Wednesday, August 3, 2011

Complete DHS Daily Report for August 3, 2011

Daily Report

Top Stories

• A study said Iran recently had to replace thousands of expensive nuclear centrifuges damaged by the Stuxnet worm that targets supervisory control and data acquisition systems, eWeek reports. (See item 7)

7. July 26, eWeek – (International) Iran rips-and-replaces centrifuges post-Stuxnet. A new report suggests Iran's nuclear program has not recovered from the Stuxnet worm as previously believed. It appears Iran is still replacing thousands of expensive centrifuges that were damaged by the worm. Stuxnet was not entirely purged from Iran's nuclear facilities and resurfaced to damage more systems, "Western intelligence sources" told DEBKAfile July 20. DEBKAfile claimed Iran had replaced an estimated 5,000 centrifuges to remove the threat. "Iran finally resorted to the only sure-fire cure, scrapping all the tainted machines and replacing them with new ones," according to the report, noting a spokesperson from Iran's foreign ministry said July 19 it was installing newer and faster centrifuges at its nuclear plants to speed up operations. The worm was among the most sophisticated pieces of malware ever discovered in the wild. It exploited the AutoRun functionality on Windows to infect computers from USB drives. It then used a hardcoded default password for Siemens management applications to compromise the machine before taking over specialized industrial-control computers that ran a proprietary operating system from Siemens. The worm also hijacked the facility's monitoring system to falsely show the machines were functioning normally, preventing officials from catching on to what was really happening. While Stuxnet specifically targeted Siemens industrial process control computers used in nuclear centrifuge operations, an ESET researcher noted there are "plenty other" industrial process automation and control systems being used on "modern critical infrastructure", and that network operators have to assess their threat exposure level and how to mitigate it. Source: http://securitywatch.eweek.com/scada/iran_rip-and-replaces_centrifuges_post-stuxnet.html?kc=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+RSS/security_watch+(eWEEK+Security+Watch+Blog

• Hackers said they posted the names, addresses, and Social Security numbers of 7,000 law enforcement officers stolen from a Missouri Sheriff's Association Web site, according to The Register. (See item 32)

32. August 1, The Register – (International) Hackers dump secret info for thousands of cops. Hackers said they posted the names, addresses, and other personal information of 7,000 law enforcement officers that were stolen from a Missouri Sheriff's Association training academy Web site they compromised, The Register reported August 1. One of the identified individuals confirmed with The Register that the data listed for him in the 938 kilobyte file was accurate. Many of the entries include officers' Social Security numbers, e-mail addresses, and the usernames and passwords for their accounts on the Web site. AntiSec claimed responsibility and said the data dump was made in retaliation for the recent arrest of 14 people accused of participating in a Web attack in December that strained server capacity for PayPal. Many of the passwords employed by the officers were ordinary dictionary words, or were identical to their names or badge numbers, demonstrating some of the same mistakes other users make in setting up security pass codes. Assuming the officers used the same password for other accounts, as is common, their e-mail accounts would also be compromised. The file suggests the training site failed to follow industry best practices by securing the password database with one-way hashes to prevent the passwords from being read by attackers. Source: http://www.theregister.co.uk/2011/08/01/missouri_cops_hacked/
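The two failures this item describes, a password table stored without one-way hashes and passwords equal to a dictionary word, name or badge number, both have straightforward server-side fixes. The following is an added example written for this digest; it is not code from the breached site or from The Register, and the iteration count, word list, user names and badge numbers are constructed for illustration.

```python
"""
Salted one-way password storage plus a weak-password screen, added here
as an example for the Missouri Sheriffs' Association story above.  This
is not code from the breached site or from The Register; every user
record and word list below is constructed sample data.
"""
import hashlib
import hmac
import os
from typing import List, Optional

# Assumption: PBKDF2 work factor chosen for illustration; tune to your hardware.
PBKDF2_ITERATIONS = 200_000

# Constructed stand-in for a real dictionary wordlist.
COMMON_WORDS = {"password", "police", "sheriff", "welcome", "summer", "badge"}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable 'pbkdf2_sha256$iterations$salt_hex$hash_hex' record.

    A fresh random salt per user means two officers who pick the same
    password still get different records, and a leaked table cannot be
    reversed with a single precomputed lookup.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def password_problems(password: str, *, name: str, badge: str) -> List[str]:
    """Return the reasons a candidate password is rejected; empty means acceptable.

    The checks mirror the failures the article describes: dictionary
    words, and passwords identical to the user's name or badge number.
    """
    problems = []
    lowered = password.lower()
    name_parts = {part.lower() for part in name.split()}
    if len(password) < 10:
        problems.append("shorter than 10 characters")
    if lowered in COMMON_WORDS:
        problems.append("dictionary word")
    if lowered in name_parts or lowered == name.lower().replace(" ", ""):
        problems.append("equals the user's name")
    if password == badge:
        problems.append("equals the badge number")
    return problems


if __name__ == "__main__":
    # Constructed sample user; the stored record contains no plaintext.
    record = hash_password("long-and-unrelated-to-my-name")
    print(record)
    print(verify_password("long-and-unrelated-to-my-name", record))
    print(password_problems("sheriff", name="Jane Smith", badge="4471"))
```

The stored record carries its own algorithm tag, iteration count and salt, so the work factor can be raised later and old records re-hashed on the user's next successful login without a schema change.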

Details

Banking and Finance Sector

12. August 2, phillyBurbs.com – (New Jersey) Former TD Bank worker indicted in fraud scheme that included county branches. A federal grand jury July 28 indicted a former TD Bank employee for her alleged role in a scheme involving fraudulent withdrawals totaling nearly $70,000 from branches in Burlington and Camden counties in New Jersey between October 2010 and February 2011. The 27-year-old of Philadelphia was charged with conspiracy, bank fraud, and aggravated identity theft, states an indictment filed July 28 with the U.S. attorney’s office in Philadelphia. The woman, who worked as a call-center representative and then as a customer-service representative, faces a maximum sentence of 41 years in prison, a fine of $2 million, and 5 years of supervised release if convicted. The indictment alleges a co-conspirator provided Social Security numbers to the woman in exchange for account information. The co-conspirator then used the improperly obtained data to withdraw $67,800 from three accounts using check runners who presented fake identification to access the accounts, the indictment says. A federal complaint filed against the co-conspirator and another accomplice alleges the two executed, aided, and abetted a scheme to defraud a federally insured bank; committed, aided, and abetted aggravated identity theft; and possessed and conspired to distribute Oxycodone. TD Bank officials confirmed August 1 the woman is no longer employed with the company, and that the affected customers were notified. Source: http://www.phillyburbs.com/news/local/burlington_county_times_news/breaking_news/former-td-bank-worker-indicted-in-fraud-scheme-that-included/article_9d6f8c55-eeb2-5561-a767-e50285c45304.html

13. August 2, Philadelphia Inquirer – (Pennsylvania) Bandit wanted in spree of bank robberies captured. A convicted bandit wanted in a string of bank robberies last month was captured July 31 at a motel near Philadelphia, Pennsylvania. Authorities said the 48-year-old suspect had been holed up in Trevose at the Lincoln Motel on Route 1. The suspect, wanted in four bank heists and a suspect in several others, did not surrender peacefully, according to an FBI spokesman. When confronted by Bensalem police, he fled back to his room. The suspect, whom the FBI considered armed and dangerous, refused to follow officers' commands, authorities said. Police released a K-9 dog, and the suspect became more cooperative and was taken into custody. He had previously served 6 years for bank robberies before being released from federal custody July 2. Nine days later, authorities said, he returned to his old tricks. According to the FBI, the suspect attempted to hold up the Bank of America office at 1841 E. Allegheny Avenue shortly after 12 p.m. July 11. Though he ran away without cash, authorities said, 5 successful heists came in quick succession. Source: http://www.philly.com/philly/news/pennsylvania/126558183.html

14. August 1, Houston Chronicle – (Texas) Regulators: Salinas' ruse topped $50M. A basketball booster, his companies, and an associate engaged in "fraudulent schemes" with more than $50 million in investors' money, including sales of bogus corporate bonds and loans to affiliated companies, regulators alleged in civil documents August 1. The booster committed suicide in July as regulators began investigating the alleged scheme that reportedly included prominent college coaches among its victims. In a lawsuit filed August 1 in U.S. district court in Houston, the U.S. Securities and Exchange Commission (SEC) alleged the booster, his companies, and the associate sold fake corporate bonds. The SEC also alleged the associate's firm, Select Asset Management, created two private funds that raised $13.9 million from investors without telling them the funds made loans to affiliated companies — including $2 million to Selected Market Insurance Group, a company owned mostly by the booster. The SEC asked the court to appoint a receiver to oversee the companies, and to freeze the assets of the companies and the estates of the booster and his associate. The State Securities Board also took action in the case August 1, moving to revoke the security registrations of the associate and Select Asset Management, which regulators allege sold bonds through the booster's firm. Source: http://www.chron.com/disp/story.mpl/business/7678901.html

Information Technology Sector

35. August 2, IDG News Service – (International) Zero-day vulnerability found in a WordPress image utility. Hackers are exploiting a problem with an image-resizing utility called TimThumb that is widely used in many themes for the blogging platform WordPress, although some fixes have been made to the latest version. The CEO of Feedjit discovered the problem when his own blog, which had never carried ads, started loading ad content. He blogged about the problem, tracing it to an issue with the "timthumb.php" library, which is used within the theme he purchased for his blog. TimThumb is "inherently insecure" because it writes files into a directory when it fetches an image and resizes it, the CEO said. An attacker can compromise the site by figuring out how to get TimThumb to grab a malicious PHP file and put it in the WordPress directory. The code will be executed if an attacker then accesses the file using a Web browser. To stop the problem, the CEO said users should remove TimThumb or limit its access to other Web sites, and should update to the latest version of TimThumb. Source: http://www.networkworld.com/news/2011/080211-zero-day-vulnerability-found-in-a.html
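The weakness described here is a fetcher that writes whatever a remote server returns into a web-served directory. "Limit its access to other Web sites" translates into three checks a resizer should make before it writes anything: an exact hostname allowlist, content sniffing that accepts only image bytes, and a cache filename derived from the content rather than the URL. The block below is an added illustration of those checks in Python; it is not TimThumb's code or any WordPress project's code, and the allowlist, sample URLs and sample bytes are constructed.

```python
"""
Validation a remote-image fetcher should do before writing anything to a
web-served cache directory.  This is an added example for the TimThumb
story above, not TimThumb's own code or any WordPress project's code;
the allowlist, sample URLs and sample bytes are constructed.
"""
import hashlib
from typing import Optional, Set, Tuple
from urllib.parse import urlparse

# Assumption: the site operator maintains this allowlist of image hosts.
ALLOWED_HOSTS = {"img.example.com", "cdn.example.org"}

# Leading bytes of the formats a resizer needs to accept.
IMAGE_SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Constructed sample body: a PNG signature padded with zero bytes.
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def is_allowed_source(url: str, allowed_hosts: Set[str] = ALLOWED_HOSTS) -> bool:
    """Accept only http(s) URLs whose parsed hostname is exactly on the allowlist.

    Comparing the parsed hostname, rather than searching the URL string
    for an allowed domain name, is what keeps look-alike hosts out.
    """
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return False
    return (parsed.hostname or "").lower() in allowed_hosts


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return 'png', 'jpg' or 'gif' from the magic bytes, or None for anything else."""
    for magic, ext in IMAGE_SIGNATURES.items():
        if data.startswith(magic):
            return ext
    return None


def validate_remote_image(url: str, data: bytes,
                          allowed_hosts: Set[str] = ALLOWED_HOSTS) -> Tuple[bool, str]:
    """Return (True, cache filename) when the body may be stored, else (False, reason)."""
    if not is_allowed_source(url, allowed_hosts):
        return False, "host not on allowlist"
    ext = sniff_image_type(data)
    if ext is None:
        return False, "content is not a supported image"
    # A body that starts like an image but also carries a PHP open tag is
    # refused: the cache directory is web-served, so nothing that a PHP
    # handler could interpret is written there under any name.
    if b"<?php" in data.lower():
        return False, "image contains a PHP open tag"
    # Name by content hash and sniffed type; the remote filename is never reused.
    return True, f"{hashlib.sha256(data).hexdigest()}.{ext}"


if __name__ == "__main__":
    print(validate_remote_image("https://img.example.com/logo.png", SAMPLE_PNG))
    print(validate_remote_image("https://uploads.example.net/logo.png", SAMPLE_PNG))
```

Pairing these checks with a web-server rule that refuses to execute scripts from the cache directory gives two independent layers, so a mistake in one does not by itself turn the cache into a code-execution path.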

36. August 1, The Register – (International) Sneaky trojan exploits e-commerce flaws. A security flaw in osCommerce, an open source e-commerce package, created a means for criminals to compromise 90,000 Web pages with redirection scripts that ultimately directed surfers towards a site serving up an exploit toolkit designed to compromise visitors' PCs. "The attackers inserted an iframe that leads to certain URLs in each of these sites, triggering several redirections," an analysis of the attack published by Trend Micro explains. "The redirections finally lead to an exploit kit that abuses the following vulnerabilities in an attempt to download a malicious file onto systems," it noted. "This malware searches for internet caches, cookies, and histories in order to steal login credentials and other data used for specific websites, usually banks and other financial institutions," Trend Micro adds. "Joric-BRU then forwards the stolen information to specific websites." The attack plants exploit code on e-commerce sites, where surfers expect a more trusted environment. In addition, the malware used in the attack attempts to delete itself from compromised systems after rifling through them for log-in credentials, a feature that differentiates the banking trojan from better known threats such as the ZeuS Trojan. Older versions of osCommerce are subject to a directory traversal vulnerability as well as an XSS vulnerability for version 2.2-MS2. Source: http://www.theregister.co.uk/2011/08/01/banking_trojan_exploits_ecommerce_website_flaws/
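The injected iframe is the first hop of the redirection chain, and it is also the part a shop owner can find on their own server. A periodic scan of stored catalogue pages that flags iframes pointing off-site or made invisible is a practical detection. The scanner below is an added example written for this digest, not Trend Micro's or osCommerce's code; the page fragment and hostnames it runs over are constructed.

```python
"""
Scan stored page HTML for iframes a site owner did not put there, as an
added example for the osCommerce story above.  It is not Trend Micro's
or osCommerce's code; the page fragment and hostnames are constructed.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self) -> None:
        super().__init__()
        self.iframes: List[Dict[str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _is_tiny(value: Optional[str]) -> bool:
    """True for width/height attributes of 0 or 1 pixel."""
    try:
        return int(str(value).lower().rstrip("px")) <= 1
    except ValueError:
        return False


def _is_hidden(attrs: Dict[str, Optional[str]]) -> bool:
    """Hidden via inline style or via a zero-size frame."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    return _is_tiny(attrs.get("width")) or _is_tiny(attrs.get("height"))


def suspicious_iframes(html: str, own_hosts: Set[str]) -> List[Tuple[str, List[str]]]:
    """Return (src, reasons) for each iframe that is off-site and/or hidden.

    own_hosts is the set of hostnames the shop legitimately embeds from;
    relative src values are treated as on-site.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or "").lower()
        reasons = []
        if host and host not in own_hosts:
            reasons.append(f"off-site src host {host}")
        if _is_hidden(attrs):
            reasons.append("hidden (zero-size or display:none)")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed catalogue page: one legitimate embed, one injected iframe.
SAMPLE_PAGE = """
<html><body>
<h1>Product 42</h1>
<iframe src="https://shop.example.com/reviews?id=42" width="600" height="300"></iframe>
<p>Buy now</p>
<iframe src="http://redirector.example.net/in.php" width="0" height="0"
        style="visibility: hidden"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, {"shop.example.com"}):
        print(src, "->", "; ".join(reasons))
```

Run against every stored product and category page, any finding is worth a look, and a finding on pages that were unchanged in the shop's own change log is a strong sign the content was modified through a hole such as the directory traversal and XSS flaws the item names.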

37. July 30, Softpedia – (International) Anonymous develops new denial of service tool. Anonymous supporters appear to have built a new denial of service tool that is said to exploit SQL vulnerabilities to support the group's future campaigns. The tool is very effective: a 17-second attack from a single machine resulted in a 42-minute outage on Pastebin July 29, Softpedia reported July 30. According to The Tech Herald, which spoke with its creators, the new tool is called RefRef and is developed in JavaScript. This means that it works in any modern browser on any operating system, including those in smartphones and tablets. The effectiveness of RefRef is due to the fact it exploits a vulnerability in a widespread SQL service. The tool works by turning the servers against themselves. It sends malformed SQL queries carrying the payload, which in turn forces the servers to exhaust their own resources. The flaw is apparently known but not widely patched yet. The tool's creators do not expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they do not believe organizations will rush to patch this flaw en masse before being hit. Source: http://news.softpedia.com/news/Anonymous-Develops-New-Denial-of-Service-Tool-214313.shtml

38. July 28, BBC News – (International) Millions hit in South Korean hack. South Korea has blamed Chinese hackers for stealing data from 35 million accounts on a popular social network. The attacks were directed at the Cyworld Web site as well as the Nate Web portal, both run by SK Communications. Hackers are believed to have stolen phone numbers, e-mail addresses, names, and encrypted information about the sites' many millions of members. It follows a series of recent cyber attacks directed at South Korea's government and financial firms. Government ministries, the National Assembly, the country's military HQ, and networks of U.S. Forces based in Korea were also hit. The Korean Communications Commission claimed to have traced the source of the incursion back to computer IP addresses based in China. Source: http://www.bbc.co.uk/news/technology-14323787

Communications Sector

39. August 2, The Register – (International) Sun compo entrants' privates exposed in public. Security lapses at News International exposed the e-mail addresses and other personal data of readers who entered competitions in The Sun, England's biggest-selling daily newspaper. The names, addresses, phone numbers and dates of birth of thousands of people were also exposed by the hack, reckoned to have probably taken place at the same time The Sun's Web site was hacked in July to redirect surfers towards a fictitious story on the supposed death of the paper's media mogul founder and owner. Some of the data, including applications for the Miss Scotland beauty contest, has already been posted online. Entrants to a Wrigleys football competition, an Xbox competition, details of royal wedding well-wishers, and information from a forum for bullied people were also uploaded to Pastebin, The Guardian reported. The data was uploaded by an individual who praised the actions of Anonymous as a whole and LulzSec, the hacktivist sub-group that returned from semi-retirement to carry out the July 19 Sun redirection hack. Miscreants could use the stolen data to mount targeted phishing scams. Neither financial information nor passwords were exposed by the breach. Source: http://www.theregister.co.uk/2011/08/02/sun_compo_entrants_email_hack/

40. August 1, Nashville Tennessean – (Tennessee) AT&T cell tower problem affects Music Row-area customers. A problem with a cellular tower was leading to dropped calls and spotty service for AT&T customers in the Music Row area of Nashville, Tennessee, August 1. A spokeswoman for AT&T said the company was aware of a problem in the area, and that technicians were working "around the clock" to address it. "AT&T customers may be experiencing a temporary service interruption while placing or receiving calls on their wireless device," she said. The company did not have a timetable for resolving the problem. Source: http://www.tennessean.com/article/20110801/NEWS01/308010061/AT-T-cell-tower-problem-affects-Music-Row-area-customers?odyssey=mod|newswell|text|FRONTPAGE|s

41. August 1, Federal Communications Commission – (International) FCC announces major spectrum-sharing agreements with Canada and Mexico enabling 4G wireless broadband and public safety communications in the border areas. The Federal Communications Commission (FCC) announced August 1 it has reached arrangements with Industry Canada and Mexico's Secretariat of Communications and Transportation (SCT) for sharing commercial wireless broadband spectrum in the 700 MHz band along the U.S.-Canadian and U.S.-Mexican border areas. The FCC also reached an arrangement with Industry Canada for sharing spectrum in the 800 MHz band. These actions will help support commercial broadband services and public safety mission-critical voice communications. The technical sharing principles reached on 800 MHz will pave the way for completion of 800 MHz rebanding by U.S. public safety and commercial licensees operating along the U.S.-Canadian border. The FCC ordered rebanding to alleviate interference to public safety licensees in the band caused by commercial cellular licensees. The arrangement specifies (1) how primary channels will be allotted between the United States and Canada, (2) the technical parameters for operation on these channels within 140 kilometers (87 miles) of the common border, and (3) a schedule for transitioning facilities from the channels needed by the United States to complete rebanding along the U.S.-Canadian border. Source: http://www.fcc.gov/document/fcc-announces-major-spectrum-sharing-agreements-canada-and-mexico-enabling-4g-wireless-broa
