Thursday, September 8, 2011

Complete DHS Daily Report for September 8, 2011

Daily Report

Top Stories

• A 4,500-acre fire at Dollar Lake in Oregon was 3 miles east of the watershed boundary September 6, threatening drinking water for 900,000 people in the Portland area. – Portland Oregonian (See item 29)

29. September 6, Portland Oregonian – (Oregon) Dollar Lake Fire could threaten Portland’s water supply. The 4,500-acre fire at Dollar Lake in Oregon, south of Hood River, was 3 miles east of the watershed boundary and only 10 percent contained September 6. Firefighters and Portland officials worried the fire might impact the Bull Run watershed, the main source of drinking water for 900,000 people in Portland and many suburbs. The fire, which began after a lightning strike August 27, could spread west given rising temperatures, dry air, and east winds with gusts up to 30 miles per hour expected September 7. More than 730 firefighters were attacking the blaze. A fire would not immediately affect water quality, the Portland Water Bureau administrator said, but a large burn in the 68,000-acre watershed could send debris, dirt, and ash into the water once rains begin, potentially causing a shutdown of the unfiltered system. The city has backup wells along the Columbia River, but their capacity is far lower than that of the two Bull Run reservoirs. The biggest threat is that wind-blown embers could start spot fires beyond the fire lines being cut between the blaze, the watershed, and the high-voltage power lines that run in between. Source:

• Wildfires continued to rage September 6 through central Texas, claiming 2 lives and 550 homes, knocking out power to thousands, and closing numerous schools and roads. – Houston Chronicle (See item 51)

51. September 7, Houston Chronicle – (Texas) Texas wildfires claim 2 lives. Wildfires continued to rage September 6 through Central Texas, where an out-of-control blaze claimed 2 lives and 550 homes, and in the Magnolia area, where officials ordered the evacuation of more than 4,000 households. The Bastrop County fire had burned 33,089 acres of farmland and forest. The fire emptied 20 neighborhoods and left 4,300 additional households without power, a Texas Forest Service spokeswoman said. Closer to Houston, the three-county Magnolia-area fire was 85 percent contained by early September 7 after consuming about 7,800 acres, the forest service said. The fire, known as the Riley Road fire, destroyed about 73 homes in the Remington Forest subdivision Monday night, said a spokesman of the Waller County Sheriff’s Office. The Magnolia school district in Montgomery County canceled classes September 6 and 7. A shelter was set up at Magnolia High School. The largest burned area from the Riley Road fire was in Montgomery County, which lost about 5,000 acres but only two structures, a forest service spokesman said. FM 1774 between FM 1486 and the Waller County line will remain closed because wildfires continue to flare up there. Fourteen fire departments from unincorporated areas of Harris County sent 75 to 100 firefighters and 50 pieces of equipment to the Riley Road fire, a senior inspector for the Harris County fire marshal’s office said. In Bastrop County, the sheriff declined to provide details about two deaths other than to say that the victims were not police or firefighters. The governor said a 100-member search team will comb the area September 7 for more possible victims. He said the number of homes destroyed by wildfires since last December had surpassed 1,000 statewide. Some 3.5 million acres have burned. Source:


Banking and Finance Sector

14. September 7, Help Net Security – (International) New financial malware attacks global financial institutions. Trusteer warned September 7 that a second non-financial malware variant, called Shylock, has been retrofitted with fraud capabilities and is abusing its large installed base of infected machines to attack global financial institutions. Unlike the non-financial malware Ramnit, which turned into a fraud platform by borrowing from the Zeus trojan, Shylock does not incorporate Zeus tactics. It appears criminals have custom-developed financial fraud capabilities for Shylock. Shylock uses unique mechanisms not found in other financial malware toolkits, including: an improved method for injecting code into additional browser processes to take control of the victim’s computer; a better evasion technique to prevent malware scanners from detecting its presence; and a sophisticated watchdog service that allows it to resist removal attempts and restore operations. “As with all financial fraud toolkits, Shylock’s detection rate among anti-malware solutions and fraud detection systems is extremely low,” Trusteer’s chief technology officer said. Source:

15. September 7, Housing Predictor – (California) Renters rip off landlords in $6 million mortgage scam. Seven people were arrested September 6 in California for allegedly posing as the owners of the homes they were renting and applying to take out $6 million in home equity mortgages. They were arrested after a major investigation by sheriff’s investigators and the FBI. The renters allegedly stole the homeowners’ identities to pose as the owners of more than 20 homes they borrowed against. An FBI agent, who is a member of the special Asian Organized Crime Squad, submitted an affidavit in federal court detailing the sophisticated operation, which involved money laundering and a possible link to a series of cases in the Los Angeles area 3 years ago. Most of the homes were in Los Angeles and San Bernardino counties, which have been devastated by the foreclosure crisis. An Irvine real estate investor notified authorities after receiving an unexpected appraisal in the mail for one of the homes involved in the scam. Investigators said the scheme lasted more than 2 years and was conducted by Korean and Chinese immigrants, including some people in the country illegally. An undercover sting was set up to catch the suspects, who used prepaid cell phones. The group used public records to conduct title searches to find homes to rent that had small mortgages or were owned free and clear. Fake driver’s licenses and other IDs were used by the suspects, who are being held in jail without bail. The loans that were funded, including home equity lines of credit, were transferred into bank accounts opened in the real homeowners’ names at a variety of financial institutions, and the funds were withdrawn in small amounts. Source:

16. September 7, U.S. Department of Treasury – (International) Treasury targets three senior al-Qa’ida leaders. The U.S. Department of the Treasury September 7 announced the designation of three senior al-Qa’ida leaders based in Pakistan. As a result of the action, taken by the Under Secretary for Terrorism and Financial Intelligence pursuant to Executive Order (E.O.) 13224, U.S. persons are generally prohibited from engaging in transactions with the designees, and any assets they may hold under U.S. jurisdiction are frozen. The first leader, referred to as al-Qa’ida’s propaganda chief, is one of the group’s most prominent public figures and plays a key role in al-Qa’ida’s media operations. The second is a leader who was in charge of al-Qa’ida’s external operations as of mid-2010. He participated in the formation of the affiliate group al-Qa’ida in the Islamic Maghreb (AQIM) and developed a well-funded plan to ostensibly damage the European economy. The third has been an al-Qa’ida facilitator, courier, and operative since at least 2003. He has also been active in facilitating the travel of al-Qa’ida members. On al-Qa’ida’s behalf, he recruited a facilitator who helped him move people and money between Gulf countries and Pakistan. In 2007, he helped al-Qa’ida reestablish logistic support networks in Pakistan. Source:

17. September 6, KSAZ 10 Phoenix and Associated Press – (Arizona) Police: robbery suspect enters bank through roof. Police said a robbery suspect entered the First Fidelity Bank near 32nd Street and Lincoln in Phoenix September 6, before it opened — through the roof. According to police, an employee arrived for work around 7 a.m. and was immediately confronted by an armed man already inside the building. The robber bound that employee with plastic zip ties. Five other workers also were confronted and tied up when they entered the building. A gun was pointed in their faces. At about 8:30 a.m., another employee was arriving for work when he spotted at least two of his colleagues tied up. He backed out of the building without attracting attention and immediately called 911. Police have not released any details about how much cash was taken. The FBI said the same suspect is wanted in at least 4 other bank robberies in Arizona in Scottsdale, Carefree, and Peoria, going as far back as 2009. His modus operandi is to drill through walls and roofs to get into banks. He has been dubbed the “Thou Shalt Not Steal Bandit.” Source:

18. September 6, Reuters – (New York) Ex-Citigroup VP admits embezzling over $22 million. A former vice president (VP) for Citigroup Inc. pleaded guilty September 6 to embezzling more than $22 million and funneling the money to his personal bank account. The 35-year-old pleaded guilty to bank fraud, admitting he took the money between 2003 and 2010. An assistant U.S. attorney said the government will request a prison sentence of 8 to 10 years. The former VP was arrested in June and charged with embezzling $19 million. He admitted in court September 6 to taking more than $22 million, although his total seized assets were estimated at $16 million, the assistant attorney said. The defendant, who worked for Citigroup for 10 years, said that between 2003 and 2010 he drafted e-mails and faxes directing the funds to his personal account. According to the government, he first transferred money from various Citigroup accounts to Citigroup’s cash account, and then wired the money to his personal bank account at another bank. He concealed his thefts by, among other methods, making false accounting entries to create the appearance that the bank’s cash account was in balance. Source:

19. September 6, Central Valley Business Times – (California) Swindlers plead guilty to $5 million Central Valley mortgage fraud. A 41-year-old woman of Oakland, California, and a 38-year-old man of Elk Grove pleaded guilty September 6 to their parts in a multi-million dollar mortgage fraud in California’s Central Valley. The two were charged in June 2010 along with eight others in a conspiracy that centered around Liberty Real Estate and Investment Company and Liberty Mortgage Company, two companies owned by a co-defendant. The companies were instrumental in the purchase of at least 30 homes in the Sacramento area in 2006 and 2007. The purchases were typically accomplished through 100 percent financing, obtained as the result of false information regarding the buyers’ employment, income, and intent to live in the properties. At the close of the transactions, and unbeknownst to the lenders, cash payments were made back to the buyers out of the loan proceeds. Of the 30 transactions, at least 28 have gone into foreclosure, resulting in a loss to lenders in excess of $5 million. According to his guilty plea, the 38-year-old man admitted purchasing three homes in 2 months, submitting false loan applications to finance the purchases, and receiving about $75,000 at the close of these transactions. According to her plea, the 41-year-old woman admitted purchasing two homes over 2 months, submitting false loan applications, and receiving about $64,000 at closing. The convicts face a possible maximum statutory penalty of 5 years in prison. Source:

20. September 3, Cherry Hill Courier-Post – (New Jersey; Pennsylvania) Officials: Ring faked checks. Federal prosecutors September 1 provided details of a fourth scheme that allegedly used a TD Bank worker to steal money from customers’ accounts. Participants in a counterfeit-check ring, using account information supplied by a TD Bank teller, stole more than $200,000 between October 2009 and January 2010, according to an indictment filed by the U.S. attorney’s office in Philadelphia. Ring members posed as the victims to make sizable cash withdrawals after depositing the bogus checks at TD Bank offices in South Jersey and elsewhere. The September 1 indictment charged three Philadelphians with conspiracy, bank fraud, and aggravated identity theft. Eight other people already face similar charges in that case, including a teller at TD Bank. Prosecutors allege she provided the ring with information about TD Bank business and personal accounts, including photocopies of the victims’ legitimate checks with account holders’ signatures. An August 31 indictment said a separate scheme withdrew about $189,000 with a TD Bank teller’s cooperation between August 2009 and April 2010. Prosecutors claim another ring, allegedly using ID information from three TD Bank workers, stole more than $200,000 from December 2008 to June 2011. And authorities allege a fourth ring, which also targeted Citizens Bank and the former Wachovia Bank, pocketed more than $400,000 from November 2005 to May 2010. All of the cases are being pursued by federal prosecutors in Philadelphia. Source:

Information Technology Sector

37. September 7, H Security – (International) Browser makers update their DigiNotar disaster updates. As more details of the damage from the DigiNotar certificate authority (CA) compromise are revealed, browser makers are now releasing second updates to their products to remove more untrustworthy certificates. Microsoft updated security advisory 2607712 and announced it had added the root certificates for DigiNotar Root CA and DigiNotar PKIoverheid to its Untrusted Certificate Store. The update should appear automatically on most Windows systems, but Microsoft also made immediate download links for the update available for all Windows systems from Windows XP to Windows 7 and Windows 2008. Mozilla released updates for the Firefox browser, 6.0.2 and 3.6.22, and the Thunderbird e-mail client, 6.0.2, 7.0 beta and 3.1.14; these new updates remove all trust from the DigiNotar CA. Mobile users and Mac users appear less well served. There has been no news of updates for Apple’s iOS or Google’s Android, meaning the mobile devices that run those systems are still vulnerable to man-in-the-middle attacks using the bogus certificates. Android users will have to wait for each device vendor to release updates for their phones, or move to a custom ROM such as CyanogenMod; a fix is in the process of being implemented for that popular third-party ROM. Mac OS X users are also waiting for a security update; although instructions on how to distrust DigiNotar certificates on the Mac are available, Apple has, so far, remained silent about releasing an automated update. Source:

38. September 7, The Register – (International) New trojan masquerades as Microsoft enforcement-ware. Malware-makers have created a strain of ransomware trojan that masquerades as a Microsoft utility. The Ransom-AN trojan claims a user’s Windows machine is running an unlicensed copy of Windows, and threatens to cripple the computer unless $143 is paid to obtain an unlock code, which can be purchased via credit card via a scam Web site. The malware attempts to spook intended victims with entirely bogus claims that a criminal prosecution will be launched unless payment is received within 48 hours. In addition, the trojan says all data and applications on targeted systems will be “permanently lost.” The malware, which targets German-speaking users, is being distributed via spam and P2P downloads. Panda Software, the net security firm which detected the threat, warned the trojan is difficult to remove manually. Source:

39. September 6, IDG News Service – (International) After hacking claims, second firm pulls digital certificates. Digital certificates issued by GlobalSign have come under scrutiny after a hacker’s claim that he broke into the company’s computer systems. If true, it would be the second such compromise in the past few weeks. The hacker, known as Comodohacker, said September 5 he had broken into Dutch certificate authority DigiNotar and that he had access to four other such companies, including GlobalSign, a certificate authority based in Portsmouth, New Hampshire. GlobalSign said September 6 it was investigating the claim and had “decided to temporarily cease issuance of all certificates until the investigation is complete.” Source:

40. September 6, threatpost – (International) Evidence of infected SCADA systems washes up in support forums. A security researcher said evidence that viruses and spyware have access to industrial control systems is hiding in plain sight: on Web-based user support forums. Close to a dozen log files submitted to a sampling of online forums show signs that laptops and other systems used to connect to industrial control systems are infected with malware and trojans, including one system used to control machinery for British-based energy firm Alstom UK, according to an industrial control systems expert. He said he uncovered almost a dozen log files from computers connected to industrial control systems while conducting research online. The configuration log files, captured by the free tool HijackThis by Trend Micro, were willingly submitted by the computers’ operators to weed out malware infections. The random sampling suggests critical infrastructure providers are vulnerable to attacks that take advantage of mobile workers and contractors who bring infected laptops and mobile devices into secure environments. The researcher circulated his findings via Twitter and discussed them in a blog post for Digital Bond, a consulting firm that specializes in work with firms in the control systems space. He discovered the links between infected Windows systems and industrial control systems by analyzing the HijackThis logs posted on the forums, which reveal detailed configuration information about the systems in question, the organization they belonged to, and even the role of the individual who owned the system. Source:

41. September 6, threatpost – (International) Researcher will demo crippling Siemens attack using Metasploit. A security researcher said he will use a presentation September 20 at the 2011 ICS Cyber Security Conference in Washington, D.C., to demonstrate a crippling attack on Siemens S7 (Step 7) Programmable Logic Controllers using the free Metasploit penetration testing tool. He said the attack he will demonstrate will be similar to one he outlined in July — a generic attack against Siemens S7 Programmable Logic Controllers modeled after an attack used in the Stuxnet worm. The attack, if successful, could cause industrial machinery controlled by S7 PLCs to “run wild.” It would also lower the bar for attacking industrial control systems, giving low-skilled hackers a point-and-click attack using Metasploit. The researcher said the demonstration will leverage a Metasploit module written to automate a small, efficient attack against Siemens S7 systems, which he described in a July post. In that post, he described an attack that used just four lines of code to freeze a Siemens PLC by causing it to skip the execution of its normal control logic. While freezing a PLC is not necessarily a precise attack, it can be carried out with a minimum of knowledge or overhead because of the unique characteristics of the industrial systems that PLCs control. Source:

For more stories, see items 14 above in the Banking and Finance Sector and 42 and 44 below in the Communications Sector

Communications Sector

42. September 7, St. Petersburg Times – (Florida) Widespread Bright House service outages blamed on ‘software bug’. Much of the Tampa Bay, Florida area had a busy signal September 6 as Bright House Networks grappled with widespread service outages. Internet signals went dead. Cable programs froze. Businesses couldn’t run credit card machines. Internal phone lines at the Pinellas Sheriff’s Office went down. Even local libraries were affected. Starting at about 10:40 a.m., Bright House customers throughout Pinellas, Pasco, Hernando, Hillsborough, and Manatee counties were without phone, cable, and high-speed Internet services. Company officials said service was restored by about 5 p.m., though there were scattered reports from people who said they were still having problems the night of September 6. Bright House officials said the heavy thunderstorms the morning of September 6 had nothing to do with the service interruption. Instead, it was a computer issue. “This was a software bug that caused a cascading effect,” a Bright House spokesman said. He said it was unclear how many people lost service. Pinellas County workers, including those at the sheriff’s office, said they experienced spotty service with voice-over-Internet phones, though 911 emergency functions were not affected. Source:

43. September 7, Middletown Times Herald-Record – (New York) Verizon, Frontier working to restore service. Verizon and Frontier Communications continued working September 6 to restore land-line telephone service to customers around the Hudson Valley region in New York. How long repairs will take was unknown, as was the number of Verizon customers without phone service, a figure the company won’t release to the public. Verizon also won’t give specific locations of outages. Most of Frontier’s outages occurred in Goshen, Washingtonville, and neighboring areas, where restorations continued September 6. It has about 12,000 land-line customers in those communities, and most were affected when the storm flooded switching centers. One facility is next to the Washingtonville Middle School, which flooded as storm waters covered a swath of properties off Route 94. Frontier had aimed to have most customers restored by September 4. It was not known September 6 how many still remained without service. Source:

44. September 6, Associated Press – (Washington) Power surge that shut down Washington state government network to cost $500,000. A power surge that shut down the State of Washington’s internal network in August for several hours will end up costing the government $500,000, officials said September 6. The department of general administration (GA) estimates it will cost about $130,000 to purchase and install a new electrical vault switch. A contractor was working on a new high-voltage power line 2 weeks ago when equipment in the underground vault short-circuited. The ensuing power surge shut down electricity to the entire campus, and forced a hard shutdown of the state’s data center. The data center hasn’t been fully shut down in more than 20 years. A GA spokesman said officials are still working together to determine exactly what happened and how to prevent it from happening again. The outage occurred on a Sunday afternoon, and most services were up and running by the next day. The outage caused the largest problems at the employment security department, which had a delay processing unemployment claims. Source:

For more stories, see items 37, and 40 above in the Information Technology Sector