Wednesday, November 2, 2011

Complete DHS Daily Report for November 2, 2011

Daily Report

Top Stories

• At least 48 chemical and defense companies, many in the United States, were victims of a coordinated cyber attack traced to a man in China, said security firm Symantec Corp. – Reuters (See item 6)

6. October 31, Reuters – (International) New cyber attack targets chemical firms: Symantec. At least 48 chemical and defense companies were victims of a coordinated cyber attack traced to a man in China, according to a report from security firm Symantec Corp. Computers belonging to these companies were infected with malicious software known as "PoisonIvy," which was used to steal information such as design documents, formulas, and details on manufacturing processes, Symantec said October 31. It said the firms included multiple Fortune 100 corporations that develop compounds and advanced materials, along with businesses that help manufacture infrastructure for these industries. The bulk of the infected machines were based in the United States and United Kingdom, Symantec said, adding the victims include 29 chemicals companies, some of which developed advanced materials used in military vehicles. "The purpose appears to be industrial espionage, collecting intellectual property for competitive advantage," Symantec said in a white paper on the campaign that it dubbed the "Nitro" attacks. The cyber campaign ran from late July through mid-September and was traced to a computer system in the United States owned by a man in his 20s in Hebei province in China, according to Symantec. Researchers said they were not able to determine if the hacker, whom they dubbed "Covert Grove," acted alone or conducted the attacks on behalf of another party or parties. Symantec said the Nitro attackers sent e-mails with tainted attachments to between 100 and 500 employees at a company, claiming to be from established business partners or to contain bogus security updates. When a recipient opens the attachment, it installs "PoisonIvy," a Remote Access Trojan that can take control of a machine and that is easily available over the Internet. While the hackers' behavior differed slightly in each case, they typically identified desired intellectual property, copied it, and uploaded it to a remote server, Symantec said in its report. Dow Chemical Co said it detected "unusual e-mails being delivered to the company" last summer, and worked with law enforcers to address this situation. Source: http://www.reuters.com/article/2011/10/31/us-cyberattack-chemicals-idUSTRE79U4K920111031

• MF Global failed to protect customer accounts by keeping them separate from the firm's funds, leading to the disappearance of hundreds of millions of dollars, according to a U.S. regulator. – Reuters (See item 20)

20. November 1, Reuters – (National; International) Clients scramble for money after MF Global shock. MF Global failed to protect customer accounts by keeping them separate from the firm's funds, a top U.S. regulator said November 1, as administrators to the collapsed brokerage's United Kingdom (UK) arm scrambled to close out billions of dollars worth of client positions. The fall of the group sent shockwaves through commodities markets, as traders feared the damage could spread, or similar problems occur with other players. KPMG, appointed as administrators to MF Global's UK arm, said it had been busy closing out positions all day under a new UK regime set up to prevent a repeat of the slow and painful work-out of the 2008 collapse of Lehman Brothers. KPMG's head of restructuring told Reuters he was confident clients would see their money again: "Our strategy this morning has been ... where we have clients whose position is reconciled, and are due funds, then that money will flow," he said. MF Global's main exchange regulator, the Chicago Mercantile Exchange Group (CME), said the futures broker failed to keep customers' accounts separate from the firm's funds, violating a central tenet of futures brokerage. "CME has determined MF Global is not in compliance with Commodity Futures Trading Commission and CME customer segregation requirements," the company's chief executive said. The New York Times reported federal regulators discovered that hundreds of millions of dollars in customer money — supposed to be segregated, and protected from the rest of the business — had gone missing. MF Global filed for bankruptcy protection October 31. In Australia, trading in grain futures and options was suspended by bourse operator ASX Ltd, prompting concerns about the integrity of the country's agricultural futures market. The London Metal Exchange said in a statement it had suspended MF Global from trading with immediate effect, following a similar move by the CME Group. Source: http://www.reuters.com/article/2011/11/01/mfglobal-exchanges-idUSL5E7M12NY20111101

Details

Banking and Finance Sector

17. November 1, Philadelphia Inquirer – (National) 'Little Nicky' Scarfo's son charged in massive fraud. The son of a jailed Philadelphia mob boss was arrested November 1 on racketeering and fraud charges tied to what federal authorities allege was a massive scheme to defraud a Texas-based financial firm out of millions of dollars. He was one of more than a dozen individuals named in the indictment announced by the U.S. attorney's office in Camden, New Jersey. The man's father and another jailed mob boss were named as unindicted coconspirators in what the indictment charges was a mob-linked criminal enterprise set up to siphon millions from FirstPlus Financial. A former Elkins Park businessman, a south Jersey criminal defense attorney, and several former officials with FirstPlus Financial were among the 13 defendants named in the indictment. Other defendants include accountants, lawyers, and company officials who the indictment alleges were part of a scheme set up to loot FirstPlus. The indictment capped a 3-year investigation by the FBI that became public after search warrants were issued in May 2008 for businesses and homes in Philadelphia, New Jersey, Florida, and Texas. Authorities allege the mobster's son and the Elkins Park businessman were behind-the-scenes operatives who orchestrated a series of business deals in which FirstPlus bought or invested in companies the two had set up in Philadelphia and south Jersey. Authorities allege those companies were shells that performed little or no work, but were set up to allow the pair to take more than $12 million out of FirstPlus. The indictment charges the defendants with being part of a mob-connected racketeering enterprise that engaged in wire fraud, mail fraud, bank fraud, securities fraud, money laundering, extortion, and obstruction of justice. Source: http://www.philly.com/philly/news/132988533.html

18. November 1, Delaware County Daily Times – (Pennsylvania) Ex-Wachovia Bank employee busted in $500G embezzlement scam. A former Wachovia Bank "financial specialist" is behind bars at the Delaware County, Pennsylvania prison, charged with attempting to embezzle more than $500,000 by transferring cash from customer accounts — many belonging to senior citizens — into accounts he had set up, county authorities said October 31. The man faces multiple felony theft, forgery, identity theft, and related offenses. From February 4, 2008, through March 5, 2009, he allegedly transferred $574,314.69 from customer accounts into accounts he established. On March 3 and 5 in 2009, authorities allege he made three unsuccessful attempts to remove funds from the accounts he had set up. The attempts were thwarted by Wachovia after a signature on a check and two suspicious electronic transfers were questioned. Two additional checks drawn on the man's Wachovia accounts in the amount of $9,500 were presented to PNC Bank on March 2 and 3 in 2009 — both of which were returned to PNC based on what authorities said was Wachovia becoming aware of the man's actions. Source: http://www.delcotimes.com/articles/2011/11/01/news/doc4eaf61089d262924546625.txt

19. November 1, Chicago Tribune – (Illinois) Dozen real estate loans at center of FDIC's $127M suit in Mutual Bank failure. The Federal Deposit Insurance Corporation (FDIC) brought a $127 million lawsuit against officers and directors of the Harvey, Illinois-based Mutual Bank, which failed in July 2009. The lawsuit outlines how nearly $1.1 million of the bank's assets were "wasted" on extravagances, such as a $250,000 wedding and a $300,000 board meeting in Monte Carlo, Monaco. Insiders also paid themselves $10.5 million in dividends as the bank was tanking. The bulk of what the FDIC is seeking to recover is the more than $115 million in losses on 12 real estate loans. The FDIC said many of the bank's bad loans, which were concentrated in the hotel industry, originated after the real estate market began its "precipitous" decline in late 2006. Source: http://www.chicagotribune.com/business/ct-biz-1101-bank-suit-follow-20111101,0,2780049.story

21. October 31, Des Moines Register – (Iowa) Former Clarksville bank cashier to plead guilty. A former cashier at Iowa State Bank in Clarksville will plead guilty November 4 to embezzling $6 million over the past two decades, court records show. The former cashier is charged with stealing the money between 1991 and 2010. A bank examination by the Federal Deposit Insurance Corporation in May revealed discrepancies in the bank's general ledger. The FBI and U.S. Secret Service took over the investigation. The bank filed a civil lawsuit against the man in Butler County District Court in June, accusing him of transferring bank funds to his own accounts and hiding the thefts by creating false accounts and transactions. The U.S. attorney's office October 24 filed the embezzlement and identity theft charges, accusing the former cashier of using someone else's name and Social Security number to help him embezzle the money. Source: http://www.desmoinesregister.com/article/20111101/BUSINESS/311010052/-1/GETPUBLISHED03wp-content/Former-Clarksville-bank-cashier-plead-guilty

22. October 31, Associated Press – (Texas) Ex-Laredo bank officer pleads guilty in $8M fraud. A bank officer in south Texas blamed for stealing more than $8 million from customer accounts pleaded guilty October 31 in a fraud investigation. Prosecutors said the former officer pleaded guilty to conspiracy to commit bank fraud, and conspiracy to launder money. The woman was an international banking officer with Compass Bank in Laredo when an audit revealed the 2009 scheme. The officer, in the plea deal, said she used the stolen funds to buy vehicles, make investments, and purchase a condominium on South Padre Island. The woman, who must make restitution, faces up to 30 years in prison on the bank fraud count, and 10 years for conspiracy to launder money. Source: http://www.businessweek.com/ap/financialnews/D9QNF5P01.htm

23. October 31, Hickory Daily Record – (North Carolina) Hickory man pleads guilty to mortgage fraud. A Hickory, North Carolina man pleaded guilty October 31 in federal district court to five charges that he defrauded dozens in the region who sought to buy or finance manufactured homes. He was charged with one count of conspiracy to commit wire fraud and making false statements to the Department of Housing and Urban Development (HUD), two counts of making false statements to HUD, and two counts of wire fraud. He was the manager of Homes America (HA) in Hudson, which was a branch of Phoenix Housing Group out of Greensboro. According to a press release from the U.S. attorney's office, he was involved with up to 154 HUD-insured mortgage loans from 2004 to 2008. Those loans were worth $16 million, and the losses surpassed $4.8 million. He lured customers to HA by misrepresenting financial terms, including stating the business had a rent-to-own program — something it never had, the U.S. attorney's office said. He also collected down payment funds without giving borrowers credit for them, collected borrowers' information through documents, and gave that data to lenders. On some of the documents, he altered or forged information about the customers' assets, income, and credit so they would qualify for mortgages they otherwise would not qualify for. Information from the U.S. attorney's office also stated he obtained inflated appraisals, misrepresented the source of down payment money, and coerced consumers to sign closing documents. He faces a maximum of 29 years in prison and a $1.25 million fine. Phoenix Housing Group, including HA, closed in January 2011 as part of a settlement with the North Carolina Attorney General's Office, according to the U.S. attorney's office. Source: http://www2.hickoryrecord.com/news/2011/oct/31/hickory-man-pleads-guilty-mortgage-fraud-ar-1558720/

Information Technology Sector

40. October 31, SC Magazine – (National) Researcher finds way to send executable file on Facebook. Researchers have discovered a way to evade Facebook security controls to deliver a message on the social networking site that contains an executable file. Facebook normally strips out messages that contain executables from its private messaging feature. But a yet-to-be-fixed vulnerability, discovered by a penetration tester, could enable someone to undermine these security controls by altering the 'POST' request, which is used to send data to a server. The researchers captured the POST query that is sent when attempting to upload an attachment, and altered the coding. "It was discovered the variable 'filename' was being parsed to determine if the file type is allowed or not," according to the vulnerability disclosure. "To subvert the security mechanisms to allow an .exe file type, we modified the POST request by appending a space to our filename variable." Doing this allowed the researchers to "trick the parser" and attach an executable to the message. A bug like this is dangerous because it could allow criminals to send messages that contain malware. Power reported the vulnerability to Facebook September 30, and the company acknowledged its existence October 26. Source: http://www.scmagazineuk.com/researcher-finds-way-to-send-executable-file-on-facebook/article/215679/
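The disclosure above describes a file-type decision made on the raw 'filename' field. As an added example (not code from the article, the researcher, or Facebook), the block below shows a naive denylist check of that kind, which a trailing space slips past, beside a hardened check that canonicalises the name and then applies an allowlist; the extension lists and sample filenames are constructed for illustration.

```python
# Added example: naive vs. hardened attachment-name checks. Extension lists
# and sample filenames are constructed; they are not Facebook's rules.
import os
import unicodedata

BLOCKED_EXTENSIONS = {"exe", "bat", "cmd", "com", "scr", "js", "vbs"}
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}


def naive_is_allowed(filename: str) -> bool:
    """Denylist check on the 'filename' field exactly as received.

    The extension is compared without normalisation, so a trailing space
    turns 'exe' into 'exe ', which is not in the denylist. The check passes,
    yet the stored file still ends in .exe once the filesystem trims it.
    """
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext not in BLOCKED_EXTENSIONS


def normalise_filename(filename: str) -> str:
    """Canonicalise a client-supplied filename before any policy decision."""
    # Collapse Unicode look-alike forms into one representation.
    name = unicodedata.normalize("NFKC", filename)
    # Discard any directory component the client may have sent.
    name = os.path.basename(name.replace("\\", "/"))
    # Drop control characters (including NUL, historically used to truncate).
    name = "".join(ch for ch in name if ch.isprintable())
    # Most filesystems ignore trailing spaces and dots, so judge the name
    # the same way the filesystem will: without them.
    return name.strip().rstrip(". ")


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist check on the canonical filename.

    Only a known-good extension passes; a missing extension, an unknown
    extension, or a name that normalises to nothing is rejected.
    """
    name = normalise_filename(filename)
    if not name or "." not in name:
        return False
    ext = name.rsplit(".", 1)[-1].lower()
    return ext in ALLOWED_EXTENSIONS


# Constructed sample values for the POST 'filename' field -> expected verdict.
SAMPLES = {
    "quarterly.pdf": True,
    "photo.JPG": True,
    "update.exe": False,
    "update.exe ": False,        # the trailing-space case from the disclosure
    "update.EXE": False,         # case variation
    "update.exe.": False,        # trailing dot, trimmed by the filesystem
    "report.pdf\x00.exe": False, # embedded NUL
    "../../update.exe": False,   # path component
}


def compare(samples=SAMPLES):
    """Return {name: (naive verdict, hardened verdict, expected verdict)}."""
    return {name: (naive_is_allowed(name), hardened_is_allowed(name), want)
            for name, want in samples.items()}


if __name__ == "__main__":
    for name, (naive, hard, want) in compare().items():
        flag = "" if hard == want else "  <-- wrong"
        print(f"{name!r:26} naive={naive!s:5} hardened={hard!s:5}{flag}")
```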

41. October 31, SC Magazine – (International) German researchers disclose Amazon cloud vulnerability. Amazon has fixed a cryptographic hole in its Elastic Compute Cloud (EC2) and Simple Storage Service (S3) services that could allow hackers to compromise customer accounts. The signature-wrapping and cross-site scripting (XSS) attacks hijacked control interfaces used to manage cloud computing resources, which allowed attackers to create, modify, and delete machine images, and change administrative passwords and settings. "Effectively, a successful attack on a cloud control interface grants the attacker complete power over the victim's account, with all the stored data included," researchers at Germany's Ruhr University wrote in a paper. In one attack, researchers discovered weaknesses in control interfaces that opened them up to new and known XML signature-wrapping attacks. They generated arbitrary Simple Object Access Protocol (SOAP) messages that were accepted by the control interface because application signature verification and XML interpretation were handled separately. Full compromise required knowledge of a signed SOAP message, while a single arbitrary cloud control operation could be executed with knowledge of a public X.509 certificate. "This attack was made possible by the simple fact the Amazon shop and the Amazon cloud control interfaces share the same login credentials, thus any XSS attack on the (necessarily complex) shop interface can be turned into an XSS attack on the cloud control interface," the researchers wrote. Similar injection attacks also worked against the Eucalyptus cloud computing software. Amazon confirmed the attacks and closed the security holes prior to disclosure, according to the chair of network and data security at the university. Source: http://www.scmagazineuk.com/german-researchers-disclose-amazon-cloud-vulnerability/article/215678/

42. October 31, IDG News Service – (International) Old image resize script leaves 1 million Web pages compromised. A serious code injection vulnerability affecting timthumb, a popular image resize script used in many WordPress themes and plugins, has been exploited in recent months to compromise more than 1 million Web pages, IDG News Service reported October 31. Estimating the impact is not an easy task, according to Web site integrity monitoring vendor Sucuri Security, which has monitored the fallout of this flaw since it was first announced at the beginning of August. The company's researchers have devised a method that involves using Google to search for compromised pages where the malicious code malfunctioned. "If you are familiar with PHP/WordPress, you'll notice that [the attack] is adding the output of this function (counter_wordpress, which calls 91.196.216.30/bt.php) to the header of the compromised site," a Sucuri security spokesman said. Searching for this error on Google returned over 1 million results, and using filters for the last 30 days returned over 200,000. There are other factors to consider as well when trying to estimate the impact, such as the fact that Google results correspond to compromised pages, not Web sites, as one Web site can have multiple pages infected. Also, not all servers have the display_errors feature enabled in PHP, which means no error will be output even if a site is affected. There is no telling how many Web sites compromised by different exploits targeting this vulnerability are out there. The spokesman believes there could be a few million. Source: http://www.computerworld.com/s/article/9221328/Old_image_resize_script_leaves_1_million_Web_pages_compromised

43. October 31, Softpedia – (National) Phishing campaign fakes legitimate Apple emails, steals victims' ID and password. A phishing campaign that trades on the reputation of Apple has been seen invading in-boxes, Softpedia reported October 31. The rogue message closely replicates the alerts customers receive when the company notifies them of changes to their accounts. A Trend Micro researcher came across a message that looked very much like the genuine message he had received not long ago from the Cupertino, California, firm. The fake e-mail seems to come from "do_not_reply@itunes.com" and is sent via smtp.com. Coming with the subject "Account Info Change," it replicates most visual aspects of the real message. The link in the message is masked to look authentic, but in fact it leads the unsuspecting user to a phishing site hosted on a free domain. It asks the customer to provide an ID and a password, which are sent to the masterminds who designed the whole scheme. These credentials provide access to one's Apple account, which contains a lot of sensitive data such as credit card information, address, and phone numbers. Source: http://cyberinsecure.com/phishing-campaign-fake-legitimate-apple-emails-steals-victims-id-and-password/

44. October 30, Dark Reading – (National) Nearly a third of execs say rogue mobile devices are linked to their networks. Organizations are concerned about the dangers posed by unauthorized mobile devices, according to a study published the week of October 24, but many are not sure what is being done about it. According to a Deloitte poll of nearly 1,200 U.S. IT and business executives about mobile security, some 28.4 percent of survey respondents believe there are unauthorized PDAs, tablets, or a combination of both connecting to their enterprise intranets, and particularly their e-mail servers. Nearly 87 percent of respondents think their companies are at risk for a cyberattack originating from a mobile security lapse, the survey said. Yet, according to the survey, 40 percent of respondents do not know whether their organizations have strategies, policies, procedures, or technology controls in place to effectively enforce mobile security. Source: http://www.darkreading.com/insider-threat/167801100/security/news/231901935/nearly-a-third-of-execs-say-rogue-mobile-devices-are-linked-to-their-networks.html

For another story, see item 47 below in the Communications Sector

Communications Sector

45. November 1, Hartford Courant – (Connecticut) AT&T says crews making progress restoring cell phone service. AT&T said November 1 it is progressing in its efforts to restore cell phone service in Connecticut. About 150 of the telecommunications company's Connecticut cell towers sustained damage as a result of the October 29 Nor'easter, resulting in spotty service for some of its wireless phone customers. Cell towers require electricity to function. "We have deployed generators and crews across the storm-impacted areas and are working around the clock to address service issues," the AT&T spokeswoman for the Northeast Region said. "We also continue to work with local Connecticut utility companies as they restore commercial power to affected cell sites and facilities." Bloomfield residents, for example, had their service restored November 1. On October 30, AT&T told state officials 152 cell towers had been damaged by the storm, and that cell phone service would likely be disrupted in some portions of the state, according to the Connecticut governor. Verizon Wireless said October 31 that 10 percent of its network was affected by storm damage. "Overall, the network is performing well. Any scattered service issues we have seen have been attributable to local cable/landline network outages, or lack of available power," a Verizon Wireless spokesman said. Neither telecommunications company would disclose how many cell phone towers it operates in the state, or how many were affected by the storm. Source: http://www.courant.com/business/hc-mobile-phone-outages-20111031,0,4486469.story

46. November 1, Denver Post – (Colorado) Cell phone service restored to northern and central Colorado mountain areas. Wireless cell phone service and long-distance land line telephone service were restored in the Colorado mountains November 1. Service went down October 31 at about 2 p.m. after a "third party" cut a fiber-optic line, a CenturyLink spokesman said. The cut line, in Summit County, knocked out cell phone service to Verizon, AT&T, Sprint, and T-Mobile customers. It affected 32 cell phone tower locations northwest of Frisco, including Steamboat Springs, Craig, and Winter Park. The cut also disrupted long-distance service for land lines. Source: http://www.denverpost.com/breakingnews/ci_19238668

47. October 31, FierceCable – (National) Cable MSOs hustle in snowstorm's wake to restore TV, phone, Internet service. A winter storm that impacted communities from Maryland to Maine over the weekend of October 29 and 30 left cable operators hustling to restore cable TV, phone, and Internet service to subscribers. With leaves still on trees in the Northeast, falling tree limbs sparked power outages and impacted telecom services. "We have a significant number of Connecticut, New Jersey and Westchester/Hudson Valley customers experiencing service disruptions, primarily related to the loss of electrical power," a Cablevision spokesman said October 31. "We have crews in the field and are working around the clock, in cooperation with local utilities, to restore service as quickly as possible," he added. Verizon said it has seen a spike in outages in areas hit hardest by the storm such as parts of New York and Massachusetts. "Our crews are working to restore service, repair downed poles, and do any other necessary work. We've assigned additional field technicians and customer service reps to ensure repairs are tended to," a Verizon spokeswoman said. Some subscribers to Service Electric in northwestern New Jersey also reported October 30 that they had lost phone and high-speed Internet service. Comcast and Time Warner Cable also operate systems in areas impacted by the storm. Source: http://www.fiercecable.com/story/cable-msos-hustle-snowstorms-wake-restore-tv-phone-internet-service/2011-10-31

For more stories, see items 40 and 44 above in the Information Technology Sector