Department of Homeland Security Daily Open Source Infrastructure Report

Tuesday, August 31, 2010

Complete DHS Daily Report for August 31, 2010

Daily Report

Top Stories

•Typically associated with banking fraud, Zeus malware has recently been used to try to compromise government networks, and steal intelligence and defense data and information, according to the Information Warfare Monitor. (See item 49)

49. August 28, Information Warfare Monitor – (International) Crime or espionage? Zeus is a well known crimeware tool kit that is readily available online. Typically, Zeus has been associated with banking fraud. Recently, there have been a series of attacks using the Zeus malware that appear to be less motivated by bank fraud and more focused on acquiring data from compromised computers. The themes in the e-mails — often sent out to .mil and .gov e-mail addresses — focus on intelligence and government issues. After the user receives such an e-mail, and downloads the file referenced in the e-mail, his or her computer will likely (due to the low AV coverage) become compromised by the Zeus malware used by the attackers and will begin communicating with a command and control server. It will then download an additional piece of malware, an “infostealer,” which will begin uploading documents from the compromised computer to a drop zone under the control of the attackers. What appears to be a one-off attack using Zeus, the author believes, is actually another round of a series of Zeus attacks. These attacks appear to be aimed at those interested in intelligence issues and those in the government and military, although the targeting appears to be broad rather than selective. Details of such an attack were recently posted on contagiodump.blogspot.com. The e-mail used in the attack appeared to be from “ifc@ifc.nato.int” with the subject “Intelligence Fusion Centre” and contained links to a report EuropeanUnion_MilitaryOperations_EN.pdf that exploits CVE-2010-1240 in order to drop a Zeus binary. Source: http://www.infowar-monitor.net/2010/08/crime-or-espionage/

•CBS and The Associated Press report that federal officials are investigating an arson-fire that started overnight August 28 at the site of a new Islamic center in a Nashville, Tennessee suburb. (See item 69)

69. August 28, CBS & Associated Press – (Tennessee) Fire at Tenn. mosque building site ruled arson. Federal officials are investigating an arson-fire that started overnight August 28 at the site of a new Islamic center in a Nashville, Tennessee suburb. A special agent of the federal Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) told CBS News the fire destroyed one piece of construction equipment and damaged three others. Gas was poured over the equipment to start the fire. The ATF, FBI and Rutherford County Sheriff’s Office are conducting a joint investigation into the fire. WTVF reports firefighters were alerted by a passerby who saw flames at the site. One large earth hauler was set on fire before the suspect or suspects left the scene. Digging had begun at the site, which was planned as a place of worship for the approximately 250 Muslim families in the Murfreesboro area, but no structure had been built yet. The center had operated for years out of a small business suite. Planning members said the new building, which was being constructed next to a church, would help accommodate the area’s growing Muslim community. However, opponents of a new Islamic center said they believe the mosque will be more than a place of prayer; they are afraid the 15-acre site that was once farmland will be turned into a terrorist training ground for Muslim militants bent on overthrowing the U.S. government. Source: http://www.cbsnews.com/stories/2010/08/28/national/main6814690.shtml

Details

Banking and Finance Sector

18. August 28, Associated Press – (National) Bank of America online banking down for 4 hours. Bank of America Corp. said its online banking service was down for about 4 hours August 27 but service has been restored. A representative for the nation’s largest bank declined to specify a reason for the outage except to say that it was a “temporary system” issue. She could not say whether the site has experienced a similar across-the-board outage before. The bank, based in Charlotte, North Carolina, said service was restored at around 5:15 p.m. EDT. The outage began at around 1:25 p.m. EDT. Some customers may still have trouble signing on because of the volume of people trying to access the site. Customers can also get account information from ATMs or banking centers. The representative said none of Bank of America’s 18,000 ATMs were affected by the outage. Source: http://www.google.com/hostednews/ap/article/ALeqM5hmlAOFYZDoylSJe_v0DLxdUPe3-QD9HS3BU00


19. August 27, Bank Info Security – (National) Bank takes tough stand on fraud. An extreme decision made by one small bank in Utah to reduce fraud losses is not likely to become the norm. But the move by Provo, Utah-based Bonneville Bancorp ($34 million in assets) to block signature-based debit transactions in California, Georgia and Florida shows that banking institutions have avenues to pursue in their fight against card fraud. “I don’t think this decision to block entire states is indicative of a trend at all,” said a financial industry consultant and owner of PG Silva Consulting. “But I think it does show that banks have ways of combating fraud, even if it is heavy-handed, such as this move.” Bonneville Bank declined to comment on its decision; but according to the bank’s Web site, Bonneville announced July 6 that “high amounts of fraudulent card activity in California, Florida and Georgia,” pushed the bank’s leadership to cut off all signature-based debit transactions in those markets. Only PIN-debit will now be allowed. Signature-based debit transactions do not require the entry of a PIN. When the debit card is swiped, the transaction is run like a credit transaction, and therefore carries a higher interchange fee. But signature-based transactions also are more prone to fraud, because they do not have the second layer of authentication that the PIN provides. Source: http://www.bankinfosecurity.com/articles.php?art_id=2875


20. August 26, Bank Info Security – (National) ACH fraud: action plan in Oct. A working group created by the Financial Services Information Sharing and Analysis Center is working on developing best practices to fight corporate account takeover. These incidents, resulting from ACH and wire fraud against business accounts, have been the focus of industry experts for 1 year. The FBI said that at least one or two incidents per week of corporate account takeover are reported, resulting in financial losses for businesses and lawsuits against banks. An information security professional at a worldwide bank is leading FS-ISAC’s Corporate Account Takeover Working Group. Since the formation of the 45-member task force in May, 31 financial services companies, including banks, have joined the group. Five industry associations, including the American Banking Association, the Independent Community Bankers Association, the Financial Services Roundtable technology arm BITS, NACHA and SWACHA, and eight government and law enforcement agencies have also joined the group. The group’s short-term goals are a September 22 presentation at an FS-ISAC meeting on recommendations for advisories and best practices that will be presented during the National Cyber Security Alliance’s cyber awareness month in October. Source: http://www.bankinfosecurity.com/articles.php?art_id=2871


21. August 23, ZD Net – (International) ATM makers patch Black Hat cash-dispensing flaw. Two automated teller machine (ATM) manufacturers have shipped patches to block the cash-dispensing attack demonstrated by a researcher at the 2010 Black Hat conference. Hantle (formerly Tranax) and Triton released separate bulletins to address the issue, which lets a remote hacker overwrite the machine’s internal operating system, take complete control of the ATM and send commands for it to spew cash on demand. At the Black Hat conference, the researcher demonstrated two different attacks against Windows CE-based ATMs — a physical attack using a master key purchased on the Web and a USB stick to overwrite the machine’s firmware; and a remote attack that exploited a flaw in the way ATMs authenticate firmware upgrades. Source: http://www.zdnet.com/blog/security/atm-makers-patch-black-hat-cash-dispensing-flaw/7210


For another story, see item 61 below in the Communications Sector


Information Technology


56. August 30, Help Net Security – (International) Too many disclose sensitive information on social networks. Social networking users should be careful when accepting friend requests, and must be conscious of the data they share. According to a new study by BitDefender, social network users do not appear to be preoccupied with the real identity of the people they meet online or about the details they disclose while chatting with total strangers. The study revealed that 94 percent of those asked to “friend” the test profile, an unknown, attractive young woman, accepted the request without knowing who the requester really was. The study sample group included 2,000 users from all over the world registered on one of the most popular social networks. These users were randomly chosen in order to cover different aspects: sex (1,000 females, 1,000 males), age (the sample ranged from 17 to 65 years with a mean age of 27.3 years), professional affiliation, interests, etc. In the first step, the users were only requested to add the unknown test profile as their friend, while in the second step, several conversations with randomly selected users aimed to determine what kind of details they would disclose. The study showed that more than 86 percent of the users who accepted the test-profile’s friend request work in the IT industry, of which 31 percent work in IT Security. It also found the most frequent reason for accepting the test profile’s friend request was her “lovely face” (53 percent). After a half-hour conversation, 10 percent disclosed personal sensitive information, such as address, phone number, mother’s and father’s name, etc., information usually requested as answers to password recovery questions. Two hours later, 73 percent disclosed what appears to be confidential information from their workplace, such as future strategies, plans, as well as unreleased technologies/software. Source: http://www.net-security.org/secworld.php?id=9793


57. August 30, Computerworld – (International) American Eagle Outfitters learns a painful service provider lesson. As American Eagle Outfitters learned in July, even if a company does everything right to ensure disaster recovery and business continuity plans are in place, Murphy’s Law sometimes takes over. And problems can be compounded if one relies on an outsourcer for disaster recovery services. The multibillion-dollar clothing retailer suffered an 8-day Web site outage because its Oracle backup utility failed — and then an IBM disaster recovery site was not up and running as it should have been, according to a report from StorefrontBacktalk.com. American Eagle did not dispute the basic account of what happened, though a spokeswoman said a few details were incorrect. According to a reporter from StorefrontBacktalk.com, which monitors retail Web sites, the outage began with a series of server failures. The reporter, who said he spoke with an unnamed IT source at American Eagle, said a storage drive failed at an IBM off-site hosting facility. That failure was followed by a secondary backup disk drive failure. Once the drives were replaced, the company attempted a restore of about 400GB of data from backup, but the Oracle backup utility failed, possibly as a result of data corruption. Finally, American Eagle attempted to restore its data from its disaster recovery site, only to discover the site was not ready and could not get the logs up and running. In an e-mail response to questions from Computerworld, an American Eagle spokeswoman said StorefrontBacktalk.com was “off track” by saying the retailer should have directed Web traffic to its mobile Web site. That is because the mobile site was also down. Source: http://www.computerworld.com/s/article/9182159/American_Eagle_Outfitters_learns_a_painful_service_provider_lesson


58. August 27, The Register – (International) Once-prolific Pushdo botnet crippled. Security researchers have disrupted the botnet known as Pushdo, a coup that over August 26 and 27 has almost completely choked the torrent of junkmail from the once-prolific spam network. Researchers from the security intelligence firm LastLine said they identified a total of 30 servers used as Pushdo command and control channels and managed to get the plug pulled on 20 of them. As a result, the torrent of junkmail spewing from it dropped to almost zero August 26, according to figures from M86 Security Labs. Also known as Cutwail, Pushdo has long maintained a strong presence. It is known for spam that attempts to trick recipients into installing malware, and it also excels at hiding itself from intrusion-prevention systems, security researchers have said. Its output has varied over the years with estimates as high as 20 percent of the world’s spam at some points. Pushdo was also notable for other technical feats, including its ability to pierce Microsoft Live by defeating its audio captchas. Source: http://www.theregister.co.uk/2010/08/27/pushdo_botnet_crippled/


For another story, see item 63


Communications Sector

59. August 28, KGUN 9 Tucson – (Arizona) Power outage at KGUN 9 affects broadcast signal. A major storm August 28 hit the east side of Tucson, Arizona, striking the KGUN 9 studios with a lightning bolt, killing power. It happened at around 6:45 p.m. The power loss affected the over-the-air signal on KGUN 9 and KWBA. Source: http://www.kgun9.com/Global/story.asp?S=13061552

60. August 27, Mt. Carmel Daily Republican Register – (Illinois) Fiber line cut in Southern Illinois hits NewWave customers for hours. According to the vice president of marketing for NewWave Communications, a cut fiber optic line August 26 led to a 7-hour outage of Internet services, e-mail and cable television reception in Wabash County, Illinois. The outage was between McLeansboro and Enfield, Illinois, where a 24-count fiber line suffered the damage. “Most services were restored about 6 p.m.,” he said. The outage affected about 4,500 customers, and occurred around 10:30-11 a.m. Source: http://www.tristate-media.com/drr/news/local_news/article_49505858-b1f0-11df-99c3-001cc4c002e0.html


61. August 27, Canton Repository – (Ohio) Severed line causes phone outages. A third-party contractor working August 26 near a section of Cleveland Avenue NW in Canton, Ohio, accidentally cut through an AT&T line. The accident caused customers in areas near and north of 30th Street to lose phone and/or Internet service. An AT&T Ohio spokesman said he was not certain of the number of customers affected, but added the company had fielded more than 100 reports of loss of service. “The good news is the estimated time of restoral is (Saturday) afternoon,” he said. The Stark Federal Credit Union branch at 3426 Cleveland Ave. NW is among those without service. The chief executive said that the office was closed August 27 and may not open August 28, either. Source: http://www.cantonrep.com/newsnow/x2077301906/Severed-line-causes-phone-outages


62. August 27, WINK 9 Fort Myers – (Florida) 2 charged with stealing copper wire from Collier County tower. Information sharing between law enforcement agencies and detective work in Collier County, Florida, helped lead to the arrests of two men — including a career criminal — on multiple felony charges after deputies said the men stole copper wire from a communications tower owned by Renda Broadcasting in East Naples August 26. A 28-year-old man from Golden Gate and a 32-year-old man from Golden Gate were each charged with burglary, grand theft $300 to $5,000 and possession of burglary tools. A search of the van turned up fresh-cut copper wire and cables, along with large bolt cutters, a pry bar and large channel lock pliers. The suspects were arrested and booked into the Collier County jail. The 32-year-old suspect was additionally charged with two felony counts of possession of a controlled substance after deputies found a small plastic bag containing Xanax and Oxycontin pills in his possession during the traffic stop, according to arrest reports. Source: http://www.winknews.com/Local-Florida/2010-08-27/2-charged-with-stealing-copper-wire-from-Collier-County-tower#ixzz0xpEUUyh2


63. August 27, IDG News Service – (International) Research experiment disrupts Internet, for some. An experiment run by Duke University and a European group responsible for managing Internet resources went wrong August 27, disrupting a small percentage of Internet traffic. The damage could have been far worse however, and the incident shows just how fragile one of the Internet’s core protocols really is, security experts said. The problem started just before 9 a.m. Greenwich Mean Time August 27 and lasted less than half an hour. It was kicked off when RIPE NCC (Reseaux IP Europeens Network Coordination Centre) and Duke ran an experiment that involved the Border Gateway Protocol (BGP) — used by routers to know where to send their traffic on the Internet. RIPE started announcing BGP routes that were configured a little differently from normal because they used an experimental data format. RIPE’s data was soon passed from router to router on the Internet, and within minutes it became clear that this was causing problems. “During this announcement, some Internet service providers reported problems with their networking infrastructure,” RIPE NCC wrote in a note posted to the NANOG (North American Network Operators Group) discussion list. “Immediately after discovering this, we stopped the announcement and started investigating the problem. Our investigation has shown that the problem was likely to have been caused by certain router types incorrectly modifying the experimental attribute and then further announcing the malformed route to their peers.” Source: http://www.computerworld.com/s/article/9182558/Research_experiment_disrupts_Internet_for_some
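The failure RIPE describes, a router altering a path attribute it does not understand and then re-announcing the altered route, is exactly what the BGP rules for unrecognized attributes (RFC 4271) are meant to prevent: an unknown optional transitive attribute is passed on byte-for-byte with the Partial bit set, an unknown optional non-transitive one is dropped, and an attribute whose length does not fit the message is rejected rather than forwarded. The Python below is an added illustration, not code from the article, RIPE NCC or Duke; the attribute type code 254 and all byte values are constructed for the example.

```python
import struct

# Path-attribute flag bits (RFC 4271, section 4.3).
FLAG_OPTIONAL = 0x80
FLAG_TRANSITIVE = 0x40
FLAG_PARTIAL = 0x20
FLAG_EXT_LEN = 0x10

# The well-known attributes this toy speaker recognises.
KNOWN_TYPES = {1: "ORIGIN", 2: "AS_PATH", 3: "NEXT_HOP"}


class MalformedAttribute(ValueError):
    """Raised when an attribute cannot be parsed or violates the flag rules."""


def parse_path_attributes(data):
    """Parse the Path Attributes field of an UPDATE into (flags, code, value) tuples."""
    attrs = []
    i = 0
    while i < len(data):
        if len(data) - i < 3:
            raise MalformedAttribute("truncated attribute header")
        flags, code = data[i], data[i + 1]
        i += 2
        if flags & FLAG_EXT_LEN:
            if len(data) - i < 2:
                raise MalformedAttribute("truncated extended length")
            (length,) = struct.unpack("!H", data[i:i + 2])
            i += 2
        else:
            length = data[i]
            i += 1
        if len(data) - i < length:
            raise MalformedAttribute(
                "attribute %d claims %d bytes, only %d remain" % (code, length, len(data) - i))
        value = data[i:i + length]
        i += length
        # Well-known attributes are always transitive and never carry the Partial bit.
        if not flags & FLAG_OPTIONAL and (not flags & FLAG_TRANSITIVE or flags & FLAG_PARTIAL):
            raise MalformedAttribute("bad flags 0x%02x on well-known attribute %d" % (flags, code))
        attrs.append((flags, code, value))
    return attrs


def encode_attribute(flags, code, value):
    """Serialise one attribute, choosing the extended-length form when the value needs it."""
    if len(value) > 255:
        return bytes([flags | FLAG_EXT_LEN, code]) + struct.pack("!H", len(value)) + value
    return bytes([flags & ~FLAG_EXT_LEN & 0xFF, code, len(value)]) + value


def propagate(attrs):
    """Decide what a conformant speaker re-announces to its peers (RFC 4271, section 5)."""
    out = []
    for flags, code, value in attrs:
        if code in KNOWN_TYPES:
            out.append((flags, code, value))
        elif flags & FLAG_OPTIONAL and flags & FLAG_TRANSITIVE:
            # Unrecognised optional transitive: forward the value unchanged and set
            # Partial so downstream peers know a router on the path did not understand it.
            out.append((flags | FLAG_PARTIAL, code, value))
        elif flags & FLAG_OPTIONAL:
            # Unrecognised optional non-transitive: quietly dropped, never forwarded.
            continue
        else:
            raise MalformedAttribute("unrecognised well-known attribute %d" % code)
    return out


# Constructed sample: ORIGIN, AS_PATH, NEXT_HOP and an experimental optional
# transitive attribute with made-up type code 254 and a two-byte payload.
SAMPLE_ATTRS = bytes([
    0x40, 0x01, 0x01, 0x00,                      # ORIGIN = IGP
    0x40, 0x02, 0x04, 0x02, 0x01, 0x30, 0x39,    # AS_PATH: AS_SEQUENCE of one 2-byte AS
    0x40, 0x03, 0x04, 0xC0, 0x00, 0x02, 0x01,    # NEXT_HOP 192.0.2.1
    0xC0, 0xFE, 0x02, 0xDE, 0xAD,                # experimental: optional + transitive
])


def reannounce(data):
    """Parse, apply the propagation rules and re-serialise what goes to peers."""
    return b"".join(encode_attribute(f, c, v) for f, c, v in propagate(parse_path_attributes(data)))


if __name__ == "__main__":
    print(reannounce(SAMPLE_ATTRS).hex())
    try:
        reannounce(bytes([0xC0, 0xFE, 0x10, 0xDE, 0xAD]))  # claims 16 bytes, carries 2
    except MalformedAttribute as err:
        print("rejected:", err)
```

Run stand-alone it prints the re-announced attributes, where only the experimental attribute's flags change (0xC0 becomes 0xE0), followed by the rejection of the overlong attribute.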

Department of Homeland Security Daily Open Source Infrastructure Report

Monday, August 30, 2010

Complete DHS Daily Report for August 30, 2010

Daily Report

Top Stories

•According to CBC News, one of three Ontario, Canada men who are suspects in what the Royal Canadian Mounted Police (RCMP) are alleging is a terrorist plot possibly against transit systems and government buildings in Canada, has been remanded into custody until September 1 after appearing in an Ottawa courtroom.

21. August 27, CBC News – (International) Bomb plot suspect appears in court. One of three Ontario, Canada men who are suspects in what the Royal Canadian Mounted Police (RCMP) are alleging is a terrorist plot against Canada has been remanded into custody until September 1 after appearing in an Ottawa courtroom. An RCMP chief described all three men during an August 26 press conference as being part of a conspiracy to commit "a violent terrorism attack." The men discussed specific targets in Canada, according to security sources CBC spoke with, including specific government buildings and transit systems, but didn't mention any of those targets by name. A former senior Canadian Security Intelligence Service officer told CBC News his sources had said Parliament Hill was among the targets discussed, and suggested Montreal's transit system was a possible target because two of the men had roots in the city, and had lived and studied there. Source: http://www.cbc.ca/canada/windsor/story/2010/08/27/canada-bomb-plot-charges.html#ixzz0xohjzLF1

•The Richmond Times-Dispatch reports that a massive computer failure is crippling Virginia government, knocking out Web sites to the governor's office and 26 state agencies, blocking the issuance of driver's licenses, preventing the processing of jobless benefits, and delaying welfare payments.

42. August 27, Richmond Times-Dispatch – (Virginia) State struggles with computer failures. A massive computer failure is crippling Virginia government, knocking out Web sites, blocking the issuance of driver's licenses, preventing the processing of jobless benefits, and delaying welfare payments. The outage, flaring August 25 and expected to disrupt some services through the weekend, is attributed to 228 malfunctioning servers, which supply shared software and applications to clusters of state agency computers. Twenty-six of more than 80 state agencies were hit by the shutdown, including the office of the governor. The incident is the latest embarrassment for Virginia Information Technologies Agency (VITA) and Northrop Grumman, the company the state hired in 2005 to provide computer and communications services under a $2.3 billion contract — Virginia's richest-ever privatization deal. VITA and the firm have quarreled for months over shoddy, expensive service. This past spring, VITA and the company announced a new agreement giving an additional $236 million to Northrop Grumman in return for a pledge of better service. Source: http://www2.starexponent.com/news/2010/aug/27/state-struggles-computer-failures-ar-475821/

Details

Banking and Finance Sector

11. August 27, Gainesville Sun – (Florida) Luis Orlando Martinezroque accused of using information gathered by credit card skimmers. A man accused of illegally using information gathered by credit card skimmers at Gainesville, Florida gas stations has been booked into the Alachua County jail. The 24-year-old suspect, of Orlando, was arrested August 24 in Orange County on charges of identity theft and scheming to defraud. Gainesville Police requested that the suspect be extradited to Gainesville. He is under investigation by police, the Alachua County Sheriff's Office, and the U.S. Secret Service in connection with skimmers found earlier this summer. Investigators said about 30 people have reported finding fraudulent charges on their credit cards after buying gas at area stores where skimmers were found. The skimmers were small electronic devices placed inside pumps to gather credit card information surreptitiously from unsuspecting consumers. Information "skimmed" from the card when it is swiped at the pump can then be used or sold. A week ago, industry officials and local investigators said the skimmers might have been the work of international crime rings. The suspect was identified by surveillance videos and a witness. Source: http://www.gainesville.com/article/20100827/ARTICLES/100829548/1002


12. August 27, KNXV 15 Phoenix – (Arizona) 'Bad Tooth Bandit' strikes again. Police are investigating a bank robbery in Phoenix, Arizona that they said may be the work of the "Bad Tooth Bandit" who is wanted in connection with several other heists. According to a Phoenix Police Department spokesman, a Wells Fargo bank located inside the Albertson's store near Tatum and Shea boulevards was robbed around 5 p.m. August 26. It is unclear if the suspect was armed during the incident. The spokesman said officers searched the surrounding area for the suspect, but were unable to locate him. Police are reportedly investigating if the man is the "Bad Tooth Bandit," who is responsible for other robberies around the valley. Source: http://www.abc15.com/dpp/news/region_phoenix_metro/north_phoenix/'bad-tooth-bandit'-strikes-again-police-investigating-bank-robbery-in-phoenix


13. August 26, New York Times – (International) Young girl among those hurt by acid in letters. An 8-year-old girl was among those injured by letters containing acid that were sent to the families of Geneva, Switzerland bank executives in recent days, the magistrate investigating the case said August 26. The girl was taken by ambulance to a hospital after she opened a box inside one of the letters and her hands were burned by concentrated sulfuric acid, the magistrate said by telephone from Geneva. Two adults were also injured, but apparently less seriously, by the letters, which targeted Geneva private bankers and their families, he said. The magistrate said that a total of eight letters containing acid were mailed to eight different addresses, in several cases the wives of executives at Geneva private banks. The letters were mailed from within Switzerland, but were routed through a central post office so it was not possible to say from where. The letters were sent August 22, the Swiss newspaper Tribune de Geneve reported. The motivation for sending the letters is not yet clear. Source: http://www.nytimes.com/2010/08/26/world/europe/26iht-swiss.html?partner=rss&emc=rss


14. August 26, KXTV 10 Sacramento – (California) Bomb squad inspects two potential explosives at Wells Fargo bank in Tracy. An evacuation at a strip mall in Tracy, California was lifted after the San Joaquin County bomb squad determined two possible explosive devices inside a car were smoke bombs, police said. The incident began about 10:40 a.m. August 26 when officials at the Wells Fargo bank on Valpico Road and Tracy Boulevard reported a man tried to deposit a fake check at the branch, said a Tracy police lieutenant. He said officers determined the check was fraudulent and arrested the 26-year-old suspect, of Lathrop. A search of the suspect's car turned up two loaded guns in the vehicle as well as black clothing, ski masks, and two devices that looked like explosives in his trunk. The suspect said the cylinders were bombs. Officers evacuated the bank as well as a Subway, a Supercuts and a yogurt shop in the area. The bomb squad determined the devices were the type placed in a gas pipe to check for leaks. The suspect was arrested on weapons and bad check charges. Source: http://www.news10.net/news/story.aspx?storyid=92670&catid=2


15. August 26, Poughkeepsie Journal – (New York) Central Hudson warns of scam seeking credit card data. Customers of Central Hudson Gas & Electric Corp. are being warned about a scam discovered recently. People posing as Central Hudson employees are seeking credit card information over the telephone and via text messages, said a spokesman for the utility company. “Several calls were made to residents indicating a balance due on their Central Hudson account, or offering a discount on future utility bills for a one-time payment,” he said. ”Several residents also received text messages on their cell phones advising them to reply with a ‘Yes’ or ‘No’ to obtain a discount on their utility bills.” These are neither authorized nor conducted by Central Hudson, and customers receiving these calls or messages are warned not to provide their utility account or credit card information. The spokesman said customers who get these inquiries should note the caller ID information and report the incident to police. Source: http://www.poughkeepsiejournal.com/article/20100826/BUSINESS/100826011/Central-Hudson-warns-of-scam-seeking-credit-card-data


16. August 25, Salt Lake Tribune – (Utah) Prosecutors: Mortgage worker got drunk, shot computer server. A Salt Lake City, Utah mortgage company employee allegedly got drunk, opened fire on his firm’s computer server with a .45-caliber automatic, and then told police someone had stolen his gun and caused the damage. The 23-year-old suspect has been charged in 3rd District Court with criminal mischief, a second-degree felony; carrying a dangerous weapon while under the influence and providing false information to police, both Class B misdemeanors; and public intoxication, a Class C misdemeanor. Salt Lake County prosecutors said the suspect called police August 12, claiming a man had stolen his gun and fired into the $100,000 computer server owned by RANLife Home Loans, located at 268 W. 400 South. However, investigators allege the suspect was drinking that night at a concert with a co-worker and had returned to his office afterward and shot the server. A probable cause statement alleges the suspect told police he had been “mugged, assaulted with his own firearm and drugged” by a mystery assailant. However, acquaintances of the suspect reportedly told police he had earlier been drunk, was armed and had threatened to shoot the computer and maybe himself. Source: http://www.sltrib.com/sltrib/home/50159264-76/campbell-computer-police-server.html.csp


17. August 25, Pasadena Star-News – (California) 'Drywaller bandit' suspected of robbing two Pasadena banks. Authorities have linked two recent Pasadena, California bank heists to a robber the FBI is calling "The Drywaller Bandit." The gun-wielding crook is believed to have held up a Wells Fargo branch August 24 as well as a Citibank branch August 13, a Pasadena police lieutenant said. The banks are within 1 mile of each other. Because of the white dust mask worn during both crimes, "We're calling him 'The Drywaller Bandit,'" said an FBI spokeswoman. In both cases, police said, the robber was described as a white man in his 30s, of medium to heavy build, wearing a dust mask and a baseball cap and armed with a handgun. The robber stuffed the stolen money into cloth bags in both robberies, officials said. Source: http://www.pasadenastarnews.com/news/ci_15897465#ixzz0xj6IhgCh


Information Technology


48. August 27, Computerworld – (International) Rootkit with Blue Screen history now targets 64-bit Windows. A new version of malware that crippled Windows PCs last February sidesteps safeguards designed to block rootkits from hijacking machines running 64-bit editions of Windows, researchers said August 26. "A new era has officially dawned; the era of x64 rootkits," said a Prevx researcher in a post to the company's blog. The updated rootkit, which goes by names including Alureon, TDL and Tidserv, is able to infect 64-bit Windows PCs. Both Prevx and Symantec have found evidence that hackers are actively using the rootkit. "The infection is spreading on the Web, by using both porn Web sites and exploit kits," he said, adding that U.K.-based Prevx spotted the new rootkit more than 1 week ago. Symantec's first sighting was August 25. The new rootkit sidesteps two important anti-rootkit protections Microsoft built into 64-bit Windows, Kernel Mode Code Signing and Kernel Patch Protection, also known as PatchGuard. The pair are designed to make it more difficult for malware to tamper with the operating system's kernel. Rootkits that overwrite the hard drive's master boot record, where code is stored to bootstrap the operating system after the computer's BIOS does its start-up checks, are essentially invisible to the operating system and security software. Source: http://www.computerworld.com/s/article/9182238/Rootkit_with_Blue_Screen_history_now_targets_64_bit_Windows


49. August 27, V3.co.uk – (International) Russia, Turkey named 'most dangerous' web countries. Computer users in Turkey and Russia are at the greatest risk of online attacks, according to a recent report. Security firm AVG said the two nations had the highest concentration of attack attempts per citizen. The report compared attack attempts collected by its Threat Labs to the total number of users in a country. AVG said 1 in 10 of its Turkish users had been subject to an attack attempt this year. In Russia, 1 in every 14 users had been attacked. Ranking third on the list was Armenia, with 1 of every 24 users subject to attack, followed by Azerbaijan and Bangladesh. The U.K. ranked 31 on the list, with 1 in 63 users attacked. Users in the United States had a 1 in 48 chance of attack, earning it the ninth spot on the list. Among the safest countries to surf was Japan, which logged attacks on just 1 in every 404 users. Taiwan, Argentina and France were also noted for low attack levels. AVG's chief research officer said while the report reviewed risks residents take in visiting sites in their native countries and languages, users who are traveling in high-risk countries should exercise extra caution. Source: http://www.v3.co.uk/v3/news/2268820/russia-turkey-named-dangerous


50. August 27, SC Magazine – (International) Kaspersky Lab warns of advanced instant messenger threat. Warnings have been made about worms spreading via instant messaging (IM) clients. Kaspersky Lab said the new family of worms is multilingual and capable of infecting users via several IM clients simultaneously, including Yahoo! Messenger, Skype, Paltalk Messenger, ICQ, Windows Live Messenger, Google Talk and the XFire client for gamers. It said four variants of IM-Worm.Win32.Zeroll have been detected so far. Kaspersky Lab said once it penetrates a computer, the worm looks in the contact list of any IM client present and sends itself to all the addresses it finds. Infection occurs when a user follows what they think is a hyperlink in an IM to an interesting picture but which actually leads to a malicious file. IM-Worm.Win32.Zeroll also has backdoor functionality to gain control of a computer without the user's knowledge. Once it has penetrated a system, the worm contacts a remote command and control center and, after receiving its instructions, starts downloading other malicious programs. Kaspersky Lab said it uses 13 different languages, including English, German, Spanish and Portuguese, sending users in various countries messages in a language that they will understand. At the present time, Mexico, Brazil, Peru and the United States have seen the greatest numbers of infections, but many instances have also been recorded in Africa, India and European countries, particularly Spain. Source: http://www.scmagazineuk.com/kaspersky-lab-warns-of-advanced-instant-messenger-threat/article/177649/


51. August 26, eWeek – (International) Researchers warn of .Zip file spam surge. Security researchers are reporting an uptick in malware hidden in .zip files being sent out in spam to Web users. According to IBM's X-Force, there has been a significant increase in the number of spam messages with malicious .zip file attachments. "Normally we see that between 0.1 and 1.5 percent of all spam messages contain a .zip attachment … Since [the] beginning of August, the percentage of .zip spam has increased significantly," said a joint August 24 blog post by X-Force researchers. Sophos reported August 26 a widespread campaign of spam posing as e-mails from FedEx with subject lines such as "Fedex Tracking number" and "Fedex Invoice copy." As a lure, the e-mails mention a failed package delivery. Unlike many of the other FedEx-related malware attacks in the past, the e-mails' message about a failed delivery comes in the form of an image rather than text — possibly in an attempt to avoid anti-spam filters. Anyone who makes the mistake of opening the attachment is greeted with a Trojan. Sophos has not linked the FedEx attack to any particular botnet, but as of approximately noon EDT, the Trojan represented a third of the malware the company was seeing August 26, a Sophos researcher said. According to IBM, the increase during the past few weeks has not been tied to a single malware campaign or spam botnet, and there are a few different types of malware used. Source: http://www.eweek.com/c/a/Security/Researchers-Warn-of-Zip-File-Spam-Surge-583404/


52. August 26, DarkReading – (International) Mariposa botnet operators didn't bite in 'cookie-stuffing' offer. The Slovenian man recently arrested for allegedly writing malware used to build the now-infamous Mariposa botnet also sold an additional feature for his bot software, a form of cookie fraud known as "cookie-stuffing." According to the researcher who helped take down Mariposa, the Spanish operators who purchased the bot software from the Slovenian man known as "Iserdo" and then built Mariposa, for some reason did not opt for the feature, which he offered for 200 euros, even though it would have increased their potential profits. "That was one module they didn't buy," said a technical director of PandaLabs, which teamed up with the FBI, Defence Intelligence, and Georgia Tech University researchers to derail the botnet in December of last year. "The most likely explanation is that they didn't even know what it was about. Otherwise, they could have multiplied the profit they were doing." Cookie-stuffing would have added another revenue stream for the Mariposa operators. This often-overlooked but lucrative form of crime is where a fraudster sticks his own cookies atop legitimate cookies planted for affiliate marketing purposes. Source: http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=227100051


Communications Sector

53. August 27, Reuters – (International) Car bomb explodes outside Mexico TV studio. A car bomb exploded in the northern Mexican city of Ciudad Victoria August 27 outside a studio of top broadcaster Televisa, but there were no injuries, Mexican media and witnesses said. Two witnesses saw the charred remains of a parked vehicle outside the TV studio in the city in Tamaulipas state, and Televisa's main morning news anchorman said nearby buildings were damaged, causing a power outage. No group was immediately blamed for the blast but drug cartels set off a car bomb in Mexico's most violent city Ciudad Juarez in July, the first of its kind, and another earlier this month in Tamaulipas in Mexico's escalating drug war. Source: http://www.publicbroadcasting.net/wxxi/news.newsmain/article/0/0/1693397/World/Car.bomb.explodes.outside.Mexico.TV.studio


54. August 27, Anderson Independent-Mail – (South Carolina) Phone service working again in Abbeville County. Phone service that was out in areas of Abbeville County, South Carolina August 26 is now back up, according to the South Carolina Emergency Management Agency. Service for phone numbers with the prefix 459 or 447 was out of order in some areas, causing a disruption of emergency phone service, according to the South Carolina Emergency Management Division. Service was restored that evening. Source: http://www.independentmail.com/news/2010/aug/27/phone-service-working-again-abbeville-county/


55. August 26, Steamboat Springs Pilot & Today – (Colorado) Jackson County communication severed after fiber optic line was cut. The Walden, Colorado area mostly was isolated from outside communication the afternoon of August 26 because of a cut fiber optic line. Officials reported that residents in the area could call one another but could not call out of the area or reach 911 services. Phone service was interrupted from about 1:30 to 6:30 p.m. Routt County Emergency Management's director said Jackson County officials notified his office of the outage. Jackson County communications workers asked to route 911 calls to the Routt County Communications center, and Routt County officials agreed, but the patch did not work. Emergency services in the area still could use radios to communicate and process some information through Routt County dispatchers. Most cell phones in the affected area also were not usable because they are routed from cell towers to the fiber optic line. That is especially common in rural areas, Routt County's communications director said. No 911 calls made it from Jackson County to his dispatchers. Source: http://www.steamboatpilot.com/news/2010/aug/26/jackson-county-experiencing-communication-isolatio/


56. August 26, Associated Press – (South Dakota) Alltel service restored in Western SD. A South Dakota Public Utilities commissioner said Alltel has restored cellular service in the western part of the state after a 12-hour outage. The outage began about 3 a.m. August 26, and stretched from Pierre to Rapid City. Thousands of Alltel customers lost the ability to make voice calls, though they could still text. The state public utilities commission chairman said service was restored about 3 p.m. that day. The outage appears to have been caused by a technical problem, but the chairman said his commission will look into the incident. Source: http://www.kdlt.com/index.php?option=com_content&task=view&id=4706&Itemid=57


57. August 26, V3.co.uk – (National) Smartphones add to Wi-Fi data deluge. The demand for mobile connectivity is pushing the amount of data being sent over Wi-Fi networks ever higher, new figures from wireless network access firm WeFi reveal. Among the main findings of the WeFi Analytics Report Q2/2010: An Analysis of Global Wi-Fi, was a massive rise in the amount of data being sent to and from smartphones over Wi-Fi. The Android platform in particular saw tremendous growth, with 30 percent of Android platforms consuming 500MB to 2GB of data and 20 percent going over 2GB. Breaking down the figures for Android phones further reveals that 35 percent of devices monitored were in the United States, while the U.K. accounted for just 6 percent. Symbian devices are also gobbling up data, according to the report, with 32 percent of devices running the platform consuming between 100MB and 500MB per month, up from 20 percent in Q1, while 10 percent use over 2GB on Wi-Fi connections. Source: http://www.v3.co.uk/v3/news/2268801/wi-continues-grow-across-globe


For another story, see item 42 above in the Top Stories