Department of Homeland Security Daily Open Source Infrastructure Report

Monday, April 12, 2010

Complete DHS Daily Report for April 12, 2010

Daily Report

Top Stories

 KRIV 26 Houston reports that almost 150 people were evacuated from the Wallis State Bank building in west Houston on Thursday after a mysterious white powder was found in a letter received in the mailroom. (See item 16 below in Banking and Finance Sector)

 According to the Associated Press, two Ohio National Guard F-16s came so close to an Atlantic Southeast Airlines flight over southern Ohio on Thursday that they triggered a cockpit alarm in the commuter plane.

18. April 9, Associated Press – (Ohio) Authorities: F-16s neared commercial jet over Ohio. Two military fighter jets came so close to a commercial flight over southern Ohio this week that they triggered a cockpit alarm in the commuter plane, authorities said Friday. Atlantic Southeast Airlines Flight 5202, a 70-seat commuter jet, was flying from Cleveland to Atlanta on Thursday when its two pilots saw the F-16s at 10 a.m., the airline said. The plane remained on its flight plan and landed safely and on time in Atlanta, a spokesman said Friday. Radar showed the Ohio National Guard F-16s were flying at 30,000 feet when they should have been no higher than 29,000 feet, an Federal Aviation Administration spokesman said. The commercial plane “encountered two F-16s and they had a near-miss incident,” he said. Pilots contacted controllers, who cleared them to climb to 36,000 feet as a precaution. Source: http://www.chron.com/disp/story.mpl/ap/nation/6951308.html

Details

Banking and Finance Sector

10. April 9, KPRC 2 Houston – (Texas) ‘Reckless’ robber holds up another bank. A man the FBI has dubbed the “reckless robber,” who is suspected in bank robberies across the state, robbed a Spring bank on Thursday, KPRC Local 2 reported. FBI officials said the man robbed the Wells Fargo Bank in the 1400 block of Spring Cypress Road at about 10 a.m. Investigators said he entered the bank and loudly announced that he was committing a robbery. The man pulled out a gun, went up to the teller’s counter, threw a red mesh bag down and demanded that cash be put in the bag. Detectives said he put the gun to the head of one of the tellers and threatened to hurt him if his demands were not met. The robber was described as white or Hispanic, 35 to 40 years old, 5 feet 10 inches to 6 feet tall with a stocky build, light complexion and clean-shaven with short hair. He was last seen wearing a blue short-sleeved work shirt with a city of Houston patch on the chest pocket, dark pants and sunglasses. Investigators said the “reckless robber” is believed to be responsible for more than a dozen bank robberies in the Houston area and several in Austin and San Antonio. Source: http://www.click2houston.com/news/23100226/detail.html


11. April 9, LAS Newswire – (Illinois) Former financial advisor faces stock fraud arbitration over multi-million dollar ponzi scheme. A former financial planner with the respected firm LPL Financial is the subject of stockbroker arbitration stemming from allegations that the Grayslake, Illinois resident operated a Ponzi scheme that successfully conned millions of dollars from unwitting investors over the course of a decade. The allegations claim that the financial planner accepted money from clients under the guise of investments on behalf of an LPL account that would open new opportunities for clients. Financial Industry Regulatory Authority documents suggest that the planner actually diverted the money to a personal account to furnish his lavish lifestyle and alleged gambling addiction. “The Ponzi scheme was brazen and obvious and kicked up dozens of supervisory red flags,” the prosecuting attorney said. “[He] was an addicted gambler with unpaid gambling debts and living a lifestyle far outside of his financial means. This scheme should have been detected and stopped right after it started.” The planner died shortly after his scheme was exposed. Source: http://www.lawyersandsettlements.com/articles/13918/stock-broker-fraud-arbitration-16.html


12. April 9, Commercial Appeal – (National) Morgan Keegan fraud alleged — SEC, states aim at ‘Kelsoe’ funds, $2B loss. Federal and state regulators took action Wednesday against Morgan Keegan & Company, alleging that fraud and misrepresentation contributed to about 13,000 investors losing $2 billion. The U.S. Securities and Exchange Commission’s enforcement division is seeking civil penalties and repayment of whatever gain the Memphis-based investment firm experienced from the alleged fraud, which involved securities backed by subprime mortgages. Mississippi, Alabama, Kentucky and South Carolina mounted their own probe as their regulatory agencies filed notices of intent to revoke Morgan Keegan’s registrations and to impose penalties. Meanwhile, the Securities Division of Tennessee’s Department of Commerce and Insurance notified Morgan Keegan on Wednesday that it also started administrative action. All the action is civil; no criminal charges are involved. The states’ probe focused on six bond funds sold by Morgan Keegan that drained thousands of investors’ funds, especially between March 31, 2007, and March 31, 2008. The states singled out four Morgan Keegan employees and requested that they be barred from the securities industry. In a separate action, the SEC alleged that during the first half of 2007, a Morgan Keegan, Kelsoe fund accountant and Morgan Asset Management fraudulently overstated the value of securities backed by subprime mortgages. An administrative law judge now has 300 days to make a finding on the SEC allegations. Source: http://www.americanchronicle.com/articles/yb/143508085


13. April 8, Wired – (Arizona) Identity thieves filed for $4 million in tax refunds using names of living and dead. A group of sophisticated identity thieves managed to steal millions of dollars by filing bogus tax returns using the names and Social Security numbers of other people, many of them deceased, according to a 74-count indictment unsealed in Arizona Thursday. The thieves operated their scheme for at least three years from January 2005 to April 2008, allegedly filing more than 1,900 fraudulent tax returns involving about $4 million in refunds directed to more than 170 bank accounts. The conspirators used numerous fake IDs to open internet and phone accounts, and also used more than 175 different IP addresses around the United States to file the fake returns, which were often filed in bulk as if through an automated process. A self-described hacker from California was the ringleader of the group. He conspired with another man from Arizona, who is still at large, and at least one other conspirator who was arrested in Utah in 2008. The two are charged with 35 counts of wire fraud, 35 counts of identify theft, one count of unauthorized computer access, and two counts of mail fraud. Authorities are also seeking a monetary judgment in the amount of $5.5 million. The scam took advantage of the IRS’ quick turnaround in processing refunds for electronically filed returns. The investigation began in May 2007, when the IRS zeroed in on a business bank account one of the thieves opened at Compass Bank in Arizona that appeared to be set up to receive fraudulent refunds. The account, in the name of Carter Tax & Accounting, accumulated $340,000 from 200 fraudulent returns, which he allegedly converted to cashier’s checks. Source: http://www.wired.com/threatlevel/2010/04/fake-tax-returns/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index+(Wired:+Index+3+(Top+Stories+2))&utm_content=Google+Feedfetcher


14. April 8, New York Times – (International) Privacy issues hinder plan on tracking terror assets. The United States stands ready to cooperate if plans for a new European Union system for tracking terrorism financing come through, a senior Treasury Department official said in Madrid on Thursday. But he would not say whether that cooperation would go so far as to share American bank account data. Speaking on the eve of a meeting between American and European justice and interior ministers, the American treasury official, the under secretary for terrorism and financial intelligence, said Washington was committed to working with any new European system “under the basis of reciprocity.” Asked whether that might involve allowing European terrorism investigators direct access to data from American bank accounts, he would not say. In terms of overall investigative cooperation, he said, “You have to create the right circumstances, but we would cooperate.” Source: http://www.nytimes.com/2010/04/09/world/europe/09spain.html?partner=rssnyt&emc=rss


15. April 8, KSAZ 10 Phoenix – (Arizona) Police: Bank robber threatened tellers with explosives. A 72-year-old man has been arrested after police say he robbed a Compass Bank located inside an Albertson’s supermarket in Prescott. Prescott Police say that he entered the bank, showed tellers a handgun, and claimed he had put explosives in the store Thursday afternoon. He robbed two tellers of an undisclosed amount of cash, as well as some personal money, according to police. He was taken into custody immediately after he exited the bank. The store was evacuated and searched for explosives, but nothing was found. He is being held at the Yavapai County Jail on three counts of armed robbery, two counts of aggravated assault, and two counts of kidnapping. He is being held on a $500,000 bond pending his next court appearance. Source: http://www.myfoxphoenix.com/dpp/news/crime/bank-robber-explosives-4-8-2010


16. April 8, KRIV 26 Houston – (Texas) White powder mailed to west Houston office. Almost 150 people were evacuated from a building in west Houston after a mysterious white powder was found in a letter received at one of the offices. Houston firefighters arrived at approximately 2 p.m. Thursday to the Wallis State Bank building on Town and Country Lane after learning of the opened letter in the mailroom in the Tax Masters, Inc. office. A Houston Fire Department spokesman said that 20 people who were in the mailroom when the powdery substance was discovered were escorted out of the office and isolated. Investigators, including U.S. Postal Service officials, are trying to identify the substance, but tests so far have not yielded any positive results for toxic contamination. Source: http://www.myfoxhouston.com/dpp/news/local/100408-white-powder-mailed-to-west-houston-office


Information Technology


42. April 9, IDG News Service – (International) Black Hat to address emerging Web threats. The Black Hat security conference will kick off next week in Barcelona, with training sessions and briefings from top security researchers. One of those presentations will focus on a way to insert a backdoor into SAP’s enterprise resource planning applications. SAP’s business software is often the core of a company’s operations and is used to manage invoicing, human resources, procurement and billing, among many other functions. SAP’s software uses databases from companies such as Oracle, said the director of research and development for Onapsis, a company that focuses on penetration testing for SAP systems and others such as Oracle’s PeopleSoft and JD Edwards enterprise applications. Many companies do not configure the Oracle database correctly, which makes the SAP system vulnerable to attack. “What we have found is, it is possible instead of modifying the program you can connect to the database and modify the code directly in the database,” the Onapsis researcher said. The problem with SAP and the Oracle database has been known for a few years, although Onapsis recently figured out how to slip a “backdoor” into a program in the database that can then send data to a remote hacker. Since the Oracle database does not conduct an integrity check of the source code, the attack would be difficult to detect. It would allow an attacker, for example, to forward all information related to a new customer account. It could also let a hacker modify shipping orders or collect the log-in details when employees log on to the SAP system, he said. Source: http://www.computerworld.com/s/article/9175138/Black_Hat_to_address_emerging_Web_threats


43. April 9, DarkReading – (International) Cisco WLAN flaws may be typical of many proprietary systems, researcher says. Researchers at Black Hat Europe will outline vulnerabilities in Cisco wireless LAN technology they say may be indicative of flaws that exist in other proprietary technologies as well. In a session called “Hacking Cisco Enterprise WLANs,” researchers employed by German penetration-testing firm ERNW — will offer a look at some of the flaws found in existing, proprietary Cisco wireless LAN products. In the presentation, the researchers will demonstrate how proprietary technologies — particularly older technologies that are no longer strategic to the vendor — often fail to receive the vulnerability assessments and scrutiny of more current Web- and standards-based technologies. The ERNW researchers evaluated three generations of Cisco wireless LAN products, ranging from the first-generation Cisco Structured Wireless-Aware Networks (SWANs) first introduced a decade ago to the more current Cisco Unified Wireless Network (CUWN). In each case, they found flaws that were relatively easy to spot and would not be difficult to exploit. For SWAN, the researchers took a hard look at Cisco’s proprietary Wireless LAN Context Control Protocol (WLCCP), which enables wireless access points to communicate. They found a number of flaws in the authentication methods used by the APs that could allow an attacker to extract cryptographic material — including the encryption keys used on the wireless network. A key point of the presentation, is to point out that proprietary systems often are not vetted and tested as scrupulously as more mainstream systems. Source: http://www.darkreading.com/vulnerability_management/security/perimeter/showArticle.jhtml?articleID=224202409


44. April 9, The Register – (International) Adobe Reader security updater to be unveiled next week. Under criticism for applications that are hard to patch, Adobe Systems will unveil a mechanism that automatically downloads and installs security updates for its widely used PDF programs. The software maker announced the updater for its Reader and Acrobat apps in October and used it with beta testers for patches issued in January and February. The system will go live on April 13 with the release of its quarterly release of security bulletins. In a blog post published Thursday, a member of Adobe’s security team said the updater will be individually tailored for Windows and Mac OS X operating systems and will allow users to turn off the feature if they want. In addition to disabling automatic updating, Windows users will also be able to automatically download updates and choose to install them later. Mac users don’t have this additional option. The updater will be used to push out critical updates for Reader versions 9.3.1 and 8.2.1. Tuesday’s updates will coincide with 11 updates Microsoft will release to patch 25 vulnerabilities in Windows, Office, and Exchange. Source: http://www.theregister.co.uk/2010/04/08/adobe_reader_updater/


45. April 8, The Register – (International) MS preps 5 Windows critical fixes for busy Patch Tuesday. Microsoft has lined up 11 patches that collectively address 25 security vulnerabilities as part of its April Patch Tuesday security update. Five of the scheduled patches fix critical flaws, all involving Windows vulnerabilities. All supported versions of Windows are addressed by this much heavier than usual update batch. “Important” patches for Microsoft Office and Microsoft Exchange are also being loaded up for delivery April 13. Microsoft is due to fix two open zero-day vulnerabilities, notes the CTO at vulnerability scanning services firm Qualys. These are the F1 attack through Internet Explorer and the SMBv2 Denial of Service vulnerability, which only affects Windows 7 and Windows Server 2008. Critical updates from Adobe are also due April 13, fixing well-publicized flaws in the company’s Reader PDF client software. The Adobe updates are due as part of a quarterly patch batch. More and more vendors have begun updating regular patching cycles, either monthly or quarterly, to help sysadmins predict and manage patching workloads. In the latest move in this industry-wide trend, Oracle announced on Thursday that it had moved Solaris updates onto its pre-existing quarterly security patch release schedule. Around a third (16 out of 47) of the vulnerabilities Oracle plans to address April 13 involve Sun Solaris. Eight might be remotely exploitable without authentication. Source: http://www.theregister.co.uk/2010/04/09/ms_april_patch_tuesday_pre_alert/


Communications Sector

46. April 9, PC Magazine – (National) FCC may tweak broadband plan after Comcast ruling. Despite a recent ruling that said the Federal Communications Commission did not have the right to interfere in Comcast’s network management issues, the agency is pushing ahead with its national broadband plan, though there might be some tweaks. “The Comcast/BitTorrent opinion has no effect at all on most of the plan,” the general counsel for the FCC wrote. “Many of the recommendations for the FCC itself involve matters over which the commission has an ‘express statutory delegation of authority.’ These include critical projects such as making spectrum available for broadband uses, improving the efficiency of wireless systems, bolstering the use of broadband in schools, improving coordination with Native American governments to promote broadband, collecting better broadband data, unleashing competition and innovation in smart video devices, and developing common standards for public safety networks.” Those thoughts were echoed by the FCC chairman, who acknowledged that the court’s decision “may affect a significant number of important plan recommendations.” That includes: strengthening public safety communications; cyber security; consumer protection, including transparency and disclosure; and consumer privacy. Source: http://www.pcmag.com/article2/0,2817,2362444,00.asp