Tuesday, April 26, 2011

Complete DHS Daily Report for April 26, 2011

Daily Report

Top Stories

• CNN reports the main airport in St. Louis, Missouri, was slated to operate at 90 percent capacity April 25, less than 3 days after a powerful tornado tore through the facility destroying windows, the roof, jet gas lines, and parking lots. (See item 20)

20. April 25, CNN – (Missouri) Director: St. Louis airport's recovery 'miraculous' after tornado. The main airport in St. Louis, Missouri, will operate at 90 percent capacity April 25, less than 3 days after a powerful tornado tore through the facility, the airport's director said. But restoration efforts are far from over at Lambert-St. Louis International Airport, where the April 22 storm shattered windows in at least five of the main terminal's arching front facades, ripped off part of a roof, damaged jet gas lines, and wreaked havoc on parking lots and vehicles. "It obviously just took a couple of minutes for the damage to occur," the airport director said. "It will take weeks, maybe a couple of months, to clean up all of it." Still, she said efforts to get the facility up and running again have been "miraculous." Airport officials are still working to help American Airlines and Cape Air restore full service by April 26, the director said. Those carriers were among the hardest hit after the storm, which devastated the airport's C concourse. The tornado damaged 750 homes near the airport, Missouri's governor said. And preliminary National Weather Service estimates show the tornado packed winds between 111 and 165 miles per hour when it hit the airport. The facility's design — and the way people responded to warnings — played a key role to the airport's survival, the director said. "It is a historic building, and it's built very, very well. I think that had a part to do with it, but we also had very early warnings," she said. Sirens sounded, she said, and police and firefighters helped make sure people inside the airport took shelter. Besides damage to homes and the airport, the strong winds also hit businesses and tore through the roof of a Ferguson, Missouri church, where dozens had gathered. Officials have said inspections of buildings will take several days and hauling off debris will take longer. Elsewhere in Missouri, storms over the weekend left behind water on the runways at a regional airport, forcing authorities to shut down the facility temporarily. The Cape Girardeau Regional Airport, located about 100 miles south of St. Louis, has been shut down since April 24, the administrative coordinator said. Crews were activating a pumping system to remove the standing water April 25, she said, but authorities had not determined when the airport would reopen. Source: http://edition.cnn.com/2011/TRAVEL/04/25/st.louis.airport/

• According to V3.co.uk, research from Idappcom found 52 new threats in March targeted at industrial supervisory control and data acquisition (SCADA) systems of the sort hit by the Stuxnet worm. See item 46 below in the Information Technology Sector

Details

Banking and Finance Sector

14. April 23, Alton Telegraph – (Illinois) New details emerge in purported bank scheme. Federal authorities said a woman managed to steal $4.4 million by doctoring reports and other means during a several-year period while an executive at Jersey State Bank in Illinois. New details in the case were released April 22 by a U.S. attorney. The 56-year-old woman was indicted by a grand jury for bank fraud, alleging she embezzled the funds from at least 2003 until January 2011. She resigned her position in February. She was employed by the bank since about 1976. During her employment, she held various positions including assistant cashier, a director of the bank holding corporation, and executive vice president, the attorney said. Her responsibilities included being in charge of the general ledger and the corresponding accounts. She also provided regular reports to the president and board members as to the bank's assets, stability, and financial soundness. The indictment alleges the woman electronically transferred funds from the corresponding accounts to her own accounts, inflated expenses to a prepaid expense account and then electronically transferred the funds to her account, took money from a certificate of deposit account, and concealed the money in the bank's general ledger. It also alleges that to perpetuate the scheme, she provided false information in monthly reports to the board and provided false information to Federal Deposit Insurance Corporation examiners and state bank examiners. Bank fraud carries a maximum penalty of up to 30 years' imprisonment and/or a fine of $1 million, 5 years supervised release, and mandatory restitution. Source: http://www.thetelegraph.com/news/bank-53141-fraud-becker.html

15. April 23, Norfolk Virginian-Pilot – (Virginia) Officer shoots man after bank heist in Va. Beach. A police officer shot a man April 22 after a robbery at a Wachovia Bank in Bayside, Virginia. Waving a semiautomatic handgun and demanding money from clerks, a man wearing a mask entered the bank at 1612 Independence Boulevard at about 9:15 a.m., a police spokesman said. He fled with cash through the front door. A radar officer patrolling the neighborhood noticed a man matching the bank robber's description. He got out of his car, drew his firearm and told the man to stop. The suspect refused, got into a car and drove toward the officer. The officer fired several rounds through the vehicle's windshield, the spokesman said, striking the man, who drove 100 to 200 feet farther and through a fence into the backyard of a townhome. Medics took the suspect to Sentara Norfolk General Hospital, where he was in critical but stable condition April 22. Police identified the man as a 38-year-old from Virginia Beach. He faces three counts each of robbery and use of a firearm. Police recovered weapons from the suspect's vehicle, including one believed to have been used in the robbery, the spokesman said. Detectives are investigating whether the suspect was connected to the January 11 robbery at the same bank, the spokesman said. The robbery occurred at about the same time of day under similar circumstances. Source: http://hamptonroads.com/2011/04/police-id-man-shot-injured-after-bank-robbery-va-beach

16. April 22, WYFF 4 Greenville – (Georgia) GBI: Bank robber leaves behind pipe bombs. A bank robbery suspect who brought bombs into the Northeast Georgia Bank in Carnesville, Georgia, was arrested after he was spotted driving on the wrong side of the road April 21, deputies said. The Franklin County sheriff said the 25-year-old from Central, South Carolina, was covered in dye from dye packs placed in bags with the money he had stolen a short time earlier. Investigators said the suspect first went into the bank and walked around, but then left. Deputies said the suspect then went into the First Citizens Bank at 9654 Lavonia Road and demanded money. Investigators said he put two items, believed to be live pipe bombs, on the counter. Investigators said several elements of the devices led them to believe they were live bombs. A teller gave the man three bags that included the dye packs, deputies said. Buildings in the courthouse square area were evacuated and streets closed down because of the suspected bombs. Just before 5 p.m., the FBI and the Georgia Bureau of Investigation bomb squad mobilized a bomb diffusing robot in the bank. At about 6 p.m., the bomb squad safely detonated the devices. "There was actually two pipe bombs there and from what I understand, they were workable bombs, but they didn't have any powder in them," the sheriff said. The suspect is charged with armed robbery and two counts of manufacturing and possessing explosives. Source: http://www.wyff4.com/r/27628367/detail.html

17. April 22, Financial Advisor – (California) SEC charges Calif. company with $10 million boiler room scheme. The Securities and Exchange Commission (SEC) April 21 charged a Santa Ana, California-based e-mail marketing company, along with a father and twin sons who are the company’s executives, with defrauding investors in a $10 million boiler room scheme. The SEC alleges mUrgent Corporation, its chief financial officer, and his sons operated a boiler room to sell mUrgent stock. Boiler room employees cold-called investors, used high-pressure sales tactics, and misrepresented to investors that mUrgent had a prospering business and would imminently conduct an initial public offering. The SEC also alleges mUrgent and the three family members falsely told investors that stock sale proceeds would not be used to pay the family's cash salaries. “mUrgent falsely portrayed itself to investors as a successful company with imminent plans to go public,” the director of the SEC’s Los Angeles Regional Office said. ”Instead, these three men used the company as their personal piggybank.” According to the SEC’s complaint filed in federal court in Los Angeles, mUrgent and the family conducted 2 unregistered securities offerings beginning in 2008 that raised nearly $10 million from at least 130 investors nationwide. The family misused investor money to fund more than $1.3 million in cash salary and bonuses for themselves. They also established a separate “slush fund” of more than $500,000, and used investor funds to pay for luxury cars and other personal expenses. The SEC seeks permanent injunctions against mUrgent and the family for violations of the antifraud, offering registration, and broker registration provisions of the federal securities laws, disgorgement, financial penalties, and an order prohibiting the three family members from serving as officers or directors of any public company. Source: http://www.fa-mag.com/fa-news/7258-sec-charges-calif-company-with-10-ml-boiler-room-scheme.html

Information Technology

43. April 22, Softpedia – (International) New PDF exploit hiding technique tricks antivirus engines. Researchers from AVAST warn of a new technique used by PDF exploits to evade antivirus detection. It relies on encoding the malicious code as an image object. AVAST first encountered this technique in a malicious PDF file a month ago and has seen it used in limited, but also targeted, attacks since then. "This story began when we found a new, previously unseen, PDF file a month ago. It wasn’t detected by us or by any other AV company," a senior antivirus analyst at AVAST, wrote on the company's blog. "[...] Its originating URL address was quite suspicious and soon we confirmed the exploitation and system infection caused by just opening this document. But our parser was unable to get any suitable content that we could define as malicious," he added. It turned out there was no JavaScript stream in this file. One of the only two objects referenced by an XFA array was decoded, analyzed, and quickly eliminated. Researchers then observed the remaining one required two filters, FlateDecode and JBIG2Decode. FlateDecode is common, but JBIG2Decode is normally used to decode monochrome image data, and this is how attackers chose to store the JavaScript code. As it turns out, JBIG2Decode can be used on any object stream, an unusual behavior the AVAST developers, and probably those from other vendors as well, did not anticipate when coding their PDF parser. This particular file attempted to exploit an older Adobe Reader vulnerability, CVE-2010-0188, discovered in 2010 and patched in current versions of the program. "Based on the information from the avast! Virus Lab logs, this new trick is currently used in only a very small number of attacks [...] and that is probably the reason why no one else is able to detect it," the analyst wrote. Since the PDF parser has been updated to decode JBIG2-encoded objects, the AV vendor spotted the technique being used in other PDF files as well. However, because those also contained regular malicious code, they were already detected. Source: http://news.softpedia.com/news/New-PDF-Exploit-Hidding-Technique-Tricks-Antivirus-Engines-196659.shtml

44. April 21, Darkreading – (International) One-fourth of SSL Websites at risk. More than a year after the Internet Engineering Task Force issued a security extension to the Secure Sockets Layer (SSL) protocol for a flaw that affects servers, browsers, smart cards, and VPN products, as well as many lower-profile devices such as Webcams, more than one-fourth of SSL Web sites have not deployed the patch — leaving them vulnerable to a form of man-in-the-middle (MITM) attack. Of the 1.2 million SSL-enabled Web site servers recently surveyed by the director of engineering at Qualys, more than 25 percent were not running so-called secure renegotiation. He also found that among 300,000 of the top 1 million Alexa Web sites, 35 percent were vulnerable to this type of attack, which takes advantage of a gap in the SSL authentication process and lets an attacker wage a MITM attack and inject his own text into the encrypted SSL session. The gap occurs in the renegotiation process, when some applications require that the encryption process be refreshed. Source: http://www.darkreading.com/authentication/167901072/security/vulnerabilities/229402059/one-fourth-of-ssl-websites-at-risk.html

45. April 21, V3.co.uk – (International) 'Blackhole' attack tool spreads across the Internet. An online attack tool known as Blackhole has stormed onto the market in the first part of 2011 and is being used for large-scale attacks, according to experts. Security vendor AVG said in its latest quarterly security report that the Blackhole Exploit Kit, which targets flaws and allows an attacking machine access to a vulnerable system, has become a favorite tool among cyber criminals in recent months. Use of the malware spiked in February, in some cases rising as high as 800,000 attack attempts per day. The kit was also used for a large-scale attack on U.K. Web users. Blackhole accounted for 44 percent of malware detections collected by AVG in the first quarter, and for more than 86 percent of attack toolkit deployments. The AVG report also highlighted a jump in Android malware, particularly in China, where an Android firmware update was repackaged with additional code on marketplace sites in March. AVG estimates that roughly 0.2 percent of Android applications are malicious, and that users have potentially logged as many as 7.8 million malicious application downloads. The company also found attackers have increased their attacks on social networking services. Social engineering scams, which trick users into clicking on misleading links and visiting third-party sites, have greatly increased in frequency over the past year, with Facebook being a particularly attractive target. Source: http://www.v3.co.uk/v3-uk/news/2045303/blackhole-attack-tool-threatening-users

46. April 21, V3.co.uk – (International) Stuxnet-like attacks beckon as 50 new SCADA threats discovered. Cyber criminals appear to be ramping up their interest in industrial control systems after research from application security management firm Idappcom found 52 new threats in March targeted at supervisory control and data acquisition (SCADA) systems of the sort hit by the Stuxnet worm. The chief technology officer at Idappcom told V3.co.uk that hackers could be going for the systems as they are typically less well defended than more mainstream public facing IT systems. SCADA systems are typically found in a variety of industrial plants ranging from water and waste treatment to food and pharmaceuticals and even nuclear power plants. As such, they play a vital role in the monitoring and production of key products and services, and could represent an attractive target for hacktivists seeking notoriety, or cyber criminals looking to extort money by threatening to disrupt the systems. "We quickly realized this was too much of a significant blip to be an anomaly. It may be an indicator towards a worrying trend," said Idappcom's chief technology officer. "Our records go back to 2004 and I've never recorded any sort of significant blip on the radar in an area like this previously." Many of the exploits discovered by Idappcom center around denial-of-service attacks directly targeting input validation techniques, which are able to repeatedly bring control systems to a halt, he explained. SCADA systems are often at greater risk because they are connected to legacy operating systems such as Windows 95 for which there are no service packs or automatic updates. "These systems are clearly not being monitored and maintained by network infrastructure teams," he said. "They are not updating or service packing them or showing them the same attention as their public facing services." Source: http://www.v3.co.uk/v3-uk/news/2045556/stuxnet-attacks-beckon-scada-threats-discovered

Communications Sector

47. April 24, Associated Press – (National) Sony ‘rebuilding’ PlayStation network, Qriocity after outage. Sony Corporation, said it is rebuilding its PlayStation Network to bring it back online after an “external intrusion” caused it to suspend the service. The company said it turned off the service, which lets gamers connect in live play, so that it could strengthen its network infrastructure. Qriocity — the company’s online entertainment platform — was also affected. ”Though this task is time-consuming, we decided it was worth the time necessary to provide the system with additional security,” the company said in a blog post April 23. The PlayStation Network and Qriocity had been turned off April 20 so the company could investigate an external intrusion. The company said April 21 that it could take a “full day or two” to get the service back up and running. On April 23, the company said in a blog post that it was ”working around the clock” to bring the services back online. The outage came just after April 19’s release of the game “Mortal Kombat,” which is available on the PlayStation 3 and Microsoft Corp.’s Xbox 360. It also comes as Amazon.com restores computers used by other major Web sites as an outage stretched into a fourth day. Source: http://www.washingtonpost.com/business/sony-rebuilding-playstation-network-qriocity-after-outage/2011/04/24/AFUlGYdE_story.html

48. April 24, GigaOm – (International) Will the Royal Wedding break the Internet? Will the Royal Wedding in Great Britain break the Internet? According to a chief executive officer (CEO) of network optimization provider Cymtec, in a small office of 25 people, typically no more than a handful of employees are aggressively using bandwidth for their tasks. But if that number increases dramatically, that could dramatically slow down or crash the internal network. While he believes the time difference will make live stream bottlenecks primarily a United States East Coast issue, other time zones will be affected as Americans catch up on what they missed via archived video. “No matter what, work is going to be the most convenient place to watch it,” he said. And the variety of locations it can be streamed will not lessen the load, as its high level of availability will inspire clicks from people who might not have gone looking for a stream. He has suggested a solution for companies is to give employees permission to watch the event, then do everything possible to centralize viewing, either on television (which will have no impact on networks) or a large PC. Source: http://www.nytimes.com/external/gigaom/2011/04/24/24gigaom-will-the-royal-wedding-break-the-internet-93921.html