Wednesday, October 20, 2010

Complete DHS Daily Report for October 20, 2010

Daily Report

Top Stories

• The Minneapolis Star Tribune reports that about 250 people were evacuated from their homes, and students on a college campus were advised to stay indoors October 18, after anhydrous ammonia leaked from a farm tractor tank in Morris, Minnesota. (See item 28)

28. October 19, Minneapolis Star Tribune – (Minnesota) Ammonia leak prompts evacuation in Morris. Part of Morris, Minnesota, was evacuated October 18 after anhydrous ammonia leaked from a tank attached to a farm tractor, a city official said. No one was reported injured. The director of emergency response in Morris said five or six blocks were evacuated on the north end of the city as a precaution. Stevens County sheriff’s officials said about 250 people were evacuated from their homes. At midnight, the leak had been stopped and officials were waiting for the cloud of gas to dissipate, but it was taking a long time because there was nearly no wind in the area, the emergency response director said. KSAX-TV reported residents were allowed to return to their homes about 1 a.m. October 19 after the gas dissipated. The University of Minnesota, Morris, sent an alert advising students not to go outside. Source: http://www.startribune.com/local/105233963.html?elr=KArksLckD8EQDUoaEyqyP4O:DW3ckUiD3aPc:_Yyc:aUvckD8EQDUX

• According to CNN, at least five shots were fired at the Pentagon in Arlington, Virginia October 19, authorities said, striking a building window, causing a partial lockdown of parking lots, and forcing the temporary closure of a busy highway. (See item 42)

42. October 19, CNN – (Virginia) Shots fired at the Pentagon, police say. Shots were fired at the Pentagon in Arlington, Virginia October 19, authorities said, striking a window of the building. A Pentagon police spokesman said it is not known who fired the shots. Pentagon police officers heard at least five shots around 4:50 a.m. According to another Pentagon Force Protection Agency spokesman, two bullets hit the Pentagon on the south side of the building — one striking a window and the other hitting the building itself. This is an unoccupied part of the building that is being renovated. The spokesman said a fragment of one of the bullets is lodged in the window. The windows, which are bullet-proof, did not shatter. There was a partial lockdown of the Pentagon’s south parking lot and south entrance for about 1 hour after the shooting, and authorities briefly shut down a portion of Interstate 395 going out of the capital — which runs along the south side of the Pentagon — to conduct a search in the investigation. Source: http://www.cnn.com/2010/CRIME/10/19/dc.pentagon.shots.fired/index.html?hpt=T1

Details

Banking and Finance Sector

11. October 19, Softpedia – (International) Multi-bank phishing attack targets Indian taxpayers. Security researchers warn of a new phishing attack exploiting the tax return filing period in India, which uses fake pages for a large number of banks. Floods in certain parts of India led the country’s Central Board of Direct Taxes to extend the due date for filing income tax returns from September 30 to October 15. According to a security researcher with Symantec, this decision attracted phishing attacks, which distributed links to a fake version of the Indian Income Tax Department Web site. The rogue page instructed visitors to select their bank from a list of over a dozen financial institutions to complete the refund request. “Once a bank was selected from the list, the customer was redirected to a phishing site spoofing the log-in page of the selected bank. After the log-in credentials were entered into the phishing site, the customer was redirected back to the legitimate bank’s Web site,” the security researcher explained. Phishing e-mails claiming to originate from tax collection agencies are common during tax filing periods, especially in countries like the United States, U.K., Canada, or Australia. However, attacks targeting so many banks at once are relatively rare. Source: http://news.softpedia.com/news/Multi-Bank-Phishing-Attack-Targets-Indian-Taxpayers-161682.shtml

12. October 19, Softpedia – (International) Phishers use mobile credit bait. Security researchers from Symantec warn of a phishing campaign, which promises free mobile credits in order to trick online banking users into exposing their credentials and phone numbers. This particular attack targeted customers of an Italian bank, but it’s a good indication of the various methods used by phishers to lure victims. The phishing page was hosted on a domain that was a typo of the bank’s real Web address, a technique known as typosquatting. The site claimed that if the users recharged their mobile credit through the bank system with 10 euros, they would receive an additional 40 euros as a bonus. This attack is a double phishing attempt, because the users are first asked to log in to their accounts, which exposes online banking credentials, and then they must input mobile phone numbers. Source: http://news.softpedia.com/news/Phishers-Use-Mobile-Credit-Bait-161597.shtml

13. October 18, WIAT 42 Birmingham – (Alabama) Mountain Brook bank robbed; employees evacuated. The chief of Mountain Brook Police tells CBS42 that employees of Wells Fargo, located at 100 Office Park Drive in Mountain Brook, Alabama, were evacuated due to a robbery October 18. A police spokesman said the suspect arrived at the location in a vehicle, passed a note to a teller claiming there was a bomb on the roof and then drove off. Officials think the man got away with some money. The suspect is a black male in a white Chevrolet; the police spokesman said he is still on the loose. Officials from the Hoover Police Department were called to the scene and determined there was no bomb at the bank. Source: http://www.cbs42.com/content/localnews/story/Mountain-Brook-Bank-Robbed-Employees-Evacuated/4_nLqVtOdUSScYhhply9hw.cspx

14. October 18, Softpedia – (International) Number of fake electronic tax payment emails has spiked. Security researchers warn that a ZeuS distribution campaign producing e-mails about failed electronic tax payments significantly increased its aggressiveness the weekend of October 16-17. The rogue e-mails started hitting in-boxes from October 11-15 and come with a subject of “Your Tax Payment ID ######### is failed. Update information.” The from field is spoofed to appear as if the e-mail is originating from “EFTPS Tax Payment,” and it tells users their tax payments submitted through the Electronic Federal Tax Payment System (EFTPS) have failed. Also, the messages claim the payment failed with an R21 error code and provide a link to obtain additional information. Clicking on the link takes recipients through a series of redirects until they land on a drive-by download page, where their computers are targeted with exploits for outdated versions of many popular applications. Successful exploitation results in a variant of the ZeuS banking Trojan being installed. This malware is commonly used by fraudsters to steal online banking credentials, credit card details and other sensitive data. According to researchers from e-mail security provider AppRiver, the number of these ZeuS distribution e-mails spiked October 16, with over 100 new domains being used in the attack. Source: http://news.softpedia.com/news/Number-of-Fake-Electronic-Tax-Payment-Emails-Has-Spiked-161368.shtml
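The item above lists three concrete indicators of the EFTPS lure (the fixed subject line, the spoofed “EFTPS Tax Payment” display name, and an R21 error code paired with a link). The following mail-triage script is an added example written for this digest; it is not code from the report, AppRiver or Softpedia. It assumes eftps.gov is the only legitimate sender domain for EFTPS (an assumption, not stated in the item), and the two messages it runs over are constructed samples, not captured campaign mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed legitimate EFTPS sender domain (assumption for this example).
LEGIT_EFTPS_DOMAIN = "eftps.gov"

# Subject pattern quoted in the item: "Your Tax Payment ID ######### is failed. Update information."
SUBJECT_RE = re.compile(r"^Your Tax Payment ID \d+ is failed\. Update information\.?$", re.I)
LINK_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
R21_RE = re.compile(r"\bR21\b")


def _plain_text_body(msg):
    """Return the text/plain content of a parsed message (multipart-aware)."""
    if not msg.is_multipart():
        return msg.get_payload()
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            parts.append(raw.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(parts)


def triage(raw_message):
    """Return the list of lure indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    reasons = []

    subject = msg.get("Subject", "").strip()
    if SUBJECT_RE.match(subject):
        reasons.append("subject matches the EFTPS failed-payment lure")

    display_name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    # Display name claims EFTPS but the sending domain is not the (assumed) real one.
    if "eftps" in display_name.lower() and not sender_domain.endswith(LEGIT_EFTPS_DOMAIN):
        reasons.append("display name claims EFTPS but sender domain is %r" % sender_domain)

    body = _plain_text_body(msg)
    if R21_RE.search(body) and LINK_RE.search(body):
        reasons.append("R21 error code paired with an embedded link")

    return reasons


def is_suspicious(raw_message, threshold=2):
    """Flag a message when at least `threshold` independent indicators fire."""
    return len(triage(raw_message)) >= threshold


# Constructed sample: mimics the lure described in the item (placeholder domain and ID).
PHISH_SAMPLE = """From: EFTPS Tax Payment <alerts@example-lure.test>
To: payer@example.com
Subject: Your Tax Payment ID 123456789 is failed. Update information.

Your tax payment submitted through EFTPS was rejected with error code R21.
Review the transaction here: http://example-lure.test/payment/status
"""

# Constructed sample: an ordinary internal message that mentions a tax payment.
LEGIT_SAMPLE = """From: Accounts Payable <ap@example.com>
To: payer@example.com
Subject: Q3 tax payment receipt attached

The quarterly payment cleared on the 15th. Receipt is in the shared folder.
"""

if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("legit", LEGIT_SAMPLE)):
        print(label, is_suspicious(sample), triage(sample))
```

Each indicator is weak on its own (a real EFTPS notice could mention a return reason code, and a subject can be rephrased), so the verdict requires two of the three to fire; the full reason list is returned rather than a bare boolean so an analyst can see which indicator tripped.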

15. October 18, IDG News Service – (International) U.K. arrests man accused of organizing money ‘mules’. United Kingdom police arrested a 34-year-old man October 18 on suspicion of creating counterfeit credit cards and organizing a network of people involved in money laundering, officials said. Authorities from the Metropolitan Police’s Central e-crime Unit also seized data and equipment believed to be used to create fraudulent payment cards, including blank dummy cards with magnetic strips, during a raid October 18 in London. The man is also accused of organizing money “mules” — people recruited to accept stolen funds and transfer them to other bank accounts for a small share of the amount. The latest action follows a spate of arrests in the United Kingdom, United States and Ukraine in one of the largest coordinated computer crime actions by law enforcement. Source: http://www.computerworld.com/s/article/9191618/U.K._arrests_man_accused_of_organizing_money_mules_

16. October 16, BankInfoSecurity.com – (National) Three banks closed on Oct. 15. Federal and state banking regulators closed three banks October 15. These closures raise the total number of failed institutions to 152 so far in 2010. The latest failed banks include: Security Savings Bank, F.S.B, Olathe, Kansas was closed by the Office of Thrift Supervision, and the Federal Deposit Insurance Corporation (FDIC) was appointed receiver. FDIC arranged for Simmons First National Bank, Pine Bluff, Arkansas, to assume all deposits. The nine branches of Security Savings Bank will reopen as branches of Simmons. Security Savings had $508.4 million in assets. The estimated cost to the Deposit Insurance Fund (DIF) will be $82.2 million. WestBridge Bank and Trust Company, Chesterfield, Missouri was closed by the Missouri Division of Finance. FDIC was appointed receiver. FDIC arranged for Midland States Bank, Effingham, Illinois, to assume all deposits. The sole branch of WestBridge will reopen as a branch of Midland States. WestBridge had $91.5 million in total assets. The estimated cost to the DIF will be $18.7 million. Premier Bank, Jefferson City, Missouri, was closed by the Missouri Division of Finance, and the FDIC was appointed receiver. FDIC arranged with Providence Bank, Columbia, Missouri, to assume all the deposits. The nine branches of Premier will reopen as branches of Providence. Premier had $1.18 billion in assets. The estimated cost to the DIF will be $406.9 million. Source: http://www.bankinfosecurity.com/articles.php?art_id=3015

17. October 15, DataBreaches.net – (Illinois) Illinois AG sues Payday Loan Store over improper disposal of customer data. The Illinois attorney general filed a lawsuit in Cook County Circuit Court October 15 against The Payday Loan Store of Illinois, Inc. (PLS), for allegedly failing to safeguard customer data. The attorney general filed the suit after learning that documents containing customers’ personal information had turned up in trash bins outside four store locations. “Data security is absolutely critical to protecting consumers from identity theft,” the attorney general said. PLS, which sells high-cost, short-term loans throughout Illinois, provides customers with a privacy policy that promises the company will protect personal information by maintaining physical, electronic and procedural safeguards in compliance with federal regulations. The attorney general’s complaint alleges, however, that PLS did not maintain those safeguards and instead disposed of customers’ personal data in publicly accessible trash containers. The complaint alleges a concerned individual alerted Bolingbrook police that he had found documents containing sensitive information in a trash container behind the PLS location in Bolingbrook. The police retrieved approximately two boxes of documents containing nonpublic personal information, including Social Security numbers, driver’s license numbers, financial account numbers and PLS loan account numbers. Source: http://www.databreaches.net/?p=14735

For another story, see item 55 below in the Information Technology Sector

Information Technology

48. October 19, Help Net Security – (International) Kaspersky download site hacked, redirecting users to fake AV. For three and a half hours October 17, Kaspersky’s USA download site provided download links that redirected users to a malicious Web page, where pop-up windows told them their computer was infected and encouraged them to buy a fake AV solution. The fact was noted by various users on three separate forums. Among those was Kaspersky’s own forum, and judging by the comment left by someone with the username “Micha” — who appears to be an employee of the security firm stationed in Japan — the problem was solved. According to ITPro, the incident was first denied, then confirmed by Kaspersky. They said they took the server offline as soon as they found out about the breach, that the compromise was caused by a vulnerability in a third party application for Web site administration, and that customer details contained on company servers were not compromised. Source: http://www.net-security.org/malware_news.php?id=1499

49. October 19, V3.co.uk – (International) RealPlayer receives critical security update. Real Networks has issued a security update for RealPlayer, addressing flaws in versions 1.1.4 and earlier of the application. The company said RealPlayer 1.1.5 and later for Windows is not believed to be vulnerable to attack, nor is the Mac RealPlayer 12.0.0.144 and later release, the latest RealPlayer Enterprise, or the RealPlayer 11.0.2.1744 for Linux release. The update patches seven vulnerabilities ranging from buffer overflow and injection flaws to issues that could allow an attacker to remotely execute code on a targeted system. Real Networks advised administrators to upgrade RealPlayer installations to the most current stable version. No active exploitation of the flaws has been reported in the wild. Source: http://www.v3.co.uk/v3/news/2271764/realplayer-receives-critical

50. October 19, IDG News Service – (International) Tests show consumer antivirus programs falling behind. The latest tests of consumer antivirus software released October 19 show the products are declining in performance as the number of malicious software programs increases. NSS Labs tested 11 consumer security suites and found that the products are less effective than 1 year ago at blocking the download and execution of malicious software programs. The company also tested whether those programs detected and blocked malicious Web sites. The download and execution blocking rate for the top performing product, Trend Micro’s Titanium Maximum Security, fell from 96.4 percent to 90.1 percent from the third quarter of 2009 to the same period this year. All of the rates were lower except for two products: McAfee’s Internet Security and F-Secure’s Internet Security 2010, which raised their detection and blocking rates by 3.6 percent and 0.4 percent respectively. The biggest drop occurred for AVG’s Internet Security 9, which fell 18.5 percent, and Kaspersky’s Internet Security 2011, which fell 16.5 percent. The tested security products have not necessarily fallen in quality; rather, the threats are evolving at a rapid pace, said the president of NSS Labs. Source: http://www.computerworld.com/s/article/9191718/Tests_show_consumer_antivirus_programs_falling_behind?taxonomyId=17&pageNumber=1

51. October 18, Softpedia – (International) Scammers impersonate Adobe employees to sell fake Reader upgrade. Security researchers warn of scam e-mails purporting to come from Adobe employees, who advise users to buy a fake upgrade for Adobe Reader. The e-mails bear a subject of “Action Required : Active Your New Adobe PDF Reader” and come from an “Adobe Support” address. A link is included and recipients are advised to open it in order to download the upgrade. The domain has been registered through a Russian registrar and redirects to a professional-looking Web site that advertises a program called PDF Pro 2010, which asks for registration and money. It appears this campaign has been running for weeks. There are reports about it on Adobe’s forum dating back to September 27, but an ESET blogger wrote about one sent October 17. “Adobe doesn’t send out unsolicited stuff like this, even when it concerns security patches and the like. If you’re not subscribed to one of their lists, that’s red flag number one,” the researcher warned. Source: http://news.softpedia.com/news/Scammers-Impersonate-Adobe-Employees-to-Sell-Reader-Upgrade-161580.shtml

52. October 18, Softpedia – (International) Drive-by kit generates fake Twitter home pages. Security researchers warn of the increasing popularity of a drive-by kit, which allows attackers to create fake copies of the Twitter home page and use them to distribute malware. The real Twitter main page currently promotes a video about the site’s new design. The malware toolkit, which was discovered by researchers from Sunbelt Software (now part of GFI), allows attackers to edit the part of the page where the video is located and replace it with whatever they wish. In some live examples, the malware pushers used a video thumbnail depicting a scantily-dressed woman. Clicking the image prompted the execution of a malicious Java applet. The applet tried to exploit a vulnerability in older versions of Java to install malware on the victim’s computer. The attackers upload these pages to free Web hosting accounts and then target users on Twitter via shortened URLs included in spam messages. They hope that when users open them, they will click on the intriguing picture without verifying the URL in the address bar. Source: http://news.softpedia.com/news/Drive-By-Kit-Creates-Fake-Twitter-Home-Pages-161536.shtml

53. October 18, Computerworld – (International) ‘Unprecedented wave’ of Java exploits hits users, says Microsoft. Microsoft said October 18 that an “unprecedented wave” of attacks is exploiting vulnerabilities in Oracle’s Java software. According to a manager at Microsoft’s Malware Protection Center, attempts to exploit Java bugs have skyrocketed in the past 9 months, climbing from less than half a million in the first quarter of 2010 to more than 6 million in the third quarter. She noted that the bulk of the attacks in the quarter that ended September 30 were exploiting just three Java vulnerabilities, all of which had been patched months or even years ago. “IDS/IPS vendors ... have challenges with parsing Java code,” she alleged. “Think about incorporating a Java interpreter into an IPS engine. ... [T]he performance impact on a network IPS could be crippling. [So] the people that we expect to notice increases in exploitation might have a hard time seeing this. Call it Java-blindness.” Source: http://www.computerworld.com/s/article/9191640/_Unprecedented_wave_of_Java_exploits_hits_users_says_Microsoft

54. October 18, Softpedia – (International) Exploit toolkit infects one in ten users via outdated Java. While analyzing a live drive-by download attack, researchers from M86 Security found that 1 in 10 users visiting the compromised pages were being infected because they had an outdated version of Java installed. The exploit toolkits used in drive-by download attacks target known arbitrary code execution vulnerabilities in older versions of popular applications, such as Adobe Flash Player, Adobe Reader, Java, or even the browsers themselves. The exploit pack used in this attack is called Zombie Infection Kit and is neither the most popular, nor the most sophisticated. The toolkit exploits two Java vulnerabilities, four Adobe Reader ones (via a single PDF document), the Windows XP Help Center (HCP) flaw discovered earlier this year, an old one in IE6, and two in Adobe Flash Player. According to its control panel, the two Java vulnerabilities accounted for a bit over 60 percent of all successful infections. This is consistent with numbers seen in other exploit toolkits. Given that the overall infection rate achieved by this installation of Zombie Infection Kit was 15.39 percent, it can be concluded that 9 percent of users who landed on the infected pages were compromised through Java exploits. Source: http://news.softpedia.com/news/Exploit-Toolkit-Infects-One-in-Ten-Users-via-Outdated-Java-161579.shtml

55. October 18, Computerworld – (International) Microsoft’s anti-Zeus tool cleans quarter-million PCs. Microsoft said its free malware cleaning tool had scrubbed the money-stealing Zeus bot from nearly 275,000 Windows computers in under 1 week. On October 12, Microsoft added Zeus/Zbot detection to its Malicious Software Removal Tool (MSRT), a free malware-removal program that the company updates each month and distributes alongside its Patch Tuesday security fixes. MSRT does not prevent attack code from getting onto Windows machines. Instead, it detects infected machines and then deletes the malware. Since October 12, MSRT has removed 281,491 copies of Zeus from 274,873 PCs, Microsoft announced in a post to a company blog October 17. Those numbers put the Zeus bot into the top spot on MSRT’s hit list. Zeus infections accounted for 20.4 percent of all machine cleanings since October 12, said the director of Microsoft’s Malware Protection Center. Source: http://www.computerworld.com/s/article/9191599/Microsoft_s_anti_Zeus_tool_cleans_quarter_million_PCs

56. October 18, Commtouch – (International) Report: Malware delivery technique focus on HTML attachments. Use of malicious HTML e-mail attachments increased significantly in the third quarter, Commtouch reported October 18 in its third quarter Internet Threats Trend Report. The HTML attachments displayed phishing pages on the user’s local computer or redirected users to sites hosting malware or spam products. The Q3 report examines the methodology within blended attacks, such as the “Here You Have” worm, which spread widely in September using Outlook contact lists from infected PCs. Both Here You Have and numerous fake LinkedIn invitations relied on a combination of social engineering and masked hyperlinks to lead users to Web sites with malware scripts. During Q3, the PayPal, LinkedIn, CraigsList, Bell Canada, NewEgg, and Amazon brands were used by spammers to inspire action by consumers. The report also features the unusual bedfellows of a pharmacy spam campaign based on solidarity with several European politicians and celebrities. The increased use of HTML attachments shows how prominent the multi-stage attack vector has become, said a Commtouch vice president. Source: http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=227900192&subSection=Application+Security

Communications Sector

57. October 19, TMCnet – (Pennsylvania) AT&T helps Philadelphia businesses prepare for potential disasters. AT&T announced the results of a new study conducted on how Pennsylvania businesses prepare to ensure business continuity and save their businesses from unforeseen natural or manmade disasters. According to the 2010 Business Continuity Study, businesses are proactively preparing to face these challenges and protect their operations and maintain communications in times of disruption. Many businesses in Philadelphia and Pittsburgh are preparing for potential disasters and investing in additional technology, according to AT&T. About 81 percent of AT&T survey participants in these metro areas said they have business continuity plans, and two-thirds of executives indicated their companies are investing in new technologies in 2010. The survey found business continuity is essential as these businesses allowed most employees to work from home or remote locations, and use communications facilities like automated calling systems to reach employees by telephone or cell phone outside of work. A majority (78 percent) of survey participants were concerned about the increasing use of mobile networks and devices and their impact on security threats. AT&T also announced it is working with officials and business leaders to conduct a full-scale disaster recovery simulation — a Network Disaster Recovery or “NDR” exercise — in King of Prussia, Pennsylvania, October 19 to 20. The company conducts NDR several times a year as part of its strategies to test, refine and strengthen the business continuity and disaster recovery services to minimize network downtime. Source: http://mpls.tmcnet.com/topics/business-continuity/articles/109843-att-helps-philadelphia-businesses-prepare-potential-disasters.htm

58. October 18, Network World – (International) Gap between IPv4 depletion, IPv6 adoption widens. With the Internet’s largest-ever upgrade looming, network operators are using up address space based on the current standard — known as IPv4 — much faster than they are adopting IPv6, the next-generation standard. The Internet’s regional registries, which dole out blocks of IPv4 and IPv6 address space to carriers, will announce October 18 that less than 5 percent of the world’s IPv4 address space remains unallocated. IPv4 is the Internet’s main communications protocol. It uses 32-bit addresses and can support 4.3 billion devices connected directly to the Internet. IPv6, on the other hand, uses 128-bit addresses and supports a virtually unlimited number of devices — 2 to the 128th power. Overall, more than 200 million IPv4 addresses have been allocated from the so-called free pool of available IPv4 addresses since January 2010, with most of the addresses being snapped up by Asian carriers. Allocation of the remaining blocks of IPv4 addresses is “imminent,” according to the chairman of the Number Resource Organization (NRO), which represents the five regional registries. “It is critical that all Internet stakeholders take definitive action now to ensure the timely adoption of IPv6,” he said in a statement. The NRO warned the last IPv4 address blocks will be allocated from the free pool to the regional registries in early 2011. Experts predict the registries will hand out these addresses to network operators by the end of 2011, leading to full-fledged depletion of IPv4 addresses. Once IPv4 addresses are depleted, ISPs must give their new customers IPv6 addresses or use carrier-grade network address translation to share a single IPv4 address among multiple customers. Source: http://www.computerworld.com/s/article/9191761/Gap_between_IPv4_depletion_IPv6_adoption_widens

59. October 18, Wired.com – (International) Outage forces Peek to upgrade older devices. An unexpected glitch felled older models of Peek, the email-only device, and has forced the company to offer a free replacement upgrade to users. The outage, which started October 14, bricked two Peek models — the Pronto and Classic. “Unfortunately, one of the connectivity providers we were using went down for good. That’s the bad news,” wrote the Peek CEO on the company blog. But Peek said its customers will gain because it is replacing the bricked devices with its latest model, Peek 9. Peek 9 offers push e-mail, access to Facebook, Twitter, weather and maps for $69 and a monthly service plan of $20. However, the device does not require long term contracts with the wireless carrier. Source: http://www.wired.com/gadgetlab/2010/10/outage-forces-peek-to-upgrade-older-devices/

60. October 18, McClatchy-Tribune Information Services – (International) Airline may let fliers use cellphones. Early next year, Singapore Airlines will begin to install technology in dozens of planes to let passengers surf the Internet and send e-mail from 35,000 feet in the air, the airline has announced. The circuitry it plans to install in at least 40 long-haul jets by 2013 would also allow passengers to make airborne cellphone calls. But Singapore Airlines remains undecided whether to allow cellphone calls. “As we get closer to the launch date, we will decide whether voice calling in the cabin will be activated,” said a Singapore Airlines spokesman. One consideration, he said, is whether passengers want to make calls in flight. The hesitation is not surprising. Although a handful of airlines in the Middle East and Europe allow cellphone calls, U.S. regulators prohibit the practice, saying the calls may interfere with navigation systems. But the problem may not be the technology. After all, Emirates airline has allowed cellphone calls since 2008. Cathay Pacific announced plans in July to let passengers use their cellphones in the plane by 2012. A bigger issue may be that passengers and airline crews hate the idea of turning a crowded, airborne cabin into a flying phone booth. The Federal Communications Commission considered lifting the ban in 2004, but it stopped looking into the idea after being inundated with letters, e-mails and calls in opposition. The pending reauthorization bill for the Federal Aviation Administration includes a proposal to ban all cellphone calls on U.S. commercial planes — except by airline crews and law enforcement. In a 2005 survey by the National Consumers League and the Association of Flight Attendants, 63 percent of airline passengers said they opposed cellphone use on planes. Source: http://voices.washingtonpost.com/dr-gridlock/2010/10/early_next_year_singapore_airl.html
