Thursday, November 4, 2010

Complete DHS Daily Report for November 4, 2010

Daily Report

Top Stories

• ProPublica reports that an internal BP report found the extensive pipeline system that moves oil, gas, and waste throughout its operations in Alaska is plagued by severe corrosion that could lead to explosions or spills. (See item 2)

2. November 2, ProPublica – (Alaska; National) With eyes on Gulf, BP Alaska pipes remain at risk. The extensive pipeline system that moves oil, gas, and waste throughout BP’s operations in Alaska is plagued by severe corrosion, according to an internal maintenance report generated 4 weeks ago. The document shows that as of October 1, at least 148 pipelines on Alaska’s North Slope received an “F-rank” from BP. According to BP oil workers, that means inspections have determined more than 80 percent of the pipe wall is corroded and could rupture. Most of those lines carry toxic or flammable substances. Many of the metal walls of the F-ranked pipes are worn to within a few thousandths of an inch of bursting, according to the document, risking an explosion or spills. BP oil workers also said fire and gas warning systems are unreliable, giant turbines that pump oil and gas are aging, and some oil and waste holding tanks are verging on collapse. A BP Alaska spokesman said the company has “an aggressive and comprehensive pipeline inspection and maintenance program,” which includes spending millions of dollars and regularly testing for safety, reliability and corrosion. He said that while an F-rank is serious, it does not necessarily mean there is a current safety risk. He added BP would immediately reduce the operating pressure in worrisome lines until it completes repairs. The spokesman noted BP has more than 1,600 miles of pipelines, and does more than 100,000 inspections per year. Source:

• According to The Register, a U.S. computer security team has warned a search engine that indexes servers and other Internet devices is helping hackers find vulnerable industrial control systems for equipment at gasoline refineries and power plants. (See item 3)

3. November 2, The Register – (International) Hackers tap SCADA vuln search engine. A search engine that indexes servers and other Internet devices is helping hackers to find industrial control systems that are vulnerable to tampering, the US Computer Emergency Readiness Team (US CERT) has warned. The 1-year-old site known as Shodan makes it easy to locate Internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants, and other industrial facilities. As white-hat hacker and Errata Security CEO explained, the search engine can also be used to identify systems with known vulnerabilities. According to the Industrial Control Systems division of US CERT, that is exactly what some people are doing to discover poorly configured SCADA gear. “The identified systems range from stand-alone workstation applications to larger wide area network (WAN) configurations connecting remote facilities to central monitoring systems,” the group wrote in an advisory (PDF) published October 28. “These systems have been found to be readily accessible from the internet and with tools, such as Shodan, the resources required to identify them has been greatly reduced.” Besides opening up industrial systems to attacks that target unpatched vulnerabilities, the data provided by Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults, CERT warned. Source:

For more stories, see item 39 below in the Information Technology Sector
Banking and Finance Sector

8. November 3, Sky News – (International) Stock exchange probes ‘suspicious’ tech error. The London Stock Exchange (LSE) said it has launched a probe after a “suspicious” glitch brought down one of its trading systems for 2 hours November 2. The problem took out Turquoise, the stock exchange’s European-wide trading platform. The LSE said in a statement that “human error was to blame for the disruption” which began shortly after 8 a.m. It added: “Preliminary investigations indicate that this human error may have occurred in suspicious circumstances.” A full internal investigation has been launched by LSE and London authorities have been informed. The glitch is the second to hit Turquoise in less than a month, after a problem with a network card forced the exchange to shut the system for over 1 hour October 5. Source:

9. November 3, Chicago Sun-Times – (Illinois) Robbers caught in hail of gunfire. On November 2, a 23-year-old woman and a 36-year-old man, both wearing stocking masks and armed with automatic handguns, burst into a US Bank branch in Chicago, Illinois, and demanded cash, police and the FBI said. But a quick-thinking customer who ran from the bank as the heist began dialed 911, and Homewood and Hazel Crest police officers were waiting for the robbers when they left moments later. In “an exchange of gunfire” with the officers, the female bank robber hastily abandoned a blue backpack stuffed with thousands of dollars in cash and was shot in the shoulder as she attempted to flee, and she and the man were arrested. A third suspect, the male getaway driver, was on the run. None of the 10 customers and bank workers who were in the bank during the robbery was hurt. The branch was targeted in an unsuccessful robbery in August, authorities said. The robbers escaped without cash on that occasion. Source:,CST-NWS-bankshoot03.article

10. November 3, WFOR Miami – (Florida) Reputed mobster linked to Rothstein sentenced. A reputed Italian mobster linked to a massive South Florida Ponzi scheme has been sentenced to 4 years in prison for money laundering conspiracy charges. He was arrested in a U.S.-Italian sweep of suspected Mafia figures in March. Authorities said he sought to broker business deals between Italian and U.S. crime families. He was nabbed after the FBI set up meetings between him and an ex-attorney who admitted operating a $1.2 billion Ponzi scheme. Source:

11. November 3, Lorain Morning Journal – (Ohio) First Federal Savings bank in Lorain robbed again. For the second time in 2 weeks, police and federal agents are searching for an unidentified person who robbed First Federal Savings of Lorain, Ohio, according to an FBI Special Agent. A man walked into the bank around 9:31 a.m. November 2 and passed the teller a note demanding money. After being handed an undisclosed amount, the robber fled the bank on foot. The FBI agent described the suspect as a white man with a medium build, between 5 feet 6 inches and 5 feet 8 inches tall, wearing sunglasses, a hooded jacket, blue jeans, boots and a baseball cap with a red brim. The same bank was robbed by an unidentified woman October 21. She walked into the bank around 5 p.m., just before closing. She was described as a white female about 5 feet 3 inches tall, between the ages of 20 and 30, wearing a red University of Cincinnati hooded sweatshirt, a white cap and dark sunglasses. The robbery remains under investigation. Source:

12. November 2, Associated Press – (Nebraska) Neb. man gets 5 years prison for investment fraud. A Nebraska man who pleaded guilty to securities fraud has been ordered to spend 5 years in prison and repay $6.8 million to his victims. A U.S. District judge sentenced the 47-year-old of Omaha November 1. Prosecutors said he lured mostly elderly investors under false pretenses and used their money to buy luxury items for himself and to pay off some early investors. Authorities said he collected more than $8 million from about 25 investors. Source:

13. November 2, Denver Post – (Colorado) Hedge-fund manager Mueller pleads guilty in $70 million Ponzi scheme. A Cherry Hills Village, Colorado hedge-fund manager faces up to 40 years in prison for running a $70 million Ponzi scheme that lured wealthy Denver-area investors. The suspect pleaded guilty November 1 to the scam that ensnared about 65 people who invested funds since 2001 with Mueller Capital Management. The manager had less than $9.5 million in cash and investments in April, and liabilities to investors of $45 million. Some investors may have made withdrawals, officials said. He attracted investors with a strategy of day trading that he claimed earned regular returns of 12-15 percent per year. Police took him into custody April 22 after he sent apologetic messages to investors and threatened to jump off an RTD parking garage in Greenwood Village. The hedge-fund manager was hospitalized and later released. The state eventually shut down his funds and seized his assets. Source:

14. November 2, eSecurity Planet – (National) Phishing scam targets military families. A new phishing scam is taking aim at members of the U.S. military and their families, using unsolicited e-mails purportedly from United States Automobile Association (USAA), one of the nation’s largest financial services and insurance companies, to trick people into divulging their personal information to identity thieves. USAA and the Navy Federal Credit Union in May were hit by a similar phishing scam that also attempted to extract Social Security numbers, credit card numbers, birth dates and other information used to either pilfer bank accounts or steal unsuspecting users’ identities. This time around, according to an advisory on security software maker AppRiver’s Web site, the con artists are sending a slew of unsolicited e-mails with subject titles, such as “USAA Notification” or “Urgent Message for USAA customer” in the hope of getting just a small fraction of a percentage of recipients to click on a link embedded in the missive. According to the Anti-Phishing Working Group, a consortium of Web retailing, software, security and financial firms, more than 126,000 fake Web sites designed solely to steal users’ personal information were discovered in the first half of this year alone. Source:

15. November 2, Tampa Bay Newspapers Inc. – (Florida) Two arrested for ATM skimming. Clearwater, Florida police arrested two suspects accused of using a scanning device for ATM skimming, police reported. Regions Bank security notified police about two possible skimming/scanning devices attached to two of their ATM machines. Detectives from the robbery unit and narcotics unit immediately set up surveillance on the ATM machines. At about 8:55 p.m. October 25, the suspects approached the Regions ATM and immediately removed the attached scanning device, the report said. Police closed in on the suspects as they left the area, and they conducted a traffic stop. Both suspects were arrested and one scanning device was recovered from their vehicle. A second scanning device was located at a separate ATM machine. The suspects are from the Chicago, Illinois area and apparently traveled to Clearwater for their crimes. The U.S. Secret Service was notified and responded to assist. Source:

Information Technology

37. November 3, Softpedia – (International) Websites hosted at Go Daddy under siege in mass injection attacks. Security researchers warn that Web sites hosted at Go Daddy have been targeted in mass injection attacks, which add rogue code to their pages and direct visitors to scareware. This is the third wave of attacks in recent weeks affecting Web sites hosted by the company. “As of 4 a.m. Pacific, November 3, we’ve received various reports of another related outbreak of exploited sites on GoDaddy,” researchers from Web integrity monitoring vendor Sucuri Security warn. The compromised sites get base64-encoded code added to all of their PHP files. When parsed, this code injects rogue JavaScript content into the resulting page. In addition to hitting Go Daddy, these attackers launched similar campaigns against other hosting companies around October 21. Many of the external domains used in the attacks are registered under the name of Hilary Kneber, an alias associated with many cybercriminal operations, including the notorious ZeuS banking trojan. The malicious JavaScript code forces visitors’ browsers to load additional scripts from external domains, which in turn redirect them to pages displaying fake antivirus scans and pushing scareware. Despite these attacks beginning the weekend of October 30 and 31, some of the rogue domains are still up and serving scareware. Sucuri has created a free clean-up script, which affected Web masters can download and execute. Source:
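As an added illustration of the defender's side of the injection pattern in item 37 (this is not Sucuri's clean-up script nor code from the article), a small scanner that finds base64 literals handed to base64_decode() in PHP source, decodes them, and flags payloads that write script or iframe content into the page; the sample file contents and the placeholder domain are constructed.

```python
import base64
import binascii
import re

# Constructed sample of an infected PHP file, modelled on the pattern described
# above (a base64 blob added to a .php file that emits JavaScript when parsed).
# The domain is a placeholder, not a real indicator.
_INJECTED_JS = b'<script src="http://scareware.example.invalid/x.js"></script>'
_PAYLOAD = base64.b64encode(b"echo '" + _INJECTED_JS + b"';").decode()
SAMPLE_INFECTED_PHP = (
    '<?php eval(base64_decode("' + _PAYLOAD + '")); ?>\n'
    "<?php echo 'Welcome to my site'; ?>\n"
)
SAMPLE_CLEAN_PHP = "<?php echo 'Welcome to my site'; ?>\n"

# A base64 string literal passed straight to base64_decode(): the construct that
# lets hidden code run every time the file is parsed.
_B64_CALL = re.compile(r'base64_decode\s*\(\s*["\']([A-Za-z0-9+/=\s]{16,})["\']\s*\)')
# Markers that the decoded payload injects script content into the served page.
_JS_MARKERS = (b"<script", b"document.write", b"<iframe")

def find_injections(php_source: str) -> list[dict]:
    """Return one finding per base64_decode() literal whose decoded bytes
    carry script/iframe markers, with its line number and a decoded preview."""
    findings = []
    for m in _B64_CALL.finditer(php_source):
        blob = re.sub(r"\s+", "", m.group(1))
        try:
            decoded = base64.b64decode(blob, validate=True)
        except (ValueError, binascii.Error):
            continue  # not valid base64, so not the pattern being hunted
        if any(marker in decoded.lower() for marker in _JS_MARKERS):
            line_no = php_source.count("\n", 0, m.start()) + 1
            findings.append({"line": line_no, "decoded": decoded[:120]})
    return findings

def scan_files(files: dict[str, str]) -> dict[str, list[dict]]:
    """Scan a mapping of path -> PHP source; return only paths with findings."""
    return {path: hits for path, src in files.items()
            if (hits := find_injections(src))}
```

Running it over a site tree (read each .php file into the mapping) gives a hit list to review before cleaning; plain base64_decode() use in legitimate code decodes to data, not markup, so it is not flagged.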

38. November 3, Saudi Gazette – (International) Saudi websites target of 68,000 hacking bids every day. Saudi Web sites are hit by 68,000 hacking attempts every day and some official sites are not fully protected against the attacks, an information security officer said. The attacks are made against government and private sites, said the director general of the National Information Security Center. No specific government organization is tasked with protecting official Web sites from hacking and cybercrimes, said the information security officer, who added that the role of the Communication and Information Technology Commission is limited to technical support. The statement came after hackers posted pictures of the Hezbollah leader and a youth wielding a syringe on the Web site of the Ministry of Education November 1. Source:

39. November 2, Network World – (Arizona; National) Antivirus software didn’t help in zero-day malware attack on power plant. When the zero-day attack known as the “Here You Have” virus hit about 500 PCs at the Salt River Project, a large public power utility and water supplier for Arizona, it turned out that the antivirus software in use provided no defense. The virus, arriving in mid-September as e-mail with a fake PDF, burrowed past the McAfee and Symantec anti-malware software when the e-mailed victim clicked on the attachment, which appeared to be from someone known. In fact, the security information and event management (SIEM) equipment being used since last May at Salt River Project to monitor events, trouble-shoot the network, and provide log management, turned out to be the best weapon available to go into hand-to-hand combat against the virus. While the anti-virus software was knocked out of commission by “Here You Have,” the SIEM gear called QRadar from Q1 Labs was able to detect the PCs at Salt River Project that had been hit by analyzing the abnormal behavior the PCs started to display. That is because each infected PC was suddenly detected trying to “call home” to an unknown command-and-control system on the Internet and spreading as spam via Microsoft Outlook. The QRadar SIEM gave IT staff a way to track down infections and go through the process of manually cleaning them up, while it took about 1 day for McAfee and Symantec to provide the needed security updates, with McAfee slightly faster, a network analyst for the Salt River Project said. Source:

For more stories, see item 3 above in Top Stories

Communications Sector

40. November 2, – (International) Could a cellphone call from Yemen blow up a plane? A White House counterterrorism adviser said that a pair of bombs shipped to the United States from Yemen were supposed to detonate aboard the airplanes carrying them. The bombs, hidden in printer cartridges, were hooked up to cellphones without SIM cards, the New York Times reported, so calling the phones during intercontinental travel could not have set them off. And experts noted that calling a phone to activate a bomb aboard a plane is one of the least efficient detonation methods. “They couldn’t call,” said a counterterrorism official from the last two Presidential administrations, now with Goodharbor Consulting. If the terrorists used a regular cellphone to call an airplane-borne bomb from a great distance, it probably would not be able to reach a tower that could bounce a signal to the phone — though it is not impossible. More likely, the official speculated, the bombmakers would have timed the phone’s alarm to go off, triggering the bomb. “If they set the alarm, say, two days in advance, and they had confidence how it was shipped and packed to the U.S., then they’d have confidence about where it would be when [it went] boom,” he said. A Pentagon adviser who specializes in stopping improvised bombs — and who would only talk on condition of anonymity — cautioned that a satellite phone would have the signal strength to reach the phone packed into the printer-bomb. But keeping that phone ready to receive calls “increases your risk of detection from the device, because you’re emitting a signal.” Source: