Wednesday, February 8, 2012

Complete DHS Daily Report for February 8, 2012

Daily Report

Top Stories

• Law enforcement officials believe an organized group is responsible for stealing weapons, including AR-15 assault rifles, bulletproof vests, and ammunition, from patrol cars in several counties in Alabama. – Gadsden Times (See item 31)

31. February 6, Gadsden Times – (Alabama) Patrol cars targeted in break-ins; weapons taken. Law enforcement officials believe an organized group is responsible for stealing weapons, bulletproof vests, and ammunition from several patrol cars in several counties in Alabama, the Gadsden Times reported February 6. At least 11 weapons, including AR-15 assault rifles, were taken from law enforcement vehicles since December 2011, the sheriff said. Seven patrol vehicles were broken into, including five the weekend of February 4. The weapons were stored in the patrol cars’ trunks, and the cars’ windows were broken out to gain access to open the trunk. The vehicles broken into over the weekend were from one side of the county to the other, prompting law enforcement officials to believe the group split up and hit some of the vehicles about the same time. The sheriff said the FBI, the U.S. Bureau of Alcohol, Tobacco, Firearms, and Explosives, and the U.S. Marshals Gulf Coast Regional Fugitive Task Force are assisting in the investigation. Source:

• The Industrial Control Systems Computer Emergency Readiness Team reported many organizations have seen secure shell scans of their Internet-facing control systems, including an electric utility that was hit by brute force attempts against its networks. – Dark Reading. See item 34 below in the Information Technology Sector.


Banking and Finance Sector

9. February 6, Vancouver Columbian – (Washington) Alleged ‘Elmer Fudd’ bank bandit goes to court. An alleged prolific Clark County, Washington robber dubbed the “Elmer Fudd” bandit because of his signature hunting clothes made his first appearance in court February 6. The bandit stands accused of seven robberies in east Vancouver over the past 2 months, while a woman is alleged to have been an accomplice to five. The pair was caught by police February 2 fleeing a Bank of America branch. Police found money and a money tracker on them. During an interview with investigators, the two admitted to the other robberies, a prosecutor said. Police have said the bandit was responsible for robberies in December and January east of Interstate 205 in Vancouver. Source:

10. February 6, Bloomberg – (New York) Ex-Jefferies Paragon Fund manager ordered to pay $8.3 million. An ex-Jefferies Paragon Fund money manager must pay $8.3 million in a U.S. Securities and Exchange Commission (SEC) insider-trading suit, a judge has ruled. The judge granted the SEC summary judgment in a New York district court in a February 3 order, citing the facts proved at an earlier criminal trial. The money manager was accused of illegally trading on inside tips about bids for Albertsons Inc. supplied by an investment banker who was the government’s chief witness in the trial. He was convicted of securities fraud and conspiracy in a scheme that federal authorities said netted more than $7 million in illegal profits. The investment banker, who worked at UBS AG, testified he passed him nonpublic information regarding efforts by Cerberus Capital Management LP, to acquire Albertsons, which was then the second-biggest U.S. grocer. Source:

11. February 6, New York Times – (International) The U.S. President imposes freeze on Iran property in U.S. The White House moved to enforce tightened sanctions against Iran February 6 because of the country’s suspect nuclear program, freezing all property of the Central Bank of Iran, other Iranian financial institutions, and the Iranian government in the United States. The new restrictions also raised new warnings to financial institutions in other nations that they could face big penalties in the United States if they did business with Iran’s central bank. The actions were announced in an executive order signed by the U.S. President that started the enforcement process for a tough measure he signed into law at the end of 2011. In a statement, the White House said the executive order “re-emphasizes this administration’s message to the government of Iran — it will face ever-increasing economic and diplomatic pressure until it addresses the international community’s...concerns regarding the nature of its nuclear program.” Many countries buy oil from Iran through its central bank, and their financial institutions could be blocked from the American market if they continue to do so. Documents accompanying the executive order said foreign financial institutions risked American sanctions “if they engage in certain significant financial transactions” with Iran’s central bank rather than “arms-length” transactions. In a statement, the Treasury Department said the executive order “blocks all property and interests in property of the government of Iran, the Central Bank of Iran and all Iranian financial institutions (regardless of whether the financial institution is part of the government of Iran) that are in the United States, that come within the United States or that come within the possession or control of U.S. persons.” The statement did not further specify the exact properties that apply. Source:

12. February 4, Bradenton Herald – (Florida) Ex-Orion Bank president pleads guilty to bank fraud. The former president of the now defunct Naples, Florida-based Orion Bank, with branches in Manatee and Sarasota counties, pleaded guilty February 3 to conspiracy to commit bank fraud and making false statements to federal regulators. He faces a maximum penalty of 15 years in federal prison. The former president participated in a conspiracy with top Orion executives and a former Orion borrower to mislead state and federal regulators that Orion was in a better capital position than it was in truth and fact, a U.S. attorney said. The conspiracy had two goals: to finance the sale of promissory notes secured by mortgages held by Orion on distressed properties, creating the illusion that non-performing loans were performing loans, and to conceal financing for the sale of Orion Bancorp, Inc., creating the illusion of a legitimate capital infusion into the bank, authorities said. The conspirators accomplished this by falsifying the books and records of Orion, and deceiving state and federal regulators over 7 months from May 2009 until November 2009. As part of the scheme, the president directed executives to increase loans-in-process to nominee entities associated with the borrower, to $82 million, including a $26.5 million line of credit, prosecutors said. Within the lines of credit, the president concealed $15 million of financing for the borrower’s purchase of Orion Bancorp, Inc. stock, despite knowing banking laws and rules prohibited the bank from financing the purchase of its own or its affiliates’ stock. Source:

Information Technology

32. February 7, H Security – (International) RealPlayer update closes critical holes. RealNetworks released an update to RealPlayer to close many holes in its media player application. Version 15.02.71 of RealPlayer addresses seven remote code execution vulnerabilities, rated as highly critical by Secunia, which could be exploited by an attacker to compromise a victim’s system. These include errors when processing RMFF Flags, VIDOBJ_START_CODE and RealAudio coded_frame_size, as well as RV10 Encoded Height/Width, RV20 Frame Size Array and RV40 content. A remote code execution problem in Atrac Sample Decoding was also fixed, but is not found in the 15.x.x branch of the media player; this issue affects Mac RealPlayer but is reportedly not found in version Source:

33. February 7, IDG News Service – (International) Anonymous claims to have released source code of Symantec’s pcAnywhere. Hacker group Anonymous claimed February 6 the source code of Symantec’s pcAnywhere was uploaded on The Pirate Bay site. Symantec could not immediately comment on whether the hackers indeed released the source code of its product. Earlier February 6, an e-mail string posted on Pastebin referred to negotiations over payment for the source code between a purported Symantec employee and a person named Yamatough. The name of the hacker is similar to the Twitter handle of YamaTough in Mumbai who is associated with the hacker group, Lords of Dharmaraja, that earlier claimed it had access to the source code of some Symantec products. Source:

34. February 6, Dark Reading – (International) Utilities facing brute-force attack threat. The Industrial Control Systems Computer Emergency Readiness Team (ICS-CERT) reported February 3 that many organizations have been witnessing secure shell (SSH) scans of their Internet-facing control systems, including an electric utility that told ICS-CERT it was hit by some brute force attempts against its networks that were “unsuccessful.” The attackers are probing TCP port 22, the default SSH listening port, to find hosts running SSH. Once a host answers the probe, they can run a brute-force attack against its log-in credentials to acquire remote access. SSH is an attractive attack vector because many control-system devices on networks run it by default. ICS-CERT recommends monitoring network logs for port scans and access attempts. Source:
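The monitoring ICS-CERT recommends in item 34 (and in the top story that refers to it) can be started with a small detector over the SSH daemon’s own authentication log. The following is an added example written for this page, not code from ICS-CERT, Dark Reading or the utility involved. It parses OpenSSH-style syslog lines, counts failed log-ins per source address inside a sliding time window, raises an alert when a source crosses a threshold, and raises a higher-severity alert if a flagged source later logs in successfully. The log lines, host name, thresholds and addresses are constructed for illustration.

```python
"""Threshold detector for SSH brute-force attempts in OpenSSH auth logs.

Added example, not part of the DHS report or ICS-CERT guidance. The sample
log below is constructed; hostnames, PIDs and addresses are fictitious.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH syslog format, e.g.
#   Feb  6 10:15:01 hmi01 sshd[2187]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
#   Feb  6 10:21:00 hmi01 sshd[2302]: Accepted publickey for engineer from 192.0.2.10 port 50010 ssh2
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2012):
    """Return a dict for an sshd auth line, or None for anything else.

    syslog timestamps carry no year, so the caller supplies it (assumption:
    the log being read is from a single year).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_s=60):
    """Alert on any source with >= threshold failures within window_s seconds,
    and again (higher severity) if that source later gets an Accepted login."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent = defaultdict(deque)  # src -> (ts, user) of failures still in the window
    flagged = set()
    alerts = []
    for e in events:
        q = recent[e["src"]]
        while q and (e["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()  # expire failures older than the window
        if e["outcome"] == "Failed":
            q.append((e["ts"], e["user"]))
            if len(q) >= threshold and e["src"] not in flagged:
                flagged.add(e["src"])
                alerts.append({
                    "kind": "bruteforce",
                    "src": e["src"],
                    "failures": len(q),
                    # distinct accounts tried: many names = spraying, one = targeted
                    "users": sorted({u for _, u in q}),
                })
        elif e["src"] in flagged:
            # A success from a source that was already brute-forcing is the
            # event an operator most needs to see.
            alerts.append({
                "kind": "success_after_bruteforce",
                "src": e["src"],
                "user": e["user"],
                "at": e["ts"].isoformat(),
            })
    return alerts


# Constructed sample log: one noisy source, one stray failure, one normal login.
SAMPLE_LOG = """\
Feb  6 10:15:01 hmi01 sshd[2187]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Feb  6 10:15:03 hmi01 sshd[2187]: Failed password for invalid user admin from 203.0.113.5 port 51235 ssh2
Feb  6 10:15:04 hmi01 sshd[2190]: Failed password for root from 203.0.113.5 port 51236 ssh2
Feb  6 10:15:06 hmi01 sshd[2192]: Failed password for invalid user operator from 203.0.113.5 port 51237 ssh2
Feb  6 10:15:08 hmi01 sshd[2194]: Failed password for root from 203.0.113.5 port 51238 ssh2
Feb  6 10:15:11 hmi01 sshd[2196]: Failed password for root from 203.0.113.5 port 51239 ssh2
Feb  6 10:20:00 hmi01 sshd[2300]: Failed password for root from 198.51.100.7 port 40001 ssh2
Feb  6 10:21:00 hmi01 sshd[2302]: Accepted publickey for engineer from 192.0.2.10 port 50010 ssh2
Feb  6 10:30:00 hmi01 sshd[2400]: Accepted password for root from 203.0.113.5 port 51300 ssh2
""".splitlines()


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

On the sample above the detector emits one `bruteforce` alert for 203.0.113.5 (five failures in ten seconds across the accounts admin, operator and root) and one `success_after_bruteforce` alert when the same source later authenticates as root; the lone failure from 198.51.100.7 and the key-based login from 192.0.2.10 produce nothing. A port-scan detector for the same devices would be fed from firewall or NetFlow records rather than sshd, since a scanner that never completes a login attempt leaves no trace in the auth log.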

35. February 6, Threatpost – (International) Flash with sandbox in the works for Firefox. Adobe is making a major change to Flash, adding a sandbox to the version of the player that runs in Firefox. The sandbox is designed to prevent many common exploit techniques against Flash. Flash, which is perhaps the most widely deployed piece of software on the Internet, has been a common attack vector for several years now, and attacks in some cases have been used to get around exploit mitigations that were added by the browser vendors. The sandbox is designed to prevent many of these attacks by not allowing exploits against Flash to break out into the browser itself. The version of Flash for Firefox that includes a sandbox is now in beta form, and is only available to developers and not end users. The final version should be available for users later in 2012, Adobe said. Source:

36. February 6, H Security – (International) Joomla! updates close information disclosure holes. Versions 1.7.5 and 2.5.1 of the open source Joomla! content management system (CMS) have been released to address two information disclosure vulnerabilities. These include one medium severity problem in Joomla! 1.7.x that could allow an unauthorized user to gain access to the error log stored on a victim’s server, and, in both versions, an inadequate validation problem that could be exploited to gain access to private data. The update to Joomla! 2.5, which arrived in January, also fixes 30 bugs, including one that caused batch processing to break. Version 2.5.0 and the 1.7.x branch up to and including 1.7.4 are affected; upgrading to 2.5.1 and 1.7.5 fixes these problems. However, the developers remind users the 1.7.x branch will reach its end of life February 24. Source:

37. February 6, Ars Technica – (International) Google to strip Chrome of SSL revocation checking. Google’s Chrome browser will stop relying on a decades-old method for ensuring secure sockets layer (SSL) certificates are valid after one of the company’s top engineers compared it to seat belts that break when they are needed most. The browser will stop querying certificate revocation lists and databases that rely on the online certificate status protocol, a Google researcher said February 5. He said the services, which browsers are supposed to query before trusting a credential for an SSL-protected address, do not make end users safer because Chrome and most other browsers establish the connection anyway when the services cannot be reached to confirm that a certificate has not been revoked. “So soft-fail revocation checks are like a seat-belt that snaps when you crash,” he said. “Even though it works 99 percent of the time, it’s worthless because it only works when you don’t need it.” SSL critics have long complained the revocation checks are mostly useless. Attackers who have the ability to spoof the Web sites and certificates of Gmail and other trusted Web sites typically also have the ability to block the revocation query, so the browser sees a server that is temporarily down rather than a warning that the credential is no longer valid. Source:
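The “seat-belt that snaps” argument in item 37 comes down to what a client does when the revocation service does not answer. The following is an added example written for this page, not Chrome’s code or anything published by Google or Ars Technica. It models a certificate, a revocation responder that an attacker can block, and a client that either fails open (soft-fail, the behaviour the item describes) or fails closed (hard-fail), then plays through the attacker scenario from the text: a revoked certificate presented while the responder is blocked. The serials, host name and policy names are constructed for illustration.

```python
"""Soft-fail versus hard-fail revocation checking.

Added illustration for the Ars Technica item; this is not Chrome's logic,
only a model of the decision it describes. All data here is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    serial: int
    subject: str


class RevocationUnavailable(Exception):
    """The OCSP responder / CRL distribution point timed out or was blocked."""


class RevocationService:
    """Stand-in for a CA's OCSP responder or CRL, with a reachability switch
    so a test can simulate an attacker blocking the query."""

    def __init__(self, revoked, reachable=True):
        self.revoked = set(revoked)
        self.reachable = reachable

    def status(self, cert):
        if not self.reachable:
            raise RevocationUnavailable("responder unreachable")
        return "revoked" if cert.serial in self.revoked else "good"


def validate(cert, service, policy):
    """Return True if the client should trust cert.

    policy == "soft-fail": an unreachable responder is treated as 'good'
                           (the browser behaviour the item criticises).
    policy == "hard-fail": an unreachable responder is treated as untrusted.
    """
    try:
        return service.status(cert) == "good"
    except RevocationUnavailable:
        if policy == "soft-fail":
            return True
        if policy == "hard-fail":
            return False
        raise ValueError(f"unknown policy {policy!r}")


def attacker_scenario(policy):
    """Attacker presents a stolen certificate that the CA has already revoked,
    and blocks the client's path to the responder. Returns whether the client
    accepts the certificate under the given policy."""
    stolen = Cert(serial=0x1234, subject="mail.example.com")
    ca = RevocationService(revoked=[0x1234], reachable=False)  # blocked
    return validate(stolen, ca, policy)


def honest_scenario(policy, serial):
    """Responder reachable; returns whether a certificate with this serial is
    accepted. Serial 0x1234 is revoked in the constructed list."""
    cert = Cert(serial=serial, subject="mail.example.com")
    ca = RevocationService(revoked=[0x1234], reachable=True)
    return validate(cert, ca, policy)


if __name__ == "__main__":
    for policy in ("soft-fail", "hard-fail"):
        print(policy, "accepts revoked cert while responder blocked:",
              attacker_scenario(policy))
```

Under soft-fail the revoked certificate is accepted exactly when the attacker is present, which is the engineer’s point: the check only works in the case where nothing is wrong. Hard-fail closes that hole but turns every responder outage into a broken site, which is why browsers had chosen the soft behaviour in the first place.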

38. February 6, The Register – (International) Cisco recalls suicidal UCS blade servers. The week of January 30, Cisco Systems put out a field notice to customers using its Unified Computing System B440 server blades, stating the failure of a MOSFET power transistor on the blade can “cause the component to overheat and emit a short flash which could lead to complete board failure.” The company said “in extreme circumstances it could affect the other blades in the chassis by disrupting power flow.” Cisco warned customers something was wrong with the MOSFETs July 12, and said at that time there was “no indication of a systemic issue with the MOSFET components, and the observed failure in the field is considered to be a random component failure.” To that end, Cisco’s engineers issued a firmware fix for the blade intended to keep the MOSFET from overheating and flashing and taking the system board down with it. On January 26, Cisco notified customers using the B440 servers that the firmware patch did detect MOSFET failures and prevent a “potential thermal event,” but that since the firmware was distributed, another B440 in the field had failed. As a result, Cisco made hardware modifications to the B440 system board and is now replacing all machines currently used by customers. Cisco said in the field notice no other UCS B Series blade servers or C Series rack servers are affected by this MOSFET failure issue. For users with these B440s in production, Cisco recommends upgrading to the most recent UCS blade management controller software, which has the patch for monitoring the B440 MOSFETs, and arranging to get replacement blades as soon as possible. Source:

For another story, see item 39 below in the Communications Sector.

Communications Sector

39. February 7, Pueblo Chieftain – (Colorado) Phone, Internet outage hits region. Residents in the Spanish Peaks area of Colorado and the San Luis Valley (SLV) were without long distance telephone and Internet services for most of the day February 6. CenturyLink officials said there was an inadvertent fiber cut about 10:45 a.m. between Pueblo and Colorado Springs that affected long distance, wireless, and Internet service south of Pueblo near Walsenburg, and a good part of the SLV. Phone service came back in Walsenburg and Trinidad the afternoon of February 6, but not for everyone. All services were back up and running a little after 6 p.m. Officials said 911 service was not affected by the outage. Verizon phone customers also reported an outage February 6. Source:

40. February 6, WAAY 31 Huntsville – (Alabama) Technical issue resolved, WAAY back on air on charter. Due to a technical issue with Charter Communications, many WAAY 31 Huntsville, Alabama viewers using that cable service provider were unable to see that station for a lengthy period of time over the February 4 weekend. The outage stretched across much of the WAAY 31 viewing area. The issue was fixed the morning of February 6 by Charter. Source:

41. February 6, Los Angeles City News Service – (California) 4 Wildomar men caught stealing microwave tower. Four men were allegedly caught stealing a microwave tower from a Wildomar, California property February 6, causing several thousand dollars in damage. The men were arrested around 5:45 a.m. after allegedly dismantling the transmission tower, according to the Riverside County Sheriff’s Department. Deputies were called to the location to investigate a report of trespassing and caught the suspects in the act, a police sergeant alleged. He said the owner of the microwave transmitter, American Tower, estimated the damage to be in excess of $3,000. All of the men were booked on suspicion of commercial theft and vandalism. Source:
