Monday, August 20, 2012 

Daily Report

Top Stories

 • Nuclear safety regulators said the operator of the San Onofre power plant in San Diego County, California, failed to develop procedures to monitor electronic devices related to security. – U-T San Diego

8. August 16, U-T San Diego – (California) Security violation at San Onofre. Nuclear safety regulators confirmed a security violation at the San Onofre power plant in San Diego County, California, after operator Southern California Edison declined to contest the finding, U-T San Diego reported August 16. The Nuclear Regulatory Commission (NRC) said the company failed to develop procedures to monitor electronic devices related to security, but withheld further information because of security concerns. The commission is still determining the appropriate response to the violation. The NRC conducted an inspection at the plant in May to gather more information about the security lapse. The San Onofre plant in northern San Diego County normally supplies about 20 percent of the region‘s electricity but has been offline since January because of an equipment failure. Attempts to repair and restart the two reactors are ongoing. Source:

• The U.S. Coast Guard was working to clear the outbound shipping lane in the St. Marys River in Sault Ste Marie, Michigan, after a grounded 1,000-foot coal freighter blocked it for more than 26 hours. The issue delayed about 11 ships. – Associated Press

16. August 16, Associated Press – (Michigan) Grounded coal freighter freed, channel still shut. The U.S. Coast Guard was working to clear the outbound shipping lane in the St. Marys River in Sault Ste Marie, Michigan, after efforts to refloat a grounded 1,000-foot coal freighter created blockage. The Coast Guard said August 16 that crews were at work trying to remove a shoal that developed during the refloating of the ship, which became grounded August 15 and was freed more than 26 hours later. The Coast Guard said about 11 ships heading from lake Superior to Lake Huron were delayed by the blockage. The Paul R. Tregurtha is owned by Interlake Shipping Co. of Richfield, Ohio, and is carrying about 62,000 tons of coal. There was no effect on ships heading toward Lake Superior. Source:

• An audit by the NASA Office of Inspector General found the agency‘s Security Operations Center does not currently monitor all of NASA‘s computer networks. – Government Computer News

30. August 16, Government Computer News – (National) Audit finds some holes in NASA’s cybersecurity center. NASA‘s Office of Inspector General (OIG) conducted an audit to evaluate the cybersecurity effectiveness of the agency‘s consolidated Security Operations Center (SOC), Government Computer News reported August 16. The audit found the SOC improved NASA‘s computer security incident handling by providing continuous incident detection coverage for all NASA centers, said a summary of the report released by NASA. However, it also found the SOC does not currently monitor all of NASA‘s computer networks. ―Even though networks we reviewed had their own incident management program that included network monitoring, dedicated staff to respond to incidents and documented processes, the networks‘ management programs do not provide the centralized continuous monitoring coverage afforded by the SOC,‖ it said. The OIG said NASA ―needs to increase its readiness to combat sophisticated but increasingly common forms of cyber attacks known as Advanced Persistent Threats.‖ The audit warned that ―even after the target organization addresses the vulnerability that permitted the attack to succeed, the attacker may covertly maintain a foothold inside the target‘s system for future exploits.‖ Source:

• AT&T said that unknown attackers targeted the company‘s DNS infrastructure in two locations, causing a day of intermittent disruptions of Internet services for its business customers. – SecurityWeek See item 43 below in the Communications Sector

• Police and fire departments responded to hundreds of Carmike Cinemas locations across the country August 17 after a bomb threat was made to the company‘s corporate office. – Raycom News Network

44. August 17, Raycom News Network – (National) Bomb threats made to movie theaters nationwide. Police and fire departments responded to Carmike Cinemas locations across the country August 17 after a bomb threat was made to the company‘s corporate office, the Raycom News Network reported. Hundreds of movie theaters in multiple states, including Alabama, Georgia, Illinois, North Carolina, Texas, and Virginia, had activity from emergency responders starting around 11:30 a.m. ET. There have been no reports of explosive devices found, and multiple Raycom stations announced local sites had been cleared by law enforcement. According to WSFA 12 Montgomery, Auburn, Alabama police said the threat originated at the corporate office, which is located in Columbus, Georgia. Carmike has not released a statement on the matter. Carmike said it operates 236 theaters in 35 states. It is the fourth largest movie theater chain in the country. Source:


Banking and Finance Sector

9. August 17, Agence France-Presse – (International) Australia probes theft of 500,000 credit card numbers. Australian police said August 17 they were investigating the theft of some 500,000 credit card numbers which resulted in $26.2 million worth of fraudulent transactions. ―The Australian Federal Police can confirm it is currently investigating a series of merchants whose individual computer systems have been compromised,‖ a spokeswoman said. Reports said eastern European hackers were responsible, although police did not confirm this, only saying that international and private sector cooperation was critical to its ability to target this type of fraud. Source:

10. August 17, BankInfoSecurity – (Michigan) Takeover scheme targets Bank of America. Seven people have been accused by Michigan authorities of pulling off a unique account takeover scheme that targeted Bank of America (BofA) and involved nearly $360,000 in fraudulent funds transfers. According to an indictment filed August 9 by the U.S. Attorney for the Eastern District of Michigan, from June 2010 through April 2012, the suspects moved funds from legitimate BofA accounts to accounts opened under false pretenses. The indictment alleges the leader used new accounts opened by runners to transfer stolen funds from legitimate accounts. He allegedly opened joint accounts in the names of runners and existing customers by accessing personally identifiable information about those customers through BofA‘s telephone and online banking systems. A fraud analyst at Gartner says it was probably an easy task to pull off through the bank‘s call center. Once the joint accounts were opened, the suspects allegedly initiated funds transfers online or through the call center from legitimate customer accounts to the fraudulent joint accounts. After funds appeared in the joint accounts, prosecutors say they were transferred to the runners‘ accounts. Another suspect has been accused of driving runners to different BofA branches to open accounts and withdraw funds, as well as for taking runners to area businesses, where they could make fraudulent debit purchases. Source:

11. August 16, Reuters – (National) Sharpie parties fuel rampage on foreclosed homes. Five years into the U.S. foreclosure crisis, ―Sharpie parties‖ are a new form of blight on the landscape of boarded-up homes and the latest iteration of collective home-trashing spurred by social media, Reuters reported August 16. Partygoers are handed Sharpie pens on arrival by their hosts and urged to graffiti the walls — a destructive binge that often prompts other acts of vandalism including smashing holes in walls and doors, flooding bathrooms, and ripping up floors. At least six Sharpie parties were reported in one California county in recent months, where invitations posted online drew scores to foreclosed homes. The California spree follows a similar outbreak earlier this year, when teenagers wrecked homes in states including Texas, Florida, and Utah. In a recent case of ―extensive destruction‖ to a foreclosed property, the host of the Sharpie party posted an invitation on a Facebook page, and at least 100 people turned up, according to an investigator with the Merced, California district attorney‘s office. Three men were arrested on suspicion of felony vandalism, burglary, and conspiracy. One of them was the son of the evicted former owner. Banks that own the foreclosed homes are reluctant to pursue the perpetrators, a California realtor said, because they do not have the resources to hunt down the miscreants. Source:

12. August 16, Associated Press – (Georgia; West Virginia) Ex-UGA coach charged in Ponzi scheme. A former University of Georgia football coach used his influence to get high-profile college coaches and former players to invest $80 million into a Ponzi scheme, the U.S. Securities and Exchange Commission (SEC) said August 16. He and an Ohio business partner convinced investors to put money into a liquidation company that bought and resold appliances and furniture, the SEC said. The pair raised about $80 million from nearly 100 investors, but only about $12 million was used to buy merchandise while the remainder was used to pay false returns or was pocketed by the two men, the SEC said. The company, West Virginia-based GLC Limited, promised returns ranging from 50 percent to nearly four times what investors put in. The individual losses ranged from a few thousand dollars to about $4 million, said an associate director of the SEC‘s Atlanta office. The SEC said it sought to recover the ill-gotten gains as well as undetermined civil penalties against the former football coach and his partner. Source:

Information Technology Sector

37. August 17, Softpedia – (International) Symantec’s Road Runner Safe Storage hacked, SwapDrive flaw possibly leveraged. Symantec sent out notification emails to Road Runner Safe Storage customers alerting them to a security incident involving WhaleMail and SwapDrive accounts. ―Recently, an unauthorized third party accessed one of our databases. As soon as we learned of the attack, we limited all access to the database and thus the vulnerability was eliminated. However, as a result of this incident, your account credentials may have been exposed,‖ the emails read. While the company reassured users their credit card numbers and Social Security numbers are safe, the attackers may have stolen names, email addresses, usernames, passwords, secret questions and answers, and, in some cases, billing addresses. To prevent any incidents, all passwords were disabled. Source:

38. August 17, The H – (International) PostgreSQL patches XML flaws. A flaw in the built-in XML functionality of PostgreSQL (CVE-2012-3488) and another in its optional XSLT handling (CVE-2012-3489) were patched, and the developers released updated versions of the open source database with relevant fixes. The patched holes were related to insecure use of the widely used libxml2 and libxslt open source libraries and the PostgreSQL developers advise anyone using those libraries to check their systems for similar problems. Both problems in PostgreSQL allow authenticated users of the database to read arbitrary files on the system, and the XSLT flaw allows writing of files. Details are limited, but the release notes for 9.1.5 note how xml_parse() and xslt_process() could be used to access information about files or parts of those files. To fix the problem, the PostgreSQL developers released versions 9.1.5, 9.0.9, 8.4.13, and 8.3.20. Source:

39. August 16, Infosecurity – (International) Adobe’s patches for Windows and OS/X expose Linux. During June, Google researchers seeking to strengthen the security posture of the embedded PDF reader for Chrome discovered numerous vulnerabilities in Adobe Reader. Most of these were patched in Adobe‘s security update the week of August 13 — but not for Linux. It is the patched vulnerabilities rather than the unpatched vulnerabilities that are the cause of most concern. The problem is that attackers can now compare the old versions of Windows or OS/X Reader with the new ones and discover the bugs. Source:

40. August 16, The H – (International) The alleged flood of Android trojans. According to Kaspersky Lab, the amount of Android malware tripled in the second quarter of 2012 and now stands at 15,000. However, competitor F-Secure saw only a moderate increase of about 40 new pieces of Android malware. Kaspersky‘s number is one that — like most anti-virus companies — counts so-called unique samples. F-Secure bases its numbers for malware distribution on malware families or variants, and therefore provides a much different measurement of the real threat compared to the unique samples values. Both antivirus vendors agree Android is the preferred mobile platform for malware. Source:

41. August 16, The Register – (International) Experts argue over whether shallow DNS gene pool hurts web infrastructure. Four in five (80 percent) of the world‘s Internet-facing Domain Name System (DNS) servers rely on the same DNS code base, according to DNS vendor Secure64. Secure64 was unable to cite a clear example of a critical security bug in BIND that might create the potential for a global Internet wobble in the event of a sophisticated attack or virus. The firm nonetheless maintains the risk from a lack of diversity in DNS systems is real. However, other DNS experts, while agreeing that diversity is important on the wider scale, said Secure64 was overstating the case for businesses to switch to a two-supplier approach while ignoring some of the practical problems involved in maintaining a relationship with two or more suppliers. Source:

42. August 16, Network World – (International) Symantec says it has plugged hole in Norton Online Backup. August 16, Symantec said it plugged a hole in its Norton Online Backup service that inadvertently allowed some users to view and access data of other Norton Online Backup customers. ―On July 30, as part of our ongoing server maintenance, Symantec made a change in the way that they cached certain HTML files and other static assets that, through a temporary misconfiguration, may have resulted in certain users incorrectly receiving other users‘ session cookies,‖ said Symantec in a statement. ―These cookies impact the data that is displayed when a user logs into their Norton Online Backup account.‖ Source:

For more stories, see items 30, above in Top Stories and 43 below in the Communications Sector

Communications Sector

43. August 17, SecurityWeek – (National) AT&Ts DNS outage on Wednesday resulted from DDoS attack targeted at two locations. AT&T said August 16, that unknown attackers were responsible for intermittent disruptions that affected Internet services for its business customers August 15. In a statement, an AT&T spokesperson said a DDoS attack targeted the company‘s DNS infrastructure in two locations, and that engineers and SOC (Security Operations Center) staff worked to mitigate the situation. ―Due to a distributed denial of service attack attempting to flood our Domain Name System servers in two locations, some AT&T business customers experienced intermittent disruptions in service on Wednesday. Our network and security teams quickly worked to mitigate the impact and service is currently running normally,‖ the statement said. Source:

For more stories, see items 37, 40, and 41 above in the Information Technology Sector