Thursday, December 8, 2011

Complete DHS Daily Report for December 8, 2011

Daily Report

Top Stories

• Hundreds of customers who used their debit cards at a California supermarket chain had money stolen from their bank accounts while company executives diligently checked self-checkout terminals at the chain's 233 stores. – Santa Rosa Press Democrat See item 10 below in the Banking and Finance Sector

• Adobe confirmed December 6 an unpatched vulnerability in Adobe Reader is being exploited by hackers in attacks that may be targeting defense contractors. – Computerworld See item 32 below in the Information Technology Sector

Details

Banking and Finance Sector

10. December 7, Santa Rosa Press Democrat – (California) Outwitted by high-tech scammers, Lucky delayed warning customers of security breach. Lucky Supermarket executives, foiled by criminals using wireless technology to download customer financial information from self-checkout terminals in Petaluma, California, and across the Bay Area, delayed notifying customers because they thought they had prevented a security breach, the Santa Rosa Press Democrat reported December 7. However, as officials took 3 weeks to diligently check each terminal at the company's 233 stores, criminals continued to access debit card and PIN numbers and then began draining cash from bank accounts of Lucky customers. Most debit and credit card skimmers store data and then are physically retrieved by someone who downloads the information, the chief financial officer (CFO) of Lucky's corporate owner, Save Mart Supermarkets, said. Because Lucky officials seized the devices, they believed any data in them was secure. On December 6, reports from Petaluma residents who discovered unauthorized withdrawals from their bank accounts after shopping at Lucky continued to pour into the Petaluma Police Department and swelled to 112, a Petaluma police lieutenant said. Also, more reports of suspicious bank withdrawals flooded the company's customer service hotline, company officials said. Officials eventually learned the devices transmitted financial data using Bluetooth wireless technology. The U.S. Secret Service is investigating what appears to be a widespread scheme. They sent the device for analysis to a unit with special technology skills, the CFO said. Lucky Supermarkets maintenance crews first noticed a suspicious device November 3 in a self-checkout terminal at a Mountain View store, company officials said. On November 11, technicians began examining terminals at the company's stores across California and Nevada. They discovered out-of-place computer boards at 15 stores and removed them that day. The last suspicious device was removed November 16, and by November 22 technicians had checked all of the company's 233 stores. The computer devices had been installed in one terminal per store. On November 23, the company posted an alert about the breach on its Web site, which it updated to include all 23 stores December 6. Source: http://www.pressdemocrat.com/article/20111206/ARTICLES/111209657/1033/news?p=all&tc=pgall&tc=ar

11. December 6, KMOV 4 St. Louis – (Missouri) 'Logo bandit' connected to multiple bank robberies in St. Louis area. The FBI believes there is a serial bank robber working in the St. Louis area, and agents are calling him the "logo bandit," KMOV 4 St. Louis reported December 6. The suspect has been connected to four area bank robberies. The robberies happened over the last 3 months. In each case, officials said the suspect had a similar physical description, a similar method of operation of using a demand note but no weapon, and each time he was seen wearing clothing or a baseball cap with a logo. Source: http://www.kmov.com/news/local/Logo-bandit-connected-to-multiple-bank-robberies-in-St-Louis-area-135145958.html

For another story, see item 28 below in the Information Technology Sector

Information Technology

27. December 7, IDG News Service – (International) Cross-site scripting flaws plague Web apps, report says. Cross-site scripting flaws are the most prevalent vulnerabilities found in Web applications, posing a risk to data and intellectual property, according to a study of thousands of applications by vendor Veracode released December 7. Veracode analyzed more than 9,900 applications that were submitted to its cloud-based scanning service over the last 18 months. For Web applications, 68 percent contained cross-site scripting flaws, Veracode found in its study. Cross-site scripting is an attack in which a script drawn from another Web site is allowed to run even though it should not, and it can be used to steal information or potentially cause other malicious code to run. Veracode also found that 32 percent of Web applications contained a SQL injection problem, a type of issue where commands entered into Web-based forms are executed, potentially returning sensitive data. Other prevalent flaws Veracode found were CRLF (Carriage Return Line Feed) injection issues, which can allow an attacker to control a Web application or steal information, the report said. Source: http://www.computerworld.com/s/article/9222474/Cross_site_scripting_flaws_plague_web_apps_report_says?taxonomyId=17

28. December 7, Help Net Security – (International) Fake Verizon notification carries malware. A spam e-mail campaign aiming to infect users with a banking trojan is currently underway and is targeting mobile carrier customers, Microsoft has warned, Help Net Security reported December 7. The e-mail purports to be coming from Verizon, and tries to make the recipient feel a sense of urgency by claiming it contains important account information from Verizon Wireless. The message starts with the unusual greeting of "Hello Dear!," and proceeds to try to convince the users they have to pay a rather large bill (the amount varies from $250 to over $1,500). "View all your recent bills in application materials," says the e-mail, and offers an attached ZIP file named Verizon-Wireless-Account-StatusNotification_#######.zip, with random numbers used in the name. The archive contains a similarly named executable, which is detected as a variant of the Zeus banking trojan, and Microsoft warns a similar campaign carrying the same payload has already been started using e-mails pretending to deliver a critical update for Adobe Acrobat Reader and Adobe X Suite. Source: http://www.net-security.org/malware_news.php?id=1926

29. December 7, H Security – (International) XSS vulnerabilities can affect embedded browsers in mobile apps. A security researcher has noted the use of embedded browsers in mobile applications can make those applications vulnerable to cross-site scripting (XSS) attacks, H Security reported December 7. Developers of mobile software found it can be effective to embed a smartphone operating system's Web browser and then create their user interface using HTML, CSS, and JavaScript. The user interface is then more portable to other devices and is easier to customize using CSS. However, this convenience comes at a cost. A researcher, who is presenting his findings at TakedownCon, found some developers do not clean the data being sent to their HTML-based user interface. Source: http://www.h-online.com/security/news/item/XSS-vulnerabilities-can-affect-embedded-browsers-in-mobile-apps-1391326.html
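Items 27 and 29 both come down to the same defect: data from an untrusted source is concatenated into HTML that a browser (a Web app page, or the embedded browser inside a mobile app) then parses. The following is an added example, not code from the DHS report or the cited articles, written in plain JavaScript so it runs without a DOM. The greeting template, the `escapeHtml` helper, the `containsForeignTag` check and the sample profile name are all constructed for illustration.

```javascript
// Added example (not from the report or the cited articles): why unescaped data
// placed into an HTML-based UI becomes a cross-site scripting (XSS) bug, and the
// standard fix of escaping for the HTML text context before inserting it.
// Both renderers return markup strings, so this runs under Node with no DOM.

// Escape the five characters that let data break out of HTML text or attribute
// context. Ampersand must be handled first so existing entities are not double-encoded
// in the wrong order.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the untrusted display name is spliced straight into markup
// that the embedded browser will parse, so any tag in the data becomes part of the page.
function renderGreetingUnsafe(displayName) {
  return '<p class="greeting">Hello, ' + displayName + '</p>';
}

// Hardened pattern: the same view, but the data is escaped for the HTML text context.
// (Attribute values, URLs and inline script need their own context-specific encoders.)
function renderGreetingSafe(displayName) {
  return '<p class="greeting">Hello, ' + escapeHtml(displayName) + '</p>';
}

// A cheap check a test suite can run over rendered views: does the markup contain
// any tag other than the template's own <p> ... </p>? Constructed helper, not a
// substitute for a real HTML parser, but enough to catch injected elements here.
function containsForeignTag(markup) {
  const tags = markup.match(/<\/?[a-zA-Z][^>]*>/g) || [];
  return tags.some(function (tag) { return !/^<\/?p(\s|>)/.test(tag); });
}

// Constructed sample input: a profile name returned by a back-end API without
// sanitising. Anything an attacker can write into that field would arrive the same way.
const constructedName = 'Mallory <script>document.title="owned"</script>';

console.log('unsafe:', renderGreetingUnsafe(constructedName));
console.log('safe:  ', renderGreetingSafe(constructedName));
console.log('injected tag in unsafe output?', containsForeignTag(renderGreetingUnsafe(constructedName)));
console.log('injected tag in safe output?  ', containsForeignTag(renderGreetingSafe(constructedName)));
```

The escaping here is only correct for the HTML text context; a value dropped into an attribute, a URL, a style block or a JavaScript string needs the encoder for that context, and the usual framework templating engines already apply the right one. For an embedded browser the data source matters as much as the encoding: the same unescaped string can arrive over a native-to-JavaScript bridge as easily as from a form field.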

30. December 6, The Register – (International) CNET slammed for wrapping Nmap downloads with cruddy toolbar. CNET has come under fire for wrapping downloads of the popular Nmap network analysis tool and other open-source software packages with a toolbar of dubious utility. Nmap is a popular open-source network auditing and penetration-testing tool that allows sysadmins to run network troubleshooting and penetration tests. Over the last few days, users who downloaded the tool from CNET's popular download.com site have been, by default, offered it in conjunction with the Babylon Toolbar. Sysadmins can opt out of receiving the toolbar, which changes their browsing experience, home page, and default search engines, but they are clearly directed towards accepting the software, Sophos demonstrates. The developer of Nmap cried foul over the way the toolbar has been pushed, objecting in a post to the North American Network Operators' Group mailing list. He added that consumers downloading VLC, the popular open-source media player software, are also being offered the Babylon toolbar, via what he described as a "trojan installer." Several anti-virus firms apparently agree with this assessment because CNET's Nmap installer is already detected as a trojan by BitDefender and F-Sc and as a potentially unwanted program by Panda, McAfee, and others, according to VirusTotal. Source: http://www.theregister.co.uk/2011/12/06/cnet_nmap_toolbar_wrapping_row/

31. December 6, IDG News Service – (International) Symantec says spam levels fall to lowest in three years. Global spam fell to the lowest level in 3 years in a sign that spammers may be getting a better rate of return by hitting social-media Web sites instead, according to the latest figures released December 6 from Symantec. About 70.5 percent of all e-mail was spam, a still-high figure but one that is much lower than a few years ago, when it was well over 90 percent. Symantec calculated the percentage by analyzing some 8 billion messages it processed a day in November, according to the company's latest MessageLabs Intelligence Report. Spam volumes dipped in March after Microsoft, law enforcement, and other companies joined forces to take down Rustock, a large botnet responsible for sending up to 30 billion spam messages per day. Source: http://www.computerworld.com/s/article/9222447/Symantec_says_spam_levels_fall_to_lowest_in_three_years?taxonomyId=17

32. December 6, Computerworld – (International) Hackers exploit Adobe Reader zero-day, may be targeting defense contractors. Adobe confirmed December 6 an unpatched vulnerability in Adobe Reader is being exploited by criminals. Those attacks may have been aimed at defense contractors. Adobe promised to patch the bug in the Windows edition of Reader and Acrobat 9 no later than the end of the week of December 12. "A critical vulnerability has been [found] in Adobe Reader X (10.1.1) and earlier versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Unix, and Adobe Acrobat X (10.1.1) and earlier versions for Windows and Macintosh," Adobe said in an early-warning e-mail. "This vulnerability could cause a crash and potentially allow an attacker to take control of the affected system." The company issued a security advisory with what information it was willing to share. Adobe acknowledged the vulnerability is being exploited in what it called "limited, targeted attacks" against Reader 9.x on Windows, but did not provide any additional information about where and when the attacks were occurring, or who had been targeted. Adobe identified the bug as a "U3D memory corruption vulnerability." U3D (universal 3D) is a compressed file format standard for 3-D graphics data promoted by a group of companies, including Adobe, Intel, and Hewlett-Packard. Reader vulnerabilities are typically exploited by attackers using malicious PDF documents that are attached to e-mail messages with baited subject lines that try to dupe recipients into opening the document. Doing that also executes the malicious code — in this case, likely malformed U3D data — hidden in the PDF, compromising the victim's PC and letting the attacker infect the machine with other malware. The attacks exploiting the unfixed flaw may have targeted U.S. defense contractors: Adobe originally credited the security response teams at both Lockheed Martin and MITRE with reporting the vulnerability. Source: http://www.computerworld.com/s/article/9222454/Hackers_exploit_Adobe_Reader_zeo_day_may_be_targeting_defense_contractors?taxonomyId=17

For more stories, see items 10 above in the Banking and Finance Sector and 33 and 34 below in the Communications Sector

Communications Sector

33. December 7, WLFI 18 Lafayette – (Indiana) Cut fiber behind Frontier outage. A cut fiber was to blame for a service outage for Frontier Communications customers in the Lafayette, Indiana area December 6. A Frontier Communications manager said the fiber was cut somewhere between Lafayette and Milford. He said the cut fiber impacts high speed and long-distance customers. As of 6:45 p.m. December 6, he said some service had already been restored. Source: http://www.wlfi.com/dpp/news/local/cut-fiber-behind-frontier-outage

34. December 7, Associated Press – (South Dakota) Outage hits AT&T wireless customers in central South Dakota; cut fiber optic line is blamed. A cut Century Link fiber optic line was blamed for an outage that affected AT&T wireless customers in South Dakota December 6. KCCR 1240 Pierre reported voice and data services were disrupted for about 7 hours December 6. Police in Pierre said there was no apparent disruption to the emergency 911 system in the capital city. The state public utilities commission gathered information December 7 about the outage that ended about 11 p.m. December 6. Source: http://www.aberdeennews.com/news/sns-bc-sd--cellserviceoutage,0,4108517.story

For another story, see item 28
