Thursday, January 20, 2011

Complete DHS Daily Report for January 20, 2011

Daily Report

Top Stories

• According to NBC News,, and Associated Press, an explosion in a gas main in northeast Philadelphia, Pennsylvania spawned a three-alarm fire that left one person dead and five injured and prompted evacuation of several dozen residents January 18. (See item 4)

4. January 19, NBC; and Associated Press – (Pennsylvania) Gas explosion rocks Philadelphia neighborhood. An explosion in a gas main in northeast Philadelphia, Pennsylvania spawned a three-alarm fire that left one person dead and five injured and prompted evacuation of several dozen residents. Fire dispatchers said a gas and water main break was reported at 6900 Torresdale Avenue in the Tacony neighborhood at about 7:19 p.m. January 18, and an explosion occurred at about 8:30 p.m. Dozens of people were evacuated from nearby homes and businesses, according to NBC Philadelphia. The cause of the blast was not immediately known. Authorities said the fire was brought under control just before 11 p.m. The executive fire chief told the Philadelphia Inquirer that the explosion set fire to at least two homes and a PGW truck. A water main also reportedly broke. Four other PGW employees and a firefighter were taken to nearby Torresdale Hospital, where a hospital spokeswoman said four were in critical condition. At least one had been transferred to a burn center. A PGW spokesman told the Inquirer that the injured firefighter was in stable condition. Source:

• The Spokane Spokesman-Review reports that an abandoned backpack found January 17 along the route of Spokane, Washington’s annual Martin Luther King Day march contained a bomb capable of inflicting “multiple casualties,” the FBI has confirmed. (See item 65)

65. January 18, Spokane Spokesman-Review – (Washington) Bomb found on Spokane parade route was lethal, FBI says. An abandoned backpack found January 17 along the route of Spokane, Washington’s annual Martin Luther King Day march contained a bomb capable of inflicting “multiple casualties,” the FBI has confirmed. The bureau’s terrorism task force is offering a $20,000 reward for information leading to the arrest and conviction of those responsible for planting the bomb. The FBI special agent in charge of the Spokane office would not discuss what specifically made the bomb so dangerous but said the investigation has become a top priority. “It definitely was, by all early analysis, a viable device that was very lethal and had the potential to inflict multiple casualties,” he said. “Clearly, the timing and placement of a device — secreted in a backpack — with the Martin Luther King parade is not coincidental. We are doing everything humanly possible to identify the individuals or individual who constructed and placed this device.” Two security sources told The Spokesman-Review they received a briefing suggesting the bomb was designed to detonate by a remote device, such as a keyless entry remote for a vehicle or a garage-door opener. The bomb apparently also had its own shrapnel that could have caused significant injuries to anyone near the blast. The bomb was discovered in a Swiss Army-brand backpack that was placed on a park bench at the northeast corner of North Washington Street and West Main Avenue. Two T-shirts were in the bag. One reads “Stevens County Relay For Life June 25th-26th 2010” and another shirt reads “Treasure Island Spring 2009.” The FBI is working with other federal agencies and virtually all local police agencies with the investigation as part of the Northwest Joint Terrorism Task Force. Source:


Banking and Finance Sector

23. January 19, Glendale News-Press – (California) The heat is on the ‘Cooler Bandit’. FBI officials said a man who allegedly tried to rob Wells Fargo Bank on Brand Boulevard in Glendale, California, January 14 may be the so-called ‘‘Cooler Bandit.” The unidentified robber entered the bank on the 500 block of North Brand Boulevard at 10:15 a.m., approached a teller and passed a demand note, police said. When the teller had trouble reading the writing, she left the booth to talk with a supervisor, so the robber told her to “give me the money,” FBI officials said. At that point, the man abandoned his plans and fled on foot. No one was injured and no cash was stolen, police said. Witnesses described the man as possibly being in his teens. A FBI spokeswoman said the man’s description fits that of the “Cooler Bandit” because of the lunch pail that he carries to store cash from every robbery. The bandit is known to have allegedly robbed banks in Industry and Marina del Rey, she added. The robber has been described as a young black or Latino man with a slender build, she said. Source:,0,4638054.story

24. January 18, eNews Park Forest – (Illinois) FBI says former Chicago hedge fund manager allegedly swindled more than $3.5 million from 48 victims in investment fraud scheme. A former Chicago, Illinois hedge fund manager was taken into federal custody January 18 after he turned himself in for allegedly engaging in an investment fraud scheme in which he swindled more than $3.5 million from approximately 48 victims who invested in funds he purported to operate. The defendant was charged with mail fraud in a criminal complaint filed in U.S. district court. The man obtained about $4.7 million from 48 high net worth investors since 2003 for purported managed futures trading accounts and a commodity pool investment. He provided about $1.1 million in investor redemptions, and allegedly lost roughly half of the total invested funds through trading, and misused most of the remaining funds for his own benefit. Most of the misappropriated funds were spent. Source:

25. January 17, Help Net Security – (International) Banking Trojan incorporates legitimate remote control software. An ESET researcher has recently received a sample of the Sheldor Trojan, which was found by Group-IB investigators while they were inspecting the systems of a major Russian company that fell prey to theft through unauthorized accounting transactions. This particular piece of malware incorporates the well-known TeamViewer remote control software, in order to allow the attacker to start a command shell on the compromised machine in order to control it, to toggle monitoring, to shut down Windows or to log off the user, and - if need be - to remove all traces of the bot. “The dropper installs a backdoor in %WINDIR% and runs as server in console mod,” the researcher explained. “One component of TeamViewer is modified in order to inject code into tv.dll, communicating through the administrative control panel.” In this case, the TeamViewer component was obviously use to circumvent additional authentication mechanism that some banks use. Source:

26. January 17, Help Net Security – (International) Toolkit merging Zeus and SpyEye already on the market. When the alleged Zeus-SpyEye merger became news last October, a lot of people wondered what new capabilities we could expect of this new toolkit. According to a McAfee analyst, the latest version of the SpyEye toolkit has seemingly been offered on sale on the black market: New or improved capabilities include: ZeuS killing, cookies and session cleaning, brute force password breaking, Jabber notification, VNC module, auto-spreading, auto-update, unique stub generator for FUD and evasion, and a new screenshot system — all for $800. There is no proof the offer is true, since the source code is not available for testing. The McAfee analyst casts a doubt on the veracity of the offer by comparing the price with one that was asked by the SpyEye maker from a buyer last November and reached $4,000 for the complete package. Source:

27. January 17, WMTV 15 Madison – (Wisconsin) Man robs Whitewater bank; claims to have bomb. Officers responded to a robbery January 14 at 7:26 p.m. at the Commercial Bank Westside Branch located in the Sentry Grocery Store at 1260 West Main Street in Whitewater, Wisconsin. The suspect robbed the bank of an undisclosed amount of money after he told the teller he had a bomb. The suspect was carrying a brown paper bag with a Sentry logo on it and a red computer type bag with black straps that contained two blue cylinders that the suspect proclaimed was a bomb. After robbing the teller, the suspect fled via the east entry/exit door. He is described as a male White or Hispanic, approximately 50 years old, 5 feet and 10 inches, 200 pounds, with a deep voice. He was wearing a blue fur lined ear flap hat, blue or black scarf, with a blue hoodie underneath, a tan Carhatt type coat, light colored blue jeans, and tan boots. At this point the robbery does not appear to match any other bank robberies in southeastern Wisconsin. Agents from the FBI are assisting Whitewater police in this investigation. Source:

28. January 14, Oklahoma City Oklahoman – (Oklahoma) FDIC warns of fake e-mails. The Federal Deposit Insurance Corporation (FDIC) is warning consumers of a fraudulent e-mail that appears to be from the FDIC. The fake e-mail says the agency “in cooperation with the Department of Homeland Security, federal, state and local governments” has withdrawn deposit insurance from the recipient’s account “due to account activity that violates the Patriot Act.” The e-mail also contains a link that the recipient is directed to use to verify identity and account information. However, the e-mail and link are bogus, the FDIC said. “It was not sent by the FDIC,” the agency said in a news release. “It is an attempt to obtain personal information from consumers. Financial institutions and consumers should not access the link provided within the body of the e-mail and should not under any circumstances provide any personal information through this media.” The FDIC said it is trying to identify the source of the e-mails, and advised consumers to report any similar attempts by sending information to Source:

Information Technology

56. January 19, Federal Bureau of Investigation – (International) Maryland man indicted for copyright infringement of commercial software programs. A federal grand jury indicted a Baltimore, Maryland man, age 30, January 18 for illegally reproducing and distributing over 100 copyrighted commercial software programs. “The illicit proceeds from counterfeiting are routinely used to support other criminal activities in the United States and around the world,” according to the Special Agent in Charge of Immigration and Customs Enforcement, Homeland Security Investigations in Baltimore. According to the one count indictment, from February 2004 to April 2008, the man infringed copyrights by reproducing and distributing over 100 copyrighted commercial software programs for which he received over $265,000. The copyrighted works are estimated to be worth millions of dollars. He allegedly advertised through his Internet Web site and sold infringing copyrighted commercial software at prices well below the suggested retail prices of legitimate, authorized copies of the software. The man used computers in Bel Air, Maryland, and other computers to contact and control his computer server. He is presently a fugitive and believed to be in Pakistan. Source:

57. January 18, H Security – (International) Sybase plugs holes in application server. A security update to EAServer from the SAP company Sybase closes two vulnerabilities that could be remotely exploited. According to the manufacturer’s report, attackers could exploit a directory traversal vulnerability to read arbitrary files on the server. Sybase states it would also be possible to install unauthorized Web services on EAServer, making it possible to gain control of the server. Updates are available to correct the problem on the affected versions of EAServer: 5.x and 6.x, on all supported platforms. Registered Sybase users can apply the updates through Sybase EBF’s after logging in to the EBF Download Area of the Sybase Web site or by downloading full versions from the Sybase Product Download Cente. Other products, such as Sybase Appeon 6.x, Sybase Replication Server 15.x and Sybase WorkSpace 2.x, are also affected as these include EAServer. Source:

58. January 17, eSecurity Planet – (International) Porn malware snares 2,500 victims. Trend Micro researchers report a Russian ransom worm that locks users out of their files has snared at least 2,500 victims. “The malware is identified by Trend Micro as Worm_Rixobot.A, which says it has been spreading in recent weeks using infected porn websites, instant messaging applications and even infected USB drives, hence its designation as a worm rather than a Trojan,” according to a writer for PCWorld. “After taking over a user’s PC, terminating a range of Windows and security programs and blocking access to websites, a splash screen demands that users pay the Russian ruble equivalent of $12 by texting a premium-rate SMS number in order to receive an unlock key,” he wrote. Source:

59. January 17, Gamasutra – (International) Hacker steals Frogster user data, threatens to shut down servers. An anonymous attacker claims to have stolen log-in data for 3.5 million Frogster accounts, threatening to release user information and shut down the game’s servers unless the publisher meets certain demands. In a now-deleted posting on Frogster’s message boards, captured by gaming blog Kotaku, a user with the handle Augustus87 demands the Berlin-based company stop closing forum threads, offer more transparency to customers, secure its game clients and user info, and cease its alleged spying of workers’ online activities. Augustus87 said if these demands are not met in 2 weeks, he will release information from a collection of 3.5 million accounts for Runes of Magic, Bounty Bay Online, TERA, and other free-to-play games from Frogster. He claims 500,000 of those accounts have been “hacked and verified” so far. Frogster said the data released so far comprises “outdated log-in data from 2007,” before its “comprehensive reset initiative.” The company has informed the German State Office of Criminal Investigation about the breach, and has formed a task force to determine how the incident occurred. Source:

60. January 17, Softpedia – (International) Critical security update released for Tor. The Tor Project has released version of its anonymization software to address several security issues including a critical vulnerability that can potentially result in arbitrary code execution. Identified as CVE-2011-0427, the critical flaw consists of a heap overflow bug which can be exploited remotely to crash the program and execute malicious code. Tor maintainers credit a researcher named “debuger” with reporting this issue that was also patched in the older branch. This new security update comes after a similar heap overflow vulnerability (CVE-2010-1676) was addressed in version a month ago. The new version also resolves a flaw with the zlib data compression library that can result in a denial-of-service condition (DoS). The release contains four other major bug fixes to prevent severe stability problems, as well as six minor ones in various components. Source:

Communications Sector

61. January 18, WSYR 9 Syracuse – (New York) Time Warner Cable says Digital Phone outages now fixed: the real deal. Almost twelve hours after the first reports of intermittent outages with their Digital Phone system throughout New York state, Time Warner Cable reports that regular service is now restored. A company spokesperson made the announcement January 18. The spokesperson had no details available about what caused the problem, but said the company’s first priority is making sure it does not happen again. Staff are continuing to investigate the cause of the outages. Time Warner Cable confirmed an intermittent problem impacting their Digital Phone customers. Some were not able to make or receive calls. The problems began around January 18. Source:

62. January 17, Softpedia – (National) cPanel vulnerability abused to misuse high profile domains. Spammers have exploited a cPanel vulnerability at a hosting company in order to abuse high profile domains belonging to educational, financial, and public institutions. The compromises began in April 2010 at Hostmonster, an Utah-based hosting company owned by Bluehost, and lasted until earlier this month. Bluehost co-founder told Krebs on Security that an attacker exploited the vulnerability to create rogue subdomains on dozens of domain names hosted by the company. The subdomains pointed to pages used in black hat search engine optimization (BHSEO) campaigns to poison search results. This method involves creating pages filled with keywords for a particular search topic, a technique referred to as keyword stuffing, on domains with a solid PageRank. According to Krebs on Security, the affected domains included, a financial institution in Nebraska;, the U.S. Senate Whitewater Committee’s investigative tax accountant;, the Army of the Dominican Republic;, the Sacramento Metropolitan Fire District, and, The Wright Institute. The spammer was able to create subdomains between April and July 2010, when the company addressed the security issue, but they remained online until recently. Cloud security vendor Zscaler recently warned about a wave of hijacked domains including .EDU and .GOV ones that were abused to promote online pirated software stores. Source:

Wednesday, January 19, 2011

Complete DHS Daily Report for January 19, 2011

Daily Report

Top Stories

• Framingham MetroWest Daily News reports a chemical explosion January 17 at the Spectrum Microwave building in Marlborough, Massachusetts, sent about 20 employees to the hospital. (See item 13)

13. January 18, Framingham MetroWest Daily News – (Massachusetts) Marlborough chemical explosion sends 20 to hospital. A chemical explosion January 17 at the Spectrum Microwave building in Marlborough, Massachusetts, sent about 20 employees to the hospital. The fire department said it appears a plastic drum with a 20- to 30-gallon capacity apparently ruptured under pressure, causing the explosion at 400 Nickerson Road. The explosion shot the chemicals around the laboratory, but the fire chief said he believes the incident was contained to the lab. The pressure from the explosion knocked over other drums in the lab, but none of them appear to have leaked, he said. There was no fire. There were some employees in the laboratory, but none were injured by the drums. About 50 people were nearby. Six people were taken to Marlborough Hospital and 12 people were taken to Worcester hospitals as a precaution. Patriot Ambulance assisted with the process, sending five of its ambulances to the building. Firefighters evacuated the building after the 7 a.m. incident and took employees next door to 200 Nickerson Road. The building was expected to reopen January 18. Spectrum’s products are used in the aerospace, defense, and communications industries. Source:

• A former New York commodities trader is facing charges he made repeated death threats against 47 employees of the U.S. Commodities Futures Trading Commission, according to the Associated Press. (See item 48)

48. January 14, Associated Press – (New York; National) Feds: NY man threatened US regulators. A former New York commodities trader is facing charges he made repeated death threats against federal regulators. The suspect from Long Beach, New York is accused of threatening 47 employees of the U.S. Commodities Futures Trading Commission (CFTC) and other agencies. Prosecutors said he also posted a $100,000 reward on his Web site seeking personal information about several government officials. A criminal complaint said the threats followed a CFTC civil enforcement lawsuit filed against the man. The complaint alleged the suspect has been the subject of various disciplinary proceedings. The suspect was arrested January 13 and ordered held without bail during an initial court appearance January 14 in federal court in Central Islip, New York. Source:


Banking and Finance Sector

14. January 18, Infosecurity – (International) Ex-banker gives WikiLeaks data on 2,000 private Swiss bank accounts. A Swiss banker handed over two discs of data to WikiLeaks, which could contain evidence of tax evasion and criminal activity committed by prominent people, BBC reports said. The banker will go on trial for breaking bank secrecy laws. In a statement, the bank told the BBC: “Evidently disgruntled and frustrated about unfulfilled career aspirations, the banker exhibited behavior that was detrimental and unacceptable for the bank, which led to termination of the employment relationship.” Authorities in the United States are reportedly urging government agencies to set up programs to identify disgruntled employees who might leak sensitive information. The move comes after whistle-blowing Web site WikiLeaks published thousands of leaked diplomatic cables. Twitter was recently issued with a subpoena by the government to release the personal details of people connected to WikiLeaks. The bank account data is expected to appear on WikiLeaks. Source:

15. January 16, Middle East Media Research Institute – (International) Jihadi cleric Anwar al-Awlaki to jihadists living in the West: Obtain money by any means possible, especially from the U.S. government and its citizens. In a new fatwa issued in the lead article of the fourth issue of Inspire magazine, which was published January 16, a Yemeni-American jihadi cleric encourages jihadists living in the West to assist the financing of jihadi activities through any means possible, including theft, embezzlement, and seizure of property. The U.S. government, and U.S. citizens are singled out as prime targets for these acts. Following are the main points and excerpts from the article: In an attempt to deal with the cash-shortage jihadist groups are facing, the cleric gives religious justification to any actions used by jihadists to obtain money. In the article, titled “The Ruling on Dispossessing the Disbelievers’ Wealth in Dar Al-Harb,” the cleric deals with the issue by ruling that Western countries are considered dar al-harb [the territory of war], countries on which the rules of war apply. Since this is the case, the cleric says Muslims living in the West are not bound by any laws or contracts that prohibit them to harm their countries of residence: “It is the consensus of our scholars that the property of the disbelievers in dar al-harb is halal [permissible] for the Muslims and is a legitimate target for the mujahidin.” Source:

16. January 15, WSMV 4 Nashville – (Tennessee) Suspected bank robber arrested in Smyrna. Police in Smyrna, Tennessee, and the FBI said they have arrested a man they believe may be linked the three holdups at the Ascend Credit Union, at 2:05 p.m. January 15. Police said the suspect was arrested, without incident, at a North Lamar Road home just outside the Smyrna city limits. The suspect is currently being charged under federal indictment for one count of armed robbery at the Ascend Federal Credit Union on Nissan Boulevard in Smyrna. Investigators said the suspect is linked to three robberies at the bank: one in January and two in December. Source:

17. January 14, Pasadena Star-News – (California) Man suspected of leaving explosive device near Arcadia bank in custody. A 23-year-old man was in custody January 14 after he entered Foothills Middle School in Arcadia, California. He was asked to leave by school officials and then left what appeared to be a “homemade explosive device” near a Foothill Boulevard bank, school district and police officials said. The 23-year-old suspect was booked on suspicion of possession of an explosive device, an Arcadia police spokesman said. The Bank of America, the McDonald’s, and a strip mall parking lot on Foothill Avenue were among the areas evacuated for a few hours until the Los Angeles County Sheriff’s Department Bomb Squad successfully detonated the device in the early afternoon. Traffic was also blocked with police cars between First and Second Avenues during this time. Source:

18. January 14, Greeley Tribune – (Colorado) Greeley couple arrested, accused of four bank robberies. A woman arrested for her involvement in six northern Colorado robberies in the past month that netted more than $11,000, told police she and her boyfriend “deserved” the money because they had a tough life. The 20-year-old female suspect and her 22-year-old boyfriend both told police they also spent much of their stolen money on heroin. In appearances in Weld District Court January 15, the male’s bond was set at $400,000 and the female suspect’s at $210,000. The Weld District Attorney has until 3:30 p.m. January 19 to formally charge them. According to court affidavits, the female suspect told investigators that no one was hurt in the robberies, because the gun was not loaded and her boyfriend “was only stealing from the government or the FDIC.” The couple was arrested January 13 after a bank teller at the Credit Union of Colorado placed the money in the robber’s bag, along with an electronic device that enabled police to track the stolen cash. Source:

Information Technology

54. January 18, BBC News – (International) Facebook U-turns on phone and address data sharing. Facebook appears to have decided to allow external Web sites to see users’ addresses and mobile phone numbers. Security experts said such a system would be ripe for exploitation from rogue app developers. The feature has been put on “temporary hold,” the social networking firm said in its developers blog. It said it needed to find a more robust way to make sure users know what information they are handing over. “Over the weekend [January 15 and 16], we got some useful feedback that we could make people more clearly aware of when they are granting access to this data. We agree, and are making changes to help ensure you only share this information when you intend to do so,” the firm said. The updates would be launched “in the next few weeks,” it added and the feature will be suspended in the meantime. Source:

55. January 18, IDG News Service – (International) Third-party apps remains security weak point. Microsoft is still burdened with a bad reputation among users for security, although figures show its products are more secure than most on a person’s computer, according to new data from the Danish security vendor Secunia. The number of vulnerabilities in software commonly found on PCs shot up by 71 percent between 2009 and 2010, mostly due to problems in third-party applications rather than in the Windows OS or Microsoft apps, said a research analyst director for Secunia. The company released its annual vulnerability report January 18. For its report, Secunia used data from its Personal Software Inspector application, which analyzes PCs to see if the installed programs have the latest patches. Source:

56. January 18, Help Net Security – (International) ICQ’s critical flaw allows attackers to serve malicious software update. ICQ — the popular instant messaging application — has a gaping security hole that can allow attackers to execute malicious code on the targeted system, a researcher said. The flaw affects the application’s automatic update mechanism, and affects all versions of ICQ 7 for Windows up to the latest one. The problem is the application does not verify the identity of the update server or the origin of updates through digital signatures or similar means. “By impersonating the update server (think DNS spoofing), an attacker can act as an update server of its own and deliver arbitrary files that are executed on the next launch of the ICQ client,” explained the researcher in a BugTraq post. “Since ICQ is automatically launched right after booting Windows by default and it checks for updates on every start, it can be attacked very reliably.” He even developed (and published) a PoC ICQ update builder and shared step-by-step instructions on how to run a HTTP server to serve the malicious updates. Since there is no way to switch off the automatic updating mechanism, the researcher advises users to stop using the application until a fix is issued. Source:

57. January 18, Help Net Security – (International) Multiple vulnerabilities in Cisco IOS. Some vulnerabilities have been reported in Cisco IOS, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to cause a DoS, according to Secunia. Vulnerabilities include: an error when processing certain IRC traffic can be exploited to cause a device reload by accessing an IRC channel within 36 hours of a reload; an error in the CME (Communication Manager Express) component when handling a SNR number change menu from an extension mobility phone can be exploited to crash the device; a memory leak when processing UDP SIP REGISTER packets can be exploited to exhaust memory resources via a specially crafted SIP packet; an error in the PKI implementation does not clear the public key cache for the peers when the certificate map is changed (this can be exploited to reconnect and bypass the certificate ban); and a memory fragmentation error in the CME (Communication Manager Express) component when handling SIP TRUNK traffic can be exploited to exhaust memory resources via specially crafted SIP packets. As a solution, users are asked to update to Cisco IOS version 15.0(1)XA5. Source:

58. January 18, Help Net Security – (International) Vulnerabilities in the Boonana Trojan increase the danger. First spotted almost 3 months ago, the Boonana Trojan stood out because of its capability to infect computers running Windows, and machines running Mac OS X. The Trojan nestled itself in the system, and allowed outside access to all files on it. It also seems it has vulnerabilities that can be exploited by other attackers to collect information about the system or — according to a Symantec researcher — even be used to create a completely functional parallel botnet or takeover of the existing one. The Boonana bots are designed to take part of a P2P network and to communicate with each other via a custom-designed communication protocol. Apart from making the identification of infected hosts on a particular IP range almost trivial, the P2P protocol also contains an information-disclosure vulnerability that can be used to detect which operating system the computer is running. According to Symantec, in December 2010, 84 percent of infected systems were running Windows, and 16 percent were running a version of OS X. Source:

59. January 14, H Security – (International) SCADA exploit - the dragon awakes. The recent publication of an exploit for KingView, a software package for visualizing industrial process control systems, appears to be having an effect. Threatpost reports that the Chinese vendor Wellintech and Chinese CERT (CN-CERT) have now reacted. The exploit can be used to remotely gain control of a system. In an e-mail to Threatpost, CN-CERT admits it was caught napping when initially notified of the vulnerability by the developer and US-CERT. It was not until November that a further e-mail from US-CERT alerted it to the presence of the vulnerability and led it to rediscover the earlier e-mails sent in September. In November, CN-CERT informed the vendor Wellintech, which is reported to have released a patch December 15 — without, however, informing CN-CERT of the fact and apparently without updating the version available to download from its Web site. A general bug report has now found its way into CN-CERT’s database and the vendor has released a patched library. The man who discovered the KingView vulnerabilities, complains on his blog that neither the vendor nor CN-CERT have provided any details of the vulnerability, thereby leaving customers in the dark over the risks it presents. CN-CERT is now planning to review its procedures to ensure it does not miss such e-mails in future and to ensure better contact with vendors while problems are being resolved. Source:

60. January 14, IDG News Service – (International) Oracle plans to release 66 patches on Tuesday. Oracle is planning to release 66 security patches January 18 that affect hundreds of products, according to a notice on its Web site. A number of the patches are for vulnerabilities that meet the most serious risk level under the Common Vulnerability Scoring System, Oracle said. Products affected include Oracle Audit Vault, JRockit, Solaris, and WebLogic Server. Six of the patches fix vulnerabilities in Oracle’s flagship database. Two of the bugs can be exploited remotely without a user name or password. Sixteen patches target Oracle middleware products. Twelve of those vulnerabilities allow for remote exploitation without authentication, Oracle said. Other fixes are aimed at Oracle’s Enterprise Manager, PeopleSoft, JD Edwards, Glassfish,and OpenOffice. Oracle is also set to release patches for Java SE and Java for Business in February. Source:

61. January 13, Forbes – (International) Web security cams are a voyeur’s delight: Is your IP cam password protected? Web security cameras can be insecure, a researcher from Ars Technica found. The researcher took a spin around the Web checking out live feeds from cameras focused on a number of commercial locations. He was even able to tap into police cameras monitoring an intersection in Texas. In most instances, these cameras were not meant to be offering live video for public consumption. Within the surveillance community, many are turning from closed-circuit/analog cameras to Internet protocol (IP) cameras. While IP cameras are cheaper to install, they can also be easy to locate and to hack into if they are not properly protected. “Finding IP cameras with Google is surprisingly easy,” the researcher noted. “Though the information the search engine provides on the cameras themselves is typically little more than an IP address and a camera name or model number, Google still provides those who know how to ask with extensive lists of IP cameras and Web-enabled surveillance systems throughout the world.” Source:

For another story, see item 63 below in the Communications Sector

Communications Sector

62. January 18, Daytona Beach News-Journal – (Florida) Vandals knock radio station off air. A Daytona Beach, Florida radio station on the air since 1947 was silenced for more than 20 hours after vandals broke into a transmitting tower and smashed expensive equipment, owners of WROD 1340 AM said. Daytona Beach police and the FBI are investigating. The vandalism was discovered at 5:30 p.m. January 16, said the owner and general manager of the station. He said vandals cut a lock at the gated tower at Beach and Wilder streets. They broke into a locked box. The intruders dropped a rock on a device called an antennae tuning unit. Police did not provide any information on the crime January 17. The owner said he was able to fix the damage and put the station back on the air at 2 p.m. January 17. Source:

63. January 18, IDG News Service – (National) Criminal charges filed against AT&T iPad attackers. The U.S. Department of Justice (DOJ) will file criminal charges against the alleged attackers who copied personal information from the AT&T network of approximately 120,000 iPad users, the U.S. Attorney’s Office, District of New Jersey announced January 17. A suspect will be charged in U.S. District Court in New Jersey with one count of conspiracy to access a computer without authorization and one count of fraud. Another suspect will be charged with the same counts at the U.S. Western District Court of Arkansas. The second suspect made headlines last June when he discovered that AT&T’s Web site was disclosing the e-mail addresses and the unique ICC-ID numbers of multiple iPad owners. Claiming he wanted to help AT&T improve its security, he wrote a computer script to extract the data from AT&T and then went public with the information. AT&T said nobody from the hacking group contacted it about the flaw. The hacker was arrested January 18 at an Arkansas courthouse, where he had been facing drug possession charges. Those charges have now been dropped. Source:

64. January 13, Ada Evening News – (Oklahoma) 105.5 station temporarily off air. Radio station 105.5FM, known locally as “the X Factor” was temporarily off the air due to a significant malfunction at the top of its 300-foot tower located in Lula, Oklahoma. The general manager reported the problem was the result of an electrical malfunction which damaged much of the transmission line. If the 300-foot transmission line on the tower has to be replaced, the station could be off the air for up to 2 weeks. “We are doing everything possible to effect repairs as quickly as possible,” he said. “The delays are associated with finding qualified tower crews as there are fewer and fewer people who do this kind of work.” The radio station was purchased 2 years ago by the Chickasaw Nation and serves a 40-mile-radius area including Ada, Lula, Coalgate, McAlester, and south toward Durant. Source:

Tuesday, January 18, 2011

Complete DHS Daily Report for January 18, 2011

Daily Report

Top Stories

• The New York Daily News reports a drowsy traveler set off a scare at LaGuardia Airport in Queens, New York when he dozed off in a restricted area and was found by security 4 hours later, sources said. (See item 20)

20. January 14, New York Daily News – (New York) Sleepy flyer catches some shut eye in LaGuardia Airport terminal, security doesn’t notice. A drowsy traveler set off a scare at LaGuardia Airport in Queens, New York January 13 when he dozed off in a restricted area and was found by security 4 hours later, sources said. The traveler’s Southwest Airlines flight from Chicago landed at LaGuardia at about 11:30 p.m. January 12, sources said. Instead of leaving the terminal, the passenger, a 24-year-old medical student, fell asleep in the waiting area near Gate B1. Private security from AirTran Airways and officers from the federal Transportation Security Administration (TSA) failed to detect the sleeping passenger during two security sweeps, sources said. After the sweeps were done, TSA closed the concourse for the night, sources said. The passenger was undisturbed for 4 more hours, until a TSA supervisor toured the area at about 3:30 a.m. January 13 as staff prepared to reopen Terminal B. “It was a big surprise to find a guy sleeping there; not a good thing, you can imagine,” a source said. TSA staff called Port Authority police, who sent K-9 teams to search the area to make sure no one else was in the restricted area. The passenger was questioned and sent on his way. Source:

• According to the Contra Costa Times, a California State University, Northridge student who threatened several people on campus was charged with two felonies after police found a shotgun and explosive materials in his room. (See item 47)

47. January 13, Contra Costa Times – (California) Cal State Northridge student charged after officials find explosives, shotgun in his dormroom. A California State University, Northridge (CSUN) student who threatened several people at the Los Angeles instittution is facing two felony charges after police found a shotgun and explosives materials in his on-campus dorm room, according to officials. The 22-year-old suspect allegedly made threats to students and staff on campus and was taken into custody for mental health evaluation January 11, the chief of CSUN police said. Police arrested the suspect January 12 and he is currently in county jail in lieu of a $150,000 bond, according to inmate records. No injuries were reported. The suspect is no longer enrolled at the university and had no previous reported problems at the school, the chief said. He is charged with possession of ingredients to make a destructive device and bringing a firearm onto a school campus, according to the Los Angeles County District Attorney’s Office. The suspect is set to appear in court for arraignment January 14 at San Fernando Superior Court. Source:


Banking and Finance Sector

13. January 14, Waterbury Republican-American – (Connecticut) Bank evacuated for reported gas odor. Northwest Community Bank’s New Hartford, Connecticut branch was evacuated January 13 after employees reported an odor of gas. Firefighters converged on the scene about 10 a.m., and found elevated levels of carbon monoxide that were traced to a malfunctioning furnace. A fire official said no one was seriously hurt, though one member of the bank staff was transported to Winsted Health Center as a precaution. Four staff members declined medical attention. There were no customers in the bank when firefighters arrived, the fire official said. Canton firefighters were called to assist providing a ladder truck that allowed firefighters to get to the snow-covered roof and verify that all of the exhaust vents were clear of snow and ice. The fire official said a bank maintenance worker identified the furnace malfunction as the source, and was working on repairs as firefighters packed up just before noon. The bank was expected to reopen once the problem was corrected. Source:

14. January 14, eNews Park Forest – (Illinois) Six defendants indicted in alleged $15 million mortgage fraud scheme involving more than 40 residences in Chicago area. Six defendants were indicted January 12 on federal charges alleging they participated in a $15 million mortgage fraud scheme involving more than 40 residential properties located in Chicago, Illinois and its south suburbs, federal law enforcement officials announced January 12. The defendants include two licensed realtors and a licensed loan officer who bought and sold homes, recruited others to act as residential purchasers, and allegedly caused various financial institutions to lose approximately $4.5 million on mortgage loans that were not repaid by the borrowers or fully recovered through subsequent foreclosure sales. Source:

15. January 14, Softpedia – (International) FDIC phishing emails scare users with Patriot Act violations. The Federal Deposit Insurance Corporation (FDIC) warns users about an ongoing phishing campaign which produces fake e-mails purporting to come from the organization. “The e-mail informs the recipient that ‘in cooperation with the Department of Homeland Security, federal, state and local governments…’ the FDIC has withdrawn deposit insurance from the recipient’s account ‘due to account activity that violates the Patriot Act’,” the FDIC explains in its alert. Recipients are asked to verify their account information through a system called “IDVerify,” otherwise risk account termination. The link to the ID verification system provided in the e-mail takes users to a phishing page that asks them for personal and financial information. FDIC also notes that malicious software may be loaded onto the recipient’s computer, but does not specify if this is done transparently, in a drive-by download attack, or requires interaction from the user. At least one obank has reiterated FDIC’s alert and is warning their customers about the phishing scam, which, apparently, is not entirely new. Source:

16. January 13, Seattle Post-Intelligencer – (Washington) Suspected ‘Mrs. Doubtfire’ robber arrested. The suspected “Mrs. Doubtfire robber” — a dowdily dressed woman suspected in 10 bank robberies — was arrested the week of January 10 shortly after an 11th robbery in Kent, Washington, the FBI said January 13. A FBI Special Agent said the woman was identified by bank employees and other witnesses and arrested by Kent police officers January 11. An Alaska USA Federal Credit Union had just been robbed, and the woman was in the process of leaving the scene when arrested. A 53-year-old Des Moines, Washington resident, the woman will initially face a charge in the latest robbery at 10201 S.E. 240th St. in Kent, the FBI agent said. But investigators suspect her involvement in 10 other bank robberies in Seattle, Edmonds, Burien, Kirkland, and Des Moines since April 2010. In each case, the suspect worked alone and passed a demand note, the FBI agent said. She showed no weapon, but claimed to have had one in at least one case. Source:

17. January 13, KMGH 7 Denver – (Colorado) Bank robber escapes in teller’s car. A bank robber took more than money at a bank in Lakewood, Colorado January 13 — he escaped in a teller’s car. Authorities said a white man entered the TCF Bank at 12053 W. Alameda Ave. sometime around 9 a.m. and gave a teller a note claiming to have a gun and demanding money. The man took the teller’s keys and her car, a 1991 green or turquoise Honda Accord. Police said the license plate number on the car was 632 VVU. It was last seen going east on Sixth Avenue at Federal Boulevard. The only description of the man released was that he was wearing white, was unshaven, and was wearing glasses and a green beanie. The FBI’s Safe Streets Task Force has taken over the investigation. The teller’s car has not been located. Source:

18. January 13, KXTV 10 Sacremento – (California) Highway 12 in Lockeford reopens. A San Joaquin County sheriff’s bomb squad has given the all-clear after checking a possibly suspicious item dropped by a bank robber in Lockeford, California, January 13. Authorities cordoned off Highway 12 for the investigation and evacuated Bank of the West at 13299 E. Highway 12, and several neighboring businesses as a precaution. According to a spokesman with the sheriff’s department, the item was left by the bank robber who entered the bank about 9:30 a.m., ordered a teller to give him money which he took and then walked out. No weapon was seen and no one was hurt. The bomb squad sent in a robot to examine the dropped item, which the robber indicated may be an explosive device, a witness said. The sheriff’s department said the item was possibly a computer bag or purse, maybe taken from another robbery. It was destroyed. The robber was described as white, 50 to 60 years of age, and “scruffy,” the spokesman said. Source:

For another story, see item 51 below in the Information Technology Sector

Information Technology

51. January 14, Softpedia – (International) First toolkit resulting from ZeuS-SpyEye merger hits the underground market. Security researchers from McAfee warned the first crimware toolkit to result from the ZeuS-SpyEye merger is now available for purchase on the underground market. Earlier in 2011, the security community was surprised to hear rumors ZeuS and SpyEye, two rival threats in the cybercriminal world, would be joined together under a single developer. This unexpected turn of events was supposedly the result of the ZeuS author’s intention to retire from the malware-writing scene after a successful run. The new “SpyEye / ZS Builder” was released January 11, which is a SpyEye version enhanced with some of ZeuS’ functionality. New features include brute force password guessing, Jabber notification, VNC module, auto-spreading, auto-update, unique stub generation, and an enhanced screenshot system. The builder is much cheaper than ZeuS used to be. The basic version without VNC (remote desktop) and ability to inject code into Firefox pages costs $300, while the price for the full version is $800. Source:

52. January 14, Help Net Security – (International) Ransomware continues to pose a threat. Symantec warns against attackers using ransomware. This type of malware blocks access to computers and then asks users to pay for having that privilege returned. Some ransomware locks the computer’s desktop and asks the user to send a text message to to a premium rate number to receive back a code that will restore access to the system. Other ransomware adds to that a change of the desktop background image, which contains the request for money, instructions on how and where to send it, and an embarrassing pornographic image that makes the user less willing to ask for technical help. There is also ransomware that encrypts user files and holds them ransom. Sometimes the encryption key is stored on the computer and the user can decrypt the files if he knows where to look for it, but other times the files are lost for good because there is no guarantee the criminals will send the key to decrypt them even if the victim sends the money. Some ransomware does not even allow the operating system to boot. Source:

53. January 13, Softpedia – (International) RIM fixes vulnerabilities in BlackBerry OS and BlackBerry Enterprise Server. Research In Motion has released security updates for BlackBerry OS and the BlackBerry Enterprise Server (BES) software in order to address two moderate and high risk vulnerabilities. The vulnerability affecting BlackBerry devices consists of a denial of service condition that can crash the browser application. It affects BlackBerry Device Software versions earlier than 6.0.0 and can be exploited by tricking users to visit a maliciously crafted Web page. The vulnerability has a score of 5.0 on the CVSS scale, which equates to a moderate risk because the DoS condition is only partial. Meanwhile, the vulnerability patched in the BES is critical and caries a CVSS base score of 9.3 out of 10. It stems from a buffer overflow error in the Attachment Service of the portable document format (PDF) distiller component. Exploitation involves tricking a user to open a specially crafted PDF file. Source:

For another story, see item 15 above in the Banking and Finance Sector

Communications Sector

54. January 13, Ontario Inland Valley Daily Bulletin – (California) Cell tower catches fire, nearby buildings evacuated. A fire station and a post office had to be evacuated January 13 after a nearby cell phone tower caught fire in Rancho Cucamonga, California. Firefighters at Station 171, 6627 Amethyst Ave., reported the blaze about 10:20 a.m. after seeing smoke and flames coming from the top of the tower. About 35 firefighters put out the blaze by 11:20 a.m., the acting battalion chief for the Rancho Cucamonga Fire Department said. No injuries were reported and the cause of the fire has not been determined. The fire station and the neighboring post office at 6649 Amethyst Ave. were evacuated when officials saw the potential for danger. “We were worried the tower would collapse into the fire station and post office,” the chief said. The tower did not fall and evacuees were eventually allowed back into the buildings. BCI Communications West employees were working on the tower when it caught fire. Upland and San Bernardino County fire departments assisted in fighting the blaze. Source: