Monday, June 11, 2012

Complete DHS Daily Report for June 11, 2012

Daily Report

Top Stories

• The two-unit San Onofre nuclear plant in San Diego County will be shut through the end of August, straining electric supply during the State’s high-demand summer period. – Reuters

4. June 8, Reuters – (California) San Onofre nuclear units in Calif. to be shut through August. The two-unit San Onofre nuclear plant in San Diego County will be shut through the end of August, straining electric supply during the State’s high-demand summer period, the plant’s operator said June 7. The utility said it will submit a plan to regulators by the end of July to outline a schedule to restart Unit 2, but the plan requires the approval of nuclear regulators, which will take additional time. The 2,150-megawatt nuclear station is critical to the grid to import electricity into southern California, the State independent system operator has said. San Onofre’s extended shutdown raises the possibility of rolling power outages as warmer temperatures boost demand for power over the summer. A plan to restart Unit 3 will take longer to file with nuclear regulators due to the type of damage found there. The 5-month outage began following the discovery of premature tube wear in steam generators made by Mitsubishi Heavy Industries and installed within the past 2 years. Source:

• A new federal report indicated drought will persist and intensify in more than a dozen States, imperiling corn and many other crops. – Ag Professional

11. June 8, Ag Professional – (National) Drought dominates Corn Belt in La Nina’s wake. La Nina may be gone, but the persistent drought that plagued Texas in 2011 has now slowly expanded to other areas of the United States, Ag Professional reported June 8. A map of the country’s midsection is now highlighted with a bright yellow in the U.S. Department of Agriculture’s latest Drought Monitor, posing as a warning of a potential drought that could soon be tightening its grip on the region. Colorado, Kansas, Iowa, Illinois, Missouri, Oklahoma, and Texas are the latest to be covered by an overwhelming majority of land rated as abnormally dry to moderate drought. In the High Plains, less than 30 percent of the area is free from any drought or dryness, primarily in the Dakotas and Nebraska. A snow drought has turned into an extreme drought for areas of northwestern Colorado, and 100 percent of the State is in some state of abnormal dryness or drought. To the east, about 60 percent of Kansas is considered to be in a drought, compared to 32 percent the week of May 28. Long-term outlooks suggest little relief for most areas. In the Seasonal Drought Outlook, the drought is expected to persist or intensify over many areas to the west of the Mississippi River. Experts are also anticipating the drought to persist in Arkansas and Missouri, as well as parts of Illinois, Indiana, Kentucky, Tennessee, and Alabama. Source:

• Severe weather briefly knocked a Colorado Statewide emergency digital radio frequency offline June 6. – Pueblo Chieftain

24. June 8, Pueblo Chieftain – (Colorado) Emergency radio system fails. Severe weather briefly knocked the Colorado Statewide Digital Trunked Radio System offline the night of June 6. “It was a momentary glitch. It was a meteorological anomaly,” a city radio technician said. Heavy rain and hail pounded Colorado Springs and Southern Colorado, two areas where radio towers are stationed that maintain the statewide frequency. The weather in those areas caused the frequency to go offline in Pueblo. The statewide frequency allows law enforcement and emergency responders to communicate on a single radio wave in the event of a large emergency. Source:

• A customer cooking methamphetamine inside a soda bottle in her purse caused the evacuation of a St. Louis Walmart store for hours June 7. – St. Louis Post-Dispatch

41. June 8, St. Louis Post-Dispatch – (Missouri) Woman caught cooking meth inside a south St. Louis County Walmart. A customer cooking a so-called “one pot” batch of methamphetamine inside a soda bottle in her purse caused the evacuation of a St. Louis Walmart store June 7. The woman was caught shoplifting an item unrelated to meth-making when store security and then police discovered the 20-ounce bottle. The store full of customers was evacuated because of the possible dangers of the chemical concoction. “It had the potential to be flammable or blow up at any time,” a police lieutenant said. He described the initial situation inside the store as “volatile,” but said the evacuation was mostly precautionary. The woman and a male companion were arrested. Police investigators also confiscated several meth-making precursors from the suspects’ car in the Walmart parking lot. The store was scheduled to reopen many hours after the incident. Source:


Banking and Finance Sector

5. June 8, Charleston Post and Courier – (South Carolina) Check fraud went undetected for almost 10 years at Charleston-based CresCom Bank. South Carolina’s CresCom Bank is bracing for a loss of as much as $4.5 million in the wake of what it called a check-kiting scheme that went undetected for nearly 10 years, the Charleston Post and Courier reported June 8. Carolina Financial Corp., the coastal lender’s privately held owner, disclosed the discovery in its latest quarterly report to shareholders. The transactions were traced to one “business customer” and involved monetary transfers between at least two banks, according to a letter from the chairman of Carolina Financial. He told shareholders the alleged fraud was discovered after March 31 and still was being investigated. Since learning of the alleged fraud, CresCom has put additional controls in place over its deposit system “to further reduce this type of risk in the future,” the chairman wrote. Source:

6. June 7, Federal Bureau of Investigation – (Florida) 14 defendants charged in online bank fraud scheme. A U.S. attorney, and the FBI special agent in charge of the Miami Field Office, June 7 announced the indictment of 14 individuals for their involvement in a scheme through which they gained online access to the personal checking and savings accounts of unsuspecting bank customers to steal funds. The indictment said one of the men used stolen personal identification data of unwitting bank customers, including names, birthdates, and Social Security numbers, to impersonate them and access their accounts through their banks’ Web sites. Once he had control of an account, he transferred funds to accomplices, who made their own accounts available to receive the stolen money. He also ordered checks that were used to drain victims’ accounts. He is charged with conspiring to commit bank fraud; 16 counts of substantive bank fraud; 3 counts of aggravated identity theft; and 1 count for destruction of evidence. The indictment alleges two defendants received stolen funds and recruited others to participate. Five other defendants received stolen funds by means of electronic online transfers and charged a fee for this service. Once the defendants received the stolen funds, they and others made withdrawals from different locations and returned the bulk of the proceeds to their handlers. Lastly, six of the defendants are alleged to have cashed stolen checks obtained through the online fraud. Source:

7. June 7, Reuters – (National) Bear Stearns in $275 million shareholder settlement. Former Bear Stearns Co. (Bear) shareholders who claimed they were misled about the investment bank’s deteriorating health agreed to settle their nationwide lawsuit for $275 million, 4 years after the company was bought by JPMorgan Chase & Co. The all-cash settlement, disclosed June 6, resolves claims against Bear and several former executives including the company’s long-time chief executive, his successor, and a former chairman. Investors led by the State of Michigan Retirement Systems asked a New York City judge to grant preliminary approval of the settlement. JPMorgan agreed to purchase Bear March 16, 2008, in an emergency buyout brokered by the U.S. Federal Reserve, as fleeing clients were causing a liquidity crunch that drove Bear to the brink of collapse. After initially agreeing to pay $2 per share for Bear, JPMorgan later consented to pay $10 per share. That was far below the $170 Bear shares once commanded. More than $18 billion of market value at Bear was erased. The settlement covers owners of Bear Stearns stock and call options, and sellers of Bear put options, between December 14, 2006 and March 14, 2008. It was unclear how the $275 million payout will be allocated among defendants, or how much is covered by insurance. The plaintiffs claimed Bear “secretly abandoned any meaningful effort to manage the huge risks it faced” from subprime and other mortgage-related securities. Such exposure contributed to the collapse of two in-house hedge funds in the middle of 2007. Source:

8. June 7, Associated Press – (California) Ex-Ca. fund manager pleads guilty to $7M in fraud. A former California fund manager pleaded guilty to defrauding investors out of millions of dollars as part of an investment scam. Prosecutors said the defendant entered his plea June 7 on four felony federal fraud charges. He had initially been charged with 41 felonies, including loan fraud and obstruction of justice. Prosecutors said the defendant told investors he would use their money to purchase corporate bonds backed by the Troubled Asset Relief Program. He said in his plea he acknowledges losses of more than $7 million to the Iranian-Americans he targeted. Federal prosecutors reserved the right to argue losses to victims totaled more than $20 million. Prosecutors said the defendant funneled the money to support his family’s lavish lifestyle. Source:

Information Technology Sector

27. June 8, IDG News Service – (International) Oracle to issue 14 patches for Java SE. Oracle is planning to ship 14 patches related to Java SE June 12, including a number with the highest level of severity under the common vulnerability scoring system (CVSS) framework, according to a pre-release announcement on the company’s Web site. “Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible,” Oracle said. The patch batch is aimed at security weaknesses in many products, including JDK and JRE 7 Update 4 and earlier; JDK and JRE 6 Update 32 and earlier; and JavaFX version 2.1 and earlier, according to the announcement. A dozen of the 14 fixes can be exploited by an attacker remotely, with no username or password required, Oracle said. A number of the weaknesses have a CVSS base score of 10.0, the highest possible, but Oracle did not provide further specifics. Source:

28. June 8, Help Net Security – (International) New BIOS rootkit spotted. Toward the end of 2011, a Chinese company detected the first rootkit ever that targeted computers’ BIOS in order to be able to reinfect computers over and over again, even after the hard drive is physically removed and replaced. This BIOS rootkit was dubbed Mebromi (or MyBios), and targeted only users who had Award BIOS on their computers. Still, as it came bundled with an MBR toolkit, a kernel mode rootkit, a PE file infector, and a trojan downloader, users who did not have those motherboards and that BIOS were still not spared an infection. Presently, a second BIOS rootkit — dubbed Niwa!mem — was detected by McAfee. Initially a rootkit that infected the master boot record, its latest variant became a “BIOSkit.” “The malware overwrites the original MBR in sector 0 and writes the file to be dropped (the downloader) in hidden sectors. The DLL copies itself to the Recycle folder and deletes itself. The downloader is dropped and executed every time the system is started,” the researchers explain. “All the components dropped will be present in the DLL, including the utility cbrom.exe from the BIOS manufacturer, which the malware uses to flash the BIOS.” Award BIOS is still the target, and while there are some changes in the code of the malware, many strings are near identical, making the researchers speculate the same group developed both Mebromi and Niwa!mem. Source:

29. June 7, IDG News Service – (International) Flame authors order infected computers to remove all traces of the malware. The creators of the Flame cyber-espionage threat ordered infected computers still under their control to download and execute a component designed to remove all traces of the malware and prevent forensic analysis, security researchers from Symantec said June 6. Flame has a built-in feature called SUICIDE that can be used to uninstall the malware from infected computers. However, the week of May 28, Flame’s creators decided to distribute a different self-removal module to infected computers that connected to servers still under their control, Symantec’s security response team said. Even though it is similar in functionality to the SUICIDE feature — both being able to delete many files associated with the malware — the new module goes further. “It locates every [Flame] file on disk, removes it, and subsequently overwrites the disk with random characters to prevent anyone from obtaining information about the infection,” the researchers said. “This component contains a routine to generate random characters to use in the overwriting operation. It tries to leave no traces of the infection behind.” Source:

30. June 7, The Register – (International) LinkedIn users buried in spam after database leak. LinkedIn users were bombarded by spam e-mails after the social network was hacked and hashed passwords of users were posted online. Members of the business network told The Register June 7 they received scores of invitations to “link in” with new connections, often flagged with warnings from their e-mail provider the message could not be verified as coming from Some of the e-mails urging people to input a new password by clicking on a link turned out to be phishing messages. The real LinkedIn password-reset e-mail has no links in it. Passwords alone are not enough to give hackers the ability to distribute spam, meaning the cyber criminals also stole e-mail addresses. Alternatively, the hackers, or the people to whom they gave the data, may still have access to LinkedIn’s databases. Source:

31. June 7, H Security – (International) SeaMonkey 2.10 released, closes security holes. Mozilla’s SeaMonkey Project announced the release of version 2.10 of its open source “all-in-one Internet application suite.” The new version of SeaMonkey closes seven security holes, four of which are rated as critical. These include a buffer overflow and use-after-free issues, as well as a privilege escalation problem in the Mozilla Updater and various memory safety hazards. High impact information disclosure and Content Security Policy inline-script bypass bugs and moderate parsing errors were also fixed. Source:

32. June 7, Threatpost – (International) More sophisticated DDoS attack a new threat to Apache servers. A once-flawed distributed denial-of-service (DDoS) attack targeting the world’s most widely used Web servers has improved its cryptography and attack capabilities to become a more serious threat. MP-DDoser, also known as “IP-Killer,” uses a relatively new low-bandwidth, “asymmetrical” HTTP attack to inflict a denial-of-service attack against Apache Web servers by sending a very long HTTP header. This forces the Web servers to do a great deal of server-side work for a relatively small request. Also, the malware now incorporates multiple layers of encryption. Such sophistication is much different from the first version that appeared as a proof-of-concept Perl script in August 2011 and again months later in the Armageddon DDoS bot, according to a new report by Arbor Networks. Source:

33. June 7, ZDNet – (International) Microsoft to fix dangerous IE, Windows security holes. Microsoft’s June batch of security patches will include critical fixes for dangerous security holes in the Windows operating system and the Internet Explorer browser. According to advance notice from the company, 7 security bulletins will be released to address at least 28 documented vulnerabilities in Microsoft Windows, Internet Explorer, Visual Basic for Applications, Dynamics AX, and the .NET Framework. Three of the seven bulletins (Windows, IE, and .NET) will be rated “critical,” Microsoft’s highest severity rating. The other four bulletins will carry an “important” rating and deal with vulnerabilities that could be exploited in code execution and privilege escalation attacks. This June’s patch batch comes right after the decision the weekend of June 2 to release an emergency fix to thwart “active attacks” that use unauthorized digital certificates derived from a Microsoft Certificate Authority. Source:

34. June 7, SecurityWeek – (International) Criminals bypassing sophisticated device fingerprinting with basic tools. Research from Trusteer shows device fingerprinting, which is used in fraud detection systems, might be a useless layer of protection, after its researchers discovered a manual for bypassing such features being circulated among online criminals. In it, the author explains how to bypass the layered protection found in several fingerprinting systems. The tutorial explains that the usage of commercial VPNs and proxy services will work to defeat the IP protections within the fingerprinting systems, and adds information on how to make sessions from a single system appear as if they originate from different computers, operating systems, and browsers by altering the user agent headers. Source:

35. June 7, Ars Technica – (International) Another hack? warns users to change their passwords. Social music site announced an investigation into a user password leak June 7. As a consequence of a recent leak involving large sites such as LinkedIn (where 8 million passwords could have been compromised) and eHarmony, asked users to change passwords immediately. Users can switch their passwords by logging in and accessing the “Settings” page, or by reporting their password as lost. In the site’s announcement, re-emphasized these are the only ways to change passwords: “We will never e-mail you a direct link to update your settings or ask for your password.” will update the status of the leak in the site’s user forums or through Twitter when more information is available. Source:

For more stories, see items 6 above in the Banking and Finance Sector and 37 below in the Communications Sector

Communications Sector

36. June 8, WTAP 49 Parkersburg – (West Virginia) Telephone outage in Mineral Wells area. Frontier Telephone Service restored power to the Mineral Wells, West Virginia area about 19 hours after an outage from a cut telephone line, the Wood County 9-1-1 director reported June 8. Frontier first reported the problem late the afternoon of June 7. Frontier said the outage likely affected wireless service in that area. People with an emergency who could not reach 9-1-1 were advised to go to the Mineral Wells Volunteer Fire Department for assistance. The department had radio communications with Wood County 9-1-1 if other public safety agencies were needed during the outage. Source:

37. June 8, Martinsburg Journal – (West Virginia) Communication services interrupted in Jefferson County. Local wildlife helped cause a disruption in communications services throughout Jefferson County, West Virginia, June 7 when Frontier Communications found its fiberoptic cables chewed through in two separate locations, said a company spokesman. The situation resulted in portions of the county losing phone and Internet services. The director of Jefferson County Homeland Security and Emergency Management said Jefferson County Emergency Communications (JCEC), the county’s 9-1-1 center, was affected by the outage. However, a JCEC supervisor said the center was able to switch to its backup system. Landlines, cellphones, and Internet access were all affected to varying degrees. “To restore service, we had to acquire 1,600 feet of fiber optic cable,” the Frontier spokesman said. “Some of the cable that required replacement was buried, thus requiring excavation,” he noted. As of 5:30 p.m. June 7, service had been restored to many cellphones and landline phones. Source:

38. June 8, New Tampa Patch – (Florida) Bright House cable, Internet out in New Tampa. Officials working on Interstate 75 construction accidentally severed Bright House lines June 7, cutting off cable and Internet for New Tampa, Florida-area customers. A Bright House spokesman said “a good portion” of New Tampa was affected by the incident but could not provide specific numbers. Cable workers were addressing the issue and expected to have the matter resolved by June 8, the spokesman said. Source:

39. June 6, WFMJ 21 Youngstown – (Ohio) Copper thief responsible for phone outage in Trumbull County. A copper thief was blamed for a phone service outage in Trumbull County, Ohio, June 5. Utility workers spent the afternoon June 5 trying to restore service to parts of Niles and Weathersfield Township. An AT&T spokesperson said someone took telephone lines from utility poles on West Park Avenue. The theft cut service to an undetermined number of homes and businesses in the area. Source:

For another story, see item 30 above in the Information Technology Sector