Tuesday, March 31, 2009

Complete DHS Daily Report for March 31, 2009

Daily Report

Headlines

KTVT 11 Fort Worth reports that residents in the Ellis County, Texas town of Avalon evacuated their homes late Sunday after a fire inside a storage warehouse at the nearby PSC chemical plant. (See item 4)


4. March 29, KTVT 11 Fort Worth – (Texas) Fire at Ellis County chemical plant. Residents living in the Ellis County town of Avalon evacuated their homes late on March 29 after a fire at a nearby chemical plant. Hazardous material crews spent March 29 cleaning up after the fire. Authorities asked people living in a 1 mile radius around the plant to stay away from their homes until cleanup was complete. The fire was located inside a storage warehouse at the PSC chemical plant in Avalon. Fire officials in Avalon say even though the fire was out, there was concern over fumes from the smoldering fire. The fire is believed to have been caused by an electrical malfunction. It is unknown what chemical burned in the fire. Source: http://cbs11tv.com/local/ellis.county.avalon.2.971034.html


According to IDG News Service, a security researcher at Symantec said that the March 26 disclosure of the GhostNet cyberespionage ring that targeted 1,295 computers in more than 100 countries underscores how highly targeted and sophisticated attacks are changing the security landscape. (See item 27)


27. March 30, IDG News Service – (International) GhostNet highlights evolving threat environment. The high-profile disclosure recently of the GhostNet cyberespionage ring that targeted 1295 computers in more than 100 countries underscores how highly targeted and sophisticated attacks, often run by criminals, are changing the security landscape, according to a security researcher at Symantec. “How much is the landscape changing? It is changing drastically,” said the vice president of research at Symantec Research Labs. GhostNet, documented in a report released on March 26 by the SecDev Group’s Information Warfare Monitor and the Munk Center for International Studies at the University of Toronto, used malware and social engineering to give attackers full access to compromised computers. It also let attackers control the video cameras and microphones of these computers, letting them remotely monitor activity in the room where the computer was located. “It is another example of the sophistication of the types of attacks that are being put together,” the vice president said. The highly targeted nature of GhostNet and similar attacks makes it difficult for antivirus vendors to respond quickly. “By the time we get a sample, it can be too late. They have already gone and morphed into another variant,” the vice president said. “There is no end in sight.” While there has been a lot of speculation that GhostNet was developed and controlled by the Chinese government, criminal groups are just as likely to be responsible for these types of attacks. Source: http://www.pcworld.com/businesscenter/article/162178/ghostnet_highlights_evolving_threat_environment.html


Details

Banking and Finance Sector

10. March 29, KCRG 9 Cedar Rapids – (Iowa) Dubuque police warn of phone scam. The Dubuque Police Department is warning of a telephone scam that took place on March 29. The Dubuque County Emergency 911 Dispatch Center has been inundated with calls/inquiries from citizens concerning telephone calls they have received about their credit card information being compromised. When the call is answered, a recording is played purporting to be DuTrac Community Credit Union. The recording states the person’s credit card information has been compromised and they are instructed to “press 1” for the “security department,” then they are instructed to enter their credit card information and personal identification number (PIN). Dubuque police contacted DuTrac concerning the inquiries and have learned the calls are not affiliated with DuTrac Community Credit Union in any way. The calls are a fraudulent attempt to acquire the call recipient’s credit card information. People are instructed to hang up as soon as they identify this type of phone call and are reminded to never provide personal financial information over the phone. Source: http://www.kcrg.com/news/local/42089042.html


11. March 28, Los Angeles Times – (California) FDIC orders changes at six California banks. Revealing the recession’s rising toll on financial firms, the Federal Deposit Insurance Corp. (FDIC) disclosed on March 27 that it had ordered six more California banks to clean up their acts in February after the agency examined their books and operations. The banks — two in Los Angeles County, two in Riverside County, and one each in Stockton and La Jolla — received “cease and desist” orders that spell out publicly what the banks must do, such as boost capital levels, beef up management, and rein in risky loans. The number of such regulatory actions has been increasing rapidly. The FDIC, a primary regulator of many state-chartered banks as well as the guardian of federally insured deposits, has announced 10 public enforcement actions against California banks and bankers in the first two months of this year, compared with 24 in all of 2008 and no more than seven in each of the preceding three years. By the end of 2009, two-thirds of the state’s banks will be operating under cease-and-desist orders or other regulatory actions, an Anaheim-based banking consultant predicts. Most banks targeted in such actions eventually tighten up operations and continue in business or merge with stronger institutions, but regulators are preparing for a major wave of failures. Source: http://www.latimes.com/business/la-fi-banks28-2009mar28,0,2513212.story


12. March 27, Tampa Bay Business Journal – (Florida) Omni National Bank taken over by FDIC. The FDIC has taken over as receiver for Atlanta-based Omni National Bank, which was battered by rising losses stemming from souring real estate loans. Omni has one location in Tampa. As of June 30, the bank had $32.4 million in deposits locally, according to the most recent information from the FDIC. The Office of the Comptroller of the Currency on March 27 made the announcement, saying the $980 million-asset bank had “experienced substantial dissipation of assets and earnings” because of “unsafe and unsound” practices. OCC also said the bank “incurred losses that have depleted most of its capital, and there is no reasonable prospect that the bank will become adequately capitalized without federal assistance.” The bank’s holding company Omni Financial Services Inc. was put under a regulatory oversight plan by the Federal Reserve Bank of Atlanta on March 17. Source: http://www.bizjournals.com/tampabay/stories/2009/03/23/daily62.html


Information Technology


28. March 30, The Register – (International) Busted! Conficker’s tell-tale heart uncovered. Security experts have made a breakthrough in their five-month battle against the Conficker worm, with the discovery that the malware leaves a fingerprint on infected machines which is easy to detect using a variety of off-the-shelf network scanners. The finding means that, for the first time, administrators around the world have easy-to-use tools to positively identify machines on their networks that are contaminated by the worm. As of March 30, signatures will be available for at least half a dozen network scanning programs, including the open-source Nmap, McAfee’s Foundstone Enterprise, and Nessus, made by Tenable Network Security. Up to now, there were only two ways to detect Conficker, and neither was easy. One was to monitor outbound connections for each computer on a network, an effort that had already proved difficult for organizations with machines that count into the hundreds of thousands or millions. With the advent of the Conficker C variant, traffic monitoring became a fruitless endeavor because the malware has been programmed to remain dormant until April 1. The only other method for identifying Conficker-infected computers was to individually scan each one, another measure that placed onerous requirements on admins. The discovery of Conficker’s tell-tale heart two days before activation may prove to be an ace up the sleeve of the white hat security world. Source: http://www.channelregister.co.uk/2009/03/30/conficker_signature_discovery/


29. March 30, PC World – (International) Adobe Reader, IE 7 holes under attack. A zero-day flaw, a security hole with no fix available before attacks could be launched, exists in Adobe Reader and Acrobat, and can be exploited by a poisoned PDF file in an attempt to take over a vulnerable computer. As Symantec reported in February, crooks have hit the flaw with small-scale attacks that e-mail PDF attachments to specific targets. Adobe says a patch should be ready shortly for version 9 of both programs, with fixes for earlier versions to follow. Individuals went after a bug in Internet Explorer 7 a week after Microsoft distributed a fix. Those attacks employed a malicious Word document, but the Internet Storm Center has warned that crooks could also add hidden code to a hijacked Web site to create a drive-by download attack. A user can install the patch for this browser flaw via Automatic Updates, or the user can download it. The same patch batch from Microsoft addresses a security vulnerability in the company’s Visio diagramming software; an attack through this hole can be triggered if a user opens a hacked Visio file. Source: http://www.washingtonpost.com/wp-dyn/content/article/2009/03/27/AR2009032703426.html


30. March 28, PC World – (International) Search for ‘Conficker’ could lure virus. Symantec is warning Web users that searching for information on computer viruses such as Conficker could put them at risk of unintentionally downloading the virus onto their PC. Conficker targets a flaw in Windows Server and, despite Microsoft releasing an emergency patch and urging all Web users to download it, many machines remain unprotected. According to the security vendor, searching for ‘conficker’ in a number of the Web’s most popular search engines brings up a number of hoax Web sites that actually host the virus and infect any users who navigate to the site. Symantec warns Web users that the best course of action is to use software that will block Web pages such as these from being visited. Source: http://www.pcworld.com/article/162149/search_for_conficker_could_lure_virus.html


31. March 27, Computerworld – (International) Hack contest sponsor confirms IE8 bug in final code. The final version of Microsoft Corp.’s Internet Explorer 8 (IE8) does contain the vulnerability used to hack a preview of the browser at the recent Pwn2Own, the contest’s sponsor confirmed on March 28. But the exploit used by the computer science student to break the release candidate of IE8 will not work on the final version of IE8 as long as it is running in Windows Vista Service Pack 1 or Windows 7, said the manager of security response at 3Com Corp.’s TippingPoint unit. Questions had arisen about the exploitability of IE8 almost immediately after the Pwn2Own hack because the German student hacked IE8 Release Candidate 1 (RC1), while Microsoft released the final code less than 24 hours later. On March 27, the manager confirmed that IE8’s RTW, or “release to Web” portions, were immune from the hack. “His exploit did, in fact, employ the technique found by Sotirov and Dowd,” said the manager, referring to work by two researchers who announced last summer that they were able to bypass two of Vista’s biggest security defenses, ASLR (address space layout randomization) and DEP (data execution prevention). Microsoft made changes to IE8 between RC1 and the final code that blocked the circumvention technique, thereby making the exploit moot, but only in some situations, said the manager. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130683&intsrc=news_ts_head

Communications Sector

32. March 30, Science Daily – (National) New material could lead to faster chips: Graphene may solve communications speed limit. New research findings at the Massachusetts Institute of Technology (MIT) could lead to microchips that operate at much higher speeds than is possible with today’s standard silicon chips, leading to cell phones and other communications systems that can transmit data much faster. The key to the superfast chips is the use of a material called graphene, a form of pure carbon that was first identified in 2004. Researchers at other institutions have already used the one-atom-thick layer of carbon atoms to make prototype transistors and other simple devices, but the latest MIT results could open up a range of new applications. The MIT researchers built an experimental graphene chip known as a frequency multiplier, meaning it is capable of taking an incoming electrical signal of a certain frequency — for example, the clock speed that determines how fast a computer chip can carry out its computations — and producing an output signal that is a multiple of that frequency. In this case, the MIT graphene chip can double the frequency of an electromagnetic signal. Frequency multipliers are widely used in radio communications and other applications. But existing systems require multiple components, produce “noisy” signals that require filtering, and consume large power, whereas the new graphene system has just a single transistor and produces, in a highly efficient manner, a clean output that needs no filtering. Source: http://www.sciencedaily.com/releases/2009/03/090324081443.htm

Department of Homeland Security Daily Open Source Infrastructure Report

Monday, March 30, 2009

Complete DHS Daily Report for March 30, 2009

Daily Report

Headlines

The Associated Press reports that pirates armed with machine guns pursued and captured a Norwegian chemical tanker off the coast of Somalia on Thursday, less than 24 hours after a smaller Greek-owned chemical tanker was seized in the same area. (See item 5)


5. March 26, Associated Press – (International) Somali pirates hijack two tankers in 24 hours. Pirates armed with machine guns pursued and captured a Norwegian chemical tanker off the coast of Somalia on March 26, the owners said, less than 24 hours after a smaller Greek-owned vessel was seized in the same area. The U.S. 5th Fleet, which patrols the pirate-infested Gulf of Aden, confirmed both hijackings and said they happened in the same area but separate from the gulf, one of the world’s busiest — and now most treacherous — sea lanes. The 23,000-ton Norwegian-owned Bow Asir was seized 250 miles off the Somali coast on the morning of March 26, and the 9,000-ton Greek-owned Nipayia, with 19 crew members, was attacked about 450 miles off Somalia on March 25, the European Union’s military spokesman said. Both vessels are chemical tankers but their cargoes were not immediately made public. Source: http://www.google.com/hostednews/ap/article/ALeqM5gB7YMEDuCwwY9ncDOtPAkEI4-H2wD975S1G82


According to the Associated Press, officials in North Dakota ordered Thursday a mandatory evacuation of one Fargo neighborhood and a nursing home after authorities found cracks in an earthen levee built around the area. (See item 41)


41. March 26, Associated Press – (North Dakota) Cracks in levee force evacuations in Fargo, ND. Officials in North Dakota have ordered a mandatory evacuation of one Fargo neighborhood and a nursing home after authorities found cracks in an earthen levee built around the area. Authorities say the evacuation on March 26 is a precaution and that the 40 homes in the River Vili neighborhood are not in immediate danger. They say no water has breached the levee. They also say the Riverview Estates nursing home is being evacuated. The number of residents affected is not immediately clear. Fargo is on high alert after forecasters said the Red River could crest higher than predicted — at a record 43 feet. A CNN journalist and seven other people have been arrested for standing on top of sandbag levees in the Fargo area. A Fargo Police sergeant did not have many details of the journalist’s arrest, but said the man appeared to be taking pictures at the time. He says officers made the arrests Wednesday and Thursday after seeing people climb on the dikes. He says police will arrest anyone they see on top of a dike out of concern for people’s safety and the integrity of the levees. He says it is likely all those arrested have been released. A CNN spokesman says the cameraman had been shooting video and was unaware of any restrictions on climbing the dikes. Source: http://www.google.com/hostednews/ap/article/ALeqM5hw95ek5Sllmi4SoQ_N4HJvwHE0ZAD9763H780

See also: http://www.google.com/hostednews/ap/article/ALeqM5jbDbGLQYkIoRmNUJwUMUm-ACfL3gD976H0MO1


Details

Banking and Finance Sector

12. March 26, Bloomberg – (International) Millennium Bank in Caribbean is Ponzi scam, SEC says. U.S. regulators said they halted a $68 million Ponzi scheme at Caribbean-based Millennium Bank, the second case this year accusing a bank in the islands of fraudulently selling certificates of deposit. Millennium, describing itself as the subsidiary of a Swiss bank, made “blatant misrepresentations and glaring omissions” while marketing the instruments to wealthy U.S. clients since 2004, the Securities and Exchange Commission (SEC) said in a statement on March 26. A federal judge in Texas agreed to freeze assets after the SEC sued both companies and five people, including residents of North Carolina and California. “The defendants disguised their Ponzi scheme as a legitimate offshore investment and made promises about exuberant returns that were just too good to be true,” said the director of the SEC’s office in Fort Worth, Texas in a statement. Attorneys for the defendants could not be located. Source: http://www.bloomberg.com/apps/news?pid=20601103&sid=amNA4iRaoNPs&refer=us


13. March 26, Reuters – (National) U.S. bank group opposes plan to expand FDIC powers. A top U.S. bank industry group said on March 26 it opposes a Treasury Department proposal to give the Federal Deposit Insurance Corp the power to wind down troubled non-bank financial firms. The American Bankers Association also raised concerns about an expansion of Federal Reserve powers, saying nothing should be done to detract from the Fed’s monetary policy responsibilities. “With regard to the resolution mechanism, ABA has serious concerns with formally giving the FDIC this power. It is dangerous to risk confusing the mission of the FDIC and detracting from the power of its image in the minds of depositors,” the ABA president said in a statement. He said the FDIC’s experience with resolving failed banks should be tapped, but the actual resolution power should be located elsewhere. The FDIC currently has the power to seize depository banks, but does not have similar authority for non-banks, including bank holding companies such as Citigroup Inc. or insurers such as American International Group Inc. Legislation was proposed recently that would give the government the power to seize a troubled non-bank financial firm whose outright failure could do broad damage to the economy. The legislation gives the FDIC the power to make loans to a troubled firm while keeping it open, buy a stake in the firm, assume obligations, take a lien on the firm’s assets, sell off the firm’s assets, or seize the whole firm. Source: http://www.reuters.com/article/governmentFilingsNews/idUSN2649825020090326


14. March 26, Spamfighter – (Colorado) Phishing mails attacked members of Pikes Peak Credit Union. The Pikes Peak of Credit Unions in Colorado is cautioning users to be careful about phishing e-mails being sent by hackers. The Pikes Peak of Credit Unions says that the ID thieves and hackers did not breach credit union security systems to obtain phone numbers and e-mail addresses; instead, they are distributing unsolicited mails in the hope that someone will be deceived. According to the investigation so far, the mails carry authentic-looking logos and other details copied directly from credit union sites, making the e-mails appear legitimate enough to deceive anyone. Like other phishing mails, these ask for personal details such as passwords, account numbers, and social security numbers in order to gain access to consumers’ money. Credit unions and banks will not ask customers for private details through e-mail. In addition, because the phishing mails were sent to members in the wild, the Credit Union’s official Web site asks members to contact the fraud departments of all three major credit bureaus, TransUnion, Equifax, and Experian, at their helpdesk numbers. It also advises Credit Union members to close any accounts that have been exploited or accessed by hackers, where credit accounts include all accounts with banks, credit unions, credit card companies and other lenders, phone companies, utilities, Internet Service Providers, and other service providers. Source: http://www.spamfighter.com/News-12073-Phishing-Mails-Attacked-Members-of-Pikes-Peak-Credit-Union.htm


Information Technology


Nothing to report

Communications Sector

34. March 27, Spamfighter – (International) Hackers using routers to infect computers with malware. Security researchers at DroneBL have found that malware authors are employing routers to spread malware. They have also revealed that a sophisticated piece of malware has been found that converts users’ DSL modems and routers into a dangerous botnet called ‘Psybot.’ The security company further said that Psybot was specifically designed to attack home network routers that run embedded Linux on Microprocessor without Interlocked Pipeline Stages (MIPS) CPUs. The botnet also employs deep-packet inspection techniques to seize user names and passwords; this is the same technology that facilitates the installation of advanced security functions on such systems. DroneBL researchers also state that the new technique used by hackers is extremely sophisticated and advanced, as end-users would not be able to tell that their network has been hacked, as reported by The Register on March 24, 2009. They added that hackers would use it as an effective attack vector to steal personally identifiable information in future. Moreover, after taking control of the system, hackers use it to plant a malware-ridden file on the target system which is later executed, the security researchers explained. Once the malware is installed on the system, it prevents legitimate users from connecting to the device by blocking Web access, SSH, and telnet. It then connects the hacked device to the botnet. Because the “Netcomm NBS” modem router has several security vulnerabilities that could easily be exploited, it is another main target for hackers, security experts said. Source: http://www.spamfighter.com/News-12080-Hackers-Using-Router-to-Infect-Computers-with-Malware.htm


35. March 27, The Register – (International) Cisco patch bundle lances multiple DoS flaws. Cisco has released a bundle of security updates, designed to fix a variety of flaws in its core IOS networking software. The eight advisories cover security patches that address multiple vulnerabilities in the networking giant’s implementation of networking protocols. Left unchecked, the flaws create a possible mechanism for hackers to crash network hardware kit such as VoIP systems, remote access kit, and routers running IOS. The eight updates relate to a number of TCP, UDP, Mobile, and VPN-related vulnerabilities. Seven of the eight flaws create a possible means to crash or force a reload of affected systems. In most of these cases there is nothing, in theory at least, to stop malicious hackers from doing this repeatedly to run a denial of service attack. One flaw (an IOS secure copy privilege escalation bug) creates a means for an ordinary user to gain admin privileges, thus posing a hacking risk. None of the vulnerabilities create a means for hackers to inject hostile code into vulnerable systems, the most serious class of risk. Cisco’s summary, which contains links to individual advisories, can be found here. The networking giant said it was “not aware of any public announcements or malicious use” of the vulnerabilities it details. Put another way, this means that none of the flaws have been used in denial of service attacks to date, but patching insecure networking kit is still a good idea. Source: http://www.theregister.co.uk/2009/03/27/cisco_patch_bundle/

Friday, March 27, 2009

Complete DHS Daily Report for March 27, 2009

Daily Report

Headlines

The Associated Press reports that government investigators testing the nation’s food tracing system were able to follow only five out of 40 foods all the way through the supply chain, according to a report released Thursday by the Health and Human Services inspector general’s office. (See item 28)


28. March 26, Associated Press – (National) Investigators say food tracing system full of gaps. Government investigators testing the nation’s food tracing system were able to follow only five out of 40 foods all the way through the supply chain, according to a report released Thursday. For 31 of the 40, investigators said they were able to identify the facilities that most likely handled the products. And in the case of four items, 10 percent of the total, investigators were unable to identify the facilities that handled them. An investigation by the Health and Human Services inspector general’s office found that the records many companies keep are not detailed enough. And one-quarter of the company managers were totally unaware of record keeping requirements. The inspector general recommended that the FDA consider seeking stronger legal powers to improve the tracing of food. Source: http://www.washingtonpost.com/wp-dyn/content/article/2009/03/26/AR2009032604210.html


According to the Associated Press, fish caught near wastewater treatment plants serving five major U.S. cities had residues of pharmaceuticals in them, researchers reported on Wednesday. The findings have prompted the Environmental Protection Agency to significantly expand similar ongoing research to more than 150 different locations. (See item 31)


31. March 25, Associated Press – (National) Study: Range of pharmaceuticals in fish across U.S. Fish caught near wastewater treatment plants serving five major U.S. cities had residues of pharmaceuticals in them, including medicines used to treat high cholesterol, allergies, high blood pressure, bipolar disorder, and depression, researchers reported March 25. Findings from this first nationwide study of human drugs in fish tissue have prompted the Environmental Protection Agency (EPA) to significantly expand similar ongoing research to more than 150 different locations. “The average person hopefully will see this type of a study and see the importance of us thinking about water that we use every day, where does it come from, where does it go to? We need to understand this is a limited resource and we need to learn a lot more about our impacts on it,” said the study’s co-author, a Baylor University researcher and professor who has published more than a dozen studies related to pharmaceuticals in the environment. A person would have to eat hundreds of thousands of fish dinners to get even a single therapeutic dose, he said. But researchers have found that even extremely diluted concentrations of pharmaceutical residues can harm fish, frogs, and other aquatic species because of their constant exposure to contaminated water. The research was published online March 25 by the journal Environmental Toxicology and Chemistry and also was presented at a meeting of the American Chemical Society in Salt Lake City. Much of the contamination comes from the unmetabolized residues of pharmaceuticals that people have taken and excreted; unused medications dumped down the drain also contribute to the problem. In an ongoing investigation, the Associated Press has reported that trace concentrations of pharmaceuticals have been detected in drinking water provided to at least 46 million Americans. The EPA has called for additional studies about the impact on humans of long-term consumption of minute amounts of medicines in their drinking water, especially in unknown combinations. Limited laboratory studies have shown that human cells failed to grow or took unusual shapes when exposed to combinations of some pharmaceuticals found in drinking water. Source: http://www.google.com/hostednews/ap/article/ALeqM5jHJX6cEHhC2MY51YVyPv7smDu9RQD975A5LO0


Details

Banking and Finance Sector

19. March 26, Economic Times – (International) Software labs warn of ATM virus that steals money from banks. Russia’s leading computer security labs have warned of a new software virus which infects Automatic Teller Machines (ATM) to steal money from bank accounts of their users. Two leading anti-virus software producers ‘Doctor Web’ and ‘Kaspersky Lab’ claimed to have discovered a new virus, in the networks of several bank ATMs, which is able to collect information from bank cards. “This is a malicious program intended to infect and survive in ATMs. It is possible that new software will appear, aimed at illegitimately using banking information and removing funds,” an official of the Kaspersky Lab was quoted as saying by RIA Novosti news agency. He said the virus is a Trojan which is able to infect the popular American Diebold brand of ATMs, used in Russia and Ukraine. Judging by the programming code used, there is a high probability that the programmer comes from one of the former Soviet republics, he added. The computer security experts say the number of infected ATMs is minimal but individual bank cardholders will not be able to detect whether an ATM is infected or not. Source: http://economictimes.indiatimes.com/Infotech/ATM-virus-that-steals-money/articleshow/4319363.cms


20. March 26, Bloomberg – (National) SEC plans new money manager rules after Madoff fraud. The U.S. Securities and Exchange Commission chairman said she will impose new rules on money managers to safeguard client holdings after a $65 billion fraud shattered investor confidence. The SEC will propose that all investment advisers who have custody of customer assets undergo annual audits that are “unannounced,” the chairman said on March 26 in testimony prepared for the Senate Banking Committee. Money managers may also be subject to compliance audits by professional examiners to make sure they are adhering to securities laws, she said. “For our markets to be fair and efficient and to operate in the best interests of investors, those who control access to our capital markets must be competent, financially capable and honest,” she said. The SEC is trying to strengthen oversight after lawmakers weighing the most sweeping overhaul of U.S. financial regulation since the 1930s questioned the agency’s effectiveness in the wake of the scandal. The chairman defended the SEC since taking the helm in January, arguing that the agency must remain independent of any regulator Congress assigns the role of monitoring risks posed to the economy by large banks, hedge funds, and private equity firms. “Congress created only one agency with the mandate to be the investors’ advocate,” she said. “If there were ever a time when investors need and deserve a strong voice and a forceful advocate in the federal government, that time is now.” Source: http://www.bloomberg.com/apps/news?pid=20601103&sid=a6._RWxwQh14&refer=news


21. March 26, Spamfighter – (Montana) Mountain West Bank consumers targeted by phishing scam. Phishing fraudsters appear to be persistently attacking banks in the Missoula region of Montana, among them Mountain West Bank, whose officials say the e-mail scam began in March and has gained momentum. The e-mails, which pose as messages from web-admin@mtnwestbank.com or webadmin@mtnwestbank.com, direct recipients to enter their account details so that access to their account is not restricted. The e-mails also provide a link that takes the user to a Web site resembling the bank’s actual homepage. Several variants of the phishing e-mail are in circulation, with different Web links pointing to www.mtnwestbank-web14.com or www.mtnwestbank.com. The president of Mountain West Bank’s Missoula branch said that a few of the bank’s clients divulged their account details and consequently lost money, as reported by Montana’s News Station. The president added that the bank was able to shut down more than 40 of the cloned sites, but they were arising from all over the world. Because the e-mail has been circulating in customers’ mailboxes for several days, the bank’s official Web site is displaying an urgent alert message in which the bank’s officials inform people that the institution is not behind any of the fraudulent phishing e-mails and that customers should be wary of these kinds of frauds to protect themselves. None of the bank’s customer databases has been attacked. Source: http://www.spamfighter.com/News-12077-Mountain-West-Bank-Consumers-Targeted-by-Phishing-Scam.htm


Information Technology


39. March 26, IDG News Service – (International) Firefox fix due next week after attack is published. Online attack code has been released targeting a critical, unpatched flaw in the Firefox browser. The attack code, written by a security researcher, was published on several security sites on March 25, sending Firefox developers scrambling to patch the issue. Until the flaw is patched, this code could be modified by attackers and used to sneak unauthorized software onto a Firefox user’s machine. Mozilla developers have already worked out a fix for the vulnerability. It is slated to ship in the upcoming 3.0.8 release of the browser, which developers are now characterizing as a “high-priority firedrill security update,” thanks to the attack code. That update is expected sometime early next week. “We... consider this a critical issue,” said the Mozilla director of security engineering in an e-mail. The bug affects Firefox on all operating systems, including Mac OS and Linux, according to Mozilla developer notes on the issue. By tricking a victim into viewing a maliciously coded XML file, an attacker could use this bug to install unauthorized software on a victim’s system. This kind of Web-based malware, called a drive-by download, has become increasingly popular in recent years. While the public release of browser attack code does not happen all that often, security researchers do not seem to have much trouble finding bugs in browser software. Last week, two hackers at the CanSecWest security conference dug up four separate bugs in the Firefox, IE, and Safari browsers. Source: http://www.networkworld.com/news/2009/032609-firefox-fix-due-next-week.html


40. March 25, Computerworld – (International) New ransomware holds Windows files hostage, demands $50. Cyber crooks have hit on a new twist to their aggressive marketing of fake security software and are duping users into downloading a file utility that holds users’ data for ransom, security researchers warned on March 25. While so-called scareware has plagued computer users for months, those campaigns have relied on phony antivirus products that pretend to trap malware but actually only exist to pester people into ponying up as much as $50 to stop the bogus warnings. The new scam takes a different tack: It uses a Trojan horse that is seeded by tricking users into running a file that poses as something legitimate like a software update. Once on the victim’s PC, the malware swings into action, encrypting a wide variety of document types, ranging from Microsoft Word .doc files to Adobe Reader PDFs, anytime one is opened. It also scrambles the files in Windows’ “My Documents” folder. When a user tries to open one of the encrypted files, an alert pops up saying that a utility called FileFix Pro 2009 will unscramble the data. The message poses as a semiofficial notice from the operating system. “Windows detected that some of your MS Office and media files are corrupted. Click here to download and install recommended file repair application,” the message reads. Clicking on the alert downloads and installs FileFix Pro, but the utility is anything but legit. It will decrypt only one of the corrupted files for free, then demands the user purchase the software. “This does look like a new tactic,” said the global director of education at antivirus vendor Trend Micro Inc. “But all online fraud is just minor variations of classic con games. This is just the ‘Bank Examiner’ played out on the Internet.” On the Web, data-hostage scams like this are called “ransomware” for obvious reasons. This is not the first time the tactic has been used, but it is remarkably polished, said the director. “We have not seen ransomware with this level of sophistication,” he said. Source: http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=cybercrime_and_hacking&articleId=9130539&taxonomyId=82&intsrc=kc_top


Communications Sector

41. March 26, Bit-Tech.net – (International) Worm targets Linux routers. Users of Linux-based routers are being warned of a new worm in the wild which attempts to take control and add their device to a growing botnet. As reported over on vnunet.com on March 25, the ‘psyb0t’ worm was first spotted by security research group DroneBL recently, but may have been spreading since the start of the year. Designed to brute-force the password of routers running Linux compiled for the RISC-based MIPS chip, including ones running custom OpenWRT and DD-WRT firmwares, the worm takes control of poorly secured devices and joins a botnet which the DroneBL group estimates may have grown to as large as 100,000 compromised devices so far. Because the worm relies on insecure passwords, or devices which have not been reconfigured from their default settings, the group claims that “ninety per cent of the routers and modems participating in this botnet are [doing so] due to user error.” While it is always good advice to choose a very secure password for Internet-facing devices, it is unlikely that anyone reading a security blog needs telling. The payload of the worm is interesting: as well as allowing full remote control of the router via an IRC channel, the malware uses packet inspection techniques in an attempt to sniff traffic for usernames and passwords to Web sites and e-mail accounts. The worm also attempts to resist disinfection by locking out telnet, SSH, and Web access to the device’s management functionality — preventing the device from being flashed with a known-clean firmware. The group notes that “this is the first known botnet based on exploiting consumer network devices, such as home routers and cable/dsl modems” and warns that “many devices appear to be vulnerable.” Source: http://www.bit-tech.net/news/bits/2009/03/26/worm-targets-linux-routers/1
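The worm in item 41 spreads by guessing weak telnet/SSH passwords on MIPS Linux routers, so the symptom a router operator can look for is a burst of failed logins from one source followed by a success. Added example, not from the report or from DroneBL: a small detector over constructed OpenWrt-style syslog lines (dropbear’s real message wording; the hostnames, addresses and timestamps are made up) that flags sources crossing a failure threshold inside a time window and notes whether the same source later logged in.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed OpenWrt-style syslog lines in dropbear's message format; sample data, not from the report.
SAMPLE_LOG = """\
Mar 25 02:14:01 router dropbear[1181]: Bad password attempt for 'root' from 203.0.113.7:41022
Mar 25 02:14:02 router dropbear[1182]: Bad password attempt for 'root' from 203.0.113.7:41023
Mar 25 02:14:03 router dropbear[1183]: Bad password attempt for 'admin' from 203.0.113.7:41024
Mar 25 02:14:04 router dropbear[1184]: Login attempt for nonexistent user from 203.0.113.7:41025
Mar 25 02:14:05 router dropbear[1185]: Bad password attempt for 'root' from 203.0.113.7:41026
Mar 25 02:14:06 router dropbear[1186]: Bad password attempt for 'admin' from 203.0.113.7:41027
Mar 25 02:14:07 router dropbear[1187]: Password auth succeeded for 'root' from 203.0.113.7:41028
Mar 25 03:01:00 router dropbear[1201]: Bad password attempt for 'root' from 198.51.100.9:6000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+dropbear\[\d+\]:\s+"
    r"(?P<msg>Bad password attempt for|Login attempt for nonexistent user|Password auth succeeded for)"
    r"(?:\s+'[^']*')?\s+from\s+(?P<ip>[\d.]+):\d+\s*$"
)

def parse(line, year=2009):
    """Turn one dropbear auth line into {ts, ip, ok}; None for any other log line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ip": m["ip"], "ok": m["msg"].startswith("Password auth succeeded")}

def detect_bruteforce(log_text, window=60, threshold=5):
    """Flag sources with >= threshold failures in any window-second span; mark a later success."""
    events = sorted(filter(None, map(parse, log_text.splitlines())), key=lambda e: e["ts"])
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    flagged = {}
    for e in events:
        ip = e["ip"]
        if e["ok"]:
            if ip in flagged:            # guessing apparently paid off: the worst case for a defender
                flagged[ip]["succeeded_after"] = True
            continue
        q = recent[ip]
        q.append(e["ts"])
        while (q[-1] - q[0]).total_seconds() > window:   # expire failures older than the window
            q.pop(0)
        if ip in flagged:
            flagged[ip]["failures"] += 1
        elif len(q) >= threshold:
            flagged[ip] = {"failures": len(q), "first_seen": q[0], "succeeded_after": False}
    return flagged
```

A source flagged with `succeeded_after` set is the case to treat as a compromised device rather than a noisy scanner.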


42. March 25, IDG News Service – (International) Cisco security updates squash router bugs. Cisco has released eight security updates for the Internetwork Operating System (IOS) software used to power its routers. The patches were released on March 25, the day Cisco had previously scheduled for its twice-yearly IOS updates. None of the bugs had been publicly disclosed ahead of the March 25 updates, but some of them were reported to Cisco by outside sources. Most of the bugs could be exploited by attackers to crash or somehow disrupt service to a router, typically if a specific, vulnerable service is enabled, Cisco said. For example, Cisco has fixed two bugs in its SSLVPN (Secure Sockets Layer Virtual Private Network) software that could be used to crash the device. Attackers could exploit one of these bugs by sending a specially crafted HTTPS packet to the router. The bug does not affect users of the company’s ASA 5500 appliance or of Cisco IOS XR or XE software, however. SSLVPN lets users outside of the corporate firewall access their company’s network using a Web browser, instead of installing special VPN software on their PC. Another serious bug affects those who have enabled the Secure Copy Protocol (SCP), used to allow file transfers over the network. Because of this bug, an authenticated user on the device could “transfer files to and from a Cisco IOS device that is configured to be an SCP server, regardless of what users are authorized to do,” Cisco said in its advisory. This could allow a user to mess with the router’s configuration files or sneak a peek at passwords, Cisco said. Source: http://www.pcworld.com/businesscenter/article/161959/cisco_security_updates_squash_router_bugs.html


43. March 25, WTHR 13 Indianapolis – (Indiana) AT&T to expand Indiana coverage. AT&T announced on March 25 that it plans to add over 35 new cell sites in Indiana this year. AT&T says it is expanding its 3G wireless broadband network. New cell sites include Anderson, Bloomington, Carmel, Evansville, Fishers, Fort Wayne, Indianapolis, Lafayette, Muncie, Noblesville, Sheridan, South Bend, Terre Haute, and more. AT&T will also introduce 3G services in Anderson, Bloomington, Columbus, and Muncie, and expand its 3G footprint in Allen, Hamilton, Johnson, and St. Joseph counties. New sites will also expand coverage in several other Indiana counties, including Clark, Floyd, Lake, LaPorte, Porter, Spencer, and Vanderburgh. Source: http://www.wthr.com/Global/story.asp?S=10068237&nav=9Tai