Wednesday, August 22, 2012 

Daily Report

Top Stories

 • An 80-car CSX train carrying coal derailed in downtown Ellicott City, Maryland, killing at least 2 people, crushing several vehicles in a parking lot, and dumping coal into a river. – Washington Post

10. August 21, Washington Post – (Maryland) Two killed as CSX train derails in Ellicott City overnight. An 80-car CSX train carrying coal derailed in downtown Ellicott City, Maryland, late August 20, killing at least 2 people, authorities said. According to Howard County police, the derailment happened when an eastbound freight train came off the tracks of a rail bridge near Main Street. Police said 21 of the train’s 80 cars derailed or overturned about 12 miles outside of Baltimore, falling off the tracks that run along the Patapsco River to the east. The train was en route from Grafton, West Virginia, to Baltimore. The 3,000-foot-long train was carrying 9,000 tons of coal and traveling at 25 miles per hour, officials said. They said one of the train cars fell off the bridge onto a county-owned lot beneath the tracks, crushing several parked vehicles. Cranes were brought in to remove the railcars from the vehicles. Crews were cleaning up the spilled coal, which also fell into the Patapsco River. The Associated Press reported about 100 pounds of coal spilled into a tributary of the river. A Maryland Department of the Environment spokesman said they were worried the coal would boost the acidity of the water or threaten aquatic life. Main Street and Frederick Road were closed from Ellicott City into Baltimore County. Source:

 • An 11-mile stretch of the Mississippi River near Greenville, Mississippi, was closed August 20 to most vessel traffic because of low water levels, idling nearly 100 boats and barges. – CNN

12. August 20, CNN – (Mississippi) Coast Guard halts traffic on low-water stretch of Mississippi. An 11-mile stretch of the Mississippi River near Greenville, Mississippi, was closed August 20 to most vessel traffic because of low water levels, idling nearly 100 boats and barges, according to the U.S. Coast Guard. “We are allowing a limited number of vessels based on size” to attempt to pass, said a New Orleans-based Coast Guard spokesman, adding that the closure was affecting 97 vessels and was halting northbound and southbound traffic. The same area near Greenville, which sees about 50 vessels pass on an average day, has been closed “intermittently” since August 12, when a vessel ran aground, he said. The Coast Guard and the U.S. Army Corps of Engineers have continued surveying the area and deemed it “dangerous for vessels to travel through,” he said. The Corps also has been dredging in the area to deepen the channel and help navigation. A historic drought and excessive heat have reduced water levels and scorched wide sections of the U.S. Midwest. Flooding in 2011 may have worsened the situation on the Mississippi by leaving deposits of silt and debris in areas that would normally be clear. Source:

 • AT&T Wireless partially disabled 16 cell phone towers after federal investigators found they were disrupting Oakland, California’s police radio communications systems for months. – San Francisco Chronicle

22. August 20, San Francisco Chronicle – (California) Oakland police radio culprit: cell towers. The San Francisco Chronicle reported August 20 that Oakland, California officials said they and federal investigators have discovered a major source of disruption to the city’s police radio communications system: Interference from cell phone towers. Specifically, officials said, cell phone towers operated by AT&T Wireless have been interfering with the city’s public safety communications frequency and causing radio failures among police and firefighters on city streets. AT&T, notified by the city of the problem the week of August 13, is cooperating and has partially disabled 16 towers. The towers constantly interfered with the radios, but the problems became particularly pronounced when a police car was within a quarter to a half mile of a tower, said Oakland’s public safety systems adviser. The city’s public safety radio communications system has suffered repeated failures. Officers routinely have been unable to connect to dispatchers or to communicate with other officers. In addition, the radios do not work in hundreds of buildings, including the basement of Oakland police headquarters. Source:

 • Microsoft warned customers about the availability of the ChapCrack tool, which a researcher built to crack the VPN credentials for systems built on the MS-CHAPv2 protocol. – Threatpost. See item 27 below in the Information Technology Sector.

 • Security researchers found a new trojan that tries to cover its tracks by crippling the victim’s computer after stealing data. They said the malware was used in targeted attacks at specific individuals or firms, including at least one in the energy sector. – Computerworld. See item 27 below in the Information Technology Sector.


Banking and Finance Sector

6. August 21, Cleveland Plain Dealer – (Ohio) Ponzi schemer pleads guilty to securities fraud, gets nine years. A Ponzi schemer pleaded guilty August 20 in Cuyahoga County, Ohio, to 11 felony counts for bilking $60 million from nearly 900 investors in her failed Parma Heights Cornerstone Project. The woman ran an investment fraud scheme with her husband which involved a proposed multimillion-dollar retail and entertainment development that was never built. Prosecutors said that between 2003 and January 2005, she solicited family members, friends, and co-workers to invest in many development projects, including Cornerstone. She promised a high rate of return. A spokesman for the Ohio Department of Commerce said the scheme unraveled when the department’s division of securities received a complaint from a family member who became suspicious after his mother was promised a 16 to 20 percent return on her investment. After the division investigated, it issued a cease-and-desist order against the woman in May 2004 for selling unregistered promissory notes. She continued selling the notes, and the spokesman said the State then obtained a preliminary injunction against her. A few months later, she was found to have violated the preliminary injunction by continuing to sell securities without the court’s permission. A receiver was then appointed to take possession of the couple’s joint assets and of the woman’s individual assets. The receiver recovered $10.5 million for the investors. Source:

7. August 20, Reuters – (National) U.S. broker-dealer audit problems found in Ponzi scheme-inspired review. Nearly 4 years after a broker-dealer admitted using his firm for a massive Ponzi scheme, a U.S. audit watchdog group says it is disturbed by problems that persist in audits of broker-dealers, including a failure to assess the risk of fraud, Reuters reported August 20. In its first report on inspections of broker-dealer auditors, the Public Company Accounting Oversight Board (PCAOB) said it found problems in all 23 audits it reviewed, including failure to test controls over customer funds. The problems were found during inspections of small broker-dealer audits conducted between October 2011 and February 2012. In 13 of the 23 audits the PCAOB checked, audit firms did not do enough to assess and respond to risks of material misstatements due to fraud, the board said. In two cases, audit firms helped prepare the financial statements they audited, a violation of Securities and Exchange Commission independence rules. Source:

8. August 20, CNNMoney – (International) U.S. seizes $150 million linked to Hezbollah money laundering. Federal officials said August 20 that they seized $150 million as part of a crackdown on a money laundering scheme linked to the Lebanese militant group Hezbollah. The seizure came following a complaint filed in December 2011 alleging that the now-defunct Lebanese Canadian Bank laundered money for Hezbollah-controlled groups around the world. Officials said that between 2007 and 2011, Lebanese Canadian Bank and other financial institutions routed at least $329 million in proceeds from drug sales and other criminal activity to the United States, where this money bought used cars that were later sold in West Africa. These proceeds were then funneled back to Lebanon via Hezbollah-controlled channels. In September 2011, the majority of Lebanese Canadian Bank’s assets were purchased by Societe Generale de Banque au Liban, another Lebanese bank. At least $150 million from that sale was being held in escrow in an account at Lebanon’s Banque Libano Française, so U.S. officials seized an equivalent amount of money from a U.S. correspondent account of Banque Libano Française. Neither of the two banks was accused of wrongdoing. Source:

9. August 20, Dayton Daily News – (Ohio) Local credit card scam may be part of larger ring. Two men who allegedly used personal information from consumers to create hundreds of fake credit and debit cards may be part of a larger ring, officials said. Both men were indicted the week of August 20 in Warren County, Ohio, following their arrest at the Franklin Walmart, where they allegedly bought about $2,400 in merchandise and gift cards with credit and debit cards they created using stolen bank account information, according to a prosecutor. The prosecutor said the two allegedly obtained credit and debit card numbers and then used some sort of equipment to make the fake cards or at least used the bank data to obtain the cards. He said he was not certain where they obtained the numbers, but since many different banks were involved it did not appear to be an inside bank job. Alert cashiers apparently noticed the men were using many different bank cards at the self check-out to purchase mainly gift cards. Source:

Information Technology Sector

25. August 21, The H – (International) Apache Server 2.4.3 fixes over fifty bugs and two security holes. The Apache Software Foundation released version 2.4.3 of the Apache HTTP Server, fixing over 50 bugs and closing 2 security holes. The two vulnerabilities are present in the mod_proxy_ajp, mod_proxy_http, and mod_negotiation modules. The two gaps were listed as CVE-2012-3502 and CVE-2012-2687, but there is little information available on the actual problems. The first bug occurs in mod_proxy_ajp and mod_proxy_http when a connection to the backend is closing, which “could lead to privacy issues due to a response mixup.” The second problem, in mod_negotiation, concerns a possible cross-site scripting (XSS) issue where untrusted users are uploading files; it is fixed by escaping file names. Source:

26. August 21, The H – (International) Apple Remote Desktop update fixes VNC security problem. Apple released version 3.6.1 of its Apple Remote Desktop application for remotely managing Mac OS X systems to fix an information disclosure vulnerability. According to Apple, the security update addresses a serious problem when connecting to third-party VNC servers that may result in data not being encrypted when the “Encrypt all network data” setting is enabled. Additionally, when this happens, no warning is produced to alert users that their connection may be insecure. Source:

27. August 20, Threatpost – (International) Microsoft warns users about ChapCrack tool availability. Microsoft is warning customers about the availability of the ChapCrack tool, which a researcher built to crack the VPN credentials for systems built on the MS-CHAPv2 protocol. The company said that while it is unaware of any active attacks using the tool, customers can protect themselves by implementing Protected Extensible Authentication Protocol (PEAP) or changing to a more secure VPN tunnel. In its advisory, Microsoft says that while the ChapCrack tool does not take advantage of a security vulnerability, it still represents a risk to users. “An attacker who successfully exploited these cryptographic weaknesses could obtain user credentials. Those credentials could then be re-used to authenticate the attacker to network resources, and the attacker could take any action that the user could take on that network resource,” the company said in its advisory on ChapCrack. Source:

28. August 20, Threatpost – (International) Own the email, own the person. For attackers looking to take control of a victim’s online presence, there is no better place to start than the target’s email account. New research done by a member of IOActive shows just how simple it can be to get control of a target’s email account, and from there, everything else. The researcher started a research project to see how easily he could access volunteers’ email accounts. Targeting friends and family members who agreed to the experiment, the researcher found that with just the data he gathered online from Facebook and other sites, he had little trouble accessing the targets’ inboxes. The best mechanism for obtaining access, in most cases, was the password-reset function on various sites and email services. Source:

29. August 17, Computerworld – (International) Shamoon malware cripples Windows PCs to cover tracks. A new trojan tries to cover its tracks by crippling the victim’s computer after stealing data, a security researcher said August 17. Dubbed “Shamoon” by most antivirus companies, the malware has been used in targeted attacks aimed at specific individuals or firms, including at least one in the energy sector. According to security company Seculert, Shamoon relies on a one-two punch, first taking control of a system connected to the Internet before spreading to other PCs on an organization’s network. The second stage overwrites files and the Master Boot Record (MBR) of the machine. The latter makes the PC unbootable. Seculert and other security companies, including Kaspersky Lab and Symantec, have not yet figured out what kind of data Shamoon is looking for and stealing. They assume that because the malware uses a second infected system to communicate with a hacker-controlled command-and-control (C&C) server, Shamoon is copying files from pillaged PCs and sending that information to its masters. Malware rarely destroys files or wipes the MBR. Most threats try to work quietly to avoid detection as long as possible. Crippling a computer only brings unwanted attention. “Threats with such destructive payloads are unusual and are not typical of targeted attacks,” Symantec said August 16. Since a list of overwritten files is transmitted to the C&C server, Seculert’s CTO speculated that Shamoon’s makers wanted to “know what and how much got wiped.” Source:

Communications Sector

30. August 20, WCBD 2 Mount Pleasant – (South Carolina) SCE&G equipment failure interrupts WCBD-TV newscast. WCBD 2 Mount Pleasant in South Carolina experienced broadcast interruptions August 20 during its evening newscast due to an SCE&G equipment failure. WCBD is located in the utility service area affected by the power outage. The outage caused WCBD to periodically lose news content, audio, and lights during its newscast. An SCE&G spokesperson said power crews were working to fix the equipment and restore electricity to area homes and businesses that were impacted. There was no report on what caused the SCE&G equipment to fail. Source:

For another story, see item 22 above in Top Stories