Friday, December 17, 2010

Complete DHS Daily Report for December 17, 2010

Daily Report

Top Stories

• The Columbus Dispatch reports Ohio State University is notifying up to 760,000 people that their names and Social Security numbers might have made it to cyberspace in one of the largest and most costly breaches to hit a college campus. (See item 42)

42. December 16, Columbus Dispatch – (Ohio) Server hacked at OSU; 760,000 affected. Ohio State University (OSU) is notifying up to 760,000 students, professors, and others that their names and Social Security numbers might have made it to cyberspace in one of the largest and most costly breaches to hit a college campus. Ohio State expects to spend about $4 million to pay for the forensic investigation and credit-protection services for those whose personal information was on a server that was hacked. University officials started notifying current and former students, employees, and businesses that have done work with the school about the breach December 15. There is no indication that any personal information was taken or that the incident will result in identity theft for any of the affected people, a provost said. In late October, a routine computer security review uncovered suspicious activity on a campus server with the names, Social Security numbers, birth dates, and addresses of up to 760,000 people associated with the university, including applicants, contractors, and consultants, he said. No OSU Medical Center patient records or student health records were involved. Source: http://www.dispatch.com/live/content/local_news/stories/2010/12/16/server-hacked-at-osu-760000-affected.html?sid=101

• According to the Sacramento Bee, federal officials planned to double water releases from Folsom Dam in California to make room for a major storm expected the weekend of December 18 and 19. (See item 68)

68. December 15, Sacramento Bee – (California) Water will be released from Folsom Dam to make way for major storm. Federal officials plan to double water releases from Folsom Dam in Folsom, California, December 15, to make room for a major storm expected the weekend of December 18 and 19. The U.S. Bureau of Reclamation, which owns and operates the dam, will boost releases into the American River from the current 15,000 cubic feet per second to 30,000. “We’re expecting some pretty good precipitation above Folsom Dam, so we’re looking to kind of evacuate that flood space,” said a Reclamation spokesman. The releases will cause the river to rise by 4 to 5 feet at Hazel Avenue. Officials were releasing water from four river outlets in the face of the dam. Source: http://www.sacbee.com/2010/12/15/3260396/water-will-be-released-from-folsom.html

Details

Banking and Finance Sector

17. December 16, Pottstown Mercury – (Pennsylvania) Two men arrested on multiple identity theft charges. A suspicious transaction at a Limerick, Pennsylvania outlet mall led to the arrest of two men and the discovery of portable hard drives containing hundreds of pieces of stolen personal information. The two male suspects, who both hail from Brooklyn, New York, first came to the attention of township police when they attempted to make several purchases from the True Religion store in the Philadelphia Premium Outlets November 19 using several different credit cards, according to court documents. The credit cards the suspects used were coming up invalid when store employees swiped them, according to court documents. As a result, the store clerk had to manually enter the credit card information into the store register. When this occurs, the customer must sign the receipt and an imprint must be taken of the credit card that is used, according to court documents. The suspects signed the receipts, but allegedly turned over different credit cards than those used for the transactions when the employee asked to make the imprints, according to court documents. Source: http://www.pottstownmercury.com/articles/2010/12/16/news/srv0000010311820.txt

18. December 16, Washington Post – (Virginia) Arrest in 6 N. Va. bank robberies. A West Virginia man has been charged with six bank robberies across Northern Virginia in October and November, according to the Loudoun County Sheriff’s Office. The 32-year-old male suspect was arrested December 11 in West Virginia on felony charges stemming from two bank robberies in Winchester, according to police. He is also charged with two bank robberies in Fairfax County, and two bank robberies in Sterling, authorities said. In each of the robberies, the suspect either implied that he had a weapon or pulled out a gun, according to a Loudoun sheriff’s spokesman. No one was hurt in any of the incidents, the spokesman said. No others have been charged in connection to the robberies, the spokesman said, but authorities continue to investigate whether the suspect was acting alone. A multi-jurisdictional investigation, including police in Loudoun, Winchester, and Fairfax and the FBI, first linked the bank robberies in November, police said. Source: http://voices.washingtonpost.com/crime-scene/fairfax/arrest-in-6-n-va-bank-robberie.html?hpid=newswell

19. December 15, ComputerWorld UK – (International) Bank of America claims ex-employees took databases. Bank of America has claimed in a lawsuit that four ex-employees copied confidential databases of its trade secrets, and executed a “coordinated” attack on its wealth management unit using the data. The password-protected database was taken by the employees, it said, as they left the company. The ex-employees “brazenly” announced they were taking the data, including client names, addresses, e-mails, and phone numbers, Bank of America said in papers filed the week of December 6 at the New York Supreme Court. The four accused now work at Dynasty Financial Partners, a wealth management and financial technology firm in New York. They left resignation letters stating they were allowed to take the information under a protocol agreed on by some banks, according to Bank of America. But the bank said it had not signed up for the protocol. Dynasty is also one of the defendants in the case. The employees and Dynasty deny the accusations. Bank of America said in its lawsuit that the databases provide “complete, comprehensive information” on clients and potential clients’ financial profile and investment preferences. The judge in the case has temporarily barred Dynasty and the four individuals from using or sharing the database to solicit new clients, according to a Bloomberg report. But it did not bar the individuals from advising their existing clients. Source: http://www.networkworld.com/news/2010/121510-bank-of-america-claims-ex-employees.html?hpg1=bn

20. December 15, San Diego North County Times – (California) FBI increases reward in effort to nab Geezer Bandit. The FBI announced December 15 the reward for helping to catch San Diego County’s most notorious bank robber has reached $20,000, up from $16,000, where it had been since last year. The armed, elusive, and apparently aged — although that is in dispute — bank robber has hit 12 California banks since August 2009: 10 in San Diego County, one in Temecula and, most recently, November 12, he robbed a bank in Bakersfield. The $20,000 reward money for information leading to the arrest and conviction of the Geezer Bandit comes from a combination of funding, including the FBI and several local banks, an FBI Special Agent said. Authorities have not released the amount of money the thief has stolen during his 17-month spree. Known to tote an oxygen tank during his earlier heists, and also seen carrying a gun, the robber has sparked some public fascination, including at least four Facebook fan pages. Source: http://www.nctimes.com/news/local/sdcounty/article_e66b5934-5ee2-54f8-8abc-b740d9504fee.html

21. December 15, KUSA 9 Denver – (Colorado) FBI: 3 Colorado banks robbed this week. Three separate Denver, Colorado-area banks were robbed between December 10 and December 13. On December 10 at 5:55 p.m., the FBI said, a woman robbed the Bellco Credit Union in Englewood. She was allegedly armed with a handgun. The FBI said they believe this robber is one of the “3-2-1 Bandits.” She is described as approximately 5 feet tall, 25 to 35 years old, with a medium to stocky build. Three days later, the FBI said, a Bank of the West in Englewood was robbed at 2 p.m. December 13. The FBI describes the alleged robber as a man 20 to 25 years old, 5 feet 4 inches to 5 feet 5 inches tall, with a thin build. He was unshaven. The FBI calls this person the “Itty Bitty Bandit” because of his size and stature. Three hours after that heist, another Bank of the West was robbed in Aurora by different people. The alleged robbers were a man and a woman, both armed with handguns. The FBI says they think these alleged robbers are also part of the “3-2-1 Bandits.” The suspects are described as a man approximately 5 feet 8 inches tall with a thin build and a woman 5 feet 2 inches to 5 feet 3 inches tall with a heavy build. Source: http://www.9news.com/news/local/article.aspx?storyid=169989&catid=346

For more stories, see item 58 below in the Communications Sector

Information Technology

51. December 16, H Security – (International) Back door in HP network storage solution. HP’s MSA 2000 G3 Storage Area Network (SAN) product contains a hidden and undocumented account with more privileges than the normal customizable account (manage:!manage). Apparently included for support purposes, the account (admin:!admin) is not visible in the user manager and cannot be deleted or modified. It allows unauthorized users to access these systems and the data stored there. When asked by a reader of heise Online, The H Security’s associated publication in Germany, who came across the problem, HP’s support team reportedly admitted the account allows users to “modify the SAN’s hardware settings and underlying operating system”, and that it is therefore not intended for customer use. HP has confirmed the problem and announced the release of a fix to solve it. Additionally, according to a post on SecurityFocus, users can change the password for the invisible user account using the command-line interface. Source: http://www.h-online.com/security/news/item/Back-door-in-HP-network-storage-solution-1154257.html

52. December 16, Help Net Security – (International) Metasploit 3.5.1 adds Cisco device exploitation. Metasploit now enables security professionals to exploit Cisco devices, perform passive reconnaissance through traffic analysis, run additional exploits, and evaluate an organization’s password security by brute forcing an ever-increasing range of services. This latest release adds stealth features that expose common flaws in IDS, IPS, and anti-virus threat detection. Team leaders may now impose network range restrictions on projects and limit access to specific team members. Adding to its social engineering capabilities, Metasploit can also now attach malicious files to e-mails, for example PDF and MP3 files that can take control of a user’s machine. The highlights of Metasploit version 3.5.1 are: gain access to Cisco devices; silently discover active networks; brute force UNIX “r” services, VNC, and SNMP; evade IPS/IDS and anti-virus systems; attach malicious PDF and MP3 files to e-mails; and run additional exploits. Source: http://www.net-security.org/secworld.php?id=10324

53. December 14, Sunbelt Blog – (International) Sunbelt Blog: Rogues now imitate utilities rather than anti-malcode apps. Since the week of December 5, the rogue security products (also called scareware) that were posted on the GFI-Sunbelt Rogue Blog have had a new look. Instead of impersonating anti-virus products, these new ones are claiming to be applications that fix disk errors on a victim’s machine: HDDDiagnostic, HDDRepair, HDDRescue, and HDDPlus. They are essentially clones and together they are members of a new family of rogues: FakeAV-Defrag. They do nothing except throw up phony warnings and demand that the victim purchase them before they “fix” the fictional problems they warn about. Since rogues began to circulate 7 or so years ago, they have always pretended to be anti-spyware or anti-virus products, imitating the look of many legitimate anti-virus products and even the structure of their product names. In the last 2 months, however, it has become clear rogue writers are trying something new to confuse potential victims. Source: http://sunbeltblog.blogspot.com/2010/12/rogues-now-imitate-utilities-rather.html

54. December 14, Softpedia – (International) New scareware distribution emails link to malicious files hosted at RapidShare. Security researchers from Belgian e-mail security vendor MX Lab warned about a new wave of malicious e-mails that direct users to download scareware hosted at RapidShare. According to MX Lab, the e-mails are sent from randomly spoofed addresses and their message is brief. The body only contains a link of the form http(colon)//rapidshare.com/files/[censored]/surprise.exe. The file currently has a fairly low AV detection rate on VirusTotal, with 16 out of the 43 antivirus engines blocking it. Some of the products detect it as a fake antivirus program, also known as scareware or rogueware, while others detect it as a Trojan downloader. Source: http://news.softpedia.com/news/New-Scareware-Distribution-Emails-Link-to-Files-Hosted-at-RapidShare-172651.shtml

55. December 14, Softpedia – (International) Hacked websites used to create counterfeit software stores. Security researchers have observed new attacks using compromised Web sites to create rogue online stores that sell counterfeit software and are promoted in Google. Compromised Web sites are a common component in many attacks, but are generally used as doorways to drive-by downloads, scareware pages, or spam sites. Users landing on an infected page are normally taken through a series of redirects that perform various checks, until they arrive at the final attack page. In the case of black hat search engine optimization (BHSEO) campaigns, legitimate but compromised Web sites are used to poison the results for popular search keywords or topics. When the search engine crawlers arrive at such sites, they are served with content pertaining to the targeted search keywords and will index them accordingly. However, when users find the links on Google and click on them, they are automatically taken to an external page under the attackers’ control. Source: http://news.softpedia.com/news/Hacked-Websites-Used-to-Create-Counterfeit-Software-Stores-172644.shtml

56. December 14, TrendLabs Malware Blog – (International) Malicious .RTF files exploit Microsoft Office vulnerability. A stack-based buffer overflow vulnerability in Microsoft Office was recently discovered to have been actively exploited in the wild. Trend Micro now detects the exploit .RTF files as TROJ_ARTIEF.SM. The malicious .RTF files carry shellcode designed to overflow the stack and cause Microsoft Word to crash. As a result, malicious users can execute arbitrary commands on an affected system. The malware employed a no-operation (NOP) sled to overflow the buffer and execute code in Microsoft Word. The malware encountered dropped another malicious file detected as TROJ_INJECT.ART. One of the more serious concerns is that a malicious user could send an RTF e-mail to target users. Since Microsoft Outlook uses Word to handle e-mail messages, the mere act of opening or viewing specially crafted messages in the reading pane may cause the exploit code to execute. Source: http://blog.trendmicro.com/malicious-rtf-files-exploit-microsoft-office-vulnerability/
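As an added triage example (not Trend Micro’s detection or any vendor signature), the following Python heuristic decodes the hex-encoded binary runs that an RTF file carries for embedded pictures and OLE objects and flags a long run of 0x90 bytes, the x86 NOP sled the item above describes. The run-length thresholds and the two sample RTF bodies are constructed for illustration.

```python
"""Heuristic scan of RTF files for hex-encoded x86 NOP sleds.

RTF stores embedded binary data (e.g. inside \\pict or \\objdata groups) as
long runs of ASCII hex digits, so an exploit document must carry its sled and
shellcode in that encoding.  Hundreds of consecutive 0x90 bytes after decoding
are a cheap triage signal worth a closer look.  Thresholds are assumptions.
"""
import re

# A run of at least 32 encoded bytes, not starting in the middle of a hex-looking token.
HEX_RUN = re.compile(rb"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{2}\s*){32,}")
NOP = 0x90        # x86 single-byte NOP
MIN_SLED = 64     # assumed: report sleds of 64 or more consecutive NOPs


def hex_runs(rtf: bytes):
    """Yield (file_offset, decoded_bytes) for each long hex run in the RTF body."""
    for m in HEX_RUN.finditer(rtf):
        digits = re.sub(rb"\s+", b"", m.group(0))
        yield m.start(), bytes.fromhex(digits.decode("ascii"))


def longest_nop_sled(data: bytes) -> int:
    """Return the length of the longest run of consecutive NOP bytes in data."""
    best = cur = 0
    for b in data:
        cur = cur + 1 if b == NOP else 0
        best = max(best, cur)
    return best


def scan_rtf(rtf: bytes, min_sled: int = MIN_SLED):
    """Return [(file_offset, sled_length)] for every hex run whose sled meets the threshold."""
    findings = []
    for offset, blob in hex_runs(rtf):
        sled = longest_nop_sled(blob)
        if sled >= min_sled:
            findings.append((offset, sled))
    return findings


# Constructed samples (not real malware): a benign PNG-header picture blob, and an
# embedded object whose decoded bytes open with a 200-byte NOP sled.
BENIGN_RTF = b"{\\rtf1{\\pict\\pngblip " + b"89504e470d0a1a0a" * 8 + b"}}"
SUSPICIOUS_RTF = (b"{\\rtf1{\\object\\objemb{\\*\\objdata "
                  + b"90" * 200 + b"31c0" * 20 + b"}}}")

if __name__ == "__main__":
    for name, body in (("benign", BENIGN_RTF), ("suspicious", SUSPICIOUS_RTF)):
        print(name, scan_rtf(body))   # benign [] ; suspicious [(38, 200)]
```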

Communications Sector

57. December 16, Softpedia – (International) WikiLeaks mirror hosted with cybercrime-friendly provider. Security researchers warned a highly trafficked unofficial WikiLeaks mirror is hosted by a Russian ISP known as a safe haven for cybercriminal gangs. Following the publication of leaked U.S. State Department cables, WikiLeaks was kicked out by Amazon and EveryDNS from their respective networks. In order to ensure the organization’s online presence is not disrupted again, volunteers have mirrored its Web site on hundreds of servers around the world. Some days ago, the WikiLeaks.org domain mysteriously started redirecting all traffic to WikiLeaks.info, a site hosted in Russia with a company called Heihachi Ltd., which according to researchers from Trend Micro is “known as a bulletproof, blackhat-hosting provider.” Spamhaus, the world’s leading anti-spam outfit, issued a warning about WikiLeaks.info saying: “Our concern is that any Wikileaks archive posted on a site that is hosted in Webalta [Heihachi] space might be infected with malware. Spamhaus has for over a year regarded Heihachi as an outfit run ‘by criminals for criminals’ in the same mould as the criminal Estdomains,” the organization added. They said as long as the Russian company offers them reliable hosting resilient to takedowns, they do not care about its other customers. According to Spamhaus, the IRC server used by Anonymous members to communicate is also hosted by the same shady provider. The Wikileaks.info team has since changed the page to display a list of official WikiLeaks mirrors located around the world and moved the old version of the Web site to mirror.wikileaks.info. Source: http://news.softpedia.com/news/WikiLeaks-Mirror-Hosted-with-Cybercrime-Friendly-Provider-173087.shtml

58. December 16, Alamogordo Daily News – (New Mexico) Consumers frustrated by electronic shutdown. Frustrations of many southern New Mexicans ran high December 14 when they found it difficult to make purchases on credit and debit cards or even access ATMs because fiber-optic data communications lines were cut in three separate incidents near Socorro, Tijeras, and Clovis. But a New Mexico State University economist said December 15 there should not be any long-lasting effects to the region’s economy. “If anything, the outage illustrates the need for high-quality services,” said the economist, who monitors economic trends and conditions for Las Cruces and New Mexico. But the economist said the frustration was understandable when consumers who tried to buy gas, food or other goods and services with a credit card or debit card for more than 3 hours December 14 could not do so. Source: http://www.alamogordonews.com/ci_16871367

59. December 15, InformationWeek – (International) Anonymous group abandoning DDoS attacks. The Operation Payback distributed denial of service (DDoS) attack is declining. Furthermore, the small scale and low sophistication of the attack has meant that almost any Internet service provider should have been able to block it. Those findings come from the chief scientist at Arbor Networks, who December 14 detailed what Arbor is billing as the biggest-ever study of real DDoS attack data, comprising 5,000 confirmed attacks over the past year that affected 37 large carriers and content providers around the world. Even at its peak, Operation Payback was “more of an annoyance than an imminent critical infrastructure threat,” said the scientist, who likened it not to “cyber war,” as some have characterized it, but rather simple “cyber-vandalism.” “While the last round of attacks led to brief outages, most of the carriers and hosting providers were able to quickly filter the attack traffic. In addition, these attacks mostly targeted Web pages or lightly read blogs — not the far more critical back-end infrastructure servicing commercial transactions.” Entitled “Beyond Operation Payback”, the Arbor study offers new insights into DDoS trends and attacks, gleaned from data that Arbor began measuring in its own products 2 years ago, as well as by collecting anonymous ATLAS statistics, which are available from about 75 percent of all Internet carriers. Source: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=228800667&cid=RSSfeed_IWK_News

60. December 15, IDG News Service – (International) U.S. ranks 25th in the world for Internet connection speed. The United States ranks 25th in the world in average Internet connection speeds, and nearly half of all U.S. residents’ Internet connections fall below the Federal Communications Commission’s (FCC) minimum definition of broadband, at 4 megabits per second (Mbps) download, according to a new report. The median download speed in the U.S. in 2010 is 3 Mbps, a slight increase from 2009, said the report, released December 15 by the Communications Workers of America (CWA) and Speedmatters.org. South Korea’s average download speed is 34.1 Mbps, Sweden’s is 22.2 Mbps, Romania’s is 20.3 Mbps, and Japan’s is 18 Mbps, the report said. About 1 percent of U.S. Internet connections meet the FCC national broadband plan’s goal of 50 Mbps for download speeds by 2015, the report indicated. Economic growth in the U.S. depends on high-speed broadband, it added. “It determines whether we will have the 21st century networks we need to create the jobs of the future, develop our economy, and support innovations in telemedicine, education, public safety, energy conservation, and provision of public services to improve our lives and communities,” the report said. “Most U.S. Internet connections are not fast enough in both directions to permit interactive home-based medical monitoring, multi-media distance learning, or to send and receive data to run a home-based business.” Source: http://www.computerworld.com/s/article/9201306/U.S._ranks_25th_in_the_world_for_Internet_connection_speed

61. December 15, IDG News Service – (National) AT&T iPad hacker fought for media attention, documents show. A member of the group of hackers credited with uncovering more than 100,000 iPad users’ e-mail addresses on AT&T’s Web site worked hard to get the story covered by the media, according to recently unsealed court documents. After the Goatse Security hacking group found a way to make AT&T’s Web site return the e-mail addresses of iPad users, the hacker apparently wanted the news to hit big, according to a sworn affidavit by a Special Agent with the FBI. The 114,000 e-mail addresses comprised a giant virtual Rolodex that included contact information for some major players in the media world. It was a tool the hacker seemed ready to use. Three days before Gawker Media broke the story, the hacker pitched it to a member of News Corp.’s board of directors, and “various executives at Thomson Reuters,” the FBI agent said in the affidavit, dated June 14. Both e-mails were sent “at a time when, according to AT&T’s internal investigation, the breach was still ongoing,” the agent said. The details could prove to be significant if charges are brought against the hacker. If federal investigators believe he sought to profit from the unauthorized access to AT&T’s servers, they could charge him with breaking federal computer crime laws, said a retired FBI agent who investigated computer crimes for the agency. Source: http://www.computerworld.com/s/article/9201309/AT_T_iPad_hacker_fought_for_media_attention_documents_show

62. December 14, Agence France-Presse – (International) Romania smashes international cybercrime ring. Romanian authorities said December 14 they dismantled a cybercrime network blamed for causing more than $13.5 million in losses to firms in the United States, Britain, South Africa, Italy, and Romania. About 50 people were part of the criminal ring headed by two Romanians, said the prosecutor’s office specializing in combating organized crime in a statement. Police arrested 42 people and took them into custody December 14 while several computers and hard disks were seized, the statement said. Ring members were accused of stealing confidential Voice over IP data by cracking servers on the Internet. They would then use the data to make thousands of calls towards surcharged numbers abroad which allowed them to get bonuses for every call, it added. The crackdown coincided with an international forum on cybercrime that ran until December 15. Source: http://www.google.com/hostednews/afp/article/ALeqM5hLUkhy4QJ8p2MIKEd7Zul-dkSLdA?docId=CNG.9d86bd1b9e1dcce9c1b3a0448d6af28b.3b1
