Monday, February 14, 2011

Complete DHS Daily Report for February 14, 2011

Daily Report

Top Stories

• The Pittsburgh Post-Gazette reports an Indiana County, Pennsylvania, power plant already facing a series of pollution lawsuits was the scene of a steam pipe blast that injured six workers February 10. (See item 2)

2. February 11, Pittsburgh Post-Gazette – (Pennsylvania) Six hurt in power plant blast. An Indiana County, Pennsylvania, power plant already facing a series of pollution lawsuits was the scene of a steam pipe blast that injured six workers February 10. A 6-inch pipe containing steam under high pressure burst at 7:45 a.m. on the sixth floor of the plant’s Unit One, said a spokesman for Edison Mission Group, the parent company of plant operator, EME Homer City Generating LP. The break in the pipe tripped the unit’s automatic safety systems, shutting the unit down. The other two units were operating normally, he said. The rupture prompted an explosion of steam but did not cause a fire. The extent of damage has yet to be determined. Firefighters from the Coral/Graceton Volunteer Fire Department and the Homer City Fire Department were called to clear a landing site for three medical helicopters. Helicopters took three workers to West Penn Hospital, where a hospital spokeswoman said the men were in fair condition in the burn unit. The three other workers were driven to the Indiana Regional Medical Center, where they were treated and released, a hospital spokeswoman said. All of the employees at the 1,884-megawatt plant were evacuated and accounted for. Source: http://www.post-gazette.com/pg/11042/1124627-455.stm

• According to the Associated Press, safety experts are puzzled about why reports of mistakes by U.S. air traffic controllers in the past year have nearly doubled in a time of unparalleled aviation safety. (See item 20)

20. February 11, Associated Press – (National) Air traffic control error numbers double. Safety experts are puzzled about why reports of mistakes by air traffic controllers have nearly doubled in a time of unparalleled aviation safety in the United States. The Federal Aviation Administration said in the 12 months ending September 30, 2010, there were 1,889 operation errors — usually aircraft coming too close together. During the same period 1 year earlier, there were 947 errors. And the year before that — 1,008 errors. One air traffic controller at the facility in Ronkonkoma, New York, said there’s a lax atmosphere in the control room. He said he’s complained to the Transportation Department’s Inspector General and to the Office of Special Counsel about controllers sometimes watching movies and playing with electronic devices during nighttime shifts when traffic is slower. The facility where the air traffic controller works handled the latest near midair collision of an American Airlines jet with 259 people aboard and two Air Force transport planes southeast of New York City. Source: http://www.weartv.com/template/inews_wire/wires.national/2cde2cd8-weartv.com.shtml

Details

Banking and Finance Sector

12. February 9, Softpedia – (International) RSA researchers confirm ZeuS code and features in SpyEye. Security researchers from RSA have confirmed that the author of SpyEye is working on a “super trojan” by merging features from ZeuS into his own creation, sometimes by copying entire chunks of code. The most important addition from ZeuS so far is the HTML injection engine for Internet Explorer, which is a core component in such banking trojans. The author of SpyEye acknowledged that ZeuS’s mechanism was practically copied in its entirety without any major modifications. According to the RSA researchers, the main reason ZeuS’s injection component was better is its handling of cached pages. The old SpyEye mechanism was only capable of injecting code into HTML pages as they were being downloaded from the Internet; on repeated visits, however, the browser loads the page from its cache. Because of this, SpyEye deleted the cache after every injection to make sure the page was always downloaded from the server. ZeuS, by contrast, is capable of injecting rogue code into cached pages, making its mechanism more reliable. Source: http://news.softpedia.com/news/RSA-Researchers-Confirm-ZeuS-Code-and-Features-in-SpyEye-183464.shtml

13. February 10, Help Net Security – (International) Credit score checking app triggers Trojan download. The main reason people get scammed and/or have their computers infected online is that they cannot contain their curiosity, and that is precisely what the peddlers of a small application for checking the credit scores and criminal records of Brazilian citizens are counting on. The application is offered for download on a public forum and is simple: it only presents information harvested from public sites in a tidy manner. But unbeknownst to the user, the application also downloads a banking Trojan. That is why, Trend Micro researchers said, users should always keep in mind that a certain level of trust should be involved when it comes to installing and utilizing applications, and that they should download and install software only from verified sources. Source: http://www.net-security.org/malware_news.php?id=1628

14. February 11, Reuters – (National) Bank robbing ‘Granddad bandit’ pleads guilty. A 53-year-old male, from Baton Rouge, Louisiana, pleaded guilty to 2 counts of bank robbery carrying a maximum penalty of 20 years in prison each as part of a plea agreement. In exchange, 24 other counts from robberies committed between 2008 and 2010 in 14 states outside of Virginia will not be charged against the suspect, according to a statement from the U.S. Attorney’s Office for the Eastern District of Virginia. The robber admitted to robbing 26 banks throughout the country, including 2 in Virginia, by walking into each bank and passing a note to the teller that announced the robbery and stated the desired amount, the statement said. In court, the man said that he had stolen $83,868 in cash through his robberies. Source: http://www.reuters.com/article/2011/02/11/us-robbery-granddad-idUSTRE71A3J120110211

15. February 11, Houston Chronicle – (Texas) Hunt’s on for Houston-area serial bank robber. A man who held up a pair of banks in Spring, Texas, within about 30 minutes has been linked to at least four other similar robberies in the Houston area, FBI officials said February 10. The man struck about 1:30 p.m. February 9 at a Compass Bank branch in the 21000 block of Kuykendahl. About 2 p.m., the same robber demanded cash from employees at a Chase Bank branch in the 2100 block of FM 2920, officials said. The 2 banks are about 4 miles apart. No injuries were reported in either robbery, FBI officials said. The man is suspected in a recent string of area bank robberies beginning about 3 months ago. He is believed to have struck a Trustmark Bank branch November 16 in the 6800 block of FM 1960 West. On December 20, someone matching his description held up a Sterling Bank branch in the 800 block of FM 1960. He also hit a Regions Bank branch, 9480 College Park in The Woodlands, January 18 and February 1 robbed a Chase Bank branch in the 20700 block of FM 1485 in New Caney, FBI officials said. The robber is described as a 20- to 25-year-old clean shaven black man. He is about 5-feet-10 or slightly taller and has a slim build. The man wore a black knit cap, a dark sweater and pants, a white shirt with a dark tie and black-rimmed glasses, FBI officials said. Source: http://www.chron.com/disp/story.mpl/metropolitan/7422432.html

Information Technology

47. February 9, Softpedia – (International) Security fixes available for Shockwave Player and ColdFusion. Adobe has released security updates for its Shockwave Player and ColdFusion products to address critical vulnerabilities that could be exploited to compromise computers and information. The new Shockwave update fixes 21 security flaws that could lead to arbitrary code execution. The vulnerabilities are located in modules such as dirapi.dll, IML32, TextXtra, Shockwave 3D Asset, Font Xtra.x32, and other unspecified components. Adobe also released hotfixes for ColdFusion 9.0.1, 9.0, 8.0.1, and 8.0, which address five vulnerabilities on the platform. These security issues consist of two cross-site scripting weaknesses in the administrator console and the cfform tag, a CRLF injection flaw which allows adding headers, an information disclosure vulnerability, and a Session Fixation bug. Source: http://news.softpedia.com/news/Security-Fixes-Available-for-Shockwave-Player-and-ColdFusion-183442.shtml

48. February 9, Panda Security – (International) January malware update: PandaLabs found 43 percent of US PCs were infected. PandaLabs, Panda Security’s anti-malware laboratory, announced findings February 9 based on data from scans completed by Panda ActiveScan, the free online scanner offered by Panda Security, The Cloud Security Company. In January, PandaLabs found 43 percent of U.S. computers scanned were infected with malware, compared to 50 percent of total global users scanned. Trojans were found to be the most prolific malware threat, responsible for 58 percent of all U.S. cases, and 59 percent globally. The next most common culprits were traditional viruses and worms which caused 12 percent and 9 percent of cases worldwide, respectively. Although the United States made the top 10, Thailand, China, Taiwan, Russia, and Turkey held the top 5 highest rates of infection, ranging from 60 to 67 percent of cases. And with a 43 percent infection rate, the U.S. ranked tenth, only a few percentage points below historical “malware havens,” such as Brazil and Poland. Of the most prevalent malware threats detected this January, generic Trojans topped the list, followed by downloaders, exploits, and adware. Panda found the “Lineage” Trojan continues to spread and infect systems, indicating a lack of basic antivirus protection for even the most longstanding threats. Source: http://www.prnewswire.com/news-releases/january-malware-update-pandalabs-found-43-percent-of-us-pcs-were-infected-ranking-tenth-worldwide-115632469.html

49. February 10, Computerworld – (International) Low security awareness found across IT. A broad spectrum of IT people, including those close to security functions, appear to have little awareness of key security issues impacting their organizations, a new survey showed. The survey, conducted by Unisphere Research and sponsored by Application Security Inc., polled 430 members of the Oracle Application Users Group, including directors and managers of information technology, developers and programmers, database and systems administrators, systems architects and analysts, and professionals from the HR and financial functions. About 22 percent of respondents claimed to be extensively involved in security functions, 60 percent claimed a limited or supporting role, and the rest said they were not involved with security at all. About 100 respondents belonged to companies with more than 10,000 employees. What the survey showed was a surprising lack of awareness of security issues among the respondents. For instance, just 4 percent admitted to being fully informed about security breaches within their organizations. About 80 percent of those who said their organizations had suffered a data breach in the past year were unable to tell which IT components might have been impacted by the breach. Source: http://www.computerworld.com/s/article/9208890/Low_security_awareness_found_across_IT_

50. February 10, Computerworld – (International) Vendors tap into cloud security concerns with new encryption tools. A handful of vendors have begun rolling out technologies designed to let companies take advantage of cloud computing environments without exposing sensitive data. One vendor, CipherCloud, a Cupertino, California-based start-up, launched a virtual appliance technology February 10 that companies can use from within their premises to encrypt or to mask sensitive data before it hits the cloud platform. Unlike the case with encryption services offered by cloud providers, CipherCloud’s technology lets enterprises have complete control over the encryption and decryption process, the CEO and founder of the company said. The only set of encryption keys resides with the enterprise and not the cloud provider, ensuring that only authorized users can view the data, he said. CipherCloud’s algorithm works in a way that encrypts data without fundamentally altering the data format or function, he added. Source: http://www.computerworld.com/s/article/9208882/Vendors_tap_into_cloud_security_concerns_with_new_encryption_tools

51. February 10, Help Net Security – (International) Multiple vulnerabilities in Django. Vulnerabilities have been reported in Django, which can be exploited by malicious people to bypass certain security restrictions and conduct script insertion and cross-site request forgery attacks, Secunia said. The first vulnerability is that the cross-site request forgery protection does not properly verify requests with certain “X-Requested-With” headers; this can be exploited to conduct attacks by using certain browser plugins and HTTP redirects to send cross-domain HTTP requests with spoofed headers. The second vulnerability is that input passed via the filename of uploaded files is not properly sanitized within the file field before being used. This can be exploited to insert HTML and script code that will be executed in a browser session in the context of an affected site if malicious data is viewed. Successful exploitation requires a file-storage backend that does not properly sanitize the file name used (no default file-storage backends are affected). Lastly, the file-based session storage system does not properly sanitize the key submitted in the session cookie, which can be exploited to conduct directory traversal attacks. Source: http://www.net-security.org/secworld.php?id=10571
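As an added illustration of the second and third Django issues above (example code written for this digest, not Django's own code; the session directory, file prefix and key alphabet are assumptions), the unsafe path construction that trusts the cookie-supplied session key is shown beside a hardened version that validates the key and confines the resolved path, with a basename-and-charset sanitizer for the uploaded-filename issue:

```python
import os
import re
from typing import Optional

# Assumed values for this example (placeholders, not Django's defaults).
SESSION_DIR = "/tmp/app_sessions"
FILE_PREFIX = "sessionid"
# A file-backed session key should be a short token from a fixed alphabet;
# anything else (slashes, dots, NULs) must be rejected before it touches a path.
SESSION_KEY_RE = re.compile(r"^[0-9a-z]{1,64}$")


def session_path_unsafe(session_key: str) -> str:
    """Vulnerable pattern: the cookie value flows straight into the path."""
    return os.path.join(SESSION_DIR, FILE_PREFIX + session_key)


def stays_in_session_dir(path: str) -> bool:
    """True only if the normalized path is inside SESSION_DIR."""
    root = os.path.realpath(SESSION_DIR)
    return os.path.commonpath([root, os.path.realpath(path)]) == root


def session_path_safe(session_key: str) -> Optional[str]:
    """Hardened pattern: allow-list the key, then confine the path anyway."""
    if not SESSION_KEY_RE.fullmatch(session_key):
        return None  # treat as "no such session", do not touch the filesystem
    path = os.path.join(SESSION_DIR, FILE_PREFIX + session_key)
    if not stays_in_session_dir(path):  # defence in depth
        return None
    return path


def safe_upload_name(filename: str) -> str:
    """Strip directory components and restrict the name to a safe charset.

    The result is safe to use as a path component; it must still be HTML-
    escaped (e.g. html.escape) when rendered back into a page.
    """
    name = os.path.basename(filename.replace("\\", "/"))
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name)
    return name or "upload"


if __name__ == "__main__":
    # Constructed inputs: one well-formed key and one traversal attempt.
    for key in ("abc123", "/../../etc/passwd"):
        print(key, "->", session_path_unsafe(key),
              "confined" if stays_in_session_dir(session_path_unsafe(key)) else "ESCAPES",
              "| hardened:", session_path_safe(key))
    print(safe_upload_name("../../evil<script>.html"))
```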

52. February 11, Help Net Security – (International) Organizations spend 127 hours per month managing on-site security solutions. Organizations spend an average of 127 hours per month managing on-site security solutions and related problems, according to new research from Webroot. The top time thieves are updating software and hardware, re-imaging infected machines, and enforcing end user Internet and e-mail policies. Webroot surveyed 820 IT decision-makers in organizations with 100 to 5,000 employees in the United States, the United Kingdom, and Australia. The company found organizations with more remote or mobile employees face more problems when using on-premise security. Specifically, these companies are 43 percent more likely to experience phishing attacks and 33 percent more likely to experience viruses or worms than organizations using cloud security. Time spent repairing damage and addressing other repercussions is also more significant. Source: http://www.net-security.org/secworld.php?id=10575

53. February 11, The Register – (International) Malware endemic even on protected PCs. Many users remain infected with computer malware despite the fact the vast majority are running machines protected by anti-virus software, according to a study by European Union statistics agency EUROSTAT. The study found one-third of PC users (31 percent) were infected even though the vast majority (84 percent) were running security software (anti-virus, anti-spam, firewall) on their PCs. Of the survey’s respondents, 3 percent reported financial loss as a result of pharming or phishing attacks, while a further 4 percent reported privacy violations involving data sent online. Bulgaria (58 percent) and Malta (50 percent) top the list of most infected users. By comparison, Finland (20 percent), Ireland (15 percent), and Austria (14 percent) did relatively well. Trojans (59.2 percent) were the most common type of infection found on compromised PCs, followed by viruses (11.7 percent). Source: http://www.theregister.co.uk/2011/02/11/malware_endemic_survey/

For another story, see item 12 above in the Banking and Finance Sector

Communications Sector

54. February 10, TMCnet – (International) Egypt shut down most of internet service by pulling single switch in Cairo. It is being reported that when Egyptian officials wanted to shut down Internet service last month — they did it the easy way: They pulled a single switch. Wired.com said recently the Egyptian government shut down most of the Internet service by pulling a switch in a data center located in Cairo. It had been speculated Egyptian officials had called Internet Service Providers (ISPs), one after another. Word of their approach comes from information presented by the U.S. Department of Homeland Security’s Infosec Technology Transition Council. “Most of the outage was effected through a breaker tripped in the Ramses exchange, and the rest was phone calls and arm-twisting,” Wired.com said, citing information from the presentation. The Ramses exchange is located in a building in Cairo, “where Egyptian ISPs meet to trade traffic and connect outside of the country,” according to Wired.com. It is referred to as an Internet Exchange Point. Wired.com said turning off the Internet there made it easier to turn it back on, was more secure, and kept “spyware from being placed on the networks.” Given the millions of dollars it cost the economy while the Internet was turned off, the presentation concluded it will be “unlikely that Egypt’s communications ministry will ever be asked to flip that switch again.” Forbes magazine estimated it cost the Egyptian economy $110 million. The Egyptian vice president estimated that the impact on the tourism sector was “at least $1B (billion).” Source: http://ipcommunications.tmcnet.com/topics/ip-communications/articles/143626-egypt-shut-down-most-internet-service-pulling-single.htm