Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, August 4, 2010

Complete DHS Daily Report for August 4, 2010

Daily Report

Top Stories

• CNET News reports that the United States is leaving its energy infrastructure open to cyberattacks by not performing basic security measures, such as regular patching and secure coding practices, according to a report prepared by the Department of Energy (DOE). (See item 2)

2. August 3, CNET News – (National) DOE: Common security holes leave energy grid vulnerable. The United States is leaving its energy infrastructure open to cyberattacks by not performing basic security measures, such as regular patching and secure coding practices, according to a report prepared by the Department of Energy (DOE). Researchers at the Idaho National Laboratory tested 24 industrial control systems (ICSs) between 2003 and 2009 and compiled a report in May that was publicly released in July. A secrecy expert at the Federation of American Scientists blogged about the report August 2. A rating of security vulnerabilities in ICSs used to run the energy grid in the United States, the report comes on the heels of the discovery of malware written specifically for systems used to control industrial manufacturing and utility systems. That worm, written for a Siemens Windows application, was a wake-up call to the security community focused on ICSs because it marked a shift from theory to reality, according to experts. Although the national lab researchers tested actual control systems used in running the energy infrastructure, such as the electricity grid, they did not disclose the names of any companies. By publishing the results, the DOE hopes energy companies can better assess and secure their computer systems. Source: http://news.cnet.com/8301-11128_3-20012459-54.html

• The Associated Press reports that a warehouse driver who was asked to resign his job at beer distributor Hartford Distributors in Manchester, Connecticut, went on a shooting rampage August 3 that left nine people dead, including himself, and other people wounded. (See item 30)

30. August 3, Associated Press – (Connecticut) Official: 9 killed in Conn. warehouse shooting. A warehouse driver who was asked to resign his job at beer distributor Hartford Distributors in Manchester, Connecticut, went on a shooting rampage August 3 that left nine people dead, including himself, and others wounded, company and government officials said. The number of dead was confirmed by a Connecticut government official who was not authorized to speak publicly and spoke to the Associated Press on the condition of anonymity. The driver had worked at the distributor for a couple of years and had been called in for a disciplinary hearing. When police found him, he had been shot. About 50 to 70 people were in the warehouse during a shift change when the gunman opened fire around 7 a.m. Adding to the chaos was a fire at the warehouse, about 10 miles east of Hartford, that was put out. Police did not know whether the fire was related to the shootings. Two victims were taken to Hartford Hospital. One was in critical condition, and one was in fair condition. Source: http://www.google.com/hostednews/ap/article/ALeqM5jBNP73m9cp2g6qFtWxCbJH6IAD3gD9HC5I0O0

Details

Banking and Finance Sector

16. August 3, KTLA 5 Los Angeles – (California) ‘Chaw bandit’ strikes 5th L.A. county bank. The FBI and the Los Angeles Police Department are searching for a bank robbery suspect dubbed the “Chaw Bandit.” The suspect, who appeared to be chewing tobacco during one of his heists, is accused in at least five bank robberies in Los Angeles County since July 16. The latest robbery occurred the morning of August 2 at a Citibank in Canoga Park. The so-called “Chaw Bandit” also struck a Bank of America in Canoga Park July 26, two banks in Northridge and Winnetka July 22, and a Citibank in Reseda July 16, authorities said. The suspect, described as a white male wearing casual clothing, shows a yellow note through the teller’s window, demanding cash. He has also worn a similar white baseball hat with a possible checkered bill in most of his robberies, officials said. Investigators said it’s possible the suspect has a medical condition that may account for his physical facial appearance. Source: http://www.ktla.com/news/landing/ktla-chaw-bandit,0,1825907.story


17. August 3, NACS Online – (Arizona) Arizona reports 30 cases of skimmers at gasoline stations. Skimmers have come to Arizona, the Arizona Republic reports. During the last six months, the Arizona Department of Weights and Measures has reported at least 30 cases of illegal credit-card readers found attached to legitimate card readers at gasoline pumps across the state. It appears that the skimmer activity has popped up spontaneously during the past 12 months, but not in a concentrated effort or area, with the skimmers moving in and out of locations fast. In July, the governor asked the department to raise awareness of skimming with training and more inspections to catch the illegal devices. In August, state inspectors will increase fuel pump exams, provide extra training sessions for officers on technology used to catch skimmers, and work with the petroleum industry on finding and preventing skimming, said the director of compliance programs for the state agency. Sometimes, skimmers are used in other industries, too, such as in restaurants, said an individual who works in the restaurant industry. Waiters can hide skimmers in their wallets or belts to swipe cards undetected. Source: http://www.nacsonline.com/NACS/News/Daily/Pages/ND0803101.aspx


18. August 2, KCRA 3 Sacramento – (California) Bank of America ATM torched at UC Davis. A Molotov cocktail might have been used to torch an automated teller machine (ATM) at the University of California, Davis (UC Davis) August 2, a university representative said. A groundskeeper spotted the burning Bank of America ATM at about 5:41 a.m. near the east side of the Memorial Union building. UC Davis police responded and put out the fire with an extinguisher. A wall and the top part of the ATM were scorched. Bottle fragments were found near the scene, a university representative said. The Bank of America ATM seems to have been targeted. No money was taken. Because it is a bank machine, the FBI and Bureau of Alcohol, Tobacco, Firearms and Explosives were alerted. Source: http://www.kcra.com/r/24479655/detail.html


19. August 2, Bank Info Security – (National) GPS: The future of authentication. A new report published by Gartner Research places emphasis on another use for mobile technology in the financial transaction chain — as a security layer for user authentication via global positioning. If a card transaction is initiated at an ATM in Phoenix, but the GPS tracking says the cardholder’s phone is in Atlanta, the bank could flag the transaction as suspect. Gartner’s report, “Get Smart With Context-Aware Mobile Fraud Detection,” released July 29, estimates 1.8 billion smartphones will be used across the world by the end of 2011. And Gartner predicts that by the end of 2013, location or profile information from mobile devices will be used to validate and detect fraud on 90 percent of mobile transactions. Most smartphones, such as the iPhone, have built-in, global-positioning-system tracking. The feature provides security for the phone, in case it gets left at the grocery checkout or someone lifts it when the owner is not looking. “This is about stronger authentication, and the only device you can count on for this kind of tracking is the cell phone,” said a Gartner analyst and lead author of the report. Since most people always have their phones with them, GPS tracking of the mobile device offers a relatively reliable way to track a person’s location. As a way to authenticate a financial transaction, here is how it would work: When a user conducts a card transaction at an ATM or POS terminal, the location of the ATM or POS device would be compared with the location of the user’s mobile phone via GPS. So if a card transaction is initiated at an ATM in Phoenix, but the GPS tracking said the cardholder’s phone is currently in Atlanta, the bank could flag the transaction as suspect. Source: http://blogs.bankinfosecurity.com/posts.php?postID=645
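The comparison described in item 19 (ATM or POS location versus the cardholder's phone location) can be written down as a small risk check. The following is an added example, not code from the Bank Info Security article or the Gartner report; the 50 km distance threshold, the 30-minute maximum age for a phone fix, the outcome labels, and the Phoenix/Atlanta coordinates are all assumptions chosen here for illustration. It also handles the two cases the article does not spell out: no phone location is available at all, and the last known location is too old to trust.

```python
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARTH_RADIUS_KM = 6371.0  # mean Earth radius, good enough for a fraud heuristic


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two (lat, lon) points in degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


@dataclass(frozen=True)
class LocationFix:
    """Last known position of the cardholder's phone (assumed data shape)."""
    lat: float
    lon: float
    observed_at: datetime


def assess_transaction(
    terminal_lat: float,
    terminal_lon: float,
    txn_time: datetime,
    phone_fix: Optional[LocationFix],
    max_distance_km: float = 50.0,          # assumed threshold
    max_fix_age: timedelta = timedelta(minutes=30),  # assumed threshold
) -> str:
    """Return one of: 'consistent', 'suspect', 'no_signal', 'stale_fix'.

    The result is a signal for the bank's risk engine, not an automatic
    decline: a phone that is off, out of coverage, or left at home must not
    by itself block a legitimate cardholder.
    """
    if phone_fix is None:
        return "no_signal"          # nothing to compare against
    if txn_time - phone_fix.observed_at > max_fix_age:
        return "stale_fix"          # position too old to say anything useful
    distance = haversine_km(terminal_lat, terminal_lon, phone_fix.lat, phone_fix.lon)
    return "suspect" if distance > max_distance_km else "consistent"


# Constructed sample: approximate city-centre coordinates for the article's scenario.
PHOENIX_ATM = (33.4484, -112.0740)
ATLANTA_PHONE = (33.7490, -84.3880)
TXN_TIME = datetime(2010, 8, 2, 9, 0, tzinfo=timezone.utc)


def demo() -> dict:
    """Run the article's scenario plus the edge cases and return the verdicts."""
    recent = TXN_TIME - timedelta(minutes=5)
    old = TXN_TIME - timedelta(hours=2)
    return {
        "phone_in_atlanta": assess_transaction(*PHOENIX_ATM, TXN_TIME, LocationFix(*ATLANTA_PHONE, recent)),
        "phone_in_phoenix": assess_transaction(*PHOENIX_ATM, TXN_TIME, LocationFix(33.4500, -112.0700, recent)),
        "phone_off": assess_transaction(*PHOENIX_ATM, TXN_TIME, None),
        "old_fix": assess_transaction(*PHOENIX_ATM, TXN_TIME, LocationFix(*ATLANTA_PHONE, old)),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A practitioner would treat the "suspect" outcome as one input among several (velocity checks, merchant history, device fingerprint), because the phone's reported position depends on the handset and its software and is not a trusted source on its own.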


20. August 1, WFLD Chicago – (Illinois) Feds one step closer to Wheaton bandit? The “Wheaton Bandit” is one of the most prolific serial bank robbers to hit the Chicago area. FBI agents believe he robbed 15 banks in four years. For the first time, investigators said they have a possible suspect in the case. They developed this lead by going back and taking another look at all of their evidence. The review uncovered bank security photos of a man taken a few weeks before the bank was robbed by the Wheaton Bandit that match the physical description of the bandit. The photos were snapped in late December 2004 at a Mid American Bank Branch on Roosevelt Road in Glen Ellyn. Investigators said the Wheaton Bandit robbed that same bank in January 2005. In addition to the man’s physical description matching the Wheaton Bandit’s, agents said the photos indicate he was not a bank customer. They said he appeared only to go in to the bank to get change and cased the bank while doing so. Based on this information, agents are calling the man in the photos a possible suspect or a person of interest. If he isn’t the Wheaton Bandit, investigators believe he may know who the bandit is. Source: http://chicagopressrelease.com/news/feds-one-step-closer-to-wheaton-bandit


For another story, see item 57 below in the Information Technology Sector


Information Technology


55. August 3, Help Net Security – (International) 63% consider international cyber-espionage acceptable. Sophos published the mid-year 2010 Security Threat Report, revealing the findings of a survey into attitudes towards cyberwarfare, and detailing other trends and developments in IT security for the first half of 2010. Sophos’s worldwide survey of 1,077 computer users uncovers some alarming attitudes towards international cyber-espionage. Respondents were asked questions, including whether they thought spying via hacking or malware attacks is an acceptable practice, and if the computer networks of private companies in other countries are legitimate targets. Some of the key findings of the survey indicate a relaxed attitude to state-sponsored cybercrime: 63 percent of those polled believe that it is acceptable for their country to spy on other nations by hacking or installing malware (23 percent said yes at any time, 40 percent said only during wartime, 37 percent said no); a staggering 1 in 14 respondents believe that crippling denial of service attacks against another country’s communication or financial Web sites are acceptable during peacetime (49 percent said only in wartime, 44 percent said never); 32 percent believe that countries should be allowed to plant malware and hack into private foreign companies in order to spy for economic advantage (23 percent said this was only acceptable in wartime, 9 percent said in peacetime, 68 percent said no). Source: http://www.net-security.org/secworld.php?id=9676


56. August 3, The Register – (International) Sophos downplays Android malware threat. Android users have little reason to fear an immediate onslaught of malware despite the demonstration of a rootkit-based attack at last week’s Defcon conference, according to a leading anti-virus supplier. Researchers at Spider Labs demonstrated proof-of-concept malware that could access messages and e-mails on an Android smartphone. A senior security advisor at Sophos who attended the presentation was underwhelmed. He pointed out that the demo was carried out on an already jailbroken HTC Legend. And, crucially, the researchers at Spider Labs failed to explain how end users might be at risk from malware along the lines of the proof-of-concept tool developed by the Spider Labs team. Sophos has yet to see any examples of Android malware in the wild. Two or three worms targeting jailbroken iPhone devices appeared last year, but the attacks have not reappeared as carriers have learned lessons from the outbreak and applied improved security controls, such as filtering SSH connections. Source: http://www.theregister.co.uk/2010/08/03/android_malware/


57. August 2, The Register – (International) Botnet with 60GB of stolen data cracked wide open. Researchers have cracked open a botnet that amassed more than 60GB of passwords and other stolen data, even as it cloaked itself using a state-of-the-art technique known as fast flux. When its command-and-control server was infiltrated, the Mumba botnet had snagged more than 55,000 PCs, according to the researchers from anti-virus provider AVG. The data-stealing operation is the work of the notorious Avalanche Group, a criminal operation that was responsible for two-thirds of all phishing attacks in the second half of 2009, according to a report earlier in 2009 from the Anti-Phishing Working Group. “These criminals are some of the most sophisticated on the internet, and have perfected a mass-production system for deploying phishing sites and ‘crimeware,’” AVG wrote in a report issued August 2. “This means that mitigating the threat by going after the servers hosting the data using the ‘Mumba’ botnet is now much harder than before.” Most botnet command-and-control channels run on compromised Web servers or Web-hosting services designed for criminals, making it possible to dismantle the network by taking down the central server. Mumba, by contrast, makes use of fast-flux technology, in which the operations are carried out on thousands of compromised PCs. That allows the IP address and host machine to change every few minutes, a measure that frequently foils takedown attempts by researchers and law enforcement. The botnet appears to have been spawned with an initial malware campaign that was launched in April. Its first week saw more than 35,000 infections. Several smaller campaigns were responsible for the remainder of the botnet’s 55,000 victims. The malware uses at least four variants of the latest Zeus crimeware kit, which allows well-financed criminals to deploy highly sophisticated botnets in a hurry. The stolen data includes log-in credentials for online bank, retail, and e-mail accounts, and social-networking sites. Source: http://www.theregister.co.uk/2010/08/02/mumba_botnet_infiltrated/
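Item 57 describes the property defenders look for when hunting fast-flux infrastructure: the same hostname resolves to many different compromised hosts, and the answer changes every few minutes, which means short DNS TTLs and addresses spread across unrelated networks. The following detector is an added example written for this report, not code from AVG, The Register, or the Mumba investigation. It summarises passive-DNS-style observations per domain and flags domains that exceed assumed thresholds (at least 5 distinct IPs across at least 3 distinct /16 networks with a mean TTL of 300 s or less). The domain names and addresses are constructed sample data (the addresses come from the RFC 5737 documentation ranges); a real fast-flux domain would typically span far more networks than this sample shows.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class DnsObservation:
    """One A-record answer seen by a resolver (assumed data shape)."""
    domain: str
    ip: str
    ttl: int  # seconds the resolver was told it may cache the answer


@dataclass(frozen=True)
class DomainStats:
    distinct_ips: int
    distinct_slash16: int  # rough proxy for "how many different networks"
    mean_ttl: float


def summarize(observations: Iterable[DnsObservation]) -> Dict[str, DomainStats]:
    """Aggregate observations per domain into the three fast-flux indicators."""
    by_domain: Dict[str, List[DnsObservation]] = defaultdict(list)
    for obs in observations:
        by_domain[obs.domain].append(obs)

    stats: Dict[str, DomainStats] = {}
    for domain, obs_list in by_domain.items():
        ips = {o.ip for o in obs_list}
        # strict=False lets us derive the containing /16 from a host address.
        networks = {ip_network(f"{ip}/16", strict=False) for ip in ips}
        mean_ttl = sum(o.ttl for o in obs_list) / len(obs_list)
        stats[domain] = DomainStats(len(ips), len(networks), mean_ttl)
    return stats


def is_flux_like(s: DomainStats, min_ips: int = 5, min_networks: int = 3, max_ttl: float = 300.0) -> bool:
    """Assumed heuristic: many hosts, many networks, short cache lifetime."""
    return s.distinct_ips >= min_ips and s.distinct_slash16 >= min_networks and s.mean_ttl <= max_ttl


def flag_flux_domains(observations: Iterable[DnsObservation], **thresholds) -> List[str]:
    """Return the sorted list of domains whose resolution pattern looks like fast flux."""
    return sorted(d for d, s in summarize(observations).items() if is_flux_like(s, **thresholds))


# Constructed sample observations (not real telemetry).
# A conventionally hosted name: two addresses in one network, long TTL.
# A flux-like name: six addresses across three networks, TTLs of a few minutes.
SAMPLE_OBSERVATIONS = [
    DnsObservation("static-cdn.example", "192.0.2.40", 3600),
    DnsObservation("static-cdn.example", "192.0.2.41", 3600),
    DnsObservation("static-cdn.example", "192.0.2.40", 3600),
    DnsObservation("flux-sample.example", "192.0.2.10", 120),
    DnsObservation("flux-sample.example", "198.51.100.5", 180),
    DnsObservation("flux-sample.example", "203.0.113.9", 240),
    DnsObservation("flux-sample.example", "192.0.2.77", 120),
    DnsObservation("flux-sample.example", "198.51.100.200", 180),
    DnsObservation("flux-sample.example", "203.0.113.150", 240),
]


if __name__ == "__main__":
    for domain, s in summarize(SAMPLE_OBSERVATIONS).items():
        print(f"{domain}: ips={s.distinct_ips} nets={s.distinct_slash16} mean_ttl={s.mean_ttl:.0f}s")
    print("flux-like:", flag_flux_domains(SAMPLE_OBSERVATIONS))
```

Content delivery networks and large web properties also rotate addresses with short TTLs, so a hit from this heuristic is a lead for analysts to corroborate with other evidence (registration age, whether the addresses belong to residential broadband ranges, what the hosts actually serve), not a verdict on its own.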


58. August 2, Computerworld – (International) Microsoft ships rush patch for Windows shortcut bug. As promised, Microsoft August 2 issued an emergency patch for the critical Windows shortcut bug attackers have been exploiting for several weeks. Also as pledged, Microsoft did not deliver a fix for users running Windows XP Service Pack 2, which fell out of support three weeks ago. There was little in the August 2 accompanying bulletin that was not already known, noted the director of security operations at nCircle Security. The director’s reference was to XP SP2 and Windows 2000. “There’s a ton of people still running SP2, and it just went end-of-life,” he argued. “And SCADA systems typically run on older versions of the OS. I thought Microsoft might be strong-armed by SCADA vendors into releasing a fix for SP2.” But Microsoft stuck to its long-standing policy and did not provide patches for machines running Windows XP SP2, Windows 2000 or any other off-support version. Source: http://www.computerworld.com/s/article/9180035/Microsoft_ships_rush_patch_for_Windows_shortcut_bug


59. August 2, Nextgov – (National) Defense agencies should provide ways for industry to fix security issues. The federal government has the right to refuse technology components that could introduce cybersecurity risks into the Defense Department’s classified systems, but it should provide manufacturers the opportunity to fix the vulnerabilities to ensure they don’t affect commercial and other federal networks, said a security expert. TechAmerica, a technology lobbying group in Washington, D.C.; the Professional Services Council, a trade association; and other industry organizations called for Congress to drop Section 815(c) from the 2011 Senate Defense authorization bill, which would authorize Defense agency heads to exclude from procurements specific companies “to avoid unacceptable supply-chain risk.” The provision, which would apply only to the acquisition of classified national security systems, defines supply-chain risk as the potential for adversaries to gain access to and attack the system. The decision to exclude a company would be at the sole discretion of an agency head or a senior procurement executive, and would not be subject to review in a bid protest before the Government Accountability Office or in any federal court. But determining a company’s trustworthiness is difficult because so much technology development occurs overseas, which is harder to oversee and track, said the chairman and chief executive officer of security software company NetWitness, and former director of the Homeland Security Department’s National Cybersecurity Division. Defense agencies, however, should have the right to refuse a technology component that could pose a risk to classified systems, if they also provide industry with enough information to mitigate those risks, he said. Source: http://www.nextgov.com/nextgov/ng_20100802_9255.php?oref=topnews


60. July 30, Help Net Security – (International) Movie files run in QuickTime Player trigger malware download. Specifically crafted .mov files trigger the download of malware masquerading as a codec update and an installation file for another player when run in the latest (7.6.6) version of QuickTime Player, TrendLabs reported. A researcher said that both files purport to contain the latest movie Salt, but that his suspicion was aroused by the unusually small size of the files, small when compared to regular movie files, that is. Upon running the movie files in QuickTime, the “movie” does not start and the download windows for the malware pop up, asking the user to save/run the codec update or the installation file. Trend Micro is still investigating the matter and it’s not yet known if this attack is possible due to a vulnerability or a feature of QuickTime. Apple has, of course, been notified of the occurrence. Source: http://www.net-security.org/malware_news.php?id=1416


Communications Sector

61. August 2, Erie Times-News – (Pennsylvania) Erie County officials: Dial 911 from a cell phone if affected by telephone outage. The Erie County, Pennsylvania government’s department of public safety is advising 911 callers to use their cell phones to reach the service if they are affected by a widespread local telephone outage. The outage, reported August 2, is affecting customers of One Communications, according to county officials. Even though county government is a One Communications customer, the countywide 911 system is working, county officials said. Source: http://www.goerie.com/apps/pbcs.dll/article?AID=/20100802/NEWS02/308029931


62. August 2, Wall Street Journal – (West Virginia) Arrests in West Virginia for vandalism to Frontier Communications’ Network. West Virginia State Police have arrested three individuals suspected of vandalizing Frontier Communications’ network in Logan County, disrupting phone and Internet service and creating a public safety risk for customers. The three suspects are in custody and four more arrest warrants have been issued in connection with the vandalism. The suspects, who were arrested July 29, face multiple felony charges. There is a possibility of federal charges applying to the suspects, based on violations of laws pertaining to Homeland Security, interstate commerce and environmental protection. Frontier is also committing significant resources in Logan County and throughout West Virginia to identify and detain any individuals who vandalize company property and disrupt service to customers. Frontier is also putting recyclers and scrap dealers who deal in telecommunications materials on notice that they could also be subject to arrest and conviction for receiving stolen property, as well as aiding and abetting network vandalism. Source: http://www.marketwatch.com/story/arrests-in-west-virginia-for-vandalism-to-frontier-communications-network-2010-08-02?reflink=MW_news_stmp


63. July 31, Eureka Times-Standard – (California) Phone lines back up in Trinidad. The city of Trinidad, California, reported July 31 that phone lines in Trinidad and Westhaven seem to be operating at full capacity, despite a lack of communication from AT&T Inc. The city manager said the phone lines began working mid-morning July 29, but had strange connections, sometimes even creating a “party line” situation. By late afternoon, the lines seemed to be functioning again without any glitches. The city submitted one report July 27 and two reports July 28, after discovering that Trinidad and Westhaven residents received busy signals when dialing numbers that do not have a 677 prefix. When people from outside the area tried to call a 677 number, they also received a busy signal. AT&T Inc. released a statement July 28 saying that the company was working on correcting the issue. Both the city and business owners said they were having trouble getting any answers from the telephone company. An AT&T Inc. spokeswoman said the source of a situation such as the outage is not something the company typically reveals. Source: http://www.times-standard.com/localnews/ci_15647479