Tuesday, August 30, 2011

Complete DHS Daily Report for August 30, 2011

Daily Report

Top Stories

 Hurricane Irene was blamed for at least 20 deaths, downed power lines, flooding, and travel delays, involving airports, train stations, and roadways along the East Coast, and economic losses are estimated at up to $10 billion. – USA Today (See item 20)

20. August 29, USA Today – (National) Even weakened Irene’s wake to be felt for weeks. Hurricane Irene lost much of its bluster by the time it was downgraded to a tropical storm August 28, but as it continued to course up the Eastern Seaboard, its destructive wake — which left more than 20 dead — will be felt for weeks. Irene claimed victims from Florida to Connecticut, economic losses are already estimated at up to $10 billion, and problems from downed power lines, flooding, and snarled travel. Thousands of weekend flights were canceled, promising air-travel delays for much of the week of August 29. New Jersey Transit, which carries train passengers into New York across the Hudson River, planned to operate on a modified schedule August 29 after completing checks of tracks and infrastructure. The New York mayor lifted an evacuation order allowing 370,000 residents of low-lying areas to return to their apartments and houses. PATH train service linking New York City with Newark and Hoboken, New Jersey, was scheduled to resume at 4 a.m. August 29. The Port Authority and the Federal Aviation Administration said late August 28 that John F. Kennedy Airport and Newark Liberty Airport would reopen at 6 a.m, while LaGuardia Airport would open at 7 a.m. In New Jersey, officials were shifting attention from the state’s battered coastline to inland areas, where record-breaking flooding is expected along the Passaic and Ramapo rivers through August 30. Evacuations of some communities along both waterways were planned even as residents of the state’s coastal communities were cleared to return August 28. In Vermont, where Wilmington and Dover were hit hard, more than 80 main and secondary roads are shut down, including parts of Interstate 91. In Rhode Island, where half the state’s 1 million residents were without power August 28, there were scores of reports of fallen trees, limbs, and downed power lines. Source: http://www.11alive.com/news/article/203292/40/Even-weakened-Irenes-wake-to-be-felt-for-weeks

 About 70 homes and 2 campgrounds were ordered to evacuate August 28 as a wildfire, which was burning 4,700 acres, spread outside Yosemite National Park in California, fire officials said. – San Francisco Chronicle (See item 53)

53. August 29, San Francisco Chronicle – (California) Yosemite fire grows - 2 campgrounds evacuated. About 70 homes and 2 campgrounds were ordered to be evacuated August 28 as a wildfire spread outside Yosemite National Park in California, fire officials said. The Motor Fire, which spread from a motor home blaze August 25 in the Merced River Canyon, was 35 percent contained after burning more than 4,700 acres on both sides of the river. The evacuation order for homes in and around Cedar Lodge affects two commercial buildings and 35 outbuildings, a National Park Service spokeswoman said. The Incline and Merced River Canyon Campgrounds were also evacuated. Officials said homes in the nearby community of Rancheria Flats may need to be evacuated as well. A 15-mile stretch of Highway 140, a main entrance into Yosemite, has been closed indefinitely, starting about 4 miles west of the park entrance and continuing east of Midpines. The fire was spreading toward nearby Trumbull Peak, threatening a historic fire lookout tower, officials said. A DC-10 aircraft was dispatched to the fire August 28 and made multiple drops of flame retardant on the fire’s eastern edge. Source: http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2011/08/29/BAL11KT3TO.DTL


Banking and Finance Sector

16. August 28, Associated Press – (Arkansas; Oklahoma; Missouri) Arrest made in ‘Fake Beard Bandit’ case. Fort Smith, Arkansas investigators said late August 26 that they were notified by the FBI that an anonymous tip was received identifying a 39-year-old man as the so-called ―fake beard bandit.‖ Investigators said the suspect, a resident of Tulsa, Oklahoma, was identified as the man in surveillance video by witnesses from two recent incidents at banks in Fort Smith, as well as robberies in the Kansas City area, Oklahoma, and Joplin, Missouri. The most recent robbery was on August 23 at Liberty Bank in Fort Smith. Source: http://www.kmbc.com/r/28998687/detail.html

17. August 28, Bloomberg News – (New York; New Jersey; North Carolina) Exchanges to shed sandbags as Irene passes. Goldman Sachs Group Inc. and Citigroup Inc., whose offices in New York’s evacuation zone for Hurricane Irene escaped major damage, are among Wall Street banks that will resume business August 29 as exchanges open. Sandbags remained piled around the entrance to Goldman Sachs’s headquarters at 200 West Street August 28, with security guards standing by. The firm’s buildings are ―functioning normally‖ and will be open, a Goldman Sachs spokesman, said in a phone interview. Across the street, American Express Co.’s (AmEx) headquarters will remain closed today. AmEx advised its New York-based employees to work from home. The buildings that house Citigroup’s main trading floors at 388-390 Greenwich Street ―are fully functional,‖ a spokeswoman for the firm, said August 28 in an e-mail. JPMorgan Chase & Co. said it was contacting workers after its Midtown headquarters avoided serious damage. Bank of America Corp.sustained minimal impact to its facilities in downtown New York and expects its headquarters in Charlotte, North Carolina, to be open for business, said a spokeswoman for the firm. The Times Square headquarters of Morgan Stanley, operator of the world’s biggest retail brokerage, was not damaged and the company is prepared for ―business as usual,‖ a spokesman for the firm, said in an e-mail. NYSE Euronext, Nasdaq OMX Group, Bats Global Markets, and Direct Edge Holdings LLC said in statements that they plan normal trading sessions August 29. The Securities Industry and Financial Markets Association recommended no change to bond-market schedules, and CME Group Inc. (CME) said the New York Mercantile Exchange will open. Security guards were posted at the entrances and exits of Goldman Sachs and American Express headquarters buildings August 28, as well as in front of the Federal Reserve Bank of New York. There was little visible evidence of flooding, downed trees, or other damage in the area. Source: http://www.bloomberg.com/news/2011-08-28/citigroup-s-downtown-new-york-offices-fully-functional-as-irene-passes.html

18. August 26, KNTV 13 Las Vegas – (Nevada) Police capture bank robber dubbed ‘Bilingual Bandit’. An accused robber known for holding up banks in two languages was arrested August 26 in Las Vegas, Nevada. Metro Las Vegas officers and FBI agents were after the suspect, also known as ―The Bilingual Bandit.‖ He is believed to have burst into four banks with a gun, yelling in Spanish for everyone to get down. It was the same story the morning of August 26 when he robbed a Wells Fargo on North Nellis and Charleston. By taking a look at previous bank robbery scenes, police were able to make a pretty good guess on where he was going to hit next. ―It’s one of those things where he developed his own pattern, and because of his own pattern we were able to catch him,‖ police said. Source: http://www.ktnv.com/news/local/128504433.html

19. August 26, Security News Daily – (International) Cyber crime gang steals $13 million in a day. A coordinated cyber criminal network pulled off one of the largest and most complex banking heists ever, withdrawing $13 million in 1 day from ATMs in 6 countries. The massive breach hit Fidelity National Information Services Inc. (FIS), a Jacksonville, Florida-based firm that processes prepaid debit cards. FIS disclosed the breach May 5. According to a security researcher, the attackers first broke into FIS’s network and gained unauthorized access to the company’s database, where each debit card customer’s balances are stored. FIS’s prepaid debit cards include a fraud protection policy that limits the amount cardholders can withdraw from an ATM with a 24-hour period. Once the balance on the cards is reached, the cards cannot be used until their owners put more money back onto the cards. Then, the criminals obtained 22 legitimate cards, eliminated each card’s withdrawal limit, and cloned them, sending copies to conspirators in Greece, Russia, Spain, Sweden, Ukraine, and the United Kingdom. When the prepaid limit on each card got too low, the hackers simply reloaded the fraudulent cards remotely. At the close of the business day March 5, the criminals began taking out money from ATMs. By March 6, the scam was over, and the attackers had stolen $13 million. It is not clear who is behind the attack on FIS, although the characteristics of the scheme put it in line with similar crimes perpetrated by cyber criminals in Estonia and Russia. Source: http://www.msnbc.msn.com/id/44291945/ns/technology_and_science-security/#.Tlu1K12PzAw

Information Technology Sector

44. August 29, Softpedia – (International) Sophisticated file infector powers click fraud scam. Security researchers from Symantec uncovered a click fraud scam instrumented with the help of a sophisticated file infector. It was the infector, W32.Xpaj.B, that attracted the attention of malware analysts with its complex detection-evading techniques. W32.Xpaj.B infects executable files on computers and network drives which then query the command and control servers every time they are run. Despite resembling a general purpose downloader, W32.Xpaj.B has only been used as part of this click fraud scheme that hijacks legitimate search engine queries and returns ad-laden results. The infrastructure supporting this operation spans several countries, but unlike the file infector, the server-side code is unsophisticated. This has led researchers to believe that the dropper might have been bought from a third-party. The scam itself is similar to the one that recently led to Google displaying malware warnings on its search site. The search queries are passed through a series of proxies and when results are returned, they are accompanied by rogue ads. Symantec’s researchers managed to reverse-engineer the encrypted code and obtain access to the ―accounting‖ back-end which held logs going back as far as September 2010.The extracted data shows that fraudsters intercepted an average of 241,000 searches per day until June 2011, which resulted in profits of $170 per day. Source: http://news.softpedia.com/news/Sophisticated-File-Infector-Used-in-Click-Fraud-Scam-219190.shtml

45. August 29, H Security – (International) Hacker steals user data from Nokia developer forum. A vulnerability in its forum software has been exploited by a hacker to compromise mobile phone maker Nokia’s developer forum. The attacker used SQL injection to access the forum database at developer.nokia.com and, according to Nokia, obtained e-mail addresses of registered users. Where configured to be publicly available, the table also includes details such as the user’s date of birth, Web site URL and Skype, ICQ or other IM username; this is reported to be the case for around 7 percent of users. The database did not contain passwords or credit card information. The issue does not, according to Nokia, affect any other Nokia accounts. The attacker, calling himself pr0tect0r AKA mrNRG, temporarily redirected the developer forum to a site containing a message for Nokia. Nokia apologized for the incident and has temporarily taken the forum offline. The company states that, although the vulnerability was fixed immediately, it is still investigating the incident. Source: http://www.h-online.com/security/news/item/Hacker-steals-user-data-from-Nokia-developer-forum-1332867.html

46. August 28, threatpost – (International) New worm Morto using RDP to infect Windows PCs. A new worm called Morto has begun making the rounds on the Internet in the last couple of days, infecting machines via Remote Desktop Protocol (RDP). The worm is generating a large amount of outbound RDP traffic on networks that have infected machines, and Morto is capable of compromising both servers and workstations running Windows. Users who have seen Morto infections are reporting in Windows help forums that the worm is infecting machines that are completely patched and are running clean installations of Windows Server 2003. The SANS Internet Storm Center August 28 reported a huge spike in RDP scans in the last few days, as infected systems have been scanning networks and remote machines for open RDP services. One of the actions that the Morto worm takes once it is on a new machine is that it scans the local network for other PCs and servers to infect. Researchers at F-Secure said that Morto is the first Internet worm to use RDP as an infection vector. Once it is on a new machine and has successfully found another PC to infect, it starts trying a long list of possible passwords for the RDP service. Source: http://threatpost.com/en_us/blogs/new-worm-morto-using-rdp-infect-windows-pcs-082811

47. August 26, Softpedia – (International) Malvertizing spotted on Google’s DoubleClick. Security researchers from Web security vendor Armorize spotted malicious ads on Google’s DoubleClick network that lead to drive-by download exploits. ―In the past few days, our scanners noticed malvertising on Google DoubleClick. The malvertisement is being provided to DoubleClick by Adify (Now a part of Cox Digital Solutions), and to Adify by Pulpo Media, and to Pulpo Media by the malicious attackers pretending to be advertisers: indistic.com,‖ the Armorize experts warn. ―The malvertisement causes visitor browsers to load exploits from kokojamba.cz.cc (the exploit domain), which is running the BlackHole exploit pack. Currently, 7 out of 44 vendors on VirusTotal can detect this malware,‖ they add. Source: http://news.softpedia.com/news/Malvertizing-Spotted-on-Google-s-DoubleClick-218988.shtml

Communications Sector

48. August 29, Associated Press – (National) Irene takes out some East Coast cellphone service. Wireless networks fell quiet August 29 in some coastal areas of North Carolina and southern Virginia, but calls were going through in most areas affected by Tropical Storm Irene, the FCC said. In Lenoir, Greene, and Carteret counties of North Carolina, 50 percent to 90 percent of cell towers went offline, said the head of the public safety bureau of the FCC. About 400 cell towers were offline in North Carolina and Virgina, with power outages the chief reason. Another 200 towers were running on backup power by the evening of August 27 and could go silent as their backup batteries or generators run dry, the head of the public safety bureau said. Landline phone service failed for about 125,000 households on the coast, the FCC said. Another 250,000 have lost cable service, and some of them could have phone service from the cable company, which would then also be out. The FCC Chairman said the 911 system has held up well. There were no reports of call-center outages or call congestion, he told The Associated Press. Public-safety networks for police, firefighters, and ambulance crews also were working. Networks in the biggest population center in the path of the storm, the greater New York metropolitan area, were largely spared. In New York City itself, the FCC said, only 1 percent of cell towers went off the air. Time Warner Cable Inc., one of the city’s two cable companies, said it had reports of sporadic outages. Verizon Communications Inc., the local phone company, was running some switching centers on backup power. Source: http://www.forbes.com/feeds/ap/2011/08/29/technology-broadcasting-amp-entertainment-us-irene-phone-service_8648024.html

49. August 28, City News Service – (California) Time-Warner Internet service restored. Internet and telephone service for thousands of Southern California homes and businesses went out for more than six hours August 28, as one of the largest Internet providers grappled with a system-wide failure in its network serving San Diego and large areas in the Los Angeles, Orange County, and Palm Springs areas. Time-Warner Cable engineers said they found a malfunctioning piece of equipment at an undisclosed location ―outside the state of California‖ and at about 1 p.m. began reprogramming routers to avoid the bottleneck, said a company spokesman. Repairs began to take effect in some locations immediately, and the entire system should be functioning normally by mid-afternoon, he said. The spokesman said the data interruption, which he said was intermittent, also cut telephone service for customers who use a Time-Warner cable or fiber line for bundled Time-Warner dial-tone phone service. VOIP service like Skype or Vonage was also affected. The company has concentrations of customers in San Diego, Los Angeles, Orange counties, and Coachella Valley, and all were affected August 28, a spokesman said. Source: http://www.10news.com/news/29006825/detail.html

No comments: