Monday, December 20, 2010

Complete DHS Daily Report for December 20, 2010

Daily Report

Top Stories

• Voice of America News reports U.S. and Yemeni officials said no one was hurt when an attacker tossed a grenade at a parked vehicle in Yemen that had been carrying American embassy personnel. (See item 36)

36. December 16, Voice of America News – (International) Bomb targets US Embassy vehicle in Yemen. U.S. and Yemeni officials said a group of American embassy personnel came under attack December 15 when a bomb exploded near their vehicle outside a restaurant in Yemen’s capital. A U.S. State Department spokesman said no one was injured in the blast, which took place in a commercial district of Sana’a. An investigation is ongoing. Another U.S. official said the explosion disabled the vehicle, and that the embassy believes it was “likely” an attempt to target U.S. interests. Yemeni officials said police arrested several suspects, including a Jordanian in his 20s. They said the attacker threw a hand grenade at a car carrying a number of Americans as it was parked outside a restaurant frequented by foreign nationals. It is unclear whether the attack is linked to al-Qaida militants in the country. Source: http://www.voanews.com/english/news/middle-east/Bomb-Targets-US-Embassy-Vehicle-in-Yemen-112020384.html

• After the WikiLeaks security leak, the National Security Agency is operating on the assumption foes may have pierced the most sensitive computer networks under its guard, Reuters said. (See item 40)

40. December 16, Reuters – (National) U.S. code-cracking agency works as if compromised. The U.S. government’s main code-making and code-cracking agency now works on the assumption that foes may have pierced even the most sensitive national security computer networks under its guard. “There’s no such thing as ‘secure’ any more,” a spokeswoman with the National Security Agency said December 16 amid U.S. anger and embarrassment over disclosure of sensitive diplomatic cables by the web site WikiLeaks. She heads the NSA’s Information Assurance Directorate, which is responsible for protecting national security information and networks from the foxhole to the White House. “The most sophisticated adversaries are going to go unnoticed on our networks,” she said. More than 100 foreign intelligence organizations are trying to break into U.S. networks, the Deputy Defense Secretary wrote in the September/October issue of the journal Foreign Affairs. Some already have the capacity to disrupt U.S. information infrastructure, he said. Source: http://uk.reuters.com/article/idUKTRE6BF6DN20101216

Details

Banking and Finance Sector

15. December 17, Melrose Patch – (Massachusetts) Robbery, shooting at Main Street Citizens Bank in Malden. Melrose Police and several other police departments combed the area between Oak Grove and Forestdale December 16 for a gunman who robbed a Citizens Bank branch on Main Street in Malden, Massachusetts. The suspect fits the description given in recent robberies in Reading and Lynnfield. Two Malden schools were placed under lockdown. According to a Malden police spokesman, the suspect entered the bank before 1 p.m., and approached a teller with a note demanding money. She complied, and he moved to leave the bank. When he got to the door, however, it was locked. The gun didn’t come out until the man realized he was locked in. At that point, he pulled out a silver handgun and fired five rounds into the door, the police spokesman said. Malden, Melrose and state police swarmed the area and began searching for the man, described as a black male, about 5-feet, 9-inches tall, wearing a dark jacket and a gray Red Sox hat. Source: http://melrose.patch.com/articles/robbery-shooting-at-main-street-citizens-bank-in-malden

16. December 17, WHIO 7 Dayton – (Ohio) State authorities investigate detonation of explosive device. The Ohio fire marshal, Bureau of Alcohol, Tobacco, Firearms and Explosives, Huber Heights fire and police departments and the Dayton Bomb Squad continue to investigate after an incident at the Fifth-Third Bank on Taylorsville Road December 16. Investigators said a homemade explosive device exploded and ignited the base of an ATM between midnight and 12:15 a.m. The device caused superficial damage to the ATM and no one was injured. Authorities said they are trying to determine who made and detonated the device. Pieces of the exploded device are being analyzed and it could be 7 to 10 days before results are available. Source: http://www.whiotv.com/news/26171988/detail.html

17. December 16, Associated Press – (International) Texas couple accused of funneling money to Iran. A Texas couple and the head of an Oregon charity secretly sent millions of dollars to an Iranian bank and to a contact in Iran for 9 years, violating the U.S. embargo on the Middle East country, according to a federal indictment. The indictment describes an alleged scheme in which the Texas couple got tax exemptions for their donations to the Portland-based Child Foundation charity. The head of the charity allegedly funneled money meant for food and other assistance to his cousin, and to a bank controlled by the Iranian government. Working through Iranian corporations and banks in Switzerland and Dubai, the Texas couple and charity head’s cousin masked their transfers by using food shipments and other commodities to cover financial donations intended for a sister charity in Iran run by the cousin, federal prosecutors said. “These defendants are charged with going to extraordinary lengths to conceal the transfer of large sums of money in violation of the Iranian embargo,” the U.S. Attorney for Oregon said in a statement December 16. A 26-page indictment alleged the Texas couple conspired to defraud the government, and laundered money by purporting to transfer charitable donations to Iran while actually keeping control of the money. Source: http://www.foxnews.com/us/2010/12/16/indictment-alleges-texas-couple-broke-iran-embargo/?test=latestnews

18. December 16, El Paso Times – (Texas) The FBI has arrested the ‘Lipstick Bandit’ accused of robbing 2 banks. The FBI Violent Crimes Task Force arrested the man believed to be the bank robber dubbed the Lipstick Bandit. FBI officials December 16 said a tip led to the arrest of a 31-year-old male suspect in the heists in El Paso, Texas. The suspect faces two counts of bank robbery and possession of a firearm. He was jailed on unrelated charges. On December 8, a bank robber wearing lipstick, big sunglasses, and carrying a woman’s vinyl purse used a handgun to rob the Compass Bank at 9870 Gateway North. As the robber fled, a red dye pack that was hidden in a bundle of money exploded in his truck, the FBI said. A week prior, the same man allegedly robbed the Compass Bank at 6044 Gateway East. Source: http://www.elpasotimes.com/ci_16878356?source=most_viewed

19. December 16, KXXV 25 Waco – (Texas) 4 women accused of stealing background check information. Four Waco, Texas-area women were arrested December 16 on accusations they stole personal information from fingerprint applications. The four were indicted by a federal grand jury on one count of conspiracy to commit identity theft. One woman is also charged with six substantive aggravated identity theft counts; two of the others are also charged with one aggravated identity theft count. From March 2008 to July 2008, one of the accused was employed as a Live Scan Operator by Integrated Biometrics Technology in Waco, where applicants provide personal information, such as Social Security numbers and dates of birth. The suspect employee allegedly stole thousands of background check applications when she left the company, and the four women then used them to fraudulently obtain credit cards, open accounts, and purchase items throughout the country. Their hearings are scheduled for December 21 and if convicted, they each face up to 15 years in federal prison. Source: http://www.kxxv.com/Global/story.asp?S=13688249

Information Technology

45. December 17, H Open Source – (International) Google questions results of malicious site protection test. In a test conducted by NSS Labs, the beta version of Internet Explorer 9 warned testers about visiting malicious sites or downloading infected files in 99 percent of cases. Internet Explorer 8 achieved a respectable result of 90 percent. The good result for Internet Explorer 9 was reportedly due to the previously existing SmartFilter URL filtering and the newly added SmartFilter reputation-based filtering. The test by NSS Labs was financed by Microsoft. Google’s Chrome 6 browser reportedly only detected 3 percent of threats, although it had still warned users in 14 percent of cases in a previous test. Google has questioned the validity of the test results, arguing there is no description of the testing methodology that would allow the tests to be independently verified. Although NSS Labs did describe the test set-up in its results publication, there are no details about which set of URLs was used for the test, and which criteria were used to determine potential threats. According to the description, the test only investigated URLs where a link directly lead to an infected file being downloaded — sites containing exploits for drive-by downloads were apparently omitted. Source: http://www.h-online.com/open/news/item/Google-questions-results-of-malicious-site-protection-test-1155534.html

46. December 16, Computerworld – (International) Google adds Flash sandbox to Chrome beta. Two weeks after it debuted a sandbox to isolate Adobe’s Flash Player plug-in, Google pushed the security enhancement to the more reliable beta channel of its Chrome browser December 16. Chrome users already running the beta build will be automatically updated to the version that includes the sandboxed Flash. A “sandbox” isolates processes on the computer, preventing or at least hindering malware from escaping an application to wreak havoc on the machine. That has become increasingly important for Flash, as the popular media player has been aggressively targeted by hackers in 2010. Adobe has had to patch Flash five times since January, and in several cases was forced to scramble to release emergency fixes as new attacks surfaced. Chrome’s Flash sandbox relies on some elements of the already-in-place technology that the browser uses to protect HTML and JavaScript. But much of the new work was created from scratch in cooperation with Google, an Adobe executive said when the two companies announced the inclusion of the sandbox in Chrome’s “dev” channel December 1. Source: http://www.computerworld.com/s/article/9201419/Google_adds_Flash_sandbox_to_Chrome_beta

47. December 16, SC Magazine – (International) Malware targeting Google Android quadruples in 2010. Malware aimed at Google’s Android mobile operating system rose fourfold in 2010, compared to 2009, research has shown. This represented the most significant jump in comparison to other platforms, claimed mobile security specialists AdaptiveMobile. Reported exploits targeting the iPhone fell, as did new Symbian malware, which dropped by 11 percent. However, the overall number of mobile malware infections reported went up 33 percent, again compared with 2009 figures. Source: http://www.securecomputing.net.au/News/241877,malware-targeting-google-android-quadruples-in-2010.aspx

48. December 16, H Security – (International) When a smart card can root your computer. A buffer overflow flaw in the open source smart card library OpenSC can be exploited to inject and execute malicious code on a system. According to UK security company MWR InfoSecurity, the bug in the library is triggered when reading serial numbers from smart cards. The card-atrust-acos.c, card-acos5.c, and card-starcos.c drivers in OpenSC version 0.11.1 are all affected. Starcos and Acos5 cards are used to store private cryptographic keys and are deployed in the Public Key Infrastructure (PKI) field. The bug is unlikely to be exploitable using standard chip cards, although card simulators are able to send a crafted serial number to a terminal. MWR reports that it has developed a proof-of-concept exploit. MWR does not discuss specific targets for such an attack, but attacks on systems which require chip card authentication are conceivable. Under Windows, code injected via the OpenSC vulnerability would be able to run with system privileges. The OpenSC development team has released patches to fix the vulnerabilities in all three drivers. Source: http://www.h-online.com/security/news/item/When-a-smart-card-can-root-your-computer-1154829.html

49. December 15, Social Barrel – (International) Yahoo image search hacked. Yahoo’s image search began to display pornographic images December 14, the same day Yahoo laid off over 600 employees. The pornographic images seemed to appear no matter what someone searched on Yahoo. They would not appear immediately, but if a user clicked on a thumbnail image at the top of the search results, what has been described as a XXX photo would appear. Yahoo first pulled down the image thumbnails to avoid any further appearance of the images, and by December 15 it appeared the issue had been fixed. Many industry observers are suggesting, although there does not appear to be any concrete evidence as of now, that it could have been a disgruntled Yahoo employee who was let go during the series of layoffs. Yahoo released about 4 percent of the company’s workforce December 14 in an attempt to streamline operations and better compete with rivals such as Facebook and Google. Source: http://socialbarrel.com/yahoo-image-search-hacked/1598/

50. December 15, iTnews – (International) Sydney honeypots attract morphing botnet malware. The Sydney, Australia branch of West Coast Labs’ global honeynet was amongst the first to record two new malware variants the week of December 5, as the RBot family continued to wreak havoc on global networks. Of the 41 malware threats detected by West Coast Labs’ Sydney honeypots the week of December 6, 29 were received there for the first time. The honeypots detected a compressed file — generally agreed to be a member of the polymorphic Virut family of viruses. This virus infects files with encrypted code, which spreads further when each infected file is run. The honeypots were also the first in the West Coast Labs network to pick up a worm December 4 thought to be part of the Allaple family. This worm spreads via networks and e-mail, dropping the file urdvxc.exe into the System32 system directory of Windows machines and using this to spread itself further. One in five new malware threats detected by the honeynet were variants of the RBot family. The RBot family of malware uses an exploit in the Windows operating system that leaves open IRC (internet relay chat) channels 24 hours a day. Source: http://www.itnews.com.au/News/241772,sydney-honeypots-attract-morphing-botnet-malware.aspx

Communications Sector

51. December 17, Ecommerce Journal – (National) HDTVs are vulnerable to cyber and hacking attacks. Hackers can potentially use Internet-connected HDTVs to infiltrate malware into home networks, said the latest report by a maker of security software for smartphones, VoIP devices, and TVs. Mocana conducted the tests on a range of inter-connected TVs, during which a security flaw was discovered in the kit of an unspecified manufacturer. The firm does not elaborate on the firm involved or the security weakness, at least until a fix is released. In its press release, Mocana said the security bug is a way to hack into consumers’ home network and potentially intercept and redirect internet traffic to and from the HDTV to mount phishing scams, gain access to backend services from third-party organizations (such as video streaming), or monitor and report on consumers’ private internet usage habits. Mocana’s researchers managed to deploy hacking techniques familiar to the world of PC skullduggery (such as “rogue DNS”, “rogue DHCP server”, or TCP session hijacking techniques) to inject JavaScript onto a vulnerable device “allowing attackers script integrity before running code”. Source: http://www.ecommerce-journal.com/news/30660_hdtvs-are-vulnerable-cyber-and-hacking-attacks

52. December 16, Minneapolis Star Tribune – (Minnesota) FBI seeks victims of ‘cramming’. Two days after it raided a Forest Lake, Minnesota company called Alternate Billing Corp., the FBI announced it wants to hear from people who think the company put unauthorized charges on their phone bills. The practice is called cramming, and charges linked to Alternate Billing could carry many names, including MyIProducts, Safeguard My Credit, My411Connect, and others. Other media outlets reported he investigation is connected to the FBI’s probe into an Indiana businessman, whose investment firm collapsed earlier this year. On its Web site, Alternate said it helps online companies do business with “savvy online browsers” who are reluctant to purchase goods or services over the Internet with a credit card. Instead, Alternate lets those companies put those charges on a customer’s land-line phone bill. Such transactions have earned the ire of many telephone customers, who complain mysterious charges start showing up on their phone bills after filling out online surveys. A U.S. Senator sent a letter to the Federal Communications Commission (FCC) last month urging the agency to consider new rules that would prevent cramming. State law requires phone companies to remove unauthorized third-party charges and reimburse customers for up to 6 months of charges. A former employee of Alternate said he was taking up to 120 calls a day from people complaining about unwanted services that showed up on their phone bills. The worker, who left the company about 3 years ago, said he has spoken to the FBI and the Minnesota attorney general’s office. Source: http://www.startribune.com/investigators/112011079.html?elr=KArksLckD8EQDUoaEyqyP4O:DW3ckUiD3aPc:_Yyc:aUvckD8EQDUF

53. December 14, Wired – (National) Warrant needed to get your e-mail, appeals court says. The government must obtain a court warrant to require internet service providers to turn over stored e-mail to the authorities, a federal appeals court ruled December 14. The decision by the 6th U.S. Circuit Court of Appeals was the first time an appellate court said Americans had that Fourth Amendment protection. “The government may not compel a commercial ISP to turn over the contents of a subscriber’s e-mails without first obtaining a warrant based on probable cause,” the appeals court ruled. The decision — one stop short of the Supreme Court — covers Kentucky, Michigan, Ohio, and Tennessee. The legal brouhaha centered on the founder of an Ohio herbal-supplement company that marketed male-enhancement tablets. As part of a fraud investigation, the government obtained thousands of his e-mails from his ISP without a warrant. He appealed his 25-year conviction on those and other grounds, and the circuit court tossed his sentence on issues unrelated to the court’s language concerning e-mail privacy. At issue in the e-mail flap was a 1986 law that allows the government to obtain a suspect’s e-mail from an ISP or Webmail provider without a probable-cause warrant, once it has been stored for 180 days or more. The appeals court said December 14 this part of the Stored Communications Act is unconstitutional. Source: http://www.wired.com/threatlevel/2010/12/fourth-amendment-email/

Friday, December 17, 2010

Complete DHS Daily Report for December 17, 2010

Daily Report

Top Stories

• The Columbus Dispatch reports Ohio State University is notifying up to 760,000 people that their names and Social Security numbers might have made it to cyberspace in one of the largest and most costly breaches to hit a college campus. (See item 42)

42. December 16, Columbus Dispatch – (Ohio) Server hacked at OSU; 760,000 affected. Ohio State University (OSU) is notifying up to 760,000 students, professors, and others that their names and Social Security numbers might have made it to cyberspace in one of the largest and most costly breaches to hit a college campus. Ohio State expects to spend about $4 million to pay for the forensic investigation and credit-protection services for those whose personal information was on a server that was hacked. University officials started notifying current and former students, employees, and businesses that have done work with the school about the breach December 15. There is no indication that any personal information was taken or that the incident will result in identity theft for any of the affected people, a provost said. In late October, a routine computer security review uncovered suspicious activity on a campus server with the names, Social Security numbers, birth dates, and addresses of up to 760,000 people associated with the university, including applicants, contractors, and consultants, he said. No OSU Medical Center patient records or student health records were involved. Source: http://www.dispatch.com/live/content/local_news/stories/2010/12/16/server-hacked-at-osu-760000-affected.html?sid=101

• According to the Sacramento Bee, federal officials planned to double water releases from Folsom Dam in California to make room for a major storm expected the weekend of December 18 and 19. (See item 68)

68. December 15, Sacramento Bee – (California) Water will be released from Folsom Dam to make way for major storm. Federal officials plan to double water releases from Folsom Dam in Folsom, California, December 15, to make room for a major storm expected the weekend of December 18 and 19. The U.S. Bureau of Reclamation, which owns and operates the dam, will boost releases into the American River from the current 15,000 cubic feet per second to 30,000. “We’re expecting some pretty good precipitation above Folsom Dam, so we’re looking to kind of evacuate that flood space,” said a Reclamation spokesman. The releases will cause the river to rise by 4 to 5 feet at Hazel Avenue. Officials were releasing water from four river outlets in the face of the dam. Source: http://www.sacbee.com/2010/12/15/3260396/water-will-be-released-from-folsom.html

Details

Banking and Finance Sector

17. December 16, Pottstown Mercury – (Pennsylvania) Two men arrested on multiple identity theft charges. A suspicious transaction at a Limerick, Pennsylvania outlet mall led to the arrest of two men and the discovery of portable hard drives containing hundreds of pieces of stolen personal information. The two male suspects, who both hail from Brooklyn, New York, first came to the attention of township police when they attempted to make several purchases from the True Religion store in the Philadelphia Premium Outlets November 19 using several different credit cards, according to court documents. The credit cards the suspects used were coming up invalid when store employees swiped them, according to court documents. As a result, the store clerk had to manually enter the credit card information into the store register. When this occurs, the customer must sign the receipt and an imprint must be taken of the credit card that is used, according to court documents. The suspects signed the receipts, but allegedly turned over different credit cards than those used for the transactions when the employee asked to make the imprints, according to court documents. Source: http://www.pottstownmercury.com/articles/2010/12/16/news/srv0000010311820.txt

18. December 16, Washington Post – (Virginia) Arrest in 6 N. Va. bank robberies. A West Virginia man has been charged with six bank robberies across Northern Virginia in October and November, according to the Loudoun County Sheriff’s Office. The 32-year-old male suspect was arrested December 11 in West Virginia on felony charges stemming from two bank robberies in Winchester, according to police. He is also charged with two bank robberies in Fairfax County, and two bank robberies in Sterling, authorities said. In each of the robberies, the suspect either implied that he had a weapon or pulled out a gun, according to a Loudoun sheriff’s spokesman. No one was hurt in any of the incidents, the spokesman said. No others have been charged in connection to the robberies, the spokesman said, but authorities continue to investigate whether the suspect was acting alone. A multi-jurisdictional investigation, including police in Loudoun, Winchester, and Fairfax and the FBI, first linked the bank robberies in November, police said. Source: http://voices.washingtonpost.com/crime-scene/fairfax/arrest-in-6-n-va-bank-robberie.html?hpid=newswell

19. December 15, ComputerWorld UK – (International) Bank of America claims ex-employees took databases. Bank of America has claimed in a lawsuit that four ex-employees copied confidential databases of its trade secrets, and executed a “coordinated” attack on its wealth management unit using the data. The password-protected database was taken by the employees, it said, as they left the company. The ex-employees “brazenly” announced they were taking the data, including client names, addresses, e-mails, and phone numbers, Bank of America said in papers filed the week of December 6 at the New York Supreme Court. The four accused now work at Dynasty Financial Partners, a wealth management and financial technology firm in New York. They left resignation letters stating they were allowed to take the information under a protocol agreed on by some banks, according to Bank of America. But the bank said it had not signed up for the protocol. Dynasty is also one of the defendants in the case. The employees and Dynasty deny the accusations. Bank of America said in its lawsuit that the databases provide “complete, comprehensive information” on clients and potential clients’ financial profile and investment preferences. The judge in the case has temporarily barred Dynasty and the four individuals from using or sharing the database to solicit new clients, according to a Bloomberg report. But it did not bar the individuals from advising their existing clients. Source: http://www.networkworld.com/news/2010/121510-bank-of-america-claims-ex-employees.html?hpg1=bn

20. December 15, San Diego North County Times – (California) FBI increases reward in effort to nab Geezer Bandit. The FBI announced December 15 the reward for helping to catch San Diego County’s most notorious bank robber has reached $20,000, up from $16,000, where it had been since last year. The armed, elusive, and apparently aged — although that is in dispute — bank robber has hit 12 California banks since August 2009: 10 in San Diego County, one in Temecula and, most recently, November 12, he robbed a bank in Bakersfield. The $20,000 reward money for information leading to the arrest and conviction of the Geezer Bandit comes from a combination of funding, including the FBI and several local banks, a FBI Special Agent said. Authorities have not released the amount of money the thief has stolen during his 17-month spree. Known to tote an oxygen tank during his earlier heists, and also seen carrying a gun, the robber has sparked some public fascination, including at least four Facebook fan pages. Source: http://www.nctimes.com/news/local/sdcounty/article_e66b5934-5ee2-54f8-8abc-b740d9504fee.html

21. December 15, KUSA 9 Denver – (Colorado) FBI: 3 Colorado banks robbed this week. Three separate, Denver, Colorado-area banks were robbed between December 10 and December 13. On December 10 at 5:55 p.m. the FBI said a woman robbed the Bellco Credit Union in Englewood. She was allegedly armed with a handgun. The FBI said they believe this robber is one of the “3-2-1 Bandits.” She is described as approximately 5 feet tall, 25 to 35 years old, with a medium to stocky build. Three days later, the FBI said a Bank of the West in Englewood was robbed at 2 p.m. December 13. The FBI describes the alleged robber as a man 20 to 25 years old 5 feet 4 inches to 5 feet 5 inches tall with a thin build. He was unshaven.” The FBI calls this person the “Itty Bitty Bandit” because of his size and stature. Three hours after that heist, another Bank of the West was robbed in Aurora by different people. The alleged robbers were a man and a woman both armed with handguns. The FBI says they think these alleged robbers are also part of the “3-2-1 Bandits.” The suspects are described as a man approximately 5 feet 8 inches tall with a thin build and a woman 5 feet 2 inches to 5 feet 3 inches tall with a heavy build. Source: http://www.9news.com/news/local/article.aspx?storyid=169989&catid=346

For more stories, see item 58 below in the Communications Sector

Information Technology

51. December 16, H Security – (International) Back door in HP network storage solution. HP’s MSA 2000 G3 Storage As a Network (SAN) product contains a hidden and undocumented account with more privileges than the normal customizable account (manage:!manage). Apparently included for support purposes, the account (admin:!admin) is not visible in the user manager and cannot be deleted or modified. It allows unauthorized users to access these systems and the data stored there. When asked by a reader of heise Online, The H Security’s associated publication in Germany, who came across the problem, HP’s support team reportedly admitted the account allows users to “modify the SAN’s hardware settings and underlying operating system”, and that it is therefore not intended for customer use. HP has confirmed the problem and announced the release of a fix to solve it. Additionally, according to a post on SecurityFocus, users can change the password for the invisible user account using the command-line interface. Source: http://www.h-online.com/security/news/item/Back-door-in-HP-network-storage-solution-1154257.html

52. December 16, Help Net Security – (International) Metasploit 3.5.1 adds Cisco device exploitation. Metasploit now enables security professionals to exploit Cisco devices, performs passive reconnaissance through traffic analysis, provides more exploits, and evaluates an organization’s password security by brute forcing an ever increasing range of services. This latest release adds stealth features, exposing common flaws in IDS and IPS, and anti-virus threat detection. Team leaders may now impose network range restrictions on projects and limit access to specific team members. Adding to its social engineering capabilities, Metasploit can also now attach malicious files to e-mails, for example PDF and MP3 files that can take control of a user’s machine. The highlights of Metasploit version 3.5.1 are: gain access to Cisco devices; silently discover active networks; brute force UNIX “r” services, VNC, and SNMP; evade IPS/IDS and anti-virus systems; attach malicious PDF and MP3 files to e-mails; and run additional exploits. Source: http://www.net-security.org/secworld.php?id=10324

53. December 14, Sunbelt Blog – (International) Sunbelt Blog: Rogues now imitate utilities rather than anti-malcode apps. Since the week of December 5, the rogue security products (also called scareware) that were posted on the GFI-Sunbelt Rogue Blog have had a new look. Instead of impersonating anti-virus products, these new ones are claiming to be applications that fix disk errors on a victim’s machine: HDDDiagnostic, HDDRepair, HDDRescue, and HDDPlus. They are essentially clones and together they are members of a new family of rogues: FakeAV-Defrag. They do nothing except throw up phony warnings and demand that the victim purchase them before they “fix” the fictional problems they warn about. Since rogues began to circulate 7 or so years ago, they have always pretended to be anti-spyware or anti-virus products, imitating the look of many legitimate anti-virus products and even the structure of their product names. In the last 2 months, however, it has become clear rogue writers are trying something new to confuse potential victims. Source: http://sunbeltblog.blogspot.com/2010/12/rogues-now-imitate-utilities-rather.html

54. December 14, Softpedia – (International) New scareware distribution link emails link to malicious files hosted at RapidShare. Security researchers from Belgian e-mail security vendor MX Lab warned about a new wave of malicious e-mails that direct users to download scareware hosted at RapidShare. According to MX Lab, the e-mails are sent from randomly spoofed addresses and their message is brief. The body only contains a link of the form http(colon)//rapidshare.com/files/[censored]/surprise.exe. The file currently has a fairly low AV detection rate on Virus Total with 16 out of the 43 antivirus engines blocking it. Some of the products detect it as a fake antivirus program, also known as scareware or rogueware, while others as a Trojan downloader. Source: http://news.softpedia.com/news/New-Scareware-Distribution-Emails-Link-to-Files-Hosted-at-RapidShare-172651.shtml

55. December 14, Softpedia – (International) Hacked websites used to create counterfiet software stores. Security researchers have observed new attacks using compromised Web sites to create rogue online stores that sell counterfeit software and are promoted in Google. Compromised Web sites are a common component in many attacks, but are generally used as doorways to drive-by downloads, scareware pages, or spam sites. Users landing on an infected page are normally taken through a series of redirects that perform various checks, until they arrive at the final attack page. In the case of black hat search engine optimization (BHSEO) campaigns, legit compromised Web sites are used to poison the results for popular search keywords or topics. When the search engine crawlers arrive at such sites, they are served with content pertaining to the targeted search keywords and will index them accordingly. However, when users find the links on Google and click on them, they are automatically taken to a external page under the attackers’ control. Source: http://news.softpedia.com/news/Hacked-Websites-Used-to-Create-Counterfeit-Software-Stores-172644.shtml

56. December 14, TrendLabs Malware Blog – (International) Malicious .RTF files exploit Microsoft Office vunerability. A stack-based buffer overflow vulnerability in Microsoft Office was recently discovered to have been actively exploited in the wild. Trend Micro now detects the exploit .RTF files as TROJ_ARTIEF.SM. The malicious .RTF files have shell codes designed to overflow the stack and to cause Microsoft Word to crash. As a result, malicious users can execute arbitrary commands on an affected system. The malware employed a (NOP) sled to overflow the buffer and to execute codes in Microsoft Word. The malware which was encountered dropped another malicious file detected as TROJ_INJECT.ART. One of the more serious concerns is a malicious user could send an RTF email to target users. Since Microsoft Outlook uses Word to handle e-mail messages, the mere act of opening or viewing specially crafted messages in the reading pane may cause the exploit code to execute. Source: http://blog.trendmicro.com/malicious-rtf-files-exploit-microsoft-office-vulnerability/

Communications Sector

57. December 16, Softpedia – (International) WikiLeaks mirror hosted with cybercrime-friendly provider. Security researchers warned a highly trafficked unofficial WikiLeaks mirror is hosted by a Russian ISP known as a safe haven for cybercriminal gangs. Following the publication of leaked U.S. State Department cables, WikiLeaks was kicked out by Amazon and EveryDNS from their respective networks. In order to ensure the organization’s online presence is not disrupted again, volunteers have mirrored its Web site on hundreds of servers around the world. Some days ago, the WikiLeaks.org domain mysteriously started redirecting all traffic to WikiLeaks.info, a site hosted in Russia with a company called Heihachi Ltd., which according to researchers from Trend Micro, is a “known as a bulletproof, blackhat-hosting provider.” Spamhaus, the world’s leading anti-spam outfit, issued a warning about WikiLeaks.info saying: “Our concern is that any Wikileaks archive posted on a site that is hosted in Webalta [Heihachi] space might be infected with malware. Spamhaus has for over a year regarded Heihachi as an outfit run ‘by criminals for criminals’ in the same mould as the criminal Estdomains,” the organization added. They said as long as the Russian company offers them reliable hosting resilient to takedowns, they do not care about its other customers. According to Spamhaus, the IRC server used by Anonymous members to communicate is also hosted by the same shady provider. The Wikileaks.info team has since changed the page to display a list of official WikiLeaks mirrors located around the world and moved the old version of the Web site to mirror.wikileaks.info. Source: http://news.softpedia.com/news/WikiLeaks-Mirror-Hosted-with-Cybercrime-Friendly-Provider-173087.shtml

58. December 16, Alamogordo Daily News – (New Mexico) Consumers frustrated by electronic shutdown. Frustrations of many southern New Mexicans ran high December 14 when they found it difficult to make purchases on credit and debit cards or even access ATMs because fiber-optic data communications lines were cut in three separate incidents near Socorro, Tijeras, and Clovis. But a New Mexico State University economist said December 15 there should not be any long-lasting effects to the region’s economy. “If anything, the outage illustrates the need for high-quality services,” said the economist, who monitors economic trends and conditions for Las Cruces and New Mexico. But the economist said the frustration was understandable when consumers who tried to buy gas, food or other goods and services with a credit card or debit card for more than 3 hours December 14 could not do so. Source: http://www.alamogordonews.com/ci_16871367

59. December 15, InformationWeek – (International) Anonymous group abandoning DDoS attacks. The Operation Payback distributed denial of service (DDoS) attack is declining. Furthermore, the small scale and low sophistication of the attack has meant that almost any Internet service provider should have been able to block it. Those findings come from the chief scientist at Arbor Networks, who December 14 detailed what Arbor is billing as the biggest-ever study of real DDoS attack data, comprising 5,000 confirmed attacks over the past year that affected 37 large carriers and content providers around the world. Even at its peak, Operation Payback was “more of an annoyance than an imminent critical infrastructure threat,” said the scientist, who likened it not to “cyber war,” as some have characterized it, but rather simple “cyber-vandalism.” “While the last round of attacks lead to brief outages, most of the carriers and hosting providers were able to quickly filter the attack traffic. In addition, these attacks mostly targeted Web pages or lightly read blogs — not the far more critical back-end infrastructure servicing commercial transactions.” Entitled “Beyond Operation Payback”, the Arbor study offers new insights into DDoS trends and attacks, gleaned from data that Arbor began measuring in its own products 2 years ago, as well as by collecting anonymous ATLAS statistics, which are available from about 75 percent of all Internet carriers. Source: http://www.informationweek.com/news/security/attacks/showArticle.jhtml?articleID=228800667&cid=RSSfeed_IWK_News

60. December 15, IDG News Service – (International) U.S. ranks 25th in the world for Internet connection speed. The United States ranks 25th in the world in average Internet connection speeds, and nearly half of all U.S. residents’ Internet connections fall below the Federal Communications Commission’s (FCC) minimum definition of broadband, at 4 megabits per second download, according to a new report. The median download speed in the U.S. in 2010 is 3 mbps, a slight increase from 2009, said the report, released December 15 by the Communications Workers of America (CWA) and Speedmatters.org. South Korea’s average download speed is 34.1 mbps, Sweden’s is 22.2 mbps, Romania’s is 20.3 mbps, and Japan’s is 18 mbps, the report said. About 1 percent of U.S. Internet connections meet the FCC national broadband plan’s goal of 50 mbps for download speeds by 2015, the report indicated. Economic growth in the U.S. depends on high-speed broadband, it added. “It determines whether we will have the 21st century networks we need to create the jobs of the future, develop our economy, and support innovations in telemedicine, education, public safety, energy conservation, and provision of public services to improve our lives and communities,” the report said. “Most U.S. Internet connections are not fast enough in both directions to permit interactive home-based medical monitoring, multi-media distance learning, or to send and receive data to run a home-based business.” Source: http://www.computerworld.com/s/article/9201306/U.S._ranks_25th_in_the_world_for_Internet_connection_speed

61. December 15, IDG News Service – (National) AT&T iPad hacker fought for media attention, documents show. A member of the group of hackers credited with uncovering more than 100,000 iPad users’ e-mail addresses on AT&T’s Web site worked hard to get the story covered by the media, according to recently unsealed court documents. After the Goatse Security hacking group found a way to make AT&T’s Web site return the e-mail addresses of iPad users, the hacker apparently wanted the news to hit big, according to a sworn affidavit by a Special Agent with the FBI. The 114,000 e-mail addresses comprised a giant virtual Rolodex that included contact information for some major players in the media world. It was a tool the hacker seemed ready to use. Three days before Gawker Media broke the story, the hacker pitched it to a member of News Corp.’s board of directors, and “various executives at Thomson Reuters,” the FBI agent said in the affidavit, dated June 14. Both e-mails were sent “at a time when, according to AT&T’s internal investigation, the breach was still ongoing,” the agent said. The details could prove to be significant if charges are brought against the hacker. If federal investigators believe he sought to profit from the unauthorized access to AT&T’s servers, they could charge him with breaking federal computer crime laws, said a retired FBI agent who investigated computer crimes for the agency. Source: http://www.computerworld.com/s/article/9201309/AT_T_iPad_hacker_fought_for_media_attention_documents_show

62. December 14, Agence France-Presse – (International) Romania smashes international cybercrime ring. Romanian authorities said December 14 they dismantled a cybercrime network blamed for causing more than $13.5 million in losses to firms in the United States, Britain, South Africa, Italy, and Romania. About 50 people were part of the criminal ring headed by two Romanians, said the prosecutor’s office specializing in combating organized crime in a statement. Police arrested 42 people and took them into custody December 14 while several computers and hard disks were seized, the statement said. Ring members were accused of stealing confidential Voice over IP data by cracking servers on the Internet. They would then use the data to make thousands of calls towards surcharged numbers abroad which allowed them to get bonuses for every call, it added. The crackdown coincided with an international forum on cybercrime that ran until December 15. Source: http://www.google.com/hostednews/afp/article/ALeqM5hLUkhy4QJ8p2MIKEd7Zul-dkSLdA?docId=CNG.9d86bd1b9e1dcce9c1b3a0448d6af28b.3b1