Monday, January 31, 2011

Complete DHS Daily Report for January 31, 2011

Daily Report

Top Stories

• Crews from the Northern Indiana Public Service Co. January 28 stopped and repaired a gas leak, which prompted the evacuation of hundreds of residents within a four-block radius the night before, in East Chicago, Indiana, the Indiana Post-Tribune reports. (See item 2)

2. January 28, Indiana Post-Tribune – (Indiana) Gas leak forces hundreds from East Chicago homes. Crews from the Northern Indiana Public Service Co. (NIPSCO) on January 28 stopped and repaired a gas leak in East Chicago, Indiana, that led to the evacuation of hundreds of residents the night of January 27. East Chicago Fire Department and police evacuated residents in a four-block radius in buses and emergency vehicles around 10 p.m. January 27 after NIPSCO and police received several calls about a potential gas leak in the area. As a safety precaution, NIPSCO disconnected gas for 21 to 22 residences from the time the leak was detected until January 28 when the company finished repairing a crack in welding that caused the leak. The welding connects the 6-inch steel main. “[It] can be a number of causes, none of which are preventable. It can be caused from ground movement, from the change in climate and temperature. Frost can play a factor or even things on the external surface, like work and other projects above the ground that can have an impact on things beneath the surface” a spokesman said. NIPSCO will take the part of the pipeline that leaked to additional testing, he said. Source:,ecgaslk-ptb-0128.article

• According to Network World, a new study shows half of U.S. government Web sites are vulnerable to commonplace denial of service (DNS) attacks because they have not deployed a new authentication mechanism that was mandated in 2008. See item 61 below in the Communications Sector.


Banking and Finance Sector

15. January 28, Washington Post – (Maryland) ATM skimmer investigated in Md. A 48-year-old woman discovered what appeared to be an ATM skimmer while using an ATM at a Bank of America in Anne Arundel County, Maryland on January 22, police said. At approximately 5:26 p.m., officers responded to a call from to the Bank of - America in the 600 block of Annapolis Boulevard in Severna Park, for a recovered ATM skimmer affixed to the ATM machine. The woman told police she observed what appeared to be a fraudulent device attached to the machine for the purpose of scanning the ATM cards of customers. She had pried the device from the machine before the suspect could return to retrieve the device and obtain customer data. This appeared to be an isolated incident and no personal account information has been compromised for individuals that used the ATM, police said. The case is being investigated by the United States Secret Service with the assistance of the Anne Arundel County Police Department. Source:

16. January 28, Washington Post – (Maryland) Takoma Park bank robbery suspect killed. A man was fatally shot by police January 28 after he attempted to rob a bank in Takoma Park, Maryland, authorities said. Three people were also injured. The incident began at 9:25 a.m. when police officers were called to the Capital One bank at New Hampshire Avenue and University Boulevard for a report of a suspicious package. When officers from Takoma Park and Prince George’s County police departments arrived on the scene, they discovered that a suspect was holding a weapon to the head of a woman. Six people were in the bank at the time of the robbery. Video shown on a number of local television stations showed the suspect and a female hostage leaving the bank and walking toward a parking lot. The two were surrounded by armed police officers nearby. Shortly after a red dye pack exploded, the suspect slipped on ice and the hostage broke free, the video showed. Authorities said three Takoma Park officers and three Prince George’s County officers opened fire on the suspect. He was taken into custody, taken to authorities and later pronounced dead. Officials said one hostage was pistol whipped and a second was taken to the hospital after experiencing shock. A Prince George’s officer was grazed by a bullet. Authorities said it is possible the officer’s wound may have come from another police officer. Source:

17. January 28, Columbia Broadcasting System; Associated Press – (National) “Granddad Bandit” Michael Mara to plead guilty to bank robberies in Virginia, Alabama, Arkansas. The 53-year-old man dubbed the “Granddad Bandit” by the FBI will pleaded guilty to multiple bank robbery counts February 10, according to the federal prosecutor’s office in Richmond, Virginia. A representative of the federal public defender’s office confirmed January 26 that the suspect will plead guilty, but would not discuss details of the case. The man, who is suspected in 25 bank robberies in 13 states, is charged with two robberies in Virginia and has apparently agreed to plead guilty in Richmond to four robberies in Alabama and one in Arkansas. The man was captured at his home in Baton Rouge August 11, 2010 after the FBI and police received a tip from someone who identified the suspect as the “Granddad Bandit” and gave authorities photographs to match bank surveillance videos. Source:

18. January 28, Medford Mail Tribune – (Oregon) Man armed with ‘Uzi-style’ gun robs Medford bank. The hunt is on for two men suspected in an armed robbery of a Key Bank branch January 27 on East Barnett Road in Medford, Oregon. A white man, about 5 feet 9 inches tall, wearing a knit cap, a camouflage shirt and baggy pants showed an Uzi-style submachine gun and fled the bank at the corner of Black Oak Drive and Barnett Road with what a deputy chief described as “a significant amount of cash.” The robber had a getaway driver, police said. A suspicious man was seen in the area in a white, four-wheel-drive Dodge pickup, which police are still looking for. A police tracking dog was called to the area and sniffed through the complex, but was unable to locate a suspect. Officers taped off the bank while detectives and FBI agents spoke with witnesses. As detectives collected more statements, they learned the truck was fitted with a canopy and might have had red lettering on one side reading “sport.” It also had chrome rims, a spokesman said. The suspect brandished a silver-colored handgun and shouted at employees and customers. He stuffed an undisclosed amount of money into a green bag and ran from the bank, police said. Source:

19. January 28, KGTV 10 San Diego – (California) Man accused of robbing bank, attacking detective. A San Diego, California man was behind bars January 27 on suspicion of robbing a Kearny Mesa bank and attacking a detective at police headquarters after being arrested at the end of a freeway and foot chase. The man allegedly handed a demand note to a teller at the Wells Fargo branch in the 9300 block of Clairemont Mesa Boulevard January 25. The employee complied, but the money she turned over had an electronic tracking device hidden inside it, according to the FBI. A few minutes later, San Diego police caught up with the white sport utility vehicle he was driving and tried to pull it over. He fled to the south and west before running over a tire-flattening spike strip laid in his path by the California Highway Patrol on southbound Interstate 805. He then jumped out of the SUV and ran off, but officers arrested him a short distance away with help from a K-9. At downtown San Diego Police Department headquarters, he asked to use the restroom, and officers took off his handcuffs. He allegedly made two attempts to overpower a detective and get hold of his gun. Both times, he was subdued by officers. Source:

20. January 27, Fort Bend Now – (National) Two Fresno residents found guilty In $3.7 million mortgage scheme. Two Fresno, California, residents, along with a Katy resident, have been found guilty of defrauding residential mortgage lenders of more than $3.7 in loans in connection with home purchases in the Houston, Texas, area. Members of the United States Attorney’s office, FBI, and IRS — Criminal Investigations Section announced January 26 that a jury in United States District Judge Sim Lake’s Courtroom found the suspect, former fee attorney for First Southwestern Title Company and attorney for Aldridge and Associates, along with the other suspect, a former employee of First Southwestern Title Company and a third man, a co-owner of Waterford Homes, guilty of charges of wire fraud and money laundering. The first two suspects, both of Fresno, were found guilty of 19 counts which included conspiracy to commit wire and mail fraud, wire fraud, conspiracy to commit money laundering and money laundering charges. The third man, of Katy, was found guilty of 13 counts which included conspiracy to commit wire and mail fraud, wire fraud and conspiracy to commit money laundering. Source:

Information Technology

54. January 28, The Register – (International) braces for Anonymous hacklash. U.K. government websites have been warned to brace themselves for website attacks in the wake of the arrest of five Britons as part of an investigation into Anonymous the week of January 23. Members of the Anonymous hacking collective condemned the arrests, arguing that denial of services attacks are a legitimate protest tactic, comparable with staging a sit-in or picketing. In a statement, the group criticizedthe police operation as disproportionate, describing it as “a serious declaration of war from yourself, the U.K. government, to us, Anonymous, the people.” Information security agency GovCertUK has taken this implied threat seriously, issuing an advisorurging government websites to prepare defenses against possible attack. Source:

55. January 28, Softpedia – (International) Kapersky anti-virus source code leaks online. The source code for one of Kaspersky’s security suite products has been leakedonline and is available for download from torrent and file hosting websites. According to a description accompanying the release, the sources were stolen from Kaspersky Lain 2008 and the last changes made to them date from December 2007. The code is written in C++ and Delphi and covers the anti-virus engine, as well as the anti-phishing, anti-dialer, anti-spam, parental control, and other modules. It is unknown what version of Kaspersky’s security suite the sources actually correspond to, but 8.0 is the most likely candidate. The Russian vendor’s line of products is now at version 11.0, which is publicly marketed as 2011 and PURE, for the most complete offering. Source:

56. January 28, Softpedia – (International) Eight-character password bug identified on Amazon. A password bug has been identified on Amazon, where the casing and everything after the first eight characters is ignored for older access codes. The discussion about this problem was started on Reddit by a user who noticed that Amazon’s system would authenticate him even if he mistyped the ending of his password. Apparently, the issue exists only for access codes longer than eight characters. And, after analyzing the implications, that the impact is quite limited — if an attacker would decide to hack a user whose password is common eight-letter word, they would still need to find out their e-mail addresses. Giving the sheer size of Amazon and the likely protection against brute force attacks, finding even a single match would probably take a lot of time, even with lists of already harvested e-mail addresses. In addition, the password must not have been changed in a long time, because this trick does not appear to work with newer access codes, probably because the source of the bug is an old password hashing algorithm. Source:

57. January 27, H Security – (International) 50 million viruses and rising. IT security lab AV-Test registered the 50 millionth new entry into its malware repository January 27. The malware in question is a PDF file which exploits a security hole in Adobe Reader to infect Windows systems. It has not been given a name yet because it has not been fully identified. So far, only the heuristics of Authentium, Eset, F-Prot, Kaspersky, and McAfee have issued a generic message such as: “HEUR:Exploit.Script.Generic.” This new item of malware confirms the trend that attackers trying to infect PCs no longer use mainly the security holes in operating systems or browsers as their point of entry. Instead, malware authors are focusing on third party applications. Source:

58. January 27, IDG News Service – (International) FBI executes 40 search warrants in quest for ‘Anonymous’. Police agencies worldwide are turning up the heat on a loosely organized group of WikiLeaks activists. U.K. police arrested five people January 27, and U.S. authorities said more than 40 search warrants have been executed in the United States in connection with December’s Web-based attacks against companies that had severed ties with WikiLeaks. Investigations are also ongoing in the Netherlands, Germany, and France, the FBI said January 27. Acting on information from German authorities, the FBI raided Dallas ISP Tailor Made Services in December, looking for evidence relating to one of the chat servers used by Anonymous. Another server was traced to Fremont, California’s Hurricane Electric. The actions come after Anonymous knocked websites for MasterCard, Visa and others offline briefly by - recruiting volunteers to target them with a network stress-testing tool called LOIC (Low Orbit Ion Cannon). LOIC flooded the sites with data, making them unable to serve legitimate visitors. Source:

59. January 27, Softpedia – (International) Most computers infected with SpyEye are located in Poland. Security researchers from Trend Micro have recently investigated new developments surrounding the SpyEye crimeware and have discovered that most computers infected with this threat are located in Poland. SpyEye is a sophisticated banking trojan which appeared around a year ago and positioned itself as an alternative to the ZeuS crimeware toolkit. With a similar set of features for a much lower price, SpyEye not only competed with ZeuS for market share, but also removed it from the computers it infected. In a Twitter update, TrendLabs announces that most SpyEye-infected computers are located in Poland, which is unusual giving that most banking trojans usually target users and companies in U.S. and U.K. Source:

60. January 26, The H Security – (International) Conficker: Lessons learned report published. The Conficker Working Group has published a report by the Rendon Group, based on work funded by the Department of Homeland Security, on the “Lessons Learned” from the international effort to contain the virulent Conficker worm, a botnet infection that spread throughout the world in 2009. The report, written in the summer of 2010, documents the history of the Conficker worm, from the early reports in November of 2008 through to 2009 when Conficker infections were widely reported. Security researchers started to work together on solving the problems posed by the worm in 2008, a cooperation which eventually became the Conficker Working Group. Source:

Communications Sector

61. January 27, Network World – (International) Half of federal Web sites fail DNS security test. Half of U.S. government Web sites are vulnerable to commonplace denial of service (DNS) attacks because they have not deployed a new authentication mechanism that was mandated in 2008, a new study shows. The Office of Management and Budget issued a mandate requiring federal agencies to deploy an extra layer of security — called DNS Security Extensions (DNSSEC) — on their .gov Web sites by December 31, 2009. However, an independent study conducted in January 2010 shows that 51 percent of agencies are out of compliance with the requirement to deploy DNSSEC, which is also necessary for high marks in agency report cards under the Federal Information Security Management Act. Source:

62. January 27, International – (Unknown Geographic Scope) To avert Internet crisis, the IPv6 scramble begins. The Internet is running out of Web addresses that computers need to communicate with each other. It is likely that within a week, the central supplier of Internet Protocol version 4 (IPv4) addresses will dole out the last ones at the wholesale level. That will set the clock ticking for the moment in coming months when those addresses will all be snapped by corporate Web sites, Internet service providers, or other eventual owners. And that means it is now a necessity to rebuild the Net on a more modern foundation called IPv6. It has taken a long time because there was little immediate payback for companies spending money and time to build IPv6 support. Source:

63. January 27, Softpedia – (International) Top Russian cybercrime host shut down. Malicious host-tracking outfit HostExploit announced that the number one cybercrime hosting provider, VolgaHost, has been offline since January 17. Russian-based VolgaHost made it to the first position of HostExploit’s “Bad Hosts” list for the fourth quarter of 2010 and ranked third in previous tops. The provider used to offer bulletproof hosting services to people running command and control servers for various botnets, with ZeuS in particular. Other malicious activity detected on VolgaHost’s IP space consisted of infected Web sites, phishing pages, exploit servers, and spam. VolgaHost went offline after it was depeered by its upstream provider,, the Russian State Institute of Information Technologies and Telecommunications, along with several other ISPs known for hosting ZeuS domains. Source:

64. January 27, USA Today – (National) Comcast to broadcast info on missing children. Starting January 27, a missing child’s story and photo will be available to nearly 20 million Comcast cable customers in more than 25 cities in partnership with the National Center for Missing & Exploited Children. “Somebody knows where this child is,” says center President. “If we reach that one person, we increase the likelihood that we’ll get that one lead that will bring the child home.” The public service campaign comes a day before Comcast closes its deal with General Electric for 51 percent of a joint venture that includes NBC Universal. The deal makes Comcast the nation’s most powerful media, entertainment and news company. Comcast created the missing kids videos after having some success with its Police Blotter program, which features fugitives. Police credit the crime videos with generating tips that led to 90 arrests, said vice president of entertainment services for Philadelphia-based Comcast. Twenty, 2-minute video profiles are available. The videos include the child’s name, description, photo, possible whereabouts, and a narrative of the disappearance. Each month, the missing children’s center and Comcast will rotate new videos into the lineup. Each video will be available for at least 12 weeks. Source:

Friday, January 28, 2011

Complete DHS Daily Report for January 28, 2011

Daily Report

Top Stories

• An overnight lockdown, triggered when a vial of the deadly VX nerve agent went temporarily missing, was lifted January 27 at Utah’s sprawling, 801,000-acre Dugway Proving Ground. (See item 13)

13. January 27, Salt Lake Tribune – (Utah) Missing vial of nerve agent triggers Dugway shutdown. An overnight lockdown, triggered when a vial of the deadly VX nerve agent went temporarily missing, was lifted January 27 at Utah’s sprawling, 801,000-acre Dugway Proving Ground. Officials at the remote Army installation, 90 miles southwest of Salt Lake City, ordered gates closed at 5:24 p.m. January 26. Up to 1,500 employees of Dugway — military personnel, contractors and civilian workers — were forced to stay the night. A Dugway spokeswoman said the lockdown was ordered after a “routine inventory of sensitive material in the chemical laboratory ... discovered a discrepancy between the records and the agent on-hand. As a precaution, the commander immediately locked down the installation and began efforts to identify the cause of the discrepancy.” The vial was located, uncompromised, at 3 a.m. January 27 within the facility. Dugway officials did not specify exactly where the vial, containing less than 1 milliliter, or roughly a quarter-teaspoon of the agent, was found — nor did they detail how the vial had gone missing in the first place, or whether anyone was being disciplined as a result of the incident. Dugway houses small amounts of various chemical and biological warfare agents for defense testing purposes; it also is a prime Army base for testing of an array of conventional military weaponry and ammunition. Source:

• A snowstorm walloped the East Coast, stranding thousands of air, road and air travelers, knocking out power to more than 500,000 households, and closing down schools, government offices, and courts. (See items 21, 1)

21. January 27, Associated Press – (National) Snowstorm wallops Northeast, piling on the misery. A storm that had been predicted for days caught much of the East Coast off guard with its ferocity, January 26 and 27, tearing through with lightning, thunder, and tons of wet snow, stranding thousands of road, rail, and air travelers. New York got 19 inches, while Philadelphia received 17 inches. In Massachusetts, travel was made trickier with high winds. Gusts of 46 mph were reported in Hyannis, 45 mph in Rockport, and 49 mph on Nantucket January 27. New York declared a weather emergency for the second time since the December 26 storm, which trapped hundreds of buses and ambulances. The city shuttered schools and some government offices, and federal courts in Manhattan closed. New York’s Long Island Rail Road, the nation’s largest commuter rail line, operated on a reduced schedule. At Penn Station, about half the trains listed on the Amtrak departure board were delayed or canceled. Two major New York-area airports, Newark and Kennedy, closed for snow removal but were scheduled to begin taking flights at 10 a.m. Hundreds of flights were canceled at both airports. LaGuardia Airport had 168 cancellations. About 1,500 passengers were stranded overnight at Philadelphia International Airport. Northeast of New York in New Canaan, Connecticut, a Metro-North commuter train ran off the tracks, suspending service. Its two passengers and crew members were not injured. The Philadelphia area’s transit agency, the Southeastern Pennsylvania Transportation Authority, suspended nearly all bus service, and road crews worked through the night to gets tons of snow off major arteries. Source:

1. January 27, Washington Post – (Maryland; District of Columbia; Virginia) Washington stumbles to its feet after hard-hitting storm. The Washington, D.C. metro region struggled to regain its footing January 27 after a winter storm that caused at least one death and left the area icy and snowed-under, prompting local governments and schools to close for the day, public transportation to limit service and repair crews to scramble to restore electricity for hundreds of thousands left in the dark by snapped power lines. Though the day dawned to clear skies, morning brought an unwelcome chill to about 422,000 households without power in the region served by Pepco, Dominion Virginia and Baltimore Gas and Electricity (BGE). The Virginia Department of Transportation encouraged people to stay home the morning of January 27 until the roads could be cleared of snow, abandoned cars, trees, and power lines. Major highways, such as Interstate 66 westbound, became filled with cars, trucks and SUVs abandoned on the shoulder, some stuck out into traffic lanes just enough to pose a danger. After a drizzly, dreary start January 26, the storm struck with fury beginning at mid-afternoon, causing whiteout conditions across the region and casting a wintry glaze on roads and sidewalks that sent cars spinning and people tumbling. It is unknown when all power will be returned to customers. Source:


Banking and Finance Sector

17. January 27, Port Clinton News Herald – (Ohio) Perrysburg man charged with eight robberies at five banks. The FBI’s Violent Crimes Task Force has concluded its investigation into a series of bank robberies in the Toledo, Ohio, area and charged a Perrysburg man with robbing five banks a total of eight times. The U.S. Attorney’s Office in Cleveland announced January 26 that the 45 year-old male was charged with the robberies, two of which were committed at the Huntington National Bank branch on Main Street in Genoa. The suspect was already at the Lucas County Jail when the charges were filed. According to the U.S. Attorney for the Northern District of Ohio, the suspect robbed the bank in Genoa May 21 and September 23 last year. The U.S. Attorney said the suspect began robbing Toledo-area banks in November 2009. According to an indictment issued January 24, the suspect took $100,436 in the first seven robberies, including $19,194 during the first Genoa heist. The sum taken from the Genoa bank during the second robbery was not disclosed. The suspect was charged with robbery and kidnapping in Lucas County in November, and pleaded guilty to both counts last week, according to Lucas County Clerk of Courts records. He is scheduled to be sentenced February 1. Source:

18. January 27, Contra Costa Times – (California) Man robs 3 SoCal banks in 30 minutes. A suspect dubbed the “fuzzy-face bandit” held up three banks in Anaheim in about a half-hour January 26, but only came away with cash from one of the heists, authorities said. The man’s crime spree started about 10:45 a.m. at the Wells Fargo branch at 1135 N. State College Blvd., an FBI special agent. The suspect walked into the bank, gave the teller a note saying he had a gun, and demanded money, the Special Agent said. When the teller did not provide the money fast enough, the robber stormed out and went next door to a Bank of America at 1141 N. State College Blvd., the Special Agent said. He did the same thing at that branch, leaving empty-handed when the teller did not give up the money fast enough. The suspect then went to a Chase bank branch at 5791 E. Santa Ana Canyon Road at 11:17 a.m., and this time left with an undisclosed amount of cash. He was described as a light-skinned Latino man with a husky build, in his late 20s or early 30s and standing 5-foot-7. He was wearing a dark-colored hooded sweatshirt and some sort of dark head covering such as a hat or cap. Source:

19. January 27, WGME 13 Portland – (Maine) Long-time credit union employee accused of embezzling $519K. A female credit union employee, recently honored for being an outstanding employee by Atlantic Regional Federal Credit Union, is now accused of stealing over a half a million dollars from that same employer. The suspect has been named in a civil suit filed by her former employer that accuses her of stealing $519,000 from the credit union where she worked for 23 years. Court papers said the suspect was allegedly taking money belonging to the credit union and putting it in her account and accounts of her friends and family members. She is accused of taking $519,000, but as the FBI investigates, that total is expected to increase. The dredit union CEO believes the suspect was embezzling money for at least 6 years, but possibly even longer, dating back to 1990. The CEO also says internal changes have been made to ensure something like this does not happen again. Source:

20. January 26, WTXF 29 Philadelphia – (New Jersey; Pennsylvania) Former cop accused of 7 bank heists. Authorities said a former Bridgeton, New Jersey, police officer who served prison time for official misconduct is in federal custody for allegedly committing at least seven bank robberies in Pennsylvania and New Jersey. The list of suspected heists includes the December 9 robbery of a TD Bank on the 1400 block of Valley Forge Road in Towamencin, according to police in that Montgomery County township. The 33-year-old suspect, who resides in Vineland, New Jersey, was stopped and taken into custody by police in White Haven, Pennsylvania. A witness to a bank robbery in that area November 18 identified a suspect vehicle and contacted police. He reportedly fit the physical description of the suspect in the previous White Haven robbery, and confessed to the other robberies as well, Towamencin police reported in a news release. The suspect was turned over to the FBI and transported to the federal courthouse for the Middle District of Pennsylvania in Scranton to be arraigned. The suspect remains in federal custody, and the U.S. Attorney’s Office is prosecuting the case. Source:

Information Technology

45. January 27, IDG News Service – (International) Hackers turn back the clock with Telnet attacks. A new report from Akamai Technologies showed hackers appear to be increasingly using the Telnet remote access protocol to attack corporate servers over mobile networks. Akamai, which specializes in managing content and Web traffic, issues quarterly reports on Internet traffic trends. The latest report, which covers the third quarter of 2010, showed that 10 percent of attacks from mobile networks are directed at Port 23, which Telnet uses. That marks a somewhat unusual spike for the aging protocol. Telnet is a remote access tool used to log into remote servers, but it has been gradually replaced by Secure Shell (SSH). Administrators are generally advised to disable Telnet if the protocol is not used to prevent attacks targeting it, but some forget. Although those attacks originated from mobile networks, Akamai said it did not appear mobile devices were the source. Source:

46. January 27, IDG News Service – (International) Smart cards no match for online spies. The U.S. government has been stepping up its use of smart cards to help lock down its computer networks, but hackers have found ways around them. Over the past 18 months, security consultancy Mandiant has come across several cases where determined attackers were able to get onto computers or networks that required smart cards and passwords. In a report released January 27, Mandiant calls this technique a “smart card proxy.” The attack works in several steps. First, the criminals hack their way onto a PC. Often they will send a specially crafted e-mail message to someone at the network they are trying to break into. The message will include an malicious attachment that, when opened, gives the hacker a foothold. After identifying the computers with card readers, the criminals install keystroke logging software on them to steal the password typically used in concert with the smart card. When the victim inserts the smart card into the hacked PC, the criminals then try to log into the server or network that requires the smart card for authentication. When the server asks for a digital token from the smart card, the criminals redirect that request to the hacked system, and return it with the token and the previously stolen password. Source:

47. January 27, Help Net Security – (International) Multiple vulnerabilities in Symantec products. Multiple vulnerabilities have been reported in Symantec products, which can be exploited by malicious people to cause a Denial of Service attack and compromise a vulnerable system, according to Secunia. The first is an error in the Intel AMS2 component when processing certain messages can be exploited to cause a buffer overflow via specially crafted packets sent to TCP port 38292. The second is an error in the Intel AMS2 component when processing certain messages can be exploited to run arbitrary commands via specially crafted packets sent to TCP port 38292. The third is an error in the Intel AMS2 component when processing certain messages can be exploited to create arbitrary events (e.g. launch a program or send an e-mail) via specially crafted messages sent to TCP port 38292. Successful exploitation of the vulnerabilities may allow execution of arbitrary code. The fourth is an error in the Intel AMS2 component when processing certain messages can be exploited to crash the Intel Alert Handler service via specially crafted packets sent to TCP port 38292. The vulnerabilities are reported in Symantec AntiVirus Corporate Edition Server 10.x. and Symantec System Center 10.x. Source:

48. January 27, H Security – (International) Opera 11.01 closes critical hole. The new version of the Opera Web browser closes the critical hole reported early the week of January 23; this vulnerability allows attackers to gain control of a computer. The problem was caused by a flaw in the code for processing HTML documents that contain select elements with a large number of child elements. In combination with further tricks, this flaw allows arbitrary code to be injected and executed. The vulnerability affects not only the Windows version, but also those for Mac and Unix, and has been closed in all versions. The updates for all operating systems also correct a browser configuration click-jacking vulnerability and a another that allows Web pages to read out local files. Source:

49. January 27, Help Net Security – (International) 5 men busted in relation to Anonymous DDoS attacks. Five men believed to have taken part in recent Anonymous’ DDoS attacks were arrested in the United Kingdom January 27, during a series of raids coordinated by the Metropolitan Police Service’s Police Central e-Crime Unit. The arrested males — aged 15, 16, 19, 20, and 26 — have been taken to their local police stations in West Midlands, Northants, Herts, Surrey, and London, and are currently in custody, police said. The suspects are likely to be charged with offenses under the Computer Misuse Act 1990. They were probably tracked down by the police because they were using Anonymous’ LOIC tool to DDoS various sites — a tool that actually does not completely anonymize its users’ involvement. The arrests are the results of a months’ old investigation the Metropolitan Police has mounted with the help of law enforcement agencies from the United States and various European countries. Source:

50. January 25, Network World – (International) Low-cost SSL proxy could bring cheaper, faster security; defeat threats like Firesheep. Researchers have found a cheaper, faster way to process SSL/TLS with off-the-shelf hardware, a development that could let more Web sites shut down cyber threats posed by the likes of the Firesheep hijacking tool. The technology, dubbed SSLShading, shows how SSL proxies based on commodity hardware can protect Web servers without slowing down transactions, according to a presentation scheduled at the USENIX Symposium on Networked Design and Implementation in Boston March 30 through April 1, 2011. SSL/TLS — the cryptographic protocols used to protect online Web transactions — encrypts traffic from visitors’ machines all the way to Web servers. That makes it impossible to pick up data such as session cookies by preying on unencrypted wireless networks, which is what Firesheep does. Based on an algorithm devised by researchers in Korea and the United States, SSLShading is software that directs SSL traffic being proxied either to a CPU or a graphics processing unit, whichever is most appropriate to handle the current load. The researchers will discuss the algorithm in their paper “SSLShader: Cheap SSL Acceleration with Commodity Processors.” Source:

51. January 24, Darkreading – (International) Active ‘Darkness’ DDoS botnet’s tool now available for free. A free version of a fast-growing and relatively efficient DDoS botnet tool has been unleashed in the underground. The so-called Darkness botnet is best known for doing more damage with less — its creators boasting that it can take down an average-sized site with just 30 bots. Researchers are keeping a close eye on the botnet, which has been very active the past few months. In just the past 3 weeks, for example, Darkness has attacked an average of 1.5 victim sites per day, and about 3 per day in the fourth quarter of 2010, according to data gathered by a research analyst with Arbor Networks’ Asert team. The DDoS botnet appears to originate out of Russia. “It tends to go after targets primarily in Europe, and to a lesser extent, the U.S.,” he said. The director of Shadowserver, revealed January 23 that an older version of the bot code, version 6m, had become available for free in various underground forums as of late December 2010, and that Shadowserver was already seeing new Darkness botnet command and control servers waging DDoS attacks. “Darkness requires fewer infected systems, which makes it more efficient,” he said. Source:

Communications Sector

52. January 26, Reuters – (National) Verizon struggles with BlackBerry data traffic. Some Verizon Wireless customers using BlackBerrys have been limited to making voice calls on Research In Motion’s (RIM) smartphone for as long as a week, but Verizon said January 26 the issue was fully resolved. Contributors to a BlackBerry support forum said they had trouble connecting to the Internet, using Internet-based apps and had delayed e-mail delivery since January 25. RIM routes BlackBerry data traffic through its own servers via a carrier’s network, a method not replicated by other smartphones. The company said its service has been operating normally. “There is no outage, and there hasn’t been one,” a Verizon Wireless spokesman said. “Our engineers discovered that a small number of customers in a limited geographic area had technical glitches that resulted in their e-mail being delayed up to an hour,” he said. The Verizon glitch was fully resolved January 25, he said, declining to provide further technical details or say how many customers were affected or where they were located. Source:

53. January 26, Wall Street Journal – (National) Smartphones get more airwaves. The Federal Communications Commission (FCC) approved a request January 26 to allow a satellite broadband start-up funded by investment firm Harbinger Capital Partners to lease its airwaves for traditional mobile phones. The agency approved a request by LightSquared to drop a requirement that airwaves set aside for satellite-phone use aren’t primarily used instead for ground-based phone networks. The FCC’s action means LightSquared can lease its airwaves to companies that offer normal smartphones such as the iPhone, and not pricier satellite-enabled phones. Source:

54. January 26, WTNH 8 New Haven – (Connecticut) Wallingford building evacuated after roof sags. Fire crews in Wallingford, Connecticut, are on the scene of an AT&T building January 26, where there were concerns about the safety of the roof. The building, located on Research Parkway, was evacuated as fire personnel and engineers looked at the sagging roof structure. Other workers were told not to come in to work January 26. Crews were raking the snow off the roof to lighten the weight load. Engineers said the building was structurally safe, and workers could return to their jobs January 27. Source:

55. January 24, Aviation Week – (International) Errant satellite to be back in business soon. Intelsat appears poised to recoup use of Galaxy 15, the wayward “Zombie Sat” that terrorized telecom satellite neighborhoods around the globe until it was brought under control in late December. Intelsat reported January 13 that Galaxy 15 appeared to be in good health following recovery of control in late December, after a 6-month trek that took it past 15 geostationary communications spacecraft. The incident, which occurred April 5, did not lead to substantial interference or service loss. Galaxy 15 arrived at 93 deg. W. Long. January 15 for a complete checkout, including validation of three control-and-command software patches uploaded in December to ensure the incident did not recur. Intelsat said engineers are focusing on firmware in the baseband equipment (BBE) command unit as the source of the Galaxy 15 incident, and they hope further testing will enable them to narrow down and complete the failure review board inquiry initiated under the control of Orbital Sciences Corp., which built the spacecraft. OSC has also uploaded the software patches, which were validated in orbit in October, on other Intelsat spacecraft that use the same Star 2 bus employed in Galaxy 15. Source: Satellite To Be Back In Business Soon

Thursday, January 27, 2011

Complete DHS Daily Report for January 27, 2011

Daily Report

Top Stories

• The Wilkes-Barre Times Leader reports that a steam leak led to a shutdown of one of two nuclear reactors at the Susquehanna Steam Electric Station near Berwick, Pennsylvania, January 26. (See item 8)

8. January 26, Wilkes-Barre Times Leader – (Pennsylvania) Leak shuts down nuke reactor. The nuclear power plant near Berwick, Pennsylvania, will likely move up a notch on the Nuclear Regulatory Commission’s (NRC) watch list and be subject to increased scrutiny after a steam leak January 25 led to a shutdown of one of the plant’s two reactors. PPL’s chief nuclear officer stressed there were no injuries and that all safety equipment functioned as designed during the shutdown. Plant operators at PPL’s Susquehanna Steam Electric Station decided to shut down reactor Unit 1 at 6:10 a.m. after they discovered steam leakage in an area where water is preheated before being fed into the reactor, the NRC Public Affairs Officer for Region I said. Operators decided to scram the reactor — manually shut it down — after determining the leak could not be isolated and the portion of the system with the leak could not be removed from service without affecting other plant systems, the NRC official said. Source:

• New maps show that should the Lake Maloney dam in North Platte, Nebraska rupture, flooding could be much more extensive than originally thought, according to the North Platte Telegraph. (See item 62)

62. January 26, North Platte Telegraph – (Nebraska) If dam breaks, flooding could be extensive. New maps show a bigger area than originally thought would be affected should Lake Maloney’s north wall rupture. A Nebraska Public Power District media relations specialist said the dam in North Platte is safe, but the Federal Energy Regulatory Commission requires a plan be in place to identify and address any issues that could potentially occur. Local emergency management officials have been briefed about changes to areas that could be affected and the length of time it could take water to enter those areas. The media relations specialist said the maps that were used were made in the 1990s and were updated yearly. They showed water could flow up to the south side of the airport. New versions, created with more sophisticated modeling software, were made available in December to emergency responders. They show water around Newberry Access, the airport and the wastewater treatment plant east of North Platte. Inspections of the dam and canal system are conducted daily. Repair work wrapped up on the dam last spring after underwater cameras detected areas that needed reinforcement. The media relations specialist said the wall was not in danger of rupturing, but the lake was drained for closer examination. The result was steel pilings were inserted on the water side of the wall and concrete was placed behind the pilings. Source:


Banking and Finance Sector

11. January 26, Help Net Security – (National) Hedge funds unprepared for cyber attack. With details trickling in about how the sophisticated Stuxnet computer worm derailed years of work on Iran’s nuclear program, many seasoned observers are left to wonder what might happen if such a powerful weapon were ever turned against the nearly $2 trillion hedge fund industry. On January 26, Alphaserve Technologies, IT advisor to many of the world’s largest hedge funds, offered potential solutions to an industry it perceives as ill-prepared when compared to big banks and other financial institutions. Most hedge funds have protected themselves from external security breaches for years, but today’s managers must protect themselves not only from the outside in, but rather from the inside out, contends the CEO and CTO of Alphaserve Technologies. The everyday, internal activities of employees accessing the Internet, e-mail, Skype, and other information provide ideal channels for worms, malicious software and dishonest employees to siphon off confidential information and do harm. New technologies like Digital Loss Prevention (DLP) software and deep packet inspection firewalls can look inside the Internet channel for any corporate data leaving the company and stop intentional or unintentional illicit transfers of information. Surprisingly though, many marquee names in the hedge fund industry do not have this essential protection even though some are in the process of adopting it, the CEO said. Source:

12. January 26, Petoskey News-Review – (Michigan) Phone and e-mail scams sweep through Northern Michigan. The Michigan State Police Petoskey Post is reporting a new phone scam has emerged in northern Michigan, targeting elderly residents. According to a police spokesman, in the last week-and-a-half alone, two to three dozen residents have reported this scam. Typically, the residents are receiving a phone call informing them their grandchild, who is in the military, has been injured, robbed, or arrested in England. They are then asked to wire $2,800 overseas to help out. The police spokesman said residents should be aware that this scam can be believable. “They often have the name of these people’s grand kids and what branch of military they’re in,” he said. “These people have really done their homework.” In addition to this scam, he said a resident from Petoskey reported she had recently received an e-mail from an old high school friend who told her that she and her family were on vacation in England and were mugged outside their hotel. Source:,0,7621784.story

13. January 26, – (National) Internal fraud and dollar losses. Internal fraud is one of the financial-services industry’s most threatening types of fraud. Industry experts ranked it as one of the top 9 security threats banks and credit unions will face in 2011. A senior analyst with Aite Group and author of the report, “Internal Fraud: The Devil Within,” said internal fraud damages an institution’s reputation, is often difficult to detect and is getting more prevalent, now that organized crime has figured out how easy it is to “plant” employees who are more than willing to steal internal information. “Banks and credit unions need to invest more in detection technology,” the analyst said, adding internal fraud at most banks and credit unions is under-reported, if detected at all. The analyst’s research found that institutions that rely on detection systems to catch internal fraud report higher losses, averaging about 10 percent, while institutions relying on manual techniques said internal fraud losses account for only about 4 percent of overall losses. “I think the number is probably closer to 10,” the analyst said. “Those that use technology are catching more.” Source:

14. January 26, Associated Press – (Vermont) Georgia, Vt., bank robbery suspect arrested. Authorities in Burlington, Vermont, have arrested two men wanted in an armed bank robbery in the Vermont town of Georgia. Burlington Police and U.S. Marshals arrested a 30-year-old male from St. Albans and a 37-year-old male from Swanton January 26 after a short chase. The 30-year-old suspect is accused of robbing the People’s Trust Bank January 24 and making off with an undisclosed amount of cash. He is expected to be arraigned January 26 on charges of assault and robbery. The 37-year-old male will be charged with being an accessory. Vermont State Police said tips from the public helped lead to the arrests. Source:

15. January 25, Softpedia – (International) New phishing campaign targets ‘First Data’ merchant accounts. Researchers from e-mail security vendor AppRiver warn about a phishing campaign that targets merchant accounts from a payment processing vendor called First Data. The pool of phishing attacks targets online banking accounts, credit card information, personal details, and other online accounts. Scams aimed at merchants are not very common. “Once the hacker has gained access to the First Data account they will likely have gained control over that specific merchants account,” warned a security researcher at AppRiver. First Data is an Atlanta, Georgia-based provider of online and on-site payment solutions which caters to merchants, financial institutions, and government agencies. Source:

Information Technology

46. January 26, CNN Money – (International) Mark Zuckerberg’s Facebook page hacked. The fan page of Facebook’s founder and CEO was hacked January 25. The message that appeared on the page under his name read: “Let the hacking begin: If facebook needs money, instead of going to the banks, why doesn’t Facebook let its users invest in Facebook in a social way? Why not transform Facebook into a ‘social business’ the way Nobel Price winner ... described it? http://bit(dot)ly/fs6rT3 What do you think? #hackercup2011.” The message received more than 1,800 “likes” before it was removed from the page. The unsettling breaches raise questions about the company’s security. “Mark Zuckerberg might be wanting to take a close look at his privacy and security settings after this embarrassing breach,” a senior technology consultant at Sophos, wrote on the security protection site. “It’s not clear if he was careless with his password, was phished, or sat down in a Starbucks and got sidejacked while using an unencrypted wireless network,” he said. “However it happened, it’s left egg on his face just when Facebook wants to reassure users that it takes security and privacy seriously.” Source:

47. January 26, Computerworld – (International) Intel developing security ‘game-changer’. Intel’s chief technology officer said the chip maker is developing a technology that will be a security game changer. He told Computerworld January 25 that scientists at Intel are working on security technology that will stop all zero-day attacks. And, while he would give few details about it, he said he hopes the new technology will be ready to be released in 2011. He noted the technology will not be signature-based. Signature-based malware detection is based on searching for known patterns within malicious code. The problem, though, is that zero-day, or brand-new, malware attacks are often successful because they have no known signatures to guard against. Intel is working around this problem by not depending on signatures. Source:

48. January 26, The Register U.K. – (International) Man knows when you’re signed in to GMail, Twitter, Digg. A Nottingham, United Kingdom-based Web developer has figured out a simple way to tell if visitors to his site are logged in to Gmail, Facebook, Twitter, Digg, and thousands of other Web sites. One method the man developed makes use of status codes returned by many sites, which differ depending on whether a user is logged in or not. By embedding a small piece of JavaScript that contains a link to one of the sites he is curious about, he can immediately tell if a visitor is logged in. The method works reliably for Twitter, Facebook, and Digg when visitors are browsing with Firefox, Safari, or Chrome. It does not work when visitors are using Internet Explorer or Opera. The exploit works by identifying the HTTP status code returned when the visitor’s browser encounters the link in the man’s script. A 200 code, indicating the request was successfully fulfilled, indicates the person is not logged in, while 404, 500 and other error codes indicate the opposite. Source:

49. January 25, Softpedia – (International) Bagle overtakes Rustock as primary spam source in January. According to the January spam report from Symantec’s

MessageLabs hosted services arm, the Bagle botnet overtook Rustock as the primary source of spam traffic for January. Rustock was the dominant spam botnet in 2010 and was responsible for 47.5 percent of all spam e-mails. M86 Security estimates that at its peak, Rustock accounted for nearly 60 percent of the world’s spam, but its activity started to wind down in October when Spamit, the world’s largest rogue pharmacy affiliate program, closed down. The botnet baffled researchers when it stopped spamming entirely December 25 and remained silent until January 10, however, this was probably due to the winter holidays in Russia. Rustock returned in force since then, but did not make up for the lost start, which allowed Bagle to jump in front. “Since its return, Rustock has accounted for approximately 17.5 percent of all spam in January while the Bagle botnet has taken the lion’s share with 20 percent of spam,” the MessageLabs report said. Source:

50. January 25, Softpedia – (International) Users infected with scareware via ICQ malvertizing. Scareware distributors have managed to push rogue antivirus advertisements onto the ICQ network by posing as the clothing retailer Charlotte Russe. According to a senior antivirus researcher at Kaspersky Lab, the security vendor began receiving numerous reports of infections with a piece of scareware called Antivirus 8 recently. Upon investigating the problem, Kaspersky’s researchers realized that fake antivirus popups were being displayed on people’s desktop even when they were not using their browsers. The rogue ads were tracked down to running instances of the ICQ instant messaging application which has its own internal advertising mechanism. When investigating the ICQ advertisements, experts found that one of them was loaded from [censored], a domain name that seems to be related to clothing retailer. Source:

51. January 25, Help Net Security – (International) Facebook fake photo links lead to malware. A simplistic but effective bait leading to malware has been circling on Facebook for the past few weeks. Users are sent messages from friends’ accounts saying Foto :D apps(dot)facebook(dot)com/photobf/index(dot)php. If the user fails to find it strange or suspicious, a click on the link will take him to a page where the photo was allegedly posted prior to being moved. The next click on the “View Photo” button triggers the download of what looks at first glance like a .png file because of its icon, but it is actually an executable. According to GFI, many rogue application pages were involved in the malware run, but have been deactivated by Facebook one by one. The external sites that have been serving the malware have also been taken offline. The malicious file is a generic Trojan, and is currently being detected by more than two thirds of the AV solutions used by VirusTotal. Source:

For more stories, see item 15 above in the Banking and Finance Sector

Communications Sector

52. January 25, Spokane Spokesman Review – (Washington; Colorado) Accident causes power, Internet outages. Avista customers lost electrical power and a number of businesses lost Internet service January 25 morning after a car smashed a utility pole in Otis Orchards, Washington. About 700 homes were without power for more than 90 minutes after the 4:30 a.m. incident at the intersection of Starr Road and Wellesley Avenue. The longer-lasting impact was on Internet service for more than a dozen business customers of Colorado-based Zayo Enterprises, which manages a large network of fiber-optic cables. Three routes of fiber-optic lines converge on the power pole that was knocked over, a company spokesman said. He said the fiber lines will be reconnected “by this (January 25) evening. The power lines had to be repaired first (before the fiber lines could be fixed),” he said. The spokesman said he had no way of knowing how many dark-fiber customers were impacted. Source: