Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, September 17, 2009

Complete DHS Daily Report for September 17, 2009

Daily Report

Top Stories

• According to WBIR 10 Knoxville, five tanker cars each with 30,000 gallons of holding capacity overturned in a train derailment on Tuesday near downtown Knoxville, Tennessee. Two of the five tanker cars leaked about 1,500 gallons of ethanol, and several businesses and residents evacuated themselves from the area after the spill. (See item 4)


4. September 15, WBIR 10 Knoxville – (Tennessee) 3 tankers back on track, now working on overturned cars. Authorities said three tankers are now back on the tracks, following a train derailment near downtown Knoxville. Crews are now focusing on the five cars that were actually overturned. They will likely work until about 4 a.m. Wednesday, according to a Knoxville Fire Department spokesman. Everyone has been cleared to return to their homes and businesses. The businesses on Cooper Street between Bernard and Fifth avenues remained evacuated until late Tuesday, but they should be ready to reopen Wednesday morning. No one has yet arrived to ask for help at a Red Cross Shelter set up at West View Wesleyan Church on Joyce Avenue. Volunteers plan to stay into the early evening hours just in case. The R.J. Corman company headed to Knoxville from West Virginia, with a piece of equipment known as a sidewinder, to right five tanker cars that overturned near downtown Knoxville. Two of those five tanker cars leaked ethanol. This particular ethanol is normally added to gasoline at around a 10 percent blend. Each of the tankers holds 30,000 gallons. About 1,500 gallons of ethanol spilled overall. The Corman workers arrived around 6 p.m. Tuesday night. The sidewinder is a counter-weighted piece of equipment that can pick up the tankers and move them to where they need to be. Several businesses and residents evacuated themselves from the area after the spill, but no one reported to a Red Cross shelter set up on Joyce Avenue. Source: http://www.wbir.com/news/local/story.aspx?storyid=99008&provider=top


• KATU 2 Portland reports that vandals threw acid or paint stripper Sunday overnight on 15 expensive SUVs at the Vic Alfonso Cadillac Dealership in Portland, Oregon, damaging the exteriors. The FBI is helping in the investigation of the vandalism, which could be the effort of an eco-terrorism group. (See item 43)


43. September 15, KATU 2 Portland – (Oregon) Hummers vandalized at local dealership’s lot, FBI stepping in. Vandals in Portland targeted over a dozen expensive SUVs overnight Sunday, throwing acid or paint stripper that damaged the exteriors. Police said no one has claimed responsibility and there is no indication of how many people were involved. The damage is to as many as 15 cars, mostly Hummer models for sale at the Vic Alfonso Cadillac Dealership in Northeast Portland. Paint could be seen peeling off the exterior of one car and others were streaked and stained. The Portland Police Bureau has confirmed that 15 vehicles were damaged. Detectives investigating the case have not released any suspect information. However, they did confirm that agents from the Federal Bureau of Investigation are helping in the investigation. A sociology professor at Portland State University indicated that this could be the effort of an eco-terrorism group. “The environmental groups don’t typically kill anybody,” he said, “but they can cause millions of dollars in damages to property so they get the full attention of federal law enforcement for that reason.” The Earth Liberation Front said on its Web site that it is not claiming responsibility, but said that the act is “an evident response to the impact SUVs and Hummers have on the environment.” Police said there is a possibility that the incident was not an act of so-called eco-terrorism and that anyone could have damaged the vehicles. Source: http://www.katu.com/news/59278337.html


Details

Banking and Finance Sector

14. September 16, New York Times – (International) Billion-dollar pyramid scheme rivets Lebanon. Money disappeared, judicial authorities say, in a billion-dollar pyramid scheme that has riveted Lebanon, a New York Times writer writes from Tura. Its mastermind, a businessman, was charged with fraud on September 12. Bankers say it is the biggest fraud of its kind this country has ever seen. Although the scandal is not likely to affect Lebanon’s broader economy, it could create real problems in the Shiite community, where some major real estate owners and businessmen went into debt to finance their investments. The full extent of the alleged swindle remains unclear, but the judicial official said the amount lost appeared to be at least $700 million, and possibly more than $1 billion. Source: http://dealbook.blogs.nytimes.com/2009/09/16/billion-dollar-pyramid-scheme-rivets-lebanon/


15. September 15, U.S. Department of Justice – (International) California court bars four men from promoting alleged stock-loan tax fraud scheme. A federal judge in San Francisco has issued permanent injunctions barring four individuals from promoting what a government lawsuit describes as a complex tax-fraud scheme involving several entities located around the globe, the Justice Department announced on September 15. A U.S. District Judge signed the injunction orders against two individuals of South Carolina; one from New York; and one from Jilin, China. The four agreed to the injunctions without admitting the government’s allegations against them. The government complaint filed in the case alleges that these four men and other defendants promoted a so-called “90% Stock Loan” program, using entities located in the United States, Hong Kong and the Isle of Man, that falsely purported to enable customers to contribute appreciated stocks or other securities in exchange for payments equal to 90% of the securities’ value without paying income tax on capital gains. Through this scheme, also known as the “Derivium” scheme, named after one of the companies involved, customers were allegedly told that they could avoid income tax because the transaction was a loan rather than a sale. But in fact, the government alleges, customers’ securities were actually sold to raise the funds to pay the customers. According to the complaint, the defendants sold the scheme to approximately 1,700 customers nationwide, in transactions totaling over $1 billion. The complaint alleges that the scheme cost the U.S. Treasury an estimated $230 million or more. The same court barred another defendant from promoting the 90% loan program last year, after he agreed to a permanent injunction without admitting the government’s allegations. Source: http://www.reuters.com/article/pressRelease/idUS182611+15-Sep-2009+PRN20090915


16. September 15, Bloomberg – (New York) House panel to examine SEC, FDIC roles in takeover of Merrill. The Federal Deposit Insurance Corp. chairman and two U.S. Securities and Exchange Commission chairmen will be questioned by lawmakers over their roles in Bank of America Corp.’s takeover of Merrill Lynch & Co. The House Oversight and Government Reform Committee at a September 30 hearing will seek “to better understand the nature and extent of their involvement,” the committee chairman said on September 15 in a statement. The New York Democrat’s panel also will probe Bank of America’s proposed settlement with the SEC on claims the bank misled investors about Merrill Lynch bonuses. The SEC chairman and her predecessor, who led the agency during the Merrill takeover, will also testify, according to the statement. The committee previously questioned the Bank of America Chief Executive Officer, the Federal Reserve Chairman and the former Treasury Secretary. A U.S. District Judge in New York on September 14 rejected a proposed $33 million settlement that would have resolved the SEC’s claim that the company deceived investors about bonuses to be paid Merrill executives. The Judge said the accord appeared to be a “contrivance” between the regulator and Bank of America and questioned why executives or their lawyers were not being sanctioned for the disclosures. Source: http://www.bloomberg.com/apps/news?pid=20601087&sid=afyhuvXnq0FE


Information Technology


39. September 15, Tech Herald – (International) Study: IT focused on the wrong network threats. A new report that looks at data collected from March-August 2009, from the SANS Institute, TippingPoint, and Qualys, essentially says IT security teams are misdirected. Security operations within IT are focused on operating system issues, leaving the two largest security problems, client-side software and web applications, on the back burner. The attack data in the report comes from IPS appliances deployed by TippingPoint at some 6,000 companies and government agencies. Vulnerability data comes from Qualys, via various appliances and software that monitored more than 9,000,000 systems, running over 100,000,000 scans. The combined information from Qualys and TippingPoint was then vetted by the SANS Institute and the Internet Storm Center. The report focuses on three things. The first is that IT operations for the most part are making great strides in patching and securing the infrastructure from operating system threats. Other than the issues with Conficker, there were no new worms based on operating system flaws during the time the data was collected. With that said, the other side of the operating system coin is that the number of buffer overflow attacks tripled from May-June to July-August, accounting for more than 90 percent of the attacks against Windows. The other two issues, mostly ignored by IT security, are the reason buffer overflow attacks worked so well during the testing period. The jump in the overflow-based attacks correlated with the increase in the number of client-side software and web application vulnerabilities. “Waves of targeted email attacks, often called spear phishing, are exploiting client-side vulnerabilities in commonly used programs such as Adobe PDF Reader, QuickTime, Adobe Flash and Microsoft Office. This is currently the primary initial infection vector used to compromise computers that have Internet access,” the report says while discussing client-side software. Source: http://www.thetechherald.com/article.php/200938/4443/Study-IT-focused-on-the-wrong-network-threats


40. September 15, The Register – (International) Australia mulls botnet takedown scheme. Australia is considering adopting a code that would oblige ISPs to contact, and in extreme cases perhaps even disconnect, customers with malware-infested computers. The voluntary eSecurity Code is designed to put a squeeze on the estimated 100,000 zombies in Australia, each of which might be capable of kicking out 10,000 junk emails a day. Pilot data sharing schemes in Australia are praised for reducing the number of malware-infected systems. Around 68 ISPs were involved in a 2007 Australian Internet Security Initiative (AISI) programme credited with reports of 10,000 compromises every day. The scheme cost a relatively modest A$4.7 million over four years. Australia’s Internet Industry Association (IIA) is hoping to extend this scheme via a draft code of conduct, set to be applied from December onwards. A consultation on the programme is due to run until 30 October 2009. Once an ISP following the code has detected a compromised computer, it should contact the customer and offer clean-up advice. The scheme also covers a reporting system. ISPs that adhere to the scheme gain the right to display an IIA tortoise logo on their site. Technology for identifying and blocking compromised clients and for delivering “clean feed” internet traffic exists, but is not cheap. Whether ISPs will be able to create a business model for getting customers to pay the cost of security-enhanced services is a potential obstacle to the scheme. ISPs would be doing the cause of internet hygiene a favour by taking part in a zombie-clampdown scheme, but that is not going to happen if it places them at a competitive disadvantage to those who carry on regardless. Source: http://www.theregister.co.uk/2009/09/15/oz_botnet_takedown_scheme/


Communications Sector

41. September 16, Sky News – (International) Businesses without phones for a week. Thousands of homes and businesses in Sydney’s CBD have lost phone and internet connections after a contractor accidentally severed crucial cables. Contractors working for Energy Australia cut through a bundle of 10,000 Telstra copper wires and several fiber-optic cables near the corner of York and Erskine streets about 9.30pm (AEST) on September 15. The contractors have told Energy Australia they used ‘Dial Before You Dig’ plans before digging, but an audit of the contractors’ work, equipment and procedures is being carried out. A Telstra spokesman said thousands of customers across the northeast of the CBD would be without mobile, fixed and wireless services for about a week. “There will be many thousands, the exact number we don’t know because we’re still plotting where this cable serves in the city,” the spokesman told reporters in Sydney on September 16. Source: http://www.skynews.com.au/topstories/article.aspx?id=373303

42. September 16, Ventura County Star – (California) Outage upsets customers of Verizon. A small fire turned into a big headache this week for thousands of Conejo Valley residents in the incorporated Lynn Ranch area who have been left without telephone and Internet service. The fire burned some bushes on September 13 in an industrial park about a mile west of Lynn Ranch, going up a utility pole and damaging telephone and Internet copper lines in two cables. The cables are owned by Verizon, which said the fire disrupted service for 2,400 of its customers. About 900 of them should have their service restored by September 16, and the company hopes the rest will have service by September 18, a spokesman said. A Verizon spokesman said restoring service to thousands of customers is a labor-intensive process since workers must manually resplice both ends of each cable, including two wires going to each household. The outage has affected schools and other organizations. Madrona Elementary School, in the 600 block of Camino Manzanas, has been without phone service. No one could be reached at the school on September 15 by landline. Source: http://www.venturacountystar.com/news/2009/sep/16/outage-upsets-customers-of-verizon-telephone-way/

Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, September 16, 2009

Complete DHS Daily Report for September 16, 2009

Daily Report

Top Stories

• According to Computerworld, the U.S. Department of Homeland Security is looking at a report by a research scientist in China that shows how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid. (See item 3)


3. September 14, Computerworld – (National) DHS to review report on vulnerability in West Coast power grid. The U.S. Department of Homeland Security is looking at a report by a research scientist in China that shows how a well-placed attack against a small power subnetwork could trigger a cascading failure of the entire West Coast power grid. A network analyst at China’s Dalian University of Technology used publicly available information to model how the West Coast power grid and its component subnetworks are connected. He and another colleague then investigated how a major outage in one subnetwork would affect adjacent subnetworks, according to an article in New Scientist. The aim of the research was to study potential weak spots on the West Coast grid, where an outage on one subnetwork would result in a cascading failure across the entire network. A cascading failure occurs when an outage on one network results in an adjacent network becoming overloaded, triggering a similar set of failures across the entire network. The massive blackouts in the Northeast in August 2003, which affected about 50 million people, were the result of such a cascading failure. His research was expected to show that an outage in a heavily loaded network would result in smaller surrounding networks becoming overwhelmed and causing cascading blackouts. Instead, what the research showed was that under certain conditions, an attacker targeting a lightly loaded subnetwork would be able to cause far more of the grid to trip and fail, New Scientist reported, quoting the researcher. The article does not describe his research (paid subscription required) or any further details of the attack. His report, which appears to have been largely overlooked until the publication of the New Scientist article last week, was completed last November and has been available online since March. A spokesman for DHS’s science and technology directorate said DHS has not reviewed the research but is “very interested in the findings.” In an e-mailed comment, the spokesman said DHS is working on a “self-limiting, high-temperature superconductor” technology that is designed to prevent power surges in one network from affecting surrounding networks. The so-called inherently fault current limiting superconductor technology is part of the DHS’s Resilient Electric Grid project. Source: http://www.computerworld.com/s/article/9138017/DHS_to_review_report_on_vulnerability_in_West_Coast_power_grid
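The cascading-failure mechanism described in item 3 (an outage shifts load onto neighbours, which overload and trip in turn) is easy to see in a small load-redistribution model. The following is an added illustration, not the Dalian University model, the New Scientist article, or any real grid data: the toy network, its loads and capacities are constructed here, and the redistribution rule (a failed node's load is split evenly over its live neighbours) is a deliberately simple assumption. It is set up so that tripping the lightly loaded node L brings down the whole network while tripping the heavily loaded hub H does not, which is the kind of counter-intuitive weak spot a resilience review is looking for.

```python
from collections import deque

# Constructed toy grid for illustration only; not the Dalian model or any real grid.
# Each node is a subnetwork carrying a nominal load with a fixed capacity.
EDGES = [
    ("H", "N1"), ("H", "N2"), ("H", "N3"), ("H", "N4"),    # heavily loaded hub, neighbours with headroom
    ("L", "C1"), ("C1", "C2"), ("C2", "C3"), ("C3", "N1"),  # lightly loaded node feeding a tight corridor
]
LOADS = {"H": 100.0, "N1": 20.0, "N2": 20.0, "N3": 20.0, "N4": 20.0,
         "L": 10.0, "C1": 40.0, "C2": 40.0, "C3": 40.0}
CAPACITIES = {"H": 130.0, "N1": 50.0, "N2": 50.0, "N3": 50.0, "N4": 50.0,
              "L": 12.0, "C1": 45.0, "C2": 45.0, "C3": 45.0}


def build_adjacency(edges):
    """Undirected adjacency sets from an edge list."""
    adjacency = {}
    for a, b in edges:
        adjacency.setdefault(a, set()).add(b)
        adjacency.setdefault(b, set()).add(a)
    return adjacency


def cascade(adjacency, loads, capacities, tripped):
    """Return the set of subnetworks that end up failed after `tripped` goes down.

    Assumed rule: when a node fails, the load it was carrying is split evenly
    over its still-live neighbours; any neighbour pushed above its capacity
    fails in turn. Load on a node with no live neighbours is shed (lost).
    """
    load = dict(loads)
    failed = set()
    pending = deque([tripped])
    queued = {tripped}
    while pending:
        node = pending.popleft()
        failed.add(node)
        live = [m for m in adjacency[node] if m not in failed]
        if live:
            share = load[node] / len(live)
            for m in live:
                load[m] += share
                if load[m] > capacities[m] and m not in queued:
                    queued.add(m)
                    pending.append(m)
        load[node] = 0.0
    return failed


def outage_impact(adjacency, loads, capacities):
    """Number of subnetworks lost for every possible single-node outage."""
    return {n: len(cascade(adjacency, loads, capacities, n)) for n in loads}


if __name__ == "__main__":
    adj = build_adjacency(EDGES)
    ranking = sorted(outage_impact(adj, LOADS, CAPACITIES).items(), key=lambda kv: -kv[1])
    for node, lost in ranking:
        print(f"outage at {node:2} (load {LOADS[node]:5.1f}) -> {lost} of {len(LOADS)} subnetworks down")
```

Running the script ranks single-node outages by how much of the network they take down: L (load 10) collapses all nine subnetworks because the corridor C1 to C3 has almost no headroom and ultimately dumps its load onto the hub, while H (load 100) loses only itself because its four neighbours can each absorb a quarter of its load. The mitigation the model points at is the one DHS describes in the item: limit how much load can surge from one subnetwork into the next.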


• An investigation by the New York Times has found that an estimated one in 10 Americans have been exposed to drinking water that contains dangerous chemicals or fails to meet a federal health benchmark in other ways. (See item 18)


18. September 14, Water Technology Online – (National) Contaminated water drunk by 1 in 10 Americans: NY Times. An estimated one in 10 Americans have been exposed to drinking water that contains dangerous chemicals or fails to meet a federal health benchmark in other ways, an investigation by The New York Times has found. “Those exposures include carcinogens in the tap water of major American cities and unsafe chemicals in drinking-water wells. Wells, which are not typically regulated by the Safe Drinking Water Act, are more likely to contain contaminants than municipal water systems,” the report said. It notes that many who consume dangerous chemicals through their drinking water do not realize it because “most of today’s water pollution has no scent or taste.” The Times said its research included the review of “hundreds of thousands of water pollution records” from all 50 states and the US Environmental Protection Agency (EPA) obtained through Freedom of Information Act requests, as well as from more than 250 interviews with state and federal regulators, water-systems managers, environmental advocates and scientists. The Times compiled a national database of water pollution violations “that is more comprehensive than those maintained by states or the EPA,” the report said. The Times says its research shows that 40 percent of the nation’s community water systems violated the Safe Drinking Water Act at least once last year. “Those violations ranged from failing to maintain proper paperwork to allowing carcinogens into tap water. More than 23 million people received drinking water from municipal systems that violated a health-based standard,” the report said. The Times reported that the federal Clean Water Act, a water pollution-control law passed in 1972, has been violated more than 506,000 times since 2004, by more than 23,000 companies and other facilities, according to reports submitted by polluters themselves. “Companies sometimes test what they are dumping only once a quarter, so the actual number of days when they broke the law is often far higher. And some companies illegally avoid reporting their emissions, say officials, so infractions go unrecorded,” according to the report. Source: http://watertechonline.com/news.asp?N_ID=72578


Details

Banking and Finance Sector

10. September 15, Bloomberg – (International) Alberta men collected C$400 million in Ponzi scheme, Globe says. The two Alberta men charged with allegedly defrauding as many as 3,000 investors in a Ponzi scheme may have raised as much as C$400 million ($368.3 million), the Globe and Mail reported. The Royal Canadian Mounted Police charged the pair on September 14 with fraud over C$5,000 and theft over C$5,000, the newspaper said. None of the allegations have been proven in court. A firm that the police say was controlled by one of the suspects is also linked to an alleged tax fraud that affected seven National Football League players, the Globe said. Source: http://www.bloomberg.com/apps/news?pid=20601082&sid=aQNCAHSb9SCw


11. September 15, Courthouse News Service – (National) Investors say bank abetted Ponzi scam. Former clients and creditors of bankrupt Summit Accommodators say Umpqua Bank loaned Summit millions of dollars to help it continue a $30 million Ponzi scheme, and that Umpqua knew about the scam. The bankruptcy trustee overseeing the defunct firm filed a similar lawsuit in June. The lead plaintiff says Summit Accommodators owners spent 13 years funneling millions from Summit’s bank accounts to affiliate Inland Capital before the company went bankrupt in 2008. Two more conspirators joined Summit as quarter-owners in 2006, according to the complaint. The owners allegedly embezzled from Inland and spent the money on themselves, causing liquidity problems that left Summit unable to pay its bills. That is when the owners started their Ponzi scheme, bringing in new investors to pay off the old ones, according to the complaint. In 2007, the owners “described in great detail all relevant aspects of their Ponzi scheme and embezzlement” to Umpqua’s CEO and then-President during a pitch to get a loan or equity investment from the bank, the lawsuit states. Umpqua granted Summit substantial loans despite its knowledge of Summit’s Ponzi scheme, according to the complaint. It allegedly encouraged Summit to shift all of its business to Umpqua, facilitating the exchange of millions because of the large fees it earned on Summit’s deposit base. Source: http://www.courthousenews.com/2009/09/15/Investors_Say_Bank_Abetted_Ponzi_Scam.htm


12. September 14, KMTR 16 Springfield – (Oregon) Bank robbery suspect dies of wounds. Officers responded to a holdup alarm at Key Bank in Eugene, Lane County around 5:15 p.m. on September 11. When they arrived in the area, the suspect fired a weapon at an officer who returned fire, according to a Eugene police spokesperson. There were reports that the suspect carried a bomb into the bank. Police say a suspicious device was found inside the bank, but it was later determined to be a “hoax” device. Source: http://www.kmtr.com/news/local/story/UPDATE-Bank-robbery-suspect-dies-of-wounds/qyKb2Gfj_0Wc9kjHr0OwKw.cspx


Information Technology


29. September 15, The Register – (International) Malware lingers months on infected PCs. Malware stays around on infected PCs far longer than previously thought, according to the latest research from Trend Micro. Previous estimates suggested that a compromised machine remains infected for approximately six weeks. Based on an analysis of around 100 million compromised IPs, Trend Micro concludes that many infected IPs are infected (or repeatedly infected) for more than two years, with a median infection length of 300 days. Four in five compromised machines are infected for more than a month. A graph from Trend Micro suggests that if systems are not disinfected quickly then infection tends to linger around indefinitely, possibly until the point users exchange compromised boxes for new machines. Trend’s study also looked at the botnet landscape. Three strains of botnet agent — Koobface, Zeus/Zbot and Ilomo/Clampi — are causing the most damage in terms of identity theft. The Koobface botnet, for example, has co-opted around 51,000 machines into its ranks. Koobface uses between five and six command and control centers (C&C) to control these zombie clients at any one time. If a particular control domain is taken down by a particular provider, then botnet herders behind the malware establish a new command outpost elsewhere. Between the middle of March and mid-August 2009, Trend Micro recorded around 46 Koobface control domains. Source: http://www.theregister.co.uk/2009/09/15/malware_persistence/
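The persistence figures in item 29 (median infection length, share of hosts infected for more than a month) come from tracking how long each compromised IP keeps showing up in telemetry. The following added example, which is not Trend Micro's code or data, reproduces that measurement over a few constructed sighting lines: for each IP it takes the span between first and last sighting as the infection length, then reports the median and the fraction above a threshold. The log format and the IPs (documentation ranges) are assumptions made here for the sample.

```python
from datetime import date
from statistics import median

# Constructed sample of sinkhole/telemetry sightings (not Trend Micro data).
# Each line: ISO timestamp, source IP from a documentation range, detection name.
# Lines are deliberately out of order, as real telemetry usually is.
SIGHTINGS = """\
2009-03-15T10:21:00Z 192.0.2.10 koobface-c2-beacon
2009-04-01T08:00:00Z 192.0.2.11 zbot-config-fetch
2009-08-20T23:59:00Z 192.0.2.10 koobface-c2-beacon
2009-03-02T00:10:00Z 192.0.2.12 clampi-checkin
2009-04-03T12:00:00Z 192.0.2.11 zbot-config-fetch
2009-06-01T06:30:00Z 198.51.100.7 koobface-c2-beacon
2009-04-20T18:45:00Z 192.0.2.12 clampi-checkin
2009-03-01T00:00:00Z 198.51.100.8 zbot-config-fetch
2009-08-31T22:15:00Z 198.51.100.8 zbot-config-fetch
"""


def infection_spans(lines):
    """Map each IP to the days between its first and last sighting.

    A host seen only once gets a span of 0; a host that was cleaned and
    re-infected is counted as one long infection, which is why the report
    words it as "infected (or repeatedly infected)".
    """
    first, last = {}, {}
    for line in lines.splitlines():
        if not line.strip():
            continue
        stamp, ip, _detection = line.split()
        day = date.fromisoformat(stamp[:10])
        first[ip] = min(first.get(ip, day), day)
        last[ip] = max(last.get(ip, day), day)
    return {ip: (last[ip] - first[ip]).days for ip in first}


def summarize(spans, threshold_days=30):
    """Median infection length and the share of hosts infected longer than the threshold."""
    values = sorted(spans.values())
    if not values:
        return {"hosts": 0, "median_days": 0, "max_days": 0, "share_over_threshold": 0.0}
    return {
        "hosts": len(values),
        "median_days": median(values),
        "max_days": values[-1],
        "share_over_threshold": sum(v > threshold_days for v in values) / len(values),
    }


if __name__ == "__main__":
    spans = infection_spans(SIGHTINGS)
    for ip, days in sorted(spans.items(), key=lambda kv: -kv[1]):
        print(f"{ip:14} infected for {days:3d} days")
    print(summarize(spans))
```

On the constructed sample the median is 49 days and three of the five hosts exceed 30 days. The same first-seen/last-seen approach is what makes the Trend Micro graph tail off into "indefinitely": a host that is never cleaned keeps extending its span until it is retired.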


30. September 14, eWeek – (International) Microsoft backports Windows 7 security change to XP, Vista. Microsoft has backported changes to its AutoRun and AutoPlay features to Windows Vista and Windows XP to help users fight malware that spreads via USB devices. Microsoft made the change in Windows 7 earlier in 2009 to stop the spread of the infamous Conficker worm, which was taking advantage of the functionality to silently jump from PC to PC. With the change, Windows will no longer display the AutoRun task in the AutoPlay dialog except for removable optical media such as CDs and DVDs. The functionality was made available for XP, Vista, and Windows Server 2003 and 2008 on August 25. The decision to make the change followed the well-publicized growth of malware spreading via USB devices during the past couple of years. In fact, a report by Symantec found that self-copying to removable media was among the most common means of malware propagation in the second half of 2007. “McAfee expects increased attacks involving USB sticks and flash-memory devices used in cameras, picture frames and other consumer electronics,” the director of security research at McAfee Avert Labs blogged in January. “This trend will continue due to the almost unregulated use of flash storage [devices] across enterprise environments as well as their popularity among consumers.” Source: http://securitywatch.eweek.com/microsoft_windows/microsoft_backports_windows_7_security_change_to_xp_vista.html


31. September 14, CSO – (International) New Facebook scam targets ‘Fan Check’ application. While incidents of identity theft, phishing attacks and other schemes that take place on Facebook have been well documented, it turns out the latest scam simply uses the popular social networking site as a scapegoat while leading users to outside malicious sites. Last week, rumors swirled around Facebook that a new application known as “Fan Check” was infecting users with a virus. The story spread as many users updated their status to read: “The FAN CHECK Application is a VIRUS that takes 48 hours to kick in. Even if you are tagged in a photo the virus still attacks you. Please inform all you friends and remove/delete the applications ASAP. Copy and paste this as your status so word gets around quickly.” However, according to several security firms, including United Kingdom-based Sophos, it is not the Fan Check application that is the problem; it is the so-called “removal kits” that are being hawked by hackers that are the real danger. As rumor of the alleged Fan Check virus made the rounds, the term skyrocketed in popularity on Google and other search engines. As a Sophos blogger notes, hackers have set up several malicious sites that prompt users to purchase fake anti-virus software. The sites, which users reach through their search engine results, “display bogus warnings about the security of your computer in an attempt to get you to install fraudulent software and cough-up your credit card details,” according to the blogger. Source: http://www.csoonline.com/article/502029/New_Facebook_Scam_Targets_Fan_Check_Application

32. September 14, The Register – (International) FreeBSD bug grants local root access. A security researcher has uncovered a security bug in the FreeBSD operating system that allows users with limited privileges to take full control of underlying systems. The bug in FreeBSD’s kqueue notification interface makes it trivial for those with local access to a vulnerable system to gain full root privileges, an independent security consultant in Poland told The Register. It affects versions 6.0 through 6.4 of the operating system, the last two versions of which enjoy wide use and continue to be supported by the FreeBSD Foundation. Versions 7.1 and beyond are not vulnerable. Those exploiting the bug must first have local access to a vulnerable system, either as a legitimate user or by exploiting some other flaw (say, a vulnerable PHP script) that gives an attacker a toehold into the targeted system. The consultant said the vulnerability is trivial to exploit. The bug is the result of a race condition in the FreeBSD kqueue that leads to a NULL pointer dereference in kernel mode. Attackers can cause vulnerable systems to run malware by putting the code in a memory page mapped to address 0x0. The consultant said he notified FreeBSD officials on August 29 and has yet to get a response. A FreeBSD Core Team member told the Register that it appeared the email had gotten “lost in the slew” and he expected an advisory to be issued soon. Source: http://www.theregister.co.uk/2009/09/14/freebsd_security_bug/
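With no advisory out yet at the time of item 32, the immediate defensive step is triage: which hosts run a release in the range the report names as affected (6.0 through 6.4), and which are on 7.1 or later. The following added helper, written for this digest and not part of the FreeBSD project or The Register's reporting, classifies `uname -r` strings against exactly those stated ranges. Releases the item does not mention (for instance 7.0 or anything older than 6.0) are reported as not covered rather than guessed at; the regular expression for release strings is an assumption based on the usual `MAJOR.MINOR-BRANCH[-pN]` form.

```python
import re

# Version facts exactly as stated in the report: 6.0 through 6.4 affected,
# 7.1 and later not affected. Anything else is outside what the report covers.
AFFECTED = {(6, 0), (6, 1), (6, 2), (6, 3), (6, 4)}
FIRST_UNAFFECTED = (7, 1)

# Assumed shape of `uname -r` output, e.g. "6.3-RELEASE-p5", "6.4-STABLE", "8.0-BETA4".
_RELEASE_RE = re.compile(r"^(\d+)\.(\d+)(?:-[A-Za-z0-9]+)*$")


def parse_release(uname_r):
    """Return (major, minor) from a FreeBSD release string, or raise ValueError."""
    m = _RELEASE_RE.match(uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised FreeBSD release string: {uname_r!r}")
    return int(m.group(1)), int(m.group(2))


def kqueue_status(uname_r):
    """Classify a release string against the affected range given in the report."""
    version = parse_release(uname_r)
    if version in AFFECTED:
        return "affected"
    if version >= FIRST_UNAFFECTED:
        return "not affected"
    return "not covered by the report"


def triage(inventory):
    """Group an {hostname: uname_r} inventory by status; unparsable entries land under 'unknown'."""
    groups = {"affected": [], "not affected": [], "not covered by the report": [], "unknown": []}
    for host, release in inventory.items():
        try:
            groups[kqueue_status(release)].append(host)
        except ValueError:
            groups["unknown"].append(host)
    return groups


if __name__ == "__main__":
    # Constructed inventory for demonstration; hostnames and releases are made up.
    sample = {"web1": "6.3-RELEASE-p5", "db1": "6.4-STABLE", "mail": "7.1-RELEASE",
              "lab": "8.0-BETA4", "old": "7.0-RELEASE", "odd": "n/a"}
    for status, hosts in triage(sample).items():
        print(f"{status:26} {', '.join(hosts) or '-'}")
```

Hosts in the affected group are the ones to watch for the advisory the Core Team member promised; until it lands, the item's own description of the precondition (an attacker must already hold a local foothold) is the reason to also review who has shell or web-script access on those machines.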

Communications Sector

33. September 14, KSTU 13 Salt Lake City – (Utah) Lightning causes all Utah networks to go off-air, except Fox 13. Almost all the major broadcast television networks in Utah went dark on September 13, except FOX 13. DTV Utah, a group of stations that formed to share the cost of a broadcast tower on Farnsworth Peak, was hit by lightning on September 13 at about 8:15 p.m. A piece of equipment took the brunt of the hit, knocking all of the stations that use that tower off the air. DTV Utah houses eight broadcast stations. The FOX 13 facility is about 300 feet to the south and independent, meaning that FOX 13 was able to stay on the air when the other stations went out. The outage lasted about an hour. Some stations powered back up before others. All the other stations are back up to full power after going into a lower power mode on September 14 while crews fixed the problem. Source: http://www.fox13now.com/news/kstu-utah-tv-networks-go-off-air-lightning-not-fox,0,2130985.story