as it is intended to obtain personal information or load malicious software onto users’ computers. The FDIC reminds consumers that it does not send unsolicited e-mail to consumers or business account holders. Source: http://www.newsnet5.com/dpp/news/local_news/investigations/new-email-claims-to-be-from-fdic-threatens-users-confidential-and-personal-data

Information Technology

44. April 30, Computerworld – (International) Down but not out: Conficker camouflages new Windows infections. Windows PCs infected with Conficker are more likely to be compromised by other malware because the worm masks secondary infections and makes those machines easier to exploit, a security expert found. That is the biggest reason why Conficker, although crippled and seemingly abandoned by its makers, remains a threat and should be eradicated, a senior technologist at Neustar and a cybersecurity adviser to the White House said. Neustar is an information and analytics provider, and one of the corporate members of the Conficker Working Group (CWG), which has been “sinkholing” the Conficker botnet for more than 2 years. The week of April 23, Microsoft said Conficker infected, or tried to infect, 1.7 million Windows PCs in 2011’s fourth quarter. Microsoft called on users to strengthen passwords to stymie the malware. Conficker provides the cover the researcher spoke about because of two defensive tactics designed to keep it alive: the worm disables most antivirus software, including Microsoft’s Windows Defender and Security Essentials, and switches off Windows’ Automatic Updates, the service used by virtually all Windows users to keep their PCs patched. It also blocks access to security product Web sites — preventing signature updates for antivirus software — and to the Windows Update Web site. Without antivirus software, Conficker-infected systems are unlikely to detect and deflect other malware. If Automatic Updates is disabled, the machine will not receive any new security patches from Microsoft, leaving it open to attack by new threats that exploit those underlying vulnerabilities. Source: http://www.computerworld.com/s/article/9226697/Down_but_not_out_Conficker_camouflages_new_Windows_infections?source=rss_security&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+computerworld/s/feed/topic/17+(Computerworld+Security+News)&utm_conte
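The two tactics the report attributes to Conficker (Automatic Updates switched off, antivirus disabled, security and Windows Update sites unreachable) are the things a defender would verify on a suspect host. The PowerShell check below is an added example, not code from the Computerworld article or the Conficker Working Group; the service names, the vendor domain list, and the hosts-file path are assumptions.

```powershell
# Added example: look for the camouflage conditions the report describes.
# Service names, domains and hosts-file path are assumptions, not from the report.

# Windows Update plus the two Microsoft antivirus products the report names.
$services = @{
    'wuauserv'  = 'Automatic Updates / Windows Update'
    'WinDefend' = 'Windows Defender'
    'MsMpSvc'   = 'Microsoft Security Essentials'
}

$findings = @()

foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        $findings += "service $name ($($services[$name])) not present"
    } elseif ($svc.Status -ne 'Running') {
        $findings += "service $name ($($services[$name])) is $($svc.Status)"
    }
}

# Sites the report says infected hosts cannot reach; the concrete list is assumed.
$domains = @('windowsupdate.microsoft.com', 'update.microsoft.com',
             'www.microsoft.com', 'www.symantec.com', 'www.mcafee.com')

# 1) hosts-file overrides that would silently redirect those names
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLines = Get-Content -Path $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() -ne '' }
foreach ($line in $hostsLines) {
    foreach ($d in $domains) {
        if ($line -match [regex]::Escape($d)) {
            $findings += "hosts file overrides $d : $line"
        }
    }
}

# 2) name-resolution failures for the same names (symptom of blocked access)
foreach ($d in $domains) {
    try {
        [System.Net.Dns]::GetHostAddresses($d) | Out-Null
    } catch {
        $findings += "DNS lookup for $d failed: $($_.Exception.Message)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Conficker-style camouflage indicators found.'
} else {
    Write-Output 'Indicators found (a stopped updater or AV is the cover the report describes):'
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

A clean result does not prove the host is uninfected; it only rules out the specific conditions the report lists, so treat any hit as a prompt to scan from known-good media.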

45. April 30, Help Net Security – (International) Gamex trojan threatens Android users. A new Android trojan that paves the way for the download of other applications has been spotted on third-party Web sites, camouflaged as legitimate file managing, ad blocking, and performance boosting apps. According to Lookout researchers, the Gamex trojan’s functionality is split across three components. Once the downloaded app repackaged with the trojan is granted root access by the user, the malware takes advantage of this permission to install another app onto the device, which then functions as a privileged installation service. “A third component communicates with a remote server, downloads apps, and triggers their installation. Gamex also reports the installation of these applications, along with the IMEI and IMSI, to a remote server,” researchers explained. “We believe that this information is used to operate and/or report installations to a malicious affiliate app promotion network.” Source: http://www.net-security.org/malware_news.php?id=2086&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader

46. April 30, Softpedia – (International) Cybercriminals control Android TigerBot via SMS. At the beginning of April, security researchers found a number of Chinese Android stores were pushing applications that masked a piece of malware called TigerBot (ANDROIDOS_TIGERBOT.EVL). Also known as Spyera, the malicious element was analyzed by Trend Micro experts. They discovered the malware was controlled by its masters via SMS or phone calls, being capable of performing a number of tasks, including call recording and GPS tracking. The list of commands accepted by TigerBot includes DEBUG, CHANGE_IAP, PROCESS_LIST_ADD, PROCESS_LIST_DELETE, ACTIVE, and DEACTIVE. Source: http://news.softpedia.com/news/Cybercriminals-Control-Android-TigerBot-Via-SMS-267066.shtml

47. April 29, Computerworld – (International) Snow Leopard users most prone to Flashback infection. Of the Macs infected by the Flashback malware, nearly two-thirds are running OS X 10.6, known as Snow Leopard, a Russian antivirus company said April 27. Doctor Web, which earlier in April was the first to report the largest-ever malware attack against Apple Macs, mined data it intercepted from compromised computers to develop its findings. The company, along with other security vendors, has been “sinkholing” select command-and-control domains used by the Flashback botnet — hijacking them before the hackers could use the domains to issue orders or update attack code — to estimate the botnet’s size and disrupt its operation. April 27, Doctor Web published an analysis of communications between 95,000 Flashback-infected Macs and the sinkholed domains. Those communication attempts took place April 13. Flashback uses a critical vulnerability in Java to worm its way onto Macs. Although Apple, which continues to maintain Java for its OS X users, patched the bug in early April, it did so 7 weeks after Oracle disclosed the flaw when it shipped Java updates for Windows and Linux. Sixty-three percent of Flashback-infected machines identified themselves as running OS X 10.6, or Snow Leopard, the newest version of Apple’s operating system that comes with Java. Snow Leopard accounted for the largest share of OS X in March, according to metrics company Net Applications, making it the prime target of Flashback. Source: http://www.computerworld.com/s/article/9226696/Snow_Leopard_users_most_prone_to_Flashback_infection?source=rss_security&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+computerworld/s/feed/topic/17+(Computerworld+Security+News)&utm_content=Google

48. April 28, Ars Technica – (International) Backdoor that threatens power stations to be purged from control system. Mission-critical routers used to control electric substations and other critical infrastructure are being updated to remove a previously undocumented backdoor that could allow vandals to hijack the devices, manufacturer RuggedCom said April 27. The announcement by the Ontario, Canada-based company comes 2 days after Ars Technica reported the company’s entire line of devices running its Rugged Operating System contained a backdoor with an easily determined password. The backdoor, which cannot be disabled, had not been publicly acknowledged by the company until now, leaving the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear vulnerable to sabotage that could affect the safety of huge populations of people. Source: http://arstechnica.com/business/news/2012/04/backdoor-that-threated-power-stations-to-be-purged-from-control-system.ars

For more stories, see items 5 and 8 above in the Banking and Finance Sector and 49, 50, and 52 below in the Communications Sector

Communications Sector

49. April 29, WHAM 13 Rochester – (New York) Time Warner Cable service restored in Rochester area. Time Warner Cable restored service to customers in the Rochester, New York area after an extended outage April 29. A representative with Time Warner Cable said Internet and television services were back on as of 3 p.m. An equipment failure around 8 a.m. knocked out service to the area. Some businesses and restaurants reported having trouble running credit cards as a result of the outage. Source: http://www.13wham.com/news/local/story/Time-Warner-Cable-Service-Restored-In-Rochester/emg55cuyzEqo1N0lxy8Uew.cspx

50. April 29, Columbia State – (South Carolina) Time Warner Cable crashes Sunday afternoon; Columbia customers affected. Thousands of Time Warner Cable television, telephone, and Internet customers in the Columbia, South Carolina area lost their connections for more than an hour April 29, a spokeswoman said. A large power outage of unknown origin took place at one of Time Warner Cable’s main stations that feeds the Columbia area. “Typically, our backup power switches on and this isn’t an issue,” the spokeswoman said. “But in this case, when it switched on, we experienced a glitch, and it just took the services down.” All Time Warner services — basic cable, digital cable, digital telephone, and high-speed Internet — were interrupted, she said. Source: http://www.thestate.com/2012/04/29/2256023/time-warner-cable-crashes-sunday.html

51. April 27, LaSalle News Tribune – (Illinois) Electrical fire sets back Catholic radio station. An electrical fire knocked an Illinois religious radio station off the airwaves April 27. Standard Fire Department was called to a grass fire, the chief said. Firefighters from Standard and Cedar Point did not see signs of fire near the farmhouse at the given address but eventually located hot spots below a radio tower. A fire began sometime overnight within an insulated metal building containing electrical equipment for the tower, the chief said. The building was already nearly burnt out by the time firefighters arrived. A dry chemical was used on the building to suppress hot spots to protect any electronics that were still functional, the chief explained, but water was used to extinguish any burning grass and wood. The tower is owned by Nexstar and leased by WSOG 88.1 FM Spring Valley, a listener-supported Catholic radio station. The station’s Web site reported it would be off the air for the “foreseeable future,” but an online stream was still available, the station’s operations manager said. He said he hoped to be back on the air in a few weeks, but it could take a few months to replace the equipment. The fire chief said the fire could have resulted from an electrical short or from an animal chewing on wires. Source: http://newstrib.com/main.asp?SectionID=2&SubSectionID=27&ArticleID=18962

52. April 27, Youngstown Vindicator – (Ohio) Thieves disrupt telephone and Internet service to hundreds in Warren today. The theft of two 60-foot cables strung on utility poles disrupted telephone and Internet service to up to 500 businesses and residents in the northwest quadrant of Warren, Ohio, for much of April 27. A CenturyLink representative contacted the Warren Police Department about the theft, saying it occurred sometime overnight. The cost to replace the cables, which were 1.5 to 2 inches in diameter, will be about $10,000, officials estimated. Because of the cost of the cable, the theft was entered into the report as felony theft, and because of the effect on customers, it was also entered as a disruption of public services. Source: http://www.vindy.com/news/2012/apr/27/thieves-disrupt-telephone-and-internet-service-hun/?nw

For more stories, see items 45 and 46 above in the Information Technology Sector