Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, May 6, 2010

Top Stories

 According to WHNT 19 Huntsville, a spokesperson for Redstone Arsenal near Huntsville, Alabama confirmed that two Amtec contractors were hurt Wednesday morning in a chemical explosion at a building at the Aviation Missile Research Development & Engineering Center. The contractors were demilitarizing a tactical missile. (See item 11)

11. May 5, WHNT 19 Huntsville – (Alabama) Emergency crews respond to explosion at Area 10 on Redstone Arsenal. A spokesperson for Redstone Arsenal confirmed two people were hurt Wednesday morning in a chemical explosion at Test Area 10, as they were working to get rid of ammonium perchlorate, a chemical used in rocket fuel. The explosion happened at approximately 8:45 a.m. at Building 7352, the Aviation Missile Research Development & Engineering Center. The Arsenal says Amtec contractors were demilitarizing a tactical missile. They were working to separate ammonium perchlorate from other chemicals, and during the process, something exploded. The building they were in exploded, but the roof and sides of the building were designed to take the force of the explosion, blow off, and protect the workers. The Arsenal said the building fell apart just as it was supposed to. Huntsville Police, Huntsville Fire, and HEMSI responded to the Arsenal shortly after the explosion to help. According to a HEMSI spokesman, paramedics treated two men at the scene. Both are civilian workers. One was taken by helicopter to the UAB Burn Center in Birmingham, and the second person was taken by helicopter to Huntsville Hospital. After the explosion, the Arsenal sent an email to workers in nearby buildings to let them know about it, and to say the situation was not an exercise. In the email, they asked workers to stay inside until they hear otherwise. A spokesperson says investigators will look into the situation closely to find out what went wrong in this case, so it does not happen again. Source: http://www.baltimoresun.com/whnt-explosion-redstone-arsenal-050410,0,956773.story

 The Louisville Courier-Journal reports that Insight Communications has restored cable to about 300,000 customers in the Louisville area and in parts of Lexington and northern Kentucky. The Tuesday outages were caused by a broken router and the subsequent failure of Insight’s backup routers at its Lexington service center. (See item 55)

55. May 4, Louisville Courier-Journal – (Kentucky) Insight fixes problem, restores service to tens of thousands of TV customers. About 300,000 cable customers in the Louisville area woke up Tuesday morning with no television coming from Insight Communications. Thousands more in the Lexington area and northern Kentucky were also affected. The problem was fixed between mid-morning and 1:30 p.m. Insight phone and Internet service remained intact. Caused by a broken router and the subsequent failure of Insight’s backup routers at its Lexington service center, the television blackout affected all Louisville-area subscribers, an Insight spokesman said. “It is the largest video outage that I am aware of,” he said, in the company’s 10-year history in Louisville. By 10 a.m., Insight restored high-definition service, he said. Technicians replaced routing equipment and restored all service to the Louisville region by 1:30 p.m. Early Tuesday morning, Insight’s customer service lines were so deluged with calls that a customer said he could not get through with his complaint. Source: http://www.courier-journal.com/article/20100504/NEWS01/5040329/1003/BUSINESS/Insight+fixes+problem++restores+service+to+tens+of+thousands+of+TV+customers

Details

Banking and Finance Sector

14. May 5, Associated Press – (International) 3 dead in fire at Greek bank during Athens riots. Three people died when an Athens bank went up in flames Wednesday as tens of thousands of Greeks took to the streets to protest harsh spending cuts aimed at saving the country from bankruptcy. Tear gas drifted across the city’s center as hundreds of rioters hurled paving stones and Molotov cocktails at police, who responded with heavy use of tear gas. At least two buildings were on fire. The fire brigade said the bodies were found in the wreckage of a Marfin Bank branch, on the route of the march in the city center. An estimated 100,000 people took to the streets as part of nationwide strikes to protest austerity measures imposed as a condition of bailout loans from the International Monetary Fund and other eurozone governments. Source: http://www.google.com/hostednews/ap/article/ALeqM5iXUJvBknZVGqsBenIusBgBvWj5WQD9FGMT100


15. May 4, Wired – (Texas) Former con man helps feds thwart alleged ATM hacking spree. A North Carolina grocery worker is being held without bail in Houston on attempted computer hacking charges after inadvertently partnering with an undercover FBI agent in an alleged citywide ATM-reprogramming caper. The 19-year-old was arrested at a Houston flea market last month after trying a default administrative passcode on a Tranax Mini-Bank ATM there, according to the FBI. He allegedly hoped to reprogram the machine to think it was loaded with $1 bills instead of $20 bills. That would let him pull $8,000 in cash with $400 in withdrawals from a prepaid debit card. The 19-year-old ran a Web site that sold replicas of American Express Centurion Cards. He allegedly planned his ATM attacks after meeting a former Houston-area con artist through the site. Source: http://www.wired.com/threatlevel/2010/05/thor/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+wired/index+(Wired:+Index+3+(Top+Stories+2))&utm_content=Google+Feedfetcher


16. May 4, KCRA 3 Sacramento – (California) ‘Poodle Bandit’ sought in bank heists. The FBI said it is looking for a bank robber who has been dubbed the “poodle bandit.” The man is wanted in at least five bank robberies across the Central Valley. He was given the moniker because of a fluffy wig he has worn during the robberies. Officials said the man typically shows a handgun to the teller while demanding money. According to the FBI, the “poodle bandit” is wanted in the robberies of a U.S. Bank branch in Tracy on March 8, a U.S. Bank branch in Elk Grove on March 29, a Citibank branch in Fresno on April 14, a Rabobank branch in Bakersfield on April 28, and a Rabobank branch in Turlock on April 29. Surveillance photos show that the robber usually wears a dark-colored blazer, blue jeans, black gloves and glasses. Source: http://www.kcra.com/news/23454274/detail.html


17. May 4, U.S. Department of Justice – (Oklahoma) Two Oklahoma men convicted of devising and participating in stock manipulation scheme. A Tulsa, Oklahoma, attorney and another Tulsa man were convicted on March 3 by a federal jury of devising and participating in a scheme to defraud investors through the manipulation of publicly traded stocks of three companies, announced an Assistant Attorney General of the Criminal Division and U.S. Attorney of the Northern District of Oklahoma. They were each convicted of one count of conspiracy to commit wire fraud, securities fraud, and money laundering. In addition, the attorney was convicted of nine counts of wire fraud, five counts of securities fraud, five counts of money laundering and one count of making a false statement to the U.S. Securities and Exchange Commission (SEC). The other was also convicted of seven counts of wire fraud, five counts of securities fraud and one count of money laundering. According to evidence presented at trial, between April 2004 and December 2006, both men devised and engaged in a scheme to defraud investors known as a “pump and dump,” in which they manipulated three publicly traded penny stocks. A penny stock is a common stock that trades for less than $5 per share in the over-the-counter market, rather than on national exchanges. “Investors were left with nearly worthless stock while these defendants reaped more than $44 million in profits,” said an Assistant Attorney General. Source: http://www.justice.gov/opa/pr/2010/May/10-crm-515.html


18. May 3, Federal Bureau of Investigation – (California) Valley man pleads guilty in $39 million ponzi scheme. A Sherman Oaks man pleaded guilty on March 3 to 26 felony counts related to a long-running scam that offered investments in, among other things, caffeinated mints, and took approximately $39 million from 1,000 victims across the United States. The defendant pleaded guilty Monday morning in United States District Court to fraud, money laundering and tax offenses. His son pleaded guilty on April 22 to 20 felony counts related to the scheme that utilized a number of sham companies, including one called Euromints. Both face hundreds of years in federal prison when they are sentenced in the fall. Source: http://losangeles.fbi.gov/dojpressrel/pressrel10/la050310.htm


19. May 3, Government Computer News – (National) Federal mortgage watchdog agency struggles with its information security. The Federal Housing Finance Agency has not fully implemented an information security program, resulting in weaknesses in its information technology security, according to the Government Accountability Office. GAO found that FHFA did not always maintain authorization records for network and system access, and did not enforce least-privilege policies for system and application users. It also did not have adequate physical security and environmental safety controls for facilities housing IT resources. “Until the agency strengthens its logical access and physical access controls and fully implements an information security program that includes policies and procedures reflecting the current agency environment, increased risk exists that sensitive information and resources will not be sufficiently protected from inadvertent or deliberate misuse, improper disclosure, or destruction,” GAO concluded. FHFA expects to have final access control procedures in place by June that will restrict access to administrators, application users, and others authorized by the information owners. “We are moving forward expeditiously to strengthen and complete implementation of FHFA’s information security program,” the acting director wrote in response to the GAO findings. Source: http://gcn.com/articles/2010/05/03/fhfa-security-050310.aspx


Information Technology


48. May 5, IDG News Service – (International) Wi-Fi key-cracking kits sold in China mean free Internet. Dodgy salesmen in China are making money from long-known weaknesses in a Wi-Fi encryption standard, by selling network key-cracking kits for the average user. Wi-Fi USB adapters bundled with a Linux operating system, key-breaking software, and a detailed instruction book are being sold online and at China’s bustling electronics bazaars. The kits, pitched as a way for users to surf the Web for free, have drawn enough buyers and attention that one Chinese auction site, Taobao.com, had to ban their sale last year. With one of the “network-scrounging cards,” or “ceng wang ka” in Chinese, a user with little technical knowledge can easily steal passwords to get online via Wi-Fi networks owned by other people. The kits are also cheap. A merchant in a Beijing bazaar sold one for 165 yuan (US$24), a price that included setup help from a man at the other end of the sprawling, multistory building. To crack a WEP key, the kits capture data being transmitted over the wireless network and target it with a brute-force attack to guess the key. The brute-force attacks on WPA encryption are less effective. But while WEP is outdated, many people still use it, especially on home routers, said one security researcher in China. That means an apartment building is bound to have WEP networks for a user to attack. “No matter where you go, you can use the Internet for free,” the researcher said. Source: http://www.computerworld.com/s/article/9176318/Wi_Fi_key_cracking_kits_sold_in_China_mean_free_Internet


49. May 5, TechWorld – (International) Fast-spreading P2P worm targets USB drives. A crafty new P2P worm appears to be spreading quickly among users of a range of popular file-sharing programs. The worm lures victims using a link embedded in a spam IM message, which leads to what appears to be an image file but is actually the malicious payload. From that point on, the malware burrows into the host by installing a number of files that compromise the Windows XP firewall. By this point the criminals have control over the system and can open backdoors to install further malware or capture passwords entered using Internet Explorer or Mozilla Firefox. Two elements make Palevo.DP, the worm, interesting. First, it copies itself to network shares from the infected PC as well as USB sticks or other external drives. Any unprotected system with the Windows autorun feature turned on — basically almost every PC — will find itself infected as those drives are moved from PC to PC. The second feature is its targeting of P2P services by adding code to shared program files. The combination of removable media and P2P gives the worm a two-pronged attack-and-spread strategy which allows it to target home systems which are then used to launch attacks on better-defended business PCs from inside the network perimeter. Source: http://www.networkworld.com/news/2010/050510-fast-spreading-p2p-worm-targets-usb.html?hpg1=bn


50. May 4, Computerworld – (International) Foxit Reader update blocks new PDF attack tactic. PDF-based attacks are a major problem. According to recent tallies by antivirus vendor McAfee, PDF exploits were up more than eight-fold in 2009 compared to the year before, a trend that has continued thus far into 2010. Microsoft and Symantec have also noted a surge in exploits tucked into PDF documents. Last week, several security companies warned of a major malware campaign that tried to dupe users into opening rigged PDFs that exploited an unpatched design flaw in the PDF format, one attackers could use to infect users of Adobe’s and Foxit’s software. Foxit Software, the developer of a rival PDF viewer to Adobe’s vulnerability-plagued Reader, released an update Tuesday that blocks some attacks with a “safe mode” that’s switched on by default. Foxit Reader 3.3 for Windows includes what Foxit dubbed “Trust Manager,” which blocks all external commands that may be tucked into a PDF document. The new version is designed to stymie some common attack vectors that hackers use when they probe PCs for bugs in the PDF format, or in a viewer application. “The Foxit Reader 3.3 enables users to allow or deny unauthorized actions and data transmission, including URL connection, attachment PDF actions, and JavaScript functions,” the update’s accompanying text explains. Foxit 3.3 can be downloaded free-of-charge from the company’s Web site. Source: http://www.computerworld.com/s/article/9176308/Foxit_Reader_update_blocks_new_PDF_attack_tactic


51. May 4, M86 Security – (International) M86 Security Labs report details Web exploit kits. M86 Security Tuesday announced the release of its latest security report, which details the rise of distributed, monetized “exploit” kits, with M86 Security Labs counting more than a dozen new attack kits being launched in just the last six months. M86 Security Labs noted that the majority use Adobe Flash, Java classes, and PDF-based exploits. Code used in the exploit kits observed, particularly malicious JavaScript code, is often obfuscated, greatly reducing the ability of many security products to even ‘read’ the code. All kits observed pose a serious threat to Web and email, with applications that allow less technical individuals to easily and inexpensively run cyber attacks. These kits have quickly become a major driver of Internet exploits in the “wild.” M86 Security Labs also has noted that most of the exploit kits were in Russian, such as Adpack and Fragus, perhaps indicating the location of buyers. Source: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=224700717&subSection=Vulnerabilities+and+threats


52. May 4, ZDNet – (International) ‘Extremely severe’ flaw in Opera web browser. An “extremely severe” security vulnerability in the Opera browser could put web surfers at risk of remote code execution attacks, the software maker warned Tuesday. The vulnerability, now patched with the new Opera 10.53, affects Opera for Windows and Mac. Details on the flaw are scarce. In its advisory, Opera warns: “Multiple asynchronous calls to a script that modifies the document contents can cause Opera to reference an uninitialized value, which may lead to a crash. To inject code, additional techniques will have to be employed.” Source: http://www.zdnet.com/blog/security/extremely-severe-flaw-in-opera-web-browser/6355


Communications Sector

53. May 5, McMurray Almanac – (Pennsylvania) Verizon seeks to install antenna at stadium. Upper St. Clair Township Commissioners will continue a public hearing at its June 1 meeting regarding a request from Verizon Wireless to locate an antenna on an existing light post at Upper St. Clair High School stadium. At the start of the May 3 public hearing, Verizon representatives outlined their request to install an antenna on one of the light poles, as well as equipment, batteries and a diesel generator with a muffler in a locked room under the bleachers of the stadium. A commissioner questioned the problem of radio signal interference for nearby residents, and Verizon representatives stated that they monitor that issue and that the Federal Communications Commission requires them to correct any radio interference problems that surface. A township resident asked about the safety of the diesel fuel stored for use by the generator that is kept in case of electrical power failure. Verizon representatives said the fuel is kept in dual-walled steel tanks. Verizon representatives said they already had a signed agreement with the school district to place the antenna on the light pole. The representatives also said that three other cell phone companies already operate antennas on the stadium’s light poles. Source: http://www.thealmanac.net/ALM/Story/05-05-2010-USC-antenna


54. May 4, Utica Observer-Dispatch – (New York) Storm knocks out WKTV transmitter. WKTV was off air for several hours Tuesday after a weather-related power outage disabled its transmitter in Middleville, according to the station’s website. A message about the outage - which did not affect cable customers - was published to the WKTV website at about 3:45 p.m. Tuesday. As of 9 p.m., the transmitter was still off air, but a station employee said regular broadcasting was expected to resume later that evening. Source: http://www.uticaod.com/latestnews/x359588118/Storm-knocks-out-WKTV-transmitter


55. May 4, Louisville Courier-Journal – (Kentucky) Insight fixes problem, restores service to tens of thousands of TV customers. About 300,000 cable customers in the Louisville area woke up Tuesday morning with no television coming from Insight Communications. Thousands more in the Lexington area and northern Kentucky were also affected. The problem was fixed between mid-morning and 1:30 p.m. Insight phone and Internet service remained intact. Caused by a broken router and the subsequent failure of Insight’s backup routers at its Lexington service center, the television blackout affected all Louisville-area subscribers, an Insight spokesman said. “It is the largest video outage that I am aware of,” he said, in the company’s 10-year history in Louisville. By 10 a.m., Insight restored high-definition service, he said. Technicians replaced routing equipment and restored all service to the Louisville region by 1:30 p.m. Early Tuesday morning, Insight’s customer service lines were so deluged with calls that a customer said he could not get through with his complaint. Source: http://www.courier-journal.com/article/20100504/NEWS01/5040329/1003/BUSINESS/Insight+fixes+problem++restores+service+to+tens+of+thousands+of+TV+customers