Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, June 16, 2010

Complete DHS Daily Report for June 16, 2010

Daily Report

Top Stories

• Reuters reports that police have arrested 178 people in Europe and the United States suspected of cloning credit cards in an international scam worth over 20 million euros, Spanish police said June 15. Police in 14 countries participated in a two-year investigation that discovered 120,000 stolen credit card numbers and 5,000 cloned cards. (See item 23 below in the Banking and Finance Sector)

• According to the Spokane Headlines Examiner, envelopes containing a white powder were sent to seven federal offices in two states on Monday. The envelopes have been traced back to Spokane, Washington, where they were postmarked. (See item 31)

31. June 15, Spokane Headlines Examiner – (Washington; Idaho) White powder envelopes traced back to Spokane. Several envelopes containing a white powder were sent to federal offices Monday. The envelopes have been traced back to Spokane, Washington, where they were postmarked. There will be an investigation as to whether the postmarks are authentic. The white powder within the envelopes has not yet been identified, nor have the motives behind why they were sent. The seven envelopes showed up at federal offices in Bellevue and Seattle, Washington, Boise and Coeur d’Alene, Idaho, and in Spokane. The envelopes were dealt with in different fashions, including the evacuation of the Boise U.S. Attorney’s Office, and a lockdown of two people who came into contact with one of the envelopes in the Seattle downtown courthouse. It appears that the white powdery substance is nontoxic, but what it actually is has not yet been revealed. All of the envelopes arrived at offices June 14, and were opened at different points of the day. KXLY of Spokane reported that authorities across the Pacific Northwest plan to continue the investigation. Source: http://www.examiner.com/x-7460-Spokane-Headlines-Examiner~y2010m6d15-White-powder-envelopes-traced-back-to-Spokane

Details

Banking and Finance Sector

22. June 15, KPAY 1290 Chico – (California) Local credit union warns of text phishing scam. A phishing texting scam is making the rounds in Chico, California. Star Credit Union’s Web site said it appears AT&T cell users have been targeted. The text message alert appears to be from Star Credit Union and asks the recipient to call a secure phone line and give their debit card information. The credit union said police are investigating the scam. Source: http://newstalk1290.wordpress.com/2010/06/15/local-credit-union-warns-of-text-phishing-scam/


23. June 15, Reuters – (International) Police arrest 178 in global credit card scam. Police have arrested 178 people in Europe and the United States suspected of cloning credit cards in an international scam worth over 20 million euros, Spanish police said June 15. Police in 14 countries participated in a two-year investigation, initiated in Spain, where police have discovered 120,000 stolen credit card numbers and 5,000 cloned cards, arrested 76 people and dismantled six cloning labs. The raids were made primarily in Romania, France, Italy, Germany, Ireland and the United States, with arrests also made in Australia, Sweden, Greece, Finland and Hungary. The detainees are also suspected of armed robbery, blackmail, sexual exploitation and money-laundering, police said. Source: http://www.reuters.com/article/idUSTRE65E1JJ20100615


24. June 14, WRAL 5 Raleigh – (North Carolina) Raleigh police: Bank robber getting ‘more dangerous’. A bank robber suspected in a series of crimes in Raleigh, North Carolina is “getting progressively more dangerous with each crime,” authorities said June 14, and they are concerned he could become even more violent. The Raleigh Police Department and the FBI are investigating at least six bank robberies since November 2009 for which they believe the same person is responsible. In each case, the robber was described as a masked black man with a slender-to-medium build who is about 5-foot-8 to 5-foot-11 and has noticeably misshapen teeth and unusual eyebrows. The latest robbery happened June 2 at a Wachovia Bank on Hillsborough Street in Raleigh. The same bank was also robbed March 31. Other banks in Cary and Raleigh were also robbed – SunTrust Bank at 910 Kildaire Farm Road in Cary November 25; Wachovia at 6623 Falls of Neuse Road in Raleigh December 29 and January 21; and SunTrust at 3620 Six Forks Road in Raleigh on February 26. During the February 26 robbery, police have said, the robber hit the teller in the head with his gun. In other robberies, he has assaulted bank employees, even though none resisted his demands. Source: http://www.wral.com/news/news_briefs/story/7777715/


25. June 14, Better Business Bureau – (National) New tab napping scam targets your bank information. Tab napping is more sophisticated than an ordinary phishing scam and does not rely on persuading a user to click a link to a scammer’s Web page. Instead, it targets Internet users who keep many browser tabs open at the same time. It works by replacing the contents of an inactive tab with a fake page set up specifically to harvest personal data, without the user realizing anything has happened. It is therefore not safe to assume that a Web page opened in a tab will stay the same while the user spends time in other windows and tabs. Script running on that page can replace the content the user originally opened with a fake version that looks virtually identical to the legitimate site. Users can guard against tab napping by keeping a close eye on the tabs they open and by making sure the URL in the browser’s address bar is correct before entering log-in details: a fake tabbed page will have a different URL from the Web site one thinks one is using. Always check that the URL is a secure https:// address, whether or not other tabs are open. Source: http://www.bbb.org/us/post/new-tab-napping-scam-targets-your-bank-information-3813
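The mechanism described above, as an added example that is not part of the BBB item or any vendor’s code: an attacker page that redraws itself as a bank login form once its tab has been idle, run against a constructed stand-in for the browser window so it executes offline under Node, followed by the address check a user (or a browser extension) should apply before typing credentials. Every hostname is hypothetical.

```javascript
// Added example: simulation of tab napping plus the address-bar check that
// defeats it. The "window" is a constructed stand-in for the browser object
// model so the code runs offline; hostnames are hypothetical.

// Minimal stand-in for the parts of a browser tab the attack touches.
function makeFakeWindow(href) {
  const listeners = {};
  const timers = [];
  let now = 0;
  return {
    location: { href },
    document: { title: 'Cute cat pictures', body: { innerHTML: '<img src="cat.jpg">' } },
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    dispatchEvent(type) { for (const fn of listeners[type] || []) fn(); },
    setTimeout(fn, ms) { timers.push({ fn, due: now + ms }); return timers.length - 1; },
    clearTimeout(id) { timers[id] = null; },
    // Test helper: move the clock forward and fire any timer that has come due.
    advanceTime(ms) {
      now += ms;
      timers.forEach((t, i) => { if (t && t.due <= now) { timers[i] = null; t.fn(); } });
    },
  };
}

// Attacker side. The page is harmless while it is being looked at; once the
// tab has been in the background long enough it redraws itself as a login
// form. It never navigates, so the address bar keeps showing the attacker's
// own URL, which is exactly what the defender's check relies on.
function installTabnap(win, { idleMs, fakeTitle, fakeBody }) {
  let timer = null;
  win.addEventListener('blur', () => {
    if (timer !== null) return;
    timer = win.setTimeout(() => {
      win.document.title = fakeTitle;
      win.document.body.innerHTML = fakeBody;
      timer = null;
    }, idleMs);
  });
  // If the victim comes back before the delay elapses, stay innocent.
  win.addEventListener('focus', () => {
    if (timer !== null) { win.clearTimeout(timer); timer = null; }
  });
}

// Defender side: the check to apply before typing credentials into a tab.
// Exact host comparison, so "bank.example.evil.example" does not pass, and
// plain http is rejected because the real login page is served over TLS.
function safeToEnterCredentials(currentHref, expectedHost) {
  let u;
  try { u = new URL(currentHref); } catch (e) { return false; }
  return u.protocol === 'https:' && u.hostname === expectedHost;
}

// End-to-end run on the fake window: one tab left idle, one revisited early.
function runScenario() {
  const attackerUrl = 'https://cute-cats.example/gallery';
  const look = {
    idleMs: 5000,
    fakeTitle: 'Example Bank - Log In',
    fakeBody: '<form action="/collect"><input name="user"><input name="pass" type="password"></form>',
  };

  const idle = makeFakeWindow(attackerUrl);
  installTabnap(idle, look);
  idle.dispatchEvent('blur');
  idle.advanceTime(5000);               // victim stayed away: page is rewritten

  const revisited = makeFakeWindow(attackerUrl);
  installTabnap(revisited, look);
  revisited.dispatchEvent('blur');
  revisited.advanceTime(1000);
  revisited.dispatchEvent('focus');     // came back early: pending rewrite cancelled
  revisited.advanceTime(10000);

  return {
    idleRewritten: idle.document.title === look.fakeTitle,
    idleUrlUnchanged: idle.location.href === attackerUrl,
    revisitedUntouched: revisited.document.title === 'Cute cat pictures',
    // The rewritten tab looks like the bank but fails the address check.
    idleTabPassesCheck: safeToEnterCredentials(idle.location.href, 'bank.example'),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(runScenario());
```

The point the scenario makes is that the rewritten tab is indistinguishable by appearance but not by address: the `idleUrlUnchanged` flag is true and `idleTabPassesCheck` is false. Comparing the full hostname rather than looking for the bank’s name somewhere in the URL is what keeps look-alike hosts from passing.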


26. June 14, Bradenton Herald – (Florida) Manatee sheriff: Woman’s bomb/bank robbery claims ring true. There is evidence that a woman’s claim that kidnappers told her a bomb had been strapped to her back, to be detonated if she did not rob a bank, may be true, Manatee County Sheriff’s Office officials said June 15. The 47-year-old woman caused a bomb scare at about 5:40 p.m. June 11 that shut down streets surrounding downtown Palmetto, Florida for hours, after she entered the Bank of America at 700 Eighth Ave. W., wrapped in chains with what turned out to be a fake explosive device strapped to her back. Swarms of sheriff’s deputies and Palmetto police officers shut off much of downtown Palmetto as a bomb squad secured the area and found the device strapped to the woman to be fake. But the investigation took a strange twist as the woman told detectives that she had been kidnapped, with her attackers throwing the chains on her and strapping the device to her back, before forcing her to enter the bank to rob it, according to sheriff’s reports. A sheriff’s spokesman said June 15 that detectives have found that parts of the woman’s story ring true; the woman claims that more than one person took part in her kidnapping at gunpoint. The woman also told detectives her kidnappers told her she had 20 minutes to get in and out of the bank with money or they would blow up the bomb. Source: http://www.bradenton.com/2010/06/14/2360569/manatee-sheriff-womans-bombbank.html


Information Technology


47. June 15, The H Security – (International) Mass website hack aimed at online gamers. According to the latest analysis, the mass Web site hacks which have been showing up over the last week are aimed at stealing access credentials for online games. The hackers’ most prominent victims serving the malware have been the Wall Street Journal and the Jerusalem Post Web sites. The hacked Web servers are all Microsoft Internet Information Server (IIS) and ASP.NET-based, but analysis by a number of security services providers has shown that the attacker used SQL injection vulnerabilities in custom Web applications to hack the sites, not a flaw in IIS or ASP.NET itself. Administrators are advised to check their systems for any signs of interference and tampering. The SQL injection vulnerability allows attackers to write their own HTML and JavaScript into the hacked sites’ content-management system database, so that it is served to every visitor as part of legitimate pages. Specifically, the attackers embedded code which loads, in an iFrame, an exploit for the recently discovered vulnerability in Flash Player. The code then tries to infect the hacked sites’ visitors’ systems with trojans. It appears the attackers’ objective is to steal access data for Asian gaming Web sites such as aion.plaync.co.kr, aion.plaync.jp and df.nexon.com. The Flash Player vulnerability has been fixed in version 10.1. A Chinese group known as dnf666, which was also responsible for a major SQL injection attack in March, appears to be behind the attack. Source: http://www.h-online.com/security/news/item/Mass-website-hack-aimed-at-online-gamers-1022506.html
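One way to act on the advice to check for tampering, as an added example that is not from The H or any of the vendors cited: scan content rows exported from the CMS database for an injected `<iframe>` or `<script>` pointing at a host the site does not use, and count hits per host, since a single injection tends to append the same payload to every row of a column. The rows, hostnames and trusted-host list below are constructed for the example; real injected strings are often hex-encoded or split across columns, so this is a first pass rather than a complete audit.

```javascript
// Added example: first-pass scan of CMS content rows for injected markup.
// Rows, hostnames and the trusted-host list are constructed for illustration.

const TAG_RE = /<(iframe|script)\b([^>]*)>/gi;
const SRC_RE = /\bsrc\s*=\s*["']?([^"'\s>]+)/i;
// Zero-size or invisible frames are the usual shape of a drive-by loader.
const HIDDEN_RE = /\b(?:width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden/i;

// rows: [{ id, field, value }]   siteHost: the site's own hostname
// extraTrusted: other hosts the site legitimately embeds (CDN, video provider)
function findInjectedMarkup(rows, siteHost, extraTrusted = []) {
  const trusted = new Set([siteHost, ...extraTrusted]);
  const findings = [];
  for (const row of rows) {
    for (const m of row.value.matchAll(TAG_RE)) {
      const tag = m[1].toLowerCase();
      const attrs = m[2];
      const src = (attrs.match(SRC_RE) || [])[1];
      if (!src) continue;                       // inline script needs a different check
      let host;
      // Relative src resolves to the site itself; a bad URL is reported as '?'.
      try { host = new URL(src, 'https://' + siteHost + '/').hostname; } catch (e) { host = '?'; }
      const reasons = [];
      if (!trusted.has(host)) reasons.push('untrusted-host');
      if (tag === 'iframe' && HIDDEN_RE.test(attrs)) reasons.push('hidden-iframe');
      if (reasons.length) findings.push({ id: row.id, field: row.field, tag, src, host, reasons });
    }
  }
  return findings;
}

// One SQL injection typically stamps the same payload onto many rows, so the
// foreign host shows up repeatedly; counting by host makes it stand out from a
// one-off legitimate embed an editor added by hand.
function countByHost(findings) {
  const counts = {};
  for (const f of findings) counts[f.host] = (counts[f.host] || 0) + 1;
  return counts;
}

// Constructed sample rows, as a DBA might export them from the CMS.
const SAMPLE_ROWS = [
  { id: 101, field: 'article_body', value: '<p>Markets closed higher.</p><img src="/img/chart.png">' },
  { id: 102, field: 'article_body',
    value: '<p>Editorial</p><iframe src="http://x.evil-cdn.example/f.htm" width=0 height=0 style="display:none"></iframe>' },
  { id: 103, field: 'sidebar_html', value: '<script src="/js/site.js"></script>' },
  { id: 104, field: 'sidebar_html', value: '<script src="http://x.evil-cdn.example/a.js"></script>' },
  { id: 105, field: 'article_body',
    value: '<iframe src="https://video.example.org/embed/42" width="640" height="360"></iframe>' },
];

function scanSample() {
  return findInjectedMarkup(SAMPLE_ROWS, 'news.example', ['video.example.org']);
}

if (typeof require !== 'undefined' && require.main === module) {
  const findings = scanSample();
  console.log(findings);
  console.log(countByHost(findings));
}
```

On the sample, rows 102 and 104 are flagged and both point at the same foreign host, which is the signature to look for; row 103 resolves to the site itself and row 105 to a host on the allowlist, so neither is reported. Finding the rows tells you what to clean; it does not tell you which query was injectable, so the fix is still to parameterise every query in the custom application that touches those columns.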


48. June 15, Help Net Security – (International) Remote working poses threat to corporate security. A recent survey of 200 UK IT directors has found that 92 percent believe that, by allowing more staff to work remotely, they are increasing their security risks. Even though all respondents said that their workforce was increasingly mobile, 80 percent admitted they found it difficult to manage and secure ever-more sophisticated mobile devices. A researcher from Aruba Networks comments: “As smart phones and other mobile devices become increasingly popular, they pose an increasing security threat to the unprepared business. For an easier life, many IT departments would choose to limit the devices that are allowed to access corporate networks – but with demand for the coolest gadgets often coming from senior executives – this choice is often taken away from them.” As demonstrated by the survey, today’s challenge is how to support such a wide variety of devices, particularly as most of these devices were not built with business needs in mind. Source: http://www.net-security.org/secworld.php?id=9413


49. June 15, SC Magazine – (International) Fresh ‘likejacking’ attack on Facebook, as revisions are made on page controllers. Facebook is now allowing the removal of a page creator by an appointed administrator. After it recently stepped up application development with developers now required to have an approved account on the social networking site before they can add applications, the original creator of Facebook pages can now be removed as an administrator by any of the other administrators of that page. A blogger writing on allfacebook.com, commented that this was a serious issue for a number of companies who were looking to shift control of their pages from a third-party company to someone internal, as in some instances pages have been sold, but administrators have remained. The social networking site was also hit by a fresh “clickjacking” attack last weekend. AVG’s chief research officer warned of another “likejacking” campaign on Facebook, with the lure of a picture of actress Jessica Alba on a page of the “101 hottest women in the world.” He said that if a user wants to see the other 100, he has to click somewhere on the page, although there is nothing else to click other than to go back or close the browser, and no matter where the user clicks, his Facebook page is updated to show that he “likes” this page. Source: http://www.scmagazineuk.com/fresh-likejacking-attack-on-facebook-as-revisions-are-made-on-page-controllers/article/172487/


50. June 15, UPI – (National) Report: U.S. passport risk persists. A U.S. government contractor is still assembling a key passport component in Thailand despite repeated warnings about security risks, ABC News reported. In a report conducted jointly with the Center for Public Integrity, a watchdog group, ABC said the Government Printing Office inspector general has warned the GPO lacks a basic security plan for protecting blank e-Passports from theft by terrorists, foreign spies or counterfeiters. Such passports contain a chip in the cover designed to deter counterfeiting. Despite offering assurances that production of passports would be moved to the United States, a government contractor is still assembling the electronic component in Thailand, ABC and the CPI reported June 14. A former Department of Homeland Security inspector general called the report “extremely troubling. Something like that ought to be produced only in the United States, under only the most rigorous security standards,” he told ABC News. Source: http://www.upi.com/Top_News/US/2010/06/15/Report-US-passport-risk-persists/UPI-20851276580166/


51. June 14, Sophos – (International) ‘Teacher nearly killed this boy’ - rogue spamming Facebook app at large. Over 190,000 people have so far clicked on a link sent by a rogue Facebook application, which tempts users into giving the application access to their Facebook profile in exchange for seeing a “shocking video” of what is alleged to be a teacher physically assaulting a boy. A quick search on Facebook reveals thousands of users are promoting the link on their newsfeeds, encouraging their friends and acquaintances to also add the application. A typical message reads: “I am shocked!!! The teacher nearly killed this boy: hxxp://bit.ly/aWeBMl - Worldwide scandal!” Clicking on the bit.ly link redirects Facebook users to a page promoting a Facebook application called “Teacher nearly kills a 13 year old boy. SHOCKING!”, which offers what appears to be a video thumbnail of the attack and the encouragement to “Click here, then ALLOW, to see the shocking video.” However, anyone who follows the on-screen instructions to view the video will also be allowing the third-party application to gain access to one’s profile, and to re-post the spam message to the individual’s own wall. Source: http://www.sophos.com/blogs/gc/g/2010/06/14/teacher-killed-boy-rogue-spamming-facebook-app-large/


52. June 14, DarkReading – (International) New paper outlines potential vulnerabilities in software supply chain. Application security problems do not just occur when developers are writing code — they can occur as that code is exchanged or distributed, a new report argues. Sometimes security vulnerabilities are introduced when software makers exchange code — or when it is sent out to customers, according to “An Overview of Software Integrity Controls: An Assurance-Based Approach to Minimizing Risks in the Software Supply Chain,” a white paper issued June 14 by the Software Assurance Forum for Excellence in Code (SAFECode). “Most of the studies on software development so far have really looked only at the security issue,” said the executive director of SAFECode, a nonprofit organization backed by major software vendors. “What we’re saying here is that software integrity and authenticity need to be part of the discussion.” The paper outlines software integrity controls used by major software vendors to address the risk that insecure processes, or a motivated attacker, could undermine the security of a software product as it moves through the links in the global supply chain. The controls cover issues ranging from contractual relationships with suppliers, to securing source code repositories, to helping customers confirm the software they receive is not counterfeit. The work builds on SAFECode’s previously released “Software Supply Chain Integrity Framework,” which defines a taxonomy for describing supply-chain security in the context of software assurance. Source: http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=225700096&subSection=Application+Security


53. June 14, Krebs on Security – (International) Cloud Keyloggers? Keystroke-logging computer viruses let crooks steal passwords, and sometimes even read e-mails and online chats. Recently, however, anonymous criminals have added insult to injury, releasing a keylogger strain that publishes stolen information for all the world to see at online notepad sharing sites such as pastebin.com. During the week of June 7 through 11, security experts at BitDefender discovered a continuing stream of new entries at pastebin.com and pastebin.ca that included text files laid out in the format typically used by keystroke-logging malware. For example, each keypress in the log posted to pastebin.com is preceded by a listing of the program currently in focus on the victim’s screen, and each function key pressed is spelled out, so that when the victim hits the backspace or down arrow key, for instance, the keystroke log will show a “[back]” or “[down]” entry in place of each corresponding keypress. Typically, keystroke-logging malware will submit stolen data to a Web server specified in the malware that the attacker controls. BitDefender theorizes that those responsible for creating this keylogger variant may have chosen pastebin.com because it is unlikely to be blocked by Web filters or malware blacklists. Source: http://krebsonsecurity.com/2010/06/cloud-keyloggers/
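A parser for the log layout the item describes, as an added example that is not from Krebs or BitDefender: one keypress per line, each preceded by the window in focus, with function keys spelled out as `[back]`, `[down]` and so on. The exact separator and token names are assumptions, as is the sample dump below; a real paste would need its format matched here first. The second function does what a responder would do with such a paste: pick out the windows that look like login forms and split the typed text into the fields the victim tabbed between, so the affected accounts can be notified.

```javascript
// Added example: parser and triage for the keystroke-log layout described.
// Separator (" | "), token names and the sample dump are assumptions.

function applyKey(buf, key) {
  if (!key.startsWith('[')) return buf + key;
  switch (key.toLowerCase()) {
    case '[back]':  return buf.slice(0, -1);
    case '[space]': return buf + ' ';
    case '[tab]':   return buf + '\t';
    case '[enter]': return buf + '\n';
    default:        return buf;   // [down], [shift], [ctrl] ... add no text
  }
}

// Returns [{ window, text }], one entry per run of keystrokes in the same window.
// Limitation: cursor keys are ignored, so a [back] after [left] deletes the
// wrong character; treat the output as an approximation of what was typed.
function parseKeylog(dump) {
  const sessions = [];
  for (const raw of dump.split('\n')) {
    const line = raw.trim();
    const sep = line.lastIndexOf(' | ');
    if (!line || sep < 0) continue;           // not in the expected shape: skip, do not guess
    const windowTitle = line.slice(0, sep);
    const key = line.slice(sep + 3);
    let cur = sessions[sessions.length - 1];
    if (!cur || cur.window !== windowTitle) {
      cur = { window: windowTitle, text: '' };
      sessions.push(cur);
    }
    cur.text = applyKey(cur.text, key);
  }
  return sessions;
}

// Triage: sessions whose window title suggests a login form, split into the
// fields the victim tabbed between (username, password, ...).
const LOGIN_RE = /\b(log ?in|sign ?in|bank|password)\b/i;
function findCredentialFields(sessions) {
  return sessions
    .filter(s => LOGIN_RE.test(s.window))
    .map(s => ({ window: s.window, fields: s.text.split(/[\t\n]/).filter(Boolean) }));
}

// Constructed sample in the assumed layout: a note typed in Notepad with a
// correction, then a login typed into a browser with a typo fixed by [back].
const SAMPLE_DUMP = [
  'Untitled - Notepad | h',
  'Untitled - Notepad | e',
  'Untitled - Notepad | l',
  'Untitled - Notepad | l',
  'Untitled - Notepad | o',
  'Untitled - Notepad | [back]',
  'Untitled - Notepad | [back]',
  'Untitled - Notepad | p',
  'Untitled - Notepad | [down]',
  'Example Bank - Login - Mozilla Firefox | j',
  'Example Bank - Login - Mozilla Firefox | d',
  'Example Bank - Login - Mozilla Firefox | o',
  'Example Bank - Login - Mozilla Firefox | e',
  'Example Bank - Login - Mozilla Firefox | [tab]',
  'Example Bank - Login - Mozilla Firefox | s',
  'Example Bank - Login - Mozilla Firefox | 3',
  'Example Bank - Login - Mozilla Firefox | c',
  'Example Bank - Login - Mozilla Firefox | r',
  'Example Bank - Login - Mozilla Firefox | [back]',
  'Example Bank - Login - Mozilla Firefox | r',
  'Example Bank - Login - Mozilla Firefox | e',
  'Example Bank - Login - Mozilla Firefox | t',
  'Example Bank - Login - Mozilla Firefox | [enter]',
].join('\n');

function parseSample() { return parseKeylog(SAMPLE_DUMP); }

if (typeof require !== 'undefined' && require.main === module) {
  const sessions = parseSample();
  console.log(sessions);
  console.log(findCredentialFields(sessions));
}
```

Because the dump names the window in focus for every keystroke, the reconstruction can be grouped by application without any timing data, which is what makes the triage step possible: the Notepad text is noise, while the Firefox session yields the username and password that were entered. Lines that do not fit the expected shape are skipped rather than guessed at, since a mis-parsed line would silently corrupt the reconstructed text.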


54. June 14, IDG News Service – (International) Twitter’s service woes and outages persist. Twitter’s persistent and disruptive service outages entered a second week, as the company scrambles to bring its site availability back to acceptable levels. After multiple incidents brought Twitter.com and its platform for third-party applications down several times last week, the company said June 11 that it had identified the causes, and had taken concrete steps to resolve the problem. Specifically, Twitter blamed errors in planning, monitoring and configuring its internal network, and said that in response it had doubled the capacity of its internal network, sharpened its monitoring, and improved its load balancing. “By bringing the monitoring of our internal network in line with the rest of the systems at Twitter, we’ll be able to grow our capacity well ahead of user growth. Furthermore, by doubling our internal network capacity and rebalancing load across the internal network, we’re better prepared to serve today’s tweets and beyond,” wrote an individual from Twitter’s engineering team on the company’s official blog. However, problems continued throughout the weekend and into June 14, as acknowledged on the official Twitter Status blog, as the site returned its notorious “fail whale” error message. Not even at its halfway point yet, June is already the worst month in terms of downtime for Twitter since October of last year, according to Web-performance-monitoring company Pingdom. So far this month, Twitter has been down for 3 hours and 3 minutes. Source: http://www.computerworld.com/s/article/9178029/Twitter_s_service_woes_and_outages_persist


55. June 14, Newsfactor Network – (Florida) iPad still vulnerable, hackers say in refuting AT&T. The iPad could have more security flaws than the one found on AT&T’s Web site last week. In a posting June 14, hacker site Goatse Security said “all iPads are vulnerable” because of a weakness in Apple’s Safari browser. The notice was in response to an e-mail sent to iPad owners this weekend by AT&T, in which the carrier apologized but blamed the incident on “malicious” hackers. According to Goatse, a user could click a malicious link in the browser and the security hole could allow unauthorized access to the iPad. The site said Safari does not block off high-numbered, illegitimate ports, or communication channels. This, in combination with the browser’s ability to automatically fulfill software requests, could spell trouble. Apple has not released a fix or a statement. The posting about Safari’s vulnerability was a retort to AT&T’s apology. Goatse brought attention last week to a vulnerability in the carrier’s Web site that allowed the acquisition of more than 100,000 iPad users’ SIM card ID numbers and e-mail addresses. In its e-mail sent June 13, AT&T’s senior vice president and chief privacy officer called Goatse’s hack “malicious” and the result of “great effort.” She added that “unauthorized computer ‘hackers’ maliciously exploited a function designed to make your iPad log-in process faster.” AT&T said it turned off the Web-site feature that made the security breach possible. Some observers have said AT&T should not have been exposing confidential information through a publicly accessible Web site. The list of e-mail addresses included many high-profile individuals, including staff members in the U.S. Senate and House of Representatives, and employees at the Justice Department, NASA, Department of Homeland Security, The New York Times, Dow Jones, Viacom, Time Warner, and News Corp. Source: http://news.yahoo.com/s/nf/20100614/bs_nf/73852


For another story, see item 25 above in the Banking and Finance Sector


Communications Sector

56. June 15, The Starkville Dispatch – (Mississippi) Service restored to most WCBI customers. WCBI-TV has returned service to nearly all of its satellite and cable customers in Mississippi and Alabama after a technical glitch interrupted its signal last week, but over-the-air customers have to wait a while longer. The general manager for WCBI said a problem with the transmission line at its broadcasting tower, located in Montpelier, Mississippi in northwest Clay County, caused many customers to lose the channel. Now, he said, all satellite and cable customers have had their signal restored. Over-the-air customers, however, may not have WCBI restored until the week of June 21. Source: http://www.cdispatch.com/news/article.asp?aid=6654


57. June 12, Lafayette Advertiser – (National) AT&T has 3G data outage again. AT&T’s 3G data network was down again June 11, and this time, Lafayette, Louisiana residents were not the only ones impacted. The failure affected customers across the southeastern United States, said an AT&T spokeswoman. Voice and text applications appeared to be working for most customers, but most could not send or receive multimedia messages or connect to the Internet. The spokeswoman said the company began receiving calls about the problem around 12:30 p.m. She said technicians had identified the cause of the outage as of 5 p.m. June 11 and were working to restore service. A similar outage occurred June 9 after a fiber-optic cable was cut in the Zachary area. That incident briefly disrupted data transfers in the Lafayette area. Source: http://www.theadvertiser.com/article/20100612/BUSINESS/6120307