Thursday, May 3, 2012

Complete DHS Daily Report for May 3, 2012

Daily Report

Top Stories

• A plant in Canadian, Texas, that processes about 80 million cubic feet of natural gas daily closed after a fire and explosion. It was not known May 1 when the plant would reopen. – Associated Press

1. May 1, Associated Press – (Texas) Nobody hurt in Texas Panhandle gas plant explosion. A fire linked to an explosion that closed a natural gas processing plant in Canadian, Texas, burned itself out. May 1, a spokesman for Eagle Rock Energy Partners L.P. said nobody was hurt in the accident at the Phoenix-Arrington Ranch plant. He said about a dozen contract workers and employees of Houston-based Eagle Rock were at the plant when the explosion happened. A company investigative team will try to determine what caused the blast. The damage is in the inlet header system, or the main receipt point for raw natural gas. There were no further details May 1 on damage or when the plant will reopen. The unit processes about 80 million cubic feet of natural gas daily. Source:

• Officials arrested a man in Portland Oregon, suspected of soliciting more than $100 million in bogus donations from people in 41 states. – Cleveland Plain Dealer See item 11 below in the Banking and Finance Sector

• A big rig carrying highly explosive chemicals overturned May 2 near Winnie, Texas, prompting an evacuation of some residents and the closure of a major highway. – KHOU 11 Houston; KFDM 6 Beaumont

16. May 2, KHOU 11 Houston; KFDM 6 Beaumont – (Texas) I-10 closed in both directions after big rig carrying explosive chemicals overturns. A big rig carrying highly explosive chemicals overturned May 2, prompting an evacuation of some residents in Winnie, Texas. The tank ruptured, causing methanol alcohol to leak from the trailer after it flipped ab out 10 miles west of Beaumont. Two compartments ruptured on the fully-loaded tanker, causing 1,500 gallons of methanol alcohol to leak from the trailer. The dangerous chemical – which is an irritant to the eyes, lungs and skin — can cause breathing problems. A shelter-in-place for nearby Hampshire Fannett High School was issued, and residents within a 2-mile area of the accident site were asked to evacuate. Both directions of I-10 were shut down for most of the day until HAZMAT crews could clear the scene. According to KFDM 6 Beaumont, the truck driver was transported to a hospital. Source:

• A New York City man was convicted of plotting with two of his former high school classmates to strap on bombs and blow themselves up at rush hour on Manhattan subway lines. – Associated Press

18. May 1, Associated Press – (New York) NYC man convicted in thwarted subway bomb plot. A man was convicted May 1 of plotting an aborted suicide mission against New York City subways in 2009 — a case that featured the first-time testimony from admitted homegrown terrorists about al-Qa’ida’s fixation with pulling off another attack on American soil. A jury found the man guilty of all counts for his role in the terror plot. The government’s case was built on the testimony of four men: two other men from Queens who pleaded guilty in the subway plot, a British would-be shoe bomber, and a man originally from Long Island who gave al-Qa’ida pointers on how best to attack a Walmart store. Both were former high school classmates of the convicted man and told jurors the scheme unfolded after the trio traveled to Pakistan in 2008. They were encouraged to return home for a suicide-bombing mission intended to spread panic and cripple the economy. Among the targets considered were the New York Stock Exchange, Times Square, and Grand Central Terminal, the men testified. In a later meeting, the plotters decided to strap on bombs and blow themselves up at rush hour on Manhattan subway lines. Source:

• The April freeze that destroyed countless apple blooms will easily cost growers in western North Carolina millions in lost fruit, officials said. – Asheville Citizen-Times

25. May 1, Asheville Citizen-Times – (North Carolina) Apple crop freeze will cost Henderson County growers millions. The April freeze that destroyed countless apple blooms will easily cost growers in western North Carolina millions of dollars in lost fruit, the Asheville Citizen-Times reported May 1. Experts do not want to put an exact percentage on the crop loss, but some growers said it could approach 50 percent. Henderson County is the state’s top apple-producing county, with 5,000 acres in orchards that typically produce a crop worth about $24 million. An unusually warm March spurred trees to bloom early, leaving them susceptible to the freeze. The director of the Henderson County office of the N.C. Cooperative Extension Service said he is “leery of giving a percentage” of the overall loss but termed it “substantial.” The losses will easily reach into the millions of dollars, he said. “Some growers don’t have any fruit, some growers have got some fruit, and in some blocks there’s a full crop,” he said, adding that all growers were touched by the freeze at least somewhat. “We had a few growers who used overhead irrigation system for frost protection, and that did help.” The county also has about 150 acres of blackberries, typically grown by apple farmers, and they were “hit hard” too, the director said. Source:


Banking and Finance Sector

11. May 2, Cleveland Plain Dealer – (Ohio; National) Man accused of running fake U.S. Navy veterans charity arrested. A man who once conferred with Washington, D.C.’s political elite on behalf of a bogus veterans’ charity was arrested April 30 in Portland, Oregon, by U.S. marshals from northern Ohio. He collected millions of dollars that authorities said he fleeced from donors to the U.S. Navy Veterans Association. He disappeared in 2010 when investigators first started closing in. His real name is still unknown. Members of the task force tracked the man as he traveled to at least eight states. Late May 1, a judge in Portland ordered the man sent to Cuyahoga County, Ohio, where he was first indicted, a U.S. marshal said. The man is charged with fraud, aggravated theft, corrupt activity, identity theft, and money laundering. The Ohio attorney general said the man solicited donations in 41 states. Reported estimates of those donations reached upwards of $100 million. The Ohio attorney general said the man collected nearly $2 million from Ohioans from 2005 to 2010. Authorities said he ran the charity out of Tampa, Florida, listing fictitious officers of state chapters with false addresses and fake testimonials and used a string of bank accounts and rented mailboxes. The woman who handled Ohio donations for the charity pleaded guilty to theft and other charges in June 2011. Source:

12. May 1, Associated Press – (North Dakota) Defendants agree to plea deal in N.D. bank fraud case. A former North Dakota bank vice president and her husband signed plea agreements in a scheme to bilk hundreds of thousands of dollars from trust accounts, the Associated Press reported May 1. Court documents accused the former vice president of defrauding Bank of the West customers out of nearly $800,000 while she was working as a trust officer. The woman and her husband are facing federal charges of conspiracy to commit bank fraud. The plea agreement in the criminal case calls for Bank of the West to be paid back $790,893. The fraud dates back to 2001, according to court documents. Source:

13. May 1, Dow Jones Newswires – (Puerto Rico; National) UBS Puerto Rico unit to pay $26.6 million to settle fraud charges. UBS AG’s Puerto Rico unit agreed to pay $26.6 million to settle fraud charges leveled by the U.S. Securities and Exchange Commission (SEC) against the financial services unit and two of its executives, Dow Jones Newswires reported May 1. The vice chairman and former chief executive as well as the head of capital markets for UBS Financial Services Inc. of Puerto Rico was previously accused of misleading investors, concealing a liquidity crisis, and masking control of the secondary market for 23 proprietary closed-end mutual funds. A UBS spokeswoman said in a statement UBS estimated any realized losses incurred by investors who bought fund shares through UBS during the 2008-09 period and sold them were less than $5 million. As of March 31, the aggregate market capitalization of the funds was almost $5 billion, she said. Source:

14. May 1, KABC 7 Los Angeles – (California) ‘Explosives Threat Bandit’ arrested. The FBI arrested the so-called “Explosives Threat Bandit,” suspected in a string of bank robberies in the West Covina and West Hollywood, California areas. He was arrested by the Los Angeles Police Department (LAPD) and charged in an eight-count indictment returned by a federal grand jury May 1. In each case, the suspect left a fake bomb behind and threatened to blow the bank up. After every robbery, a bomb squad rendered the device safe. The arrest was the culmination of a joint investigation with Santa Monica Police, the Los Angeles Sheriff’s Department, the LAPD, Baldwin Park Police, and El Monte Police. Source:

Information Technology

38. May 2, H Security – (International) Firefox add-on exposes visited URLs. A Sophos researcher reported that the ShowIP add-on for Mozilla’s Firefox browser sends the URLs of visited Web pages to a Web service called in unencrypted form. Apparently, the browser extension does not restrict this behavior to the normal browsing mode — it also transmits URLs accessed via HTTPS and any sites visited while in “Private Browsing” mode. ShowIP displays the IP addresses (IPv4/IPv6) of the current Web page in the browser’s status bar and gives access to querying services. The extension is particularly popular with network administrators and developers; according to Mozilla, the add-on has been installed by nearly 170,000 Firefox users. The described behavior was first observed in version 1.3 of the GPLv2-licensed add-on, which was published April 19, and remains in newer releases. Many users complained about the privacy violation on Mozilla’s add-on page; the ShowIP Dev Team, the developer of the add-on, responded by explaining that the add-on sends the URL to the server “to access the ip2location database” and promised HTTPS will be added as soon as possible. Mozilla responded by rolling back the available version of ShowIP on the Mozilla Add-ons site to version 1.0, and said it is working with the developer to address the issues. Source:

39. May 2, IDG News Service – (International) Microsoft detects new malware targeting Apple computers. Microsoft detected a new piece of malware targeting Apple OS X computers that exploits a vulnerability in the Office productivity suite patched nearly 3 years ago. The malware is not widespread, a researcher from Microsoft’s Malware Protection Center said. However, the malware shows hackers pay attention to people not applying patches when fixes are released, which puts their computers at a higher risk of becoming infected. The security update Microsoft released in June 2009, MS09-027, addressed two vulnerabilities that could be used by an attacker to gain remote control over a machine and run other code. Both vulnerabilities could be exploited with a specially-crafted Word document. The exploit discovered by Microsoft does not work with OS X Lion, but does work with Snow Leopard and prior versions. The researcher said it is likely attackers have knowledge about the computers they are attacking, such as the victim’s operating system version and patch levels. The malware delivered by the exploit is written specifically for OS X and is essentially a “backdoor,” or a tool that allows for remote control of a computer. Microsoft advised those who use Microsoft Office 2004 or 2008 for Mac or the Open XML File Format Converter for Mac to ensure those products applied the patch. Source:

40. May 2, H Security – (International) Oracle makes SSL use in database clusters free. A recent exposure of a vulnerability in current Oracle databases made Oracle issue a new advisory and offer SSL support to particular customers for free. The vulnerability allows an attacker to listen in on database queries and has no appropriate patches. An Oracle blog post provides the background to why the company issued the new advisory — Oracle Security Alert for CVE-2012-1675 directs customers to two support notes, one for customers without Oracle Real Application Clusters (RAC) and one for those with Oracle RAC. For those without RAC, Oracle recommends limiting registration of new listeners to the local node and IPC protocols; instructions are provided in the Oracle Support note “Using Class of Secure Transport (COST) to Restrict Instance Registration.” For those with RAC or Exadata, the problem is more complex and the use of COST in those situations also means the use of SSL/TLS Encryption as detailed in the support note. The issue was SSL/TLS encryption was sold at extra cost as Oracle Advanced Security. However, Oracle has now updated its licensing so customers can use the SSL/TLS mechanisms to protect themselves against the vulnerability. With the change in licensing and the availability of an effective workaround, it is unlikely Oracle will be producing a patch for its databases in the near future. Oracle is, however, emphatic that users should fix the problem. The advisory indicates the problem affects Oracle Database 11gR2 and, 11gR1, and 10g,, and Users of Oracle Fusion Middleware, Enterprise Manager, or E-Business Suite should also be aware of the issue as these products include the vulnerable Oracle Database software. Source:

41. May 1, Infosecurity – (International) Trusteer finds new ransomware variant. Ransomware is malware that locks-up computers and demands payment for their release. A common ruse is to pretend the malware is actually a “seizure” by law enforcement agencies. Trusteer recently discovered a new variant. Using the Citadel malware platform — a descendant of the Zeus trojan — the new malware is called Reveton and claims to have come from the U.S. Department of Justice. It locks the computer and displays a warning screen claiming the IP address of the computer was detected accessing child pornography sites. A fine of $100 is payable. It advises how the payment should be made in order to unlock the computer. Source:

42. May 1, Krebs on Security – (International) Service automates boobytrapping of hacked sites. One aspect of hacks seldom examined is the method by which attackers automate the booby-trapping and maintenance of their hijacked sites. This is another aspect of the cybercriminal economy that can be outsourced to third-party services. Often known as “iFramers,” such services can simplify the task of managing large numbers of hacked sites that are used to drive traffic to sites that distribute malware and browser exploits. A decent iFramer service will allow customers to verify large lists of file transfer protocol (FTP) credentials used to administer hacked Web sites, scrubbing lists of invalid credential pairs. The service will then upload the customer’s malware and malicious scripts to the hacked site, and check each link to ensure the trap is properly set. Currently, a huge percentage of malware in the wild has the built-in ability to steal FTP credentials from infected PCs. This is possible because those who administer Web sites often use FTP software to upload files and images, and allow those programs to store their FTP passwords. Thus, many modern malware variants will simply search for popular FTP programs on the victim’s system and extract any stored credentials. Some services offer a menu of extras to help customers maintain their Web-based minefields. Source:

43. April 30, Threatpost – (International) New Flashback variant using Twitter as backup C&C channel. The latest version of the Flashback malware infecting Macs has a new command-and-control (C&C) infrastructure that uses Twitter as a fallback mechanism in the event the normal C&C system is not available. This version of Flashback, which infects Macs through exploitation of Java vulnerabilities, has the ability to communicate with two separate tiers of C&C servers. The first type is used as a relay for redirecting traffic from compromised machines. Those servers allow the attackers behind the Flashback botnet to hijack Web search traffic and push it to servers they control. The second tier is used to send commands to infected machines to perform specific actions on Macs. Analysts at Dr. Web, a Russian security firm, found that when infected Macs connect to the second type of C&C server, if they do not receive a correctly formatted reply, they will perform a search on Twitter for a specially formatted string. Source:

44. April 30, SecurityWeek – (International) Attackers place command and control servers inside enterprise walls. Skilled attackers are burrowing their command and control (C&C) servers inside the networks of compromised businesses to circumvent security measures, according to a security expert familiar with the innovative new attack method. Trend Micro observed dozens of incidents where these tactics were used. In many cases, the compromised servers being used for C&C were compromised in previous attacks and hackers were able to maintain access, the researcher said. The technique helps attackers remain stealthy as they exfiltrate data, as very little C&C traffic leaves the network. Also, the cyber criminals that conduct these types of attacks were seen applying software patches to the compromised systems to ensure other attackers are kept out and the systems are not potentially red-flagged. Source:

For another story, see item 45 below in the Communications Sector

Communications Sector

45. May 1, Baxter Bulletin – (Arkansas) Internet outage repaired. An Internet outage affecting Internet users and long-distance telephone service was reported statewide in Arkansas May 1, according to a CenturyLink official. An equipment failure at Hardy caused an Internet interruption in the Twin Lake Area. It initially was reported as a “severe” outage, which disrupted service. A spokesman for CenturyLink said workers were able to locate the problem, repair it, test the repair, and restore service in 33 minutes. Source:

For another story, see item 43 above in the Information Technology Sector