Tuesday, November 6, 2012


Daily Report

Top Stories

• In the area's second significant leak, some 7,700 gallons of fuel spilled from Phillips 66's Bayway refinery in Linden, New Jersey, after Hurricane Sandy, the U.S. Coast Guard said November 5. – Reuters

1. November 5, Reuters – (New Jersey) Fuel spill reported at NJ refinery after Sandy. Some 7,700 gallons of fuel spilled from Phillips 66's Bayway refinery in Linden, New Jersey, after Hurricane Sandy, the U.S. Coast Guard said November 5, reporting the second significant leak at the New York harbor oil trading hub. The spill was reported after residents in nearby Bayonne, New Jersey, complained about diesel fumes. It was not clear what type of fuel leaked from the refinery or what measures were taken to contain it. A similar-sized spill was reported the week of October 29 at Motiva Enterprise's Sewaren, New Jersey, terminal, which was one of the hardest hit among the oil docks, tank farms, and truck depots that dot the harbor and supply fuel to the New York City metropolis. It was unclear whether the spill at Phillips 66's Bayway refinery would have any impact on operations at the refinery, a major gasoline producer in the region. Source: http://af.reuters.com/article/commoditiesNews/idAFL1E8M56R020121105

• November 2, banks in the New Jersey shore towns were stocking up on cash; six area banks suffered complete closures while seven others could not be reached by regulators. – Dow Jones Newswires

11. November 2, Dow Jones Newswires – (New Jersey) Banks, customers struggle in Sandy's wake. Banks in the New Jersey shore towns that took the brunt of superstorm Sandy were stocking up on cash as tens of thousands of customers were left largely without access to electronic payment methods such as credit cards and online purchasing, the Dow Jones Newswires reported November 2. The nearly 50 bank companies that operate in the region were plugging away at serving them while assessing damage to branches and other facilities. Out of 300 banks with their headquarters in New Jersey and New York, 6 suffered complete closures and 7 others could not be reached by regulators, the Federal Deposit Insurance Corporation said. Bankers were reluctant to quantify cash demands and inventories for security purposes, but generally said withdrawals and branch activity were high. Meanwhile, businesses that receive payments in cash, such as gas stations that were unable or unwilling to accept electronic payments, were making large cash deposits. One bank in the area had not yet been able to resume armored-car cash deliveries, and was limiting customer withdrawals to $500. All the bank's ATMs were down because there was no Internet service. The bank also began trying to determine the damage to retailers, motels, restaurants, and homes comprising its loan portfolio. Federal bank regulators said they would not criticize "prudent efforts" to change terms on loans to borrowers affected by the storm. Regulators also said they did not expect to assess penalties for missing regulatory data deadlines. Source: http://www.foxbusiness.com/news/2012/11/02/banks-customers-struggle-insandy-Wake/

• The recall of hundreds of drugs by Ameridose Llc., may be exacerbating shortages for surgery and heart failure medicines. The Food and Drug Administration said November 2 that they are working with other manufacturers to ramp up production and may consider foreign suppliers. – Bloomberg

25. November 2, Bloomberg – (National) Ameridose recalls cause shortage of medicines. Regulators said the recall of hundreds of drugs by Ameridose Llc., a compounding pharmacy associated with the U.S. meningitis outbreak, may be exacerbating shortages of medicines used for surgery and heart failure. The Food and Drug Administration is working with other manufacturers to ramp up production and may consider foreign suppliers, the FDA commissioner said November 2. The drugs Ameridose made were already in short supply and include local anesthesias, muscle relaxers to prevent movement during surgery, and high-dose diuretics to remove fluids during congestive heart failure. "We have doubled the number of staff members who work in drug shortage prevention and response," the commissioner said. Source: http://www.star-telegram.com/2012/11/02/4384649/ameridose-recalls-causeshortage.Html

• Seven people were wounded when someone opened fire November 3 at the Coastal Empire Fair in Savannah, Georgia. Police continued to search for the gunman and investigators have not ruled out the possibility there was more than one shooter. – Associated Press; CBS News

42. November 5, Associated Press; CBS News – (Georgia) Seven people wounded during shooting at crowded Ga. fair, police say. Seven people were wounded November 3 when someone opened fire at the crowded Coastal Empire Fair in Savannah, Georgia. Police continued to search for the gunman, who was described as wearing a dark jumpsuit, although investigators have not ruled out the possibility there was more than one shooter. Several people were detained and questioned, but they were all released by investigators. Police announced no arrests November 4 and released no further information on what happened inside the fairgrounds or what motivated the shootings. The police spokesman said the victim believed to be most seriously wounded underwent surgery and was listed in fair condition. None of the injuries were considered life-threatening. Source: http://www.cbsnews.com/8301-504083_162-57544966-504083/seven-peoplewounded-during-shooting-at-crowded-ga-fair-police-say/

Details

Banking and Finance Sector

9. November 4, WGCL 19 Atlanta – (Georgia) Hall of Fame coach accused in Ponzi scheme. A college football Hall of Fame coach was charged in an $80 million Ponzi scheme, WGCL 19 Atlanta reported November 4. The former University of Georgia coach is accused of swindling millions from fellow coaches, sports commentators, and athletes in purported investments. He allegedly paid himself $14 million. The Securities and Exchange Commission (SEC) launched an investigation into allegations that the coach orchestrated a Ponzi scheme for his own profit. "What was represented to investors was that their money would be used to invest in loads, usually truck loads of unsold merchandise from various chains that would then be resold at a profit. Often investors were told that it was pre-sold and that there was little risk," a SEC Associate Regional Director said. But the SEC investigation found very little merchandise was ever purchased, making it impossible for the company to ever pay out the returns that the coach promised. Source: http://www.cbsatlanta.com/story/19990120/hall-of-fame-coach-jim-donnanaccused-in-ponzi-scheme

10. November 4, KREX 5 Grand Junction – (Colorado) FBI searches for suspect wanted in multiple Colo. bank robberies. The FBI joined the effort to catch the suspect known as the "Clearinghouse Bandit", wanted in 11 bank robberies from Denver to Colorado Springs, KREX 5 Grand Junction reported November 4. The robberies occurred between August 1 and November 1. Seven were in Denver, 3 were in Aurora, and 1 was in Colorado Springs. Multiple witness accounts, as well as pictures, show the suspect carrying a "Publisher's Clearing House" magazine. Source: http://www.krextv.com/news/around-the-region/FBI-Searches-for-Clearinghouse-Bandit-177122901.html

12. November 2, Infosecurity – (International) New FakeToken Android banking Trojan steals logins directly. A new variant of the "FakeToken" financial attack on Android devices has targeted customers of several banks in Europe this year, warn security researchers, according to Infosecurity November 2. Unlike other banking Trojans making the rounds, this new threat has no need to first infect PCs to steal bank account passwords. According to analysis by a malware researcher at McAfee Labs, a new version of the Android/FakeToken malware goes back to basics: it is distributed through phishing emails pretending to be sent by the targeted bank. This malware attack simulates the real Internet banking site by asking for confidential information like personal email and phone number, which is then used to initiate the mobile attack. Additionally, unlike previous Trojan bankers for Android such as the first FakeToken version and Zitmo/Spitmo, both authentication factors (Internet password and mTAN) are stolen directly from the mobile device. The Trojan also has other means of distribution, including Web page injection and redirects that lead to a fake security app. Source: http://www.infosecurity-magazine.com/view/29134/new-faketoken-androidbanking-trojan-steals-logins-directly/

13. November 2, East Valley Tribune – (Arizona) Gilbert man, sons arrested on suspicion of bank fraud, money laundering, ID theft at Chandler store. A father and his two sons face federal charges following their arrests involving a $10 million money order scheme authorities said stemmed from a market in Chandler, Arizona. The father and his sons were arrested on suspicion of conspiracy, bank fraud, money laundering, and aggravated identity theft charges October 31 following a 46-count indictment by a federal grand jury, according to Immigration and Customs Enforcement (ICE). The 46-count indictment alleges the trio operated a money order fraud scheme from the Mama Mia Panaderia and Market, which is owned by the father. According to the indictment, the father contracted with Merchants Bank of California in order for the store to sell the bank’s Unigram money orders. The store also maintained two business accounts with Wells Fargo Bank. Beginning around May 2010, the trio is alleged to have conspired to operate a scheme in which the store issued thousands of false, worthless money orders, utilizing fictitious names. These false money orders were then deposited into the Wells Fargo business accounts, thus artificially inflating the account balances, so that funds were made available to pay Merchants Bank for issuing the money orders. The indictment alleges that the defendants issued and deposited more than 10,000 false money orders totaling approximately $10 million. A portion of those funds was unlawfully withdrawn by the defendants for their personal and business use. Source: http://www.eastvalleytribune.com/local/cop_shop/article_05bebe12-2544-11e2-9274-001a4bcf887a.html

14. November 2, KDVR 31 Denver – (Colorado) FBI looking for serial robber called ‘Brady Bunch Bandit’. The FBI was asking for the public’s help in finding a man they have dubbed the "Brady Bunch Bandit", who is responsible for robbing six banks in the Denver metro area, KDVR 31 Denver reported November 2. According to the FBI, the man robbed banks in Centennial and Aurora. The first robbery happened at a Chase Bank September 1. The most recent robbery was at a TCF Bank October 29 in Aurora. The FBI named the man the Brady Bunch Bandit because witnesses said he resembles one of the male co-stars from the early 1970’s American sitcom The Brady Bunch, an FBI spokesman said. Officials have said the man will enter the bank and give the teller a demand note. He then flees on foot, the spokesman said.

15. November 2, Softpedia – (International) Malware alert: Discover Card account notes. A couple of malicious Discover Card emails were making the rounds for several days, attempting to trick recipients into clicking on links that point to malware-serving Web sites, Softpedia reported November 2. They both purport to come from "Discover Account Notes." One of them informs recipients of "detail changes" and the other one is entitled "Substantial Information about your Discover Account." Source: http://news.softpedia.com/news/Malware-Alert-Discover-Card-Account-Notes-304055.shtml

Information Technology Sector

35. November 5, Softpedia – (International) Researchers find smishing vulnerability in Android, all versions affected. Researchers from North Carolina State University identified a smishing vulnerability that affects all versions of Android, including Jelly Bean, Ice Cream Sandwich, Froyo, and Gingerbread. Smishing attacks are phishing attacks that rely on SMS messages. They are often utilized by cybercriminals to steal information from unsuspecting mobile phone users. According to an associate professor at the university’s Department of Computer Science, the security hole can be leveraged by an application to create fake arbitrary SMS messages. "One serious aspect of the vulnerability is that it does not require the (exploiting) app to request any permission to launch the attack (In other words, this can be characterized as a WRITE_SMS capability leak.)," he explained. Google was informed of the vulnerability. The company promised to address the issue in a future Android release. Source: http://news.softpedia.com/news/Researchers-Find-Smishing-Vulnerability-in-Android-All-Versions-Affected-Video-304464.shtml

36. November 5, Softpedia – (International) F-Secure releases Mobile Threat Report for Q3 2012. F-Secure released its Mobile Threat Report for the third quarter of 2012. The study focuses on potentially unwanted software, the pieces of spyware, and the pieces of malware that posed the greatest threat to mobile phone users in the past 4 months. For Android, 51,447 unique pieces of malware were detected in the third quarter. Although Google introduced Bouncer as an extra layer of security for Google Play, the number of malicious samples still increased. Experts believe this increase is most likely caused by the growth in Android smartphone adoption. As Crossbeam representatives highlighted, it is not easy for mobile network operators to secure their infrastructures when millions of new devices are added almost simultaneously. The same must also be true for Web sites that host mobile phone applications. The smartphone markets of Russia and China have grown considerably and experts say that this expansion has "also been notable for the proliferation of less secure third-party apps markets, which are popular with users for various reasons. This factor may also account for the increasing number of malicious samples seen this quarter," the report reads. In total, 42 new malware families and new variants of existing families were spotted. Source: http://news.softpedia.com/news/F-Secure-Releases-Mobile-Threat-Report-for-Q3-2012-304439.shtml

37. November 5, The H – (International) Malware disguised as an MMS message. Cybercriminals are currently spreading malware by sending a large number of email messages purporting to be from Vodafone's MMS gateway. These emails have the subject "You have received a new message" and claim that the recipient has been sent a picture message over MMS from a Vodafone customer. The Vodafone email address used and the supposed telephone number sending the messages vary; even the country code is changed based on the location being targeted. The messages say that a picture message is in the attached "Vodafone_MMS.zip" file. However, once unzipped, it only contains an executable named "Vodafone_MMS.jpg.exe" that will install malware onto a victim's system when launched. According to VirusTotal, the malware is currently detected by just 8 of the 44 anti-virus programs used by the online virus scanner service. An analysis of the file in a sandbox leaves no doubt about its malicious intentions: among other things, it copies itself to C:\Documents and Settings\All Users\svchost.exe and then hides itself under SunJavaUpdateSched to launch when Windows first boots. Source: http://www.h-online.com/security/news/item/Malware-disguised-as-an-MMSmessage-1743608.html
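The item above names two concrete indicators: an archive whose only member is an executable hiding behind a ".jpg.exe" double extension, and a Run-key value named after the Java updater that points at an svchost.exe copy outside System32. The script below, added here as an example and not code from the report, The H, or VirusTotal, turns those two indicators into checks a mail gateway or a host-hunting script could run. The extension lists, the registry export lines, and the archive contents are constructed for the example; only the file name, the drop path, and the value name come from the item.

```python
"""Added example: two detections for the Vodafone MMS lure described above.
Constructed sample data; not the real malware and not the original article's code."""
import io
import ntpath
import re
import zipfile
from typing import Dict, List, Tuple

# Assumption: a typical attachment blocklist of extensions Windows executes.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
# Extensions a recipient expects to be harmless media or documents.
DECOY_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}

# One value line of a .reg export, e.g. "Name"="C:\\path\\prog.exe"
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def suspicious_members(zip_bytes: bytes) -> List[Tuple[str, str]]:
    """Return (member name, reason) for every executable inside the archive,
    noting when it hides behind a decoy extension such as '.jpg.exe'."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            parts = info.filename.rsplit("/", 1)[-1].lower().split(".")
            if len(parts) < 2:
                continue                      # no extension at all
            real_ext = "." + parts[-1]
            if real_ext not in EXECUTABLE_EXTS:
                continue
            decoy_ext = "." + parts[-2] if len(parts) >= 3 else ""
            if decoy_ext in DECOY_EXTS:
                findings.append((info.filename, f"executable disguised as {decoy_ext}"))
            else:
                findings.append((info.filename, "executable"))
    return findings


def suspicious_run_entries(reg_lines: List[str]) -> List[Tuple[str, str]]:
    """Flag Run-key values whose target is an svchost.exe outside System32 or
    SysWOW64; the genuine service host never runs from an All Users folder."""
    hits = []
    for line in reg_lines:
        m = RUN_VALUE_RE.match(line.strip())
        if not m:
            continue
        name, raw = m.groups()
        path = raw.replace("\\\\", "\\")      # undo .reg backslash escaping
        exe = ntpath.basename(path).lower()
        parent = ntpath.dirname(path).lower()
        if exe == "svchost.exe" and not parent.endswith(("\\system32", "\\syswow64")):
            hits.append((name, path))
    return hits


def build_zip(members: Dict[str, bytes]) -> bytes:
    """Constructed helper: build an in-memory zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: the lure's layout (an MZ header stands in for the
# dropper) and an ordinary picture message for comparison.
LURE_ZIP = build_zip({"Vodafone_MMS.jpg.exe": b"MZ" + b"\x00" * 62})
BENIGN_ZIP = build_zip({"IMG_0042.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32})

# Constructed .reg export: the genuine Java updater value (jusched.exe) and the
# malware's look-alike pointing at the All Users svchost.exe copy from the item.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre6\\bin\\jusched.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Documents and Settings\\All Users\\svchost.exe"
'''.splitlines()

if __name__ == "__main__":
    print("lure:", suspicious_members(LURE_ZIP))
    print("benign:", suspicious_members(BENIGN_ZIP))
    print("run keys:", suspicious_run_entries(SAMPLE_REG))
```

The archive check deliberately keys on the last extension rather than the decoy, so a renamed "Vodafone_MMS.pdf.scr" trips it too; the registry check keys on where svchost.exe lives rather than on the value name, because the legitimate Java updater uses the same SunJavaUpdateSched name and must not be flagged.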

38. November 5, The Register – (International) More VMware secret source splattered across Internet. VMware confirmed that the source code for old versions of its ESX technology was leaked by hackers the weekend of November 3, but played down the significance of the spill. The virtualization company said November 4 that the exposed portions of its hypervisor date back to 2004, and the leak follows the disclosure of VMware source code in April. "It is possible that more related files will be posted in the future," VMware's director of platform security explained. "We take customer security seriously and have engaged our VMware Security Response Center to thoroughly investigate." He said customers who apply the latest product updates and patches, in addition to following system hardening guidelines, should be protected against attacks developed in the wake of the code leak. Source: http://www.theregister.co.uk/2012/11/05/vmware_source_code_leak/

39. November 3, Softpedia – (International) Hackers use malware to steal photos, blackmail users. Experts identified a piece of malware whose main goal is to steal all the picture files from an infected computer and upload them to a remote FTP server. .JPG, .JPEG, and .DMP files can contain information cybercriminals can use for identity theft, blackmail, or targeted attacks. This is probably why the main goal of the TSPY_PIXSTEAL.A malware identified by Trend Micro is to steal these types of files from infected computers. TSPY_PIXSTEAL.A scans the affected machine for the aforementioned files and copies them all into its own directory. When this task is complete, it connects to an FTP server and uploads the first 20,000 files.

40. November 2, The Register – (National) One in seven North American home networks full of malware. One in seven home networks in North America are infected with malware, a recent study reveals. Half the threats detected during the third quarter of 2012 were made up of spam-distributing zombies or banking trojans, while the remainder were mostly adware and other lesser threats, according to the study by Kindsight Security Labs. The study was based on data gathered from the security firm's service provider customers. Consumers most commonly get infected with malware after visiting Web sites contaminated with exploit kits via drive-by attacks. Kindsight names the ZeroAccess botnet as among the worst menaces to Internet safety. ZeroAccess was the most active botnet in the third quarter, with more than 2 million infected users worldwide, 685,000 of them in the United States alone. Source: http://www.theregister.co.uk/2012/11/02/malware_infestation_us_survey/

Communications Sector

41. November 4, ZDNet – (National) Verizon, AT&T networks more than 95 percent working post-Sandy. Verizon, the country's largest cellular network by subscribers, and AT&T, the second largest, said November 4 that their networks are close to being fully operational on the East Coast, days after Hurricane Sandy hit more than 10 States. While many remain without Internet access and have no estimate as to when their service will resume, cellular networks are beginning to operate semi-normally across major metropolitan areas. AT&T said nearly 97 percent of its cell masts in Sandy-hit regions are now operational. Also, more than 90 percent of its cell masts in New York City are running again, up from 80 percent November 1. Verizon said 98.1 percent of cell masts in the Northeast are now working, and that voice and text messaging overages will be credited to Verizon cellular subscribers in New York City and New Jersey. Sandy knocked out 25 percent of the country's wireless companies' cell sites in the States affected by the storm, the Federal Communications Commission said October 30.



Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.