Wednesday, April 6, 2011

Complete DHS Daily Report for April 6, 2011

Daily Report

Top Stories

• According to Homeland Security Newswire, a new report found that nearly 12 percent of the bridges in the United States were “structurally deficient” and required replacement. (See item 14)

14. April 5, Homeland Security Newswire – (National) Report finds thousands of U.S. bridges in dangerous need of repair. The week of March 28, a new report found that nearly 12 percent of the bridges in the United States were “structurally deficient” and required replacement. The report, prepared by Transportation for America (TOA), an advocacy organization made up of business, transportation, and environmental organizations, found that 69,000 bridges are in need of major repairs and critical maintenance has often been delayed as states are struggling with budget shortfalls. Pennsylvania is the state with the largest number of deteriorating bridges, with more than one out of four bridges in need of repair – 5,906 out of a total of 22,271. Oklahoma, Iowa, Rhode Island, and South Dakota rounded out the top five states with the highest number of aging bridges. More than 20 percent of bridges in those states were structurally deficient. The average age of bridges across the country is nearing 42 years, and most were designed to have a 50-year lifespan before they were replaced or reconstructed. TOA has called for increased funding for infrastructure to help make repairs. The report noted the American Society of Civil Engineers has recommended the United States spend $17 billion per year on bridge maintenance, significantly more than the $10.5 billion that is currently spent each year. Source:

• WBIR 10 Knoxville reports the Gatlinburg, Tennessee Wastewater Treatment plant was rendered inoperable, April 5, after a container ruptured, sending millions of gallons of waste into the Little Pigeon River. (See item 25)

25. April 5, WBIR 10 Knoxville – (Tennessee) 2 missing after wastewater storage tank ruptures, spilling into river. The Gatlinburg, Tennessee Wastewater Treatment plant was rendered inoperable, April 5, after a container that stores sewage ruptured, sending millions of gallons of waste into the Little Pigeon River, and sweeping two people into water. The situation means that any waste that enters the system will go directly into the river. Plant officials indicated they have pumps and mobile treatment equipment on the way. Gatlinburg’s city manager described the spill as a “catastrophic event.” She said the two people who are missing are employees of Veolia Water NA, the company contracted to operate the city-owned plant. A Great Smoky Mountains National Park spokesman said there was a failure of the equalization basin at the plant. When sewage comes in from the city, it is pumped into that basin, where it is held until it is released in a steady flow into the actual treatment plant. The U.S. Park Service is involved because they manage the road that goes in front of the visitors center and the plant, and they manage the West Prong of the Little Pigeon River. Officials said they were conducting search and rescue operations and would address water quality after the search for the missing people is completed. A spokesman from the Tennessee Emergency Management Agency (TEMA) said 1.5 million to 3.2 million gallons of sewage may have spilled into the river. TEMA’s area coordinator, and teams from the Tennessee Department of Environment and Conservation and the state health department have been asked to respond. The state health department advised people to not come into contact with the water in the Little Pigeon River. But city officials said the drinking water is safe. Because the missing employees may have been swept into the river, swift water rescue crews were staged at the Rivers Edge RV Park, which is downstream from the plant. The city manager said crews will also use a crane and other heavy equipment to search under the basin wall that collapsed. The wall was about 40 feet high and made of 12-inch thick reinforced concrete. Source:


Banking and Finance Sector

11. April 5, The Register – (International) SpyEye mobile banking Trojan uses same tactics as ZeuS. Cybercrooks have deployed a sophisticated man-in-the-mobile attack using the SpyEye banking trojan toolkit. The trojan, which infects Windows machines, displays additional content on a targeted European bank’s Web page that requests prospective marks to input their cell phone number and the international mobile equipment identity of the device. The bank customer is told the data is needed so a new “digital certificate” can be sent to the phone. The certificate contains the malicious executable (sms(dot)exe) that infects Symbian-based smartphones along with another executable (SmsControl(dot)exe) that displays a message designed to hoodwink users into believing the only thing delivered was a digital certificate. Net security firm F-Secure detects this malware as Spitmo-A. The European bank targeted in the attack uses short message service (SMS)-based mobile transaction authentication numbers (mTANs) to authorize transfers. Details of how the SMS-based mTANs are delivered to the attacker are still under investigation, but preliminary research suggests they are delivered via hypertext transfer protocol, and not via SMS as with an otherwise similar earlier attack that used the infamous ZeuS cybercrime toolkit. The earlier ZeuS-based attack also used a file called SmsControl(dot)exe as part of its payload. Presenting a trojan as a digital certificate, one of the tricks of the SpyEye-based attack, also appeared in the earlier ZeuS Mitmo attack. Despite these similarities, and the rumored merger between ZeuS and SpyEye, the two strains of malware are otherwise dissimilar, F-Secure reports. Source:

12. April 4, KMBC 9 Kansas City – (Kansas) Teller pleads guilty in fake bank heist. A former employee of an Overland Park, Kansas bank has pleaded guilty to embezzlement charges in connection with a staged robbery and kidnapping at the bank last fall, KMBC reported April 4. The man admitted taking part in the scheme to cover up stolen money from the bank’s ATM, a U.S. attorney said. The FBI was called to the bank at 10100 W. 119th St. in November 2010 after the employee was found in the bank at 7:20 a.m., bound with duct tape and suffering from a nosebleed. He said he had been abducted and forced to get money out of the bank. Agents said they believed the robbery was staged. The former employee is scheduled for sentencing in June. He faces a maximum penalty of 30 years in prison and up to $250,000 in fines. Three other co-defendants who also pleaded guilty to taking part in the scheme will also be sentenced this summer. Source:

13. April 4, San Francisco Examiner – (California) Four floors of Bank of America building evacuated after water main break. Four floors of the Bank of America building in San Francisco, California, were evacuated April 4 after a 3-inch water main broke, flooding the seventh and eighth floors of the building. According to fire dispatch, reports of a water main break were received by the San Francisco Fire Department around 11:52 a.m. Fire officials were on the scene within 3 minutes. The water valves were shut off within 25 minutes of the first call, according to fire dispatch. The seventh and eighth floors received the most water damage. The seventh, eighth, ninth, and tenth floors of the building were evacuated, according to fire officials. No injuries were reported, but there is a lot of water in the area. The building, located at 555 California St., is a 52-story building in the center of the city’s financial district. Source:

Information Technology

42. April 5, Softpedia – (International) Profile Spy scam hits Twitter. Security researchers warn of a survey scam currently making the rounds on Twitter which tricks users by promising them the ability to view their profile visitors. According to a researcher from Errata Security, victims post spam messages that read “94 people viewed my profile today!” followed by “Wow! See who viewed your twitter with Profile Spy [link]”. Clicking on the link takes users to a page asking for an app called “Profile Spy” to connect to their accounts. This app is used for the scam’s propagation and if allowed, it will start sending spam from the victim’s accounts without their permission. People who agree to connect with the application will be redirected to a page asking them to participate in a survey, allegedly as a security check. These surveys try to sign up users for premium rate mobile services or are part of legit affiliate marketing campaigns that are abused by the scammers. Each time a user completes a survey, the scammers earn a commission, which makes it worthwhile to keep the attacks going. “There might be further malware in those links designed to compromise your machine or accounts, like clickjacking exploits,” the researcher warned. Source:

43. April 5, The Register – (International) Anonymous hacks Sony PS3 sites. Several Sony PlayStation sites were unavailable April 5 due to what was probably a distributed denial of service attack launched by Anonymous. The hacktivists decided to attack Sony because the company took legal action against two hackers for jailbreaking PS3s. The U.K. PlayStation 3 site is currently down, and so is the European PlayStation store, while the main U.S. and U.K. Sony sites are still available. Source:

44. April 4, Softpedia – (International) Millions of Facebook users invited to rogue events by spammers. Security researchers warn that millions of users have been invited to attend fake Facebook events that are used by cybercrooks for survey spam. One of these rogue events is called “Who blocked you from his friend list?” and already has over 165,000 confirmed attendees. What is interesting about this spam event is the number of people whose response is still pending, over 10.3 million. There have also been around 70,000 users who answered that they might be attending, and 880,000 who declined, resulting in 1 in 6 people who decided to attend. The actual spam is inserted in the event’s description and instructs users to visit a link in order to access the promised content. However, the link takes them to a spoofed Facebook page that displays a dialog asking them to participate in a survey before continuing. Some of these surveys are part of legitimate affiliate marketing campaigns that are abused, but others can be malicious and try to sign up users to expensive services. Another event spotted by security researchers from Sophos uses the title “You will NEVER send a TEXT after seeing this VIDEO!” while experts from Trend Micro warn of one called “How to Find Out Who’s Viewing Your Profile.” It appears that since Facebook has gotten better at suspending the rogue apps commonly used in survey scams, spammers have discovered new conduits that are not monitored as strictly. Source:

45. April 4, Softpedia – (International) Xbox LIVE policy director has online accounts hijacked. A disgruntled gamer has managed to hijack the domain, e-mail, and Xbox accounts of Microsoft’s director of policy and enforcement for Xbox LIVE. It appears the hack began with a social engineering attack against Network Solutions, the registrar used by the policy director for his domain. With control over the domain, the hacker managed to obtain access to the director’s personal e-mail address and used it to reset the password for his Xbox LIVE account. The attacker, who calls himself Predator, posted a video of him controlling the account on YouTube. Apparently, he was annoyed with the director for repeatedly banning him. As director of policy and enforcement for Xbox LIVE, the victim is responsible for banning people who try to cheat the system. The hacker also offered to hijack other people’s accounts for a price of $250. Source:

46. April 4, The Register – (International) Attack hijacks sensitive data using newer Windows features. Security researchers have outlined a way to hijack huge amounts of confidential network traffic by exploiting default behavior in Microsoft’s Windows operating system. The man-in-the-middle attacks described April 4 take advantage of features added to recent versions of Windows that make it easy for computers to connect to networks using the next generation IPv6 protocol. The attack will also work against Apple’s OS X for Macs, although the proof-of-concept has not been tested on that platform, said a program manager at InfoSec Institute, an information security services company. The attack exploits an industry standard known as Stateless Address Auto Configuration (SLAAC) for allowing clients and hosts to find each other on IPv6 networks. When the next-generation addressing scheme is turned on, as it is by default in OS X, Windows Vista, Windows 7, and Server 2008, SLAAC can be used to create an unauthorized IPv6 network that reroutes data through hardware controlled by the attackers. “All these Windows boxes will default connect to the evil router instead of the legitimate router when this parasitic overlay is running,” the researcher told The Register. “If Microsoft didn’t have that configuration by default, it would negate a lot of the effects of the attack.” Source:

Communications Sector

47. April 4, WLEX 18 Lexington – (Kentucky) Officials confirm tower collapse during W. Ky. storm. A storm caused heavy damage as it rolled through Ballard County in western Kentucky April 4. The Paducah Sun reported a spokeswoman for the Ballard County Sheriff’s Department confirmed the collapse of a cell phone tower near the community of La Center. The official said she did not know if another report of a building collapse was the cell phone tower support building. There were reports that someone was trapped inside that building after the collapse. The paper also said there were numerous reports of downed trees blocking roads. Source:

48. April 4, Associated Press – (Arkansas; Texas) Damage knocks NPR stations in Ark., Texas off air. An arson at a National Public Radio affiliate in Arkansas and possible transmission wire tampering at a station in Texas were being investigated as separate incidents April 4, but authorities said they would work to determine if the two were connected. Engineers at KTXK in Texarkana, Texas, found holes in a transmission cable April 1. A fire damaged KUAR’s transmitter at Little Rock, Arkansas, April 2. Police said someone changed the station’s lock, and fire officials later told the station the blaze was intentionally set. Crews in Texarkana found a hole about the size of a pencil in KTXK’s transmission cable April 1. The executive director of public safety and police services at Texarkana College said it is too early to determine what caused the hole, but that he has not ruled out vandalism. “It’s a pretty clean hole so it could have been a bullet,” he said. “At that height, nobody climbed up there and punched a hole.” The general manager of KUAR said the station first became aware of the April 2 fire after someone called in to report the Little Rock station was off the air. He said an engineer who headed out to inspect the tower discovered the original lock on the door had been removed and a new lock was put in its place, preventing the engineer from entering the burning building. After fire crews extinguished the blaze, he said officials discovered part of the perimeter fencing had been cut and pulled back and that some copper was missing. KUAR reported April 4 that ATF agents informed the station a trained dog had sniffed out an accelerant. Both stations were broadcasting online April 2. The general manager said that full repairs to the Little Rock station will cost around $200,000. The general manager of the Texarkana station said he expects repairs to cost close to $40,000. Source: