Tuesday, December 4, 2012

Daily Report

Top Stories

 • The latest storm system to drench northern California — the third to hit the area in less than a week — moved across the region the weekend of December 1, toppling trees and knocking out electrical service to tens of thousands of people. – Associated Press

1.               December 3, Associated Press – (California) Third storm in a week drenches NorCal, flood warning issued in Solano. Across northern California December 2, a powerful storm drenched the area with yet another round of pounding rain and strong winds. The latest storm system — the third to hit the area in less than a week — moved across the region the weekend of December 1 and 2 dropping as much as an inch of rain per hour in some areas, toppling trees and knocking out electrical service to tens of thousands of people, officials said. In Solano County, the National Weather Service issued a small stream flood advisory that remained in effect through December 3. The National Weather Service warned that several rivers were in danger of topping their banks. Flood warnings were in effect for the Napa and Russian rivers, two rivers north of San Francisco with a history of flooding, as well as the Truckee River, near Lake Tahoe. In bracing for the storm, city officials handed out more than 8,000 sandbags and about 150 tons of sand. Around 94,000 people from Santa Cruz to Eureka, including about 21,000 people in the San Francisco Bay area, were without electricity December 2, said a Pacific Gas & Electric (PG&E) spokesman. About 2,000 PG&E crews were working to try to restore power. Wind gusts, recorded as high as 60 miles per hour in parts of the Bay area, were blamed for knocking over a big rig truck as it drove over the Richmond-San Rafael Bridge December 2. Tow crews had to wait for the winds to subside later in the morning before they could remove the truck, officials said. Train service on the Bay Area Rapid Transit was disrupted for about an hour December 2 because of an electrical outage blamed on the weather. Source: http://www.thereporter.com/ci_22113711/third-storm-week-drenches-norcal-flood-warning-issued

 • Federal authorities were hunting November 29 for more than 100 rifles stolen from a boxcar parked in an Atlanta train yard, the Associated Press reported November 30. The weapons include assault rifles that a Bureau of Alcohol, Tobacco, Firearms and Explosives spokesman described as “AK-style.” – Associated Press

12. November 30, Associated Press – (Georgia) Atlanta train car robbery: Over 100 rifles stolen. Federal authorities were hunting November 29 for more than 100 rifles stolen from a boxcar parked in an Atlanta train yard, the Associated Press reported November 30. The weapons were taken from a CSX rail yard on the city’s northwest side in mid-November, said a spokesman for the U.S. Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). The weapons include assault rifles that the ATF spokesman described as “AK-style.” The boxcar was parked at the CSX Tilford Yard, about 4 miles northwest of downtown Atlanta. A spokesman for rail line CSX Corp. said the Jacksonville, Florida-based company was cooperating with law enforcement to recover the weapons and investigate the theft. The rifles were stolen on or around November 12, authorities said. The Tilford Yard is one of the company’s major rail yards in Georgia, according to the company’s website. Source: http://www.huffingtonpost.com/2012/11/30/atlanta-train-car-robbery-rifles_n_2217171.html

 • At least 42 people in 20 States have fallen ill with Salmonella in the outbreak linked to peanut butter made by Sunland Inc. in Portales, New Mexico, according to the U.S. Centers for Disease Control and Prevention. The outbreak is believed to have ended, Food Safety News reported November 30. – Food Safety News

22. November 30, Food Safety News – (National) Final case count on peanut butter Salmonella outbreak hits 42. At least 42 people in 20 States have fallen ill with Salmonella in the outbreak linked to peanut butter made by Sunland Inc. in Portales, New Mexico, according to the U.S. Centers for Disease Control and Prevention. The outbreak is believed to have ended, Food Safety News reported November 30. One new case was reported in North Carolina since the previous update November 8. The outbreak was first reported in September after a number of patients fell ill with Salmonella that was traced back to Trader Joe’s Valencia Peanut Butter, manufactured by Sunland. The U.S. Food and Drug Administration suspended the registration of Sunland November 26 to prevent it from selling its products anywhere in the U.S. until proving they are produced safely. It was the first time the agency has used that authority since being granted with the passing of the federal Food Safety Modernization Act in January 2011. Source: http://www.foodsafetynews.com/2012/11/final-case-count-on-peanut-butter-salmonella-outbreak-hits-42/

 • A town in northwest Louisiana was evacuated November 30, and State Police were starting a criminal investigation of a company after finding about 6 million pounds of explosive material used in howitzers they said was stored illegally. – Associated Press

29. December 3, Associated Press – (Louisiana) La. town evacuates; police relocate explosives. A town in northwest Louisiana was evacuated, November 30, and State police were starting a criminal investigation of a company after finding about 6 million pounds of explosive material used in howitzers they said was stored illegally. Boxes and small barrels of the M6 artillery propellant were found both outdoors and crammed into unauthorized buildings leased by Explo Systems Inc. at Camp Minden, the former Louisiana Army Ammunitions Plant, a State Police superintendent said December 2. Police were evacuating the town of Doyline. About half the town’s 800 residents left November 30. The company’s “careless and reckless disregard made it unsafe for their own employees, for schoolchildren in Doyline, for the town of Doyline,” a State Police official said. The company is located on a portion of the former ammunition plant’s 15,000 acres that is leased for commercial use. Other sections are used for National Guard training. Company officials could not be reached December 2. Source: http://www.wsvn.com/news/articles/national/21009223761427/la-town-evacuates-police-relocate-explosives/


Banking and Finance Sector
4. December 2, Chicago Sun-Times – (Illinois) ‘Stringer Bell Bandit’ in custody. The ‘Stringer Bell Bandit’ — who allegedly robbed or tried robbing at least 10 Chicago banks since October — is in custody, according to the FBI’s Bandit Tracker Web site, the Chicago Sun-Times reported December 2. Among the banks allegedly robbed by the bandit was a Citibank branch November 26. He allegedly passed a note to the teller demanding cash and then ran on foot. The bandit allegedly struck the same bank November 13, according to the FBI. That same day, he also attempted a bank robbery at a Chase branch, but for some reason he fled without grabbing any cash, authorities claimed. According to the FBI, the man is also suspected of robbing a Bank of America branch October 1; a Citibank branch October 17; a PNC Bank branch October 23; a Fifth Third Bank branch November 2; a Citibank branch November 8; and a Harris Bank branch November 16. Source: http://www.suntimes.com/news/16771485-418/stringer-bell-bandit-in-custody.html

5. December 1, Associated Press – (California) ‘Tiger Bandit’ linked to 6 Calif. bank robberies. The FBI said a suspected robber dubbed the Tiger Bandit may be connected to six southern California bank heists in eight days, the most recent taking place at a U.S. Bank branch in Lomita November 30. A FBI spokeswoman said the suspect got his name because he was caught in surveillance photos wearing a Detroit Tigers baseball cap. He is also linked to bank robberies in Santa Monica, Huntington Beach, Marina del Rey, Long Beach, and Cerritos since November 23. The suspect demands cash in various denominations. Investigators believe there is a possibility that the Tiger Bandit may actually be two men working together who dress similarly. Source: http://www.mercurynews.com/breaking-news/ci_22106014/tiger-bandit-linked-6-calif-bank-robberies

6. December 1, Associated Press – (North Dakota) Guilty pleas entered in ND mortgage fraud case. Two people charged in the case of a defunct Arizona mortgage lender accused of swindling Bismarck, North Dakota-based BNC National Bank out of about $27 million pleaded guilty, the Associated Press reported December 1. The former director of accounting with American Mortgage Specialists Inc. (AMS) and an independent auditor were among four people charged in federal court. Two AMS executives pleaded guilty earlier to conspiracy to commit bank fraud and wire fraud. Authorities said AMS defrauded the bank by providing it with false financial statements and other information about the status of loans the bank had financed. Source: http://www.wahpetondailynews.com/article_8019725a-3bca-11e2-b5bb-001a4bcf887a.html

7. November 30, Kansas City Business Journal – (Missouri) Grand jury indicts Liberty woman in $5M mortgage fraud. A Liberty, Missouri woman was indicted by a federal grand jury November 28 for her role in a $5 million mortgage fraud scheme. According to the indictment, she helped people buy homes with no money down by filling out false and fraudulent applications. She allegedly pocketed $400,000 from loan proceeds and fees in the scheme. She was charged with five counts of bank fraud, two counts of wire fraud, and one count of money laundering. She was also charged with obstruction of justice for allegedly destroying documents sought in the investigation. Additionally, she was charged with theft of government property. The indictments claim she received almost $79,000 in Social Security disability payments to which she was not entitled. Source: http://www.bizjournals.com/kansascity/news/2012/11/30/grand-jury-indicts-liberty-woman-in.html

8. November 30, Rockford Register-Star – (Illinois) Rock River Valley’s Alpine Bank hit with security breach. Alpine Bank, the largest financial institution in Rock River Valley, Illinois, notified some customers that hackers gained access to Social Security and bank account numbers in September, the Rockford Register-Star reported November 30. The Alpine Bank president and CEO said that September 1 someone “gained access to customer information in a database which was located on a Web server managed by a third party that Alpine Bank contracted with for Web hosting services.” The information on the server was encrypted, but a forensic expert notified the bank that personal information was at risk despite the encryption. The president and CEO said so far the bank was not aware of any attempts to misuse the personal information stored in the database. Still, the bank notified affected customers to warn them to take extra steps to monitor their identity, credit, and financial accounts. Alpine Bank is offering those customers one year of credit monitoring at no cost. Source: http://www.rrstar.com/blogs/alexgary/x1156349536/Alpine-Bank-hit-with-security-breach

9. November 30, Associated Press – (Connecticut) Conn. investment industry executive pays $1.4M to settle federal insider trading charges. A Westport, Connecticut investment industry executive paid $1.4 million to settle insider trading charges, federal regulators said November 30. The executive, who founded investment advisory firm Compass Group Management, gained access to nonpublic information at an Internet site where bidding companies could learn more about the financial condition of Patriot Capital Funding Group before its sale, the U.S. Securities and Exchange Commission (SEC) said. For access to the data, Compass Group had to agree to keep information confidential, which prohibited employees from buying Patriot Capital stock. The executive still purchased shares soon after Compass Group gained access to the confidential information and bought even more stock after he learned that Compass Group’s bid was what he described as “waaaaay off” compared with bids from other companies, regulators said. Patriot Capital’s share price more than doubled after a merger was publicly announced, and the executive realized more than $676,000 in illegal profits, the SEC said. Source: http://www.washingtonpost.com/business/conn-investment-industry-executive-pays-14m-to-settle-federal-insider-trading-charges/2012/11/30/7a02ff9c-3b13-11e2-9258-ac7c78d5c680_story.html
For another story, see item 36 below in the Information Technology Sector

Information Technology Sector

33. December 3, Softpedia – (International) Dockster Mac malware planted on website dedicated to Dalai Lama. Researchers from security firm F-Secure have identified a new Mac malware planted on a Web site dedicated to Dalai Lama. The malicious element, Dockster, uses a Java-based exploit which leverages the same vulnerability as Flashback. Once it finds itself on a computer, Dockster drops a backdoor identified as Backdoor:OSX/Dockster.A, which allows the attacker to download arbitrary files and log keystrokes. According to experts, the latest versions of Mac OS X are not affected by this malware. Furthermore, internauts who have disabled their Java browser plugins should also be safe. Mac users are not the only ones who should refrain from visiting the Web site. Researchers reveal that it also hosts a Windows payload identified as Trojan.Agent.AXMO. The site is not the official Dalai Lama Web site, but it has been around since 2009/2010. Source: http://news.softpedia.com/news/Dockster-Mac-Malware-Planted-on-Website-Dedicated-to-Dalai-Lama-311499.shtml

34. December 3, Softpedia – (International) Sophos releases technical paper on BlackHole exploit kit. A Sophos Labs researcher released a technical paper that details the notorious BlackHole exploit kit. The paper details the evolution of BlackHole, its source code, the control panel, encryption, and its origins. According to the researcher, there is evidence to support the theory that the exploit kit was developed in Russia. The default time zone of the installation is hardcoded to Europe/Moscow, the user interface language default is set to Russian, and the date format is set to Little Endian, which is different than the one utilized in the U.S. or China. Furthermore, the English user interface text is less correct than the one in the Russian interface. Source: http://news.softpedia.com/news/Sophos-Releases-Technical-Paper-on-BlackHole-Exploit-Kit-311408.shtml

35. December 3, The H – (International) Season’s gr3371ng5 - hacker releases exploits for MySQL and SSH. The hacker who goes by the name KingCope released several exploits December 2, some of which date back to 2011. The exploits mostly target the now-Oracle-owned MySQL open source database, but the SSH servers by SSH Communications Security and FreeSSHd/FreeFTPd are also at acute risk. The MySQL exploits do, however, require a legitimate database connection to execute injected code. Exploits such as “mysqljackpot” then, for example, misuse the connection’s “file privilege” to provide the attacker with shell access at system privilege level. The hacker also describes a hole that allows attackers to trigger a database crash and another hole that enables them to find valid user names. Apparently, both holes can be exploited to bypass the password check and log in with an arbitrary password. With SSH’s Tectia server, the exploit description says that attackers can modify a legitimate user’s password by calling input_userauth_passwd_changereq() before logging in. In case of the FreeSSHd/FreeFTPd server, all that appears to be required is to ignore a refusal message by the server and declare the session to be open at the right time. All the exploit has to do is add an extra call to the existing ssh_session2() function of the regular openssh client. Source: http://www.h-online.com/security/news/item/Season-s-gr3371ng5-hacker-releases-exploits-for-MySQL-and-SSH-1761125.html

36. December 1, eWeek.com – (International) Microsoft can retain control of Zeus botnet under federal court order. A federal court granted Microsoft permission to keep two major Zeus banking fraud botnets down for the next two years to allow more time to clean up trojan-infected computers. Microsoft won the court order November 28 to allow the company and its financial-services partners to continue to administer command-and-control servers for two Zeus botnets that had been shut down by the company’s legal and technical campaign in March. The motion for a default judgment, which was granted by the U.S. District Court in the Eastern District of New York, gives Microsoft and the National Automated Clearing House Association (NACHA) an injunction that allows the companies to keep the two Zeus botnets and their associated domains disabled for another 24 months. The original takedown, codenamed Operation b71, seized command-and-control servers in Pennsylvania and Illinois and disrupted the online-fraud networks. “This additional time will allow Microsoft to continue to work with Internet service providers and Computer Emergency Response Teams (CERTs) to clean those computers that are still infected with the malware,” the senior attorney for Microsoft’s Digital Crimes Unit said in an email interview. Source: http://www.eweek.com/security/microsoft-can-retain-control-of-zeus-botnet-under-federal-court-order/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+RSS/eweeksecurity+(eWEEK+Security)&utm_content=Google+Reader

Communications Sector

37. December 1, Port Townsend & Jefferson County Leader – (Washington) Cell, Internet, phone service disruption caused when communication cable nicked by dump truck. A dump truck disrupted cell phone, landline phone, and Internet connections in Port Townsend, Washington, and other parts of East Jefferson County December 1. It also knocked out access to local law enforcement and emergency services, bank ATMs, and credit card machines. According to a CenturyLink crew chief in Jefferson County, more than 144 fiberoptic splices must be made before communications are running again. Representatives said that repairs should be completed by December 1. Source: http://www.ptleader.com/main.asp?SectionID=36&SubSectionID=55&ArticleID=32606

Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List:     Send mail to support@govdelivery.com.

Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure
Coordinating Center at  nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at  soc@us-cert.gov or visit their Web page at  www.us-cert.go v.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.