Friday, April 1, 2011

Complete DHS Daily Report for April 1, 2011

Daily Report

Top Stories

• The Gallatin New Examiner reports one person was injured in a chemical flash fire March 29 at Hoeganaes Corporation in Gallatin, Tennessee. The incident follows a fatal fire in January, and has resulted in a U.S. Chemical Safety Board investigation. (See item 5)

5. March 30, Gallatin News Examiner – (Tennessee) 1 injured in second flash fire at Gallatin plant. One person was injured in a flash fire March 29 at Hoeganaes Corporation on Airport Road in Gallatin, Tennessee, a plant that produces powdered metal products, the Gallatin Fire Department said. This is the second such flash fire at the facility since January. First responders were dispatched to the scene at 2 p.m. One person sustained burns and was transported to a nearby hospital, fire officials said. The injuries sustained were not significant. The U.S. Chemical Safety Board (CSB), a federal agency tasked with investigating industrial incidents, is investigating both incidents, according to the board’s Web site. On March 30, the board announced it will send a team back into Gallatin to investigate the new event. “We are concerned that we are looking at a second serious incident within a short period of time at this facility,” the investigator in charge said. The accident occurred during maintenance of a burner at the plant, CSB said. In the earlier incident, two maintenance workers were burned, one fatally, in a January 31 flash fire. In that event, investigators determined the fire was caused by an electrical short that ignited materials in an elevator machinery room, burning one worker on about 95 percent of his body and the other on about 70 percent, according to the Gallatin Fire Department’s report. Source:

• According to Tech Herald, an SQL injection campaign grew tenfold in 1 day to infect more than 638,000 Web sites by March 31. See item 53 below in the Information Technology Sector


Banking and Finance Sector

14. March 31, Kennebec Journal – (Maine) Hackers breach bank’s online system. In Augusta, Maine, the Kennebec Savings Bank’s online banking system was infiltrated by an outside party and bank officials are working with a team of computer forensics experts to find out which customers may have been affected and what information may have been accessed. Bank officials said there was no unauthorized access to customer funds, Social Security numbers or debit or credit card information. An investigation is ongoing. A bank spokesman said March 30 bank officials determined the incident affected only Internet banking customers. According to a statement from the bank, the preliminary investigation indicated sophisticated “malware” permitted entry into the online banking system. A spokesman said an alert employee “saw something that didn’t look right” March 21. Fearing suspicious activity involving unauthorized access, the bank shut the system down to protect against further unauthorized access and initiated an investigation. Kennebec’s online banking system was back up and running in about 48 hours. The bank’s president and CEO said the bank hired a nationally recognized computer forensic team, Maine-based Sageworks, to assist with the investigation, and has been working closely with the U.S. Secret Service and other authorities. Source:

15. March 31, Federal Bureau of Investigation – (California; Oregon) California man pleads guilty in Oregon in $18 million Ponzi scheme. On March 30, a man pleaded guilty to mail fraud and money laundering in connection with a Ponzi scheme that reached Florence, Oregon. The defendant admitted to soliciting about 100 individuals, a majority of whom are residents of Florence, to invest in real estate through his company, Sunburst Associates, Inc., a California corporation, bilking them out of more than $18 million. The defendant claimed to offer hard-money loans through his company that were secured by real estate deeds of trust. To entice individuals to invest, the defendant falsely promised high rates of return and a security interest in the property allegedly pledged to secure the investment. Additionally, the defendant sent investors fraudulent investment materials, including the supposed deeds of trust. As part of his plea, the defendant admitted the investments never existed and that it was all a Ponzi scheme — he used new investor money to pay existing investment obligations. The defendant further admitted to spending investor money on personal items, including a car and a home. Source:

16. March 31, Atlanta Journal-Constitution – (Georgia) Suspects in armored car robberies to be in court. Two men charged in a string of recent armored car robberies were slated to have their first court appearance April 1 before a judge at the Gwinnett County Jail. The two were arrested March 30 near the Gwinnett-Fulton County line in Georgia. They are each charged with three counts of armed robbery, a Gwinnett police spokesman said. One of the men was also charged with two counts of conspiracy to commit armed robbery, and charges against other suspects are likely, the spokesman said. He could not say whether the men would be charged with the killing of an armored car guard earlier this month outside the Toco Hill Kroger store, because that robbery and shooting occurred in DeKalb County. According to an arrest warrant, the pair placed a Loomis Armored truck under surveillance March 28; they then drove to a Food Depot and waited for the armored truck to arrive, but then abandoned plans to rob the truck. The men are charged in connection with three armored car heists in Gwinnett, the police spokesman said. “The suspects’ [method of operation] in these cases was to wait until the armored car guards were outside of their vehicle,” the spokesman said. “In all three of the cases in Gwinnett, the guards were refilling ATMs.” Source:

17. March 29, KPHO 5 Phoenix – (Arizona) FBI seeks ‘Castaway Bandit’. The FBI in Phoenix, Arizona, wants the public’s help in tracking down the man agents call the “Castaway Bandit.” The special agent in charge said the man has hit banks at least three times in March, each time giving a teller a note demanding money. He does not appear to have a weapon. On March 10, he robbed the First Fidelity Bank at 74th Street and Camelback Road in Scottsdale, police said. On March 16, he robbed the First Credit Union near Chandler Boulevard and Kyrene Road in Chandler. And he pulled his scheme again March 21 at the TCF Bank at Ray Road and Cooper Road in Chandler. The thief has worn a white “Gilligan”-style hat, dark sunglasses, or large white framed sunglasses and gloves. He is described as white, around 27 to 30 years old, 6 feet to 6 feet 3 inches tall, and weighing about 180 pounds. Source:

18. March 29, KAJ 18 Kalispell – (Montana) Charlo woman admits to stealing $600K+ from bank. A Charlo, Montana woman has admitted in federal court to stealing more than $600,000 from a Polson, Montana, bank. The woman pleaded guilty to embezzlement from a credit union and money laundering. Federal prosecutors said the woman started working at the Polson branch of the Whitefish Credit Union as a teller in 1996, and that she started stealing cash from the teller drawer 2 years later. She was named the manager of the branch in 2009, and the embezzlement continued until a surprise cash audit in June 2010. That check determined the bank’s vault was about $676,000 short and when she was confronted by IRS and FBI agents, she confessed to the theft. Prosecutors said each day a cash count was conducted where two credit union employees counted the cash in the vault and in the teller drawers. She would complete the first columns of the vault balancing sheet, which included the cash counts with a second teller. Then she would have the other teller sign off on the form. She would then complete the vault balancing sheet by herself so it balanced to the general ledger. To hide her theft, she would white-out the numbers for the cash counts in the first two columns that were witnessed by the second teller. She would then place numbers in these columns over the whited-out numbers that matched the general ledger balances. She kept the original vault balancing sheets in her office and sent copies to the accounting department via fax so the white-out would be hidden. She faces up to 30 years in federal prison, a $1 million fine and 5 years supervised release as a result of her plea. Source:

For another story see item 55 below

Information Technology

53. March 31, Tech Herald – (International) SQL injection attack jumps to more than 600,000 domains. Tech Herald reported that an SQL injection campaign that had hit nearly 50,000 Web sites March 30 had increased more than 10 fold by March 31. Since that initial report, two additional attacking domains were discovered. By March 31, the number of sites with signs of infection from the 3 attack sources spiked to more than 638,000. The original attacking domain, lizamoon(dot)com is still offline, but the server hosting it remains active. But this has not stopped the attack from spreading. The majority of the domains impacted are designed using ASP, while others are driven by PHP. These platforms, depending on how they are deployed, are vulnerable to several attack vectors, including SQL injection and Cross-Site Scripting (XSS). The recent attacks use an automated injection process. A bot is launched by the criminals behind the attack, which scans the Web for vulnerable sites. When a vulnerable domain is found, JavaScript code is injected into its database and the bot moves on. Links to malicious domains are delivered as the JavaScript renders in the browser, redirecting the user to rogue anti-virus software, or other malware in some cases.


54. March 31, The Register – (International) Testing confirms Samsung keylogger rumor just a false alarm. Antivirus testers have backed up Samsung’s protestations that the detection of keylogging software on brand-new Samsung laptops was a false alarm. The founder of security consultancy NetSec raised the alarm after a scan revealed two newly purchased Samsung laptops were infected with StarLogger, a commercial keylogger. It was suggested that Samsung was using underhand methods to extract market research, monitoring user activity without their knowledge or consent in the process. The NetSec founder was eventually put through to a Samsung support center manager who told him Samsung had pre-loaded software to “monitor the performance of the machine and to find out how it is being used.” Samsung quickly denied it was doing anything of the sort before issuing a more detailed statement saying the confusion stemmed from the installation of the Microsoft Live! application suite. The Slovak language version of the suite creates a folder called C:\Windows\SL, the same folder name as is used by the StarLogger application. Testing by antivirus researchers March 31 confirmed VIPRE Antivirus detects StarLogger after creating a SL folder on a clean PC. Source:

55. March 30, threatpost – (International) Sophisticated attack yields data on IEEE members. The Institute of Electrical and Electronics Engineers (IEEE) has warned 800 members their credit card and personal information may have been stolen. The group disclosed the November 2010 breach in a letter to the New Hampshire Attorney General, dated February 24. While the source and purpose of the security breach are not known, IEEE’s membership of technical professionals raises concerns about whether group members might be the targets of sophisticated phishing and social engineering attacks using stolen data. IEEE, based in Piscataway, New Jersey, describes itself as the world’s largest technical professional society, with some 400,000 members globally, half of whom are in the United States. Group members include senior executives and rank and file professionals in fields such as aerospace, information technology, nuclear engineering, robotics, and manufacturing. According to a letter from IEEE’s law firm, the group first became aware of intrusions into its database in December. A subsequent forensic investigation revealed a file containing customer credit card information had been deleted a month earlier. The individual(s) responsible for deleting that file would have access to the card holder data and other sensitive information on IEEE members prior to deleting the file, the letter said. A letter from the group to affected members describes the organization as a victim of a “sophisticated network intrusion” that exposed data from a database used when members registered for a conference. The stolen data included names, credit card numbers, expiration data, and card identification numbers. Source:

56. March 30, Help Net Security – (International) Cisco ACS unauthorized password change vulnerability. A vulnerability exists in some Cisco Secure Access Control System (ACS) versions that could allow a remote, unauthenticated attacker to change the password of any user account to any value without providing the account’s previous password. Successful exploitation requires the user account to be defined on the internal identity store. This vulnerability does not allow an attacker to perform any other changes to the ACS database. That is, an attacker cannot change access policies, device properties, or any account attributes except the user password. Source:

57. March 30, Softpedia – (International) Xerox patches printer vulnerabilities. Printer manufacturer Xerox has issued a security patch for several models of its WorkCentre multifunction devices in to address a critical buffer overflow vulnerability. The vulnerability affects network-connected all-in-one printers capable of storing documents and is located in the Samba file sharing service. The flaw, identified as CVE-2010-2063, was discovered by a researcher from of iDefense Labs and was patched in Samba 3.3.12 in June 2010. The patch was subsequently ported to many operating systems and devices that make use of the open source package. The flaw carries a base score of 7.5 on the CVSS scale and can be exploited to crash the system or execute arbitrary code by sending maliciously crafted Service Message Block (SMB) packets. In the context of Xerox printers this vulnerability can be leveraged to make unauthorized changes to the configuration, though the vendor notes usernames and passwords are not at risk. Customers with Xerox WorkCentre 5735, 5740, 5745, 5755, 5765, 5775, 5790 whose system software is version to and network controller version is 061.130.06150 to 061.131.06220 are advised to install the newly released P47 patch. The vendor warned some network vulnerability scanners might still detect the printers are vulnerable even with the patch. Source:

Communications Sector

58. March 31, FIN Alternatives – (National) Pentagon, Transportation Dept. object to LightSquared network. The U.S. departments of defense and transportation have again raised concerns about LightSquared, the wireless broadband venture funded by Harbinger Capital Management. In a recent letter, the two cabinet departments reiterated concerns expressed to the Federal Communications Commission (FCC) in January, that LightSquared’s service could interfere with military and aviation Global Positioning System (GPS) systems. FCC brushed off those concerns, as well as those of the departments of Commerce and Homeland Security, granting a necessary waiver to LightSquared allowing it to begin building its network. But the Pentagon and Transportation Department are undeterred, calling on FCC to undertake “a comprehensive study of all the potential interference to GPS.” The two agencies fear that LightSquared’s use of a frequency close to that used by GPS systems could present a major problem. “The new LightSquared business plan and the new FCC rules significantly expand the terrestrial transmission environment, increasing the potential for interference to GPS receivers,” the deputy defense secretary, and deputy transportation secretary, wrote. LightSquared has already signed deals with Best Buy and Leap Wireless International, and is in talks with more than a dozen others, including major cable companies. Source: