Tuesday, March 29, 2011

Complete DHS Daily Report for March 29, 2011

Daily Report

Top Stories

• North American steelmakers were scrambling to find sources of calcium carbide in the wake of a devastating March 21 explosion at Carbide Industries LLC, one of two U.S. producers of the essential product. (See item 12)

12. March 27, Metal Bulletin – (International) Carbide Industries blast puts supply in question. North American steelmakers were scrambling to find sources of calcium carbide in the wake of a fatal explosion at Carbide Industries LLC in Louisville, Kentucky. The March 21 blast killed two employees and injured two others. The company continues to investigate the cause of the explosion, which occurred in a furnace producing calcium carbide, used by steelmakers as a desulfurizing agent. The explosion leaves Carbide Industries unable to supply its customers, and with only one other U.S. producer of calcium carbide, Central Carbide LLC of Pryor, Oklahoma, North American steel producers are left short of supply. Source: http://www.metalbulletin.com/Article/2795336/AMM-Carbide-Industries-blast-puts-supply-in-question.html

• A major wildfire that damaged some aerospace businesses, and burned a few hundred acres near Bob Sikes Airport in Crestview, Florida, was contained March 25. (See item 16)

16. March 25, Florida Freedom Newspapers – (Florida) Wildfire threatens homes, businesses in Crestview. A major wildfire that threatened businesses at Bob Sikes Airport and homes in nearby subdivisions in Crestview, Florida, March 24 was contained as of March 25. All businesses on Adora Teal Way near the airport were evacuated, but firefighters kept the blaze from causing significant damage to buildings. Area residents were prepared to evacuate, and traffic was blocked on John Givens Road, which serves the airport and businesses there, as firetrucks rushed in. The fire started about 1:30 p.m. A transformer near the EJM Aerospace building exploded with a loud blast about 1:50 p.m. Firefighters from Crestview, Dorcas, Holt, Almarante, Freeport, Argyle, Liberty, North Bay, Baker, Fort Walton Beach, Ocean City-Wright, Niceville, Harold, and Eglin Air Force Base responded to help the North Okaloosa Fire District, which initially coordinated the battle against the blaze. As the fire spread to surrounding woods and residential areas, Okaloosa County’s emergency task force was summoned and command was turned over to the Florida Division of Forestry. The North Okaloosa fire chief said the fire burned 200 to 250 acres. He said the first fire started in a grassy field off Adora Teal Road. The fire spread and jumped around the airport as high winds blew burning embers. Flames ignited behind the EJM Aerospace building on John Givens Road, which was being used by Qwest Air Parts as a warehouse, a BAE Systems employee said. Employees of airport tenants, including BAE, NEW Corp., and nonessential personnel at L-3 Crestview Aerospace were evacuated. Representatives with Emerald Coast Aviation, the airport’s fixed-base operator, said the runway was closed during the fire. At one point the fire approached to within 75 yards of a small diesel fuel storage tank at the airport. The division of forestry was investigating the cause of the fire. The center manager for the Blackwater Forestry Center said a preliminary investigation indicated the fire was started by someone, but it was unclear whether it was intentional or accidental. Source: http://www.newsherald.com/news/threatens-92143-wildfire-businesses.html

Banking and Finance Sector

18. March 26, Salt Lake Tribune – (Utah; National) SEC: Ponzi scheme was run through payday loan company. A Hyde Park, Utah man has been accused in federal court of orchestrating a Ponzi scheme under the guise of an online payday loan company. The Securities and Exchange Commission (SEC) March 25 filed a complaint in U.S. District Court against a 58-year-old man and his businesses, Logan-based Impact Cash and Impact Payment Systems. SEC alleged that between March 2006 and September 2010, more than $47 million was raised from 120 investors who were promised lavish returns for funding payday loans. About $4 million of that allegedly was raised for equity investments in the companies, while the rest came from investors who agreed to provide capital to the companies for payday loans. But the suspect diverted funds for personal use and outside business ventures, SEC alleged. He also used the money from new investors to pay off profits to initial investors, the complaint states. He built the scam through recruiting investors at trade shows, attending payday loan conferences and employing salespeople to recruit potential investors, the complaint states. Under pressure from investors, the man admitted to a family member who had invested in the companies that he had misappropriated funds, overpaid some investors, and compromised Impact Cash and Impact Payment Systems, according to the complaint. SEC is accusing the man of employment of a scheme to defraud, fraud in the offer and sale of securities, fraud in connection with the purchase and sale of securities, offer and sale of unregistered securities, and sale of securities by an unregistered broker. Source: http://www.sltrib.com/sltrib/money/51503972-79/investors-clark-complaint-payday.html.csp

19. March 25, Los Angeles Times – (International) 5 convicted in international bank fraud scheme. Five people were convicted March 25 in connection with an international scheme to defraud American banks using fake Web sites and spam e-mails, according to the U.S. attorney’s office. More than 40 others have already been convicted in the case. According to authorities, Egypt-based hackers collected bank account numbers and other personal information from customers and used them to break into American accounts. They worked with partners in the United States to transfer money out of those accounts, authorities said. Bank customers were tricked into giving up their personal information by bogus bank Web sites set up to appear legitimate using bank logos and legal disclaimers. Source: http://latimesblogs.latimes.com/lanow/2011/03/5-convicted-in-international-bank-fraud-scheme.html

20. March 25, Las Vegas Sun – (National) Leader of anti-government group pleads guilty to money laundering. The national leader of an anti-government movement pleaded guilty to charges of conspiracy and money laundering, Nevada’s U.S. attorney said March 25. The 56-year-old Council, Idaho man pleaded guilty to one count of conspiracy to commit money laundering, and 30 counts of money laundering. The man, who faces up to 20 years in prison and a fine of $250,000 on each count, will be sentenced June 24. According to a plea agreement, the man and an accomplice allegedly laundered $1.3 million for undercover FBI agents in 2008 and 2009. The agents told the men the funds were proceeds from a bank fraud scheme, specifically the theft and forgery of stolen official bank checks. The men allegedly laundered the money through a trust account controlled by one of the men and through an account of a purported religious organization controlled by the other. The men took about $74,000 and $22,000, respectively, in fees for their money laundering services, officials said. The man who pleaded guilty March 25 was arrested with three other members of the anti-government Sovereign Movement in May 2010 after a 3-year investigation by the Nevada Joint Terrorism Task Force. According to the U.S. Department of Justice, the Sovereign Movement is an anti-government organization whose members seek to overthrow the government through “paper terrorism” tactics, intimidation, harassment, and violence. Source: http://www.lasvegassun.com/news/2011/mar/25/leader-anti-government-group-pleads-guilty-money-l/

Information Technology

49. March 28, IDG News Service – (International) MySQL Web site falls victim to SQL injection attack. Oracle’s MySQL.com customer Web site was compromised the weekend of March 26 and 27 by a pair of hackers who publicly posted usernames and, in some cases, passwords of the site’s users. Taking credit for the hack were “TinKode” and “Ne0h,” who wrote that it resulted from a SQL injection attack. The vulnerable domains were listed as www.mysql.com, www.mysql.fr, www.mysql.de, www.mysql.it and www-jp.mysql.com. According to a post on the Full Disclosure mailing list March 27, MySQL.com ran a variety of internal databases on an Apache Web server. The information posted included a raft of password hashes, some of which have since been cracked. Among the credentials in the dump posted on Pastebin were passwords for a number of MySQL database users on the server, and the admin passwords for the corporate blogs of two former MySQL employees. Source: http://www.computerworld.com/s/article/9215249/MySQL_Web_site_falls_victim_to_SQL_injection_attack

50. March 28, Softpedia – (International) Anonymous launches new DDoS attack against RIAA. The Anonymous hacktivist collective has launched new distributed denial-of-service (DDoS) attacks against the Recording Industry Association of America (RIAA), after the trade group sued LimeWire. LimeWire was discontinued last October after RIAA won a permanent injunction forcing its creator, Lime Wire LLC, to disable the program’s searching, downloading, uploading, file trading, and/or all of its functionality. Earlier in March, on behalf of music labels, RIAA filed a statutory damage claim of $150,000 for each of the 11,000 songs illegally shared by LimeWire users. RIAA’s request was rejected by a judge of the U.S. District Court for the Southern District of New York. Despite RIAA’s request being denied, the Anonymous collective mounted a DDoS attack against the trade association’s Web site. Source: http://news.softpedia.com/news/Anonymous-Launches-New-DDoS-Attack-Against-RIAA-191581.shtml

51. March 27, Computerworld – (International) Solo Iranian hacker takes credit for Comodo certificate attack. A solo Iranian hacker March 26 claimed responsibility for obtaining fraudulent SSL certificates for several Web sites, including Google, Microsoft, Skype, and Yahoo. Early reaction from security experts was mixed, with some believing the hacker’s claim, while others were dubious. During the week of March 21, conjecture had focused on a state-sponsored attack, perhaps funded or conducted by the Iranian government, that compromised a certificate reseller (registration authority) affiliated with U.S.-based Comodo. Comodo acknowledged the attack March 23, saying that 8 days earlier, on March 15, the attackers had used the reseller’s access to obtain 9 fraudulent certificates for the log-on sites of Microsoft’s Hotmail, Google’s Gmail, the Internet phone and chat service Skype, and Yahoo Mail. A certificate for Mozilla’s Firefox add-on site was also acquired. Because the certificates chain to a root that browsers already trust, they validate without any warning on a client that has not received the browser vendors’ revocation updates; an attacker who can also redirect a victim’s DNS can then stand up a convincing fake log-on site. Comodo’s CEO said the week of March 21 that circumstantial evidence pointed to a state-backed attack, and claimed the Iranian government was probably behind it. He based his opinion on the fact that only Iran’s government, which could tamper with the country’s domain name system to funnel traffic through fake sites secured by the fraudulent certificates, would benefit. Source: http://www.computerworld.com/s/article/9215245/Solo_Iranian_hacker_takes_credit_for_Comodo_certificate_attack
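A client-side check that catches the scenario the Comodo CEO describes, as an added example in Python (not code from Comodo, Google or any browser): the client pins the SHA-256 of the SubjectPublicKeyInfo (SPKI) it expects for a given host and refuses a chain that validates to a trusted root but contains none of the pinned keys. Certificate parsing is left out; the SPKI values and the pin set below are constructed stand-ins, not the real keys.

```python
"""Public-key pinning as an extra gate on top of ordinary chain validation.
Added example; the SPKI byte strings and pin set are constructed, not real."""
import base64
import hashlib


def spki_pin(spki_der):
    """Pin = base64(SHA-256(DER SubjectPublicKeyInfo)), the HPKP-style form."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


# Constructed SPKIs (assumed values). GOOGLE_KEY_* stand for the keys the real
# site uses; ATTACKER_KEY is the key inside a fraudulently issued certificate.
GOOGLE_KEY_CURRENT = b"constructed-spki-google-current"
GOOGLE_KEY_BACKUP = b"constructed-spki-google-backup"
PUBLIC_CA_KEY = b"constructed-spki-trusted-public-ca"
ATTACKER_KEY = b"constructed-spki-attacker-key"

# Hosts this client pins (assumed). Each entry carries a current key and a
# backup key so a planned key rotation does not lock users out.
PINS = {
    "mail.google.com": {spki_pin(GOOGLE_KEY_CURRENT), spki_pin(GOOGLE_KEY_BACKUP)},
}


def chain_passes_pins(host, chain_spkis, chain_validated_by_ca):
    """Decide whether to accept a TLS chain for `host`.

    chain_spkis: SPKI DER of every certificate in the presented chain, leaf first.
    chain_validated_by_ca: result of ordinary path validation against the
    trust store. Pinning never replaces that step; it only adds a condition.
    Returns (accepted, reason)."""
    if not chain_validated_by_ca:
        return False, "chain failed ordinary path validation"
    pins = PINS.get(host)
    if pins is None:
        return True, "host not pinned; trust store decides"
    if any(spki_pin(spki) in pins for spki in chain_spkis):
        return True, "pin matched"
    # The Comodo case: a real, trusted CA signed the chain, but none of the
    # keys in it is one the site owner ever published, so the client refuses.
    return False, "trusted CA, but no certificate in the chain matches a pin for this host"


if __name__ == "__main__":
    print(chain_passes_pins("mail.google.com", [GOOGLE_KEY_CURRENT, PUBLIC_CA_KEY], True))
    print(chain_passes_pins("mail.google.com", [ATTACKER_KEY, PUBLIC_CA_KEY], True))
```

The pin set ships with the client (or arrives over an earlier, already-pinned connection), so it does not depend on DNS or on the CA that signed the fraudulent certificate; that is what makes it effective even when both the CA and the victim's resolver are under the attacker's control.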

52. March 26, The Register – (International) Microsoft: Mystery bug blocks Syrian secure Hotmail. Microsoft is blaming an as-yet-unexplained bug for preventing access to the encrypted version of Hotmail, denying that it deliberately blocked access to the service in Syria. Microsoft told The Register March 25 that Hotmail users who had already enabled the HTTPS version of the popular e-mail service were still able to use it. Only Hotmail users trying to turn on HTTPS for the first time in certain countries and languages were being blocked, the company said. Microsoft said the problem has been resolved, but that it does not yet know what caused it and is still investigating. The company said users in the Bahamas, Cayman Islands, and Fiji were also affected. Source: http://www.theregister.co.uk/2011/03/26/microsoft_https_hotmail_syria/

53. March 25, H Security – (International) Another zero-day exploit for SCADA systems. In addition to the 35 vulnerabilities and zero-day exploits in supervisory control and data acquisition (SCADA) systems reported at the beginning of the week of March 21, another vulnerability and another zero-day exploit have now been revealed. A security specialist has published code demonstrating a flaw in BroadWin’s Web-based visualization (HMI) software WebAccess. The code reportedly exploits a flaw in the RPC interface of the WebAccess Network Service to inject and execute code. The researcher said he informed DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in advance, and the team contacted the vendor. ICS-CERT said the vendor was not able to confirm the flaw. The researcher later wrote that the vendor denied the flaw’s existence, so he published the exploit. In lieu of a patch, ICS-CERT recommended BroadWin users isolate their systems behind a firewall, so the service is not reachable from untrusted networks, and use VPNs for remote access. Separately, ICS-CERT said it found a SQL injection vulnerability in the IntegraXor software from Malaysian vendor Ecava. The team said attackers can exploit the flaw to manipulate the database and execute arbitrary code. According to ICS-CERT, the software is used in 38 countries, including the United States, Australia, the United Kingdom, Poland, and Canada. Source: http://www.h-online.com/security/news/item/Another-zero-day-exploit-for-SCADA-systems-1215450.html
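Items 49 and 53 both turn on SQL injection, and the MySQL.com dump in item 49 also shows why an unsalted hash dump is worth cracking. The following added example (Python with the standard-library sqlite3 module; not code from MySQL.com, BroadWin or Ecava, and the schema, user names and passwords are constructed sample data) puts the vulnerable query beside its parameterized form, runs a dictionary attack over an unsalted MD5 dump of the kind that was posted, and shows the salted PBKDF2 storage that makes the same dump far less useful.

```python
"""SQL injection in a user lookup, and what a leaked hash column is worth.
Added example; schema, users and passwords below are constructed sample data."""
import hashlib
import hmac
import os
import sqlite3

# Constructed accounts stored with unsalted MD5, the storage style whose hashes
# "have since been cracked" in item 49.
SAMPLE_PASSWORDS = {
    "alice": "password1",
    "bob": "letmein",
    "carol": "Tr0ub4dor&3",
    "dave": "qwerty",
}


def make_db():
    """In-memory table standing in for the site's user database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(n, hashlib.md5(p.encode()).hexdigest()) for n, p in SAMPLE_PASSWORDS.items()],
    )
    return conn


def lookup_vulnerable(conn, name):
    """The bug: user input is spliced into the SQL text, so a quote in the
    input closes the string literal and the remainder is parsed as SQL."""
    sql = "SELECT name, pw_hash FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name):
    """The fix: a bound parameter is passed as data and never parsed as SQL,
    so the same payload simply matches no row."""
    return conn.execute("SELECT name, pw_hash FROM users WHERE name = ?", (name,)).fetchall()


def crack_unsalted_md5(rows, wordlist):
    """With no salt, one precomputed table cracks every user in the dump at once.
    rows: (name, md5hex) pairs as leaked; returns {name: password} for hits."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {name: table[h] for name, h in rows if h in table}


def hash_salted(password, salt, iterations=50_000):
    """PBKDF2-HMAC-SHA256: a per-user salt defeats shared precomputation and
    the iteration count makes each guess cost real work."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def store_salted(password):
    """Stored form 'salthex$digesthex' with a fresh random 16-byte salt."""
    salt = os.urandom(16)
    return salt.hex() + "$" + hash_salted(password, salt)


def verify_salted(password, stored):
    salt_hex, digest = stored.split("$", 1)
    return hmac.compare_digest(hash_salted(password, bytes.fromhex(salt_hex)), digest)


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    leaked = lookup_vulnerable(conn, payload)   # the whole table comes back
    print(leaked)
    print(lookup_safe(conn, payload))           # []
    print(crack_unsalted_md5(leaked, ["123456", "letmein", "password1"]))
```

The `x' OR '1'='1` payload turns the WHERE clause into a tautology; a `x' UNION SELECT ... --` payload does the same through a second query and a line comment. Either way the attacker walks off with the hash column, and against unsalted MD5 a small wordlist already recovers several accounts, which is exactly the "some of which have now been cracked" outcome in item 49.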

54. March 25, Help Net Security – (International) Randomization of code and binaries for evading AV solutions. A Zscaler researcher recently spotted a detection-evasion technique on a site that serves fake antivirus (AV) software. The site’s source code is randomized so that each visit presents a different fake count of supposedly detected malware and a different malicious binary, masquerading as an AV product, for download. “The code contains different random variables and fake security warnings, which have been split into smaller variables in an effort to evade antivirus and IDS/IPS engines that may seek to match common string patterns,” the researcher noted. Even though the offered binary changes with each visit and the files have different MD5 hashes, the size of the malicious binaries is always the same. All of these files have a low detection rate (around 19 percent on VirusTotal). “This demonstrates that pure pattern matching engines will fail to detect the attack based on pattern matching strings in source code,” the researcher concluded. “Randomization of malicious binaries will also evade good antivirus engines.” Source: http://www.net-security.org/malware_news.php?id=1675
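A detection approach for the randomized fake-AV page in item 54, as an added example in Python (not Zscaler’s code; the page variants and download records are constructed sample data): instead of matching strings against the raw, randomized source, the source is normalized first (string variables inlined, concatenations joined, the random count canonicalized) so that every variant collapses to one signature. The second function flags the other tell the researcher noted, a download whose size never changes while its hash always does.

```python
"""Normalize randomized fake-AV page source before signature matching, and
flag size-constant, hash-varying downloads. Added example; all samples are
constructed, not captured from the real site."""
import hashlib
import re
from collections import defaultdict

# Two constructed variants of the same scare page: identical text, split across
# differently named string variables, with a different fake infection count.
VARIANT_A = ('var qx81 = "Your computer"; var zz2 = " is infected with "; '
             'var kk9 = "37"; var m4 = " viruses!"; alert(qx81 + zz2 + kk9 + m4);')
VARIANT_B = ('var a7 = "Your "; var b3 = "computer is infected with "; '
             'var d = "112"; var e9 = " viruses!"; alert(a7 + b3 + d + e9);')
BENIGN = 'var greeting = "Hello, "; var who = "world"; alert(greeting + who);'

VAR_DECL = re.compile(r'var\s+([A-Za-z_$][\w$]*)\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
TOKEN = re.compile(r'"(?:[^"\\]|\\.)*"|[A-Za-z_$][\w$]*')


def normalize(src):
    """Collapse the randomization so every variant yields the same text:
    1. remove `var x = "...";` declarations, remembering their values;
    2. replace each identifier that names such a string with the literal;
    3. join adjacent literals ("a" + "b" -> "ab");
    4. replace digit runs (the random count) with <N> and squeeze whitespace."""
    strings = {}

    def remember(m):
        strings[m.group(1)] = m.group(2)
        return ""

    body = VAR_DECL.sub(remember, src)

    def inline(m):
        tok = m.group(0)
        if tok.startswith('"'):          # leave literals alone
            return tok
        return '"' + strings[tok] + '"' if tok in strings else tok

    body = TOKEN.sub(inline, body)
    body = re.sub(r'"\s*\+\s*"', "", body)
    body = re.sub(r"\d+", "<N>", body)
    return re.sub(r"\s+", " ", body).strip()


def signature(src):
    """Stable hash over the normalized source; matches across variants."""
    return hashlib.sha256(normalize(src).encode()).hexdigest()


# Constructed download log entries (md5, size in bytes): four fake-AV binaries
# that differ in hash but share one size, plus two unrelated files.
SAMPLE_DOWNLOADS = [
    (hashlib.md5(b"fakeav-variant-1").hexdigest(), 312320),
    (hashlib.md5(b"fakeav-variant-2").hexdigest(), 312320),
    (hashlib.md5(b"fakeav-variant-3").hexdigest(), 312320),
    (hashlib.md5(b"fakeav-variant-4").hexdigest(), 312320),
    (hashlib.md5(b"unrelated-installer").hexdigest(), 20480),
    (hashlib.md5(b"another-file").hexdigest(), 1048576),
]


def polymorphic_groups(downloads, min_variants=3):
    """Group downloads by size and return the sizes seen with at least
    `min_variants` distinct hashes: the server-side polymorphism pattern."""
    by_size = defaultdict(set)
    for digest, size in downloads:
        by_size[size].add(digest)
    return {size: sorted(hs) for size, hs in by_size.items() if len(hs) >= min_variants}


if __name__ == "__main__":
    print(normalize(VARIANT_A))
    print(signature(VARIANT_A) == signature(VARIANT_B))   # True
    print(polymorphic_groups(SAMPLE_DOWNLOADS))
```

The normalized text, not its hash, is what should be fed to the existing string rules: the hash only matches this one template, whereas rules over normalized text survive the next round of variable renaming. The normalizer is deliberately narrow (double-quoted literals, simple `+` concatenation) and would need extending for escaped quotes or `String.fromCharCode` tricks.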

55. March 24, V3.co.uk – (International) Security expert warns of targeted attacks on senior execs. Attackers could use the practice of “vanity” searches to carry out targeted attacks, according to security experts. The chief executive of Trusteer suggested attackers could infect PCs belonging to high-level executives by lacing pages with search terms associated with the target’s name or company. He explained that, to keep tabs on news coverage, many executives have Google Alert settings that comb the engine for mentions of their own name, a practice known as a “vanity search.” An attacker could craft a malicious page with an exploit tool or attack code. The malicious page could then be loaded with words associated with the individual or company being targeted. The attack page would then appear on the target’s vanity searches, possibly luring an executive or other high-value target into a malware attack. Trusteer’s CEO said the potency of the attacks could be increased by the use of zero-day flaws in combination with personal information gathered through services such as LinkedIn. Source: http://www.v3.co.uk/v3-uk/news/2036904/security-expert-warns-targeted-attacks-senior-execs

Communications Sector

46. March 26, Des Moines Register – (Iowa) State inaction hurts emergency radio upgrade effort. Iowa police, firefighters, ambulances, hospitals, dispatch centers, and others will lose their ability to communicate via two-way radio at the end of 2012 if they do not make upgrades required by the federal government. Many small local agencies cannot cover this expense, but attempts to address the issue are stalled. Without the upgrades, as of January 1, 2013, dispatch centers would still get 911 calls, but the emergency workers would no longer have working radios to receive details about the calls or to talk with each other once they reach the scene. The mandate “may result in approximately one-fourth of the state being without radio coverage unless some corrective steps are taken to ensure continued coverage,” according to an analysis by the nonpartisan Legislative Services Agency. Local emergency agencies that fail to upgrade face fines up to $10,000 per day, cancellation of their Federal Communications Commission license to operate radios, and loss of communications capabilities, the analysis said. Source: http://www.desmoinesregister.com/article/20110326/NEWS10/103260332/1094/SPORTS0206/?odyssey=nav|head