Thursday, July 12, 2012 

Daily Report

Top Stories

 • Bank officials and the FBI released surveillance photos July 10 of a group of armed bank robbers who struck at least five banks in Connecticut and stole almost $500,000 since September 2010. – WNBC 4 New York. See item 8 below in the Banking and Finance Sector

 • Two people were injured in a freight train derailment and explosion in Columbus, Ohio, that forced the evacuation of approximately 100 people, shut down roads, and put more than 100 area transit buses out of commission. – United Press International

13. July 11, United Press International – (Ohio) 2 injured when train derails in Columbus. Two people were injured in a freight train derailment and explosion in Columbus, Ohio, that forced the evacuation of about 100 people, shut down roads, and put more than 100 area transit buses out of commission. The July 11 incident occurred near the Ohio State Fairgrounds when 11 cars of the 98-car southbound Norfolk Southern train carrying mixed freight derailed, and several cars caught fire, WCMH 4 Columbus reported. About 100 people living near the derailment were evacuated to the fairgrounds. Fire officials said 20,000 gallons of ethanol were burning. Officials said several cars contained styrene, which, if ignited, can emit a gas that affects the nervous system when inhaled, in effect acting as a “nerve agent.” Those cars were not involved in the derailment or fire. Two people in the vicinity of the train when it derailed were injured and drove themselves to a nearby hospital. Officials said they hoped to extinguish the fire by July 11 and allow evacuees to return to their homes. Police, fire, and HAZMAT personnel responded. The National Transportation Safety Board said investigators were dispatched to the scene. The Central Ohio Transit Authority said 135 to 140 buses that operate out of a garage near the derailment would not be in use until further notice, WCMH 4 Columbus reported. Source:

 • A plane with 177 passengers was evacuated at Philadelphia International Airport after 6 people on board fell sick July 10, fire officials said. – Philadelphia Inquirer 

14. July 10, Philadelphia Inquirer – (Pennsylvania) Plane evacuated at Phila. International after 6 fall ill. A plane with 177 passengers was evacuated at Philadelphia International Airport in Philadelphia after 6 people on board fell sick July 10, fire officials said. US Airways Flight 720 departed from Charlotte, North Carolina, for Rome, Italy, but was diverted to Philadelphia after people started falling sick on board, officials said. The six people were taken to a hospital. Fire department crews examined the plane and did not immediately find any evidence of fumes or another cause for the people getting ill. Source:

 • More than 20,000 evacuation calls were never delivered to residents in the path of a wildfire that destroyed about 350 homes around Colorado Springs, Colorado, in June, records show. – Associated Press 

40. July 10, Associated Press – (Colorado) Thousands of wildfire warnings undelivered in Colo. More than 20,000 evacuation calls were never delivered to residents in the path of a wildfire that destroyed about 350 homes around Colorado Springs, Colorado, in June, records show, according to the Associated Press, July 10. It was the second time in 5 months that Colorado residents said they did not get calls to pack up and run as flames raced toward their homes. Officials in El Paso and Teller counties were trying to determine why two-thirds of the 32,000 impacted residents did not receive calls during the Waldo Canyon fire that began June 23. Nearly 10,000 attempts to reach residents in Colorado Springs were abandoned after the calls were not completed, and more than 11,000 calls were not answered, according to records obtained by KMGH 7 Denver. Cassidian Communications, the reverse notification provider, said some calls were not completed because of heavy volume. Phone company officials said their phones were working fine at the time. A spokesman for El Paso/Teller County E911 said his agency will hold meetings to discuss the problem. The system had 13,000 people registered in its cellphone database before the wildfire, officials said. That jumped to 52,000 as homes were burned, and at one point, 1,000 residents per hour were registering their mobile numbers, the Denver Post reported. About 12 percent of the people authorities intended to notify did not get a warning, a sheriff’s spokesman said. The company that handles that system, Baton Rouge, Louisiana-based FirstCall Network Inc., said the process worked exactly as it should have. Source:


Banking and Finance Sector 

6. July 10, McAllen Monitor – (Texas) 2 accused of bilking thousands in fake credit card ring. A man and woman faced allegations in McAllen, Texas, that they participated in a credit card fraud ring that swindled thousands of dollars from banks and retailers and involved hundreds of fraudulent credit cards, the McAllen Monitor reported July 10. McAllen police arrested the two Mexican nationals on suspicion of credit card fraud July 3. The U.S. Secret Service brought federal fraud charges against the two defendants after police discovered hundreds of fake credit cards, gift cards, computers, cocaine, steroids, thousands of dollars in cash, and other brand-new electronics at two apartments in McAllen. Officers also seized a credit card encoder, thousands of debit card PINs, and two luxury sport utility vehicles. Police uncovered the case after they found the man at an Academy Sports + Outdoors store with several credit cards and recently purchased gift cards in his pockets, and several American Express gift cards and watches inside his vehicle. Source:

7. July 10, Bloomberg News – (Iowa) Peregrine Financial allegedly has $200 million shortfall. Peregrine Financial Group Inc., a futures brokerage, has a customer fund shortfall of at least $200 million, the U.S. Commodity Futures Trading Commission (CFTC) claimed in a complaint filed in federal court, Bloomberg News reported July 10. The regulator is seeking a court order freezing the firm’s assets and the appointment of a receiver, as well as monetary relief including fines and restitution. The FBI is also participating in the federal probe, according to an agency spokeswoman. The National Futures Association, an industry self-regulator, said July 9 that Peregrine had reported it held about $400 million in customer-segregated funds as of June 29, of which $225 million was on deposit at U.S. Bank. The regulator was then made aware that Peregrine’s chairman “may have falsified bank records” after finding only $5 million was on deposit. Source:

8. July 10, WNBC 4 New York – (Connecticut) FBI seeks gang of armed bank robbers in Conn. Bank officials and the FBI released surveillance photos July 10 of a group of armed bank robbers who have struck at least five banks in Connecticut and stolen almost $500,000 since September 2010. Authorities are looking for three to five men who have entered banks armed with handguns and wearing work clothes and dark masks. The men subdue the patrons and tellers, then ransack the teller drawers before escaping, according to an FBI special agent. An FBI spokesman said, “The gang appears to be very well organized. They don’t speak and have assigned roles and then switch cars as they escape.” Source:

Information Technology Sector

42. July 11, H Security – (International) Formspring question-and-answer platform compromised. More than 400,000 passwords for Formspring accounts were compromised. This resulted in several million password hashes for the question-and-answer platform being made public on the Internet. The H’s associates at heise Security discovered the Formspring hashes at the end of the week of July 6, but could not determine the origin of the data. Shortly afterward, a reader contacted The H with the crucial piece of information that hundreds of the cracked passwords contained the term “formspring,” which pointed to the source of the dump. After being informed of this discovery, the operators of the platform traced the leak to a development server that allowed an attacker to access a production server. They said they successfully closed it. Formspring also reset all user passwords. The company used the opportunity to switch its hashing method from salted SHA-256 to bcrypt, which can currently be cracked only with substantial computing power, so an attack would take a significant amount of time. About half of the 400,000 hashes had already been reconstructed by password crackers. Source:
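The hashing change the item describes, as an added example (not code from The H or from Formspring): a fast salted SHA-256 record beside a tunable-cost record, with verification for both and an upgrade path. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in here as the work-factor hash; the record layout and the rehash-on-login step are assumptions of this example.

```python
import hashlib
import hmac
import os

# Work factor for the slow scheme. PBKDF2 (stdlib) stands in for bcrypt here;
# bcrypt's cost parameter plays the same role. Raise it as hardware gets faster.
SLOW_ITERATIONS = 200_000


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Salted SHA-256 as used before the migration: one cheap hash per
    verification, and therefore one cheap hash per cracker guess."""
    return hashlib.sha256(salt + password.encode()).digest()


def slow_hash(password: str, salt: bytes, iterations: int = SLOW_ITERATIONS) -> bytes:
    """Tunable-cost hash: every guess costs the cracker `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str, scheme: str = "pbkdf2") -> dict:
    """Create a stored credential record (constructed format for this example)."""
    salt = os.urandom(16)
    if scheme == "sha256":
        return {"scheme": "sha256", "salt": salt, "hash": legacy_hash(password, salt)}
    return {"scheme": "pbkdf2", "salt": salt, "iter": SLOW_ITERATIONS,
            "hash": slow_hash(password, salt)}


def verify(record: dict, password: str) -> bool:
    """Verify against whichever scheme the record uses; compare in constant time."""
    if record["scheme"] == "sha256":
        candidate = legacy_hash(password, record["salt"])
    else:
        candidate = slow_hash(password, record["salt"], record["iter"])
    return hmac.compare_digest(candidate, record["hash"])


def upgrade_on_login(record: dict, password: str) -> dict:
    """Rehash a legacy record under the slow scheme once the user proves the
    password. Formspring instead reset every password after the leak; this
    variant migrates accounts transparently as they log in."""
    if not verify(record, password):
        return record
    if record["scheme"] == "sha256":
        return make_record(password)
    return record
```

A site-wide reset, as Formspring did, is the right call once hashes are known to be public; rehash-on-login only helps for records that have not leaked.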

43. July 11, Computerworld – (International) Microsoft urges death of Windows gadgets as researchers plan disclosures. Two weeks before researchers are to disclose bugs in Windows “gadgets” at Black Hat, Microsoft acknowledged unspecified security vulnerabilities in the software supported by Vista and Windows 7. To deal with the vulnerabilities, Microsoft provided a way to cripple all gadgets and disable the “sidebar” engine that runs them. “The purpose of this advisory is to notify customers that Microsoft is aware of vulnerabilities in insecure Gadgets affecting the Windows Sidebar on supported versions of Windows Vista and Windows 7,” Microsoft said in a security warning issued July 10. Microsoft did not detail the vulnerabilities or explain why it was letting users ditch gadgets, but the move may be linked to an upcoming presentation at Black Hat, the annual security conference held in Las Vegas. On July 26, two researchers are scheduled to present research on gadget flaws and exploits. Source:

44. July 11, Help Net Security – (International) Targeted attacks focus on small businesses. Thirty-six percent of all targeted attacks (58 per day) during the last 6 months were directed at businesses with 250 or fewer employees, according to Symantec. During the first half of 2012, the total number of daily targeted attacks continued to increase at a minimum rate of 24 percent with an average of 151 targeted attacks being blocked each day during May and June. Large enterprises consisting of more than 2,500 employees are still receiving the greatest number of attacks, with an average 69 being blocked each day. “There appears to be a direct correlation between the rise in attacks against smaller businesses and a drop in attacks against larger ones. It almost seems attackers are diverting their resources directly from the one group to the other,” said a cybersecurity intelligence manager at Symantec. “It may be that your company is not the primary target, but an attacker may use your organization as a stepping-stone to attack another company,” he said. The defense industry was the targeted industry of choice in the first half of 2012, with an average of 7.3 attacks per day. The chemical/pharmaceutical and manufacturing sectors maintain the number two and three spots, respectively. These targets clearly received a smaller percentage of overall attention than in 2011, but the chemical/pharmaceutical sector is still hit by one in every five targeted attacks, while manufacturing still accounts for almost 10 percent of all targeted attacks. Source:

45. July 10, Threatpost – (International) More malware using a remote payload discovered on Google Play. Symantec warned of new malware masquerading as two applications on Google Play that claimed up to 100,000 victims before the trojan was removed. “What is most interesting about this Trojan is the fact that the threat managed to stay on Google Play for such a long time, clocking up some serious download figures before being discovered,” a Symantec researcher said July 10. “Our suspicion is that this was probably due to the remote payload.” In 2011, the researcher wrote about this evasion-driven technique, in which the payload is broken into separate modules and delivered independently, making it easier to hide and inject into other apps. In the case of this malware, called Android.Dropdialer, the first stage was posted on Google Play. Once installed, it downloaded an additional package via Dropbox called Activator.apk that sends SMS messages to a premium-rate number tied to Eastern Europe. Source:

46. July 10, Krebs on Security – (International) Plesk 0day for sale as thousands of sites hacked. Hackers in the criminal underground are selling an exploit that extracts the master password needed to control Parallels’ Plesk Panel, a software suite used to remotely administer hosted servers at a large number of Internet hosting firms. The attack comes amid reports from multiple sources indicating a spike in Web site compromises that appear to trace back to Plesk installations. A miscreant on a very exclusive cybercrime forum has been selling the ability to hack any site running Plesk Panel version 10.4.4 and earlier. The hacker, a longtime member of the forum who has a history of selling reliable software exploits, even developed a point-and-click tool he claims can recover the administrator password from a vulnerable Plesk installation, as well as read and write files to the Plesk Panel. The exploit is being sold for $8,000, and according to the seller, the vulnerability it targets remains unpatched. Multiple other members appear to have used it and vouched for its value. Source:

47. July 10, eSecurity Planet – (International) July Patch Tuesday: XML 5 still vulnerable. For a month now, Microsoft users have known about a critical XML flaw that has left their systems at risk. In Microsoft’s July Patch Tuesday update July 10, that XML flaw was partially addressed in one of nine security bulletins issued by Microsoft. The bulletins also address critical updates for flaws in Internet Explorer and Microsoft Data Access Components (MDAC). The MS12-043 bulletin details the Microsoft XML Core Services vulnerability first revealed in the June Patch Tuesday update. While Microsoft is now issuing a patch, it does not cover all possible vulnerable XML scenarios. The patch fixes Microsoft XML Core Services 3.0, 4.0, and 6.0 — but it does not patch version 5.0, which is still widely used and deployed in Microsoft’s Office products. However, Microsoft is not leaving its users entirely exposed to the XML 5 vulnerability — the company issued a fix-it patch for XML 5. Source:

48. July 10, Inquirer – (International) Hackers could target Chrome users’ webcams, security experts warn. Google announced a beta version of its Chrome Web browser in a blog post July 10, but experts warned of security threats it might cause for users. The Chrome Beta release grants Web applications access to users’ Web cams and microphones without a plugin through the getUserMedia application programming interface (API), a method that allows users to interact with HTML5 applications through video and audio devices. However, the director of security research and communication at Trend Micro warned that getUserMedia will be attractive to criminals. Source:

49. July 10, Threatpost – (International) Microsoft revokes trust in 28 of its own certificates. In the wake of the Flame malware attack, which involved the use of a fraudulent Microsoft digital certificate, the software company reviewed its certificates, found nearly 30 that were not as secure as it would like, and revoked them. Microsoft also released its new updater for certificates as a critical update for Windows Vista and later versions as part of the July 10 Patch Tuesday. Microsoft did not say what the now-untrusted certificates were used for, but company officials said a total of 28 certificates were affected by the move. Many of the affected certificates are listed simply as “Microsoft Online Svcs.” However, the company said it was confident none of the certificates were compromised or used maliciously. Source:

50. July 10, Ars Technica – (International) Web exploit figures out what OS victim is using, customizes payload. Security researchers found a live Web exploit that detects whether the target is running Windows, Mac OS X, or Linux and drops a different trojan for each platform. The attack was spotted by researchers from antivirus provider F-Secure on a Colombian transport Web site, presumably after third-party attackers compromised it. The unidentified site then displayed a signed Java applet that checked whether the user’s computer was running Windows, Mac OS X, or Linux. Based on the outcome, the attack then downloaded the appropriate files for that platform. The exploit, however, was unable to infect modern Macs unless they were modified to run software known as Rosetta. That software allows Macs using Intel processors to run applications written for Macs using PowerPC processors, which were phased out 5 years ago. Source:

Communications Sector

51. July 10, Duluth News Tribune – (Minnesota) Man arrested after allegedly threatening to blow up Charter cable TV building in Duluth. A Duluth, Minnesota, man is in jail pending felony charges of making terroristic threats after allegedly saying he was going to burn or blow up the Charter Communications building in Duluth, then showing up at that facility July 10. He was upset over his Internet service, Duluth police said in a news release. He was being held at the St. Louis County Jail. Police were called to the building after reports of a suspicious vehicle outside the building, according to scanner reports. The incident began when a Charter contact center adviser received a call from a Duluth customer threatening to harm the Duluth office and its employees, said a Charter spokeswoman. Employees in the Duluth office were notified and were evacuated to a safe location, she said. A Charter technical supervisor in Duluth had seen a man in a pickup truck parked in the lot in front of the building, she said. She said the man left the truck before police arrived, but he was apprehended and taken into custody. Source:

For another story, see item 45 above in the Information Technology Sector