Wednesday, August 15, 2012 


Daily Report

Top Stories

 • Officials said contamination was found on the outside of a trailer used to transport fuel at a nuclear plant in Pennsylvania. – Wilkes-Barre Citizens’ Voice

8. August 14, Wilkes-Barre Citizens’ Voice – (Pennsylvania) Radioactive contamination found inside PPL plant’s trailer. Radioactive contamination was unexpectedly found the week of August 6 on the outside of a trailer used to transport fuel at PPL’s nuclear power plant in Salem Township, Pennsylvania, the U.S. Nuclear Regulatory Commission (NRC) reported August 13. The 32-tire trailer is used to move spent nuclear fuel rods in 100-ton containers from the plant to long-term storage sites. The contaminant cesium, found in the grease of the trailer, is a byproduct of the nuclear fuel burning process that can seep out of leaky containers holding fuel rods. Because of PPL Susquehanna Nuclear Power Plant’s “good history” in preventing leaks and the fact that it sometimes loans the trailer out to other plants, the contaminant is thought to have come from another plant, an NRC spokesman said. The contamination levels were very low and not dangerous, said a spokesman for the plant, but still above those deemed acceptable to be in a public space by the Department of Transportation. The trailer was most recently leased to a Michigan nuclear plant in 2011 and returned in June. Source: http://citizensvoice.com/news/radioactive-contamination-found-inside-ppl-plant-s-trailer-1.1358209

 • The founder of a bankrupt Iowa-based brokerage was indicted by a federal grand jury on 31 counts of making false statements to regulators in connection with a $200 million fraud scheme that could impact 24,000 customers. – Associated Press (See item 11 below in the Banking and Finance Sector)

 • The Citadel trojan was responsible for an attack targeting VPN-using employees at a major international airport, according to security researchers. – Infosecurity (See item 16)

16. August 14, Infosecurity – (National) Citadel trojan targeting major international airport hub. The Citadel trojan is best known for its recent delivery of the Reveton ransomware. Now, Trusteer discovered a Citadel-based man-in-the-browser attack aimed against VPN-using employees at a major international airport, Infosecurity reported August 14. The airport was notified and the VPN-based remote access by employees disabled. The fact that remote access has now been disabled for a week indicates the airport authorities are taking the matter very seriously. The attack combines form grabbing and screen capture “to steal the victim’s username, password, and the one-time passcode generated by a strong authentication product,” according to Trusteer. This strong authentication provides either dual-channel (a PIN delivered by SMS or separate mobile device) or single-channel methods, selectable by the user. It is the latter option that is attacked. It combines the user’s static password with a system-generated 10-digit CAPTCHA to produce a one-time password for the session. A Trusteer director of product marketing indicated the motivation could be any one of the primary criminal motivations: hacktivism (there are many environmental activists opposed to airports in general); fraud (via access to the payroll); drug trafficking (by finding loopholes in the airport’s physical security); or terrorism. Source: http://www.infosecurity-magazine.com/view/27580/

 • Two days after shots from a pellet gun were fired into a Morton Grove, Illinois mosque, an Islamic school in the Chicago area reported it was the target of an acid bomb August 12. – WMAQ 5 Chicago

37. August 13, WMAQ 5 Chicago – (Illinois) Acid bomb thrown at Lombard Islamic school. Two days after shots from a pellet gun were fired into a Morton Grove, Illinois mosque, an Islamic school in the Chicago area reported it was the target of an acid bomb August 12. “This is not an isolated incident,” said a spokesman for the Council of Islamic Organizations of Greater Chicago (CIOGC) in a statement. “A few days ago another CIOGC member institution, the Muslim Education Center was also attacked.” Worshipers at the College Preparatory School of America heard a loud bang the night of August 12 during evening Ramadan prayers. They went outside to find an empty soda bottle that had been thrown at the window of the school. It was “filled with acid and other unspecified materials,” said the Council on American-Islamic Relations, which has called on the FBI to investigate. They are also calling on authorities to increase security during the final days of Ramadan, which ends August 19. Source: http://www.nbcchicago.com/news/local/Bomb-Thrown-at-Lombard-Islamic-School-166042736.html

 • More than 60 wildfires, including 16 new large fires were burning in five western states, destroying scores of homes and other buildings, and leading to evacuations of hundreds of people. – CNN

56. August 14, CNN – (West) Wildfires blaze through Western states. A wildfire in central Washington State scorched 26,500 acres and destroyed at least 60 homes, officials said August 14. The fire raging near Cle Elum is one of several fires devastating Western states the week of August 13. Colorado was affected earlier in the summer. Now, new wildfires are burning in California, Oregon, Nevada, Washington, and Idaho. In all, 62 fires, including 16 new large fires, were burning as of August 14, the U.S. Forest Service reported. They destroyed dozens of homes and threaten many more. Washington’s Taylor Bridge Fire began as a brush fire August 13. By August 14, it grew to 16,500 acres, or 41 square miles. Authorities already evacuated more than 400 people near the Taylor Bridge Fire, according to the incident commander. In Idaho, a blaze killed a firefighter, and two other firefighters were injured in Oregon and California. More than 750 firefighters and support personnel were working in Oregon and Nevada to corral the 418,235-acre Holloway Fire, the largest of the Western wildfires, ignited by a lightning strike August 5. An injured firefighter was rushed by helicopter to a hospital and was treated and released. In California, a pair of fires north of San Francisco in Lake County burned 7,000 acres and were 30 percent contained as of August 14, according to the California Department of Forestry and Fire Protection. Two buildings were destroyed and one was damaged, KGO 7 San Francisco reported. An additional 480 homes were threatened, and a firefighter was injured while battling the flames, said a representative of the State’s forestry and fire department. Source: http://www.cnn.com/2012/08/14/us/western-wildfires/index.html

Details

Banking and Finance Sector

11. August 14, Associated Press – (Iowa) Brokerage CEO indicted in $200 million fraud case. The founder of a bankrupt Iowa-based brokerage was indicted by a federal grand jury August 13 on 31 counts of making false statements to regulators in connection with a $200 million fraud scheme. The Peregrine Financial Group Inc. CEO was arrested in July while hospitalized in Iowa City, Iowa, after a failed suicide attempt outside Peregrine’s office in Cedar Falls. Authorities said he left a detailed suicide note in which he confessed to a 20-year scheme to commit fraud and embezzle customer funds. Regulators said his company cannot account for more than $200 million in customer funds that it was supposed to be holding. Peregrine has filed for bankruptcy and is liquidating its assets, meaning more than 24,000 customers who used the company to invest in commodities ranging from corn to gold do not have access to their funds. The indictment alleges that he submitted false financial documents for his company to the U.S. Commodity Futures Trading Commission that overstated the value of Peregrine’s customer money, which was supposed to be held separate from other funds, by “at least tens of millions of dollars.” The 31 counts represent the number of such documents that Peregrine submitted between January 2010 and May 2012. Source: http://www.omaha.com/article/20120814/NEWS/708149956/1016

12. August 13, Bloomberg News – (National) California man gets 27 years in prison in $50 million fraud. A California man was sentenced to 27 years in prison for his role in a $50 million bank fraud that operated in six States and involved 500 victims worldwide, federal prosecutors in Minnesota said August 13. Another person, of New York, was sentenced to more than 22 years behind bars, a Minnesota U.S. attorney said in a statement. “Crooked bank insiders bartered the personal financial information of their patrons,” the attorney said. U.S. juries convicted the men in February of participating in a ring that bought and sold stolen bank customer data, which they used to open bank and credit card accounts and apply for loans between 2006 and 2011, according to court papers. Among the victims of the scheme were JP Morgan Chase & Co., Wells Fargo & Co., and American Express Co. One of the men was convicted of identity theft, bank fraud, and conspiracy. The other was found guilty of those and other counts including mail fraud and money laundering. Nine other people were charged in the case. Six pleaded guilty and three remain fugitives, prosecutors said. The plot operated in California, New York, Texas, Minnesota, Massachusetts, and Arizona. Source: http://www.businessweek.com/news/2012-08-13/california-man-gets-27-years-in-prison-in-50-million-fraud

13. August 12, Gannett News Services – (Michigan) Scammers hit ATMs in county. For weeks, at least five men have placed skimming devices on ATMs in Livingston, Wayne, and Oakland counties in Michigan to steal more than $500,000 from the bank accounts of hundreds of unsuspecting customers, authorities said, Gannett News Services reported August 12. Police warn that others may have been victimized and not realize it yet. To pull off the scam, the men attach a device to ATMs that captures data off bank cards when they are inserted into the machines, said the Oakland County Sheriff’s Department substation commander in Commerce Township. The device is hard to detect and has a tiny camera that captures people punching in PINs, he said. Officials believe the skimmers have carried out crimes since at least June 28 at dozens of banks. The Secret Service and 16 police agencies are working together on the case. Source: http://www.livingstondaily.com/article/20120812/NEWS01/208120328/Scammers-hit-ATMs-county

14. August 12, Associated Press – (Alaska; International) Suspect in $4.3 million Alaska bank heist still in custody in Mexico. A federal prosecutor said a former Anchorage, Alaska bank employee accused of stealing $4.3 million from the vault of the establishment remains in custody in Mexico, Associated Press reported August 12. According to the Anchorage Daily News, the money also remains in the custody of Mexican authorities. Authorities said the suspect was a Key Bank vault manager until he disappeared after the July 2011 theft. An assistant U.S. attorney said Key Bank and federal prosecutors are still working to get the cash and suspect back to Alaska. Source: http://newsminer.com/view/full_story/19784919/article-Suspect-in--4-3-million-Alaska-bank-heist-still-in-custody-in-Mexico?instance=home_news_window_left_bullets

Information Technology Sector

44. August 14, Softpedia – (International) Multiple Web vulnerabilities identified in SonicWALL email security. Researchers from Vulnerability Lab identified security holes in SonicWALL Email Security 7.3.5.6379. The company was notified of the existence of the flaw in May, but since it failed to respond within the 90-day period, the security firm decided to publicly reveal the problem. The first vulnerability is a persistent input validation flaw — estimated as being high risk — which allows a remote attacker (or a local attacker with low privileges) to inject malicious code into the software. The bug can be leveraged for session hijacking, phishing, and “stable persistent module context manipulation.” The Compliance and Virus protection procedures module is affected, the vulnerability being triggered when unsanitized inputs are loaded. Many client-side cross-site scripting (XSS) flaws were also detected in the application. According to the researchers, they can be leveraged by a remote attacker to manipulate appliance requests on the client side. Catalogued as being low risk, the vulnerabilities can be exploited with medium user interaction. “Successful exploitation results in session hijacking, account steal, client side phishing requests or manipulated context execution on client side requests,” reads an advisory published by the experts. “The vulnerabilities are located on the `from`- & `row` page listing values.” Source: http://news.softpedia.com/news/Multiple-Web-Vulnerabilities-Identified-in-SonicWALL-Email-Security-Video-286435.shtml

45. August 14, The H – (International) BackTrack 5 R3 adds tools for Arduino and Teensy attacks. The third release of version 5 of the BackTrack Linux security distribution fixes several bugs discovered since the R2 release in March and adds more than 60 new tools. Several of the new tools were released as part of presentations at the recent Black Hat and DEFCON conferences. The distribution also added a completely new category of software for “physical exploitation.” This category includes libraries and an IDE for the Arduino and the Kautilya toolkit that provides payloads for the Teensy USB development board. BackTrack can be run as a live CD for added security and flexibility or can be permanently installed on a system. The distribution is developed with security researchers and penetration testers in mind and offers one of the most comprehensive collections of Linux-based security software. Source: http://www.h-online.com/security/news/item/BackTrack-5-R3-adds-tools-for-Arduino-and-Teensy-attacks-1666994.html

46. August 14, The H – (International) Magento shops attacked through Zend vulnerability. A critical vulnerability in the Zend Framework can be exploited by remote attackers to access arbitrary files from online shops using the eBay-owned Magento eCommerce platform. This is because the Zend XML-RPC component used by Magento is vulnerable to XML eXternal Entity injection attacks; exploiting the hole can allow an attacker to read private information such as database configuration and customer data including complete order histories. While the problem has already been publicly known for nearly 2 months, many shop owners have yet to update or patch their software. The Magento developers fixed the problem in version 1.7.0.2 of the open source Community Edition and in version 1.12.0.2 of the Enterprise Edition of their software. Patches are provided for older versions of the Community Edition, while workarounds are offered for Enterprise Edition versions prior to 1.8.0.0. Zend closed the hole in versions 1.11.12 and 1.12.0 of the Framework; the fifth beta for 2.0.0 also fixes the problem. Source: http://www.h-online.com/security/news/item/Magento-shops-attacked-through-Zend-vulnerability-1667008.html
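As an added illustration, not Zend’s, Magento’s, or the report’s own code: a minimal Python XML-RPC request gate that refuses any request carrying a DTD, which is the pre-parse check that blocks the XML external entity class described in item 46 (an XML-RPC request never needs a DOCTYPE, so its presence is treated as hostile and logged rather than parsed). The method name, SKU value, and the file path in the sample request are constructed placeholders.

```python
"""Pre-parse DTD rejection for an XML-RPC endpoint (added hardening example).

Not the Zend or Magento fix; an illustration of the check that defeats XXE
in XML-RPC: a SYSTEM entity declared in a DTD is what pulls a local file
(e.g. a database configuration file) into the decoded request, so requests
that declare any DTD or entity are refused before the XML parser sees them.
"""
import re
import xmlrpc.client


class UnsafeXmlRequest(ValueError):
    """Raised when a request carries a DOCTYPE or ENTITY declaration."""


# XML-RPC payloads never legitimately carry a DTD, so any declaration is
# refused outright instead of being parsed (case-insensitive, bytes input).
_DTD_MARKER = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def reject_dtd(raw: bytes) -> None:
    """Refuse the request if it declares a DTD or an entity."""
    if _DTD_MARKER.search(raw):
        raise UnsafeXmlRequest("DTD/entity declaration in XML-RPC request")


def parse_xmlrpc_request(raw: bytes):
    """Return (params, method_name) for a well-formed, DTD-free request."""
    reject_dtd(raw)
    return xmlrpc.client.loads(raw)


# Constructed sample traffic (not captured from any real system).
BENIGN_REQUEST = (
    b'<?xml version="1.0"?><methodCall><methodName>catalog.lookup</methodName>'
    b'<params><param><value><string>sku-1234</string></value></param></params>'
    b'</methodCall>'
)

# Shape of the request class the report describes: an external entity that
# points at a local file is declared, then referenced inside a parameter so a
# naive parser would copy the file contents into the decoded value.
XXE_REQUEST = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE methodCall [<!ENTITY cfg SYSTEM "file:///PLACEHOLDER/local.xml">]>'
    b'<methodCall><methodName>catalog.lookup</methodName>'
    b'<params><param><value><string>&cfg;</string></value></param></params>'
    b'</methodCall>'
)


def classify(raw: bytes) -> str:
    """Label a request 'accepted' or 'rejected' for logging and alerting."""
    try:
        parse_xmlrpc_request(raw)
    except UnsafeXmlRequest:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    for name, req in (("benign", BENIGN_REQUEST), ("xxe", XXE_REQUEST)):
        print(name, classify(req))
```

Counting rejected requests per source address is a cheap detection signal for the mass scanning of unpatched shops that the item reports.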

47. August 14, The H – (International) Oracle releases unscheduled fix for critical vulnerability. At the recent Black Hat conference in Las Vegas, a security expert revealed a zero day exploit in Oracle’s database server. Oracle plugged this vulnerability with an unscheduled patch. Server versions 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, and 11.2.0.3 are all affected, though the July 2012 patch update contained a fix for the latter two. The bug enables attackers to obtain the privileges of the SYSDBA user. To do so, they require a user name, password, CREATE TABLE and CREATE PROCEDURE privileges, and EXECUTE privileges for the DBMS_STATS package. The Oracle Text package also must be installed, which is typically the case. Oracle advised users to install the patch as soon as possible, with exploits for the vulnerability already publicly available. According to Oracle, the bug may also be present in older versions that are no longer supported; the company will not be releasing a fix for these versions. Oracle describes the bug, cataloged as CVE-2012-3132, only in general terms. A little more detail can be found in a blog posting by a researcher from Team Shatter. He said normal database users should not possess the required privileges, but developers generally do. Source: http://www.h-online.com/security/news/item/Oracle-releases-unscheduled-fix-for-critical-vulnerability-1666898.html

48. August 14, IDG News Service – (International) Microsoft patches critical security holes in Windows, Office, IE. Microsoft fixed 26 vulnerabilities in its software products, including several considered critical, the company said August 14 in its monthly security patch report. The security holes, described in five critical and four important bulletins, affect multiple products, including Windows, Internet Explorer, Exchange, SQL Server, and Office. In the worst-case scenarios, exploits could give attackers control of affected systems. Source: http://www.computerworld.com/s/article/9230281/Microsoft_patches_critical_security_holes_in_Windows_Office_IE

49. August 13, Government Computer News – (International) Typical Web app is attacked 274 times a year, study finds. A typical Web site application experiences an average of 274 attacks, on an average of 120 days, each year, with some getting as many as 2,766, according to the latest Imperva Web Application Attack Report. Imperva based its finding on observation and analysis of traffic going to 50 Web apps between December 2011 and May 2012, and although the security company did not specify which apps it studied, past studies found government sites vulnerable to the kinds of attacks Imperva found. Source: http://gcn.com/articles/2012/08/13/web-app-attacks-battle-days-imperva-study.aspx

50. August 13, Help Net Security – (International) Bogus ‘MS Cyber-Crime Department’ warnings lead to phishing. Emails purportedly sent by the Microsoft Cyber-Crime Department, warning all Internet users that their email account may be deleted from the “world email server,” have been hitting inboxes around the world. The phishers used the official logo of the Microsoft Digital Crimes Unit to lend the email an aura of legitimacy. Following the embedded link will take the victims to a page where they are asked to supply their email address, username, and password. The inputted information is sent directly to the phishers. Source: http://www.net-security.org/secworld.php?id=13418

For another story, see item 16 above in Top Stories

Communications Sector

51. August 14, Door County Daily News – (Wisconsin) Kewaunee County phone outage resolved. The Kewaunee County, Wisconsin Sheriff’s Department said a phone outage that affected several prefixes in the county August 13 was resolved early August 14. The sheriff said residential land lines with the prefixes 837, 845, and 863 were out of service August 13. During the outage, 9-1-1 service was available by cell phone in the affected areas until repairs were made. Source: http://www.doorcountydailynews.com/news/details.cfm?clientid=28&id=42566

52. August 13, Arizona Daily Sun – (Arizona) Lightning knocks out cable TV Sunday night. Thousands of Flagstaff, Arizona residents lost cable when lightning struck a utility pole in Kingman the evening of August 12. The lightning caused a fire and damaged lines attached to that pole including those associated with Suddenlink Communications, a spokesperson for the cable television services company said. It took nearly 6 hours for services to be restored, although Suddenlink crews were not allowed to repair the damaged lines until being cleared by emergency officials late August 12. Source: http://azdailysun.com/news/local/lightning-knocks-out-cable-tv-sunday-night/article_82a1eb5c-e598-11e1-b0c9-001a4bcf887a.html

For more stories, see items 44 and 50 above in the Information Technology Sector