Monday, October 25, 2010

Complete DHS Daily Report for October 25, 2010

Daily Report

Top Stories

• According to TG Daily, the FCC on October 21 released a paper warning about a massive shortage of spectrum in coming years. Even if spectrum and device efficiency doubles and the number of cell towers continues to grow at its current pace, the U.S. will need around 300 additional megahertz of spectrum by 2014, the report said. See item 44 below in the Communications Sector.

• The Associated Press reports that part of a shopping mall in Roseville, California, was destroyed October 21 after police say a man barricaded himself inside and started a fire that damaged an entire arm of the mall. (See item 46)

46. October 22, Associated Press – (California) Major northern Calif. mall burns after standoff. Part of a high-end regional mall in Northern California was destroyed October 21 after police say a man barricaded himself inside and started a fire. Police said the man holed up in a video game store at the Roseville Galleria and started a small blaze that later blew up, damaging an entire arm of the mall. The 1.3 million-square-foot Galleria was evacuated by the time the fire erupted and spread to the roof, and no injuries were reported. City officials said part of the roof on the mall’s south end collapsed. A Roseville fire department spokesman said the fire burned a wing of the mall that appeared to extend several hundred yards between two anchor tenants, Macy’s and J.C. Penney. He said water and smoke damage was extensive beyond that wing. Police descended on the mall when a man claiming to have a gun entered a GameStop store and told employees to get out. The employees said the man then barricaded himself in a back room and started a fire. He was hiding outside the store when a SWAT team entered the mall, and he was arrested without further incident. Authorities had thought the mall’s sprinkler system doused the blaze. But police later said the fire began spreading as members of the bomb squad were checking the man’s backpack to see if it contained explosives, forcing them to flee the building. Source:


Banking and Finance Sector

14. October 21, Softpedia – (International) Avalanche gang switches from traditional phishing to ZeuS. Security researchers warn that one of the world’s largest phishing gangs, known in the security industry as Avalanche, is now relying on the infamous ZeuS trojan to steal sensitive data from users. The announcement came from the Anti-Phishing Working Group (APWG), an international association of security vendors, financial organizations and law enforcement agencies, that aims to prevent identity theft and fraud resulting from phishing attacks. The Avalanche gang is a large cybercriminal syndicate believed to operate out of Eastern Europe. According to APWG’s statistics, it was responsible for as much as two thirds of the phishing attacks recorded during the second half of 2009. Since then the group seems to have scaled back their traditional phishing operations significantly in favor of the more efficient ZeuS information stealing trojan. APWG reports that only four Avalanche-related phishing attacks were observed during July 2010, which is significantly lower than 2009. Source:

15. October 21, Softpedia – (National) FBI publishes detailed cyberfraud advisory for businesses. Following an unprecedented rise in cybercriminal activity targeting small- and medium-sized businesses, municipalities, schools, and other organizations, the IC3 has released a detailed advisory with information about preventing, detecting and responding to corporate account takeover incidents. The document was drafted by the FBI, the United States Secret Service, the Internet Crime Complaint Center (IC3) and the Financial Services Information Sharing and Analysis Center (FS-ISAC). The advisory starts by explaining the methods used by cybercriminals to target organizations and gain access to their bank accounts. These include sending phishing or infected emails to senior executives and other key employees, often posing as notifications from known institutions or services. Advices regarding protecting against such attacks range from educating workers about security practices, to enhancing the security of the organization’s computer network and strengthening internal banking protocols. For example, the document recommends that online banking operations be performed from dedicated computers only. This means that those systems should not be used for browsing, emailing, social networking or other unrelated activities. Furthermore, deploying all security updates for the operating system, as well as installed applications is mandatory, not to mention running a comprehensive and up-to-date anti-malware solution. The advisory also recommends enabling Data Execution Prevention (DEP) in Windows, blocking AutoRun and disabling JavaScript support in Adobe Reader, a common attack vector in corporate environments. As far as banking security is concerned, the law enforcement officials recommend enforcing a strict policy where two different persons using two separate computers are needed to authorize wire or ACH transfers. Source:

16. October 21, KXLY 4 Spokane – (Idaho) School bomb threat, bank robbery possibly connected. Investigators are trying to determine if a bomb threat and bank robbery are connected in North Idaho. The bomb threat was called into Garwood Elementary School in Rathdrum just after 10 a.m. October 21, and just an hour later a Wells Fargo bank was robbed. At Garwood, 340 students were bused from the elementary school to Lakeland High School. Concerned parents showed up to be reunited with their kids. While law enforcement focused its energies at Garwood responding to the bomb threat, the Wells Fargo along Highway 41 in Rathdrum was robbed. The Sheriff’s Department is trying to figure out if the bomb threat was used as a distraction. “This is often a ploy that’s used to divert police to a different location so they can try to get a clear getaway,” the police official said. Source:

17. October 21, KVOA 4 Tucson – (Arizona) Police looking for “Manila Bandit”. Tucson police are looking for a man they call the “Manila Bandit.” They say he has robbed at least three banks since July. In each of the incidents, the suspect has entered the bank carrying a large manila envelope. Police say he then places the money in it during the robbery. The following dates and locations are the three most recent known incidents involving this suspect: July 23, 2010 4752 East Sunrise Drive US Bank (Inside Safeway store) October 11, 2010 3275 North Swan Road Wells Fargo (Inside Basha’s store) October 18, 2010 7740 East Speedway Boulevard Pyramid Credit Union The suspect is described as a white male, 45 to 50 years old, 5’6” to 5’8” tall, 180 to 200 pounds, and wearing prescription-style glasses. In each case he has worn a baseball-style cap, and long-sleeved shirt. Source:

18. October 21, DarkReading – (National) FBI warns of ‘Corporate Account Takeover’ scams. Cybercriminals are targeting the financial accounts of small and midsize businesses (SMBs), fraudulently transferring money directly from their accounts, the FBI warned October 20. In a fraud alert issued October 20, the FBI said “corporate account takeover” attacks use malware to steal passwords and other credentials from senior executives at SMBs and then use those credentials to empty the companies’ coffers. “To obtain access to financial accounts, cyber criminals target employees—often senior executives or accounting, HR personnel, and business partners—and cause the targeted individual to spread [malware], which in turn steals their personal information and log-in credentials,” the FBI says in its full report. “Once the account is compromised, the cyber criminal is able to electronically steal money from business accounts,” the report explains. “Cyber criminals also use various attack methods to exploit check archiving and verification services that enable them to issue counterfeit checks, impersonate the customer over the phone to arrange funds transfers, mimic legitimate communication from the financial institution to verify transactions, create unauthorized wire transfers and ACH payments, or initiate other changes to the account.” In addition to targeting account information, attackers also seek to gain customer lists and other proprietary information, often using the same malware-spreading techniques, the report says. The FBI first began warning enterprises about corporate account takeovers in 2006, but they are rising in numbers because cybercriminals have found them rather easy to perpetrate—especially when it comes to SMBs that do not have a dedicated IT security staff, the report says. The rewards are great—often surpassing hundreds of thousands of dollars—and the risk is low. Source:

19. October 20, Bloomberg – (National) Computer expert pleads guilty to hacker stock scheme. An Arizona computer specialist who did time in prison for his role in an Internet stock-fraud scheme pleaded guilty in New Jersey October 20 to a similar scam. The suspect admitted in federal court in Trenton that he inflated the prices of thinly traded stocks between November 2007 and February 2009 by promoting them through mass e-mails, or spam, and by taking over the brokerage accounts of third parties. The suspect also pleaded guilty in August 2009 to his role in a scheme led by another man who prosecutors said was once “the world’s most notorious illegal spammer.” The suspect, who was sentenced to a year in prison in that case, was released in April, records show. The other man is serving a 51-month prison term. “The conspirators may have updated the fraud with technology, but strip away the army of computers and this is a classic pump and dump scheme,” the U.S. attorney said in a statement. The suspect, who pleaded guilty to conspiracy to commit securities fraud and fraud in connection with electronic mail, faces as many as five years in prison. The U.S. district judge set a sentencing date of February 2. Source:

Information Technology

38. October 22, The H Security – (International) Pidgin 2.7.4 closes DoS vulnerability. The Pidgin development team has released version 2.7.4 of its open source instant messenger application. According to the developers, this maintenance and security update addresses a medium-risk vulnerability in the libpurple library used by Pidgin and other instant messaging clients, including Adium and Meebo, that could lead due to a remote denial-of-service (DoS) attack. Pidgin 2.7.4 closes more than 20 bugs and adds support for new drop-down account options, such as the ILC cipher and HMAC options, a new plug-in action menu under Tools for the Voice and Video Settings plug-in and improvements for Yahoo file transfers under some scenarios. Other changes include three new Root Certificate Authorities (CA), support for the Gadu-Gadu protocol in the gevolution plug-in and updates to Bonjour, which now requires version 2.0.0 or later of Apple’s Bonjour Print Services. The developers also note that, due to the security issue, some translation updates that were submitted on October 20 did not make it into the release. Source:

39. October 22, The H Security – (International) FaceTime beta is a backdoor to Apple accounts. Until recently, the beta version of FaceTime, Apple’s video telephone software for Mac OS X, was quite careless with users’ personal data. When the just released FaceTime application was launched, the security question and the answer, along with the previous user’s birthday, from a previous log-in, could be accessed without having to log-in to that account. In combination with the Apple ID, which was also displayed, the password could be reset, providing complete access to the account currently registered making it possible, for instance, to go shopping in the iTunes Store with another user’s account. The issue was problematic when more than one user shared the same computer, such as is the case with a publicly used Mac. Even if a user had properly logged out, the account could still be accessed because the application automatically put the password into the log-in dialogue. Apple reacted quickly and remedied the problem within the server. Now, a click on “View details” brings the user back to the general settings page. Source:

40. October 21, GamePro – (International) Server attack disrupts Minecraft. On his blog, Minecraft’s creator explained that an attack on the server is the cause of the game’s multiplayer being unavailable, adding that he is not sure why his game was under attack. He explained how this distributed denial of service (DDoS) attack works and brought down the server, comparing the way a DDoS disrupts a server to how a person paying with coins, then finding out they do not have enough, can tie up a line at a supermarket. “As to why is being targeted, I’m not sure,” he said. According to Kotaku, a post on 4chan claims responsibility for the attack because they want the creator to provide more updates for the game. While there is no way to confirm if the post is valid, the poster claims that those behind the attacks are not active 4chan members or people from rival games. The post says, “[The attack’s] purpose is to send a clear message of how the future of Minecraft will turn out unless he gets to work, namely by influencing the amount of sales taking place, due to the attacks.” Source:

41. October 21, Help Net Security – (International) Global e-crime gang transitions to crimeware. The world’s most prolific phishing gang has completed a transition from using conventional phishing to massively propagating stealthy password-stealing crimeware that does not require user cooperation to surrender financial account credentials, according to a report by APWG. While the Avalanche botnet infrastructure had been used to launch conventional spam-based phishing attacks over the past two years, the phishing has been replaced with a scheme that infects users’ PCs with the potent Zeus Trojan, a powerful banking credential-stealing malware. The phishing syndicate had been successfully using the Avalanche botnet for conventional spam-based phishing attacks that provoke a user to visit a counterfeit website and enter or his or her credentials. This Avalanche phishing accounted for two-thirds of all phishing attacks observed worldwide in the second in late 2009. But the Avalanche infrastructure was involved in just four conventional phishing attacks in the month of July 2010. Instead, the Avalanche-based syndicate ramped up a concerted campaign of crimeware propagation to fool victims into receiving the Zeus crimeware and infecting their PCs with it. Avalanche has been sending billions of faked messages from tax authorities such as the IRS, false alerts/updates purporting to be from popular social networking sites, and other lures. These lures take victims to drive-by download sites, where the criminals infect vulnerable machines. Source:

42. October 21, IDG News Service – (International) Adobe warns of Shockwave bug. Adobe warned October 21 of a critical bug in its Shockwave Player that affects both Windows and Macintosh PCs. The bug, which was publicly disclosed October 21, “could cause a crash and potentially allow an attacker to take control of the affected system,” Adobe said in a message on its website. In its security advisory, Adobe said it considers the issue “critical,” and is working on a patch for the flaw. The company is not saying when that patch will ship, however. So far, there are not any reports of attacks that leverage the bug, but this type of public disclosure of a serious bug is often a harbinger of future attacks. Adobe’s Reader software has been a regular target for Web-based attacks over the past year, and while the Shockwave Player is used by about half as many people as Reader, it is probably good enough for many hackers. “Hundreds of millions of computers with Internet connectivity have Shockwave installed, so, this will obviously be an attractive target for attackers,” security vendor Symantec said October 21 in an e-mailed statement. If attacks do become a problem, users can disable Shockwave in their Web browsers until a patch becomes available. The bug was found by a security researcher who said he released details of the problem to celebrate the fact that he now has 1,000 followers on Twitter. He had earlier promised to release an Adobe 0day when he crossed that threshold. Source:

For more stories, see items 14, 15, and 18 above in the Banking and Finance sector

Communications Sector

43. October 22, Emergency Management – (National) Broadcasters file for more time for updating EAS. A number of broadcast groups has filed a request to extend the timeframe for broadcasters to re-equip their stations for the Emergency Alert System (EAS). As it stands, broadcasters have until late March of 2011 to install equipment that is capable of receiving messages using the Common Alerting Protocol (CAP). But, the broadcasters say they need more time. The National Association of Broadcasters and other broadcast groups told the Federal Communications Commission (FCC) the March 2011 deadline is simply too soon, since it was only late September 2010 when the clock started ticking on the mandatory upgrades. That is when FEMA announced it had approved the most recent version of CAP, a message standard. The broadcasters say they need more than the 180-day window they have been given to see which vendors will be declared CAP compliant, get operational and regulatory issues resolved, buy equipment, and install it. They would like the timetable pushed back to September 30, 2011, giving them a year to comply. Source:

44. October 22, TG Daily – (National) Spectrum crunch likely to be worse than expected. There will be a further, massive shortage of spectrum in coming years if more is not made available, the FCC has warned. In a paper released October 21, the FCC said it expects there to be 35 times as much mobile data traffic in 2014 than there was in 2009 — and that this may well be an underestimate, given the iPad boom. “The explosive growth in mobile communications is outpacing our ability to keep up,” said the FCC chairman. “If we don’t act to update our spectrum policies for the 21st century, we’re going to run into a wall — a spectrum crunch — that will stifle American innovation and economic growth and cost us the opportunity to lead the world in mobile communications.” According to the report, even if spectrum and device efficiency doubles and the number of cell towers continues to grow at its current pace, the U.S. will need around 300 additional megahertz of spectrum by 2014. The FCC estimates the economic value of this spectrum as $120 billion. The chairman said that the FCC was making progress with its plans to encourage broadcasters to give up spectrum in exchange for rewards — although he didn’t say how many, if any, had signed up. The FCC recently released the first block of spectrum to be sold off in 20 years. Source:

45. October 21, Urgent Communications – (Florida) Florida county makes transition to NG 911. Intrado announced that Charlotte County, Florida, recently launched a next-generation 911 system that leverages the vendor’s technology. The IP-based system will allow the county’s public-safety answering point to receive high-bandwidth files — such as building floor plans, digital photos and video — that are sent to them from wireless 911 callers. The platform will let the PSAP receive 911 texts, which is important for the hearing impaired, many of whom are abandoning their TTD/TTY devices, said Intrado’s vice president of marketing strategy. However, PSAPs only can receive texts from wireless 911 callers when carriers make such service available. So far, only one PSAP in the country actually can receive wireless 911 texts — in Black Hawk County, Iowa — but the director expects that to change over time. Source: