Friday, June 15, 2012

Complete DHS Daily Report for June 15, 2012

Daily Report

Top Stories

• Researchers identified an ongoing series of cyberattacks targeting defense contractors, supervisory control and data acquisition (SCADA) security companies, and universities. They believe these attacks are tied to China. – Threatpost

5. June 13, Threatpost – (International) Attacks targeting U.S. defense contractors and universities tied to China. Researchers identified an ongoing series of cyberattacks targeting many high-profile organizations, including supervisory control and data acquisition (SCADA) security companies, universities, and defense contractors. The attacks are using customized malicious files to entice targeted users into opening them and starting the compromise. The campaign is using a series of hacked servers as command-and-control (C&C) points and researchers said the tactics and tools indicate the attackers may be located in China. The first evidence of the campaign was an attack on Digitalbond, a company that provides security services for industrial control systems. The attack begins with a spear-phishing e-mail sent to employees of the targeted company and contains a PDF attachment. In addition to the attack on Digitalbond, researchers found the campaign also hit users at Carnegie Mellon University, Purdue University, and the University of Rhode Island. Also, the Chertoff Group, a government consultant, and NJVC, a government contractor, were targeted. Alienvault identified similarities to the so-called Shady Rat attacks first publicized by McAfee in August 2011. The attackers are not hitting random targets with this campaign but are selecting their targets carefully. “According to the information collected, the targets of these campaigns are somehow related with the US government or US Defense contractors directly, providing different services such as authentication software/hardware, Industrial Control Systems security, or strategic consulting,” a researcher at IOActive wrote in an analysis on the attacks. Source:

• Turbulence seriously injured a flight attendant, hurt five other crew members and passengers, and forced a United Airline flight to make an emergency landing at Lake Charles Regional Airport in Louisiana. – Associated Press

10. June 14, Associated Press – (Louisiana) 5 treated for injuries following emergency landing. A flight attendant remains in serious condition after United Airlines Flight 1632 made an emergency landing at Lake Charles Regional Airport June 12. It was diverted to Lake Charles, Louisiana, after three flight attendants were injured during severe turbulence. The flight was bound for New York City’s LaGuardia Airport from Houston. An airport executive director said three crew members were taken to the hospital when the plane landed, and three passengers were taken to the hospital after the aircraft was emptied. Five of the six were treated for injuries and released, according to a hospital spokesman. Source:

• A fire near a Bay Area Rapid Transit station shut down train service between San Francisco and Oakland June 14, snarling the morning commute as thousands of people had to find other ways to get around. – Associated Press

11. June 14, Associated Press – (California) Fire snarls morning commute in Bay Area. A fire near a Bay Area Rapid Transit (BART) station shut down train service between San Francisco and Oakland June 14, snarling the morning commute as thousands of people scrambled to find other ways to get around. On lines stretching for blocks, several hundreds of commuters waited to catch a bus or ferry boat into San Francisco. BART officials hoped to have limited service by the early afternoon, with full service in place for the evening commute. About 400,000 people take BART trains per weekday, the transit agency said. The shutdown also fouled the commute to the East Bay. The fire broke out at a retirement home that was under construction near the West Oakland BART, according to BART officials. It damaged electrical equipment, but train tracks and the elevated concrete structure supporting them were not damaged. BART officials were concerned about power poles in danger of falling on the tracks. The fire jumped to several other structures and also melted parked cars. The cause of the fire is under investigation, but authorities consider it suspicious. Source:

• Microsoft and Google warned about a new Internet Explorer zero-day vulnerability being exploited to hack into Gmail accounts. – ZDNet See item 43 below in the Information Technology Sector

• An electrical explosion occurred at the New York Hilton June 13, leaving three people with injuries, and knocking power out for hours. – New York Daily News

49. June 13, New York Daily News – (New York) Hilton hotel hit by electrical explosion that hurts three people. An electrical explosion occurred at the New York Hilton in New York City June 13, leaving three people with injuries and knocking power out for hours, officials said. Two workers tending to an electrical panel in the basement of the hotel were hurt in the blast. One man was treated at the scene for a head injury and the other was taken to a hospital for minor burns to his hands. When the power cut off, a total of nine people were stuck in two elevator cars for nearly 30 minutes, officials said. Con Edison crews worked into the evening hours to restore power, a hotel spokesman said, while a generator provided limited lighting to the 46-story building. The hotel, with 1,981 rooms, was at full capacity. After 5 hours, elevators were restored up to the 34th floor. About 9 hours after the explosion, power was back on in all floors. Source:

• The week of June 11, the U.S. Forest Service mobilized 8 additional aircraft to ensure an adequate number of airtankers were available for efforts to extinguish 19 active large wildfires in 9 States. – Summit County Citizens Voice

54. June 14, Summit County Citizens Voice – (National) Feds scrambing for more wildfire air resources. The week of June 11, the U.S. Forest Service (USFS) said it mobilized eight additional aircraft to ensure that an adequate number of airtankers were available for wildland firefighting efforts. With these additional airtankers, the USFS has 16 large airtankers, and one very large tanker available immediately for wildfire suppression. The USFS can mobilize an additional 11 large airtankers, should circumstances require it. Additionally, it and the Department of the Interior fire agencies can mobilize hundreds of helicopters and dozens of smaller aircraft, called “single-engine airtankers.” The U.S. President authorized the USFS to expedite its acquisition of at least seven next-generation large air tankers via Senate Bill 3261, which passed the U.S. Senate and the U.S. House of Representatives the week of June 4. As of June 13, 19 active large fires were burning in 9 States, including one of the largest wildfires in New Mexico history, and one of the largest wildfires on record in Colorado. While extremely serious fires were burning in several States, the season was considered below average, meaning that additional resources remained available if needed. Source:


Banking and Finance Sector

6. June 1, Miami Herald; WFOR 4 Miami – (Florida; National) Officials break up $13 million, multi-state gift card scam. Florida Department of Law Enforcement (FDLE) officials said 14 people who took part in a complex counterfeit scam involving runners, identity theft, and cigarettes scammed more than $13 million from one of the world’s largest retailers: Wal-Mart and Sam’s Club, the Miami Herald and WFOR 4 Miami reported June 13. Police busted the ring, which used stolen identities to apply for 23,527 credit cards, which they then used to purchase 56,873 gift cards. They used those cards at the stores to buy cigarettes and other goods to resell. Overall, they cost the companies $13,029,011.59, according to an arrest warrant. Twelve of the 14 people charged appeared in bond court June 13. U.S. Secret Service agents and the FDLE investigated the ring for about a year. From January 2010 to April 2012, the gift cards were used by 12 small businesses to buy items from Wal-Mart, Sam’s Club and other stores. The businesses fronted themselves as “discount dollar/convenience” stores. Goods purchased with the fake gift cards were then sold at the discount stores across Miami-Dade. Officials found 209 Wal-Mart gift cards in the lining of the suitcase of one of the alleged scammers when he was flying from Manchester Boston Regional Airport to Miami International Airport in 2011. He and another man were released after officials took the cards. Gift cards were bought at stores as far away as Maine.


7. June 13, New York Daily News – (New York) ‘Burberry Bandit’ collared in bank rob spree after allegedly knocking over Park Ave. bank. An ex-con was arrested June 12 just hours after he robbed a New York City bank — the 13th heist he has committed since April, police said. Dubbed the “Burberry Bandit” for his fashionable clothing, the bandit would calmly walk into the banks donning designer sunglasses, pass a note to the teller, and flee with cash, police sources said. He never wore the same outfit twice during any of the robberies, they added. He was released from prison just 10 months ago and placed on parole until August 2013, state records indicated. Police arrested him as he walked around the city’s Harlem neighborhood June 12 — a short time after he held up a Chase bank branch in Midtown, police sources said. Source:

8. June 13, Dow Jones Newswires – (California) FTC halts program for vulnerable homeowners. The Federal Trade Commission (FTC) said it has halted a “forensic audit” scheme that allegedly targeted consumers in danger of losing their homes and convinced them to pay $1,995 or more on promises to help them avoid foreclosure and renegotiate their mortgages, Dow Jones Newswires reported June 13. According to the FTC’s complaint, Los Angeles-based Consumer Advocates Group Experts LLC, its owner, and several other companies he controlled charged financially vulnerable homeowners between $1,995 and $2,950 to review mortgage-loan documents to determine whether lenders complied with State and federal mortgage lending laws and made allegedly false claims that consumers could use the “forensic audits” to avoid foreclosure and negotiate more favorable terms on their mortgages. The complaint also named Paramount Asset Management Corp. and Advocates for Consumer Affairs Expert LLC as defendants. The FTC’s complaint alleges consumers often did not receive loan modifications or reduced payments and often found out from their lenders that the defendants either never contacted them, or did contact them but failed to follow up. The complaint also claims the defendants routinely failed to answer or return consumers’ telephone calls and e-mails seeking updates on their mortgage modifications, failed to provide refunds to consumers who requested them, and put consumers at risk of losing their homes and damaging their credit ratings. Consumers often learned too late that their houses were being foreclosed upon, according to the complaint. Source:

9. June 13, U.S. Securities and Exchange Commission – (Utah; National) Promoters of convicted Ponzi scheme operator ordered to pay over $20 million in disgorgement and civil penalties. The U.S. Securities and Exchange Commission (SEC) announced that June 11, the U.S. District Court for the District of Utah granted its motion for final judgment against six men ordering disgorgement and civil penalties totaling more than $20 million. Previously, the court entered permanent injunctions against the defendants enjoining them from future violations of the federal securities laws. The SEC complaint alleged the defendants acted as promoters for a Ponzi scheme operator, who is 10-year prison term. The complaint alleged the promoters raised millions of dthrough the unregistered offer and sale of high-yield promissory notes to moreinvestors in several states. The funds raised were then funneled to the Ponzi opthrough one of the men, who used the funds for his personal benefit, misappromore than $8 million. Source:

For another story, see item 42 below in the Information Technology Sector

Information Technology Sector

38. June 14, H Security – (International) Ruby on Rails patches more SQL injection holes. Further security problems were found in the Ruby on Rails Web framework following the release of updates that addressed two critical vulnerabilities less than 2 weeks ago, H Security reported June 14. The new security holes are in the same areas of the framework’s database layer Active Record and in its query generation. The vulnerabilities could allow hackers to access confidential data from the database tables without authorization. The developers again released updated versions of Ruby on Rails — 3.2.6, 3.1.6, and 3.0.14 — and asked all affected users to update their Rails installations. For users who cannot update to the latest supported versions of Rails, the developers issued patches for both security vulnerabilities. In the case of the Active Record vulnerability, fixes were issued for versions 2.3.x and 3.x of Ruby on Rails. The unsafe query generation problem was fixed in the 3.x series of Rails. Version 2.3.x and 3.0.x of Rails are now unsupported and it is recommended that users running these older, unsupported versions update to supported versions because the availability of patches for future security issues is not guaranteed. Source:

39. June 14, IDG News Service – (International) Facebook, Twitter, Google, AOL join alliance to fight ‘bad ads’. Facebook, Google, Twitter, and AOL joined an alliance set up to counter “bad ads,” including those that deliver malware, direct users to scams, or try to sell counterfeit goods, said StopBadware, the promoters of the alliance. The Ads Integrity Alliance was launched June 14 and has the Interactive Advertising Bureau in New York also as a charter member. Since 2006, StopBadware enabled many Web sites, service providers, and software providers to share real-time data to warn users and significantly eliminate malware, Google’s global public policy manager said. StopBadware hosts the Badware Website Clearinghouse that lists Web sites identified and examined by partners such as Google as containing or linking to malware and related software, which the organization calls “badware.” The alliance outlined general plans to develop and share definitions, industry policy recommendations, and best practices. It also plans to share information about “bad actors,” and share relevant trends with policymakers and law enforcement agencies. Source:

40. June 14, Softpedia – (International) Memory corruption vulnerability in Firefox 13. A security researcher identified a memory corruption vulnerability in Firefox 13, the latest variant of Mozilla’s Web browser. To demonstrate his findings, the expert made available a working proof-of-concept. He told Softpedia that Mozilla confirmed the existence of the vulnerability and plans to fix it in upcoming versions. In the proof-of-concept, the researcher shows that by launching the specially crafted HTML file the vulnerability would be triggered, causing a denial-of-service state. In practice, an attacker would have to host a Web site that contains the malicious Web page. Then, with e-mails or instant messages, he/she could lure potential victims to the Web site. Source:

41. June 14, Computerworld – (International) Apple hustles, patches Java bugs same day as Oracle. June 11, Apple released a Java update for OS X on the same day Oracle patched the vulnerabilities for Windows and other operating systems. Apple issued separate updates for OS X 10.7, aka Lion, and OS X 10.6, or Snow Leopard, that quashed 11 bugs in each edition. Oracle, which maintains Java for Windows, Linux, and Solaris, shipped its update to patch 14 vulnerabilities. Of the three bugs Oracle fixed but Apple did not, two applied solely to non-Apple operating systems, Solaris, and Linux. It was unclear why the third was not included in Apple’s version. The same-day patching was unprecedented: Apple, still responsible for Java security updates for Lion and Snow Leopard, typically lags behind Oracle by weeks or months. That practice turned disastrous earlier in 2012 when Apple’s Java update lagged behind Oracle’s by 7 weeks. Hackers quickly infected an estimated 600,000 Macs with the Flashback malware by exploiting a Java bug that Oracle patched but Apple did not. Source:

42. June 13, Federal News Radio – (International) TSP executive director gives update on data breach. It has been nearly 3 weeks since the Thrift Savings Plan (TSP) board announced a data breach of 123,000 TSP accounts, and since then, the board has been fielding questions from participants, Congress, and the media. One of the most common questions: Is my account safe? If a participant did not receive a letter from the TSP board, their account is not affected by the breach, said the executive director of the TSP. In July 2011, a breach at a TSP contractor — Serco, Inc. — compromised the data of 123,000 accounts. Most of the data accessed included Social Security numbers only. However, of those 123,000, about 43,000 participants had their names, addresses, Social Security numbers and other information — possibly bank routing numbers — also compromised. Source:

43. June 13, ZDNet – (International) ‘State-sponsored attackers’ using IE zero-day to hijack Gmail accounts. Microsoft and Google warned about a new Internet Explorer (IE) zero-day vulnerability being exploited to hack into Gmail accounts. The browser flaw, which is currently unpatched, exposes Windows users to remote code execution attacks with little or no user action (drive-by downloads if an IE user visits a rigged site). Microsoft’s advisory speaks of “active attacks” and follows a separate note from Google that references the IE flaw “being actively exploited in the wild for targeted attacks.” A source close to the investigations confirms these attacks prompted Google’s recent decision to warn Gmail users about “state-sponsored attackers.” Internet Explorer users should know this vulnerability is different from another under-attack issue fixed June 12 with the MS12-037 bulletin. Source:

For more stories, see items 44 and 45 below in the Communications Sector

Communications Sector

44. June 13, WDIO 10 Duluth – (Minnesota) Massive Internet outages across Minnesota. Customers of Frontier Communications were facing massive Internet outages June 13 across almost the entirety of Minnesota. Frontier Communications said a cut in a fiber line affected DSL and high-speed Internet access for customers living in six different telephone area codes including: 218, 763, 320, 507, 952, and 651. A Frontier representative could not say exactly where the fiber line had been cut or how many people had been affected. Frontier expected the problem to be fixed within 24 hours. Source:

45. June 13, Gainesville Sun – (Florida) Gainesville customers of Verizon and GRUCom reported service outages on Wednesday. A widespread outage in Gainesville, Florida, took out phone, data, and Internet service for at least two carriers June 13, but by mid-evening the problems appeared to be resolved. Customers of Verizon and GRUCom reported service outages. Officials from both companies said the problem — likely an equipment failure — was not on their end. “For us, it’s affecting all business customers of GRUCom — telecom, data, Internet — and cell companies that run through our towers,” a spokeswoman with Gainesville Regional Utilities said. A Verizon spokesman said he heard from maintenance crews that the problem resided with a third-party vendor for landline connections. For several hours, the ability to connect with the Internet via Verizon smartphones was spotty, as was the ability to simply make phone calls. Local government Web sites also were down. However, by 8 p.m., Internet service appeared to be back to normal locally on Verizon smartphones, and the ability to access Web sites had returned. Source:

For another story, see item 43 above in the Information Technology Sector