Friday, September 17, 2010

Complete DHS Daily Report for September 17, 2010

Daily Report

Top Stories

 According to Defense Tech, the U.S. Navy announced September 15 it has found “significant structural” damage and corrosion in its fleet of Cyclone-class patrol coastal (PC) vessels based in Norfolk, Virginia, and forward deployed to the 5th fleet in Bahrain. (See item 34)

34. September 15, Defense Tech – (International) Navy ‘Grounds’ Cyclone class coastal patrol boats. The U.S. Navy announced September 15 it has found “significant structural” damage and corrosion in its fleet of Cyclone-class patrol coastal (PC) vessels based in Norfolk, Virginia, and forward deployed to the 5th fleet in Bahrain. According to the Navy, the vessels — 10 in all — are all “at or beyond” their 15-year service life, and recent inspections revealed frame buckling and damage to the hulls. The service said all PC operations have ceased pending repairs. The PCs have lightweight structure designed for high performance. With the exception of PC 14, they are all at or beyond their service life. The condition of the hull structure is the cumulative result of a full service life of operation including the effects of corrosion and severe operating conditions. It is not generally possible to identify one event or single root cause of the damage. The Navy is coordinating with the Coast Guard to inspect the three vessels it is borrowing for domestic patrols. The Navy is also coordinating with the Philippine navy on the one PC it obtained in 2004. Source:

 WPIX-11 reports that a former teacher at the prestigious Stuyvesant High School in Manhattan, New York was being held September 15 on charges he tried to send assault weapons to Mideast terror groups. Investigators said he also talked about bombing a police precinct and killing police officers and Jewish people in New York City. (See item 38)

38. September 15, WPIX 11 New York – (National) Officials: Ex-NYC teacher attempted to send weapons to terror groups. A former teacher at the prestigious Stuyvesant High School in Manhattan, New York was being held September 15 on charges he tried to send assault weapons to Mideast terror groups. Investigators said he also talked about killing police officers and Jews. The suspect pleaded not guilty in Bronx Supreme Court to a multiple-count indictment September 15, officials said. According to prosecutors, they have video and audio surveillance showing the suspect inside a Bronx warehouse trying to negotiate the sale of weapons to confidential informants who were working with state investigators. One investigator who worked on the case told PIX 11 News that the man talked about throwing hand grenades into a Jewish center at 74th Street and Amsterdam Avenue on Manhattan’s Upper West Side. He was also recorded talking about bombing a police precinct and voicing support for the terror group Hamas. Source:,0,2761066.story


Banking and Finance Sector

13. September 16, Bank Info Security – (International) What closed Chase Bank site? The recent outage of Chase Bank’s online banking service may point to underlying issues with outdated, legacy technology. The bank’s online service went dark September 13. The outage, which affected a service used by 16.5 million customers at the nation’s second-largest bank, apparently was caused by an internal technical problem. Service was not restored until after 1 a.m. September 15. Online customers learned of the outage September 14, when they went to Chase’s Web site and found a message saying, “Our website is temporarily unavailable. We’re working quickly to restore access. Please log on later.” The bank said the outage was due to an internal problem, not any external cause. A Chase spokesman said the bank was working on the technical issue on its Web site. He said software from a third-party database company corrupted information in its systems and prevented users from logging on, which led to a long recovery process. Chase said no customer data was at risk during the outage and apologized to affected customers. One banking expert said the Chase outage is only one instance of a problem many larger institutions face with outdated, legacy systems and technology. Banks may be offering modern applications on the front end, he said. “But the back end is running on legacy systems that are outdated technology ... This may be one of the reasons that it went down and didn’t come back up quickly.” Source:

14. September 16, Newark Star-Ledger – (National) FBI arrests dozens in raid on massive N.J. bank-fraud ring. Federal authorities in New Jersey charged 53 people September 16 with participating in a massive bank-fraud ring that authorities said hijacked the identities of overseas workers to bilk millions of dollars from financial institutions. More than 270 local and federal agents — including from the FBI, IRS, and Immigration and Customs Enforcement — fanned out across Bergen and Essex counties in New Jersey and Manhattan in New York City to arrest 43 suspects. Stretching from New Jersey to California to the South Pacific, the alleged scheme used Social Security numbers belonging to Asian immigrants who worked in American territories, including Guam, to apply for driver’s licenses under fake names, which were then used to obtain credit cards and bank loans. The suspects used those credit cards to buy luxury cars, designer shoes, aged whiskey and other finery, authorities said. Alternatively, members of the ring swiped the cards at their own businesses or shell companies to trick banks into transmitting money to them directly, authorities said. When it came time to pay the credit-card bills, the banks were left holding the name of someone on the other side of the globe, authorities said. Source:

15. September 15, WMAQ 5 Chicago – (Illinois) Cardholders missing thousands in bogus ATM withdrawals. Thieves near Chicago, Illinois have stolen money through unauthorized ATM transactions more than 30 times since September 12, suburban police departments said. Buffalo Grove police said they have fielded 20 complaints from residents who said they have lost thousands of dollars. “We are trying to get those cases together and find out is there a commonality, is there a store involved, is there a certain ATM involved, is there a certain bank involved, and find out how these cases are all linked up together,” said the Buffalo Grove police commander. There have also been at least 15 similar incidents reported in Wheeling, where account holders noticed money missing from their accounts. Others have been reported in Harwood Heights. The withdrawals themselves occurred in California, Ohio, Schaumburg, Melrose Park and Harwood Heights, police said; the most common location was California, where six of the incidents occurred. Police said they believe the thieves are using skimming devices to capture card data and PINs. Source:

16. September 15, TrendLabs Malware Blog – (International) One server, multiple botnets. During a recent investigation into a server hosting SpyEye, TrendLabs noticed there were several open directories that led to other control panels. SpyEye was also the same malware family that recently targeted Polish users. One of the control panels is for URLZone/Bebloh. The other control panel, on the other hand, did not have any name or version so TrendLabs named it after the server, “Spencerlor.” The investigation led to the discovery of what seems to be three botnets running on one server, which appears to be operated by at least two remote users, as the logs revealed. SpyEye and URLZone’s modules are both written in English, while Spencerlor’s is written in Russian. All three of the botnets on this server are designed and/or configured to steal only German banking credentials. Both Spencerlor and URLZone are actually coded to work with the German banking system using the so-called BLZ. A BLZ is an equivalent of a bank routing number that identifies a user’s bank and branch location. Apart from collecting account names, contact numbers, PINs, and balances, the group responsible for this botnet also collects a user’s BLZ. Source:

Information Technology

39. September 16, Help Net Security – (International) Facebook is the top source for malware infections. The use of social networking during working hours is common (77 percent of employees do it), and consequently 33 percent of respondents said their corporate network has been infected by malware distributed through these communities, according to Panda Security. Facebook is by far the most popular social media tool among SMBs: 69 percent of respondents reported that they have active accounts with the site, followed by Twitter (44 percent), YouTube (32 percent) and LinkedIn (23 percent). Facebook was cited as the top culprit for companies that experienced malware infection (71.6 percent) and privacy violations (73.2 percent). YouTube took the second spot for malware infection (41.2 percent), while Twitter contributed to a significant share of privacy violations (51 percent). For companies suffering financial losses from employee privacy violations, Facebook was again cited as the most common social media site where these losses occurred (62 percent), followed by Twitter (38 percent), YouTube (24 percent) and LinkedIn (11 percent). Source:

40. September 16, The H Security – (International) Mozilla releases Firefox stability updates. The Mozilla Project has issued stability updates for the latest stable and legacy branches of its open source Firefox Web browser. According to the developers, Firefox 3.5.13 and 3.6.10 each address a bug that caused the browser to crash during start-up for “a limited number of users” across all three platforms — Windows, Mac OS X and Linux. The updates come just 1 day after Mozilla reportedly turned off update notifications for some users running older versions of the software because of the stability problem. The 3.6.9 and 3.5.12 updates from the previous week addressed a total of 15 security vulnerabilities, 10 of them rated critical by the developers, so users who held off on those updates because of the crash remain exposed to those issues until they install the new builds. The 3.6.10 update also fixes an issue related to the Personas blocklist. Personas are lightweight “skins” for the Web browser that change the look of Firefox by changing the header and footer areas while leaving the navigation buttons and menus alone. More details about the updates can be found in the 3.6.10 and 3.5.13 release notes. Firefox 3.5.13 and 3.6.10 are available to download from the project’s site. Alternatively, existing Firefox users can upgrade to the new version either by waiting for the automated update notification or by manually selecting “Check for updates” from the Help menu. Source:

41. September 16, Help Net Security – (International) 80% of network attacks target web-based systems. This year has seen the use of the Internet for conducting business hit an all-time high; however, attacks continue to strike networks more than ever, using increasingly sophisticated techniques. Employee use of Web-based business applications and social networking sites on corporate networks continues to grow daily. While employees’ reasons for using these programs are legitimate — to help build brand awareness or improve productivity — the applications open the enterprise network to serious security threats. One of the key findings of a new report was that more than 80 percent of network attacks targeted Web-based systems. There are two key elements to this number: Web sites and Web clients. The report shows Web sites are constantly at risk of being taken offline or defaced through SQL injection, PHP file inclusion or other attacks, and that these types of attacks have doubled in the last 6 months. The report, by HP TippingPoint DVLabs, the SANS Institute and Qualys Research Labs, provides data and analysis — including real-world examples of attacks and recommended ways to mitigate risk — to inform companies about the latest security threats. It includes updated vulnerability trends, an in-depth analysis of a PDF-based exploit, a discussion of client-side versus server-side attacks, and information on growing trends, including botnets and malicious JavaScript. Source:

42. September 15, The Register – (International) Unofficial fix brings temporary relief for critical Adobe vuln. Security researchers have released what they say is an unofficial fix for the critical Adobe Reader vulnerability that is being actively exploited to install malware on machines running Microsoft Windows. The download replaces a buggy strcat call in a font-rendering DLL module with a length-checked function, according to an explanation from the researchers at penetration-testing firm RamzAfzar. Applying the fix for the underlying stack-based buffer overflow is as simple as overwriting the existing CoolType.dll in the Acrobat Reader folder with the revised one, though the replacement is a third-party binary rather than an Adobe-signed update. “We’ve decided to modify this strcat call and convert it to strncat,” they wrote. “Why? Because strncat at least receives the buffer size and how much bytes you want to copy from src to dest.” The CSO of Rapid7 and chief architect of the Metasploit project said he has not had a chance to test whether the update truly patches the gaping hole left by Adobe developers, but he said the approach seemed to make sense. Adobe has said it will not release an update for Reader until October 4. That means users of the near-ubiquitous program have another 3 weeks before they are protected against a sophisticated threat that criminals are already exploiting with aplomb. The delay wasn’t lost on the people from RamzAfzar, who said their fix was easy even from their considerably less advantaged position. Source:
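The strcat-to-strncat change described above is the textbook fix for an unbounded string append into a fixed-size stack buffer, but it only works if the length argument is computed correctly. The following C program is an added illustration and is not RamzAfzar’s patch, Adobe’s code, or anything taken from CoolType.dll; the 32-byte “font name” buffer, the function names and the constructed 40-byte input are assumptions chosen to show the pattern. It places the unbounded pre-patch call beside a correctly bounded append, and also quantifies the common mistake of passing the destination size as strncat’s third argument.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size destination, standing in for whatever buffer the
 * real font-rendering code used; the actual size is not given on the page. */
#define NAME_BUF 32

/* Pre-patch pattern: strcat() has no idea how large dst is, so an
 * attacker-controlled src longer than the remaining space overwrites
 * whatever follows dst on the stack. Never call this with untrusted src. */
void append_unbounded(char *dst, const char *src)
{
    strcat(dst, src);
}

/* Returns 1 if appending src to dst would not fit in dst_size bytes
 * (including the terminating NUL), 0 otherwise. */
int append_would_overflow(const char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst);
    if (used >= dst_size)
        return 1;                        /* dst is not NUL-terminated within dst_size */
    return strlen(src) > dst_size - 1 - used;
}

/* Post-patch pattern: strncat() limited to the space that is actually left,
 * minus one byte for the NUL that strncat always appends.
 * Returns 0 if src was appended in full, -1 if it had to be truncated. */
int append_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t used = strlen(dst);
    if (used >= dst_size)
        return -1;
    size_t room = dst_size - 1 - used;   /* bytes available for src */
    int truncated = strlen(src) > room;
    strncat(dst, src, room);             /* writes at most room bytes plus the NUL */
    return truncated ? -1 : 0;
}

/* The common strncat mistake: passing sizeof(dst) as the length. The third
 * argument is how many bytes of src may be appended, not the size of dst,
 * so the write can still run past the end. Returns how many bytes such a
 * call would write beyond dst_size (0 when it happens to fit). */
size_t naive_strncat_overrun(size_t dst_used, size_t dst_size, size_t src_len)
{
    size_t copied = src_len < dst_size ? src_len : dst_size;
    size_t end = dst_used + copied + 1;  /* +1 for the NUL strncat appends */
    return end > dst_size ? end - dst_size : 0;
}

int main(void)
{
    char name[NAME_BUF] = "Font-";
    /* Constructed input: 40 bytes, longer than the buffer can hold. */
    const char *attacker = "0123456789012345678901234567890123456789";

    printf("strcat would overflow: %d\n",
           append_would_overflow(name, sizeof name, attacker));
    printf("bounded append rc=%d -> \"%s\" (%zu bytes)\n",
           append_bounded(name, sizeof name, attacker), name, strlen(name));
    printf("naive strncat(dst, src, sizeof dst) overruns by %zu bytes\n",
           naive_strncat_overrun(5, sizeof name, strlen(attacker)));
    return 0;
}
```

The point of `naive_strncat_overrun` is the caveat behind the quoted explanation: strncat does not receive the buffer size, it receives a byte count to append, so `strncat(dst, src, sizeof dst)` on a buffer that already holds five bytes still writes six bytes past the end for a 40-byte input. A patch that swaps the call without computing the remaining space changes the overflow without removing it.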

43. September 15, DarkReading – (International) Number of malware-infected websites tops 1 million mark. According to a new report published in a blog September 15 by researchers at security firm Dasient, the number of Web sites infected by malware in the second quarter of 2010 spiked to more than 1.3 million — the first time that figure has ever topped 1 million. “That’s a jump of almost two times the number that we saw in the previous quarter,” said Dasient’s co-founder. “The numbers are really surprising.” Malware authors are becoming more efficient and creative in methods of attacking Web sites, Dasient said. For one thing, they are creating new malware at an exceedingly rapid rate: Dasient detected more than 58,000 new infections in Q2 alone, raising its comprehensive malware library to more than 200,000 different infections. Attackers are also becoming more crafty in the way they distribute their payloads, Dasient’s co-founder observed. For example, many malware authors have begun deploying new infections late on Friday afternoons, when they know most IT departmental resources will be at an ebb over the weekend. Source:

44. September 15, The Register – (International) Die-hard bug bytes Linux kernel for second time. The Linux kernel has been purged of a bug that gave root access to untrusted users — again. The vulnerability, in the component of the operating system that translates system-call arguments between 64-bit and 32-bit representations, was fixed once before, in 2007. But several months later, developers inadvertently rolled back the change, once again leaving the OS open to attacks that let unprivileged users gain full root access. The bug was originally discovered by the late hacker “cliph.” The researcher who discovered the regression said he grew suspicious when he began tinkering under the hood of the open-source OS and saw signs the flaw was still active. No doubt Linux fans will be quick to point out that the bug can be exploited only by someone who already has a valid account on the targeted machine. This is true, but the existence of such vulnerabilities is a big deal in corporate, government and educational environments, where Linux has a large following. Add privilege escalation to the mix and things like protected mode, integrity levels, and chroot — often the very reason the OS was chosen in the first place — are largely wiped out. The oversight means untrusted users with, say, limited SSH access have a trivial means to gain unfettered access to any vulnerable 64-bit installation. Source:

Communications Sector

45. September 16, Alexandria Daily Town Talk – (Louisiana) Accident causes telephone outage for some Pineville businesses. Businesses along Main Street in Pineville, Louisiana, including Huey P. Long Medical Center, were without phone service part of September 14 and 15 after a digging accident. The Louisiana spokeswoman for AT&T said a contract worker who was digging across from the Jewish Cemetery on Main Street to install optical fibers for a communications upgrade “accidentally cut the existing cable” around 4 p.m. September 14, knocking out phone service in the area. AT&T was able to restore service by 9:30 September 15. The administrative assistant for Huey P. Long’s administrator said the hospital’s phone service was restored around 5 a.m. September 15. The hospital’s service was restored first, while the remaining businesses affected were restored over the next several hours. Source:

46. September 15, WNEP 16 Scranton – (Pennsylvania) Arrest made in joyride gone wrong. After almost 2 years, investigators in Lycoming County, Pennsylvania arrested a 29-year-old South Williamsport man in connection with an October 2008 joyride that ended when a heavy piece of machinery knocked out a radio station’s transmitter. The suspect faces a slew of charges in connection with the joyride gone wrong on state forest land, and court papers indicated the suspect and another man stole a heavy piece of machinery and slammed it into WILQ FM’s transmitter near South Williamsport. The transmitter building was totaled, causing more than $100,000 in damage. Source:,0,7915446.story

47. September 15, WJAC 6 Johnstown – (Pennsylvania) Verizon cell phone service restored to Northern Alleghenies. Many Verizon Wireless customers in Jefferson, Clearfield, and Elk counties in Pennsylvania went without cell service September 15. Officials have not said how many people were affected by the outage. Service was restored by 5 p.m. that day. But many said the outage affected their businesses. Emergency officials said no problems were reported due to the outage. They added that people could still call 911, if they were in an area with more than one cell phone service provider. Source:

48. September 15, KIFI 8 Idaho Falls – (Idaho) Cut line disrupts Cable One Internet service. Employees at the Idaho Falls Cable One office in Idaho said Internet service was being disrupted to customers all over the area September 15. The employees said the Forestry Department cut one of Cable One’s main fiber optic lines near Boise. Only customers who live from Blackfoot to St. Anthony and have the company’s high-speed internet connection were being affected. Company officials hoped to have a temporary solution in place by 6 p.m. September 15, employees said. Source:

49. September 15, Virgin Islands Daily News – (Virgin Islands) Innovative’s competitors restored service within days of storm. While Innovative Telephone officials said that their restoration efforts from Hurricane Earl ramped up the week of September 6 when electricity was fully restored, their competition — wireless providers of cable, phone and Internet service — claimed to be back as soon as the lights were on, and some providers said they never lost service at all. Innovative’s phone and cable service will not be fully restored until the end of the week of September 13, according to the company’s vice president of engineering operations. He said September 14 that he could not provide an estimate of how many telephone and cable customers remained without service, but he said that all Internet customers were back online. Innovative officials said that the hurricane restoration work has been slowed by power surges and gunshots. Source:

50. September 15, WTOV 9 Steubenville – (West Virginia) Frontier catches up with trouble reports. Frontier Communications said it has finally caught up with thousands of orders and trouble reports in West Virginia. The company took over landline phone service in West Virginia from Verizon in July, and many customers have reported several extended outages and service issues. Emergency officials in several counties in the Northern Panhandle also reported issues with 911 service and emergency radio communications after the handover. The week of September 13, a Hancock County delegate contacted a woman who said her service had been spotty for weeks. Frontier officials think they may have turned the corner. In a September 9 news release, Frontier’s general manager reported the company was ending its “extended service difficulty” status and allowing its workforce to return to regular work shifts. He said the company had finally been able to catch up with 3,000 service calls, orders and trouble reports. Source:

51. September 14, Denver Post – (Colorado) Federal grant will build high-speed Internet across Colorado. Until now, Colorado has lagged woefully behind most of the country in providing students high-speed Internet — ranking 42nd among the 50 states for Internet connectivity. But the state won a $100.6 million federal grant that will be combined with $34.7 million in matching contributions to help build an affordable broadband network across the state, providing access for as many as 230 community institutions — including 178 school districts, 26 libraries, and 12 community colleges. The money will cover the cost of laying optical fiber and copper cable and the addition of microwave switching stations that will bring fast Internet connections to rural outposts. “We have an elementary school that has less bandwidth than a well-connected house in Denver,” a board member for Ault-Highland RE-9 School District said. The federal grant is being funded through the American Recovery and Reinvestment Act, which included $7.2 billion to expand broadband connectivity across the country. Source: