Tuesday, September 11, 2012

Complete DHS Daily Report for September 11, 2012

Daily Report

Top Stories

• Residents near a chemical plant in Braithwaite, Louisiana, remained under an evacuation order September 10, many days after Hurricane Isaac hammered the facility, pushing more than 100 rail cars off their tracks and knocking storage tanks off their foundations. – WWL 4 New Orleans

7. September 10, WWL 4 New Orleans – (Louisiana) Evacuation order still in effect surrounding Braithwaite chemical plant. People in Braithwaite, Louisiana, who live within half a mile north or south of the Stolthaven chemical plant remained under an evacuation order September 10 because officials were still cleaning up damage caused by Hurricane Isaac. State police had been working to repair the facility for days. Flooding at the facility pushed more than 100 rail cars off their tracks, some of which carried hazardous material. Some tanks were also knocked off their foundations; others carried chemicals that can become explosive if they exceed a certain temperature, a major concern because the plant had lost power. HAZMAT teams brought in chillers and inhibitors to curb chemical reactions. A State police spokesman said there was no immediate threat and no evidence of a chemical release, but the potential remained. An attorney filed a class action lawsuit against England-based Stolthaven September 4 on behalf of residents affected by the situation. Much of the water in Braithwaite had receded, and officials expected results of surface water tests later in the week of September 10, said a Louisiana Department of Environmental Quality spokesman. Air quality samples had not revealed dangerous levels of chemicals, he added. Stolthaven’s Web site said the firm provides integrated transportation solutions for bulk liquid chemicals, edible oils, and acids. Source: http://www.wwltv.com/home/Evacuation-order-still-in-effect-surrounding-Braithwaite-chemical-plant-169125596.html

• A fire at a subway station that suspended service on three lines in Lower Manhattan and Brooklyn, New York, September 7 may have been caused when someone tried to steal copper wire. – Associated Press

19. September 7, Associated Press – (New York) Fire at Delancey St. station may have started during copper wire theft: Sources. A fire at a subway station suspended service on three lines in Lower Manhattan and Brooklyn, New York, September 7, and sources said there was evidence it started after someone tried to steal copper wire underground. A Metropolitan Transportation Authority spokesperson said a J train became stuck inside a “no power area” at the Essex Street station. The train reversed back to the Essex Street station and about 500 passengers were evacuated. Sources told NBC 4 New York September 7 that the fire could have been sparked when a cable fell across the third rail and a track rail as someone tried to steal the copper wire. The electrical arc along the rail caused the fire and smoke condition. A source said it appears the theft had been going on for months, and in all, as many as 2,000 feet of cable appeared to be missing from the station. Service to the J, Z, and M trains was fully restored after several hours. Source: http://www.nbcnewyork.com/news/local/smoke-condition-m-train-j-train-delancey-essex-train-station-lower-east-side-168952266.html

• An analysis of government breach data shows the number of data breaches increased manifold since January 2009, with the number of hacking incidents for 2012 expected to more than double that of 2011. – Help Net Security

33. September 10, Help Net Security – (National) Data breaches expose 94 million records in the government sector. An analysis of government breach data shows that the government sector reported 268 data breach incidents from January 1, 2009 to May 31, 2012, which exposed more than 94 million records containing personally identifiable information (PII), according to Rapid7. The research revealed a 50 percent increase in the number of compromises affecting the government sector from 2009 to 2010, as well as a skyrocketing rise in the number of records exposed each year, with the number tripling from 2010 to 2011. Unintended disclosure, the loss or theft of portable devices, physical loss, and hacking continue to be the leading causes of breaches. Analyzing data collected and categorized by the Privacy Rights Clearinghouse Chronology of Data Breaches, Rapid7 discovered additional details regarding breach incidents and the government records that were exposed. The number of hacking incidents increased nearly 50 percent year-over-year between 2009 and 2011, with 2012 on pace to more than double the 2011 total. Between January 1, 2012 and May 31, 2012, government agencies reported more hacking incidents than any other type of incident. California (21), the District of Columbia (20), and Texas (16) reported the greatest number of incidents across the country. Source: http://www.net-security.org/secworld.php?id=13553

• The source of the database containing 1 million Apple unique device identifiers published online by hacking group AntiSec was identified September 10 as BlueToad, a Florida-based application publisher and analytics provider. – InformationWeek See item 42 below in the Information Technology Sector

• Four people were taken to the hospital after being among dozens trampled during a storm-induced evacuation at an arena in Upper Marlboro, Maryland. – WUSA 9 Washington

56. September 8, WUSA 9 Washington – (Maryland) Four people taken to hospital in Show Place Arena. Four people were taken to the hospital by the Prince George’s County Fire/EMS Department after being trampled in a stampede during a storm-induced evacuation at an arena in Upper Marlboro, Maryland, September 8. The Prince George’s Fire Department public information officer said the Show Place Arena, which is an open-air venue, was playing host to the Prince George’s County Fair. When a severe thunderstorm moved into the area, the fairgrounds were evacuated. The exit areas were congested as people tried to head for shelter, and some trampling occurred as people tried to get out. About a dozen people were injured, but emergency officials evaluated them and only four were transported to the hospital. None of the injuries were major. There was some damage to structures and tents at the fairgrounds. Source: http://www.wusa9.com/news/article/220411/158/Up-To-A-Dozen-Injuries-Reported-In-Show-Place-Arena-Trampling-Incident-in-Md

• Existing levees will be raised in two northeast Louisiana parishes within a few weeks to bring them up to 500-year flood protection levels. – Associated Press

62. September 10, Associated Press – (Louisiana) Levees to be raised in 2 Louisiana parishes. Existing levees will be raised in two northeast Louisiana parishes within a few weeks, the Associated Press reported September 10. The levees held during the Mississippi River flooding of 2011 but have settled gradually since they were built in 1973. The president of the 5th Louisiana Levee District board said the changes will bring all of East Carroll Parish and most of Concordia Parish to 500-year flood protection levels. The U.S. Army Corps of Engineers said the levees will be raised about 1.5 feet at their three lowest spots. Each section is about 1,000 feet long. One spot is 3 miles south of Transylvania and another is 7 miles south of the town. The third is about 15 miles south of Vidalia. Work should be complete by November. Source: http://www.wafb.com/story/19496196/levees-to-be-raised-in-2-ne-louisiana-parishes

Banking and Finance Sector

13. September 7, U.S. Securities and Exchange Commission – (International) SEC charges asset manager lied to investors, hid major losses while boasting remarkable performance during financial crisis. The Securities and Exchange Commission (SEC) September 7 announced an emergency enforcement action against an asset manager who boasted remarkable investment success throughout the global financial crisis while allegedly exaggerating the value of the assets he manages and concealing major losses from investors. The SEC alleges the asset manager claims to manage $1.5 billion on behalf of investors around the world. But contrary to his proclaimed track record of exceptional risk-adjusted returns for his investors, he actually suffered major losses in 2008 due to his investments in a huge Ponzi scheme and a failed derivative investment program. Rather than admit the losses, he has been overstating the value of his investments in many ways. By boasting benchmark-beating returns, he has continued to attract new investors. However, during the past several months, investors asked for redemptions on their investments. Instead of paying them, he provided a series of excuses ranging from the MF Global collapse to claims that others had placed a hold on investors’ money due to government investigations. The SEC sought and obtained a freeze of U.S.-based assets belonging to the manager and two of his firms, BC Capital Group S.A., based in Panama, and BC Capital Group Limited, based in Hong Kong. In addition to the manager and his companies, the SEC charged an unregistered broker-dealer, who was banned from the industry in a previous SEC enforcement action, for his involvement with the program. Source: http://www.sec.gov/news/press/2012/2012-185.htm

14. September 7, U.S. Securities and Exchange Commission – (National) SEC shuts down San Diego-based real estate investment fraud. The Securities and Exchange Commission (SEC) September 7 announced an asset freeze against a San Diego-based firm and its owner accused of running a real estate investment fraud that raised approximately $50 million from hundreds of investors nationwide. The SEC alleges Western Financial Planning Corporation and its owner sold units in partnerships that Western had organized to buy vacant land in Nevada and hold it for sale at a profit at a later date. The owner and Western failed to tell investors that they were paying an exorbitant mark-up on the land, in some cases more than five times its fair market value. The owner and Western also failed to tell investors that the land held by the partnerships was often encumbered by mortgages that Western had used to help finance the initial purchase of the land. The SEC’s complaint alleges Western and its owner misled investors since 2007 by providing them with comparative prices of supposedly similar plots of land that were in no way comparable to the land sold by Western. The SEC also alleges that since the spring of 2011, Western’s owner paid “hush money” to silence investors who discovered they had been defrauded, allowing the scheme to continue. Source: http://www.sec.gov/news/press/2012/2012-183.htm

15. September 7, Atlanta Journal-Constitution – (Georgia) Suspicious package cleared after DeKalb bank robbery. A robbery attempt at a SunTrust bank branch inside a Publix grocery store in DeKalb, Georgia, led to the temporary evacuation of the entire shopping center September 7 after a suspicious package was left behind, DeKalb County police said. The package, however, turned out to be harmless, according to WSB 2 Atlanta. A bomb squad checked out the package, said a DeKalb police spokeswoman. It was not immediately known whether the robber got away with any money. Source: http://www.ajc.com/news/news/crime-law/suspicious-package-found-after-dekalb-bank-robbery/nR5pc/

Information Technology Sector

42. September 10, InformationWeek – (International) Apple device ID leak traced to BlueToad. The source of the database containing 1 million Apple unique device identifiers (UDIDs) published online the week of September 3 by hacking group AntiSec was identified September 10 as BlueToad, an application publisher and analytics provider based in Orlando, Florida. AntiSec said it obtained the database from the FBI, which subsequently disputed that claim. A security researcher working for the Intrepidus Group said he identified BlueToad from patterns in the database itself. In a blog post published September 10, he explained how he sorted the data, identified some 15,000 duplicated UDID numbers, and then linked some of those numbers to BlueToad. He found names in the database shared by BlueToad employees and also discovered passwords from the company that were leaked online. September 5, in response to queries, BlueToad’s CIO contacted the security researcher and the company began working on a response. September 10, BlueToad’s CEO acknowledged the firm’s systems were compromised the week of September 3, and that the list of Apple UDIDs came from its servers. Source: http://www.informationweek.com/security/privacy/apple-device-id-leak-traced-to-bluetoad/240007032

43. September 10, The H – (International) Foxit Reader 5.4 fixes DLL hijacking vulnerability. The 5.4 release of Foxit Software’s proprietary PDF Reader addresses a Dynamic Link Library (DLL) hijacking vulnerability that could be exploited by an attacker to compromise a victim’s system. According to the company, previous versions of its software contained a security hole that caused it to load and execute malicious code stored in a specially crafted DLL file. For an attack to be successful, a victim must first open a PDF file located in the same directory as a specially crafted version of a system DLL file. Versions up to and including Foxit Reader are affected. Source: http://www.h-online.com/security/news/item/Foxit-Reader-5-4-fixes-DLL-hijacking-vulnerability-1703878.html

44. September 10, Softpedia – (International) DarkShell keylogger comes as Windows help file. Sophos researchers discovered a sample of malware that hides within a .hlp file. The file is called Amministrazione.hlp (Italian for “administration”), and once it is executed, it downloads several additional components onto the affected system: Windows Security Center.exe and RECYCLER.DLL. According to experts, the dynamic link library file is actually a keylogger component of the DarkShell trojan. The malicious component records every keystroke, stores the data in a file, and then sends it to a remote server. Source: http://news.softpedia.com/news/DarkShell-Keylogger-Comes-as-Windows-Help-File-291124.shtml

45. September 10, Ars Technica – (International) Guild Wars 2 officials say password attack, blocked accounts generate 8,500 requests. A password-cracking campaign against players of the popular game Guild Wars 2, combined with account log-in problems, generated more than 8,500 support requests the weekend of September 8, company officials said, adding that the account takeover attacks were in part aided by compromised credentials siphoned from an unnamed fan site that was recently hacked. Officials with Guild Wars 2 developer ArenaNet recently began the practice of proactively emailing customers when someone logs into an account from a new location. They also advised users to choose long, random passwords that are unique to their accounts and to check email only from trusted devices. From September 7-9, officials said they received about 8,500 support requests related to hacked accounts or blocked accounts. By September 10, the company’s support team had helped 2,574 players with hacked accounts get back into the game. It had also restored service to another 2,867 players with other blocking log-in issues. Source: http://arstechnica.com/security/2012/09/guild-wars-2-password-attack-affects-10000-accounts/

46. September 10, The H – (International) Pre-release version of Windows 8 contains Flash hole. The upcoming version 10 of Microsoft’s Internet Explorer includes an integrated version of Flash Player and updates it automatically. However, Windows 8 continues to use version 11.3.372.94, released July 19, even though Adobe released a security update August 15 that was followed by another update a week later. Microsoft’s Malware Protection Center warned customers of this vulnerability, advising them to update Flash Player or implement other security measures. However, Adobe explains that Windows 8 users no longer have the option of manually updating the player and need to rely on Microsoft’s automatic updates. Source: http://www.h-online.com/security/news/item/Pre-release-version-of-Windows-8-contains-Flash-hole-1703494.html

47. September 8, SecurityWeek – (International) RSA: Not enough proof that China is behind the Elderwood gang. September 7, Symantec released a report claiming the Aurora attackers used the same methods to target more than 1,000 in various industry sectors and non-governmental organizations in recent years. The group, dubbed the “Elderwood gang” by Symantec after a parameter used in the attack source code, used a combination of zero-day vulnerabilities and compromised Web servers to launch the attacks, according to a research report released by Symantec Security Response. While there were some commonalities in the attack infrastructure and scripts used, RSA researchers, who were independently tracking the same attacks over the summer of 2012, were not convinced that links existed between the Elderwood gang and the Aurora attackers, the senior manager of RSA’s advanced threat intelligence team said. Source: http://www.securityweek.com/rsa-not-enough-proof-china-behind-elderwood-gang

48. September 7, Threatpost – (International) Backdoor.LV samples on the rise. A strain of malware called Backdoor.LV that uses a custom protocol over port 80 to communicate with its command and control (C&C) server has been consistently increasing its reach since May, according to a report from FireEye. The security firm observed Backdoor.LV determining its host’s NetBIOS name, user, date, locale, and Windows OS name and relaying that data to its C&C server via a customized protocol on port 80. It also identifies itself, letting the C&C server know which particular version of Backdoor.LV it is. Backdoor.LV distributes itself through malicious executables hosted on many Web sites whose IP addresses are located primarily in countries in North Africa, the Arabian Peninsula, and the Middle East. Source: http://threatpost.com/en_us/blogs/backdoorlv-samples-rise-090612

For more stories, see items 33 above in Top Stories and 49 below in the Communications Sector

Communications Sector

49. September 8, North Andover Eagle-Tribune – (Massachusetts) Verizon expects to have repairs done this weekend. Verizon officials said they restored service to all but 50 customers who lost their Internet and phone service after a fire in Lawrence, Massachusetts, nearly 2 weeks earlier, the North Andover Eagle-Tribune reported September 8. A spokesman for Verizon said service had been restored to all but 50 of the roughly 8,000 customers who lost it, and the company expected the remainder to be fixed the weekend of September 8. A smoldering mattress destroyed tens of thousands of copper and glass fiber optic lines under the Central Bridge in Lawrence August 27. The mattress was one of several laid over PVC conduits carrying the telecommunications cables by homeless people who slept under the bridge at night. The outage temporarily knocked out thousands of residents’ and businesses’ communications services, along with a regional hospital-to-ambulance service and North Andover’s 9-1-1 system. Source: http://www.eagletribune.com/local/x1709875070/Verizon-expects-to-have-repairs-done-this-weekend

Department of Homeland Security (DHS)

DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to support@govdelivery.com.

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.