Friday, May 30, 2008

Daily Report

• WUSA 9 reports that FBI estimates cargo theft and trailer hijackings to net $30 billion a year for thieves and to be relatively low risk. This has raised concerns that it may be an easy option for terrorists trying to raise money. (See item 13)

• The Associated Press reports that federal investigators arrived Thursday at the tracks outside Boston where two commuter trains collided and derailed during rush hour Wednesday, killing one person and injuring more than a dozen others. (See item 15)

Banking and Finance Sector

10. May 29, Boston Globe – (Massachusetts) Identity-theft services face legal test. IdentityTruth Inc. says it will reimburse customers up to $2 million if they are victims of identity theft. But a Phoenix lawyer says the identity-protection company’s promise is not worth nearly that much. IdentityTruth charges $10 a month or $100 a year to insure people against unauthorized use of their personal information. The privately held company posts fraud alerts with credit reporting agencies on behalf of its customers. These alerts warn banks and other businesses not to open new accounts unless they confirm the identity of the customer. In addition, IdentityTruth scours the Internet and a host of private and government-run databases, looking for evidence that somebody out there is pretending to be the customer. The company does not actually prevent identity theft. The IdentityTruth website states, “if you are a member of our service and are a victim of identity theft resulting in the loss of your money, we will reimburse you up to $2 million.” But a Phoenix law firm official said the fine print of the IdentityTruth guarantee belies this assertion. He recently filed a lawsuit in the US District Court of Arizona against a rival service, LifeLock Inc. of Tempe. The suit, which seeks class-action status, claims LifeLock’s $1 million guarantee is fraudulent because it contains loopholes that make it far less generous. He said the same loopholes are present in the IdentityTruth guarantee. For instance, the guarantee covers damages caused by a failure of the IdentityTruth service. But banks often ignore fraud alerts. If that happens and an IdentityTruth customer gets stung, the company is not liable, because the bank failed, not IdentityTruth. The president of Javelin Strategy said consumers should not be too quick to sign on with any identity theft preventers. Source: http://www.boston.com/business/articles/2008/05/29/identity_theft_services_face_legal_test/

11. May 28, Originator Times – (California) Home foreclosure ring scam broken up. San Diego and state officials announced that a huge real estate fraud scheme has been broken up after victimizing potentially 400 homeowners in San Diego County alone, with additional victims in other counties. There are many more victims throughout the state who have not yet come forward or do not yet realize they have been scammed. “The defendants preyed on mostly non-English speaking, Hispanic homeowners who were in foreclosure, claiming to offer assistance in preventing the victims from losing their home,” a District Attorney said. The defendants are facing more than 100 felony charges and that number is expected to increase. The defendants were allegedly engaged in a widespread foreclosure rescue scam by which they acquired grant deeds to homes in foreclosure based on untrue or misleading statements that their “land grant program” would prevent homeowners from losing their homes through foreclosure. Two methods were used for inducing owners of residences in foreclosure to participate in a so-called land grant program. One method required homeowners to pay a one-time fee of up to $10,000 to put their property in a land grant. The second method was a lease back scheme in which homeowners paid the suspects $500 or more and then transferred their property via grant deeds to the defendants for no consideration and then made monthly payments to the defendants, purportedly to rent their homes back from the defendants. In both scenarios, the homeowner was typically evicted from their property at the completion of foreclosure proceedings and retained no legally recognized title to their property. While the total loss is still being tallied, the defendants probably got away with hundreds of thousands of dollars. Source: http://originatortimes.com/content/templates/standard.aspx?articleid=3190&zoneid=5

12. May 27, Daily Local – (Pennsylvania) Data breach concerns residents. News of a teenager being arrested for hacking into the school district’s computer system and obtaining Social Security numbers has left some district residents wondering if their identity is in danger. Borough, Pennsylvania, police arrested the 15-year-old male connected with the computer breach on May 21. The student accessed a school district computer server, copied and duplicated computer data and transferred that data to his home computer. According to police, the files contained more than 41,000 taxpayers’ names and personal information including Social Security numbers and more than 15,000 students’ names and personal information. The district sent out letters to 16,595 residents whose names were included in the file. Personal information of 71 employees at one of the district’s schools was included in these files. Police have isolated another student that may have received part of the copied files from the arrested student. Source: http://www.dailylocal.com/WebApp/appmanager/JRC/Daily?_nfpb=true&_pageLabel=pg_article&r21.pgpath=%2FDLN%2FHome&r21.content=%2FDLN%2FHome%2FTopStoryList_Story_2110534

Information Technology

30. May 29, Register – (International) Comcast hack leaves users without email. The portal of U.S. communications giant Comcast was hacked on Wednesday night in an assault that left subscribers unable to access their emails for several hours. The comcast.net front page was replaced by a greeting from hackers on Wednesday night (28 May). The defacement was removed around two hours later. Before the site was restored early Thursday morning, users encountered a “page under construction” message. The site remained intermittently unavailable even after this time. Hackers calling themselves KRYOGENICS EBK and DEFIANT claimed the defacement. As a result of the attack, Comcast subscribers were unable to access their email or other services through the portal for more than two hours. The exact mechanism of the attack is unclear. However, an injected iFrame that served up content from sites under the control of hackers is suspected. Some form of DNS redirection attack may also have been involved. Normally defacement attacks simply involve the spraying of digital graffiti on a website. However, in the case of the Comcast attack it seems some attempt may have been made to snoop on its users’ login credentials. “There is still a lot of speculation about the details of this and why this happened,” said a Comcast user. “But it is clear now that a group of people (according to the hacker’s message) somehow rerouted the IP and DNS values of Comcast to an off site. (http://www.freewebs.com/kryogeniks911/).” “It appears there was no malicious code or script being run but a lot of people are saying that ports were being ‘listened’ to which could have led to the compromising of username/passwords,” the user added. Source: http://www.theregister.co.uk/2008/05/29/comcast_hack/

31. May 28, Computerworld – (National) Apple updates Leopard, issues 68 fixes. More than three months after it last updated Mac OS X, Apple Inc. today released 10.5.3, an upgrade for its Leopard operating system that boasts nearly 70 stability, compatibility, and security improvements and fixes. Apple did not include patches for two of three iCal vulnerabilities that were made public a week ago, however. Mac OS X 10.5.3, the third upgrade to Leopard since Apple launched the current version in October 2007, addresses issues in several components and bundled applications, ranging from the Address Book and Automator to Time Machine and VoiceOver. Apple also listed a baker’s dozen under a “General” category that included a fix for hard drives that would not show in the Finder; an improvement in Spotlight, the OS’s built-in search tool, for searches done on AFP volumes; and a patch for stuttering audio and video playback from certain USB-based hardware. AirPort, Apple’s label for its wireless technology, got a pair of fixes: one to improve wireless reliability in general, the other to boost reliability when used with the company’s relatively new Time Capsule router-cum-backup-device that debuted earlier this year. Apple also tucked eight fixes for iCal, its personal scheduling program, into the 10.5.3 update, but failed to patch two of the three security vulnerabilities disclosed last week by Core Security Technologies. It appears Apple did patch the most serious of the three – dubbed CVE-2008-1035 – which Core said was the only one of the three it had proven could be used to insert malicious code into a Mac. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=9090338&taxonomyId=17&intsrc=kc_top

32. May 28, IDG News Service – (National) Symantec backtracks on Adobe Flash warning. After warning on Tuesday that hackers were exploiting an unpatched bug in Adobe Systems’ Flash Player software, Symantec has backtracked from this claim, saying the flaw is “very similar” to another vulnerability that was patched last month. Symantec’s initial warning described a disturbing threat – a previously unknown and unpatched flaw that was being exploited on tens of thousands of Web pages. The flaw allowed attackers to install unauthorized software on a victim’s machine and was being used to install botnet programs and password-logging software, Symantec said. Now Symantec believes that the bug was previously known and patched by Adobe on April 8, said a senior research manager with Symantec Security Response. However, the Linux version of Adobe’s stand-alone Flash Player, version 9.0.124, is vulnerable to the attack. On Tuesday Symantec researchers saw that the attack worked on Linux and that it caused Flash Player to crash on Windows XP, so they reasoned that they had a new bug that was just not working properly on the Windows platform, possibly due to a programming error by the hackers. “We thought it was a problem with the exploit,” he said. Now Symantec believes that the vulnerability was simply not properly patched in this one version of Adobe’s software, he said. Source: http://www.networkworld.com/news/2008/052808-symantec-backtracks-on-adobe-flash.html

Communications Sector

33. May 29, Register – (International) Hackers start poking holes in NFC. A researcher from the Fraunhofer Institute for Secure Information Technology used the recent EUSecWest event to demonstrate progress in attacking Near Field Communications (NFC) applications. Near Field Communications is the radio frequency identification (RFID)-based standard being built into mobile phones to allow them greater interaction with the physical world. NFC-enabled handsets can be used to pay for bus or train journeys, replacing existing contactless cards, and can read tags embedded in (Smart) posters that trigger a URL to be loaded or a phone number to be called. Currently, only Nokia sells an NFC-enabled handset, the 6131NFC, though they have another model planned for later this year. But NFC is compatible with previous contactless standards such as MiFare and Felica. Therefore, the Fraunhofer Institute for Secure Information Technology created a toolkit that turns a 6131NFC into a generic toolkit for testing deployments of those technologies, as well as looking at functionality unique to NFC deployments. Two hacks involved replacing the NFC tag on a vending machine, and spoofing a uniform resource identifier (URI) in a Smart Poster to connect the user to somewhere other than they wished. The vending machines in question are in Vienna where a phone is waved near the machine and an NFC connection asks the phone to send an SMS message. This premium-rate SMS message is used to pay for the snack. The hacker simply switches NFC tags between two machines and collects what is paid for using the other machine. It is also possible to display one URI to the phone’s user, while triggering the handset to connect to a different one. The Fraunhofer Institute for Secure Information Technology told Nokia about the problems last month; Nokia is already working on a fix. Source: http://www.theregister.co.uk/2008/05/29/first_nfc_hack/
