Tuesday, May 8, 2012

Complete DHS Daily Report for May 8, 2012

Daily Report

Top Stories

• The Industrial Control Systems Cyber Emergency Response Team identified an active series of cyber intrusions targeting natural gas pipeline sector companies that began in December 2011 and continued for at least 5 months. – Industrial Control Systems Cyber Emergency Response Team

4. May 4, Industrial Control Systems Cyber Emergency Response Team – (National) Gas pipeline cyber intrusion campaign. In March, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) identified an active series of cyber intrusions targeting natural gas pipeline sector companies, ICS-CERT reported May 4. Various sources provided information to ICS-CERT describing targeted attempts and intrusions into multiple natural gas pipeline sector organizations. Analysis of the malware and artifacts associated with these cyber attacks has positively identified this activity as related to a single campaign. It appears to have started in December 2011 and remains active. Analysis showed the spear-phishing attempts have targeted a variety of personnel within these organizations; however, the number of persons targeted appears to be tightly focused. In addition, the e-mails have been convincingly crafted to appear as though they were sent from a trusted member internal to the organization. ICS-CERT has issued an alert to the United States Computer Emergency Readiness Team Control Systems Center secure portal library and also disseminated it to sector organizations and agencies to ensure broad distribution to asset owners and operators. ICS-CERT is currently engaged with multiple organizations to identify the scope of infection and provide recommendations for mitigating it and eradicating it from networks. Source: http://www.us-cert.gov/control_systems/pdf/ICS-CERT_Monthly_Monitor_Apr2012.pdf

• An Iowa man was convicted of mailing pipe bombs and threatening letters to investment companies in a failed bid to get the firms to artificially drive up the value of certain stocks. – Reuters See item 14 below in the Banking and Finance Sector

• A fire at the Mount Zion, Illinois Fire Department’s station caused an estimated $3 million in damages to equipment and the building. – Decatur Herald-Review

32. May 6, Decatur Herald-Review – (Illinois) Mount Zion firehouse, equipment ravaged by blaze. The Mount Zion Fire Department in Mount Zion, Illinois, suffered an estimated $3 million in damages after a fire May 5. Firefighters from nearby departments arrived quickly and put out the fire, but the department lost two expensive firefighting vehicles and its entire new addition, which housed its training center, kitchen, dining area, and bunkhouse. It is believed the fire was started by a short circuit in the cab of a 2000 American LaFrance ladder truck, according to the fire chief. The interior of the cab caught fire, the aluminum cab started melting, and “that opened it up to starting the rest of the building on fire.” A firefighter tried to save the engine next to the burning truck, but when the garage door failed to open, the firefighter quickly exited the vehicle and escaped from the building. Source: http://www.herald-review.com/news/local/mount-zion-firehouse-equipment-ravaged-by-blaze/article_27e96282-9730-11e1-8aaf-001a4bcf887a.html

• New York City’s 9-1-1 system is riddled with problems that could cost crucial seconds in dispatching emergency services despite a $2 billion overhaul, a city government report found. – New York Post (See item 34)

34. May 5, New York Post – (New York) City report trashes 911 call response. New York City’s 9-1-1 system is riddled with problems that could cost crucial seconds in dispatching emergency services despite a $2 billion overhaul, a May 4 report released by the city’s mayor found. The shortcomings of the $2 billion system, launched in May 2009, were numerous and resulted in 14 recommendations for improvements included in the report. Most centered on the lack of coordination between police and fire departments in creating what was supposed to be a “unified” response to get emergency vehicles to the scene more quickly. Among the findings: there is no unified governance structure for 9-1-1; city police department (NYPD) and city fire department (FDNY) call takers waste valuable time asking duplicative questions and taking identical actions for the same 9-1-1 caller; 9-1-1 operators answer every call by stating their ID number, a practice dating back to before computers; under current protocols, callers in distress have to wait until the seventh question to be asked the most critical question: “What is the emergency?”; and the FDNY and NYPD do not have agreed-upon policies or training curriculum for how to respond to a surge of 9-1-1 calls and use separate maps. Furthermore, 38 percent of all 9-1-1 calls in 2010 were made by accident. Most were thought to be “pocket dials” by cell phones, eating up precious seconds that could be devoted to genuine emergencies. Source: http://www.nypost.com/p/news/local/city_report_trashes_call_response_C17IyeQDrAXQ39XAuItTYM

• Although States have made huge strides in emergency and natural disaster preparedness, they are still vulnerable to cyber disasters, said the Federal Emergency Management Agency’s National Preparedness Report. – Government Security News See item 44 below in the Information Technology Sector


Banking and Finance Sector

11. May 6, Boston Globe – (Massachusetts) FBI searching for woman who allegedly robbed 5 banks, including three Dorchester banks on Friday. The FBI was searching for a woman who allegedly robbed five banks in Boston since mid-April, including three May 4, officials said. A spokesman for the city’s FBI unit said surveillance tapes showed a woman allegedly slipping a note demanding cash from five different banks. A Boston Sovereign Bank was robbed April 13, and another branch of the bank in Dorchester was robbed April 21. Three more banks were robbed — authorities believe by the same woman — May 4: the Jamaica Plain-based Mt. Washington Bank; a Members Credit Union in Dorchester; and a Citizens Bank in Boston. Source: http://www.boston.com/metrodesk/2012/05/fbi-searching-for-woman-who-allegedly-robbed-banks-including-three-dorchester-banks-friday/PFgP3AgcJ7mxX2Hcdcc2FI/index.html

12. May 5, KNBC 4 Los Angeles – (California) ‘Snowboarder Bandit’ arrested: FBI. A man believed to be the “Snowboarder Bandit” was arrested in connection with robbing at least 10 banks across southern California since December 2011. FBI officials were expected to announce more details the week of May 7. A task force of local and federal authorities in a bank robbery apprehension team worked with the Irvine Police Department on the case. The suspect was arrested at his home in Riverside, California. He was linked to three robberies in Palm Desert and Oxnard, and an attempted robbery in Bermuda Dunes, an FBI spokeswoman said. FBI officials credited media coverage, which included bank surveillance photos, for helping develop leads. The “Snowboarder Bandit” was on the FBI’s most-wanted list of southern California bank robbers. The suspect earned his nickname because of his youthful appearance and the knit hat and ski clothes he wore as a disguise. Source: http://www.nbclosangeles.com/news/local/Snowboarder-Bandit-Arrest-150285675.html

13. May 5, Los Angeles Times – (California) ‘Explosives Threat Bandit’ charged in string of robberies. A man known as the “Explosives Threat Bandit” for threatening tellers with a bomb device was charged the week of April 30 in a string of bank heists he allegedly pulled off in the Los Angeles area. He was indicted by a federal grand jury on eight counts of bank robbery and attempted bank robbery, the FBI said May 5. He was arrested by Los Angeles police in mid-April and is being held without bail in a federal detention facility in California City. In the first two robberies, in November 2011, he allegedly left a package of wires and electronic devices that he said an accomplice would set off if tellers did not do what they were told. This “establishment will not exist,” he warned in one note. The bombs were fakes, and authorities said the suspect later switched to a more standard modus operandi, brandishing a handgun. The five robberies and three attempted robberies involved branches of major banks in west Los Angeles, Santa Monica, and Venice. The amounts taken ranged from $245 to $15,534. Source: http://latimesblogs.latimes.com/lanow/2012/05/bank-robber-.html

14. May 4, Reuters – (National) Iowa man convicted in bomb plot targeting financial firms. An Iowa man was convicted May 4 of mailing pipe bombs and threatening letters to investment companies in a failed bid to get the firms to artificially drive up the value of certain stocks. A jury in Chicago found the man guilty of one count of using a destructive device while mailing a threatening communication, two counts of possessing an unregistered destructive device, and nine counts of mailing a threatening communication. Prosecutors said the man, writing under the name “The Bishop,” sent a series of letters to financial institutions in 2005, demanding they move a number of stocks he had an interest in to specific price targets by specific dates. The U.S. Postal Inspection Service, which led the 100-member task force that investigated the mailings and ultimately tracked them to the man, said the letters and packages contained recurring phrases, including “Life is full of choices,” “Bang you’re dead,” and “Tic-Toc.” Prosecutors said the man’s motive was financial. At trial, they presented evidence he had opened option contracts in two of the firms mentioned in the letters, and the value of those positions would have increased if the underlying stocks had moved in the direction he demanded. The mailings took an ominous turn in 2007 when American Century Investment Management in Kansas City, Missouri, and Janus Capital Group in Denver received threatening notes and functional, but disarmed, pipe bombs. The device sent to Denver was rerouted to the firm’s Chicago office where police intercepted it. On the day the suspect was arrested, investigators recovered two additional assembled pipe bombs in a storage locker he rented that were similar to the mailed ones. Source: http://www.chicagotribune.com/news/sns-rt-us-crime-bomber-iowabre844005-20120504,0,1448561.story

Information Technology

38. May 7, Computerworld – (International) Adobe preps silent Flash updates for Macs. May 4, Adobe released a new beta of Flash Player, 11.3 or “Beta 3,” that includes silent updates for Macs. This updated program pings Adobe’s servers every hour until it receives a response. If it reaches Adobe and finds no ready update, the tool re-checks the servers 24 hours later. Found updates are applied entirely in the background, and do not display notices on the screen or require the user to take any action. By default, Flash 11.3 has silent updates switched on, but users can change the setting to continue to receive on-screen alerts. Another prominent feature is a “sandboxed” plug-in for Mozilla’s Firefox on Windows Vista and Windows 7, the second step in Adobe’s plan to stymie attacks that exploit unpatched Flash bugs. Adobe plans to ship the final version of Flash Player 11.3 before the end of June. Source: http://www.computerworld.com/s/article/9226921/Adobe_preps_silent_Flash_updates_for_Macs

39. May 7, Help Net Security – (International) Phishers mimic OpenID to steal credentials. New spam e-mail campaigns are taking advantage of users’ vague familiarity with the OpenID authentication method to phish their log-in credentials for many different and popular online services, warn Barracuda Labs researchers. The e-mails in question currently take the form of an offer from a real estate company or of a bogus UPS tracking alert. After following the offered link, users are presented with a fake log-in page hosted on a compromised site. The page itself does not mention OpenID, but the logos of large and popular Web sites that use and provide the option of OpenID authentication (Google, AOL, Yahoo!, etc.) can fool users into thinking the page is legitimate. Whichever e-mail provider the user selects, a pop-up window requesting log-in credentials appears. “This is not how OpenID authentication works,” the researchers point out. “With genuine OpenID authentication we would be directed to a secure Yahoo Web page which would ask for credentials.” In this case, the input credentials are simply forwarded in plain text to a remote server operated by the phishers, and the user is redirected to the real estate agency’s or UPS’ legitimate Web site. Source: http://www.net-security.org/secworld.php?id=12874&utm

40. May 7, IDG News Service – (International) PHP will try again to patch chip flaw. The PHP Group plans to release new versions of the PHP processor May 8 to patch two publicly known critical remote code execution vulnerabilities, one of which was improperly addressed in a May 3 update. One of the vulnerabilities is known as CVE-2012-1823 and is located in php-cgi, a component that allows PHP to run in a Common Gateway Interface (CGI) configuration. It was discovered and reported to the PHP Group in mid-January by a team of computer security enthusiasts called De Eindbazen. The bug allows URL query strings that contain the “-” character to be interpreted by the php-cgi binary as command line switches, such as -s, -d, -c. The vulnerability can be exploited to disclose source code from PHP scripts or to remotely execute arbitrary code on vulnerable systems. May 3, the PHP Group released PHP 5.3.12 and PHP 5.4.2 as emergency updates to address the remote code execution flaw after technical details about it were accidentally made public. However, shortly afterward, the creator of the Suhosin PHP security extension and other security experts noted the CVE-2012-1823 fix included in PHP 5.3.12 and PHP 5.4.2 can easily be bypassed. The PHP Group acknowledged the ineffectiveness of its original patch May 6 and announced plans to release new updates May 8. Source: http://www.computerworld.com/s/article/9226923/PHP_will_try_again_to_patch_chip_flaw
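The mechanism item 40 describes (a query string that php-cgi receives as command-line switches) leaves a recognizable trace in web-server access logs, which is useful while an operator waits for the corrected release. The following scanner is an added example written for this digest; it is not code from the DHS report, IDG, or the PHP Group. It assumes Common Log Format access logs and relies on the CGI rule (RFC 3875 §4.4) that a QUERY_STRING without an unencoded “=” is decoded by the server and passed to the CGI program as command-line arguments. The function names, the log format regex, and the sample log lines are all constructed for the example.

```python
"""Flag access-log requests whose query string php-cgi would have parsed as
command-line switches (the CVE-2012-1823 pattern from item 40).

Added detection example; not part of the original report. Assumes Common Log
Format lines and a php-cgi deployment that serves .php files."""
import re
from urllib.parse import unquote

# Common Log Format: host ident user [time] "METHOD TARGET PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic). Line 2 and line 4 carry
# the switch-like query; line 3 is an ordinary key=value request.
SAMPLE_LOG = [
    '198.51.100.4 - - [08/May/2012:09:58:12 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '203.0.113.9 - - [08/May/2012:10:15:01 +0000] "GET /index.php?-s HTTP/1.1" 200 512',
    '198.51.100.4 - - [08/May/2012:10:15:07 +0000] "GET /index.php?id=5 HTTP/1.1" 200 2048',
    '203.0.113.9 - - [08/May/2012:10:16:40 +0000] "GET /wp/index.php?%2ds HTTP/1.1" 200 512',
    '198.51.100.7 - - [08/May/2012:10:17:02 +0000] "GET /index.php?page-3 HTTP/1.1" 404 210',
]


def query_is_switch_like(query: str) -> bool:
    """True when a CGI server would hand this query to php-cgi as argv and the
    first argument begins with '-'.

    RFC 3875 §4.4: only a QUERY_STRING with no unencoded '=' is passed as
    command-line arguments, and the server percent-decodes it first. So the
    '=' test runs on the raw string and the '-' test on the decoded one."""
    if not query or "=" in query:
        return False
    return unquote(query).startswith("-")


def scan_access_log(lines, suffixes=(".php",)):
    """Return (client, request-target) pairs for requests that match the
    switch-like pattern against a script php-cgi would execute."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess at the format
        target = m.group("target")
        path, _, query = target.partition("?")
        if path.endswith(suffixes) and query_is_switch_like(query):
            hits.append((m.group("host"), target))
    return hits


if __name__ == "__main__":
    for host, target in scan_access_log(SAMPLE_LOG):
        print(f"switch-like php-cgi query from {host}: {target}")
```

The decode-then-test order matters: a percent-encoded hyphen reaches php-cgi as a literal “-” because the server decodes argv before exec, so a scanner that matches only on the raw query would miss it, while a raw “=” anywhere in the query disqualifies it from argv treatment regardless of encoding. Feeding the function a real log means swapping `SAMPLE_LOG` for `open(path)`.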

41. May 6, KTVB 7 Boise – (Oregon) Four treated for chemical exposure at Intel. Three men were taken to hospitals in the Hillsboro, Oregon area after they ingested chemicals released on the Intel campus May 5, and a fourth man was treated for skin exposure. An Intel HAZMAT team responded to a report the four employees were exposed to the chemicals, made up mostly of sodium nitrate, a Hillsboro Fire Department official told KGW 8 Portland. Primary and secondary safety procedures failed during a chilling process, he said. The men were decontaminated on site in the Ronler Acres area of the campus. Soon afterward, they started to experience symptoms and fire crews were called in. The public was not in danger; the chemicals were contained on site. Source: http://www.ktvb.com/news/regional/150356595.html

42. May 6, IDG News Service – (International) Apple engineering mistake exposes clear-text passwords for Lion. Apple’s latest update to OS X contains a programming error that reveals the passwords for material stored in the first version of FileVault, the company’s encryption technology, a software consultant said. He wrote on Cryptome that a debugging switch inadvertently left on in the current release of Lion, version 10.7.3, records in clear text the password needed to open the folder encrypted by the older version of FileVault. Users who are vulnerable are those who upgraded to Lion but are still using the older version of FileVault. The debug switch will have recorded the Lion passwords of anyone who logged in since the upgrade to version 10.7.3, released in early February. Apple has two versions of FileVault. The first version allowed a user to encrypt the contents of the home folder using the Advanced Encryption Standard (AES) with 128-bit keys. An upgraded product, FileVault 2, which shipped with OS X Lion, encrypts the entire content of the hard drive. When someone upgrades to Lion but still uses the first version, the encrypted home folder is migrated, and it is that migrated folder’s password that this issue exposes. The consultant said the password is accessible to anyone with root or administrator access. He said passwords can also be read by “booting the machine into FireWire disk mode and reading it by opening the drive as a disk or by booting the new-with-Lion recovery partition and using the available superuser shell to mount the main file system partition and read the file.” Source: http://www.computerworld.com/s/article/9226916/Apple_engineering_mistake_exposes_clear_text_passwords_for_Lion

43. May 4, Help Net Security – (International) 1,000+ WordPress sites compromised through automatic update feature. More than 1,000 WordPress blogs were modified to redirect visitors to sites serving malware, to affiliate and pay-per-click redirectors, and to low quality PPC search result aggregators, through WordPress’ automatic update feature. The individuals behind the attack discovered how to add the malicious code to the update.php file, which prompts WordPress to update. This code then injects other code into the wp-settings.php file, which carries out the redirects. Source: http://www.net-security.org/secworld.php?id=12865

44. May 4, Government Security News – (International) Cyber security is weakest link in state preparedness, according to FEMA survey. Although States have made huge strides in emergency and natural disaster preparedness, they are still vulnerable to cyber disasters, according to the Federal Emergency Management Agency National Preparedness Report released May 4. The study said despite progress across core areas such as planning and operational coordination for natural disasters, and information sharing among intelligence agencies on terror activity, States indicated cybersecurity was their weakest core capability. Source: http://www.gsnmagazine.com/node/26273

For another story, see item 4 above in Top Stories

Communications Sector

45. May 7, FierceCable – (National) Dish Network suffers satellite ‘anomalies’; gains 104,000 subs in Q1 2012. Dish Network experienced several technical glitches with its satellites during the first quarter of 2012, including “solar array anomalies” that hit three of its satellites, according to a May 7 U.S. Securities and Exchange Commission filing. The company said its EchoStar XI, EchoStar XIV, and EchoStar VI satellites experienced solar array anomalies, and EchoStar I suffered a “communications receiver anomaly.” Dish said the glitches experienced by EchoStar XI and EchoStar XIV “reduced the total power available for use by the spacecraft,” and EchoStar VI experienced the loss of two traveling wave tube amplifiers. The amplifiers are used to boost the strength of signals that deliver programming from satellite transponders. EchoStar warned that EchoStar VI experienced solar array anomalies that have previously impacted its commercial operation, and that future anomalies could hurt the satellite. Dish did not say what may have caused the glitches, but solar flare activity could be impacting the satellites. In September 2011, Dish suffered an outage that saw subscribers lose high-definition networks. It blamed that outage on “human error” in the ground operation of a satellite operated by SES Americom. Source: http://www.fiercecable.com/story/dish-network-suffers-satellite-anomalies-gains-104000-subs-q1-2012/2012-05-07

46. May 5, Brattleboro Reformer – (Vermont) Brattleboro Community Radio is back on the air. Brattleboro Community Radio, WVEW 107.7 FM Brattleboro, Vermont, was back on the air May 5. After a fire at the Brooks House destroyed the station’s equipment in 2011, it took almost 12 months for the volunteers to reorganize, purchase new equipment, and find a new location for the studio and antenna. Federal Communications Commission rules require that radio stations get back on the air within 12 months of fires. The station had until early May and was able to meet the deadline by about a week. WVEW is broadcasting from a new studio. The station also built a new antenna at the Vermont Center for the Deaf and Hard of Hearing that will send a stronger signal across town. Source: http://www.reformer.com/ci_20554001/brattleboro-community-radio-is-back-air-overcoming-brooks?source=most_viewed

For another story, see item 42 above in the Information Technology Sector