Thursday, September 6, 2012

Complete DHS Daily Report for September 6, 2012

Daily Report

Top Stories

• About 90 reports of oil and chemical releases due to Hurricane Isaac fouled Gulf of Mexico waters and closed fishing in a large area. – New Orleans Times-Picayune

3. September 4, New Orleans Times-Picayune – (Louisiana) Coast Guard investigating 90 reports of oil, chemical leaks following Hurricane Isaac. The Coast Guard is investigating about 90 reports of oil and chemical releases associated with Hurricane Isaac, including a leak from a closed storage facility in Plaquemines Parish, Louisiana, which killed several brown pelicans, officials said September 4. Separately, the Louisiana Department of Wildlife & Fisheries closed a stretch of coastline from Elmer’s Island to Belle Pass after a tar mat appeared in the Gulf of Mexico and tar balls washed ashore. The closure affects commercial and recreational fisheries from the shore to 1 mile offshore. The agency and State Department of Environmental Quality will determine the source of the oil, but its location has stoked concerns that it is remnants of the 2010 Deepwater Horizon explosion and subsequent oil leak. A “defunct” terminal with storage tanks at Myrtle Grove leaked oil that has been contained, said the commander of Coast Guard Sector New Orleans and captain of the port of New Orleans. Other reports range from loose barrels to overturned rail cars and tanks that are not leaking. He also cited a chemical release in Braithwaite. Source:

• Two Chinese nationals face federal charges for allegedly trying to steal trade secrets from a plant in Missouri that makes glass used to insulate industrial piping systems and liquefied natural gas storage tank bases. – United Press International

7. September 5, United Press International – (Missouri) Two Chinese nationals charged in U.S. Two Chinese nationals face federal charges for allegedly trying to steal trade secrets from Pittsburgh Corning’s plant in Sedalia, Missouri. The two, both citizens of China, were charged with attempting to pay $100,000 for the stolen trade secrets from the Sedalia plant, which makes FOAMGLAS, said the acting U.S. attorney, the U.S. Justice Department said on its Web site. The two were charged in a federal criminal complaint, alleging they tried to illegally buy trade secrets for the purpose of opening a plant in China to compete with Pittsburgh Corning. The two were arrested in their hotel room August 26 by the FBI, the report said. The various grades of cellular glass insulation sold under the trade name FOAMGLAS are used to insulate industrial piping systems and liquefied natural gas storage tank bases largely used by energy and petrochemical companies and by natural gas facilities, the report said. The report said Pittsburgh Corning recently reported technological advances in these products and that the company treats its product formula and manufacturing process as proprietary and trade secrets. The report said Pittsburgh Corning is in negotiations to build a plant in China. Source:

• The future of the Bitcoin exchange Bitfloor was thrown into question when the company’s founder reported someone compromised his servers and made off with about 24,000 Bitcoins, worth almost $250,000. – Ars Technica. See item 13 below in the Banking and Finance Sector.

• Brawley, California officials shut off water as they worked to repair earthquake-damaged pipelines, streets, and structures. – El Centro Imperial Valley Press

21. September 5, El Centro Imperial Valley Press – (California) Brawley assesses earthquake damages. Seventy individuals were displaced, 21 mobile homes were red-tagged, and residents in Brawley, California, and the city were working to repair all earthquake-related damages, the Imperial Valley Press reported September 5. More than a week after swarms of earthquakes rocked Brawley, the city discussed the status of its impacts and damages during its September 4 council meeting. The city experienced multiple water breaks due to the quakes, costing the city about $30,000 in equipment, overtime, and street and utilities materials expenses. A 4-inch cast-iron pipeline was among the damages, breaking four times during the swarms, a Brawley city manager said. A 6-inch pipeline broke twice, she said. The city approved a measure to spend $35,000 on an emergency fund to create a bypass for the Mansfield Canal Pipeline, which was significantly damaged, until reinforced concrete pipes are installed. The city will stop water to the pipe and drain it September 5, then officials will evaluate the pipeline and begin repairs September 6. The city will finish repairs and re-establish the water September 7. A total of 18 buildings were inspected and showed damages requiring further action, the city manager said. The city planned a visit with the Small Business Administration and California Emergency Management Agency to consider possible assistance and further data collection regarding local economic injuries from the earthquakes and refinement of cost, the city manager said. Julia Drive and Willard Avenue will remain closed through September 7. The city also issued a conserve water advisory for all commercial and residential use, due to the repairs. Source:,0,6717004.story

• A federal cyber emergency response team warned power utilities, railroad operators, and other large industrial players of a weakness in a widely used router that leaves them open to tampering by untrusted employees. – Ars Technica. See item 43 below in the Information Technology Sector.


Banking and Finance Sector

10. September 5, Ogden Standard-Examiner – (Missouri; National) Bucket List Bandit suspected in 2 Mo. bank robberies. The Bucket List Bandit, nicknamed because he passed a threatening note to a teller at a Wells Fargo Bank in Roy, Utah, July 6 claiming he only had 4 months to live, is now suspected of robbing a Landmark Bank in Columbia, Missouri, August 29 and a Lindell Bank in O’Fallon August 30, the Ogden Standard-Examiner reported September 5. In bank surveillance videos from the Missouri heists, the Bucket List Bandit appeared to be clad in the same blue polo shirt he wore during the Roy robbery. In addition to the Roy and Missouri robberies, the Bucket List Bandit is suspected of bank heists in Arvada, Colorado; Flagstaff, Arizona; Pocatello, Idaho; Winston-Salem, North Carolina; Chattanooga, Tennessee; and Bloomington, Illinois, since July. No one has been injured in any of the holdups. The suspect has not displayed a weapon but has implied that he had one in several robberies. Source:

11. September 5, KNBC 4 Los Angeles – (California) Kidnappers strapped device to bank employee for East LA robbery: LASD. Two men wearing ski masks kidnapped a bank employee, held her overnight, attached a supposed bomb to her, and then had her rob an East Los Angeles bank, according to the Los Angeles County Sheriff’s Department (LASD). She was abducted from her home in Huntington Park, California, September 4, an LASD captain said. The morning of September 5, the woman was at a Bank of America branch in Los Angeles, he said. “She went into the bank, and she told another employee or employees that she had this device attached to her, and that she was demanded by the robbers to (get) the money from the bank and throw it outside.” A SWAT team, bomb squad, sheriff’s deputies, and the fire department responded to the branch on Atlantic Boulevard. Aerial video showed a deputy remove a small object from the bank and place it on a street curb. A bomb-squad member surrounded the device with sand bags, before a robot fired a projectile into the device. Authorities were searching for the two alleged robbers, who reportedly fled in a Kia, possibly white. At least one suspect had a gun. Late the morning of September 5, the area around Atlantic and Whittier boulevards remained closed, and a nearby high school was placed on lockdown. Source:

12. September 4, Reuters – (National) Former WaMu units reach $26 mln settlement in mortgage securities case. Two former Washington Mutual Bank (WaMu) units reached a $26 million settlement agreement over claims they misled investors over the sale of mortgage-backed securities, Reuters reported September 5. Lawyers for plaintiffs filed a notice of the settlement in U.S. federal court in Seattle, averting a trial that was scheduled to begin September 17. The lawsuit alleged that registration documents filed in connection to the securities failed to accurately describe WaMu’s underwriting practices. The settlement falls well short of the $558 million damages estimate made by an expert for the plaintiffs in court filings, but an attorney for the plaintiffs said he believed it was a good result given the limited funds available after WaMu’s bankruptcy. The settling WaMu defendants were WaMu Asset Acceptance Corp and WaMu Capital Corp. Source:

13. September 4, Ars Technica – (International) Hacker steals $250k in Bitcoins from online exchange Bitfloor. The future of the up-and-coming Bitcoin exchange Bitfloor was thrown into question September 4 when the company’s founder reported that someone compromised his servers and made off with about 24,000 Bitcoins, worth almost $250,000. The exchange no longer has enough cash to cover all of its deposits, and it suspended its operations while it considers its options. Bitfloor is not the first Bitcoin service brought low by hackers. In 2011, the most popular Bitcoin exchange, Mt.Gox, suspended operations for a week after an attacker compromised a user account and sold all of his Bitcoins in a firesale that temporarily pushed the price down to zero. The site survived the attack and remains the leading Bitcoin exchange today. Hackers made off with another $228,000 in Bitcoins from online services earlier this year. Bitcoin’s peer-to-peer design means that transactions are irreversible. Once a transaction appears in the blockchain, the global record of Bitcoin transactions, no one has the authority to reverse it. And the pseudonymous nature of Bitcoin makes it difficult to trace stolen Bitcoins to their new owners. Source:

14. September 4, GateHouse News Service – (Illinois) $21,000 stolen from ATM. Springfield, Illinois police were trying to determine how someone stole $21,000 from an ATM machine at a Marine Bank without damaging the machine, GateHouse News Service reported September 4. The thief stole $21,000 in $20 bills from the machine September 2. An alarm on the machine notified officers of the theft. According to a police report, video surveillance showed somebody around the ATM. However, it did not indicate how the person gained access inside the machine. The ATM was still locked when officers arrived. Police believed the thief may have used a code to get the machine to dispense money. Source:

15. September 4, KPTV 12 Portland – (Oregon) Police: Panda bandit arrested after DUI in Oregon. State troopers in Oregon pulled over a woman suspected of driving under the influence August 31, and soon learned the woman was a serial bank robber known as the “panda bandit,” KPTV 12 Portland reported September 4. Troopers stopped the woman after getting a complaint of erratic driving and found she was wanted on a felony warrant held by the FBI, accusing her of bank robbery. In addition to local charges of driving under the influence and possession of a controlled substance, she was likely to be charged with robbery in connection with an August 30 robbery of a U.S. Bank in Portland, an August 29 robbery at another U.S. Bank in Hillsboro, a July 11 robbery at a Wells Fargo Bank in Aloha, and a July 10 robbery at a U.S. Bank in Aloha. She was given the “panda bandit” nickname because she wore a panda face hat during the July 10 robbery. Source:

16. September 4, Reuters – (International) U.S. SEC charges China Sky One with securities fraud. The U.S. Securities and Exchange Commission (SEC) charged China Sky One Medical Inc and its chief executive with securities fraud and said the company recorded fake sales of a weight loss product, Reuters reported September 4. China Sky One inflated revenues in its financial statements by booking $19.8 million in phony export sales, the SEC said. The company, based in China, said in 2007 securities filings it had entered into a distribution agreement with a Malaysian company that would generate the sales, but never entered into such an agreement. The company’s chief executive certified the overstated financial results, which appeared in financial statements through 2010. The case is the latest in a series of actions the SEC has taken against Chinese companies listed in the U.S. Dozens of such companies, which often go public by merging with shell companies, have disclosed auditor resignations or bookkeeping irregularities. The company’s auditor, MSPC, resigned in March after one of the company’s directors resigned and said he was having trouble getting in touch with the company’s finance executives. Source:

Information Technology Sector

39. September 5, Associated Press – (International) FBI denies report hackers leak 1 million Apple device IDs. September 4, the FBI disputed a computer hacker group’s claim that it stole personal identification data on millions of Apple device owners from an FBI agent’s laptop. FBI officials said the bureau never asked for and never possessed the database that the group, which calls itself AntiSec, posted on a Web site. “The FBI is aware of published reports alleging that an FBI laptop was compromised and private data regarding Apple UDIDs was exposed,” a spokeswoman told Fox News. “At this time, there is no evidence indicating that an FBI laptop was compromised or that the FBI either sought or obtained this data.” The group released a link to a database of more than 1 million unique identification numbers for Apple devices, which could include iPhones and iPads. AntiSec said the data is just a piece of the more than 12 million unique identification numbers and personal information on the device owners that the group obtained from a laptop used by an FBI agent. The FBI denied it ever had that information. Officials with the bureau said they could not verify the validity of the data AntiSec released. Federal officials also warned that computer users should be careful when clicking on such links because they sometimes may contain malware that can infect computers. Source:

40. September 5, Computerworld – (International) Apple patches Java 6 for OS X Snow Leopard, Lion. September 5, Apple issued a Java update for OS X Lion and Snow Leopard to make it more difficult for hackers to exploit vulnerabilities. The update brought Java 6 up to par with Oracle’s version 35, which it released August 30. Oracle’s so-called “out-of-band,” or emergency patch, fixed three bugs in Java 7 that hackers already began exploiting, and made one change to Java 6. “[The latter] represents a security-in-depth issue that is not directly exploitable but which can be used to aggravate security vulnerabilities that can be directly exploited,” Oracle said in its advisory of a week ago. Apple was required to provide the defense-in-depth update because it still maintains Java 6, which it bundled with 2009’s OS X Snow Leopard and offered to users running 2011’s Lion as an optional download when they encountered a Java applet on the Web. However, Apple is not responsible for Java 7; the company handed back control of the software to Oracle in 2010. The OS X patches for the three Java 7 flaws, then, were produced by Oracle and shipped the week of August 27 alongside the fixes for the Windows version of Java 7. Source:

41. September 5, The H – (International) Nine 0days: HP in the security dock again. The Zero Day Initiative published information about unpatched critical security holes in HP’s enterprise products: The zero-day holes all allow remote attackers to inject and execute arbitrary code into the server systems. Eight of the nine holes are rated at the highest risk level (Common Vulnerability Scoring System) of 10. Before the disclosure of the vulnerability details, HP had up to a year to close the nine critical security holes. Source:

42. September 4, KXAN 21 Austin – (Texas) Shots fired at Dell’s Round Rock campus. Authorities set up a perimeter around several buildings at Dell’s campus in Round Rock, Texas, September 3 after a witness said he saw someone with a gun riding a bicycle in one of the building’s parking lots. Round Rock police said they were called to the campus for a report of shots being fired. When officers got there, they discovered that one of the building’s first-floor break room glass windows was broken. No one was injured, and it was unclear how many shots were actually fired. Austin Police Department’s helicopter helped with the search. A spokesperson with Dell said an unknown individual fired gun shots at the east side of RR 7, breaking three windows. Building 8 was cordoned off as well because the two buildings are connected. Source:

43. September 4, Ars Technica – (International) Secret account in mission-critical router opens power plants to tampering. DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned power utilities, railroad operators, and other large industrial players of a weakness in a widely used router that leaves them open to tampering by untrusted employees. The line of mission-critical routers manufactured by Fremont, California-based GarrettCom contains an undocumented account with a default password that gives unprivileged users access to advanced options and features, an expert in the security of industrial control systems told Ars Technica. The “factory account” makes it possible for untrusted employees or contractors to significantly escalate their privileges and then tamper with electrical switches or other industrial controls that are connected to the devices. ICS-CERT issued an advisory recommending that users of the GarrettCom devices install a security update that locks down the factory account. Source:

44. September 4, SecurityWeek – (International) New Shamoon malware variant appears: Symantec. The Shamoon malware is still infecting computers throughout the world, this time with an updated variant, according to new findings by Symantec. The new version — detected by the firm as W32.Disttrack — wipes files by overwriting them with 192 KB blocks of randomly generated data as opposed to the previous version, which used a 192 KB block filled with a partial image of a burning U.S. flag. “The initial infection vector remains unconfirmed and may vary in different organizations, but once W32.Disttrack is inside a network, it will attempt to spread to every computer within the local area network via network shares,” according to Symantec’s Security Response Team. Source:

For another story, see item 13 above in the Banking and Finance Sector

Communications Sector

For another story, see item 39 above in the Information Technology Sector