Monday, August 29, 2011

Complete DHS Daily Report for August 29, 2011

Daily Report

Top Stories

• On August 25, energy suppliers from North Carolina to Maine secured equipment, activated emergency plans, and warned customers about potential power disruptions as Hurricane Irene threatened the East Coast. – Reuters (See item 5)

5. August 25, Reuters – (National) U.S. energy sector braces for direct hit from Irene. From nuclear plants to pipelines and refineries, energy companies braced August 25 for a potentially devastating Hurricane Irene that barreled toward the most populated part of the United States. The storm prompted energy suppliers from North Carolina to Maine to secure equipment, activate emergency plans, and warn customers about potential power disruptions. While the East Coast region has no major offshore oil and gas production like the hurricane-prone Gulf Coast, the stakes were still daunting. The region has around a dozen nuclear plants, a massive oil delivery hub at New York Harbor, and its pipelines and power networks serve more than 100 million Americans. The Colonial Pipeline, a 2.37-million-barrels-per-day refined oil product supply line, stretches 5,500 miles from Texas to the New York Harbor, with “spurs” to other fuel hubs that could be in the storm’s path, including in Maryland and Virginia. The agency warned of potentially long power outages, including in New York City, which predicted winds of more than 75 miles per hour. National Grid, which supplies electricity and natural gas to some 3 million customers in the Northeast, enacted a plan that included racing crews and emergency equipment into place, and warning hospitals to prepare backup power for patients on life support, in case of outages. Kinder Morgan, another pipeline and terminal operator, was busy fueling vehicles, generators and pumps, and securing equipment. It had plans to shut two terminals that handle products including fertilizer and coal in Virginia for 24 hours, starting August 27. Source:

• According to a report issued by the Institute for Safe Medication Practices the week of August 15, 52 percent of hospital purchasing agents and pharmacists reported they have bought drugs from so-called “gray market” vendors during the previous 2 years. – MSNBC News (See item 35)

35. August 26, MSNBC News – (National) Half of hospitals buy back-door drugs. Amid growing reports of price-gouging for life-saving drugs, 52 percent of hospital purchasing agents and pharmacists reported they have bought drugs from so-called “gray market” vendors during the previous 2 years, according to a just-released survey of 549 hospitals by the Institute for Safe Medication Practices (ISMP), an advocacy group. Gray-market suppliers are those that operate outside official channels, often buying drugs from uncertain sources and reselling them at a steep profit. A report issued the week of August 15 by one hospital association found their average mark-up was 650 percent. Pressures from demanding doctors and desperate patients helped fuel the transactions, making hospital staffers feel like they had no choice but to buy drugs in short supply at steep prices. More than half of respondents to the ISMP survey, some 56 percent, said they were bombarded daily with solicitations from up to 10 gray market vendors, with requests coming by phone, e-mail and fax. About a third of respondents from critical access and community hospitals who had purchased drugs from gray-market sources said they paid at least 10 times the contract price for the medications. Source:


Banking and Finance Sector

17. August 25, Philadelphia Daily News – (Pennsylvania) Man in $7 million shore mortgage scam: I’m guilty. A Las Vegas, Nevada man who formerly worked as a mortgage broker in Chester County, Pennsylvania, pleaded guilty August 25 for his role in a $7 million mortgage scam involving conspiracy, wire fraud, and money laundering. As a mortgage broker he bilked at least 7 banks or financial institutions in the scam, which lasted from May 2005 to October 2008. Court papers said he found buyers, including family members, to purchase homes, primarily in North Wildwood, for inflated prices, so that buyers would get kickbacks of between $30,000 and $50,000 at closing. He helped buyers qualify for mortgages using fraudulent information, such as inflated income or asset information and false employment information. Most of the buyers made few or no payments on their mortgages, causing lenders to foreclose on the properties and attempt to resell them to recoup some of their losses, authorities said. He profited from the scam by making inflated commissions on the transactions, by receiving kickbacks on his own purchases, and by receiving other kickbacks from the sellers of properties for finding them willing buyers. Source:

18. August 25, Southwest Times Record – (Kansas; Missouri; Oklahoma) Police eye tie to FBI’s bank bandit. A man sporting a fake beard during an August 23 bank robbery could be a man wanted by the FBI, but police have not ruled out other possibilities, according to a police spokesman. The FBI refers to him on its website as the “Fake Beard Bandit,” and believes he is responsible for 7 bank robberies in Oklahoma, Kansas, and Missouri dating back to May 24. A public information officer for the Fort Smith Police Department said there are a lot of similarities between the 7 bank robberies allegedly committed by the Fake Beard Bandit and the robbery that occurred August 23 at Liberty Bank, 4625 Old Greenwood Road. The August 23 suspect came into the bank through the building’s east entrance while four clerks were working, brandished a black handgun, and demanded money. He then ordered everyone in the bank to lie on the floor for five minutes before he left with an undisclosed amount of money. The man the FBI is looking for usually comes to the bank 2 hours before each robbery to get a deposit slip or other paperwork, but police said they have not identified anyone doing that on the bank’s security footage. Source:

19. August 25, Forbes – (International) JPMorgan paying $88.3M over alleged violations. JPMorgan Chase Bank is paying $88.3 million under an agreement with the Treasury Department, which says the bank violated regulations that prohibit lending money to entities linked to countries engaged in illicit nuclear trade, as well as regulations that cover dealings with Cuba and Sudan. Treasury’s Office of Foreign Assets Control (OFAC) announced the agreement August 25 with the big Wall Street bank. The office said some of JPMorgan Chase’s “apparent violations” of the regulations were serious. In one case, JPMorgan Chase Bank in December 2009 made a $2.9 million trade loan to another bank, which extended credit to a ship that had been identified as linked to the Iranian government’s shipping lines, OFAC said. It said JPMorgan managers knew the loan violated the regulations against helping nations such as Iran that proliferate weapons of mass destruction, but did not notify the government until March 2010. In the Cuban case, OFAC said the bank processed 1,711 wire transfers totaling $178.5 million between December 2005 and March 2006 involving Cubans, in apparent violation of the U.S. Cuban assets control regulations. Although JPMorgan managers were given the results of an internal investigation of the transfers, the bank “failed to take adequate steps to prevent further transfers,” the agency said. OFAC said the regulations involved were the Cuban Assets Control Regulations, the Weapons of Mass Destruction Proliferators Sanctions Regulations, the Global Terrorism Sanctions Regulations, the Iranian Transactions Regulations, the Sudanese Sanctions Regulations, and the Former Liberian Regime of Charles Taylor Sanctions Regulations. Source:

Information Technology Sector

44. August 26, Help Net Security – (International) Illegal keygen for well-known AV solution leads to infection. An illegal key generator for the recently released latest version of the TrustPort Internet Security solution brings trouble to unsuspecting users, warns BitDefender. Bundled with the keygen is a trojan that injects itself into explorer.exe and adds a list of exceptions to the locally installed firewall, in order to finally deploy a backdoor on the targeted computer. The trojan is capable of stealing passwords cached in a variety of Web browsers and information regarding Internet banking and online financial transactions, recording video and audio streams from the computer’s Webcam, and logging conversations conducted via IM applications and social networks. It is also capable of downloading other malicious software, including the Zeus trojan and a number of remote administration tools. The keygen in question is equipped to spread via a variety of means, including IM services, e-mail clients, P2P sharing, and USB drives. Source:

45. August 26, Help Net Security – (International) Bitcoin mining botnet also used for DDoS attacks. A recently discovered P2P Bitcoin mining botnet has acquired DDoS capabilities, warns a Kaspersky Lab researcher. Its main purpose so far has been Bitcoin mining, as the bot installs three trojans with that function (Ufasoft, RCP, and Phoenix), but it also functions as a way of delivering other malicious software to the infected machines. Among the delivered files are two DDoS programs. According to H Security, their targets change as different victim lists are delivered by the botnet operators. Currently, the first module, which uses HTTP flooding, is attacking 31 German and 2 Austrian estate agency portals and food industry sites. The second one, using UDP flooding, is targeting the IP addresses of companies that offer anti-DDoS services. One of the food industry sites targeted confirmed that it had been suffering an attack for 3 days, during which it was bombarded with 20,000 – 30,000 HTTP requests per second coming from some 50,000 IP addresses. Given the P2P architecture, this botnet will be extremely hard to take down, and the number of infected machines taking part in it is currently increasing. As its targets are easily updated by its operators, the next ones will likely be determined by the people who rent its services in the future. Source:
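The figures in item 45 (tens of thousands of requests per second from some 50,000 addresses) illustrate why per-source rate limits alone do not catch a P2P botnet flood: each bot can stay quiet while the aggregate is crushing. The following is an added example, not code from Kaspersky Lab, H Security, or the DHS report, showing the two views a defender would run over a Common Log Format access log. The log lines and the 192.0.2.x/203.0.113.x addresses are constructed samples (RFC 5737 documentation ranges), and the thresholds are illustrative assumptions.

```python
"""Added example (not code from Kaspersky Lab, H Security or the DHS report):
spot an HTTP flood in a web server access log. The log lines are constructed
samples; real volumes are far higher than this toy data."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed CLF line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT).replace(microsecond=0),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def flood_report(lines, per_ip_threshold=20, total_threshold=100):
    """Two views of the same log.

    noisy_ips: single sources above per_ip_threshold requests (a loud bot).
    hot_seconds: one-second buckets whose total exceeds total_threshold, with the
    number of distinct sources and the share taken by the most common request
    line. A botnet of tens of thousands of hosts stays under any per-IP limit,
    so only the aggregate view reveals it; a high top_share across many sources
    is the fingerprint of one flooding module replaying the same request.
    """
    per_ip = Counter()
    per_second = defaultdict(lambda: {"requests": 0, "ips": set(), "reqs": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines the parser cannot read rather than crash mid-incident
        per_ip[rec["ip"]] += 1
        bucket = per_second[rec["ts"]]
        bucket["requests"] += 1
        bucket["ips"].add(rec["ip"])
        bucket["reqs"][rec["req"]] += 1

    noisy_ips = sorted(ip for ip, n in per_ip.items() if n > per_ip_threshold)
    hot_seconds = []
    for ts, bucket in sorted(per_second.items()):
        if bucket["requests"] <= total_threshold:
            continue
        top_req, top_n = bucket["reqs"].most_common(1)[0]
        hot_seconds.append({
            "second": ts.isoformat(),
            "requests": bucket["requests"],
            "distinct_ips": len(bucket["ips"]),
            "top_request": top_req,
            "top_share": top_n / bucket["requests"],
        })
    return noisy_ips, hot_seconds


def sample_log():
    """Constructed log: two ordinary visitors plus 40 bot addresses that each
    send five identical GETs inside the same second."""
    lines = [
        f'192.0.2.10 - - [26/Aug/2011:10:00:0{i} +0200] "GET {path} HTTP/1.1" 200 512'
        for i, path in enumerate(["/", "/products", "/about"])
    ]
    lines.append('192.0.2.11 - - [26/Aug/2011:10:00:05 +0200] "GET /contact HTTP/1.1" 200 700')
    for host in range(1, 41):
        lines += [f'203.0.113.{host} - - [26/Aug/2011:10:00:05 +0200] "GET / HTTP/1.0" 200 512'] * 5
    lines.append("malformed line that the parser must skip")
    return lines


if __name__ == "__main__":
    noisy, hot = flood_report(sample_log())
    print("noisy single sources:", noisy)
    for h in hot:
        print(h)
```

With the default thresholds no single address is noisy, yet the 10:00:05 bucket shows 201 requests from 41 sources with almost all of them replaying the same request line; that aggregate signal, not the per-IP count, is what to alert on and what to feed into upstream filtering.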

46. August 26, Softpedia – (International) Remote code execution vulnerability patched in F-Secure Antivirus. F-Secure patched a remote code execution vulnerability that affected several of its security products and exposed users to drive-by download attacks. The buffer overflow vulnerability is located in the F-Secure Gadget Resource Handler ActiveX Control (fsresh.dll). According to vulnerability management vendor Secunia, which rates this vulnerability as highly critical, the flaw is caused by a boundary error in the handling of the “initialize()” method. The vulnerability can be exploited by tricking victims into visiting a specially-crafted Web page using Internet Explorer. F-Secure Anti-Virus 2010 and 2011, F-Secure Internet Security 2010 and 2011, as well as products based on F-Secure Protection Service for Consumers version 9 and F-Secure Protection Service for Business — Workstation security version 9 are affected by this flaw. Source:

47. August 26, Softpedia – (International) SecurID secrets stolen with Poison Ivy. Security researchers managed to obtain a copy of the malicious attachment used in the advanced persistent threat (APT) attack against RSA Security and found it dropped a variant of the Poison Ivy backdoor. The March RSA Security intrusion, which resulted in the theft of data related to the company’s popular SecurID two-factor authentication product, was widely covered in the media. This was partially because of RSA’s silence following the breach and the fact that it resulted in attacks against Lockheed Martin and possibly other U.S. military contractors. The company eventually offered to replace all SecurID tokens for its customers, estimated at 40 million, and has already reported losses of $60 million resulting from the incident. RSA previously revealed that the attack involved an e-mail sent to its employees carrying an Excel file called “2011 Recruitment plan.” This file bundled a zero-day Flash Player exploit. Security researchers had been trying to track down the file in question for months, and finally, the week of August 15, a malware analyst from F-Secure had a breakthrough. He wrote a tool that analyzed malware samples for Flash objects most likely associated with an exploit for this vulnerability. One of the identified samples was an Outlook message file, and when he opened it, he realized it was the exact e-mail sent to RSA employees. Source:
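The triage step in item 47 (scan a pile of samples for embedded Flash objects, then look at the ones that carry one) can be reproduced in a few lines. The following is an added example, not the F-Secure analyst’s tool, that locates SWF headers inside an arbitrary blob and verifies that each candidate really is a Flash object rather than a stray three-letter string. The container bytes are constructed; in practice the scanner is run over the streams extracted from an OLE document or the parts of an OOXML zip, and the Flash object may itself be wrapped in an OLE stream.

```python
"""Added example (not F-Secure's tool): find SWF (Flash) objects embedded in a
blob, the kind of triage the item describes for locating the exploit-carrying
Excel attachment. The container bytes below are constructed."""
import struct
import zlib

# SWF header: 3-byte signature, 1-byte version, 4-byte little-endian uncompressed length
SWF_SIGNATURES = (b"FWS", b"CWS", b"ZWS")  # plain, zlib-compressed, LZMA-compressed


def _verify(sig, after_header, declared_len):
    """True when the bytes following a candidate header really form a SWF of the
    declared size; this is what separates a Flash object from a stray 'CWS' string."""
    if sig == b"FWS":
        return len(after_header) >= declared_len - 8
    if sig == b"CWS":
        d = zlib.decompressobj()
        try:
            out = d.decompress(after_header)  # trailing bytes land in d.unused_data
        except zlib.error:
            return False
        return d.eof and len(out) == declared_len - 8
    return False  # ZWS uses an LZMA layout with a custom header; reported but not verified here


def find_swf_objects(blob, max_version=50):
    """Scan blob for SWF headers; returns one record per candidate, verified or not."""
    hits = []
    for sig in SWF_SIGNATURES:
        pos = blob.find(sig)
        while pos >= 0:
            if pos + 8 <= len(blob):
                version = blob[pos + 3]
                (declared_len,) = struct.unpack_from("<I", blob, pos + 4)
                if 1 <= version <= max_version and declared_len >= 8:
                    hits.append({
                        "offset": pos,
                        "kind": sig.decode(),
                        "version": version,
                        "declared_len": declared_len,
                        "verified": _verify(sig, blob[pos + 8:], declared_len),
                    })
            pos = blob.find(sig, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def _swf_body():
    # Minimal SWF body: empty RECT, frame rate 24.0 (8.8 fixed), one frame, End tag
    return b"\x00" + struct.pack("<HH", 0x1800, 1) + b"\x00\x00"


def make_fws(version=10):
    body = _swf_body()
    return b"FWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + body


def make_cws(version=10):
    body = _swf_body()
    return b"CWS" + bytes([version]) + struct.pack("<I", 8 + len(body)) + zlib.compress(body)


DECOY = b"CWS\x0a\x10\x00\x00\x00not-a-zlib-stream"  # looks like a header, is not Flash


def sample_container():
    """Constructed blob standing in for an extracted document stream."""
    return b"\x00" * 64 + DECOY + make_cws() + b"\xff" * 32 + make_fws() + b"tail"


if __name__ == "__main__":
    for hit in find_swf_objects(sample_container()):
        print(hit)
```

The decoy is the point of the verification step: signature matching alone produces false positives on any binary of reasonable size, while checking that the zlib stream decompresses to exactly the declared length (or that a plain FWS body actually fits in the file) leaves only real Flash objects for the analyst to open.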

48. August 26, Softpedia – (International) Zeus offspring distributed from compromised osCommerce sites. Security researchers warn that variants of a Zeus spin-off trojan called Ice-IX are being distributed from osCommerce Web sites compromised during a recent mass injection attack. The attack, targeting osCommerce installations vulnerable to a flaw that dates from November 2010, began at the end of July 2011. The code injection campaign escalated quickly: the number of infected pages jumped from 90,000 to over 3.8 million within a week, and to 8 million 2 weeks later. The code injected into the pages leads to externally hosted drive-by download exploits that target vulnerabilities in unpatched versions of Java, Adobe Reader, Internet Explorer, and Windows XP. If exploitation is successful, a trojan is installed on the victim’s computer. According to the Malware Domain List, a non-commercial community project that tracks malicious URLs, that trojan is now Ice-IX. Source:
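Item 48 describes injected code that points visitors to externally hosted exploit pages, which is also what a shop operator can look for: script or iframe references whose host is not one of the site’s own. The following is an added example, not code from the Malware Domain List or the researchers quoted, that walks a page with the standard-library HTML parser and reports foreign script and iframe sources, flagging the hidden iframes typical of drive-by redirects. The page and the host names in it are constructed.

```python
"""Added example (not from Malware Domain List or the researchers quoted):
find script/iframe references that a mass injection would leave in a shop's
pages, by comparing their hosts with the site's own. Sample HTML is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectedRefFinder(HTMLParser):
    """Collect <script src> and <iframe src> that load from foreign hosts."""

    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = {h.lower() for h in own_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname  # None for relative paths; set for http:, https: and //host
        if host is None or host.lower() in self.own_hosts:
            return
        style = a.get("style", "").replace(" ", "").lower()
        hidden = tag == "iframe" and (
            a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style
        )
        self.findings.append({
            "line": self.getpos()[0], "tag": tag, "host": host, "src": src, "hidden": hidden,
        })


def find_injected_refs(html, own_hosts):
    """Return the foreign script/iframe references found in html."""
    p = InjectedRefFinder(own_hosts)
    p.feed(html)
    p.close()
    return p.findings


# Constructed page: two legitimate includes, then the kind of additions an injection leaves behind
SAMPLE_PAGE = """<html><head>
<script src="/includes/general.js"></script>
<script src="https://static.shop.example/js/cart.js"></script>
</head><body>
<h1>Catalog</h1>
<iframe src="http://203.0.113.7/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<script src="//203.0.113.7/js.js"></script>
</body></html>"""


if __name__ == "__main__":
    for f in find_injected_refs(SAMPLE_PAGE, ["shop.example", "static.shop.example"]):
        print(f)
```

Run over the rendered pages (or the stored product descriptions, since osCommerce injections typically land in the database rather than in files), the allow-list should contain every host the shop legitimately loads from, including any CDN or payment widget, so that the remaining findings are the ones worth a look.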

49. August 25, Help Net Security – (International) Bogus emails delivering scanned documents carry malware. E-mails posing as scanned documents sent from a Xerox WorkCentre Pro photocopier are being sent out by malware peddlers, warns Sophos. This is not the first time that such e-mails have been delivered to inboxes around the world. In February, almost identical e-mails carried a booby-trapped PDF file as the attachment, meant to ultimately allow the installation of the information-stealing Zeus trojan. This time, the attached ZIP file carries a downloader trojan. Sophos does not mention whether the e-mail is sent from legitimate (but compromised) e-mail accounts known to the potential victims. If it is, this spam run could be very effective. Source:

50. August 25, Softpedia – (International) Remote UPnP scanner puts home routers at risk of abuse. A security specialist released a tool that is capable of launching attacks against home networking devices that support Universal Plug and Play (UPnP) on their WAN interfaces. He revealed that entire series of routers, cable modems, and other networking devices from big manufacturers are vulnerable to UPnP attacks over the Internet. The Universal Plug and Play technology was developed by Microsoft in 1999 as a solution for automated NAT traversal. It allows applications to discover network gateways automatically and ask them to forward traffic on specific ports back to the computers they are running on. The researcher found many home networking devices allow UPnP requests to be received on the WAN (Internet) interface, despite the technology having been designed primarily for LAN use. However, unlike LAN environments where multicast discovery is used, WAN UPnP traffic must target the exact URLs and ports hard-coded into each device. These are all built into the Umap scanning tool created and freely distributed by the researcher. According to H Security, the researcher claims to have identified over 150,000 potentially vulnerable devices in a short period of time by using Umap. The scanner is also capable of sending requests containing AddPortMapping or DeletePortMapping commands to the exposed UPnP interfaces. Source:
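Item 50 names the three pieces of the exchange: discovery (multicast SSDP on a LAN, or a guessed description URL on the WAN), the device description that tells a client where the WAN connection service’s control URL is, and SOAP calls such as AddPortMapping and DeletePortMapping against that URL. The following is an added example, not the researcher’s Umap tool, that does each step offline on constructed messages so the message formats can be seen without a live device. The SSDP reply, the device description, the 192.168.1.1 gateway address and the SOAP replies are all constructed; the service types, argument names and the 718 ConflictInMappingEntry error code are taken from the UPnP Internet Gateway Device specification.

```python
"""Added example (not the researcher's Umap tool): the UPnP IGD exchange from
the item, done offline on constructed messages: read the description location
from an SSDP reply, pull the WAN*Connection control URL out of the device
description, and build/parse the SOAP calls a scanner would send."""
import xml.etree.ElementTree as ET
from urllib.parse import urljoin
from xml.sax.saxutils import escape

DEVICE_NS = "urn:schemas-upnp-org:device-1-0"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WAN_SERVICES = (
    "urn:schemas-upnp-org:service:WANIPConnection:1",
    "urn:schemas-upnp-org:service:WANPPPConnection:1",
)


def parse_ssdp_reply(raw):
    """SSDP replies are HTTP-shaped text over UDP; LOCATION names the description XML.
    On a LAN this answers a multicast M-SEARCH; a WAN scanner skips discovery and
    requests known vendor description paths directly at the public address."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *rest = head.split("\r\n")
    headers = {}
    for line in rest:
        key, sep, value = line.partition(":")
        if sep:
            headers[key.strip().upper()] = value.strip()
    return status, headers


def wan_services(description_xml, description_url):
    """Absolute controlURL/SCPDURL for every WAN connection service in the device tree."""
    root = ET.fromstring(description_xml)
    ns = {"d": DEVICE_NS}
    base = root.findtext("d:URLBase", namespaces=ns) or description_url
    out = []
    for svc in root.iter(f"{{{DEVICE_NS}}}service"):
        stype = svc.findtext("d:serviceType", default="", namespaces=ns)
        if stype in WAN_SERVICES:
            out.append({
                "serviceType": stype,
                "controlURL": urljoin(base, svc.findtext("d:controlURL", default="", namespaces=ns)),
                "SCPDURL": urljoin(base, svc.findtext("d:SCPDURL", default="", namespaces=ns)),
            })
    return out


def soap_request(service_type, action, args):
    """Headers and body for one UPnP SOAP action; args is an ordered list of (name, value)."""
    fields = "".join(f"<{n}>{escape(str(v))}</{n}>" for n, v in args)
    body = (
        '<?xml version="1.0"?>'
        f'<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">'
        f'<s:Body><u:{action} xmlns:u="{service_type}">{fields}</u:{action}></s:Body></s:Envelope>'
    )
    headers = {"Content-Type": 'text/xml; charset="utf-8"', "SOAPAction": f'"{service_type}#{action}"'}
    return headers, body


def add_port_mapping(service_type, ext_port, proto, int_port, int_client, desc="demo", lease=0):
    return soap_request(service_type, "AddPortMapping", [
        ("NewRemoteHost", ""), ("NewExternalPort", ext_port), ("NewProtocol", proto),
        ("NewInternalPort", int_port), ("NewInternalClient", int_client),
        ("NewEnabled", 1), ("NewPortMappingDescription", desc), ("NewLeaseDuration", lease),
    ])


def delete_port_mapping(service_type, ext_port, proto):
    return soap_request(service_type, "DeletePortMapping", [
        ("NewRemoteHost", ""), ("NewExternalPort", ext_port), ("NewProtocol", proto),
    ])


def parse_soap_reply(xml_text):
    """('ok', {outArg: value}) for a success envelope, ('fault', code, text) for a UPnPError."""
    root = ET.fromstring(xml_text)
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    texts = {local(el): (el.text or "") for el in root.iter()}
    if "Fault" in texts:
        return "fault", int(texts.get("errorCode") or 0), texts.get("errorDescription", "")
    resp = root.find(f"{{{SOAP_NS}}}Body")[0]  # <u:ActionResponse> holding the out arguments
    return "ok", {local(el): (el.text or "") for el in resp}


# Constructed messages standing in for what a gateway would send
SSDP_REPLY = ("HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
              "LOCATION: http://192.168.1.1:1900/igd.xml\r\nSERVER: constructed/1.0 UPnP/1.0\r\n"
              "ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")
DESCRIPTION_XML = ('<?xml version="1.0"?><root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
    '<deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>'
    '<friendlyName>constructed gateway</friendlyName><deviceList><device>'
    '<deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType><deviceList><device>'
    '<deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType><serviceList><service>'
    '<serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>'
    '<serviceId>urn:upnp-org:serviceId:WANIPConn1</serviceId><controlURL>/upnp/control/WANIPConn1</controlURL>'
    '<eventSubURL>/upnp/event/WANIPConn1</eventSubURL><SCPDURL>/WANIPCn.xml</SCPDURL>'
    '</service></serviceList></device></deviceList></device></deviceList></device></root>')
FAULT_REPLY = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
    '<faultstring>UPnPError</faultstring><detail><UPnPError xmlns="urn:schemas-upnp-org:control-1-0">'
    '<errorCode>718</errorCode><errorDescription>ConflictInMappingEntry</errorDescription>'
    '</UPnPError></detail></s:Fault></s:Body></s:Envelope>')
OK_REPLY = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:GetExternalIPAddressResponse '
    'xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1"><NewExternalIPAddress>198.51.100.23'
    '</NewExternalIPAddress></u:GetExternalIPAddressResponse></s:Body></s:Envelope>')
```

Nothing here authenticates the caller: the control URL accepts AddPortMapping from whoever can reach it, which is exactly why a device that answers on its WAN address is a problem. The practical check for an operator is to request the description path and control URL from outside (the same hard-coded paths Umap uses) and to confirm that both fail; the fix is to disable UPnP or restrict it to the LAN interface.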

Communications Sector

51. August 26, WTVJ 6 Miami – (Florida) AT&T service down in south Florida again. For the second time this summer, South Florida AT&T customers could not reach out and touch anyone because their service was down. The wireless carrier said an equipment issue knocked out service to some customers August 26. “Some AT&T wireless customers from mid-Broward County south to Key West may not be able to make mobile-to-mobile calls or receive calls to their mobile from a landline due to an equipment issue,” a spokeswoman said. The outage impacts mobile broadband and 3G service only, she said. In June, customers were without service for more than 4 hours. Source:

52. August 25, Erie Times-News – (International) WQLN-TV to be off air over weekend. A transmitter damaged during a storm-related power outage August 25 has knocked WQLN-TV off the air until at least August 29, said the director of creative services for WQLN Public Media. The equipment failure blocked the broadcast signal from WQLN-TV August 25, interrupting local showings of “Curious George” and other programs. The director said technicians made several attempts to restore broadcasting before they determined the transmitter tube was damaged beyond repair. Technicians from the Axcera Corp., which manufactures the transmitter, are also expected to help with its installation, the director said. WQLN Radio broadcasts from a different transmitter and remains on the air, a spokesman said. WQLN airs on Time-Warner cable in Erie County and on Rogers Cable in southern Ontario. Source:

53. August 25, Maui Now – (Hawaii) Verizon wireless service restored after disruption. The Verizon Wireless outage reported on Maui August 25 was also felt by customers on Oahu, Kauai, and parts of the Big Island, according to the company’s media spokesperson for the region that includes Hawaii. The spokesperson said the network outage to voice and data services occurred when the company encountered unexpected issues with a software upgrade. “As soon as it was discovered, it was addressed by technicians,” she said. The network in Hawaii was 99 percent back to normal performance by 2:40 p.m., with full capacity anticipated shortly, according to the spokesperson. Customers on the Valley Isle told Maui Now that they experienced problems from as early as 6 a.m., with some wireless internet users reporting connectivity issues from August 24. Source:
