Thursday, June 16, 2011

Complete DHS Daily Report for June 16, 2011

Daily Report

Top Stories

• According to ABC News Radio, Amtrak said it is taking additional security countermeasures on all of its trains after a June 12 incident in which someone tried to derail a train carrying highly flammable ethanol in Iowa. (See item 25)

25. June 15, ABC News Radio – (Iowa; National) Amtrak steps up security following Iowa train sabotage. Amtrak said it is taking additional security countermeasures after someone tried to derail a train carrying highly flammable ethanol in Iowa June 12. The Iowa Interstate Railroad CEO said a lock was cut off a track switch box just outside Menlo, a town that sits along the rail line between Des Moines and Omaha, Nebraska. The track was also “gapped open” about 2 inches, and a black bag was used to cover the switch signal so the tampering would be harder to notice. The CEO said the switch tampering, and the creation of the gap in the tracks, clearly indicated to him that someone was trying to derail one of the 130-car trains that were running the track. The Amtrak chief of police announced June 14 the company is expanding its comprehensive rail security efforts to provide increased right of way protection to detect and deter terrorists seeking to derail passenger trains. Amtrak said the additional security countermeasures would focus first on passenger trains, particularly those operating on the Amtrak-owned Northeast corridor. Amtrak said it already had security in place, which was focused on the threat of improvised explosive devices, in a station or on a train, or on an active shooter scenario. Source:

• The Associated Press reports that a temporary earthen levee is the only barrier preventing Hamburg, Iowa from being covered by as much as 10 feet of floodwater that could linger for months. (See item 63)

63. June 15, Associated Press – (Iowa; Missouri) Officials hope temporary levee will save Iowa town. A temporary earthen levee is the only barrier standing between Hamburg, Iowa and the floodwaters of the Missouri River, and officials hope efforts to beef it up will be enough to keep the small southwestern Iowa town from filling up with water. Crews working for the U.S. Army Corps of Engineers hope to pile at least 3 feet of extra dirt atop the levee before the evening of June 15. The stakes are high: If it fails, parts of the town could be covered by as much as 10 feet of water within days, and high water could linger for months. The hurriedly constructed levee became Hamburg’s last line of defense after the river punched through another levee downstream in northwest Missouri that provided the town’s primary protection. That failure left water gushing through a large gap on a path to inundate the town of 1,100 — unless the other levee can be made taller. Even though the levee breach was downstream, the floodwaters were flowing north to fill the area around Hamburg because the town sits in a valley. Source:


Banking and Finance Sector

17. June 15, New York Post – (New York) Police searching for brazen Harlem bank bandit. On June 15, police released a picture of the robber wanted for knocking off three banks in the Harlem section of Manhattan, New York. The robber made off with nearly $2,660 after targeting the Citibank at 2481 Seventh Avenue March 8, but fled empty-handed when he hit the Bank of America at 106 West 117th Street March 9, police said. He scored $5,860 after passing a note March 31 at the Wells Fargo branch at 143 Lenox Avenue, police added. Source:

18. June 14, Bloomberg – (New York) Salesman in Gryphon ‘Boiler Room’ scheme pleads guilty after trial begins. A New York man June 14 pleaded guilty to his role in the Gryphon Holdings Inc. “boiler room” scheme, the last of 18 defendants to do so. The man, a former salesman for Gryphon, misled investors into paying for phony stock tips and investment advice, defrauding them of $20 million, prosecutors charged. “From April 2007 until April 2010, I participated in the scheme to defraud Gryphon clients,” the man told the judge. Gryphon told victims its office was on Wall Street or even in the New York Stock Exchange when it was in a strip mall in the New York borough of Staten Island, according to the man’s indictment. The man said he was paid $1.1 million while working at Gryphon. He pleaded guilty to one count of wire fraud and securities fraud conspiracy. Federal guidelines call for a prison sentence of up to 21 years and 10 months, an assistant U.S. attorney said. Source:

19. June 14, Bloomberg – (National) Florida lawyer admits to role in $1.2 billion Rothstein investment fraud. A Florida attorney pleaded guilty in federal court June 14 to aiding a man in a $1.2 billion investment scheme involving fake court settlements. The man pleaded guilty to a single count of conspiracy to commit wire fraud. Prosecutors said they agreed to recommend a prison sentence of 24 to 30 months. The leader of the scheme previously pleaded guilty in January 2010 to five counts of racketeering, money laundering, and wire fraud, admitting he sold investors interests in bogus settlements in sexual-harassment and whistleblower suits. He was sentenced to 50 years in prison. Prosecutors said the attorney who pleaded guilty June 14, wrote a letter claiming to have settled a pending case in a client’s favor when the case had never been filed and no settlement existed. Source:

20. June 14, Bloomberg – (International) ‘Anonymous’ hacker group identifies Fed as target on YouTube. A group of online hackers identified the Federal Reserve as a target, using a video on the YouTube Web site to call on its chairman to resign. In the video, the group, which calls itself Anonymous, said June 14 would mark the “first step” of protests against the Federal Reserve Chairman and urged those wanting him to quit to occupy a public space. “The Federal Reserve’s policies are systematically looting the country to enrich one 10th of 1 percent of the population,” a distorted voice said on the video. The group attacked several Turkish government Web sites the week of June 6 to protest an Internet filter it said will restrict Web surfing, the Hurriyet newspaper reported. Source:

21. June 14, Portland Oregonian – (Oregon) Video surveillance helps authorities nab suspected ‘Beastie Boys’ bank bandit. Investigators responding to the Wells Fargo bank robbery in southwest Portland, Oregon, June 9, obtained video surveillance images from a nearby business that caught the suspect putting on a wig and mustache besides a pickup truck outside the bank. The video helped authorities link the suspect to the so-called string of “Beastie Boys” bank robberies in the metropolitan region. Portland police and federal authorities believe the 48-year-old is responsible for up to 8 bank robberies in Portland, Lake Oswego, and West Linn. He was given the nickname the “Beastie Boys Bandit” because his disguises looked like they came out of a music video for the song “Sabotage” by the Beastie Boys. The man, who was convicted of bank robbery in 1996, was taken into custody at Southwest 12th Avenue on a parole violation June 9. The license plate on his truck was also caught on the video surveillance images. Source:

22. June 14, The Register – (International) Citigroup hack exploited easy-to-detect web flaw. Hackers who stole bank account details for 200,000 Citigroup customers infiltrated the company’s system by exploiting a garden-variety security hole in the company’s Web site for credit card users, according to a report citing an unnamed security investigator. The New York Times reported the technique allowed the hackers to leapfrog from account to account on the Citi Web site by changing the numbers in the URLs that appeared after customers had entered valid usernames and passwords. The hackers wrote a script that automatically repeated the exercise tens of thousands of times, the New York Times said. The underlying vulnerability, known as an insecure direct object reference, is so common it’s included in the Top 10 Risks list compiled by the Open Web Application Security Project. It results when developers expose direct references to confidential account numbers instead of using substitute characters to ensure the numbers are kept private. Experts said Citi could have detected the hack attack as it was commenced by employing code that automatically reported users who repeatedly fed suspicious characters into Web site URLs. The Citi hackers also took advantage of a flaw in the Java programming framework to access information stored in an Oracle database maintained by the bank, the Financial Times reported June 14. An unnamed investigator said the situation was “alarming,” given the wide use of Java and the database software, which are both offered by Oracle. Source:

Information Technology Sector

46. June 15, H Security – (International) Adobe patches Flash, Reader and more. Adobe’s patch release June 14 included updates for its Flash and Shockwave Players, Reader, Acrobat, ColdFusion, LiveCycle Data Services, and BlazeDS. All of the updates fix security vulnerabilities that can be remotely exploited by attackers to compromise systems or to crash software. Adobe has fixed a critical vulnerability in Flash Player for Windows, Mac, Linux, Solaris, and Android. The bug is fixed in version for desktop systems; an update for Android is due shortly. In contrast to many Flash vulnerabilities, this time Reader and Acrobat are not affected. Adobe has fixed 13 vulnerabilities in versions 8.x, 9.x and 10.x for Windows, and Mac. The version number of Adobe Reader and Acrobat versions with a sandbox has been incremented to 10.1. The new version will be distributed and installed automatically via the automatic update function, as will the Flash update. Version of Adobe’s Shockwave Player fixes 24 security-related bugs. There are also updates for LiveCycle Data Services and BlazeDS that fix two vulnerabilities. A hotfix for ColdFusion 9.0.1, 9.0, 8.0.1 and 8.0 for Windows, Mac, and Linux takes care of two vulnerabilities. Adobe’s Flash Player update has already seen Google update the stable and beta versions of the Chrome browser that bundles Flash. Source:

47. June 15, Softpedia – (International) Serious upload path injection vulnerability patched in PHP. Web masters are advised to manually patch PHP installations after a serious flaw allowing attackers to potentially delete files from root directories was publicly disclosed. The vulnerability lies in the “SAPI_POST_HANDLER_FUNC()” function in rfc1867.c and can be exploited to append forward or back slashes before the file name during an upload. This allows an attacker to delete files from the root directory or can be combined with other vulnerabilities to enhance attacks. The flaw is described as an input validation error and security bypass issue. Vulnerability research vendor Secunia rates it as “less critical.” A Polish Web application developer is credited with discovering and reporting the issue, but even though it was patched June 12, details about the flaw have been available online since May 27. The vulnerability, identified as CVE-2011-2202, affects PHP 5.3.6 and earlier versions. No new package has been released yet, but a patch can be grabbed from the repository and applied manually. The vulnerability carries a CVSS base score of between 2.6 and 5 out of 10. It can be exploited remotely, does not require authentication, and has a partial impact on system integrity. System confidentiality and availability are not affected. Source:

48. June 14, IDG News Service – (International) LulzSec attacks gaming sites just for laughs. Hacking group LulzSec initiated an attack against several gaming companies June 14. Called “Titanic Takeover June 14,” LulzSec took down systems at the Escapist, Eve Online, Minecraft, and League of Legends during a 3-hour distributed denial-of-service rampage. LulzSec emerged in May and immediately embarked on a series of high-profile hacking attacks, stealing data from Sony and game-maker Bethesda Softworks, and compromising computers at the U.S. Senate, and the Public Broadcasting Service, among others. Source:

49. June 14, Computerworld – (International) Microsoft patches critical IE9, Windows bugs. Microsoft June 14 patched 34 vulnerabilities in Windows, Internet Explorer (IE), Office, and other software, 15 labeled “critical” by the company. The large number of updates — as well as the fact Microsoft issued them 2 hours later than usual — will put pressure on enterprise administrators, one expert said. Of the 16 updates, which Microsoft calls bulletins, 9 were pegged critical, the most-serious rating in the company’s 4-step scoring system, while the remaining 7 were tagged “important,” the next-most-dangerous category. While the number of bugs patched was significantly less than the record 64 Microsoft fixed in April, it was the second-highest total for 2011. The 16 bulletins were just 1 off the record, also set last April. Fifteen of the 34 total vulnerabilities were rated critical, 17 were ranked important, and 2 were marked “moderate.” Microsoft picked 4 of the 16 updates to highlight, and urged customers to roll out the quartet as soon as possible. “Our top priorities are MS11-050, MS11-052, MS11-043 and MS11-042,” a group manager with the Microsoft Security Response Center said. He listed the four in the order of priority. Among the deploy-immediately bulletins, MS11-050 offered 11 patches for IE that Microsoft and independent experts pinned to the top of their lists. Source:

50. June 14, The Register – (International) Malware abusing Windows Autorun plummets. Microsoft saw a sharp drop in malware infections that exploit a widely abused Windows Autorun feature almost immediately after it was automatically disabled in earlier versions of the operating system. As measured by Microsoft’s various antimalware programs, Windows XP and Vista suffered 1.3 million fewer infections in the 3 months following February’s retirement of Autorun compared with the 3 months preceding the change. By May, attacks hitting Vista machines plummeted 74 percent and fell by 59 percent for system running XP. Entire families of malware –- including Conficker, Taterf, and Rimecud –- owe much of their prominence to Autorun, which was designed to make life easier for users by executing code embedded on thumb drives when they were attached to a computer without first prompting the user. Source:

For more stories, see items 20 & 22 above in the Banking and Finance Sector

Communications Sector

51. June 14, Hosting News – (International) Go Daddy returns after outage. Web Hosting site Go Daddy is back online after facing an outage that lasted a few hours June 14. The Web hosting company took responsibility for the incident, saying a software update was responsible for the downtime. In a post on the site’s Community Blog, the company’s chief information officer stated, “We caused the issue, not someone else. We made some changes to our website, and those updates failed. As a result, went down.” He went on to say, “My team is investigating what went wrong with our site update process so we can avoid an issue like this in the future.” During tje downtime, users were unable to access their accounts through the host provider’s home page. However, they could still access their accounts through mobile versions of Go Daddy’s site. Go Daddy is one of the largest online domain registrars, and currently hosts over 45 million domains. Source:

For another story see item 46 above in the Information Technology Sector