Monday, February 28, 2011

Complete DHS Daily Report for February 28, 2011

Daily Report

Top Stories

• Oil industry documents filed with the federal government reveal that an accidental release of a lethal chemical used in 50 aging refineries across the country could prove devastating, with 16 million Americans living within range of toxic plumes that could spread for miles, ABC News and Center for Public Integrity reported February 24. (See item 2)

2. February 24, ABC News and Center for Public Integrity – (National) Hydrofluoric acid risk at oil refineries. Oil industry documents filed with the federal government reveal that an accidental release of a lethal chemical used in 50 aging refineries across the country could prove devastating, with 16 million Americans living within range of toxic plumes that could spread for miles. Los Angeles, Philadelphia, Minneapolis, New Orleans, and the stretch of Texas coastline known as “Refinery Row” are among the at-risk areas cited in the documents. Citing homeland security concerns, the government keeps the industry filings under close guard in Washington, D.C. They were reviewed as part of a joint investigation by ABC News and the Center for Public Integrity. According to the industry’s worst-case scenario documents, a release of the chemical could endanger entire communities. Even though one-third of the oil refineries in the United States are using the chemical, a spokesman told ABC News that the industry has long avoided demands from safety advocates and from the union that represents refinery workers that it explore safer options. Officials at the U.S. Chemical Safety Board have warned that while the refinery industry has been painting a rosy picture of the conditions at their facilities, it has compiled a disconcerting track record. As the nation’s 150 refineries have aged, there have been an increasing number of fatal, or near-fatal, incidents. Source:

• According to Killeen Daily Herald, the city of Killeen, Texas, advised its residents to avoid Nolan Creek until February 28 because a mechanical failure at a lift station February 22 sent about 298,000 gallons of wastewater pouring into the creek. (See item 32)

32. February 24, Killeen Daily Herald – (Texas) Residents told to avoid part of contaminated Nolan Creek. A mechanical failure at lift station 1 sent about 298,000 gallons of wastewater pouring into the Nolan Creek, in Killeen, Texas, February 22. Two days later, the city advised its residents to avoid the creek until February 28. The Drainage Utility Project engineer said a large buildup of grease was found in the lift station and has been a problem in the past, but did not confirm the cause of the spill. Four manholes also discharged sewage, affecting one business at the intersection of 38th and Water streets. Source:


Banking and Finance Sector

16. February 24, Softpedia – (National) FTC files complaint against SMS spammer. The Federal Trade Commission filed a complaint against a man from Huntington Beach, California, alleging that he is responsible for sending millions of SMS spam messages. According to the complaint, during a 40-day period alone, the defendant sent over 5.5 million unsolicited commercial text messages at a rate of 85 per minute. The FTC claims the messages deceptively advertised loan modification assistance, debt relief and other services. In one instance, recipients were directed to, a site claiming to provide “Official Home Loan Modification and Audit Assistance Information.” This type of activity can cost people money because some wireless carriers charge fees for receiving text messages. In addition, the suspect is accused of selling the contact information of consumers to marketers, claiming they are debt settlement leads. The alleged spammer is also said to have sent unsolicited email messages that promoted his SMS spamming services. The FTC charges the suspect with violations of the FTC Act and the CAN-SPAM Act, the law that governs the sending of commercial emails. He also failed to include an “opt-out” option. Source:

17. February 23, Contra Costa Times – (California) Orinda robbery suspect arrested in San Francisco. A man suspected in a February 4 armed robbery of an Orinda, California, bank has been arrested in San Francisco, police said February 22. San Francisco police arrested the 51-year-old February 8 on a drug charge. He is one of two men suspected of robbing the First Republic Bank on Brookwood Road. The men left the bank with an undisclosed amount of cash, a police official said, and their getaway car was later found abandoned. Orinda police officers interviewed Smith in San Francisco, and the FBI has taken over the case because of his possible involvement in other robberies. Source:

18. February 22, Federal Bureau of Investigation – (New York) Business owner pleads guilty to securities fraud. A 46-year-old New York man pleaded guilty February 22 to one count of securities fraud. The guilty plea was entered in United States District Court in Syracuse, New York. Sentencing is set for July 7, 2011 in Albany, New York. The man faces a maximum term of up to 20 years in prison. As part of his guilty plea the man admitted that, from 2002 through 2010 he was the founder, owner, and sole managing member of Prime Rate and Return, LLC and American Integrity Financial Co. Neither Prime Rate nor American Integrity was registered in any capacity with the Securities and Exchange Commission (SEC). He also admitted that he solicited and received money from investors as a representative of American Integrity. He offered and sold investors contracts with American Integrity, which American Integrity promised to pay a “guaranteed” fixed rate of interest on the initial investment. These contracts were for a fixed term, usually three years, after which the investor could either withdraw his or her investment or roll the investment over into another fixed term with a fixed rate of return. He offered rates of return that varied from investor to investor and ranged from 3.85 percent to 9.35 percent annually. Source:

Information Technology

45. February 25, Softpedia – (International) Removal of NIC-hijacking malware leads to network connection problems. Researchers from security vendor Bkis warn that removal of a trojan which intercepts network traffic can leave the computer isolated from the network and the Internet. The reason lies in the trojan’s routine, which involves creating virtual network adapters using the names of existing ones and adding the “-” character at the end. Bkis detects this threat as W32.Ndisvan.Trojan and says its purpose is to filter data passing through network controllers, download additional malware and evade antivirus detection. The rogue network adapters created by the trojan use a driver called “ndisvvan.sys,” which tries to pose as the Windows NDISWAN Miniport Driver, ndiswan.sys. A Bkis senior malware researcher notes that by removing the rogue ndisvvan.sys, the network filter driver chain is broken and data can no longer reach the real network adapter. Because of this the computer will appear to have no network connection, and attempting a normal local area connection repair will not resolve the problem. Source:
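The two impersonation patterns the item describes (an adapter named after an existing one with a trailing “-”, and a driver file named to look like ndiswan.sys) can be checked for in an exported adapter inventory. The script below is an added example written for this digest; it is not Bkis code or a Windows tool, and it only reports findings rather than removing anything, since the item notes that deleting ndisvvan.sys by itself breaks the filter driver chain. The inventory, the placeholder driver names (vendor_nic.sys, vendor_wifi.sys) and the list of legitimate driver names to compare against are constructed assumptions; only ndiswan.sys and ndisvvan.sys come from the report. The lookalike test goes slightly beyond the report by also folding common glyph swaps (“vv” for “w”, “rn” for “m”) and single-character typos into the comparison.

```python
"""Flag network adapters and filter drivers whose names impersonate legitimate ones.

Added example, not Bkis code. It runs over a constructed inventory of the kind an
administrator could export from a Windows host (adapter display name plus the
file name of the driver backing it).
"""
from dataclasses import dataclass

# Legitimate driver file names to compare against. ndiswan.sys is the one named
# in the report; extending this set from a clean reference host is an assumption.
KNOWN_DRIVERS = {"ndiswan.sys"}

# Character sequences that look like another character in common UI fonts.
GLYPH_SWAPS = (("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"))


@dataclass(frozen=True)
class Adapter:
    name: str    # display name as shown in the network connections list
    driver: str  # file name of the driver backing the adapter


def normalize(name: str) -> str:
    """Lowercase a name and fold glyph lookalikes so 'ndisvvan' compares equal to 'ndiswan'."""
    s = name.lower()
    for pair, single in GLYPH_SWAPS:
        s = s.replace(pair, single)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character typos such as a doubled letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def find_rogue_adapters(adapters):
    """Adapters whose display name is another adapter's name plus a trailing '-'."""
    names = {a.name for a in adapters}
    return [a for a in adapters if a.name.endswith("-") and a.name[:-1] in names]


def find_lookalike_drivers(adapters, known=frozenset(KNOWN_DRIVERS)):
    """(adapter, impersonated_driver) pairs for drivers that mimic a known one.

    A driver is a lookalike when it is not itself a known name but either folds
    to the same string as a known name or is a single edit away from one.
    """
    hits = []
    for a in adapters:
        d = a.driver.lower()
        if d in known:
            continue
        for k in known:
            if normalize(d) == normalize(k) or edit_distance(d, k) == 1:
                hits.append((a, k))
                break
    return hits


def audit(adapters):
    """Human-readable findings for both checks, in inventory order."""
    findings = []
    for a in find_rogue_adapters(adapters):
        findings.append(f"rogue adapter name: {a.name!r} shadows {a.name[:-1]!r}")
    for a, k in find_lookalike_drivers(adapters):
        findings.append(f"lookalike driver: {a.driver!r} on {a.name!r} mimics {k!r}")
    return findings


# Constructed inventory. The rogue entry mirrors the behaviour described in the
# report; the other driver file names are placeholders, not real driver names.
SAMPLE_INVENTORY = [
    Adapter("Local Area Connection", "vendor_nic.sys"),
    Adapter("Local Area Connection-", "ndisvvan.sys"),
    Adapter("Wireless Network Connection", "vendor_wifi.sys"),
    Adapter("WAN Miniport (PPTP)", "ndiswan.sys"),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY):
        print(line)
```

Run against a real export, the script only narrows the list to entries worth looking at; the trailing-“-” rule is exact, while the driver rule is a heuristic that will also flag honest near-matches and should be confirmed against the driver’s signature and path before anything is changed.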

46. February 25, Help Net Security – (International) Failure to invest in secure software a major risk. Failure to take software security seriously is putting organizations, brands and people at risk, according to a report by Creative Intellect Consulting. Key highlights from the report included: key software security and quality processes are not being followed; managers are jeopardizing secure software delivery, but they are not alone; there is a clear mandate for better education and training that cannot be ignored; a mentality exists to invest in what people already know; and compliance and regulation are key drivers. Source:

47. February 24, The Register – (International) Thunderbolt: A new way to hack Macs. The 10Gbit/s interconnect Apple introduced February 24 in a new line of MacBook Pros may contain the same security weakness that for years has accompanied another Mac innovation: the FireWire port. Like FireWire, the Intel-designed Thunderbolt is based on a peer-to-peer design that assigns blind trust to any device that connects through the bi-directional, dual-channel interface. According to the CEO of security consultancy Errata Security, that gives attackers yet another weakness to exploit when targeting machines that offer the interconnect. “Imagine that you are at a conference,” the security expert writes. “You innocently attach your DisplayPort to a projector to show your presentation on the big screen. Unknown to you, while giving your presentation, the projector is downloading the entire contents of your hard disk.” Such attacks rarely work on USB ports because they are based on a “master-slave” design. That means the computer has full access to the attached device but the attached device has limited access to the computer. FireWire and now Thunderbolt, by contrast, have full access to a Mac’s entire memory. Source:

48. February 22, The Register – (International) Site to highlight social networks’ security soft spots. Security researchers have set up a site designed to prod social networking Web sites into practicing what they preach about web security., which aims to publish details of security vulnerabilities on Web 2.0 sites such as Xing or Facebook, was set up the weekend of February 19 by security researchers frustrated with a lack of response from sites about the problems they discovered. Many of the vulnerabilities unearthed fall into the category of cross-site scripting vulnerabilities, some of which (in the case of bugs on Xing and, for example) have already been fixed. Separately, an insecure script on Facebook creates a mechanism for making more convincing phishing attacks. This bug remains live, warns. The German-based team behind the website, who wish to remain anonymous, want to push vendors into becoming more responsible about security bugs. As a first step they want Web 2.0 sites to establish a security-related contact form, and to allow submission of confidential security-related problems via encrypted e-mail. Source:

Communications Sector

Nothing to report

Friday, February 25, 2011

Complete DHS Daily Report for February 25, 2011

Daily Report

Top Stories

• According to Bloomberg, computer hackers working through Internet servers in China broke into and stole proprietary data from the networks of six U.S. and European energy companies, including Exxon Mobil Corp., Royal Dutch Shell Plc and BP Plc. (See item 3)

3. February 24, Bloomberg – (National) Exxon, Shell, BP said to have been hacked through Chinese internet servers. Computer hackers working through Internet servers in China broke into and stole proprietary information from the networks of six U.S. and European energy companies, February 10, including Exxon Mobil Corp., Royal Dutch Shell Plc and BP Plc, according to one of the companies and investigators who spoke about the incident February 23. The attacks, dubbed “Night Dragon,” originated “primarily in China” and occurred during the past 3 years. The list of companies hit also includes Marathon Oil, ConocoPhillips, and Baker Hughes Inc. In some of the cases, hackers had undetected access to company networks for more than 1 year, said the chief executive officer of HBGary Inc., a cyber-security company that investigated some of the security breaches. “Legal information, information on deals and financial information are all things that appear to be targeted,” the CEO said, summing up conclusions his firm drew from the types of documents and persons targeted by the hackers. “This is straight up industrial espionage.” Hackers targeted computerized topographical maps worth “millions of dollars” that show locations of potential oil reserves, said an InGuardians Inc. employee, whose company investigated two recent breaches of U.S. oil companies’ networks. McAfee Inc., a cyber-security firm, reported February 10 that such attacks had resulted in the loss of “project-financing information with regard to oil and gas field bids and operations.” The McAfee report described the techniques used to get into the computers as “unsophisticated” and commonly used by Chinese hackers. The attacks began in November 2009, McAfee said. Two cyber investigators familiar with the probes said the attacks began even earlier, in 2008, and involved several well-financed groups. A former head of U.S. counterintelligence during the Bush and Obama administrations said the thefts of oil company data like those in the McAfee report match the profile of industrial espionage operations that have the backing or consent of the Chinese government. Source:

• The Dallas Morning News reports a 20-year-old Saudi Arabian national was arrested by the FBI in Lubbock, Texas, for plotting to carry out terrorist attacks against dams, nuclear power plants, and the home of a former U.S. President. (See item 28)

28. February 24, Dallas Morning News – (Texas; Colorado; California) FBI: Lubbock college student from Saudi Arabia targeted Bush’s Dallas home in bombing plot. A 20-year-old Saudi Arabian national arrested by the FBI in Lubbock, Texas, for allegedly plotting to carry out terrorist attacks, also allegedly targeted the Dallas home of the 43rd U.S. President, documents show. The Saudi citizen was arrested February 23 and was scheduled to appear before a federal judge in Lubbock February 25. Agents also found lists of various targets, including reservoir dams in Colorado and California, and nuclear power plants. According to an arrest warrant affidavit, FBI agents learned of the man’s alleged plotting February 1, when a chemical supplier reported a suspicious attempted purchase of concentrated phenol. Phenol can be used to make explosives. The suspect had successfully purchased concentrated nitric and sulfuric acids in December. He also allegedly purchased many other items, including a gas mask, a haz-mat suit, a soldering iron kit, glass beakers and flasks, wiring, a stun gun, clocks, and a battery tester. A spokesman said the terrorism investigation is ongoing, but “the federal complaint contains no allegations that he received direction from or was under the control of a foreign terrorist organization. We are confident that we have eliminated the alleged threat by [the accused],” he said. The suspect was lawfully admitted into the United States in 2008 on a student visa, and is enrolled at South Plains College near Lubbock. In online blog entries agents found, the man allegedly wrote of his plans to carry out violent jihad, or holy war, in the United States. The affidavit also alleged he conducted research indicating he considered using infant dolls to conceal explosives, and considered targeting a nightclub with an explosive concealed in a backpack. A search of his Lubbock residence revealed a journal, which showed he had allegedly been plotting for years. Source:


Banking and Finance Sector

10. February 24, WGHP 8 Sophia – (North Carolina) ‘Ball cap bandit’ wanted in 3 Triad bank robberies. Detectives in High Point and Thomasville in North Carolina believe a man labeled the “Ball Cap Bandit” by the FBI is responsible for robbing 3 local banks over the past 2 weeks. Detectives with High Point Police Department and Thomasville Police Department believe the suspect who robbed the High Point Bank and Trust on Eastchester Drive might be the same suspect that robbed the BB&T on Randolph Street in Thomasville, and the State Employees’ Credit Union in Asheboro. The suspect in all three robberies is described as a white male, approximately 50 years old, short, about 150 lbs and with a “scruffy” beard. The suspect was reportedly wearing blue jeans, a light green or blue jacket, tan colored camouflage hat, and sunglasses. Source:,0,2436322.story

11. February 24, Bucks County Courier Times – (Pennsylvania) Man charged in bank robberies. A Bensalem, Pennsylvania man is in jail on a $1 million bail, accused of robbing two Bucks County banks February 18 and February 19, netting him more than $26,000. The suspect was arraigned February 23 in connection with the robberies at the TD Bank at 624 S. Oxford Valley Road in Bristol Township February 18, and the Bank of America at 381 Easton Road in Warrington February 19, according to court documents. In both robberies, investigators said the suspect asked for a withdrawal slip and wrote on it that he wanted money, then he handed the note to the teller. Source:

12. February 23, H Security – (International) Online banking trojan attacks Windows Mobile smartphones. According to reports from F-Secure and Kaspersky, fraudsters are using a special trojan for smartphones to target users who use mTANs for online banking. As well as a Symbian version, there is now a version which specifically targets Windows Mobile. It uses the same trick as the September 2010 wave of trojans which targeted Symbian mobiles. After infecting a PC, the Zeus trojan displays additional fields on online banking Web sites, into which the victim is requested to enter the number and make of his or her mobile phone. The victim then receives a text containing a URL for what claims to be a certificate update. After installation, this turns out to be a trojan which secretly forwards texts containing mTANs to a phone number in the United Kingdom. Source:

13. February 23, New Orleans Times-Picayune – (Louisiana) Credit card fraud investigation leads to four arrests. An organized group of 16 suspects illegally acquired more than $250,000 in goods by taking credit cards from more than 100 people, a Louisiana State Police (LSP) superintendent said February 23. Individuals in the French Quarter and Central Business District of New Orleans have been the primary target of the bandits, whose reach extended far beyond the area, a LSP spokesman said. Four of the 16 suspects have been arrested. Warrants have been issued for the others. Two of the people arrested are charged with access device fraud. The other two arrested are charged with attempted access device fraud. All four suspects live in New Orleans. A task force of members of the LSP, the New Orleans Police Department, and the U.S. Secret Service has been investigating the organized group. Police said the 16 suspects shared stolen cards with each other. Source:

14. February 23, IDG News – (International) Belarus man pleads guilty to running identity theft site. A 26-year-old Belarusian man entered a guilty plea February 23 to running an identity theft Web site designed to thwart the antifraud measures used by many banks. Until he was arrested in April 2010, the man had been the mastermind behind CallService(dot)biz, a Web site that helped more than 2,000 identity thieves commit fraud. CallService employed a network of English and German speakers who would call up banks, pretending to be ID theft victims, and confirm fraudulent transactions rung up by the criminals. This enabled them to skirt antifraud measures put in place by many U.S. banks, which often ask cardholders to phone in to confirm suspicious transactions. The man would make sure his callers were the correct gender, and then tell them exactly what to say to ensure the bogus purchases went through. He’d give his callers a dossier on the victim, including the name, e-mail address, Social Security number and answers to security questions such as “What city were you married in?” and “What is the name of your oldest sibling?” In online advertisements, CallService(dot)biz claimed to have done over 5,400 of these confirmation calls. The suspect faces a maximum sentence of nearly 38 years in prison on wire and credit card fraud charges, and is set to be sentenced May 26. Source:

Information Technology

37. February 24, The Register – (International) Man admits hacking into NASA, e-commerce servers. A man from Houston, Texas, has admitted hacking into servers owned by an e-commerce company and making off with about $275,000. The man also admitted to charges of breaking into servers maintained by NASA’s Goddard Space Flight Center in Maryland and causing $43,000 in damages. The hacking spree spanned a 10-month stretch starting in December 2008 with the breach of systems owned by SWReg. A subsidiary of Digital River of Minnesota, the company manages royalties for independent software developers. “[The man] hacked into SWReg’s system, created the money by crediting the SWReg accounts, and then caused that money to be wire transferred to his bank account instead of the accounts of several developers,” a press release issued by the U.S. Attorney’s office in Minnesota said. The NASA servers the man hacked gave paying members of the scientific community access to oceanic data being sent to Earth from satellites. Eventually, the data was made available to everyone. Source:

38. February 24, H Security – (International) The unintended kill switch in BIND. The developers of the BIND server software have warned of a security problem that could prevent DNS servers from responding to requests. This is a serious problem, as many of the central DNS servers on the Internet use BIND, and hardly anything works without domain name resolution. However, the developers said no public exploits have so far been found. A domain’s master servers are vulnerable while they are performing an incremental zone transfer (a type of DNS zone transfer) or a dynamic update. The relevant security advisory lists versions 9.7.1 through 9.7.2-P3 as being affected. Source:

39. February 24, Help Net Security – (International) Malware-driven pervasive memory scraping. Reports are coming in of a new trend in hacking techniques. Known as “pervasive memory scraping,” the technique relies on the fact that certain areas of Windows memory are only occasionally overwritten, meaning data from software that has been closed down on the PC can still remain for some time afterwards. “The SANS Institute is reported to have spotted evidence of this type of attack methodology on an increasing basis. This means that, where a Windows PC user loads a secure application to view data, views that data and then closes the application, there is a chance that the data may continue to reside in the computer’s memory for some time after,” the CEO of Lieberman Software said. “Put simply, this means that, even if the secure software checks for the presence of trojans and similar credential scanning malware — and locks down the malware whilst it is loaded — once the application is closed, the contents of the computer memory can still be subsequently lifted by a remote scanning piece of malcode,” he added. Source:

40. February 24, The Register – (International) Security shocker: Android apps send private data in clear. Cellphones running the Android operating system fail to encrypt data sent to and from Facebook and Google Calendar, shortcomings that could jeopardize hundreds of millions of users’ privacy, a computer scientist said. In a simple exercise for his security class, a professor at Rice University in Houston, Texas, connected a packet sniffer to his network and observed the traffic sent to and from his Android handset when he used various apps available for Google’s mobile platform. The official Facebook app transmitted everything except for the password in the clear, the professor blogged February 22. This meant that all private messages, photo uploads, and other transactions were visible to eavesdroppers, even though the account had been configured to use Facebook’s recently unveiled always-on SSL encryption setting to prevent snooping over insecure networks. Google Calendar showed a similar carelessness in the experiment by also sending and receiving data in the clear. That makes it possible for hackers to see users’ schedules when the service is accessed on unsecured networks. Source:

41. February 24, Softpedia – (International) Fake YouTube pages serve trojan via malicious Java applets. Security researchers from antivirus vendor BitDefender warn of scams that make use of fake YouTube pages to install trojans via a malicious Java applet. The scammers worked to make the pages look as close as possible to the real YouTube Web site. When visitors land on these rogue sites, a Java applet is launched automatically and they are prompted to run it. The dialog appears because the applet is unsigned, and since Java is rarely used for mainstream Web services, users unfamiliar with it might be tempted to hit “run” to see the video they have been promised. The applet uses the Java OpenConnection method to download and execute a trojan. The malware has botnet capabilities and connects to an IRC server from which it receives commands. It is mainly used as a distribution platform for additional threats. Among those seen by BitDefender is a trojan that can use the Facebook accounts of its victims to send spam and record conversations from the most popular IM clients. There is also a worm with DDoS capabilities that can spread via removable USB drives, and a click fraud trojan that hijacks searches performed in Firefox, Internet Explorer, and Chrome on Google or Bing. Source:

42. February 23, IDG News Service – (International) Microsoft fixes a security bug in its virus-scanner. Microsoft has patched a bug in its malware scanning engine that could be used as a stepping stone for an attacker looking to seize control of a Windows box. The bug is fixed in an update to the Microsoft Malware Protection Engine that was pushed out to users of Microsoft’s security products February 23. The bug is classified as an elevation of privilege vulnerability — something that could be used by an attacker who already has access to the Windows system to gain complete administrative control. Microsoft has not seen anyone take advantage of the bug yet, but the company thinks hackers could develop code that reliably exploits the issue. Source:

Communications Sector

44. February 24, – (Missouri) Apartments evacuated when active meth lab found. Several families in Springfield, Missouri, were evacuated February 24 after an active meth lab was discovered outside their apartments. A police spokesman said officers were called about 1 a.m. to the 600 block of South Jefferson, just west of the Missouri State University campus. They found the components of a working meth lab behind a garage in the yard of the apartments. People living in several apartments were evacuated as haz-mat crews and the fire department arrived. They said the lab was reacting and there was a high risk of explosion. Springfield police said they did not have any suspects yet. Source:

45. February 23, Associated Press – (Florida) Officer shoots man reportedly wielding knife. A police officer in South Florida shot a man reportedly wielding a knife inside Luther Memorial Lutheran Church February 23. Someone in the church called authorities for help saying a man with a knife was inside a classroom. Authorities said an officer who feared for his life shot the man once in the torso. The man was taken to a hospital. His condition was not known. Source:

46. February 23, New England Cable News – (Massachusetts) Police search for suspects in Lynn home-made bomb plot. Four home-made bombs went off in Lynn, Massachusetts, February 21, and now police are looking for those responsible. The one bomb police did manage to recover was 5 inches long, and had the strength of a stick of dynamite. Police believe as many as three other bombs have yet to be found. All the bombs went off within a span of about 15 minutes of each other. Lynn police and fire departments are working on the case along with the state fire marshal’s office. Source:

47. February 23, Computerworld – (Kansas) Hacker claims credit for knocking church’s site offline. A Twitter message February 21 suggested a self-proclaimed “hacktivist” using the handle The Jester may have been responsible for knocking the Topeka, Kansas-based Westboro Baptist Church (WBC) offline. In the message, the hacker claimed to have temporarily taken down the public Web site of the church “for celebrating the death of U.S. troops.” The message, however, made no direct mention of whether The Jester (atth3j35t3r on Twitter) was also responsible for the unavailability February 23 of several other Web sites affiliated with the WBC. The week of February 14, someone purporting to be from the hacking collective known as Anonymous posted a letter on an Anonymous site, warning WBC members of attacks against their church’s public Web sites if they did not stop their protests. That letter was later dismissed as a hoax by Anonymous. All of the church’s sites were unavailable February 23. Source:

48. February 22, Orange County Register – (California) Object used in GPS treasure hunt closes Downtown Disney. Downtown Disney in Anaheim, California, was reopened after about 90 minutes February 22 following a report of a suspicious object that turned out to be part of a high-tech treasure hunt. An Anaheim police sergeant said police received a call of a suspicious object in Downtown Disney at 11:07 a.m. Assisted by Disney security, the object was located on a box on a walking bridge east of the ESPN Zone and west of the House of Blues, and the Orange County Sheriff’s Department Bomb Squad was called. A Disneyland Resort spokeswoman said about half of the shops and restaurants in Downtown Disney were evacuated at 11:30 a.m. At 12:38 p.m., the sergeant said the object was discovered to be a “geocaching” site, a location for high-tech scavenger hunters, who use GPS devices to find objects left at specific locations. Source: