Thursday, June 7, 2012

Complete DHS Daily Report for June 7, 2012

Daily Report

Top Stories

• Pacific Gas & Electric was checking for leaks in 180 segments of its natural gas pipeline system in California that may be vulnerable to corrosion. One area they were testing was part of a line near San Francisco where an explosion killed 8 people and destroyed 38 homes in 2010. – Associated Press

1. June 6, Associated Press – (California) PG&E to check gas pipeline vulnerability. Pacific Gas & Electric (PG&E) was checking for leaks in 180 segments of its natural gas pipeline system in California which may be vulnerable to corrosion — including part of a line near San Francisco where an explosion killed 8 people in 2010. The utility announced June 5 it is conducting emergency leak surveys. A company letter to state regulators said more than half of the 180 segments were found to have corrosion vulnerabilities in 2012. PG&E said among the pipes with corrosion vulnerability is one that ruptured in San Bruno 2 years ago, causing a blast and fire that destroyed 38 homes. The affected section is a 9-mile span north of the blast area that runs into San Francisco. Source: http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2012/06/06/state/n044552D33.DTL

• The operators of the Seabrook Station nuclear power plant in Seabrook, New Hampshire, failed to properly detect a simulated radiological release and failed to advise State emergency planning officials during a test of the emergency preparedness process. – Portsmouth Herald

8. June 5, Portsmouth Herald – (New Hampshire) NRC reports Seabrook nuclear plant failures in emergency test. The operators of the Seabrook Station nuclear power plant in Seabrook, New Hampshire, failed to properly detect a simulated radiological release and also failed to advise state emergency planning officials during a test of the emergency preparedness process held in April, the Portsmouth Herald reported June 5. Plant staff also failed to detect the lapse until Nuclear Regulatory Commission (NRC) inspectors pointed it out, an NRC report dated May 29 indicated. “The finding (by NRC inspectors) is more than minor because it ... affected the ... objective to ensure that the licensee is capable of implementing adequate measures to protect the health and safety of the public in the event of a radiological emergency,” the report read. Multiple errors occurred during the full-scale, biennial emergency planning exercise conducted April 16-17 at the plant, according to the NRC report. The test assigned to the plant’s emergency staff was a large-break loss of reactor coolant. Source: http://www.seacoastonline.com/articles/20120605-NEWS-120609849

• Interviews and documents show a fast-growing Iranian mobile-phone network managed to obtain sophisticated U.S. computer equipment despite sanctions that prohibit sales of American technology to Iran. – Reuters (See item 13)

13. June 4, Reuters – (International) Iranian cell-phone carrier obtained banned US tech. Interviews and documents show a fast-growing Iranian mobile-phone network managed to obtain sophisticated U.S. computer equipment despite sanctions that prohibit sales of American technology to Iran, Reuters reported June 4. MTN Irancell, a joint venture between MTN Group Ltd of South Africa and an Iranian government-controlled consortium, sourced equipment from Sun Microsystems Inc, Hewlett Packard Co, and Cisco Systems Inc, the documents and interviews show. MTN owns 49 percent of the joint venture but provided the initial funding. The procurement — through a network of tech companies in Iran and the Middle East — offers further evidence of the limitations of U.S. economic sanctions. The sanctions are intended to curb Iran’s nuclear program, which Tehran maintains is peaceful. No U.S. company can sell goods or services to Iran unless it obtains special authorization. However, U.S. enforcement has focused on containing Iranian banks, terrorism, Iran’s oil industry, and individuals and companies that Western capitals believe are involved in Tehran’s nuclear development program. Source: http://af.reuters.com/article/topNews/idAFJOE85401820120605

• Business social network LinkedIn said it is investigating reports that more than 6 million passwords were stolen and leaked onto the Internet. – Associated Press See item 41 below in the Information Technology Sector

Details

Banking and Finance Sector

14. June 6, Softpedia – (International) Tutorials teach cybercriminals how to avoid fraud detection systems. Trusteer experts have come across tutorials in an underground hacking forum that detail how fraud detection systems set up by financial and e-commerce providers can be circumvented. The anti-fraud mechanisms usually fingerprint a device to identify signs of misuse. They collect data such as IP address, Web browser type and version, and operating system details. If too many orders from multiple user accounts are placed from one machine, alarm bells go off and the transactions are blocked. However, cybercriminals have found ways to bypass the system through use of virtual private networks (VPN) and proxy services that hide IP addresses. They are also shown how to make the system incorrectly read the fingerprints, making it believe different computers with different browsers and operating systems have been used. The software that performs the task is freely available for download and achieves its objectives by manipulating the information in the Web browser’s User-Agent header. Source: http://news.softpedia.com/news/Tutorials-Teach-Cybercriminals-How-to-Avoid-Fraud-Detection-Systems-274013.shtml

15. June 6, Lake County News – (California; National) Petaluma man arrested for multimillion dollar scam. The California attorney general and a Sonoma County district attorney June 5 announced the arrest of a man who stole more than $20 million from dozens of investors in a Ponzi scheme. He was charged with 167 felony counts of grand theft, securities fraud, and elder abuse. He also was charged with many enhancements that indicate he engaged in a pattern of theft and fraud related crimes that resulted in a loss of more than $3.2 million. The arrest declaration alleges the man used his company, Baccala Realty Inc., to raise millions of dollars from more than 50 investors for ventures in California and other states. Victims of the scheme were promised annual returns of 12 percent or more to invest in projects that were supposed to be secured by a first or second deed of trust. In fact, none of the deeds were ever recorded, and the funds raised were not used as promised. The man also allegedly used investor money in the stock market and to cover margin calls and trading losses. From 2003 to 2008, he lost about $8 million. As his debts grew, he began promising new investors annual returns of up to 27.5 percent. In November 2008, he issued letters to investors stating he would no longer make promised monthly payments. Source: http://www.lakeconews.com/index.php?option=com_content&view=article&id=25390:regional-petaluma-man-arrested-for-multimillion-dollar-scam&catid=1:latest&Itemid=197

16. June 6, U.S. Securities and Exchange Commission – (National) OppenheimerFunds to pay $35 million to settle SEC charges for misleading statements during financial crisis. The U.S. Securities and Exchange Commission June 6 charged investment management company OppenheimerFunds Inc., and its sales and distribution arm with making misleading statements about two of its mutual funds struggling in the midst of the credit crisis in late 2008. The SEC’s investigation found Oppenheimer used derivative instruments known as total return swaps (TRS contracts) to add substantial commercial mortgage-backed securities (CMBS) exposure in a high-yield bond fund called the Oppenheimer Champion Income Fund and an intermediate-term, investment-grade fund called the Oppenheimer Core Bond Fund. The 2008 prospectus for the Champion fund did not adequately disclose the fund’s practice of assuming substantial leverage in using derivative instruments. And when declines in the CMBS market triggered large cash liabilities on the TRS contracts in both funds and forced Oppenheimer to reduce CMBS exposure, it disseminated misleading statements about losses and recovery prospects. Oppenheimer agreed to pay more than $35 million to settle the SEC’s charges. Source: http://www.sec.gov/news/press/2012/2012-110.htm

17. June 5, Knoxville News Sentinel – (Tennessee; Georgia; Alabama) Last defendant in bank fraud scheme using homeless people pleads guilty. A man who helped round up homeless people in Knoxville, Tennessee, to be used in a counterfeit check-cashing scheme involving nearly $200,000 in less than 3 weeks was set to be tried June 5, but instead pleaded guilty to a count of bank fraud conspiracy, records show. He was the last of 32 defendants — 26 of them homeless — still awaiting trial and was identified in court records as one of the key players in a conspiracy in which counterfeit check crafters in Georgia and Alabama recruited homeless people in Knoxville to cash them. The conspiracy first came to light locally when, in October 2010, a Knoxville Police Department officer, who had been alerted to a “rash of incidents involving attempts to cash counterfeit checks at local banks,” began canvassing local motels for rental cars with Georgia plates, court records show. That canvas netted the arrest of two men, who were discovered in a rental car with a homeless woman who told the officer about the scheme. The two men refused to talk but “a wad of approximately 70 counterfeit checks” were found. The homeless people’s names would then be listed as payees on checks drawn on the accounts of legitimate businesses and entities, including the Jefferson County Clerk’s Office, but bearing forged signatures. Authorities said the 20-day scam involved 71 checks totaling $191,537. Source: http://www.knoxnews.com/news/2012/jun/05/last-defendant-in-bank-fraud-scheme-using-people/

18. June 5, U.S. Commodity Futures Trading Commission – (Illinois; National) CFTC orders Morgan Stanley & Co. LLC to pay $5 million civil monetary penalty for unlawful noncompetitive trades. The U.S. Commodity Futures Trading Commission (CFTC) June 5 issued an order filing and settling charges that, over an 18-month period, Morgan Stanley & Co. LLC unlawfully executed, processed, and reported numerous off-exchange futures trades to the Chicago Mercantile Exchange (CME) and Chicago Board of Trade (CBOT) as exchanges for related positions (EFRPs). The CFTC order requires Morgan Stanley to pay a $5 million civil penalty. The order says that because the futures trades were executed noncompetitively and not in accordance with exchange rules governing EFRPs, they were “fictitious sales” and resulted in the reporting of non-bona fide prices, in violation of Commodity Exchange Act and CFTC regulations. The order also finds Morgan Stanley had supervisory and recordkeeping violations. It says that from at least April 18, 2008 through October 29, 2009, Morgan Stanley noncompetitively executed numerous futures trades and improperly reported them as EFRPs, since they did not have the required corresponding cash or over-the-counter derivative positions. The order finds Morgan Stanley’s supervisory systems and internal controls were not adequate to detect and deter the noncompetitive trading of futures contracts improperly designated as EFRPs. Source: http://www.cftc.gov/PressRoom/PressReleases/pr6270-12

Information Technology Sector

41. June 6, Associated Press – (International) LinkedIn investigating reports of stolen passwords. Business social network LinkedIn said it is investigating reports that more than 6 million passwords were stolen and leaked onto the Internet. Although LinkedIn did not confirm if any user data was hacked or leaked, researchers at Web security company Sophos said they confirmed a file posted online does contain, in part, LinkedIn password “hashes” — a way of encrypting or storing passwords in a different form. A consultant with Sophos recommended LinkedIn users change their passwords immediately. LinkedIn contains myriad information on its more than 160 million members, including potentially confidential information related to jobs being sought. Companies, recruiting services, and others have accounts alongside individuals who post resumes and other professional information. There is added concern that many people use the same password on multiple Web sites, so whoever stole the data could use the information to access Gmail, Amazon, PayPal, and other accounts, the Sophos consultant warned. LinkedIn referred repeated requests for comment to the company’s Twitter feed, where it said its team was “looking into reports of stolen passwords.” Two hours later, the company posted a second tweet saying it was still unable to confirm if a security breach occurred. A security researcher warned that LinkedIn users should be cautious about malicious e-mail generated around the incident. The concern is that users, after learning about the incident, would be tricked into following links in those e-mails. Instead of going to the real LinkedIn site to change a password, users would be directed to a scammer, who could then collect the information and use it for criminal activities. Source: http://finance.yahoo.com/news/linkedin-investigating-reports-stolen-passwords-151609357.html

42. June 6, IDG News Service – (International) Yahoo unveils latest antispam defense. Yahoo said it will roll out globally a new antispam specification the week of June 4, intended to make it easier for service providers to confidently discard suspicious e-mail messages. The specification, called Domain-based Message Authentication, Reporting, and Conformance (DMARC), allows e-mail senders to tell receiving services if they are using two other technologies to weed out spam. Many e-mail senders use DomainKeys Identified Mail (DKIM), which wraps a cryptographic signature around an e-mail that verifies the domain name through which the message was sent. The second technology Sender Policy Framework (SPF), allows e-mail senders to indicate which hosts are authorized to send e-mail, allowing receiving organizations to discard messages coming from spoofed “from” addresses. The DMARC specification, which is supported by companies including Google, Facebook, Microsoft and others, lets a sender indicate if they are using SPF, DKIM, or both. It also allows senders to tell the recipient what to do with messages if authentication of some messages fails. Senders can also receive a report from recipients on how they handled the questionable messages. DMARC helps solve the problem of what to do with suspicious messages, which in some cases might have been delivered. The messages could be phishing attempts, or ploys intended to trick recipients into revealing sensitive information or encouraging them to click on malicious links leading to bogus Web sites. Source: http://www.computerworld.com/s/article/9227799/Yahoo_unveils_latest_antispam_defense

43. June 6, Help Net Security – (International) Facebook warns its users infected with DNSChanger. As the date of the shutdown of the interim systems that allow computers infected by the DNSChanger trojan to connect to the Internet draws near, Facebook joined Google in sending out warnings to its infected users: “Earlier this year, Facebook joined the clean up effort by participating in the DNSChanger Working Group, which is comprised of computer security experts from the public, private, and academic sectors,” Facebook said. “As a result of our work with the group, Facebook is now able to notify users likely infected with DNSChanger malware and direct them to instructions on how to clean their computer or networks.” Source: http://www.net-security.org/malware_news.php?id=2137

44. June 6, H Security – (International) Stabilizing update for BIND DNS server. A critical vulnerability in BIND threatened the stability of the DNS server. The problem was discovered while developers were testing experimental DNS record types, when they found it was possible to add records to BIND with zero length data fields. Recursive servers were found to crash or disclose memory content to clients, while secondary servers could crash on restart if they had transferred a zone with these zero-length records. In certain circumstances, master servers could also corrupt zone data if “auto-dnssec” was set to “maintain.” There are currently no known active exploits, though the issue was discussed on public mailing lists. There are also no known workarounds for the problem, but these are being investigated. The only option is to upgrade to the latest BIND versions, 9.6-ESV-R7-P1, 9.7.6-P1, 9.8.3-P1, or 9.9.1-P1 as appropriate. Source: http://www.h-online.com/security/news/item/Stabilising-update-for-BIND-DNS-server-1611764.html

45. June 6, H Security – (International) Multiple security vulnerabilities fixed in Firefox and Thunderbird. The releases of Firefox 13 and Thunderbird 13 close many critical security holes in the open source browser and e-mail client. Mozilla also ported most of these fixes to the Extended Support Release (ESR) versions of both products. Firefox 13 includes seven security fixes, four for critically rated vulnerabilities. Six security problems also affect Firefox ESR. The corrections fix a buffer overflow and a use-after-free problem both found using the Address Sanitizer tool and many other memory safety issues. A critical privilege escalation vulnerability in the Mozilla Updater only affects the current edition of Firefox; the ESR edition is unaffected. The vulnerabilities and fixes are mirrored in the Thunderbird 13 and Thunderbird ESR updates as the browser and e-mail client share a large amount of rendering code. Source: http://www.h-online.com/security/news/item/Multiple-security-vulnerabilities-fixed-in-Firefox-and-Thunderbird-1611791.html

46. June 5, Ars Technica – (Unknown Geographic Scope) Google starts warning users of state-sponsored computer attacks. Google unveiled a service that automatically displays a warning to users who may be the target of State-sponsored phishing or malware attacks. Company representatives did not indicate precisely what criteria is used to determine when a particular attack is sponsored by a government actor, because that information could be used to evade detection. They went on to say the company relies on “detailed analysis” and victim reports that “strongly suggest the involvement of states or groups that are state-sponsored.” The warnings are being implemented after Google users were hit by several high-profile attacks that show evidence of being sponsored by governments in China and Iran. Source: http://arstechnica.com/security/2012/06/google-state-sponsored-attack-warnings/

For more stories, see items 13 above in Top Stories 14 above in the Banking and Finance Sector and 47,and 48 below in the Communications Sector

Communications Sector

47. June 5, Benicia Patch – (California) Repairs to damaged telecommunications systems should be completed Tuesday night. According to an AT&T spokesman, the copper thieves who struck June 2 in Benicia, California, stole about 500 feet of “900 pair cable” — a telecommunications cable holding 900 pairs of copper wire. He said approximately 1,000 AT&T customers were affected by the outage. Repairs were expected to be finished by June 5. A Comcast spokesman said his company still did not know the exact number of customers affected when a Comcast fiber optic line was severed in the theft. “We think it was several thousand customers who were affected,” he said. The cut Comcast line carries the signal into Benicia, It was repaired in 5 hours. The severed line impacted cable television, telephone, and Internet services. Source: http://benicia.patch.com/articles/vandals-and-thieves-strike-utility-lines-leaving-benicians-without-some-services

48. June 5, Keokuk Daily Gate City – (Iowa) Service restored to most Mediacom customers. Most Mediacom customers in Iowa whose Internet and phone service was disrupted June 4 saw their services restored June 5. A remaining set of customers had services restored between 7 a.m. and 9 a.m., as network technicians continued to activate newly-installed equipment that communicates with individual customer modems. According to company officials, network technicians worked throughout the night and were able to re-connect full service to about 85 percent of affected customers. New electronic equipment needed to be installed and configured due to significant fire damage that occurred May 31. The fire was caused by a lightning strike to a tower adjacent to a West Burlington facility used by Mediacom to house equipment that controls telecommunication services delivered to customers in a four-county area of southeast Iowa. The interruption of Internet and phone service affected Mediacom customers in Des Moines, Henry, Lee, and Louisa counties. In the Burlington area, cable television service was out for about 3 hours May 31. Source: http://www.dailygate.com/articles/2012/06/05/news/doc4fce812a5afe8500507746.txt

For more stories, see items 13, above in Top Stories and 41, 42, and 43 above in the Information Technology Sector