Friday, August 26, 2011

Complete DHS Daily Report for August 26, 2011

Daily Report

Top Stories

• Three million gallons of raw sewage are streaming into the Missouri River each day in Omaha, Nebraska, after heavy rains took out four pumping stations the week of August 22, adding another six million gallons to untreated water daily since a station went out in June. – KETV 7 Omaha (See item 26)

26. August 24, KETV 7 Omaha – (Nebraska) Heavy rain takes out four pumping stations. Heavy rain the week of August 22 took out four pumping stations in Omaha, Nebraska. Three of the pumping stations — Pierce Street, Hickory Street, and River View — could be offline for weeks since their electrical components are underwater. Three million gallons of raw sewage is streaming into the Missouri River each day as a result, adding another six million gallons to untreated water every day since a station went out in June. With the gates closed since June, there is no place for heavy rainfall to go. "When you get this much water, it pools up. It either floods transformers or it causes power outages to where the water cannot go anyplace. And it shorts out everything, and it's a major repair to fix those," one official said. The city plans to have a meeting with Federal Emergency Management Agency officials later the week of August 22. Source:

• The governors of Virginia, New Jersey, and Maryland declared emergencies for their states, and the North Carolina governor declared a state of emergency in the eastern part of the state August 25 as Hurricane Irene threatened the United States' Eastern Seaboard. – CNN (See item 31)

31. August 25, CNN – (National) Irene's flooding 'could be a hundred-year event'. Four governors declared states of emergency August 25 as Hurricane Irene threatened to wreak havoc along the United States' Eastern Seaboard. The governors of Virginia, New Jersey, and Maryland declared emergencies for their states, while the North Carolina governor declared a state of emergency in counties east of Interstate 95. If Irene continues along its current track, "from a flooding perspective, this could be a hundred-year event," the New Jersey governor said. He encouraged voluntary evacuations to begin immediately. In parts of North Carolina, mandatory evacuations were under way August 25. As of 2 p.m. ET, the Category 3 storm was pounding the Bahamas, with its eye over Abaco Island, the National Hurricane Center said. "The core of the hurricane will continue to move over the northwestern Bahamas (August 25), and pass well offshore of the east coast of central and north Florida tonight and early (August 26). The hurricane is forecast to approach the coast of North Carolina on (August 27)," the center's advisory said. Source:


Banking and Finance Sector

12. August 25, Reuters – (International) Chicago hedge fund manager pleads guilty to fraud. A former managing director of the collapsed Chicago hedge fund Lake Shore Asset Management pleaded guilty on August 24 for his role in what prosecutors called a $291.8 million worldwide fraud. The Canadian citizen admitted to one count of wire fraud, according to the office of the U.S. Attorney in Chicago. The 46-year-old has been in U.S. custody since December 2009, six months after a 27-count indictment against him was made public. He had been living in Hamburg, Germany at the time and was arrested there in July 2009. Under a plea agreement, prosecutors will recommend the maximum 20 years in prison. He will also pay about $154.8 million in restitution. According to the plea agreement, the man from 2002 to September 2007 obtained the $291.9 million from about 900 investors he fraudulently solicited to invest in commodity pools, for the purpose of trading futures. Prosecutors said he advertised annual double-digit returns from some Lake Shore investments, reaching as high as 55.5 percent, when in fact he was hiding millions of dollars of trading losses. They said he diverted about $33 million for personal use by himself and another Lake Shore director. The Commodity Futures Trading Commission won a court order in August 2007 freezing Lake Shore’s assets and a receiver was appointed that October. More than $100 million has been returned to investors so far, the U.S. Attorney’s office said. Source:

13. August 25, Media News Group – (California) Armored car robbery ends in bloody battle. A botched armored car robbery turned into a bloody shootout August 24, as two brothers exchanged gunfire with a guard and two Pinole, California police officers, leaving one robber dead and a cop and two others wounded. It was not the first time the brothers were suspected of armored car robbery. Police had warrants issued for both in connection with a similar attempt in May at a bank a mile away, police sources said. One of the brothers was killed and the other was wounded. The injured police officer was hospitalized August 24 with a shoulder wound. The August 24 holdup unraveled when the Loomis guard and two robbers shot rounds at one another about 9:20 a.m. in front of a Wells Fargo branch on Fitzgerald Drive. The robbers ran, one toward Fitzgerald Drive into the path of two Pinole police officers rushing to the emergency call and shot one officer, the Pinole police chief said. A second officer fired back, killing the man. The second brother briefly escaped, and droves of police from Richmond, Pinole, Hercules, San Pablo, and the Contra Costa Sheriff’s Office combed the shopping center with dogs searching for him. Emergency room workers at Doctors Medical Center in San Pablo reported the suspect had arrived with a gunshot wound. Richmond detectives months ago arrested one brother and a 25-year-old man after they tried to grab a bag of money from an armored transport guard May 25 at a different bank near Hilltop mall, law enforcement sources said. Source:

14. August 24, Associated Press – (Florida; New York) Ex-analyst ordered to pay $34.5M in SEC case. A federal judge August 23 ordered a former Moody’s Investors Service analyst to pay $34.5 million after he fled the country to avoid facing insider-trader charges. Government officials filed criminal and civil insider-trading charges against the analyst in 2009. The government has said the man received money for giving confidential information on company acquisitions to a leading figure in the Galleon case, the largest hedge fund insider-trading investigation in history. He has not responded to the suit and is believed to be in India, the Securities and Exchange Commission said. He was ordered to pay a $24.6 million fine and $9.9 million in restitution plus interest. The analyst, who was a hotel industry analyst for Moody’s in New York, was accused of passing tips about acquisitions on to a Florida investor who pleaded guilty in 2009 to criminal conspiracy and securities fraud charges. The Florida investor has been cooperating with the government’s investigation. The Moody’s analyst received cash from the investors and others in exchange for confidential information, the government said. The probe has resulted in more than two dozen arrests and 21 guilty pleas. It also has led to a second investigation into industry consultants who pass along inside information as the product of legitimate research. Source:

15. August 24, Miami Herald – (National) New charges linked to scam. A one-time Fort Lauderdale, Florida executive who is already accused of running the state's biggest investment scam was charged again August 24 with laundering millions of dollars through homes in the Northeast, hiding assets from federal authorities and lying to a court-appointed receiver who was seeking to reimburse fleeced investors. The former Mutual Benefits Corp. vice president (VP) was arrested by FBI agents August 24 on charges of conspiring to divert tainted proceeds from the now-defunct company to buy properties in Camden, New Jersey, Maine, and New York City. The purpose: to support a "lavish lifestyle" with his longtime partner, according to an indictment. The partner was arrested in Maine and will soon be transferred to Miami. The 54-count indictment charges the two men with conspiracy, money laundering, and obstruction of justice. The former VP was charged in the original fraud indictment in late 2008, along with his brother and two Fort Lauderdale lawyers, one of whom recently pleaded guilty. They were accused of conspiring to bilk investors on the sale of $1.25 billion worth of life insurance policies once held by people dying of AIDS. Some 30,000 investors lost $830 million between 1994 and 2003, according to prosecutors. The latest criminal case accuses the two men of plotting to funnel nearly $11 million of Mutual Benefits proceeds through a consulting business, using the money for their Northeastern homes and lying about the real value of their assets to the court-appointed receiver for Mutual Benefits. To obtain a favorable settlement with the Securities and Exchange Commission, the men submitted a series of false and misleading documents to conceal their true financial condition, according to the indictment. Source:

16. August 24, Associated Press – (New Hampshire) Secret Service joins probe of NH fake checks. Three men charged with passing counterfeit checks at a popular New Hampshire shopping outlet had a stash of hundreds of stolen identities from around the country, authorities said. The men each had eight to ten fake IDs on them and matching counterfeit checks when they were arrested August 23, the Tilton Police chief said. The Secret Service and U.S. Attorney's office are joining Tilton police to unravel the scheme. Police said they were alerted to the trio by an off-duty loss prevention investigator who thought he recognized one of the men from a flier distributed at a national intelligence conference. Plain-clothed officers were able to verify the checks were counterfeit while the men shopped, the police chief said. Officers stopped their rented van as it exited the Tanger Outlet Center. Police got a search warrant for the van and found a trove of counterfeit check-printing equipment, magnetic ink to mirror that used on legitimate checks, and detailed information on hundreds of stolen identities, the police chief said. He said the men had made fake licenses bearing their image and using the stolen identity information. The men were charged with counterfeiting, check fraud, identity theft, and organized retail crime. The three were operating throughout New England, hitting high-end stores as they bounced from state to state, he said. The men also were counterfeiting payroll checks and cashing them at big-box stores, the police chief said. He said he has already fielded a call from one store that is looking for a suspect who cashed more than $400,000 in counterfeit payroll checks. Source:

17. August 24, Naples Daily News – (Florida) Deputies: 3 men caught with 52 fake gift cards. Three Miami men face felony counterfeit charges after Collier County, Florida sheriff’s deputies found 52 fake gift cards among the 117 cards in their car August 22. Each man was arrested on a single charge of possessing counterfeit credit cards following a deputy’s discovery of the cards during a routine traffic stop, according to a sheriff’s office report. All three remain in Collier County Jail. The trio was pulled over for speeding on Interstate 75. A deputy asked for and received permission to search the car, the report said. A total of 117 gift cards and 38 cartons of cigarettes were found in the car, the report said. Scans showed the card number embedded on magnetic strips did not match the numbers listed on the front of 52 cards. The other 65 were valid. Lee County sheriff’s deputies made a counterfeit card bust August 23 on Interstate 75. The 46-year-old man was arrested and faces 43 charges of possessing counterfeit credit cards. Deputies said they found him with cards cloned to match a fake driver’s license, with the potential to make a total of $350,000 in purchases. Source:

Information Technology Sector

36. August 25, Softpedia – (International) Zero-day vulnerability exploited in PrestaShop. The PrestaShop developers warned users that hackers are exploiting a zero-day vulnerability in the e-commerce solution and are urging them to deploy a fix. The vulnerability was identified when PrestaShop's own Web site was hacked August 23, an event that put the development team on full alert. "Last night, the PrestaShop official website was hacked, resulting in the misappropriation of a script intended for transcribing news information in the Back Office of PrestaShop stores," the developers announced. "The entire PrestaShop team dedicated ourselves to identifying and fixing this issue as quickly as possible. That fix has been completed," they added. Versions 1.4, 1.4.1, 1.4.2, 1.4.3, and 1.4.4 of the popular open source e-commerce solution are vulnerable, but not all installations are necessarily affected. Source:

37. August 25, H Security – (International) phpMyAdmin updates close XSS hole. The phpMyAdmin developers announced the release of versions 3.4.4 and of their open source database administration tool. According to the security advisory, the maintenance and security updates close a hole (CVE-2011-3181) in the Tracking feature that leads to multiple cross-site scripting (XSS) vulnerabilities. The vulnerability is caused by improper sanitization of input passed as table, column, and index names. For an attack to be successful, an attacker must be logged in via phpMyAdmin. Versions 3.3.0 to are affected and the developers consider the problem to be serious. Updating to phpMyAdmin or 3.4.4 fixes the problem. Alternatively, users can apply the provided patches. Source:

38. August 24, Network World – (International) MIT researchers craft defense against wireless man-in-middle attacks. MIT researchers devised a protocol to flummox man-in-the-middle attacks against wireless networks. The all-software solution lets wireless radios automatically pair without the use of passwords and without relying on out-of-band techniques such as infrared or video channels. Dubbed Tamper-evident pairing, or TEP, the technique is based on understanding how man-in-the-middle attacks tamper with wireless messages, and then detects and in some cases blocks the tampering. The researchers suggest that TEP could have detected the reported but still unconfirmed cellular man-in-the-middle attack that unfolded at the Defcon conference earlier in August in Las Vegas, Nevada. Source:

39. August 24, Help Net Security – (International) Install one trojan, get three more. Downloader trojans are often used by cyber criminals to thoroughly infect systems in order to extract anything that might be of value to them. Trojan.Badlib is a particularly effective piece of malware in that category, effectively acting as a malware distribution network. When Badlib is first installed and detects an Internet connection, it tries to reach a C&C server in order to receive commands from it. It searches for the server on a number of hard-coded domains, and if it does not find it, it proceeds to check several IP addresses on a default list. Once the C&C is contacted, it instructs the trojan on where to download further malware. The response includes the number of files it has to download and their digital signature so as to make sure it downloads the right ones. According to Symantec researchers, Badlib is currently downloading three distinct trojans: Trojan.Badfaker, Trojan.Badminer, and Infostealer.Badface. Trojan.Badfaker's goal is to disable the AV solution on the infected computer and to hide that fact from the user. Once it detects and recognizes the running AV software, it modifies Windows to boot into safe mode when it next boots up. Then, it deletes all the files and folders related to that AV it can find, but not before extracting the icon from the main executable file, which it will continue to display in the system tray in order to preserve the illusion that the legitimate AV is still running. Next, it proceeds to disable the Windows Firewall and warnings from Microsoft Security Center, and ends with occasionally showing fake warnings about infections mimicking the (now disabled) legitimate AV. Trojan.Badminer aims at using the power of the infected computer's GPU to mine Bitcoins. Infostealer.Badface's goal is to harvest login credentials for a number of popular social networks. It does that by creating a local Web server through which the traffic destined for those sites is redirected. Source:
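The item above says Infostealer.Badface redirects traffic for social networking sites to a local Web server but does not say how the redirection is achieved. A common way to do that on a Windows host is a hosts-file entry mapping the site's name to a loopback address, so one cheap defender's check is to inventory every hostname the hosts file points at loopback that is not a standard local name. The following Python is an added example written for this report, not code from Symantec or Help Net Security; the hosts-file mechanism is an assumption, and the sample hosts content, the domain names and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample hosts-file content (not taken from a real infected machine).
SAMPLE_HOSTS = """\
# standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
# the kind of entries a redirecting infostealer might add (constructed)
127.0.0.1       www.example-social.test example-social.test
# a legitimate internal override that must not be reported
10.0.0.5        intranet.corp.example
"""

# Names that legitimately resolve to loopback on most systems.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "ip6-localhost",
    "ip6-loopback", "broadcasthost",
}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts-file text.

    Comments (from '#' to end of line) and blank lines are skipped, and a line
    whose first field is not a valid IP address is ignored rather than raising.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((ip, name.lower()))
    return entries


def suspicious_loopback_mappings(text, watched_domains=None):
    """Hostnames mapped to a loopback address that are not standard local names.

    If watched_domains is given, only names equal to or under one of those
    domains are reported, which keeps the check focused on the sites a
    credential-stealing redirect would target.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if not ip.is_loopback or name in LOCAL_NAMES:
            continue
        if watched_domains and not any(
            name == d or name.endswith("." + d) for d in watched_domains
        ):
            continue
        hits.append(name)
    return hits


if __name__ == "__main__":
    # On a real host, read the live file instead, e.g.
    # C:\Windows\System32\drivers\etc\hosts on Windows or /etc/hosts elsewhere.
    for name in suspicious_loopback_mappings(SAMPLE_HOSTS):
        print("loopback mapping for non-local name:", name)
```

The check is deliberately narrow: it only finds redirection done through the hosts file, so a trojan that redirects by other means (a local proxy setting, a DNS change, a browser hook) needs a different control. A positive hit on a public site name is still worth an immediate look, because almost no legitimate software maps a social network's domain to 127.0.0.1.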

Communications Sector

40. August 25, Mohave Daily News – (Arizona) Suddenlink working to correct outages. As St. Louis-based Suddenlink Communications works to upgrade and replace the existing system left behind by NPG Cable, its technicians have had to make a number of post-replacement tweaks due to the region's unusual temperature extremes in Arizona. For several weeks, Suddenlink technicians have been replacing the region's old NPG "nodes," outdoor boxes that contain many of the components that control the phone, cable, and internet for the surrounding neighborhood. According to Suddenlink's regional director of operations, each node provides service to between 250 and 400 households, with dozens of nodes spread throughout the company's coverage area. The problem, he said, is that the equipment in each node is heat-sensitive, and it must be re-calibrated to work in the right temperature range. The regional director of operations acknowledged a fairly sizable outage had occurred along sections of Hancock Road over the weekend of August 19, creating a maintenance backlog for some customers in the area. Suddenlink is nearly finished replacing the region's remaining nodes, and the new nodes should function better in prolonged heat waves than the previous ones did, he said. Source:

Thursday, August 25, 2011

Complete DHS Daily Report for August 25, 2011

Daily Report

Top Stories

• Firefighters tried to drain propane from a burning rail car to prevent an explosion after the fire forced the evacuation of thousands of homes and the closure of major highways in Lincoln, California. – Associated Press (See item 2)

2. August 24, Associated Press – (California) Firefighters try bold step to end Calif. rail fire. Firefighters August 24 tried to drain propane from a burning rail car in a bold maneuver meant to head off an explosion after the blaze forced the evacuation of thousands of people in Lincoln, California. Officials decided to take the step after consulting with members of a national response team from Houston, who were flown in overnight to offer advice, the Lincoln fire chief said. Fire officials initially said the blaze could continue for 21 days, but the chief said that scenario was unacceptable. Between 4,000 and 5,000 homes in the city of 40,000 were evacuated, and students in the area were missing their first days of school. The chief said firefighters now hope to have the blaze under control within 24 to 48 hours. Officials were trying to head off a potentially catastrophic failure of the 29,000-gallon tank. A buildup of heat could lead to an explosion and fireball several hundred yards wide. An explosion also could throw metal shards up to a mile away, prompting officials to order mandatory evacuations within a 1-mile radius. The chief said firefighters had managed to keep the tanker cool since it caught fire August 23, but worried it was showing signs of melting. It was burning at the Northern Propane Energy yard. It was surrounded by trucks, other rail cars and storage tanks with at least 170,000 gallons of additional propane that the chief said were "at risk" as the fire burned. A gas pipeline also runs through the area. One worker at the rail yard was injured in the initial fire and suffered flash burns, but has been released from the hospital. The chief said the procedure to drain the rail car of propane, called a "hot tap," would begin later August 24. He said the tanker would remain in place as firefighters attach a pipe and drain the propane into a hole to be dug by bulldozers. The propane would then be ignited and allowed to burn itself out, a process that will take several hours and produce black smoke. Highway 65, a major commuter thoroughfare between Sacramento and Lincoln, remained closed near the blaze. Source:

• State and federal agents August 23 cracked down on South Florida pill mills, dismantling the nation's largest criminal organization, which had made $40 million by illegally distributing more than 20 million painkillers. – Reuters (See item 36)

36. August 23, Reuters – (Florida) Agents dismantle alleged pill mills that netted $40 million. State and federal agents cracked down August 23 on South Florida pill mills, dismantling what was described as the nation's largest criminal organization involved in illegally distributing painkillers. Authorities charged 32 doctors, pain clinic owners, and workers with illegally prescribing more than 20 million painkillers and reaping more than $40 million in profits from 2008 to early 2010. The clinics wrote prescriptions for large quantities of oxycodone, which authorities said were used by traffickers and addicts. The indictment said many in the newly charged group were also involved in the illegal Internet distribution of anabolic steroids, and some engaged in wide-ranging violence, including kidnapping, extortion, other crimes against competitors, and people they suspected of disloyalty. The five-count indictment includes racketeering, money laundering, and wire and mail fraud conspiracy charges. Thirteen of those charged were doctors ranging in age from 36 to 76 who worked at the pain clinics. Demand for the prescription drugs has grown to epidemic proportions in Florida and other parts of the United States, where dealers can sell a 30-milligram oxycodone pill on the street for $10 to $30 or more, authorities have said. Florida leads the nation in diverted prescription drugs, according to the U.S. Attorney General's office. Seven people die in the state each day from drug overdoses. Source:


Banking and Finance Sector

14. August 24, Associated Press – (Arizona) Man arrested in string of 12 Ariz. bank robberies. An unemployed man accused of holding up 12 banks in the Phoenix, Arizona area was arrested on 16 counts of armed robbery and using a firearm while committing a crime, authorities said August 23. He was indicted August 18 in the alleged spree over a 10-month period. Investigators linked the robberies based on the method of operation and the robber's physical appearance. They all occurred in the Phoenix suburbs of Gilbert, Mesa, Chandler, Tempe, and Scottsdale between September 2010 and July 2011. An FBI special agent said the suspect carried a black binder during each of the robberies, approached tellers with a note and demanded money. Sometimes a black gun could be seen inside the binder, the complaint said. The break in the case came after the most recent robbery in Gilbert July 20, when bank employees followed the suspect outside while calling 911. Gilbert police officers pulled over a vehicle being driven by the suspect. Officers found an unloaded black gun, a note demanding money, and a black binder stuffed with cash in the car.


15. August 24, KWTX 10 Waco – (Texas) Blue Jacket Bandit convicted of robbing local bank. A man was convicted of bank robbery August 23 in a Waco, Texas federal court. He was convicted on all four counts associated with a series of bank robberies and could face up to 37 years. The man, government lawyers said, was part of a two-man team that held up five banks along Interstate 35 between January 19 and February 11, 2010. He was accused of bank robberies January 19, 2010 at Wachovia Bank in Dallas, February 2, 2010 at Independent Bank in Waco, and February 11, 2010 at the Bank of America in Temple. He was previously convicted in March of the Dallas robbery. The man, prosecutors said, acted with a co-conspirator who was convicted in July in Waco on all five counts in the same string of robberies, and was sentenced to more than 50 years in federal prison. The charges against both men were enhanced by accusations they used firearms during the robberies. Source:

16. August 24, Softpedia – (International) New zeus spin-off threatens users. Security researchers from Kaspersky Lab warn about a new crimeware pack called Ice IX which was built using the zeus source code leaked earlier in 2011. Ice IX is sold on the underground market and can be used to generate custom trojans that join infected computers into botnets. According to a Kaspersky Lab expert, Ice IX has been in the wild for some time already and the builder is available for $1,800, a fairly high price considering the entire zeus source code was once advertised for $10,000. ZeuS remains the most popular banking trojan among cyber fraudsters, its infection count currently exceeding that of its closest competitor, SpyEye, four to one. The Ice IX trojan is similar to ZBot (zeus bot) and its main purpose is to steal financial information. It does this by hooking into the browser process. However, some variants analyzed by Kaspersky experts also steal Amazon AWS credentials. This aspect might be related to the recent increase in the quantity of AWS-hosted malware. Source:

17. August 23, Wall Street Journal – (International) Judge freezes $28 million linked to alleged gambling scheme. A federal judge on August 23 froze more than $28 million that prosecutors said is tied to an illegal gambling operation in the Dutch Caribbean involving a prominent Curacao businessman. A U.S. district judge in Washington issued a restraining order against three UBS investment accounts in Miami allegedly controlled by the subject of a 3-year investigation by Curacao authorities into allegations of money laundering, tax fraud, and forgery. The suspect, a half brother of the Curacao finance minister, is accused of selling millions of dollars in forged lottery tickets out of his gambling businesses in Curacao and St. Martin, known as "Robbie's Lottery." The U.S. Department of Justice received a request for assistance from the Curacao public prosecutor's office in July. In it, Curacao officials alleged the suspect has accumulated more than $52 million in illegal profits through the scheme since 2004. Prosecutors said they established the suspect's control over three companies — Ponsford Overseas Ltd., Carribean Investment Group Ltd., and Tula Finance Ltd. — with assets of about $28 million at UBS. Source:

18. August 23, WXIX 19 Newport – (Kentucky) Former bank president pleads guilty to embezzlement. The former president and chief executive officer of a Falmouth, Kentucky bank admitted she embezzled more than $2 million. The 50-year-old pleaded guilty August 22 in federal court to an embezzlement charge and admitted that from March of 2003 until January 26 of this year, she embezzled $2,244,506.44 from United Kentucky Bank. According to the plea agreement, she transferred money belonging to the bank into accounts owned by her husband and her two sons. She then falsified bank records to conceal her criminal conduct from auditors. She worked as the bank president for 2 years. Prior to that, she had worked as the bank's vice president since the bank opened in 1992. Source:

19. August 23, Los Angeles Times – (California; Oregon) 'Skateboard bandit' guilty of robbing banks in California, Oregon. A bank robber nicknamed the "skateboard bandit" pleaded guilty August 22 to heists across California and Oregon. The 30-year-old entered his plea in federal court in Sacramento, California. He received his nickname from a Sacramento crime task force because tellers reported he sometimes fled by skateboard to a getaway vehicle. A stolen vehicle recovered in Sunnyvale, California, led to his arrest. Authorities recovered $4,900 in cash, a loaded 9-millimeter semi-automatic pistol, a skateboard, and a receipt from a dentist in Oregon. The dentist positively identified the suspect in surveillance photos of the bank robber. He faces up to 100 years in federal prison, and a fine of up to $1.25 million. He was convicted of robbing five banks in 2009: Wells Fargo branches in Modesto, the Sacramento area, San Jose, and Santa Clara, and a Bank of America in Oregon. Source:

20. August 23, Reuters – (National) US: Deutsche Bank knew mortgage co it bought lied. Deutsche Bank AG knew in 2006 that a mortgage company it was preparing to buy lied to the U.S. government about its mortgages, yet went ahead with the purchase and should be held financially responsible, the U.S. Justice Department (DOJ) said August 22. According to the DOJ's amended $1 billion complaint filed with the U.S. district court in Manhattan, New York, Deutsche was "on notice of and expressly assumed responsibility" for wrongdoing at MortgageIT Inc, which it bought in 2007. The government first sued Deutsche and MortgageIT in May, saying they misled the Federal Housing Administration into believing mortgages issued by MortgageIT qualified for federal insurance, when the quality was so poor that nearly one in three defaulted. The government said the bank, in conducting due diligence prior to the merger, knew MortgageIT violated the rules of the Department of Housing and Urban Development, of which the Federal Housing Administration (FHA) is part, and made false representations to the agency. It said Deutsche had access to letters showing MortgageIT did not review all early payment defaults, and had access to managers who knew misconduct was taking place. The complaint said that of the more than 39,000 loans MortgageIT approved for FHA insurance between 1999 and 2009, more than 12,900 were in default by June, up from 12,500 in February. The amended complaint also adds two Deutsche units as defendants, DB Structured Products Inc., and Deutsche Bank Securities Inc. Source:

Information Technology Sector

45. August 24, IDG News Service – (International) Twitter turns on SSL encryption for some users. Twitter is slowly turning on automatic encryption on its Web site, a move following other major providers of Web-based services to thwart account hijacking over wireless networks. Twitter has offered an option for users to turn on Secure Sockets Layer (SSL) encryption, but said August 23 it will turn the feature on by default for some users. It did not indicate when the option would be turned on by default for all users. SSL encryption, indicated by "https" in the URL bar and sometimes a padlock in the browser window, is an encryption protocol used to protect communication between a client and a server. It is important to use because unencrypted information passed over wireless networks can be intercepted. Source:

46. August 24, H Security – (International) PHP 5.3.8 fixes cryptographic function bug. The PHP developers issued version 5.3.8 of the PHP scripting language to address a serious bug found in the previous release. PHP 5.3.8 fixes a bug introduced by the 5.3.7 security update that caused the crypt() function to fail if an MD5 salt was given as an argument. The function is used to hash a string, typically a password, but instead of returning the hashed string, the function merely returned the salt itself. The update also corrects a bug that caused mysqlnd SSL connections to hang. The developers noted the PHP 5.2.x series is no longer supported. Source:

47. August 24, H Security – (International) Tool causes Apache Web server to freeze. A previously unknown flaw in the code for processing byte range headers allows version 2.2.x of the Apache Web Server to be crippled from a single PC. An "Apache Killer" Perl script that demonstrates the problem has been published on the Full Disclosure mailing list. The tool sends GET requests with multiple "byte ranges" that claim large portions of the system's memory space. A "byte range" statement allows a browser to load only certain parts of a document, for example bytes 500 to 1000. This method is used by programs such as download clients to resume downloads that have been interrupted; it is designed to reduce bandwidth requirements. However, it appears that stating multiple unsorted components in the header can cause an Apache server to malfunction. No official patch has been released, but a functional workaround is to use rewrite rules that only allow a single range request in GET and HEAD headers. This should not present a problem for most applications. To enable the rules, administrators must load the Apache Web Server's mod_rewrite module. Another suggested workaround is to use the mod_headers module with the RequestHeader unset Range configuration to completely delete any range requests that may be contained in a header. However, this approach is likely to cause more problems than restricting the number of ranges. Source:
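The two workarounds above trade off differently: unsetting Range breaks resumed downloads for everyone, while limiting the number of ranges keeps legitimate clients working and rejects only the abusive shape of request. The Python below is an added example for this report, not code from the Apache project or H Security; it shows the limiting approach as a check a reverse proxy, WAF rule or request filter could apply before the request reaches Apache, and it goes a step beyond the item by also refusing unsorted or overlapping ranges, which no ordinary resume client sends. The limit of five ranges matches the figure in the mod_rewrite rule the Apache project published for this issue (`RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)`); the function names and the sample header values are constructed for illustration.

```python
import re

# Maximum number of ranges accepted per request; five is the figure used by
# the Apache project's published mod_rewrite workaround (assumption: quoted
# from memory of that advisory, adjust to local policy).
MAX_RANGES = 5

# One range spec: "500-1000", "500-" (to end) or "-500" (last 500 bytes).
_SPEC_RE = re.compile(r"^(\d*)-(\d*)$")


def parse_ranges(header_value):
    """Parse a Range header value into a list of (start, end) tuples.

    Open ends are represented by None. Returns None when the value is not a
    syntactically valid bytes range set, so callers can treat malformed
    headers separately from over-long ones.
    """
    if not header_value.startswith("bytes="):
        return None
    ranges = []
    for spec in header_value[len("bytes="):].split(","):
        m = _SPEC_RE.match(spec.strip())
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        if start is not None and end is not None and end < start:
            return None
        ranges.append((start, end))
    return ranges


def range_header_verdict(header_value, max_ranges=MAX_RANGES):
    """Return (allowed, reason) for a request's Range header (None if absent)."""
    if not header_value:
        return True, "no range header"
    ranges = parse_ranges(header_value)
    if ranges is None:
        return False, "malformed Range header"
    if len(ranges) > max_ranges:
        return False, f"{len(ranges)} ranges exceeds limit of {max_ranges}"
    # Legitimate multi-range requests are ascending and disjoint; anything
    # unsorted or overlapping matches the abusive pattern the item describes.
    absolute = [r for r in ranges if r[0] is not None and r[1] is not None]
    for (_, prev_end), (next_start, _) in zip(absolute, absolute[1:]):
        if next_start <= prev_end:
            return False, "ranges are unsorted or overlap"
    return True, f"{len(ranges)} range(s)"


def scan_requests(requests, max_ranges=MAX_RANGES):
    """Apply the check to (client, range_header) pairs; return the rejections."""
    rejected = []
    for client, header in requests:
        allowed, reason = range_header_verdict(header, max_ranges)
        if not allowed:
            rejected.append((client, reason))
    return rejected


# Constructed sample requests (client label, Range header), not real traffic.
SAMPLE_REQUESTS = [
    ("resume-download", "bytes=500-1000"),
    ("two-ranges", "bytes=0-99,200-299"),
    ("many-ranges", "bytes=" + ",".join(f"{i}-{i + 1}" for i in range(0, 40, 2))),
    ("overlapping", "bytes=0-500,100-600,50-400"),
    ("malformed", "bytes=abc"),
]

if __name__ == "__main__":
    for client, reason in scan_requests(SAMPLE_REQUESTS):
        print(f"reject {client}: {reason}")
```

Rejecting with a 403 (as the Apache rule's `[F]` flag does) rather than silently dropping the header keeps the failure visible in access logs, which is also where a defender would count how many clients trip the rule before and after the real fix ships.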

48. August 23, Infosecurity – (International) Mozilla plugs critical security holes in latest Firefox browser. Mozilla patched four critical memory safety bugs in the Firefox browser engine. “Some of these bugs showed evidence of memory corruption under certain circumstances, and we presume that with enough effort, at least some could be exploited to run arbitrary code,” Mozilla said. Another bug patched in Firefox 6 allowed unsigned JavaScript code to run a script inside a signed JAR file with the permissions and identity of that file. Mozilla also fixed a critical flaw in the WebGL shader program that “could cause a buffer overrun and crash in a string class used to store the shader source code.” Also, the company fixed a potentially exploitable heap overflow in the ANGLE library used by the WebGL implementation, and a “dangling pointer vulnerability” in an SVG text manipulation routine. Also fixed in Firefox 6 were two high-risk flaws: credential leakage using Content Security Policy reports, and cross-origin data theft using canvas and Windows D2D. Firefox 6 added domain highlighting in the URL bar to make phishing attempts more apparent. "The Awesome Bar (URL bar) highlights a Website’s domain name and the identity block is more prominent to help quickly identify where you are on the Web," Mozilla said. Source:

49. August 23, threatpost – (International) Ubuntu fixes WebKit flaws, other issues with updates. Ubuntu fixed a pile of security vulnerabilities in some of its current releases, including 22 vulnerabilities in the WebKit framework that is part of the operating system. The WebKit flaws include some issues that could be exploited by remote attackers to run code on vulnerable machines. The security vulnerabilities in WebKit affect Ubuntu 10.10 and 10.04 LTS. "A large number of security issues were discovered in the WebKit browser and JavaScript engines. If a user were tricked into viewing a malicious Web site, a remote attacker could exploit a variety of issues related to Web browser security, including cross-site scripting attacks, denial of service attacks, and arbitrary code execution," the Ubuntu advisory said. Source:

50. August 23, H Security – (International) Mac OS X Lion fails to check passwords when authenticating via LDAP. A bug in the module for authenticating against (Open)LDAP under Mac OS X 10.7.x Lion can result in any password being accepted at log-in: all that is required is a valid user name. The problem occurs when logging in both via a graphical interface on a client and remotely via SSH on a server. Lion does not use LDAP for log-in by default; LDAP authentication tends to be used in large infrastructures for centralized user administration (name, password, group, etc.). Apple has been informed of the problem and has apparently succeeded in reproducing it. Additionally, some users are reporting they are completely unable to log in using LDAP after updating to Lion. Whether or not the problem occurs appears to depend on whether the LDAP server is running on the local system or on a separate one. It is not clear whether the problem will be fixed by means of a security update or in the next Lion point release, Mac OS X 10.7.2. At present, the only remedy is to deactivate LDAP authentication for critical services. Source:
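A bug of this shape is caught by a probe an administrator can run against any password-backed login path, not only Lion's: attempt the bind with the correct password, with a wrong one, with an empty one, and with a user that does not exist, and require that only the first succeeds. The following added example (my own code, not Apple's and not an OpenLDAP client) is that probe, with a fail-closed wrapper that counts a backend error as a rejection. It goes one step beyond the item by also probing the empty password, because an empty password in an LDAP simple bind is an anonymous bind, which a naive client can mistake for success. The two in-memory backends standing in for a directory, one behaving correctly and one modelling the reported Lion behaviour, and the user records are constructed for this example.

```python
"""Fail-closed authentication probe (added example, not Apple's code).

probe_authenticator() runs the four checks a login path must pass: correct
credentials accepted, wrong password rejected, empty password rejected,
unknown user rejected.  The backends below are constructed stand-ins for an
LDAP simple bind, not real directory code.
"""


class DirectoryUnavailable(Exception):
    """Raised by a backend that cannot reach its directory."""


# Constructed user records; a real backend would bind as the user's DN.
_USERS = {'alice': 'correct horse', 'bob': 'battery staple'}


def strict_bind(username, password):
    """Behaves as a bind should: only the matching, non-empty password succeeds."""
    return password != '' and _USERS.get(username) == password


def broken_bind(username, password):
    """Models the reported Lion behaviour: any password works for a known user."""
    return username in _USERS


def unavailable_bind(username, password):
    """Models a directory that is down."""
    raise DirectoryUnavailable(username)


def authenticate(bind, username, password):
    """Fail-closed wrapper: any backend error is a rejection, never a pass."""
    try:
        return bool(bind(username, password))
    except Exception:
        return False


def probe_authenticator(bind, username, password, wrong_password='not-the-password'):
    """Return the list of failed checks; an empty list means the backend passed."""
    failures = []
    if not authenticate(bind, username, password):
        failures.append('valid credentials rejected')
    if authenticate(bind, username, wrong_password):
        failures.append('wrong password accepted')
    if authenticate(bind, username, ''):
        failures.append('empty password accepted')
    if authenticate(bind, username + '-does-not-exist', password):
        failures.append('unknown user accepted')
    return failures
```

Against a real directory the same four probes can be driven with any LDAP client that performs a simple bind as the user; the point of the harness is that "valid credentials rejected" is the only acceptable failure while a server is down, and "wrong password accepted" is the finding the item describes.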

For another story see item 16 above in the Banking and Finance Sector

Communications Sector

51. August 23, Ellensburg Daily Record – (Washington) Phone service restored in Upper County. Phone service was restored at 11:30 a.m. August 23 to 3,100 CenturyLink customers in Cle Elum and Easton, Washington. Phone service was lost at 2:30 a.m. August 23 after vandals cut a Fairpoint Telecommunications fiber line in a manhole in Selah, according to a marketing development manager at CenturyLink. The outage hit residential landlines and 911 service. Crews repaired the fiber, restoring residential and 911 service. Source:

For another story see item 45 above in the Information Technology Sector