Wednesday, May 23, 2012

Complete DHS Daily Report for May 23, 2012

Daily Report

Top Stories

• More than 500 fires sparked at a chemical plant in Port Allen, Louisiana, May 21 forcing the evacuation of about 250 people and closing roads for miles. – WAFB 9 Baton Rouge

8. May 22, WAFB 9 Baton Rouge – (Louisiana) Plant fire out, crews begin inspecting and removing cylinders. Most of the 500 or more fires that sparked May 21 at a chemical plant in Port Allen, Louisiana, were out. The fires forced the evacuation of about 250 people and closed roads for miles. Workers returned to the scene May 22 and assessed the condition of the cylinders containing acetylene, a highly flammable gas used mainly for welding, at the Air Liquide plant. They were forced to call off the assessment May 21 because of safety concerns. A Louisiana State Police captain said only three fires were still burning May 22. However, the plant remained closed. The captain said crews would first move all unaffected cylinders away from the site of the fire. Workers then would evaluate all of the cylinders that were burned to ensure their stability. Once a cylinder is deemed stable, it will be removed. The captain said there are about 1,000 total cylinders and hundreds were affected by the fire. U.S. 190, which closed down when the fire ignited May 21, remained closed in both directions at LA 983 May 22. Troopers said the highway was not expected to re-open until late May 22 at the earliest. People in homes and businesses evacuated within a 1-mile-wide radius had not been allowed to return as of late the morning of May 22. The evacuation forced some to flee to one of the two community centers being used as shelters in Erwinville and Port Allen. Source:

• The U.S. Securities and Exchange Commission charged two individuals who provided the biggest influx of investor funds into a more than $157 million Ponzi scheme run out of Florida. – U.S. Securities and Exchange Commission See item 13 below in the Banking and Finance Sector

• The U.S. government filed three lawsuits against large banks seeking about $92 million in restitution for losses on soured mortgage debt purchased by two small Illinois banks that failed in 2009. – Reuters See item 15 below in the Banking and Finance Sector

• About 30 or so people were forced to abandon their cars and walk out of a tunnel near the Capitol in Washington, D.C. after a big, empty bus being used by the military exploded. – WUSA 9 Washington, D.C.

22. May 21, WUSA 9 Washington, D.C. – (Washington, D.C.) Bus fire fills 3rd St Tunnel with smoke, drivers have to abandon cars. A big, empty yellow school bus being used by the military exploded in flames May 21 in the 3rd Street Tunnel by the Capitol in Washington, D.C. The bus was hooked to a tow truck and started burning in the tunnel, with dozens of cars trapped in the tunnel with it. Three Capitol Police officers who inhaled a ton of smoke were all released from the hospital. The police ordered 30 or so people out of their cars and up the ramp. “We could not advance, smoke was into the car. The bus could explode any moment,” said a driver who was stuck. Police finally let the drivers back down to get their cars. After a few hours cleaning up the mess, the District of Columbia Department of Transportation finally re-opened the tunnel. Source:

• Malware writers used Crossrider, a cross-browser extension development framework, to build a click-fraud worm that spreads on Facebook, Kaspersky Lab researchers said. – IDG News Service See item 42 below in the Information Technology Sector

• A researcher devised a method that attackers could use to clone a software token that about 40 million people use to access confidential data belonging to government agencies, military contractors, and corporations. – Ars Technica See item 43 below in the Information Technology Sector

• Computer scientists identified a vulnerability in the network of AT&T and at least 47 other cellular carriers that allows attackers to surreptitiously hijack the Internet connections of smartphone users and inject malicious content into the traffic passing between them and trusted Web sites. – Ars Technica See item 44 below in the Information Technology Sector

• Fires in rugged, mountainous areas of Arizona, New Mexico, and Colorado, forced the evacuation of several small towns and torched more than 65 square miles of forest, brush, and grass. – Reuters

53. May 21, Reuters – (Arizona; Colorado; New Mexico) Crews gain upper hand battling wildfires in southwest. Fires in rugged, mountainous areas of Arizona, New Mexico, and Colorado forced the evacuation of several small towns and torched more than 65 square miles of forest, brush, and grass in the U.S. southwest, Reuters reported May 21. More than 1,100 firefighters in Arizona made progress against the Gladiator Fire, which charred about 22 square miles of ponderosa pine and brush some 40 miles north of Phoenix. Crews battling the 25-square-mile Sunflower Fire in Arizona succeeded in reinforcing control lines May 21, although authorities cautioned that dead trees burning sporadically in the remote, rugged Tonto National Forest could lead to long-term fire operations and smoke in nearby communities. In New Mexico, crews said two lightning-caused fires in the Gila Wilderness grew gradually overnight May 20. The Baldy Fire and Whitewater Fire have together consumed over 6 square miles of steep, rugged terrain in mixed conifer. In Colorado, crews had the 12-square-mile Hewlett Fire burning in the Roosevelt National Forest almost completely contained, fire officials said May 21. Source:


Banking and Finance Sector

13. May 22, U.S. Securities and Exchange Commission – (Florida) SEC charges two feeders for one of south Florida’s largest-ever Ponzi schemes. The U.S. Securities and Exchange Commission (SEC) May 22 charged two individuals who provided the biggest influx of investor funds into one of the largest-ever Ponzi schemes in south Florida. The SEC alleges the 2 men raised more than $157 million from 173 investors in less than 2 years by issuing promissory notes from a company owned by one of the men, and interests in a private investment fund they operated. They used investor funds to purchase discounted legal settlements from a former Florida attorney through his law firm Rothstein, Rosenfeldt, and Adler PA. However, the settlements the attorney sold were not real and the supposed plaintiffs and defendants did not exist; the attorney simply used the funds in a Ponzi scheme. The scheme collapsed in October 2009, and its leader is currently serving a 50-year prison sentence. The SEC alleges the two men misrepresented to investors that they had procedural safeguards in place to protect investor money when in fact they often purchased settlements without first seeing any legal documents or doing anything to verify the settlement proceeds were actually in the firm’s bank accounts. Moreover, as the Ponzi scheme was collapsing, the pair sought new investor money while falsely touting the continued success of their strategy. The SEC’s complaint seeks disgorgement of ill-gotten gains, financial penalties, and permanent injunctive relief against the men to enjoin them from future violations of federal securities law. Source:

14. May 22, Help Net Security – (International) Trojan stealing money in German online banking scam. Trusteer came across a complex new criminal scheme involving the Tatanga trojan that conducts an elaborate Man in the Browser (MitB) attack to bypass SMS-based transaction authorization to commit online banking fraud. The scam targets online banking customers of several German banks. When the victim logs on to the online banking application, Tatanga uses a MitB webinject that alleges the bank is performing a security check on their computer and on their ability to receive a Transaction Authorization Number (TAN) on their mobile device. In the background, Tatanga initiates a fraudulent money transfer to a mule account. It even checks the victim’s account balance and will transfer funds from the account with the highest balance if there is more than one to choose from. The victim is asked to enter the SMS-delivered TAN they receive from the bank into the fake Web form as a way to complete the security process. By entering the TAN in the injected HTML page, the victim is approving the fake transaction originated by Tatanga. Once the victim enters the TAN in the fake form and hits submit, the funds are transferred to the fraudster’s account. Meanwhile, Tatanga modifies the account balance reports in the online banking application to hide the fake transaction. Source:
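Added example (not Trusteer's or the report's code): a minimal model of the SMS-TAN exchange that Tatanga abuses, showing why an SMS that carries only the code leaves the customer nothing to compare against, while an SMS that names the destination and amount lets them refuse the mule transfer. The bank key, account names and amounts are constructed placeholders.

```python
# Added example (not Trusteer's or the report's code): a minimal model of the
# SMS-TAN flow Tatanga abuses. It shows why an SMS that only says "TAN NNNNNN"
# gives the customer no way to notice the mule transfer, while an SMS that
# names destination and amount lets them refuse. All keys, accounts and
# amounts are constructed placeholders.
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

BANK_KEY = b"placeholder-per-customer-secret"  # assumption: secret held by the bank


@dataclass(frozen=True)
class Transfer:
    source: str
    destination: str
    amount_cents: int


def derive_tan(transfer: Transfer) -> str:
    """Bank side: 6-digit TAN bound to exactly this transfer's details."""
    msg = f"{transfer.source}|{transfer.destination}|{transfer.amount_cents}".encode()
    digest = hmac.new(BANK_KEY, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


def compose_sms(transfer: Transfer, bound: bool) -> str:
    """Bank side: the text message. bound=False is the bare code the scam relies
    on; bound=True also states what the code authorizes."""
    tan = derive_tan(transfer)
    if not bound:
        return f"TAN {tan}."
    amount = f"{transfer.amount_cents / 100:.2f} EUR"
    return f"TAN {tan} authorizes {amount} to {transfer.destination}."


def verify_tan(transfer: Transfer, tan: str) -> bool:
    """Bank side: the TAN must match the transfer actually being submitted."""
    return hmac.compare_digest(derive_tan(transfer), tan)


def customer_types_tan(sms: str, intended: Optional[Transfer]) -> Optional[str]:
    """Customer side. Rule: type a TAN into a web form only if the SMS describes
    a transfer you started yourself. Tatanga's injected 'security check' page
    claims no transfer, so an SMS naming a payee and amount is refused."""
    code = sms.split("TAN")[1].split()[0].rstrip(".")
    if "authorizes" not in sms:
        return code  # a bare code gives the customer nothing to compare against
    if intended is None:
        return None
    expected = f"{intended.amount_cents / 100:.2f} EUR to {intended.destination}"
    return code if expected in sms else None


def tatanga_flow(bound: bool) -> bool:
    """Malware in the browser submits a transfer to a mule account while the
    customer sees only the fake security check. True if the bank accepts it."""
    mule = Transfer("victim-savings", "MULE-ACCOUNT-0001", 4_850_00)  # constructed
    typed = customer_types_tan(compose_sms(mule, bound), intended=None)
    return typed is not None and verify_tan(mule, typed)


def legitimate_flow(bound: bool) -> bool:
    """The customer's own transfer completes under either SMS scheme."""
    rent = Transfer("victim-checking", "LANDLORD-IBAN", 950_00)  # constructed
    typed = customer_types_tan(compose_sms(rent, bound), intended=rent)
    return typed is not None and verify_tan(rent, typed)
```

The model deliberately leaves the TAN value itself identical under both schemes: the bank issued it for the mule transfer, so what stops the fraud is the customer seeing a payee they never chose, not the cryptography.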

15. May 21, Reuters – (National) FDIC sues big banks over mortgage debt losses. The U.S. government filed three lawsuits against large banks over losses on soured mortgage debt purchased by two small Illinois banks that failed in 2009, Reuters reported May 21. Acting as receiver for Citizens National Bank and Strategic Capital Bank, the Federal Deposit Insurance Corp (FDIC) sued many banks including Bank of America Corp., Citigroup Inc., Deutsche Bank AG, and JPMorgan Chase & Co. Seeking a combined $92 million, the lawsuits accuse the banks of misrepresenting the risks of residential mortgages they packaged into securities, causing losses for investors once the poor quality and defective underwriting became evident. Two FDIC lawsuits were filed in New York federal court and seek a combined $77 million, while a third filed in Los Angeles seeks $15 million. Bank of America and Citigroup were the only banks named as defendants in all three cases. Deutsche Bank and JPMorgan were defendants in two cases, and Ally Financial Inc., Credit Suisse Group AG, HSBC Holdings Plc., Royal Bank of Scotland Group Plc., and UBS AG in one. Citizens National and Strategic Capital, based in Macomb and Champaign, Illinois, respectively, had roughly $1 billion of combined assets when they were closed May 22, 2009. Source:

16. May 21, Parker Chronicle – (Colorado) Parker man indicted for securities fraud. A Parker, Colorado man faces more than 40 criminal charges on suspicion of orchestrating a scheme that authorities said bilked more than $5 million from unsuspecting clients, the Parker Chronicle reported May 21. The Colorado Attorney General’s Office said the man offered high rates of return for those who invested in gas and well drilling operations. However, instead of putting the money into accounts that would grow, he is accused of using his two firms, Geodynamics Exploration Inc. and Geodynamics Inc., to redirect the money into his own accounts. He allegedly proceeded to drain the accounts by renting out a private Learjet and buying personal vehicles. The indictment said more than 60 investors fell for the fake operation. He faces 19 counts of theft and 22 counts of securities fraud. The Office of the Attorney General investigated the case and secured the indictment with the help of the Colorado Division of Securities and the U.S. Securities and Exchange Commission. Source:

17. May 21, Bloomberg – (New York; International) Nasdaq chief blames software for delayed Facebook debut. Nasdaq OMX Group Inc. blamed “poor design” in the software it uses for driving auctions in initial public offerings (IPOs) after shares of Facebook Inc. were hit by delays and mishandled orders on its first day. Computer systems used to establish the opening price were overwhelmed by order cancellations and updates, Nasdaq’s chief executive officer (CEO) said May 20. Nasdaq’s systems fell into a “loop” that kept the operator from opening the shares on time. The U.S. Securities and Exchange Commission said it will review the trading. Nasdaq will use an “accommodation pool” that may total $13 million to pay back investors who should have received executions in the opening auction, the CEO said. Media reports that brokers may lose $100 million repaying investors whose orders were mishandled are credible, the chief executive of Knight Capital Group Inc. said May 21. Problems surfaced at 11:11 a.m. May 18 after one of the stock’s underwriters completed its role in setting the price for the trade in Nasdaq’s opening auction. Trade requests received during the 5 milliseconds it took to operate the auction disturbed the process, leading to an imbalance of buys and sells and sending the program into a loop. Exchange officials manually intervened to allow the auction to occur at 11:30 a.m. The IPO software “didn’t work” even after thousands of hours of testing for “a hundred scenarios” aimed at anticipating problems, the CEO said. Responding to the malfunction, Nasdaq altered its IPO procedures May 21. Orders totaling 30 million shares were submitted into the opening auction between 11:11 a.m. and 11:30 a.m., the CEO said. About half of them may involve “some level of dispute.” Source:

18. May 18, Oklahoma City Oklahoman – (Oklahoma) Oklahoma City police seek help from Secret Service after finding fraudulent bank documents. A drug arrest prompted the Oklahoma City Police to call for help from the U.S. Secret Service after a search of the suspects’ car uncovered hundreds of blank checks and equipment used to forge corporate checks. The two suspects were arrested on drug complaints, and police turned over the investigation into the financial documents to the Secret Service, according to a police report released May 17. Police were called May 13 to a hotel on a report of a suspicious group of people. They found two men in a car and questioned them. Police found hundreds of bank documents in the trunk of the car, including blank checks from individuals and businesses, as well as corporate documents that would be needed to print out a fake corporate check. Police called in the federal agency because of the volume of documentation, the report stated. Source:

For more stories, see items 39 and 44 below in the Information Technology Sector

Information Technology

39. May 22, SC Magazine UK – (International) Social engineers breach billing service WHMCS. Thousands of passwords and credit card details were exposed online after social engineers breached the billing platform WHMCS. Attackers obtained the data after masquerading as the platform’s lead developer, and managed to con the company’s hosting provider to release administrator credentials. The developer’s details were then used to access WHMCS’s database and steal hashed customer credit card numbers and passwords, usernames, and support tickets. Along with that data, they also made public a 1.7GB cache that included the WHMCS control panel and Web site information. Almost a day’s worth of data was erased from the compromised servers, while links to the cache and other smaller files were hijacked. The lead developer said attackers from the group UGNazi provided correct answers to identity verification questions. Source:

40. May 22, Help Net Security – (International) Zeus Trojan variant comes with ransomware feature. The recent popularity of ransomware as a tactic for tricking users into paying money resulted in an unexpected malware combination. F-Secure researchers recently spotted a new Zeus 2.x variant that includes a ransomware feature. Once this particular piece of malware is executed, it first opens Internet Explorer and directs it toward a specific URL. Simultaneously, the user is blocked from doing anything on their computer. The site in question is offline, so it is difficult to be sure of what it contained, but a guess would be an extortion message. The command for “unlocking” the computer is present on the computer, in the registry, so it is possible to do so without paying the ransom. Source:

41. May 22, Government Computer News – (International) After 6 weeks offline, ICANN reopens TLD application system. The Internet Corporation for Assigned Names and Numbers (ICANN) reopened its Top Level Domain Application System for an 8-day window in which registered users can review and finalize applications. ICANN announced May 21 that the system, which was offline for nearly 6 weeks because of security problems, has reopened. It will remain open through midnight May 30. The deadline for registering to use the system was in March, and only users already registered will be able to complete applications. No new application slots can be requested. Source:

42. May 21, IDG News Service – (International) Cross-browser worm spreads via Facebook, security experts warn. Malware writers used Crossrider, a cross-browser extension development framework, to build a click-fraud worm that spreads on Facebook, Kaspersky Lab researchers said May 21. Crossrider is a JavaScript framework that implements a unified application programming interface (API) for building Firefox, Chrome, and Internet Explorer extensions. The API allows developers to write code that will run inside different browsers and, by extension, on different operating systems. The framework is still in beta testing and its creators plan on adding support for Safari soon. The new piece of malware is called LilyJade and is being sold on underground forums for $1,000. Its creator claims the malware can infect browsers running on Linux or Mac systems, and since it does not have any executable files, no antivirus program is designed to detect it. The malware’s purpose appears to be click fraud. It is capable of spoofing rogue advertisement modules on Yahoo, YouTube, Bing/MSN, AOL, Google, and Facebook, a Kaspersky malware expert said. When users view or click on these ads, the malware’s creators earn money through affiliate programs. To spread, the malware leverages control over infected browsers to piggyback on active Facebook sessions and send spam messages on behalf of authenticated Facebook users. The links included in LilyJade’s Facebook spam direct users to compromised sites that load the Nuclear Pack exploit kit into a hidden iframe. Exploit kits like Nuclear Pack attempt to exploit vulnerabilities in outdated software — usually browser plug-ins like Java, Flash Player, or Adobe Reader — to infect computers with malware. Source:

43. May 21, Ars Technica – (International) RSA SecurID software token cloning: A new how-to. A researcher devised a method that attackers with control over a victim’s computer could use to clone the software token RSA’s SecurID uses to generate one-time passwords. The technique, described May 17 by a senior security analyst at a firm called SensePost, has important implications for safekeeping of the tokens. By reverse engineering software used to manage the cryptographic software tokens on computers running Microsoft’s Windows operating system, he found the secret “seed” was easy for people with control over the machines to deduce and copy. He provided step-by-step instructions for others to follow to demonstrate how easy it is to create clones that mimic verbatim the output of a targeted SecurID token. An estimated 40 million people use these to access confidential data belonging to government agencies, military contractors, and corporations. Source:

44. May 21, Ars Technica – (International) Smartphone hijacking vulnerability affects AT&T, 47 other carriers. Computer scientists identified a vulnerability in the network of AT&T and at least 47 other cellular carriers that allows attackers to surreptitiously hijack the Internet connections of smartphone users and inject malicious content into the traffic passing between them and trusted Web sites. The attack, which does not require an adversary to have any man-in-the-middle capability over the network, can be used to lace unencrypted Facebook and Twitter pages with code that causes victims to take unintended actions, such as post messages or follow new users. It can also be used to direct people to fake banking sites, and to inject fraudulent messages into chat sessions in some Windows Live Messenger apps. Source:

45. May 21, SecurityWeek – (International) Yahoo strengthens mail filters after attempted JavaScript attack. Yahoo! strengthened its Web mail filters after researchers at Trend Micro detected a JavaScript attack the week of May 14 that was targeting its users. In the past, vulnerabilities within Web mail platforms were used to compromise accounts maintained by journalists and activists. On May 18, Trend Micro said it detected several e-mails being used in targeted attacks that contained JavaScript in the “From” field. The code was attempting to launch a DOM-based cross-site scripting (XSS) attack, which would presumably give the attacker access to the victim’s account. Source:

46. May 21, Threatpost – (International) Report: Diablo III users find accounts hacked, gold stolen and new ‘mystery’ friends. Blizzard Entertainment’s update to the mega-popular Diablo game franchise hit a major snag the weekend of May 19, after users started peppering support boards and the company with reports of raided accounts, missing virtual “gold,” and mysterious new friends. Many report being the victims of account takeovers while they were online, suggesting hackers may be taking advantage of a vulnerability in Blizzard’s software or gaming platform. Source:

47. May 21, Government Computer News – (National) Critical industries don’t grasp IT risks, study shows. A study by cybersecurity researchers at Carnegie Mellon University in Pittsburgh found that top corporate executives too often are disengaged from management of cyber risks to their organizations and that operators of critical infrastructure tend to lag behind the more highly regulated financial services industry in overseeing cybersecurity and privacy protection. The report, “How Boards & Senior Executives are Managing Cyber Risks,” found that despite some improvements during the 4 years since the researchers’ first study, there still is a lack of understanding of the importance of IT risks in overall enterprise risk management. Source:

For more stories, see items 14 and 17 above in the Banking and Finance Sector

Communications Sector

48. May 22, Lake Powell Life – (Utah) Power outage Sunday affects KXAZ transmitter. Listeners missed hearing KXAZ 93.3 FM Page, Arizona, May 20. A power outage by Garkane Power in southern Utah took the transmitter down until an emergency transmitter could get the Page FM radio station back on the air. As of May 22, full transmission power had been restored. Source:

For more stories, see items 41, 42, 44, and 45 above in the Information Technology Sector