Monday, March 5, 2012

Complete DHS Daily Report for March 5, 2012

Daily Report

Top Stories

• The entire town of Medford, Oklahoma, was urged to evacuate March 1 as propane from a storage plant leaked for a third straight day, leading to a major fire hazard. – Associated Press (See item 2)

2. March 1, Associated Press – (Oklahoma) Officials urge evacuation of Okla. town as propane leak at fuel storage plant enters 3rd day. Residents of Medford, Oklahoma, were urged to evacuate March 1 as propane leaked for a third straight day out of a well at a fuel storage plant, and officials feared there could be a fire hazard if strong winds carry the vapor into town. “The issue is propane will settle in low-lying areas,” the Medford city manager said. “If there is any kind of spark or ignition then it would be flammable and could start a fire.” The leak began February 28 when a saltwater brine mixture used to move the propane out of a well at the plant spilled, causing propane to vaporize. The company, ONEOK Inc., insisted the air levels posed no risk to the public. Shortly before 5 p.m., none of the 1,000 residents of Medford, located near the Kansas border and about 2.5 miles north of the plant, had checked into a shelter set up in nearby Wakita. The leak shut down U.S. 81, the major highway in the area. An Oklahoma Department of Transportation spokesman said the highway would not reopen before March 2. Source:

• The growing popularity of tax preparation software led to a marked increase in e-mail scams targeted at do-it-yourself taxpayers during the 2012 tax season. – USA Today. See item 18 below in the Banking and Finance Sector.

• SWAT officers in Buena Park, California, rescued a bank manager held at gunpoint by an accused robber March 1. The accused robber was arrested after being wounded in a shootout that also injured some officers. – Associated Press. See item 21 below in the Banking and Finance Sector.

• A researcher presented evidence at a technology conference showing thousands of embedded Web servers on printers, fax machines, and video conferencing systems could be accessed via the Internet. – H Security. See item 48 below in the Information Technology Sector.

• Powerful storms that produced tornadoes stretching from the Gulf Coast to the Great Lakes flattened scores of buildings in several states and wiped out a small Indiana town. – Associated Press (See item 57)

57. March 2, Associated Press – (National) Tornado wrecks Indiana town as Midwest is slammed with severe storms. Powerful storms stretching from the Gulf Coast to the Great Lakes flattened buildings in several states, wrecked a small Indiana town, and bred anxiety across a wide swath of the country, the Associated Press reported March 2. Widespread damage was reported in southern Indiana, where a Clark County Sheriff’s Department official said the town of Marysville is “completely gone.” Dozens of houses were also damaged in Alabama and Tennessee 2 days after storms killed 13 people in the Midwest and South. Thousands of schoolchildren in several states were sent home as a precaution, and several Kentucky universities were closed. The Huntsville, Alabama mayor said students in area schools sheltered in hallways as severe weather passed. At least 20 homes were badly damaged in the Chattanooga, Tennessee area after strong winds and hail lashed the area. In the Huntsville area, five people were taken to hospitals, and several houses were leveled by what authorities believed were tornadoes. An apparent tornado also damaged a state maximum security prison about 10 miles from Huntsville, but none of the facility’s approximately 2,100 inmates escaped. An Alabama Department of Corrections spokesman said the roof was damaged on two large prison dormitories that each hold about 250 men. Part of the perimeter fence was knocked down, but the prison was secure. Source:


Banking and Finance Sector

13. March 2, Help Net Security – (National) Bogus US SEC notification leads to malware. Notifications purportedly sent by the U.S. Securities and Exchange Commission have been hitting in-boxes and trying to trick users into following a malicious link, GFI warned March 2. Those who open the link included in the e-mail will be redirected through a number of sites and will finally end at one that hosts the Blackhole exploit kit, which is able to take advantage of many Adobe Reader, Acrobat and Flash vulnerabilities, as well as some in Java and Windows Media Player. If the kit manages to exploit one of those, the user is taken to a Web site where he can download the about.exe file. This is not a document containing details of the complaint, but a variant of the Zeus/Zbot information-stealing trojan that is currently detected only by a dozen of the AV solutions employed by VirusTotal. Source:

14. March 2, The Lower Westchester Loop – (New York) Over $150k skimmed from Larchmont Citibank, victims to be repaid. Larchmont, New York police now say six individuals have reported unauthorized withdrawals from their bank accounts – one of whom lost a total of $130,000, the Lower Westchester Loop reported March 2. The other victims reported losses of thousands of dollars. Citibank sent this response to the ATM skimming that occurred at its Larchmont branch: “Citibank identified illegal skimming devices placed on our ATM location at 1920 Palmer Ave. and took corrective action to prevent this type of skimming fraud.” Source:

15. March 2, Ars Technica – (International) Bitcoins worth $228,000 stolen from customers of hacked Webhost. Online bandits made off with at least $228,000 worth of the virtual currency known as Bitcoin after exploiting a vulnerability in a widely used Web host that gave unfettered access to eight victims’ digital wallets, Ars Technica reported March 2. Ars Technica was able to confirm the theft of 46,703 BTC (Bitcoins), worth about $228,845 in U.S. currency. More than 43,000 of the stolen BTC belonged to a Bitcoin trading platform known as Bitcoinica, the company’s chief executive and lead developer told Ars Technica. Another 3,094 BTC were lifted from the virtual purse of a freelance programmer from the Czech Republic. He said in an interview that a separate Bitcoin user he has been in contact with lost 50 BTC to the same attackers. The lead Bitcoin programmer told Ars Technica he lost all 5 BTC he had stored in one online account. Hours after the two programmers brought the March 1 attacks to light, cloud services provider Linode confirmed a hacker targeted Bitcoin wallets stored on its servers after compromising a customer service portal. “All activity by the intruder was limited to a total of eight customers, all of which had references to ‘bitcoin,’” Linode’s advisory stated. “The intruder proceeded to compromise those Linode Manager accounts, with the apparent goal of finding and transferring any bitcoins. Those customers affected have been notified.” Source:

16. March 2, The Register – (International) Anonymous Web weapon backfires with hidden banking Trojan. Anonymous supporters queuing up to participate in denial-of-service attacks are being tricked into installing ZeuS botnet clients. Hacktivists grabbed what they thought was the Slowloris tool, which is designed to flood Web sites with open connections and ultimately knock them offline. However, the download included a strain of ZeuS, which promptly installed itself on their Microsoft Windows machines. The trojan will carry out the distributed attacks, but that’s not all it does — it will also steal users’ online banking credentials, Web mail logins, and cookies. The deception began January 20, Symantec reported. Malware peddlers swiped the template of an Anonymous guide to launching denial-of-service attacks from Pastebin, modified it to include a link to Slowloris, and reposted the message on Pastebin to snare victims. Source:

17. March 2, U.S. Securities and Exchange Commission – (National) Judge orders Brookstreet CEO to pay $10 million penalty in SEC case. The U.S. Securities and Exchange Commission (SEC) announced March 2 that a federal judge has ordered the former chief executive officer (CEO) of Brookstreet Securities Corp. to pay a maximum $10 million penalty in a securities fraud case related to the financial crisis. The SEC litigated the case beginning in December 2009, when the agency charged the CEO and Brookstreet with fraud for systematically selling risky mortgage-backed securities to customers with conservative investment goals. Brookstreet and its CEO developed a program through which the firm’s registered representatives sold particularly risky and illiquid types of Collateralized Mortgage Obligations (CMOs) to more than 1,000 seniors, retirees, and others for whom the securities were unsuitable. Brookstreet and its CEO continued to promote and sell the risky CMOs even after the CEO received numerous warnings these were dangerous investments that could become worthless overnight. The fraud caused severe investor losses and eventually caused the firm to collapse. Source:

18. March 1, USA Today – (International) Phishing scam targets taxpayers who use tax software. The growing popularity of tax preparation software has led to a rise in e-mail scams targeted at do-it-yourself taxpayers, USA Today reported March 1. Intuit, parent of TurboTax and numerous other tax preparation products, has seen a “marked increase” this year in reports of fraudulent e-mails that claim to come from it, a spokeswoman said. Recent examples included one with “Your order confirmation” in the subject line. Another read: “QuickBooks Security Notice.” In addition to stealing financial data, some of these e-mails contain fake Web links that could download viruses. Identity thieves target tax software providers for two reasons: volume and confusion. Spammers who send mass e-mails have a good chance of hitting many tax software users. More than 24 million taxpayers used TurboTax last year; more than 50 million purchased some kind of Intuit product, the Intuit spokeswoman said. TurboTax, H&R Block and other software providers also routinely send customers e-mails advising them of the status of their tax returns. For that reason, customers often feel they cannot afford to ignore what appears to be an e-mail from their software provider, the spokeswoman said. Source:

19. March 1, Baltimore Sun – (Maryland) Glen Arm home builder arrested in $14M investment fraud. A Glen Arm, Maryland home builder was indicted March 1 in connection with a $14 million investment fraud, prosecutors said. A federal grand jury indicted the man for conspiring to commit wire fraud, Maryland’s U.S. attorney’s office announced. The builder, as well as a co-conspirator, told investors that in order to obtain loans for commercial real estate projects, he needed an escrow account with “large sums of money” that showed the business had “liquidity,” according to a statement from the U.S. attorney’s office. Investors, assured by an agreement that said no one could touch their funds without their authorization, gave the man the money to put into the account, the statement said. For at least 2 years, from August 2009 to August 2011, the man and his colleague withdrew millions from the escrow account and used it to pay off personal and business debts, according to federal prosecutors. They hid their fraud by sending out fake bank statements, and paid money owed to early investors with funds invested later on, according to the statement. If convicted, he faces up to 20 years in prison. Source:,0,3679365.story

20. March 1, Associated Press – (Tennessee) 2 Georgia men accused of using counterfeit ATM cards in Tennessee to steal about $72,000. A federal grand jury in Chattanooga, Tennessee, has indicted two Georgia men on charges they used counterfeit ATM cards to steal about $72,000 from bank customers, the Associated Press reported March 1. According to the U.S. attorney’s office, the two men are accused of using the counterfeit ATM cards, bank fraud, and aggravated identity theft. Prosecutors said the two used a skimmer to obtain bank account numbers and PINs of Regions Bank customers in September and October 2011 in East Ridge, Tennessee. Investigators said the two were found with 39 counterfeit ATM cards last October. Source:

21. March 1, Associated Press – (California) Southern California bank hostage rescued. SWAT officers in Buena Park, California, rescued a bank manager held at gunpoint by a would-be robber who was arrested March 1 after being wounded in a shootout with police. The female manager was safe after police shot the middle-aged suspect as he went to the front of the Saehan Bank with the female banker at gunpoint, the Buena Park police chief said. Video from a television helicopter showed at least eight officers with guns drawn approaching the bank in a small strip mall when the front window shattered and the woman was pulled from inside the shattered door. Three officers suffered minor wounds to their arms, but it was not immediately known how they received their injuries or whether the gunman returned fire. The gunman, who has not been identified, was in custody and listed in serious condition. He entered the bank shortly after 11 a.m. and seven people inside were released, authorities said. The police chief characterized the incident as a botched robbery and said the man, armed possibly with a shotgun, had made demands during the 4-hour standoff. “He was coming out the door to retrieve something he demanded” when the shooting occurred, the chief said. Source:

Information Technology

46. March 2, H Security – (International) Phishing via NFC. At the RSA Conference 2012, McAfee’s chief technology officer (CTO) and several of his colleagues demonstrated a range of different attacks on mobile devices. They demonstrated an attack on a near field communication (NFC)-enabled smartphone: the attacker simply attaches a modified NFC tag to a legitimate surface such as an advertising poster. The poster’s regular NFC tag took the browser to a donations Web site, where the donor’s details could be recorded. However, the modified secondary tag diverted the smartphone browser to a phishing site that pretended to be part of the charity. The CTO said such attacks have already been observed in the wild. The CTO also demonstrated how to take control of an iPad. When a victim clicks on a link in an e-mail, a PDF file is downloaded, and malware is installed without the user’s knowledge via a vulnerability in the iOS code for processing PDFs. Although the attack is based on a vulnerability that has long been closed by Apple, the expert said he assumes that newer iOS versions will continue to be vulnerable via jailbreaks. Once a device becomes infected, it establishes a connection to the command and control server and transfers, for example, its location. One click on the symbol displayed in Google Maps on the attacker’s system gives access to several options: to retrieve the SMS database, record the device environment using the microphone, or access the keychain. The keychain contains any passwords for applications and online services that are stored on the device. Source:

47. March 1, H Security – (International) Bug in Plesk administration software is being actively exploited. A critical security vulnerability in the Plesk administration program is currently being actively used to compromise affected servers. Plesk is used most often by hosting providers and provides a Web front-end for administering rented servers. The vulnerability seems to be a SQL injection problem, which an attacker can exploit to gain full administrative access to a system. Linux and Windows versions of Parallels Plesk Panel 7.6.1 - 10.3.1 are affected. Parallels, the company that publishes the software, has already fixed the vulnerability in the current versions and is even offering micro-updates whose only purpose is to fix the problem. Source:

48. March 1, H Security – (International) Report: Thousands of embedded systems on the net without protection. At the RSA Conference 2012, a Zscaler researcher provided evidence many embedded Web servers (EWS) can be easily accessed by outsiders via the Internet. Where multi-function printers or video conferencing systems are concerned, this can cause serious data leaks: the printers store scanned, faxed, and printed files on hard disks and then disclose documents. Video conferencing hardware allows outsiders to monitor rooms remotely or listen to meetings in progress. The researcher’s aim was to scan 1 million Web servers and create a catalog of all the EWS he found. After a round of testing, he entered typical character strings from the EWS Web pages into Shodan. A scan managed to examine the 1 million servers in a short time and came up with the following results: many thousands of multi-function devices, 8,000 Cisco IOS devices, and almost 10,000 VoIP systems and phones did not require any log-in authentication. The majority of the devices were not protected by passwords. This means any Web user can access their Web interfaces through a browser and view the documents stored on such photocopiers and printers, forward incoming faxes to an external number, or record scan jobs. The scan run also identified more than 9,000 video conferencing systems by Polycom and Tandberg (now Cisco). The researcher used a video to demonstrate how he managed to monitor the targeted conference rooms via an accessible video conferencing system that provided both sound and images. Source:

49. March 1, New York Times – (International) Et tu, Google? Android apps can also secretly copy photos. As the New York Times reported the week of February 27, developers who make applications for Apple iOS devices have access to a user’s entire photo library as long as that user allows the app to use location data. It turns out that Google, maker of the Android mobile operating system, takes it one step further. Android apps do not need permission to get a user’s photos, and as long as an app has the right to go to the Internet, it can copy those photos to a remote server without any notice, according to developers and mobile security experts. It is unclear whether any apps available for Android devices are actually doing this. Source:

50. March 1, Computerworld – (International) Internet voting systems too insecure, researcher warns. Internet voting systems are inherently insecure and should not be allowed in the upcoming general elections, a noted security researcher said at the RSA Conference 2012. The researcher, a computer scientist at Lawrence Livermore National Laboratories and chairman of the election watchdog group Verified Voting, called on election officials around the country to drop plans to allow an estimated 3.5 million voters to cast their ballots over the Internet in 2012’s general elections. In an interview with Computerworld, he warned the systems that enable such voting are far too insecure to be trusted and should be jettisoned altogether. A total of 33 states allow citizens to use the Internet to cast their ballots. In a majority of cases, those eligible to vote over the Internet receive their blank ballots over the Web, fill them in, and submit their ballots via e-mail as a PDF attachment. Some states, such as Arizona, have begun piloting projects that allow eligible voters to log in to a Web portal, authenticate themselves, and submit their ballots via the portal. Source:

51. March 1, IDG News Service – (International) Republican Senators introduce their own cybersecurity bill. Republican Senators introduced cybersecurity legislation March 1 after saying an earlier bill would create costly regulations for businesses. The sponsors of the new Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology (SECURE IT) Act also complained they did not have enough input on the earlier legislation. They touted the bill as a less regulatory alternative to the Cybersecurity Act, a bill introduced by two Democrats, an Independent, and a Republican in February. The Cybersecurity Act would allow the secretary of DHS to designate some private networks as critical infrastructure and require them to submit security plans to the agency. However, the SECURE IT Act has no such rules, instead focusing on encouraging private companies and the federal government to share more information about cyberthreats, sponsors said. The new bill would give legal protections to private groups that share data. The older bill also includes information-sharing provisions, but critics said legal protections would cover only businesses that share data with the U.S. government. The new bill would also increase the prison terms for many cyber crimes. Source:

For more stories, see items 13, 15, 16, and 18 above in the Banking and Finance Sector and 52, 53, and 54 below in the Communications Sector

Communications Sector

52. March 2, Reuters – (Virginia; National) Pentagon suffers Internet access outage. An unspecified number of U.S. Defense Department personnel in the Washington D.C. area and in the Midwest were cut off from the public Internet for nearly 3 hours March 1 because of technical problems, a department spokeswoman said March 2. The outage was not caused by any malicious activity, said the spokeswoman, who is an Air Force lieutenant colonel. She said the networks were back up and operating at normal capacity. The department’s Defense Information Security Agency worked with commercial vendors and “mission partners” to reroute critical DoD traffic and to mitigate the issue until technical issues were resolved, she said. The number of people affected by the outage was not known, “but is estimated in the thousands, given the number of people who work in the Pentagon,” the lieutenant colonel told Reuters. Source:

53. March 2, Boston Globe – (National) Hacker convicted of stealing Internet access. A man was convicted March 1 in federal court in Boston on fraud charges in connection to a $1 million scheme to steal Internet access and sell products that allowed others to do the same. The jury convicted the man on seven of eight counts. Prosecutors said the man built a lucrative business between 2003 and 2009 that helped people defraud cable companies. To access Internet service, the defendant would modify, or uncap, a modem to remove filters set up by the Internet service provider, allowing the modem to have a quicker connection without the Internet service provider being able to throttle it. He would also copy other people’s modem addresses, or identification codes that Internet providers use to confirm a user is a paid subscriber. According to an indictment, he was the founder and president of TCNISO Inc., a San Diego-based company whose primary business was to sell cable modem hacking software and hardware products. He and others developed hacking products that had names including Sigma, Blackcat, and DreamOS, that allowed computer users to get access to the Internet without paying for it, according to prosecutors. He also offered products that let users disguise their online identities when downloading pirated movies, records show. Source:

54. March 1, Arizona Republic – (Arizona; California; Nevada) Cox voice-mail service restored. Cox Communications residential phone customers in metro Phoenix said their voice-mail service was restored March 1 following an outage that lasted at least 9 days. However, Cox officials said some customers may experience intermittent problems while technicians finalize repairs to the voice-mail system’s hardware. Cox officials said March 1 that about 200,000 customers in Arizona, Southern California, and the Las Vegas area had been without the ability to leave or retrieve voice-mail messages. During the outage, customers still had the ability to make and receive phone calls. The voice-mail glitch did not affect Cox business customers, only those with residential service, the company said. Some customers were irked March 1 that in repairing the system, Cox had wiped out all saved messages, personal settings and greetings. It was the effort to save customer data that delayed the company from getting the system back online sooner following a hardware-related failure, Cox’s vice president for public affairs said March 1 in an interview. Cox has more than 2 million cable-TV, Internet and telephone customers in Arizona, including an estimated 1.7 million customers in the Phoenix area. Source:

For more stories, see items 46, 48, and 49 above in the Information Technology Sector