Monday, September 12, 2011

Complete DHS Daily Report for September 12, 2011

Daily Report

Top Stories

• Human error knocked out power to about 5 million customers in California, Arizona, and Mexico, and led to a massive sewage spill that closed several San Diego-area beaches. – NBC; Associated Press; Reuters (See item 1)

1. September 9, NBC; Associated Press; Reuters – (California; Arizona; International) Power restored for many after massive blackout. San Diego Gas & Electric (SDG&E) restored power to all 1.4 million of its customers who lost electricity in a major blackout. The utility made the announcement September 9, a day after a large swath of the Southwest and parts of Mexico lost electricity, and restoration of power came sooner than expected. The blackout also caused a sewage spill that closed some San Diego-area beaches. All public schools in the city also were closed September 8 as well as local state universities and community colleges. In Mexico, officials said power was out in northern Baja California's 2 biggest cities, home to roughly 2.5 million people, which are connected to the U.S. power grid. Two reactors at a nuclear power plant along the coast went offline after losing electricity, but officials said there was no danger to the public or workers. Officials blamed "human failure" for the outage, which was apparently linked to the actions of an employee at a substation in Arizona. The source of the trouble was traced to an employee removing a piece of monitoring equipment, officials at Phoenix-based Arizona Public Service Co. said. The ill-fated procedure first caused the failure of a high-power line supplying electricity to Southern California before unleashing a domino effect across the Southwest, officials said. Why that mishap, which normally would have been isolated locally, triggered such a widespread outage was to be a focus of the probe, the officials said. Before midnight, power was restored to some 720,000 users in the region, according to combined tallies provided by officials in Arizona, California, and Mexico. Police stations were forced to use generators to accept emergency calls across the area. There were no signs of widespread looting or other unrest related to the outage. Gas stations were shuttered and most shops and restaurants shut down. A backup system allowed officials to continue operating crossings from Arizona to California, said a Customs and Border Protection spokeswoman. Source:

• Torrential rains swept over the Washington, D.C. region September 8, triggering flash floods that shut major highways, damaged cars and homes, and forced emergency crews to make scores of water rescues. – Washington Post (See item 23)

23. September 9, Washington Post – (Maryland; District of Columbia; Virginia) Torrential rains inundate D.C. region: 3 killed, roads and schools closed. Torrential rains swept over the Washington, D.C. region September 8, triggering flash floods that killed two people in Fairfax County, Virginia, and one in Anne Arundel, Maryland. Rising waters trapped scores of terrified motorists, forced hundreds to evacuate their homes, and shut major highways, including Interstate 66 and the Capital Beltway. The victims included a 12-year-old boy who was swept away by the flood-swollen waters of Piney Branch Creek in Vienna, Virginia; a 60-year-old man in Great Falls, Virginia, who was killed near his stranded vehicle; and a 49-year-old man who drowned in Pasadena, Maryland, authorities said. The Virginia Department of Transportation (VDOT) and state police ordered the Beltway closed from Route 1 to the Mixing Bowl at Interstate 395, as the waters of Cameron Run spilled onto the highway, a VDOT spokeswoman said. Maryland officials closed the Woodrow Wilson Bridge to keep cars off the flooded portion of the Beltway in Virginia. Interstate 66 was also closed westbound near Route 50. The unrelenting rains, sometimes falling at 4 inches an hour, closed schools, courthouses, and government buildings in Prince George’s and Charles counties, Maryland. Cars were flooded at a park-and-ride lot in Reston, Virginia, and at auto dealerships in Upper Marlboro, Maryland. Commuter trains were halted. Basements flooded. People were stranded. Homes were evacuated in Prince William, Prince George’s, and Fairfax, Virginia. Fairfax and Prince William County officials decided to close schools September 9 because so many roads were flooded, and Prince William declared a local state of emergency. Virginia Railway Express closed its two train lines September 9 because of flooded tracks. Fairfax fire and rescue teams rescued more than 100 stranded motorists, including 12 on Cinderbed Road in Lorton, Virginia. Six were helped from their cars on Interstate 95 at Telegraph Road, a county spokesman said. Earlier in the day, rescue workers in Prince George’s helped scores of similarly stranded drivers. County officials said they were keeping an eye on 19 state-regulated dams, most of them in the Pohick watershed. Source:


Banking and Finance Sector

16. September 9, Federal Bureau of Investigation – (National) Marlborough man admits role in multi-million-dollar bank fraud conspiracy. The U.S. Attorney for the District of Connecticut announced that a 48-year-old man pled guilty September 9 to one count of conspiracy to commit bank fraud stemming from his involvement in a multi-million dollar scheme. According to court documents, the man worked for Branford-based New England Cash Dispensing Systems, Inc. (NECDS). Beginning in March 2000, NECDS entered into an agreement with Domestic Bank of Cranston, Rhode Island, whereby NECDS would supply ATM services. The ATMs in the network were stand-alone machines in commercial establishments and other locations throughout several northeastern states. In pleading guilty, the man admitted he and others engaged in a conspiracy to defraud Domestic of cash the bank supplied for use in the ATMs. As part of the scheme, he and other NECDS personnel ordered excess cash from Domestic and then diverted the cash, which was meant to be used to refill Domestic ATMs, to refill ATMs that would otherwise have been refilled with NECDS’s funds. He and others also engaged in a “cover-up” to prevent the bank from recognizing that money was missing by “floating” Domestic’s money. This was done regularly over several years, and resulted in Domestic receiving false data through the periodic replenishment process. Domestic ultimately lost about $4.8 million in funds it had supplied to NECDS. In pleading guilty, the convict admitted he personally stole about $2 million in cash, which he used for his own personal enrichment. Source:

17. September 9, Phoenix Business Journal – (Arizona) Former bank execs settle FDIC lawsuit for $20 million each. The ex-chief executive of First National Bank (FNB) of Arizona and a former director settled a lawsuit brought by the Federal Deposit Insurance Corporation (FDIC) August 23, alleging the two “sacrificed safety” and promoted risky loans that ultimately caused the bank’s failure. The pair agreed to settle for $20 million each, while denying all allegations in the complaint. As part of the settlement, the FDIC agreed not to collect the judgments against them if the pair waived their right to sue Lloyds of London Catlin Syndicate, which insured both men. The broader settlement agreement, which is not public, also included other former officers and directors of FNB. In its original complaint, the government agency sought to recover more than $193 million in damages resulting from the directors’ and officers’ breaches of fiduciary duties, including “gross negligence.” In its complaint, the FDIC alleged FNB created a wholesale mortgage division to purchase and market billions of dollars in risky nontraditional mortgages dubbed “Alt-A” loans. The loans boosted FNB's profits to record levels in the short term, but eventually caused the bank’s failure when the real estate market softened. The pair promoted the risky mortgages “long after they should have known the loans being made created a substantial harm to the bank,” FDIC documents said. Source:

18. September 9, U.S. Securities and Exchange Commission – (Texas) SEC charges solicitor in investment scheme targeting deaf community. The Securities and Exchange Commission September 8 charged a Corinth, Texas man with securities fraud for soliciting more than $3.45 million from several thousand deaf investors in an investment scheme that the SEC halted last year. The SEC previously charged Imperia Invest IBC with securities fraud and obtained an emergency court order to freeze the investment company’s assets. In the complaint, the SEC alleges that the man, who is deaf, solicited investments for Imperia over a 3-year period from others in the deaf community, promising them he would invest in Imperia on their behalf. What he did not tell investors is that he was misappropriating a portion of their funds to pay his mortgage, car payments, car insurance, and a variety of other personal expenses. He sent the remaining amounts to Imperia’s offshore bank accounts. While Imperia guaranteed returns of 1.2 percent per day on these investments, investors have never been paid any interest after giving their money to the man to invest. Even after the SEC charged Imperia and issued an investor alert about the scheme, he continued to reassure investors that Imperia was legitimate and they would be paid. According to the SEC’s complaint, the man's investors transferred funds to him via money orders that he then cashed and deposited into accounts he controlled. From there, he forwarded funds to Imperia. He initially sent money to Paypal-like accounts in Costa Rica, Panama, and the British Virgin Islands, but later wired it directly to bank accounts with no apparent link to Imperia in various other countries, such as Cyprus and New Zealand. Source:

19. September 8, CNN – (International) U.S. sanctions Venezuelan officials for allegedly helping FARC rebels. The U.S. Treasury Department September 8 added four Venezuelan officials to its drug "kingpin" list for allegedly providing arms and security to the Revolutionary Armed Forces of Colombia (FARC) leftist guerrilla group. A loyalist of the Venezuelan president and three other officials are now on the list, the Treasury Department said. The others receiving the designation of "Specially Designated National" under the Foreign Narcotics Kingpin Designation Act are the alternate president of the Latin American Parliament; a major general in the Venezuelan army; and an officer in the country's intelligence service. Their assets are now blocked, and U.S. citizens are generally prohibited from dealing with them. The U.S. government designated the FARC as a "significant foreign narcotics trafficker" in 2003. Treasury's statement alleged one of the men "has facilitated arms sales between the Venezuelan government and the FARC"; another "has used his position to establish an arms-for-drugs route with the FARC"; a third "has served as a primary arms dealer for the FARC, and is a main conduit for FARC leaders based in Venezuela"; and the fourth "has coordinated security for the FARC". Source:

20. September 8, Softpedia – (National) Financial services company impersonated in malware spreading campaign. The Automated Clearing House (ACH), a financial service offered by the U.S. electronic payments association National Automated Clearing House Association (NACHA), was impersonated in a campaign of spam messages sent out to unsuspecting users with the purpose of spreading malware. The samples investigated by MalwareCity seemed to be sent from a legitimate NACHA e-mail account. This specific message, titled “ACH Transfer Review,” informs the victim that a transaction has failed and that she must review the input data for the payment by filling in the application form attached to the e-mail. The attachment is a zip file that contains what appears to be a .pdf document for the recipient to review. The .pdf file is actually an executable that installs a downloader on the soon-to-be-infected computer. The downloader's purpose is to fetch other malware from the Web onto the computer. A few moments later, the Zeus bot, also known as Trojan(dot)Generic.6152125, is installed on the machine, closely monitoring all electronic financial transactions and sending out username and password information. The routing details from the message appear to come from a domain called ””, the Web site of a wireless solutions company, likely used by the cybercriminals to mask their true identity. Source:
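The lure above relies on a zipped "document" that is really a Windows executable (Explorer hides the trailing .exe of a name like Review.pdf.exe by default). The following mail-gateway check is an added example, not code from Softpedia or MalwareCity; it builds a constructed archive that mimics the attachment and flags members whose name or leading bytes betray a PE binary.

```python
"""Flag executables disguised as documents inside a zipped mail attachment.

Added example (not from the article or the analysts it cites). The archive,
file names and byte contents below are constructed for the demonstration.
"""
from __future__ import annotations

import io
import zipfile

EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOC_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
# Leading bytes a genuine file of each document type must start with.
DOC_MAGIC = {".pdf": b"%PDF-"}


def classify_member(name: str, head: bytes) -> str | None:
    """Return a finding for one archive member, or None if nothing looks wrong.

    `head` is the first few bytes of the member's content (8 is enough here).
    """
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + part for part in base.split(".")[1:]]
    last = exts[-1] if exts else ""
    # 1. Document name followed by an executable extension, e.g. '.pdf.exe'.
    if len(exts) >= 2 and last in EXEC_EXTENSIONS and exts[-2] in DOC_EXTENSIONS:
        return f"double extension {''.join(exts[-2:])}"
    # 2. Any bare executable inside an attachment archive.
    if last in EXEC_EXTENSIONS:
        return "executable inside attachment archive"
    # 3. PE header ('MZ') behind a non-executable name.
    if head.startswith(b"MZ"):
        return f"PE executable disguised as {last or 'extensionless file'}"
    # 4. Claims to be a document type whose signature it does not carry.
    if last in DOC_MAGIC and not head.startswith(DOC_MAGIC[last]):
        return f"content does not match {last} signature"
    return None


def suspicious_members(zip_bytes: bytes) -> list[str]:
    """Scan every file in the archive and return 'name: finding' lines."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the magic bytes are needed
            verdict = classify_member(info.filename, head)
            if verdict:
                findings.append(f"{info.filename}: {verdict}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed lookalike of the lure's attachment (not a real sample)."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 60  # DOS header stub only, inert
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("ACH_Transfer_Review.pdf.exe", fake_pe)  # double extension
        zf.writestr("ACH_Transfer_Review.pdf", fake_pe)      # PE renamed to .pdf
        zf.writestr("NACHA_notice.pdf", b"%PDF-1.4\n%%EOF\n")  # genuine PDF
    return buf.getvalue()


if __name__ == "__main__":
    for line in suspicious_members(build_sample_zip()):
        print("QUARANTINE", line)
```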

21. September 8, U.S. Department of Justice – (Arizona) Four Tucsonans indicted for mortgage fraud conspiracy. A federal grand jury in Arizona returned an indictment September 8 charging four defendants in a mortgage fraud conspiracy. The indictment charged 20 counts, including conspiracy to commit bank fraud, false statement to influence a financial institution, and conspiracy to commit transactional money laundering. “The indictment alleges that the defendants fraudulently obtained loans for 19 properties that eventually ended in foreclosure,” said the acting U.S. attorney. It alleges the defendants conspired to commit mortgage fraud to obtain 19 loans totaling about $5.85 million in 2006 and 2007. According to the indictment, two of the defendants purchased properties using various business entities with which they were associated. Thereafter, they sold these properties to straw buyers for a profit. The indictment further alleges the defendants submitted loan applications and other documents that contained material false representations relating to the purchase of the 19 properties. After the fraudulently obtained loan proceeds were received, portions were diverted into the suspects' bank accounts. As a result of the scheme, each of the properties referenced in the indictment went into foreclosure. Source:

22. September 8, U.S. Securities and Exchange Commission – (Massachusetts) Commission sues Massachusetts investment adviser for fraudulently inducing clients to invest in forex, causing investor losses of nearly $4 million while adviser earned hefty fees. The U.S. Securities and Exchange Commission (SEC) announced September 8 it filed a civil injunctive action in federal district court in Massachusetts against registered investment adviser EagleEye Asset Management, LLC, and its sole principal in connection with their fraudulent conduct toward advisory clients. In its complaint, the SEC alleges that, between at least April 2008 and August 2010, the head of EagleEye made material misrepresentations to a dozen or so advisory clients to induce them to liquidate investments in securities and instead invest the proceeds in foreign currency exchange (forex) trading. These investments, which were not suitable for older clients with conservative investment goals, resulted in steep losses for clients, totaling nearly $4 million, but EagleEye and its head came away with more than $300,000 in performance fees on the investments, in addition to other management fees. His strategy was to generate temporary profits on forex investments to enable him to collect performance fees, after which client investments invariably would sharply decline in value. According to the SEC's complaint, the man's material misrepresentations to clients concerned the nature of forex investments, the risks involved, and his expertise and track record. The complaint further alleges that, in the case of two clients, without their knowledge or consent, the suspect liquidated securities in their brokerage accounts and transferred the proceeds to their forex accounts where he lost nearly all client funds, but not before first collecting performance fees for EagleEye (and ultimately himself) on short-lived profits. The complaint said he accomplished the unauthorized transfers by doctoring asset transfer forms. Source:

For more stories, see items 46 and 49 below in the Information Technology Sector

Information Technology Sector

45. September 9, H Security – (International) Microsoft and Adobe preview September Patch Tuesday. When it releases its monthly patches September 13, Microsoft will publish five bulletins categorized as "important" to close 15 holes. Most of the bulletins fix vulnerabilities in Microsoft Office, which attackers can use to inject malicious code and escalate rights. Arbitrary code can also be executed in the Mac edition of Office, and rights can also be escalated in the server component SharePoint Workspace. One bulletin closes a hole in all Windows versions starting with XP (including Server) that attackers can use to remotely inject code. It is currently unclear why Microsoft does not categorize this bulletin as "critical." In addition, Microsoft will fix a privilege escalation problem in Windows Server from version 2003. Finally, the Windows Malicious Software Removal Tool will receive current virus signatures. September 13 is also Adobe's patch day. The company announced it will be closing critical holes in all currently maintained versions of Adobe Reader and Acrobat, both for Windows and Mac. Adobe also announced it was working to remove compromised DigiNotar CA certificates from its products. For the time being, Adobe published a workaround for users who do not want to wait for the official update. Source:

46. September 9, H Security – (International) Anonymisation service uses botnet as proxies. Anonymization service AWM Proxy rents computers infected with the TDL4 bot for use as proxies, according to a report by a security expert. Starting at $3 per day, users can have their data traffic directed through the bot network to surf the Internet anonymously with other people's IPs. The researcher said the provider has been in business since the beginning of 2008. A Firefox extension reportedly facilitates configuration and use. The firm said it does not save any log files about its users' activities. If the proxy user views illegal content, or uses the anonymized connection to spread terror threats, the owner of the infected system could face legal consequences. To prove they did not commit these illegal actions themselves, they will first have to find the rootkit deep down in their system. Among other things, it implements its own encrypted file system; its rootkit functions even work on 64-bit Windows. However, the proxy module is only one of the bot's functions. Once the virus has settled down in a user's system, the botnet operator can load and execute files on an infected computer — so TDL4 can be used to send spam or in DDoS attacks. Online banking sessions might also be vulnerable. Source:

47. September 8, IDG News Service – (International) After digital certificate hack, Mozilla seeks reassurances. Following the hack of DigiNotar, Mozilla is asking issuers of digital certificates to take a look at their internal security and to report back in a week. In e-mails sent out to digital certificate authorities September 8, Mozilla's Certificate Authority (CA) Certificates Module owner asked CAs such as Symantec and Go Daddy to audit their systems for any possible compromise, confirm that nobody can issue a digital certificate without two-factor authentication, and shore up practices with third parties that might be able to issue digital certificates using the CA's root key. Mozilla is giving CAs until September 16 to respond, but the browser maker is not saying what will happen if any of its 54 CAs ignore the request. Mozilla is also telling the CAs to put "automatic blocks in place for high-profile domain names (including those targeted in the DigiNotar and Comodo attacks this year)," Mozilla's CA Certificates Module owner wrote in the e-mail. "Please further confirm your process for manually verifying such requests, when blocked," she wrote. By asking for a manual verification, Mozilla is trying to make it harder for anyone to issue a digital certificate for or, two domains that were targeted in the DigiNotar hack. Source:

48. September 8, threatpost – (International) Adobe says it is breaking ties to Diginotar. Adobe said September 8 it was removing Diginotar's Qualified CA certificate from the Adobe Approved Trust List, according to a company blog post. The move would affect Adobe Reader and Adobe Acrobat versions 9 and X. It is the latest move by major software vendors to break ties to the compromised Dutch certificate authority, which was found to have unwittingly issued hundreds of fraudulent certificates in the names of prominent organizations in recent months. In a post on the company's Product Security Incident Response Team (PSIRT) blog, Adobe said it hoped to have implemented the change by September 9. The company provided instructions for removing Diginotar certificates from the Approved Trust List manually. Those instructions are available on the PSIRT blog. Source:

49. September 8, Wired – (International) Researchers’ typosquatting stole 20 GB of e-mail from Fortune 500. Two researchers who set up doppelganger domains to mimic legitimate domains belonging to Fortune 500 companies said they managed to steal 20 gigabytes of misaddressed e-mail over 6 months. The intercepted correspondence included employee usernames and passwords, sensitive security information about the configuration of corporate network architecture that would be useful to hackers, affidavits and other documents related to litigation in which the companies were embroiled, and trade secrets, such as contracts for business transactions. Doppelganger domains are ones that are spelled almost identically to legitimate domains, but differ slightly, such as a missing period separating a sub-domain name from a primary domain name. The researchers found that 30 percent, or 151, of Fortune 500 companies were potentially vulnerable to having e-mail intercepted by such schemes, including top companies in consumer products, technology, banking, Internet communication, media, aerospace, defense, and computer security. The researchers also discovered that a number of doppelganger domains had already been registered for some of the largest companies in the United States by entities that appeared to be based in China, suggesting that spies may already be using such accounts to intercept valuable corporate communications. Source:
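The interception works because a recipient who drops the dot between a subdomain and the primary domain sends mail to a domain the attacker controls. As an added example, not the researchers' tooling or anything from the Wired article, the outbound-gateway check below enumerates an organisation's own missing-dot variants and blocks recipients that match; the domains and messages are constructed placeholders.

```python
"""Outbound mail check for doppelganger (missing-dot) recipient domains.

Added example, not code from the researchers or from Wired. It assumes the
organisation maintains a list of its legitimate mail domains; every domain
and message below is a constructed placeholder.
"""
from __future__ import annotations

# Constructed placeholder: our legitimate mail domains, including the
# regional subdomains that a missing-dot doppelganger would imitate.
LEGIT_DOMAINS = {
    "example.com",
    "us.example.com",
    "uk.example.com",
    "mail.eu.example.com",
}


def doppelgangers(domain: str) -> set[str]:
    """Missing-dot variants of a domain, keeping the final TLD separator.

    'us.example.com'      -> {'usexample.com'}
    'mail.eu.example.com' -> {'maileu.example.com', 'mail.euexample.com'}
    """
    labels = domain.lower().rstrip(".").split(".")
    variants: set[str] = set()
    # Fuse label i with label i+1 for every dot except the one before the TLD.
    for i in range(len(labels) - 2):
        fused = labels[:i] + [labels[i] + labels[i + 1]] + labels[i + 2:]
        variants.add(".".join(fused))
    return variants


def build_watchlist(legit: set[str]) -> dict[str, str]:
    """Map each doppelganger to the legitimate domain it imitates."""
    watch: dict[str, str] = {}
    for domain in legit:
        for fake in doppelgangers(domain):
            if fake not in legit:  # never flag one of our own domains
                watch[fake] = domain
    return watch


def check_recipient(address: str, watch: dict[str, str]) -> str | None:
    """Return the legitimate domain a recipient address imitates, or None."""
    domain = address.rpartition("@")[2].lower().rstrip(".")
    return watch.get(domain)


def scan_outbound(messages: list[tuple[str, str]], watch: dict[str, str]) -> list[str]:
    """Return one alert line per message whose recipient hits the watchlist."""
    alerts = []
    for rcpt, subject in messages:
        target = check_recipient(rcpt, watch)
        if target:
            alerts.append(f"BLOCK {rcpt} (looks like {target}): {subject}")
    return alerts


if __name__ == "__main__":
    # Constructed sample of outbound traffic; the second line is the typo case.
    sample = [
        ("alice@us.example.com", "Q3 network diagram"),
        ("alice@usexample.com", "Q3 network diagram"),
        ("partner@othercorp.test", "Contract draft"),
    ]
    for line in scan_outbound(sample, build_watchlist(LEGIT_DOMAINS)):
        print(line)
```

Registering the same variants defensively, or adding them to the gateway as well, covers the case where an outsider rather than an insider makes the typo.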

For more stories, see item 20 above in the Banking and Finance Sector and item 50 below in the Communications Sector

Communications Sector

50. September 9, The Register – (International) Office 365, Hotmail and SkyDrive hit by outage. Microsoft's Office 365 cloud service experienced another outage September 9. This time it had company, as Hotmail and SkyDrive were also downed by the same DNS (Domain Name System) issue. Outages started around 4 a.m. GMT and lasted for around 3.5 hours, affecting mostly users in Asia Pacific and North America. On the official Office 365 Twitter feed, Microsoft said: "Preliminary root cause suggests a DNS issue, though we're still working hard to restore." This is the second major outage since Office 365 launched in late June as the successor to BPOS. Microsoft said it has a financially backed SLA for its cloud services, and last month gave BPOS customers a 25 percent credit note on future invoices following an outage. Hotmail, SkyDrive, and other Live properties were also out of service, the Inside Windows Live blog confirmed. "We are working on propagating the DNS configuration changes and so it will take some time to restore service to everyone. Again we appreciate your patience," the firm said. In a statement sent to The Register, Microsoft said DNS issues had caused service degradation for "multiple services", adding "we are conducting a review of the incident". Source:

For more stories, see items 47 and 49 above in the Information Technology Sector