Thursday, March 29, 2012

Complete DHS Daily Report for March 29, 2012

Daily Report

Top Stories

• The San Onofre nuclear plant near San Diego will remain shut down while investigators try to discover what is causing the rapid decay of generator tubing that carries radioactive water. – Associated Press

6. March 28, Associated Press – (California) Feds: State nuke plant to remain shut for probe. The San Onofre nuclear plant near San Diego will remain shut down while investigators try to solve a mystery inside its massive generators — the rapid decay of tubing that carries radioactive water, federal regulators said March 27. A four-page letter to plant operator Edison from the Nuclear Regulatory Commission regional administrator laid out a series of steps the company must take before restarting the seaside reactors, underscoring the concern over the unusual degradation in the tubes. The administrator wrote that the problems in the generators must be resolved and fixed and “until we are satisfied that has been done, the plant will not be permitted to restart.” The plant’s 4 steam generators each contain nearly 10,000 alloy tubes that carry hot, pressurized water from the reactors. The Unit 3 reactor was shut down as a precaution in January after a tube break, and extensive wear was found on similar tubing in its twin, Unit 2, which has been shut down for maintenance. Source: State nuke plant to remain shut for probe

• The Securities and Exchange Commission sued a former United Commercial Bank vice president, accusing him of creating false records that contributed to the bank’s failure. The collapse cost the federal government $2.5 billion. – Bloomberg See item 9 below in the Banking and Finance Sector.

• A section of railroad in northeastern Indiana that carries up to 100 trains per day was shut for a second day while crews contended with a chemical fire caused by a train derailment. – Fort Wayne Journal Gazette

14. March 28, Fort Wayne Journal Gazette – (Indiana) Derailment, fire prompt evacuation near Ligonier. Officials said a heavily traveled stretch of railroad in northeastern Indiana would likely be closed through March 28, a day after a freight train derailed and spewed molten sulfur that caught fire. Firefighters were still at the site near Ligonier March 28 monitoring the fire caused after 21 cars of the eastbound 59-car Norfolk Southern train derailed. The Noble County sheriff said firefighters decided to let the cars burn because water could wash the chemical into the Little Elkhart River. He said the fire was expected to burn until at least noon March 28. Up to 100 trains, including two Amtrak passenger trains, use the route daily, Norfolk Southern said. It said that trains that normally use the route have been rerouted with other carriers and alternate routes. The train that derailed had 3 locomotives, 43 cars loaded with freight, including 11 with hazardous materials such as molten sulfur and toluene, and 16 empty freight cars. The derailment forced detours of two Amtrak trains carrying about 400 passengers combined. It also forced the evacuation of about six homes in the rural area. Source:

• For the second time in 6 months, researchers from Kaspersky Lab led an operation to take down the newest iteration of the Kelihos botnet. The bot is used to send spam, carry out distributed denial-of-service attacks, and steal online currency. – Threatpost See item 36 below in the Information Technology Sector.


Banking and Finance Sector

9. March 27, Bloomberg – (California; National) SEC sues former United Commercial Bank executive. The Securities and Exchange Commission (SEC) sued a former United Commercial Bank vice president (VP) March 27, accusing him of creating false records tied to the defunct San Francisco-based bank’s evaluation of loan risks. United Commercial, a unit of UCBH Holdings Inc., was seized by regulators in November 2009. It failed following the 2008 credit crisis and caused a $2.5 billion loss to the Federal Deposit Insurance Corporation’s insurance fund, according to the SEC. The VP was in charge of the bank’s commercial banking division, the SEC said. The VP, taking orders from his superiors during the financial crisis, “misstated and omitted material information in documents provided to the bank’s independent auditors,” the SEC said in its complaint. He “altered memoranda addressing the risks associated with certain large loans and the potential losses the bank faced from the loans,” which auditors relied on, according to the complaint. Three former executives at the bank were sued by the SEC in 2011 over claims they misled investors by concealing at least $65 million in loan losses before the lender collapsed. Source:

10. March 27, Burlington Free Press – (Connecticut; Vermont) Chiropractor pleads not guilty to $28 million investment fraud scheme. A Connecticut chiropractor was accused of being a silent partner, but prime beneficiary, in an alleged $28 million investment fraud scheme, the Burlington Free Press reported March 27. A renowned Vermont storyteller was a central fundraiser in the case. According to a federal indictment, the chiropractor induced the Vermont man to raise $28 million for a still-unreleased film. The chiropractor, who was arrested in Connecticut the week of March 19, pleaded not guilty to an 18-count indictment March 27 in a U.S. district court in Burlington, Vermont. He is facing nine wire fraud counts, five mail fraud counts, three money laundering counts, and a single conspiracy count. Court documents allege that most of the investor money the Vermonter raised for the film went to pay off earlier investors. Some of the remainder went into the film project, but an estimated $3.8 million was diverted to the chiropractor. The Vermont man pleaded guilty the week of March 19 to conspiracy to commit wire fraud, and one count of filing a fraudulent tax document. He has agreed to cooperate with the government’s case. Source:

11. March 27, Manchester Union Leader – (New Hampshire) Prosecutors: NH mortgage scam stiffed homeowners. A man accused of running a mortgage scam that duped dozens of people into believing they were saving their homes while he pocketed loan proceeds that he never repaid was on trial March 27 in a U.S. district court in New Hampshire. According to an indictment, the man approached people who were struggling to make mortgage payments from 2005 to 2008. He would offer to take the deed to their property while allowing them to stay in the home. According to prosecutors, part of his scheme would have them pay rent while offering them an option to buy their homes back in 2 years. Instead, he leveraged the properties to take out more loans and would also use agents, or “straws,” who would pose as purchasers and take out mortgages to buy homes from the man’s companies. The loans, which totaled more than $13 million, were never repaid, prosecutors allege. The defendant paid associates and straws with the money, and pocketed much of it, spending it for personal expenses. “When [he] later defaulted on the mortgages and the homes went to foreclosure, the distressed homeowners were not notified because the straws were the owners of record,” the indictment alleged. Meanwhile, the defendant continued collecting rent payments from the homes’ former owners, the indictment said. Source:

For more stories, see items 36 and 39 below in the Information Technology Sector.

Information Technology

35. March 28, Threatpost – (International) Adobe patches Flash Player, unveils new silent updater. Adobe released a security update for its Flash Player March 28, patching two critical holes and introducing a new silent update option. The update, Adobe Flash Player 11.2, addresses two memory corruption vulnerabilities in Windows, Mac, Linux, and early Android builds that could lead to remote code execution, according to a bulletin (APSB12-07). Users updating to 11.2 on Windows machines will notice a new background updater for Flash that has been shipped with the patch. After users update Flash, they will be asked how they want to receive Adobe updates going forward. The updater gives three options, including one that will automatically install updates in the background. If selected, the updater will check with Adobe every hour until it receives a response. If there is no available update, the updater will check back 24 hours later. Source:

36. March 28, Threatpost – (International) Kaspersky knocks down Kelihos botnet again, but expects return. For the second time in 6 months, researchers from Kaspersky Lab carried out an operation to take down the newest iteration of the Kelihos botnet, also known as “Hlux.” Microsoft and Kaspersky worked together in September 2011 on the first Kelihos take-down. The bot then resurfaced in January only to be shut down again in March by a combination of private firms including Kaspersky, Dell SecureWorks, and CrowdStrike Inc. Kelihos is used to send spam, carry out distributed denial-of-service attacks, and steal online currency such as bitcoin wallets. It operates as a “peer-to-peer” bot network, a design that is more difficult to take down than one with centralized command and control (C&C) servers, according to a senior researcher at CrowdStrike. Peer-to-peer botnets are distributed, self-organizing, and may have multiple command and control servers that disguise themselves as peers. In Kelihos’s case, there were three C&C servers and each had two unique IP addresses, he said. Source:

37. March 28, H Security – (International) Opera 11.62 closes security holes. Opera released version 11.62 of its Web browser. This maintenance update fixes a number of bugs, improves overall stability, and closes seven security holes, five of which affect all supported platforms. Two of the vulnerabilities are rated as “high” severity and could be exploited by an attacker to download and execute a possibly malicious file. This is done by tricking a victim into clicking a hidden dialogue box or by entering a specific keyboard sequence. Three other problems rated as “low” severity, including an address-spoofing bug, an address-bar problem and a cross-domain information disclosure bug, were also fixed. A moderate vulnerability affecting Opera for Mac and a low risk bug on Linux/Unix were also corrected. Source:

38. March 28, H Security – (International) Critical Java hole being exploited on a large scale. Criminals are increasingly exploiting a critical hole in the Java Runtime Environment to infect computers with malicious code when users visit a specially crafted Web page. According to a security blogger, the reason for this increased activity is that the arsenal of the BlackHole exploit kit has been extended to include a suitable exploit. The hole patched by Oracle in mid-February allows malicious code to breach the Java sandbox and permanently anchor itself in a system. Varying types of malware are injected; for example, it is believed the hole is exploited to deploy the Zeus trojan. According to an analysis by Microsoft, the dropper is distributed across two Java classes. The first class exploits the vulnerability to elevate its privileges when processing arrays, and then executes a loader class that will download and install the payload. Users can protect themselves by installing or updating to one of the current Java releases: Java SE 6 Update 31 or version 7 Update 3. Source:

39. March 27, Threatpost – (International) Carberp: It’s not over yet. On March 20, Russian law enforcement agencies announced the arrest of a cybercriminal gang involved in stealing money using the Carberp trojan. Evidently, those arrested were just one of the criminal gangs using the trojan. At the same time, those who developed Carberp are still at large, openly selling the trojan on cybercriminal forums. There are still numerous “affiliate programs” involved in the distribution of Carberp, particularly “traffbiz(dot)ru.” In short, those responsible for developing Carberp remain at large and the cybercriminal gangs using the trojan remain active. Source:

40. March 27, Dark Reading – (International) Malware to increasingly abuse DNS. Security researchers have looked at ways to abuse the domain-name service (DNS) for years. Now, some researchers are warning the protocol may increasingly be used to help criminals communicate with compromised systems. At the RSA Conference in February, a senior security consultant with InGuardians predicted more malware would hide its commands and exfiltrated data in DNS packets. The advantage for malware writers is that, even if a company bars a potentially infected computer from contacting the Internet, malware could send DNS requests to a local server, which would then act as a proxy, bypassing defenses. To date, the tactic has been relatively rare: perhaps a dozen malware variants have used the domain-name system to send commands and updates to botnets. Source:
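As an added illustration of the detection side of item 40 (this code is not from the article, InGuardians, or any referenced vendor): a small heuristic that scans a DNS query log for the hallmark of data hidden in query names, which is one client issuing many unique, long, high-entropy subdomains under a single domain. The log lines, the domain name, and the thresholds are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed sample query log (timestamp, client IP, queried name); not taken from the article.
# Client 10.0.0.7 behaves like a DNS-tunnelling implant; 10.0.0.5 is ordinary browsing traffic.
SAMPLE_LOG = """\
2012-03-27T10:00:01 10.0.0.5 www.example.com
2012-03-27T10:00:02 10.0.0.5 mail.example.com
2012-03-27T10:00:03 10.0.0.7 a3f9c2e1b7d4.t.c2-placeholder.example
2012-03-27T10:00:03 10.0.0.7 9e0d1c4b5a6f.t.c2-placeholder.example
2012-03-27T10:00:04 10.0.0.7 7b2a8d9e3c1f.t.c2-placeholder.example
2012-03-27T10:00:04 10.0.0.7 c4e5f6a7b8d9.t.c2-placeholder.example
2012-03-27T10:00:05 10.0.0.7 d5f6a7b8c9e0.t.c2-placeholder.example
2012-03-27T10:00:06 10.0.0.5 img1.cdn.example.net
2012-03-27T10:00:06 10.0.0.5 img2.cdn.example.net
2012-03-27T10:00:07 10.0.0.5 img3.cdn.example.net
2012-03-27T10:00:07 10.0.0.5 img4.cdn.example.net
"""

def shannon_entropy(s):
    """Bits per character; encoded payloads score far higher than labels like 'www' or 'img1'."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_log(text):
    """Parse 'timestamp client qname' lines; names are lower-cased with any trailing dot removed."""
    return [(t, c, q.lower().rstrip(".")) for t, c, q in
            (line.split() for line in text.splitlines() if len(line.split()) == 3)]

def registered_domain(qname):
    """Crude 'last two labels' grouping (an assumption); production code would use the public suffix list."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname

def score_tunnel_candidates(records, min_unique=4, min_entropy=3.0, min_label_len=10):
    """Return (client, domain, unique_names, avg_entropy, avg_label_len) for suspicious pairs."""
    names_by_key = defaultdict(set)
    for _ts, client, qname in records:
        names_by_key[(client, registered_domain(qname))].add(qname)
    findings = []
    for (client, domain), names in names_by_key.items():
        # Leading label of the subdomain part, e.g. 'a3f9c2e1b7d4' from 'a3f9c2e1b7d4.t.<domain>'.
        leading = [n[: -len(domain) - 1].split(".")[0] for n in names if n != domain]
        if len(leading) < min_unique:
            continue
        avg_entropy = sum(map(shannon_entropy, leading)) / len(leading)
        avg_len = sum(map(len, leading)) / len(leading)
        if avg_entropy >= min_entropy and avg_len >= min_label_len:
            findings.append((client, domain, len(names), round(avg_entropy, 2), round(avg_len, 1)))
    return findings
```

The CDN client is not flagged even though it resolves four unique names, because its labels are short and low-entropy; only the combination of volume, length and entropy trips the rule.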

41. March 27, CNET News – (International) New exploit uses old Office vulnerability for OS X malware delivery. Some malware groups have recently been found to be taking advantage of an old, patched vulnerability in Microsoft Office for OS X in an attempt to spread command-and-control malware to OS X systems. The vulnerability used in the attack was outlined in a Microsoft security bulletin in June 2009, which applied to all versions of Office 2004 version 11.5.4 or earlier, Office 2008 version 12.1.8 or earlier, and OpenXML Converter 1.0.2 or earlier. The vulnerability was patched soon after it was found and currently all supported Office programs are well beyond these versions. However, malware developers are attempting to exploit unpatched systems. These efforts mark the first time Office documents have been used as a vehicle for attacks in OS X. For this attack to work, a person would need to open a maliciously crafted Word file that has likely been distributed via spam and other suspicious means that could easily be avoided. When a maliciously crafted Word file is opened in an unpatched version of Word for Mac, it runs a script that writes the document’s malware payload to the disk and executes a shell script that runs the malware. In addition, it displays a Word document containing a poorly formatted political statement about Tibetan freedoms and grievances. Source:

For another story, see item 42 below in the Communications Sector.

Communications Sector

42. March 28, Taos News – (New Mexico) Gunshot blamed for Taos cell phone, Internet outage. A gunshot was identified as the cause of a cell phone and Internet outage that affected an estimated 7,800 residents in Taos, Questa, Penasco, Red River, Eagle Nest, Angel Fire, Cimarron, and Raton, New Mexico. The outage began just before 7 p.m. March 24. Service was restored by midday March 25. The loss of service was the result of a bullet that apparently cut an overhead fiber optic cable owned by CenturyLink. Several Internet providers and cell phone companies that serve Taos lease space on the same cable. E-mailed outage updates provided by the Public Regulation Commission showed CenturyLink reported that 7,774 residential, business, and government customers were impacted by the cut line. Outage updates from CenturyLink stated that mobile phone customers with Verizon, AT&T, and Sprint all went without service because of the break. Source:

For another story, see item 35 above in the Information Technology Sector.
