Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, April 27, 2010

Complete DHS Daily Report for April 27, 2010

Daily Report

Top Stories

 According to the Associated Press, a tornado slammed into the Complex Chemicals plant and the Northrop-Grumman shipyard at the Tallulah Port in Louisiana on Saturday. The tornado also tore through Mississippi, cutting power to thousands. (See items 4 and 8)

4. April 26, Associated Press – (Mississippi) Entergy crew from Arkansas sent to tornado-ravaged area. Entergy Arkansas dispatched 75 workers to Mississippi to help restore power after a deadly tornado tore through the state Saturday. Hundreds of homes were damaged in the tornado, which carved a path of devastation from the Louisiana line to east-central Mississippi. Ten people were killed, and at least three dozen were hurt in the storm. A National Weather Service meteorologist said the tornado had winds of 160 miles an hour and left a path of destruction at least 50 miles long. Volunteers poured into the hardest-hit areas with four-wheelers, chain saws and heavy equipment to chop up downed trees and haul away the wreckage as the cleanup began. Entergy Arkansas restoration workers departed Sunday from service centers across the state. The workers began work Monday morning. Yazoo City was the hardest-hit area. Entergy Mississippi has about 1,800 customers still without power. At its peak, there were nearly 14,000 Entergy customers without power across the state. Crews from Entergy Louisiana will also provide assistance. Source: http://www.arkansasonline.com/news/2010/apr/26/entergy-crew-arkansas-sent-tornado-ravaged-area/


8. April 24, Associated Press – (Louisiana) Tornado hits chemical plant, shipyard, houses. A tornado slammed into a chemical plant and a shipyard at the Tallulah Port in Louisiana and destroyed 12 houses Saturday, damaging many others. The Madison Parish sheriff said a dozen people suffered broken bones, cuts or other injuries, and deputies had to clear fallen trees from several yards so people could get out of their houses. But he said nobody was seriously hurt. The owner of Complex Chemicals Co. said he will rebuild his plant, noting that a police report that people were trapped inside was not correct. He also said a small leak of liquid nitrogen evaporated harmlessly. A Northrop-Grumman Corp. spokesman said the shipyard would be closed Monday to assess damage. A state trooper said a tractor-trailer was overturned by the tornado shortly before the plant was hit. Source: http://www.wxvt.com/Global/story.asp?S=12370204


 WTRF 7 Wheeling reports that an Ohio man was arrested in Asheville, North Carolina after authorities said he was carrying a firearm near Air Force One, which was transporting the U.S. President to Beckley, West Virginiaon Sunday. (See item 48)

48. April 26, WTRF 7 Wheeling –(North Carolina) Ohio man arrested with gun near Air Force One. A Coshocton, Ohio, man was arrested in Asheville, North Carolina, after authorities said he was carrying a firearm near Air Force One, which was transporting the U.S. President to Beckley for the miner’s memorial April 25. The 23-year-old suspect was arrested and charged with going armed to the terror of the public. According to the Asheville Regional Airport Police, the suspect pulled into the airport rental car return parking lot in a Pontiac Grand Prix with Ohio plates. Police said the vehicle was equipped with LED law-enforcement style lights in the front and rear, as well as a mounted digital camera and four large antennas on the trunk lid. According to the release, the suspect appeared to be listening to a radio/hand-held scanner when he exited the vehicle. Officers approached the suspect and removed his firearm. Police said he told them he heard the President was in town and he wanted to see him. Police said there was a siren box located under the dash of the vehicle and a note with rifle-scope formulas in the cup holder. Source: http://www.wtrf.com/story.cfm?func=viewstory&storyid=78869


Details

Banking and Finance Sector

19. April 26, SCMagazine – (International) Blippy to hire CSO, conduct audits after credit card breach. Blippy, a Silcon Valley start-up that enables users to share details in real time about purchases they make, plans to invest millions in information security following revelations that it exposed the credit card numbers of a small number of people through Google’s search index. The co-founder and CEO of Blippy said in a blog post early Monday that as a result of the breach the company plans to hire a CSO, conduct regular third-party security audits, and install technology that strips out sensitive information from Blippy posts. In addition, the firm plans to create a central portal for users to obtain information about security and privacy. He explained that some banks, in rare instances, include credit card numbers as part of the line-item purchases shown on transaction statements. This so-called raw transaction data normally is stripped out by Blippy but, due to a “technical oversight,” it appeared within the HTML code on some Blippy pages for a half day in early February, coincidentally the same time that Google indexed the site. Source: http://www.scmagazineus.com/blippy-to-hire-cso-conduct-audits-after-credit-card-breach/article/168728/


20. April 24, Gainesville Sun – (Florida) Area man accused of $24-million Ponzi scheme. The Florida attorney general’s office has accused a Gainesville man and his partner of running a nearly $24-million Ponzi scheme and using investor money to finance a lavish lifestyle. The suspects, a 46-year-old of Gainesville, and a 38-year-old of St. Petersburg, are the principals in Botfly LLC of Bayonet Point in Pasco County. They took in $23.7 million from more than 550 investors between January 2008 and February 2010 on promises of a monthly return as high as 10 percent that they said was the result of buying and selling currency at a return of 19 percent. But a financial investigator for the state attorney general’s office reported that bank subpoenas showed only $1.1 million was invested, of which nearly $200,000 was paid back to one of the suspect’s personal bank account. Another $11.4 million from new investors was used to pay existing investors, making it a Ponzi scheme, he reported. Most of the remainder was spent on personal items. As of February, $3.8 million remained. A Pasco County circuit judge granted the attorney general’s request to freeze company and personal assets earlier in April and issued an injunction that prohibits the company from seeking new investments, destroying related documents or moving any assets. The court also granted the attorney general’s request to appoint a receiver to collect remaining assets that would go to investors. The attorney general is seeking a jury trial and has forwarded information to the Florida Department of Law Enforcement for possible criminal charges. Source: http://www.gainesville.com/article/20100424/ARTICLES/4241014/1002?tc=ar


21. April 24, WLFI 18 Lafayette – (Indiana) Local debit cards affected in breach. Lafayette, Indiana police said a national, debit-card security breach has hit close to home. According to police, this compromise has affected customers from a string of local restaurants and other businesses. And it has hit several area banks and credit unions. “I have spoken with a lot of the local financial institutions, and I know that right now the scale is over $100,000 that has affected local financial institutions,” said a Lafayette police detective. Executives at Lafayette Bank and Trust, and Purdue Employees Federal Credit Union confirmed that they have seen an increase in fraudulent activity on debit cards. The detective said he has heard from many people in the Lafayette area who say they found fraudulent charges on their bank accounts after eating at some local restaurants. “And it is not solely isolated to restaurants,” he said. “There are other businesses involved. So that leads me to believe about the third-party processor.” That means the fraud is probably not linked to any criminal activity from local employees. In fact, the detective said this security breach has been seen across the country. Source: http://www.wlfi.com/dpp/news/crime/lafayette-area-debit-cards-affected-in-security-breach


22. April 24, Federal Trade Commission – (National) FTC warns against credit-card, interest-rate reduction scams. U.S. consumers are being inundated with prerecorded “robocalls” from companies claiming they can negotiate lower credit-card interest rates – for a fee. The Federal Trade Commission urges extreme skepticism about these offers, because many of them are fraudulent. In a new consumer alert, Credit Card Interest Rate Reduction Scams, the FTC said consumers have just as much clout with their credit card issuers as these companies do. It urges consumers to avoid paying middlemen, and negotiate directly with the credit-card companies. Source: http://www.foodconsumer.org/newsite/Non-food/Miscellaneous/credit_card_interest_rate_reduction_scams_2404100850.html


23. April 24, Helena Independent Record – (Montana) New scammer phishing for card numbers. Officials with Rocky Mountain Credit Union are cautioning members not to be taken in by a scam that is attempting to lure people to give out their account numbers over the phone. According to the credit union’s marketing and business development specialist, several members — and non-members — have contacted the credit union about text messages and telephone messages they’ve received that are purportedly from Rocky Mountain Credit Union. The text message read, “Rocky Mountain CU Alert: Your CARD has been DEACTIVATED. Please contact us at 406-545-4719 to REACTIVATE your CARD.” The specialist said a call earlier this week to the number led to an automated message asking people to enter their 16-digit account numbers. A call to the number, which has a Billings prefix code, at midday April 23 resulted in a message that the mailbox at the number was full. The specialist said on April that the credit union is not aware of any members falling for the scam. The specialist said the credit union would not contact members via text or automated message. Source: http://helenair.com/news/article_3eedea7c-4f69-11df-b0cc-001cc4c002e0.html


24. April 24, Bank Info Security – (Illinois) Regulators close 7 Illinois banks. State and federal banking regulators closed seven Illinois banks April 23. Amcore Bank, a $3.8-billion bank based in Rockford was the largest of the failed institutions, followed by Chicago’s $1.2-billion Broadway Bank. These latest closings raise to 63 the number of failed banks and credit unions so far in 2010. MB Financial Bank bought the assets and deposits of two Chicago-based banks: Broadway Bank and New Century Bank. Both banks were closed by the Illinois Department of Financial and Professional Regulation Division of Banking, which appointed the Federal Deposit Insurance Corporation (FDIC) as receiver. The estimated cost to the Deposit Insurance Fund (DIF) for Broadway Bank will be $394.3 million; for New Century the cost will be $125.3 million. Amcore Bank, National Association, Rockford, was closed by the Office of the Comptroller of the Currency, which appointed the FDIC as receiver. The estimated cost to the DIF will be $220.3 million. Citizens Bank&Trust Company of Chicago, was closed by the Illinois Department of Financial and Professional Regulation Division of Banking, which appointed the FDIC as receiver. The estimated cost to the DIF will be $20.9 million. Lincoln Park Savings Bank, Chicago, was closed by the Illinois Department of Financial and Professional Regulation - Division of Banking, which appointed the FDIC as receiver. The estimated cost to the DIF will be $48.4 million. Peotone Bank and Trust Company, Peotone, was closed by the Illinois Department of Financial and Professional Regulation - Division of Banking, which appointed the FDIC as receiver. The estimated cost to the DIF will be $31.7 million. Wheatland Bank, Naperville, was closed by the Illinois Department of Financial and Professional Regulation - Division of Banking, which appointed the FDIC as receiver. The estimated cost to the DIF will be $133 million. Source: http://www.bankinfosecurity.com/articles.php?art_id=2456


25. April 23, WABC 7 New York – (New York) ATM skimmers targeting Bronx residents. High tech crooks are scamming ATM users — stealing money from their accounts, and getting more brazen with the technology. The scam has happened at branch ATMs at two Bank of America branches: one on Katonah Avenue in the Bronx, and another a few blocks away on McLean Avenue in Yonkers. Police said that all that the crooks need to steal money is two things: the card number and Personal Identification Number (PIN). The thieves slip an electronic-reader device over the card slot — most can’t even see it — and once a card is put in they have the number. Next they need the PIN, which they obtain by watching users key in the data through a tiny camera installed above the ATM. But Bank of America has its own security cameras in the vestibule, which can catch the crooks installing and then removing the electronic-reader devices. Source: http://abclocal.go.com/wabc/story?section=news/local&id=7403378


26. April 22, Krebs on Security – (Arkansas) Fire-alarm company burned by e-banking fraud. A fire-alarm company in Arkansas lost more than $110,000 this month when hackers stole the firm’s online banking credentials and drained its payroll account. On April 7, Ft. Smith based JE Systems Inc. received a call from its bank stating that the company needed to move more money into its payroll account, the chief executive said. Over the course of the previous two days, someone had approved two batches of payroll payments — one for $45,000 and another for $67,000. “They said ‘You’re overdraft,’ and I told them that was impossible because we didn’t do our payroll รข_¦ we do it every Thursday, not on Mondays at 2 a.m., which was when this was put through,” the chief executive said. “I told them we did not authorize that.” A few days later, however, the First National Bank of Fort Smith sent JE Systems a letter stating the bank would not be responsible for the loss. First National did not return calls seeking comment. “They said it was our [Internet] address that was used to process the payments, and our online banking user name and password,” the chief executive said. “I feel like the bank should have caught this. As the chief executive discovered the hard way, businesses do not enjoy the same legal protection as consumers against online banking fraud. All the attackers must do is trick an employee with access to a company’s bank accounts into opening a booby-trapped, e-mail attachment or specially crafted link. From there, the attackers can plant malware on the target’s system and siphon any credentials stored on or transmitted through the infected PC. Source: http://krebsonsecurity.com/2010/04/fire-alarm-company-burned-by-e-banking-fraud/


For another story, see item 69 below in the Communications Sector


Information Technology


60. April 26, V3.co.uk – (International) Backdoor malware targets Apple iPad. Apple iPad users are being warned of an email-borne threat which could give hackers unauthorized access to the device. The technology writer for anti-virus firm BitDefender, wrote in a blog post Monday that the threat arrives via an unsolicited e-mail urging the recipient to download the latest version of iTunes as a prelude to updating their iPad software. “A direct link to the download location is conveniently provided. As a proof of cyber-crime finesse, the Web page the users are directed to is a perfect imitation of the one they would use for legitimate iTunes software downloads,” the writer said. “Unfortunately for these users, following the malicious link means opening up a direct line to their sensitive data, as instead of the promised iTunes update they get malware on their systems.” The Backdoor.Bifrose.AADY malware opens up a back door which could let the perpetrator gain unauthorized access to the device, warned the technology writer. It also tries to read the keys and serial numbers of the software installed on the device, and logs the passwords to any Webmail, IM or protected storage accounts. Source: http://www.v3.co.uk/v3/news/2261993/malware-targets-ipads


61. April 26, RedOrbit – (International) Researchers find voltage-related RSA security flaw. Researchers at the University of Michigan have discovered a serious flaw in RSA authentication. In their report, ‘Fault Based Attack of RSA Authentication,’ computer scientists found that by altering the voltage supply to the processor of the private key holder, they could thwart a security system and gain access to the protected data. “For any computing system to be secure, both hardware and software have to be trusted,” the authors write. “If the hardware layer in a secure system is compromised, not only it would be possible to extract secret information about the software, but it would also be extremely hard for the software to detect that an attack is underway.” To test their theory, the researchers launched “a complete end-to-end fault-attack on a microprocessor system” in order to “demonstrate how hardware vulnerabilities can be exploited to target secure systems. We developed a theoretical attack to the RSA signature algorithm, and we realized it in practice against an FPGA implementation of the system under attack.” In doing so, they were able to uncover the 1024-bit private key in an about 100 hours. “Our mainstream research in this area is to make microchips operate correctly even in the face of transistor failure,” one researcher told BBC News on Monday, adding that the university researchers hope that their work will lead to both an overhaul of the RSA security system to make the public key less susceptible to this kind of attack as well as more reliable chips. “As transistors get smaller, so they are more prone to failure,” she also noted. Source: http://www.redorbit.com/news/technology/1855164/researchers_find_voltagerelated_rsa_security_flaw/


62. April 25, Register-Guard – (National) Latest phishing scam hides behind BBB name. Scammers are taking the Better Business Bureau’s name in vain, in yet anther version of the “phishing” scam, according to the agency’s Pacific Northwest office. The scammers are sending out fake complaint notices to businesses that purport to be from the BBB. The e-mails use the return address of seatac@bbb.org and the subject line refers to a “BBB Complaint Case” followed by a nine-digit number. The e-mails claim that the company receiving the “notice” has not responded to a complaint, the real BBB says. The e-mails ask companies to “click and download” the complaint. If someone at the company does this, their computer is infected with a virus, according to the BBB. “We believe this virus hacked into each computer, stealing personal information like passwords, access to personal e-mail accounts, etc.,” said the vice president of marketing for the regional BBB. The BBB for Oregon, western Washington and Alaska says that these notices have been sent to both businesses that are accredited by the BBB and those that are not. Source: http://www.registerguard.com/csp/cms/sites/web/business/24710893-41/bbb-businesses-mail-complaint-mails.csp


63. April 23, PC Magazine – (International) Twitter issues alert about phishing scam. Twitter issued a warning April 23 about phishing e-mails that tell users they have unread messages on the micro-blogging site. The e-mails, coming from a support@twitter.com e-mail address, tell members they have unread, delayed, or undelivered messages, and ask them to click a link in the e-mail to view the mystery messages. Twitter denied sending out the e-mails. The e-mail itself does not appear to contain malware, Twitter said. The link in the e-mail actually takes users to a pharmaceutical site, though to get to that site, users are re-routed through several other sites, which could contain malware. “We’re actively pursuing measures to get these sites shut down; in the meantime, we recommend that you not click on the link and instead just delete any such e-mails you receive,” Twitter said. Source: http://www.pcmag.com/article2/0,2817,2363006,00.asp


64. April 23, ZDNet – (International) Microsoft admits MS10-025 patch didn’t fix vulnerability. Microsoft has yanked security updates shipped in the MS10-025 bulletin after realizing the patch did not fix the underlying security vulnerability. The withdrawal of the bulletin means that affected Windows 2000 Server users should immediately consider applying mitigations and workarounds to avoid malicious hacker attacks. The company did not explain why the bulletin was shipped with an inadequate patch. The issue only affects Windows 2000 Server customers who have installed Windows Media Services (a non-default configuration). A Microsoft spokesman urged affected users with Internet facing systems with Windows Media Services installed to evaluate and use firewall best practices to limit their overall exposure. The MS10-025 bulletin is rated “critical” because attackers could launch remote code execution if an attacker sent a specially crafted transport information packet to a Microsoft Windows 2000 Server system running Windows Media Services. Source: http://blogs.zdnet.com/security/?p=6298


65. April 23, DarkReading – (International) Qakbot worm steals 2 GB of confidential data per week, researchers say. An emerging worm is turning up more frequently in enterprises across the Web, and researchers now estimate that the malware is stealing as much as 2 GB of confidential data per week. According to a report by Symantec’s security research team, the W32.Qakbot worm continues to pick up steam, infecting large batches of business computers as well as home users. More than 1,100 computers at the U.K.’s National Health Service are among the enterprise victims, according to news reports. “One unusual aspect of Qakbot is that even though its purpose is to steal information associated with home users, it has also been successful at compromising computers in corporate environments as well as government departments,” Symantec said. The research also found more than 100 compromised computers on a Brazilian regional government network. “Whoever is behind Qakbot has not put much effort into securing the stolen information,” Symantec reported. “Anyone with a sample of this threat who knows what they are doing will be able to access this data quite easily,” it continued. “At the time of this writing, we have only observed Qakbot stealing consumer-based information. But since Qakbot also functions as a downloader, corporate environments compromised by Qakbot could find themselves defending a more serious attack if appropriate action is not taken now.” Source: http://www.darkreading.com/vulnerability_management/security/antivirus/showArticle.jhtml?articleID=224600309


For another story, see item 19 above in the Banking and Finance Sector


Communications Sector

66. April 25, Hendersonville Times-News – (North Carolina) Morris giving credits for loss of cable service. Morris Broadband has agreed to pay credits to North Carolina consumers who experienced lengthy service outages in the fall of 2009, the state’s attorney general said. The transition from Mediacom to Morris Broadband did not go smoothly. In October 2009, company representatives said wiring problems and software glitches were to blame for thousands of customers losing their cable, Internet and phone services. Eventually the problems were fixed, and residents were able to receive cable. As part of the agreement, Morris Broadband will issue $60,000 in credits by May 14 to the remaining households and businesses that were affected by the service problems. The credits are in addition to $68,000 in credits the company has already issued. According to Morris’ estimates, about 1,800 telephone and 8,000 Internet subscribers were without service for up to 10 days. Areas affected by the problems were Hendersonville, Nebo (McDowell County), Sylva (Jackson County) and Franklin (Macon County). Source: http://www.blueridgenow.com/article/20100425/NEWS/4251068/1042/news?Title=Morris-giving-credits-for-loss-of-cable-service


67. April 25, Xinhua News Agency – (International) Rain triggers landslides, cuts telecommunications in Tibet. Torrential rain has battered southeastern Tibet Autonomous Region since April 22, triggering landslides and cutting telecommunications links, local authorities said April 25. Landslides and mud-and-rock flow cut off road traffic and caused other problems in the county, but there have been reports of any human casualties, said the secretary of the Zayu County Committee of the Communist Party of China. Communication links were also damaged, leaving the county with only one satellite phone to connect with the outside world, the secretary said. Source: http://www.istockanalyst.com/article/viewiStockNews/articleid/4058375


68. April 25, India Economic Times – (International) Undersea cable system repair may hit Internet service in India. The disruption in the SEA-ME-WE 4 undersea submarine cable system, which links South East Asia and Europe, is likely to affect the high-speed Internet services in the country, authorities said April 25. The South East Asia-Middle East-West Europe 4 (SEA-ME-WE 4) project links the two regions via the Indian sub-continent and the Middle East. The project is run by a consortium of 16 international telecom companies, including Indian majors Bharti Airtel and Tata Communications. According to sources, the disruption in the undersea cable network near Italy is likely to hit the broadband connections in India. Maintenance of the undersea cables will be carried out for the next four days, which may cause some disruption in services. However, the companies have taken various steps to minimize the impact, sources said. Source: http://economictimes.indiatimes.com/infotech/internet/Undersea-cable-system-repair-may-hit-Internet-service-in-India-/articleshow/5855874.cms


69. April 25, Jerusalem Post – (International) TAU professor tips off US over security flaw in e-passports. A Tel Aviv University (TAU) researcher has enabled the US State Department to fix security holes in its electronic passports, and now has set his sights on at-risk credit, debit and “smart” cards used by hundreds of millions of people around the world. E-passports contain biometric data, electronic fingerprints and pictures of the holder, as well as a wireless radio frequency identification (RFID) transmitter. Although the original system was designed to operate at close range, the TAU computer science professor realized hackers were able to access data from afar. Noticing this security problem, the professor helped ensure that the computer chip in American e-passports could be read only when the passports were opened. In 2007, the U.S. State Department outfitted every new passport with both a security chip and conductive fibers on the back. A U.S. Embassy spokesman told The Jerusalem Post Thursday that there had “been a problem” in the past with his country’s e-passports, but added that it had been dealt with. Now, a new study by the TAU professor has found serious security drawbacks in similar chips that are being embedded in credit, debit and smart cards. The vulnerabilities of this electronic approach – and of the private information contained in the chips – are becoming more acute, he said. Using simple devices constructed from $20 disposable cameras and copper cooking-gas pipes, the professor and his team of students have demonstrated how easily the cards’ radio frequency (RF) signals can be disrupted. The professor has suggested some small steps that can be taken to make smart cards smarter, the easiest one being to shield the card with something as simple as aluminium foil to insulate the e-transmission. Source: http://www.jpost.com/LandedPages/PrintArticle.aspx?id=173841#


70. April 23, WYMT 57 Hazard – (Kentucky) Copper thieves could be facing federal charges. Copper thieves, who hit a brand new communications tower in Kentucky could be facing federal charges. Estill County officials said burglars stole copper from the tower sometime the weekend of April 17, which knocked out a flashing light on top of the tower. Workers were able to fix the light before dark so aircraft would not be in danger. Officials said the tower was funded by federal money and would be used for 911 calls. Source: http://www.wkyt.com/wymtnews/headlines/91944199.html


71. April 23, Associated Press – (Colorado; Wyoming) Glitch at Aurora center disrupts cellphone, text service in Colo., Wyo. A software glitch at a wireless switching center in Aurora interrupted cellphone and text service for about 11 hours in most of Colorado and Wyoming on April 22. A Verizon Wireless spokesman said the problem began at about 2 a.m. April 22, with service restored at about 1 p.m. He said it appeared a software defect, not a virus, caused the outage. The switch in Aurora handles service for most of Wyoming and Colorado, with the exception of the Front Range cities of Colorado Springs, Denver and Fort Collins, which were not affected. Affected cities in Colorado included Alamosa, Vail, Aspen, Durango and Grand Junction, while affected cities in Wyoming included Laramie, Casper and Cheyenne. Source: http://www.denverpost.com/headlines/ci_14940879