Wednesday, September 29, 2010

Complete DHS Daily Report for September 29, 2010

Daily Report

Top Stories

 Seven people were injured when the West Seattle Water Taxi impacted the seawall in Seattle, Washington September 26. (See item 24)

24. September 26, West Seattle Herald – (Washington) Water taxi impacts seawall; Several injured. The West Seattle Water Taxi impacted the seawall in Seattle, Washington September 26 at about 11:30 a.m., and seven people were injured. The Rachel Marie hit the historic Pier 50 at approximately 7 mph. One person fell in the water and was rescued. Seventy-eight passengers and crew were aboard at the time. Those injured were taken to the waterfront division of the Seattle Fire Department (SPD) or to the hospital. A SPD lieutenant said there was no known cause at this time, but that all possibilities including pilot error would be examined. One crewman on the dock suggested that it was mechanical error. After impact, the packing gland around the propeller failed causing the vessel to take on water. This was dealt with by the crew. At no time was the vessel in danger of sinking. The Rachel Marie was towed out by a tugboat around 2:30 p.m. While a piling was clearly damaged along the seawall and the front of the boat was damaged, it appeared that the windows on the front of the vessel took the brunt of the impact. Two of them were smashed in. The U.S. Coast Guard will take the lead in the investigation. Source:

 A gunman wearing a ski mask and brandishing a rifle entered a library at the University of Texas at Austin September 28 and fired several shots before taking his own life, university officials said. No other injuries were reported. (See item 38)

38. September 28, ABC News – (Texas) Shots fired at University of Texas Austin, cops hunt possible second suspect. A gunman wearing a ski mask and brandishing a rifle entered a library at the University of Texas at Austin September 28 and fired several shots before taking his own life, university officials said. Officials said a suspect brought a semi-automatic gun to the school’s library. Police are still looking for a possible second suspect and the campus, site of an infamous 1966 school shooting, remains on lockdown. “The armed suspect is dead. No other injuries have been reported,” the university president wrote in a campus e-mail. An e-mail and text alert was sent to students and faculty around 8 a.m., just as the day’s first classes were beginning, warning that an “armed subject was reported last seen at Perry Castaneda Library” and telling students to remain in place. Source:


Banking and Finance Sector

13. September 28, Roanoke Times – (Virginia) Blacksburg bank hit again by phishers seeking info. For the third time this year, the National Bank of Blacksburg, Virginia has become the target of a scam that attempts to obtain account information from customers. About 6 p.m. September 25, several people called Blacksburg police to report that they had received text messages from National Bank asking them to respond with bank account and personal identification information, a sergeant said. The texts are part of a phishing scam, he said, attempting to gain personal information through the use of fraudulent messages that appear to come from a legitimate business. Similar scams using National Bank’s name happened in April and May. “As soon as we learned of the scam late on Saturday afternoon, we started working with our security consultants to have the criminals’ telephone number deactivated,” said National Bank’s chairman, president and CEO. Source:

14. September 27, Network World – (National) 6 tips for guarding against rogue sys admins. The vice president of the fraud program at the BITS Financial Services Roundtable said there has been an increase in insider incidents among U.S. financial services firms. “You have intentional breaches like theft of financial or proprietary information and placement of logic bombs and malware, but you also have the unintentional breaches caused by insiders such as employees accidentally opening an infected file, installing unauthorized software or threats from social media,” the vice president said. “We’ve seen an increase in the intentional and the unintentional” insider-related security breaches. Network World spoke with CISOs and IT security experts about what practical steps IT departments can take to minimize the insider threat. Their advice is: Restrict and monitor users with special privileges; Keep user access and privileges current, particularly during times of job changes or layoffs; Monitor employees found guilty of minor online misconduct; Use software to analyze log files and to alert when anomalies occur; Consider deploying data-loss prevention technology; and educate employees about the insider threat. Source:

15. September 25, Wall Street Journal – (National) Credit unions bailed out. Two years after the peak of the financial crisis, the federal government swooped in to stabilize a crucial part of the credit-union sector battered by losses on subprime mortgages. Regulators announced September 24 a rescue and revamping of the nation’s wholesale credit union system, underpinned by a federal guarantee valued at $30 billion or more. The majority of retail credit unions are sound, but they will have to shoulder the losses through special assessments over the next decade. The moves include the seizure of three wholesale credit unions, plus an unusual plan by government officials to manage $50 billion of troubled assets inherited from failed institutions. To help fund the rescue, the National Credit Union Administration plans to issue $30 billion to $35 billion in government-guaranteed bonds, backed by the shaky mortgage-related assets. Source:

16. September 25, – (Arizona) Device detonated at bank near Anthem following robbery. A bomb scare took place outside a bank near Anthem, Arizona September 24. Workers at a Bank of America witnessed a robbery and a bomb scare just before closing at the location on Daisy Mountain and Gavilan Parkway. Police said a man walked into the bank and handed a note to the teller demanding money. The suspect also told the teller there was a bomb outside. Workers immediately called 911, and Maricopa County deputies found a small device left on the front door of the bank when they arrived at the scene. The bomb squad detonated the device. Authorities said they are still not sure what the device was. The suspect remains at large. Source:

17. September 24, Memphis Commercial Appeal – (Mississippi; Tennessee) Southaven couple plead guilty to fraud charges. A Southaven, Mississippi couple have pleaded guilty to federal wire and mail fraud charges stemming from a scam involving insurance checks totaling nearly $700,000. They admitted to siphoning money from the woman’s employer, Direct General Insurance Corp. of Memphis, Tennessee by creating fraudulent checks on insurance claims. She was a claims adjuster at Direct General whose job was to issue claims checks for legitimate claims. According to a criminal complaint, she created fraudulent checks on existing insurance claims by adding her name or her husband’s as payees. She also created checks for her husband and for an unspecified number of others in Mississippi who then would give the defendants a percentage of the checks, according to court documents. The fraud, which occurred between December 3, 2004, and March 6, 2009, totaled $678,704.26, court records show. The couple entered guilty pleas the week of September 20. Source:

18. September 24, Lincoln Journal Star – (Nebraska) Lincoln golf courses, restaurant sources of credit card leaks. Two Lincoln, Nebraska golf courses and a restaurant said they are the sources of more than 200 credit and debit card numbers stolen recently from Lincoln-area residents. In a news release September 24, Wilderness Ridge golf course and restaurant and Hidden Valley Golf announced they had uncovered a security breach that exposed the card numbers of its recent customers. “All offending systems were immediately shut down,” the release said. It is not clear how far back the breach stretched. The Lincoln police chief said one affected cardholder had not been to either business since March. As of the morning of September 24, police had taken 225 reports of credit and debit card fraud they believe to be connected, an officer said. Police suspect the number of victims to be far greater because some people have chosen to handle the fraud through their banks instead of filing police reports. Source:

For another story, see item 41 below in the Information Technology Sector

Information Technology

40. September 28, Help Net Security – (International) U.S. leads the way in malware and firewall attacks. The United States has overtaken India and Russia to become the biggest producer of viruses once more, according to Network Box. The United States is now responsible for 12 percent of the world’s viruses, up from 4 percent from August, when the United States trailed both India and Russia. India takes second place with 7.17 percent, after its virus production declined by 6.56 percent. Russia, which was in third place, has dropped to fifth after a fall of 5.53 percent, to be replaced by Korea, which saw an increase in production of 0.27 percent (reaching 6.29 percent of virus production). Viruses produced in the United Kingdom have dropped again (by 0.29 percent). The United Kingdom has now dropped from fourth largest producer in July, to tenth in September. The United States and India still dominate when it comes to spam production, being responsible for 10.79 and 6.88 percent of the world’s spam, respectively. Russia has replaced Brazil as the third largest spam producer, after an increase of 2.53 percent from last month, to 6.04 percent of the world’s spam. The majority of firewall attacks still originate from the United States (18.65 percent) — in fact there was a slight increase of 0.32 percent in September. Source:

41. September 28, SC Magazine UK – (International) Email spam campaigns continue to rise as LinkedIn users targeted. A significant e-mail spam campaign was detected September 27 which targeted the LinkedIn social media community. Targets were e-mailed an alert link with a fictitious social media contact request and after clicking the link, victims were taken to a Web page that said “please waiting ..... 4 seconds,” which redirected them to the Google homepage. According to Cisco, during those four seconds, the victim’s PC was infected with the Zeus data theft malware by a drive-by download. It detected that within a 15-minute interval, these messages accounted for as much as 24 percent of all spam sent. Cisco advised organizations to encourage individuals to delete such requests, especially if they do not know the name of the contact and suggests that the criminals behind this attack are most interested in employees with access to financial systems and online commercial bank accounts. Source:

42. September 27, TrendLabs Malware Blog – (International) ZeuS now uses false download URLs. A TrendLabs Malware blogger has recently been seeing ZeuS variants whose default configuration file references a suspicious list of URLs from which it can download backup configuration files. This particular list is from a ZeuS variant detected by Trend Micro as TSPY_ZBOT.BVQ. The list from its configuration file seems longer than most of the typical ZeuS variants and the domain names looked atypical. When checked, all of these URLs are already inaccessible and most of the domains are unregistered. In addition, the list of URLs does not include, where its drop zone and updated copy are located. It is typical of ZeuS variants’ drop zones, updated copies, and configuration files to be contained in the same domain. Cybercriminals using ZeuS intentionally did this to prevent security researchers from easily gathering information on their activities. Alternately, these extra URLs can be used as backup update locations, just in case the main location is taken down. Source:

43. September 27, The Register – (International) Microsoft to issue emergency patch for ASP.Net vuln. Microsoft was slated to release an emergency patch September 28 that plugs a security hole in a variety of its Web developer tools that has been under active attack for more than 1 week. The vulnerability in ASP.Net applications allows attackers to decrypt password files, cookies, and other sensitive data that is supposed to remain encrypted as they pass from the server to a Web browser. It works by flooding a server with thousands of corrupted Web requests and then analyzing the error messages and other responses that result. The series of responses is known as a “cryptographic padding oracle” that over time delivers information from which an attacker can deduce the secret key used to scramble the communications. The vulnerability was disclosed the week of September 13 at the Ekoparty conference in Argentina. Microsoft soon responded with an advisory that warned that the vulnerability was under “limited attack.” It recommended that users implement several temporary measures to make the exploits harder to carry out. Source:

44. September 27, Help Net Security – (International) Google warns Gmail users on spying attempts from China. Recently, a number of users have been witnessing a glaring red banner popping up when they accessed their Gmail account, saying “Warning: We believe your account was recently accessed from: China (IP ADDRESS)”. ThreatPost reports that among the seemingly random victims — gamers, doctors, media consultants — was also a member of Privacy International in the United Kingdom. Even though his Gmail account is wholly unconnected with his work for the human rights organization, he said that it is possible that he was targeted because of a EU-China Human Rights Network seminar during which he discussed freedom of speech issues and differences between the EU and China on that account. All users who have been similarly warned are advised by Google to change their passwords. Technolog asked Google to comment on the occurrence, and they said that the banner is simply part of the security feature introduced in March. Source:

45. September 27, Computerworld – (International) Stuxnet worm can re-infect scrubbed PCs. A security researcher September 27 revealed yet another way that the Stuxnet worm spreads, a tactic that can re-infect machines that have already been scrubbed of the malware. Previously, researchers had spotted several propagation methods in Stuxnet that ranged from spreading via infected USB flash drives to migrating between machines using multiple unpatched Windows bugs. The manager of operations on Symantec’s security response team said he had found another way that the worm spreads. According to the manager, Stuxnet also injects a malicious DLL into every Step 7 project on a compromised PC, ensuring that the worm spreads to other, unaffected PCs whenever an infected Step 7 file is opened. Source:

46. September 27, The H Security – (International) Spamhaus launches whitelist. Spamhaus, previously known mainly for its anti-spam blacklists, is launching an online whitelist project. Spamhaus said that checking whitelists as well as blacklists allows users to improve their spam filtering. According to Spamhaus, e-mails originating from whitelisted mail servers can pass unfiltered, while e-mails from blacklisted servers can be blocked as before. As a consequence, fewer e-mails than before need to be processed via more elaborate secondary filters. Reportedly, this reduces processing loads and errors. The Spamhaus whitelist is to include “qualified corporations” such as banks, accounting firms, and airlines as well as medical centers and government agencies. In its announcement, Spamhaus said the mail servers of large telecommunications providers and ISPs, which jointly generate a major proportion of the e-mail traffic worldwide, as well as the senders of solicited bulk e-mails are not eligible for whitelisting. Priority treatment of such senders can be achieved via a separate whitelist that Spamhaus said is in preparation, or via a project with a wider scope such as DNSWL. Source:

Communications Sector

47. September 27, Sikeston Standard Democrat – (Missouri) Signal loss leads to weekend Charter cable and Internet outage. Approximately 13,000 Charter Communications customers in and between Cape Girardeau and Sikeston, Missouri, were affected by disrupted cable television and Internet services September 25. The outage happened just before 1 p.m. when most channels froze or went out completely while Internet services went out. The government relations manager for Charter said the company experienced a signal loss at the interconnect between Fredericktown, Missouri, and Cape Girardeau. Source:

48. September 27, Danbury News-Times – (Connecticut) Metro-North severs telephone line in Branchville. Workers readying the ground for the modernization of the Danbury-to-Norwalk Metro-North train line accidentally severed an AT&T cable near the Branchville station in Ridgefield, Connecticut, September 26, cutting telephone and cable TV service to many in the Georgetown area. A spokeswoman for Metro-North said crews were repairing the damaged line September 27. However, she said the repair involved splicing about 600 wires together. She said crews plowing the ground near the Branchville station cut the line. The crews are doing preliminary work on the $53 million project to modernize the signaling system along the 24-mile railroad line. She said Metro-North had done its due diligence with utilities, including AT&T, to find any cable in the area before it began the work. Source:

49. September 27, Associated Press – (National) Report: U.S. would make Internet wiretaps easier. The U.S. President’s administration is pushing to make it easier for the government to tap into Internet and e-mail communications. But communications firms may be wary of its costs and scope. Frustrated by sophisticated and often encrypted phone and e-mail technologies, U.S. officials said law enforcement must improve its ability to eavesdrop on conversations involving terrorism, crimes or other public safety issues. Critics worry the changes might make citizens and businesses more vulnerable to identity theft and espionage. The new regulations that would be sent to Congress in 2011 would affect American and foreign companies that provide communications services inside the U.S. It would require service providers to make the plain text of encrypted conversations — over the phone, computer or e-mail — readily available to law enforcement, according to federal officials and analysts. Source:

50. September 27, Agence France-Presse – (International) French police dismantle mobile phone hacking ring. French police busted a network of mobile phone hackers, a fraud worth millions of euros, and arrested nine people, including employees of cellular phone companies, investigators said September 26. Three people were still in custody September 26 following the arrests across the country that came after a year-long investigation into the network, which had been operating for a decade and is the first of its kind in France, according to officials in an investigative unit of the Marseille gendarmerie. Investigators explained that fraudsters purchased codes to unlock SIM cards for $4 each from high-ranking phone company employees, who had access to company databases. The network subsequently sold the codes on the Internet for $40. The money earned from these sales was put into tax-free overseas bank accounts. With the codes, individuals could access any SIM card, even foreign cards, with their mobile phones. The investigation began at the end of 2009 after a complaint at French phone company SFR in the southern city of Marseille about discrepancies in its security system. Two other companies, Bouygues Telecom and Orange, were also affected by the fraud. Source:
