Thursday, April 7, 2011

Complete DHS Daily Report for April 7, 2011

Daily Report

Top Stories

• Bloomberg reports a survey found most energy and utility companies do not use “state-of-the art” technology to defend their networks and are exposing critical infrastructure to sophisticated cyber attacks. (See item 2)

2. April 6, Bloomberg – (National) Energy infrastructure lacks advanced defense from cyber attacks. A majority of energy and utility companies do not use “state-of-the art” technology to defend their networks and are exposing critical infrastructure to sophisticated cyber attacks, a new industry survey said. Sixty-seven percent of information technology professionals surveyed said their organizations had not deployed the best available security to guard against hackers and Internet viruses, states a report released April 6 by Ponemon Institute LLC, an information-security research group. Of the 291 security practitioners who responded, 71 percent said their companies’ top executives do not understand or appreciate the value of information-technology security, according to the report. “One of the big surprises in this survey was that despite increasing cyber attacks on networks, the strategic importance of IT security among C-level executives hasn’t increased,” said the senior vice president of marketing and channels for Q1 Labs Inc., a software company that sponsored the survey. “It seems that the industry is very reactive in terms of IT security investment.” The report follows recent high-profile cyber attacks, including the Stuxnet computer worm, which affects machines sold by Munich-based Siemens AG and can take over networks that run factories and power plants. The Ponemon report also identified shortcomings in adhering to industrywide regulatory initiatives. Seventy-seven percent of survey respondents said compliance with industry security standards did not rank as a priority at their organizations. U.S. regulators currently lack the authority to issue and enforce rules for protecting electric grids from cyberthreats, leaving the industry to follow its own voluntary standards. Those guidelines are set by the North American Electric Reliability Corp., an industry self-regulatory group that helps companies assess their ability to respond to potential attacks. Source: http://www.bloomberg.com/news/2011-04-06/energy-infrastructure-lacks-advanced-defense-from-cyber-attacks.html

• According to Food Product Design, federal health officials said the Salmonella strain that sickened 12 people in 10 states and triggered the April 1 recall of 54,960 pounds of Jennie-O turkey burgers may be resistant to antibiotics. (See item 26)

26. April 5, Food Product Design – (National) Drug-resistant Salmonella linked to turkey recall. The Salmonella strain that sickened 12 people in 10 states and triggered the April 1 recall of 54,960 pounds of Jennie-O turkey burgers may be resistant to antibiotics, the Centers for Disease Control and Prevention (CDC) announced April 4. According to CDC, Salmonella Hadar is resistant to many commonly prescribed antibiotics, including ampicillin, amoxicillin/clavulanate, cephalothin, and tetracycline, which may increase the risk of hospitalization or possible treatment failure in infected individuals. Jennie-O Turkey Store recalled 4-pound boxes of frozen Jennie-O Turkey Store “All Natural Turkey Burgers with seasonings Lean White Meat” containing 12 individually wrapped one-third pound burgers after they were linked to 12 confirmed cases of Salmonella Hadar in Arizona, California, Colorado, Georgia, Illinois, Mississippi, Missouri, Ohio, Washington, and Wisconsin, with illnesses occurring between December 2010 and March 2011. Three of the patients, in Colorado, Ohio, and Wisconsin, specifically reported eating this product prior to illness onset and hospitalization; the last of these illnesses was reported March 14. Source: http://www.foodproductdesign.com/news/2011/04/antibiotic-resistant-salmonella-linked-to-turkey.aspx

Details

Banking and Finance Sector

13. April 6, Newark Star Ledger – (National) Two men to face fraud charges in alleged $30M insider trading scheme. A senior associate at a prominent Washington, D.C. law firm was arrested by the FBI April 6 on federal securities fraud charges in connection with a $30 million scheme that allowed him to trade on insider information related to pending corporate mergers, officials said. The lawyer, who specialized in mergers and acquisitions for Wilson Sonsini Goodrich and Rosati, is expected to be arraigned in federal court in Newark, New Jersey, April 6, along with a banker, who allegedly traded on the information the lawyer provided. Officials at the U.S. Attorney’s office said the decades-long scheme involved insider trading based on information stolen not only from Wilson Sonsini Goodrich and Rosati, but also from the law firms of Cravath, Swaine and Moore, and Skadden, Arps, Slate, Meagher and Flom, where the lawyer previously worked. Source: http://www.nj.com/news/index.ssf/2011/04/two_men_to_face_fraud_charges.html

14. April 6, La Crosse Tribune – (Wisconsin) La Crosse bank robbery suspect in custody. Federal prosecutors April 4 charged a 52-year-old Cottage Grove, Wisconsin man with robbing an Associated Bank in a Neenah grocery store January 5 by claiming to have a bomb, according to the complaint filed in U.S. District Court in Milwaukee. The man fled with $2,847 wearing a black hooded sweatshirt pulled over his forehead, according to the criminal complaint. He left behind a brown cardboard box filled with packaging material and wire. DNA recovered from the wire matched the suspect, the complaint states. La Crosse police April 5 asked the district attorney’s office to issue an arrest warrant for the March 28 robbery at the Associated Bank in the former Quillin’s Foodfest store at 3956 Mormon Coulee Road. A suspect matching the man’s description showed a teller a fake bomb of three blue metal canisters taped together and a timer taped to a black and red backpack. He pulled a black hooded sweatshirt over his forehead and fled with $6,300, according to the complaint. The man is also suspected in the February 17 robbery at a Guaranty Bank inside an Oconomowoc grocery store. The suspect is due back in court April 19 for an arraignment. A federal judge in November 2000 sentenced him to 137 months in federal prison and 3 years of supervised release for robbing four Wisconsin and Minnesota banks in 2000 after threatening to detonate hoax bombs. He is still on supervised release. Source: http://lacrossetribune.com/news/local/article_62130f6c-600e-11e0-ae5d-001cc4c03286.html

15. April 5, Mobile Press-Register – (International) Atlanta attorney fifth man arrested in Synergy securities fraud case. An Atlanta, Georgia attorney has become the fifth man arrested in connection with what investigators called a scam by a Robertsdale, Alabama finance company that stole millions from investors through the sales of bogus securities, the Press-Register reported April 5. The man was arrested March 22 in Atlanta by the Fulton County Sheriff’s Department on a 17-count indictment. The charges resulted from an Alabama Securities Commission investigation of illegal securities transactions involving Synergy Finance Group LLC, the commission and the Baldwin County District Attorney’s Office announced April 4. Charges include 5 counts of sale of securities by an unregistered agent, 1 count of conspiracy to commit securities fraud, 10 counts of securities fraud, and 1 count of first-degree theft of property. According to the indictment and the news release, the five men operated a “multi-billion dollar loan brokerage” and solicited money from U.S. and foreign investors seeking large, non-collateralized loans that involved illegal securities transactions. Investors were urged to wire thousands of dollars to Synergy accounts under the promise of multimillion-dollar returns. Neither Synergy nor any of the indicted men was registered with the commission to conduct securities business in Alabama, according to the news release. Source: http://blog.al.com/live/2011/04/atlanta_attorney_fifth_man_arr.html

16. April 5, Wired.com – (International) Conde Nast got hooked by $8 million spear-phishing scam. A spear-phisher managed to reel in a prize catch in 2010 with a single hook when media giant Conde Nast took the bait and wired $8 million to his bank account after he posed as a legitimate business, according to a lawsuit filed March 30. The alleged swindler failed to withdraw any funds before federal authorities intervened and froze the money, but the case highlights how little effort a scammer needs to invest in order to get a big payday. According to the court document, last November Conde’s accounts payable department received an e-mail that purported to come from Quad/Graphics, the company that prints Conde’s magazines. The e-mail instructed Conde to send payments for its Quad/Graphics account to a bank account number in the e-mail, and included an electronic payments authorization form. The e-mail said the account was for Quad Graph, a name similar to the real printer’s name. Someone at Conde apparently signed the form and sent it back to a fax number in the e-mail, then began making electronic transfer payments to the bank account specified by the scammer. Between November 17 and December 30, the company wired $8 million to the Quad Graph account before a query December 30 from the real printer, Quad/Graphics, asking about outstanding bills, prompted Conde to investigate. The man suspected of perpetrating the attack has yet to be charged with any crime related to the scam, but Forbes found a previous charge against someone with the same name and address who pleaded no contest in December to “terroristic threat of family/household.” Source: http://arstechnica.com/tech-policy/news/2011/04/conde-nast-got-hooked-by-8-million-spear-phishing-scam.ars

17. April 5, Reno Gazette-Journal – (Nevada) Man arrested in Reno bank robbery, suspected in 2 others. A man accused of robbing a Bank of America office in Reno, Nevada April 5 and suspected in two other bank robberies, was arrested April 5 at a motel in Sparks, Nevada, Reno police reported. The 53-year-old suspect was booked on one federal count of bank robbery, police said. About 2:15 p.m. April 5, a man entered the Bank of America at 700 N. Virginia Street, handed a teller a note demanding money and said he had a weapon, police said. After receiving an undisclosed sum, he fled, authorities reported. Reno and Sparks police and the FBI found the vehicle and suspect in the parking lot of the Aloha Inn in Sparks, police said. When the suspect was taken into custody, unspecified evidence from the Bank of America robbery was found on him, police reported. Detectives and federal agents are continuing their investigation. They anticipate that the suspect will be charged with a March 30 bank robbery in Sparks, and a bank robbery April 1 in Reno, police said. Source: http://www.rgj.com/article/20110405/NEWS01/110405049/-1/blogs11/Man-arrested-Reno-bank-robbery-suspected-2-others?odyssey=nav|head

Information Technology

43. April 6, Bloomberg – (International) Freescale won’t reopen plant in Japan damaged by earthquake. Freescale Semiconductor Inc., the chipmaker partly owned by Blackstone Group LP, will not reopen a factory in Sendai, Japan, that was damaged by the March 11 earthquake and tsunami. Safety concerns and damage to infrastructure mean the plant, which had already been scheduled to close in December of 2011, will not return to full operation, Austin, Texas-based Freescale said in a statement. Freescale will concentrate on transferring work to alternative facilities, it said in the statement. The Sendai plant, which makes chips used in cars, was being closed as part of a company-wide effort to cut costs. Source: http://www.sfgate.com/cgi-bin/article.cgi?f=/g/a/2011/04/06/bloomberg1376-LJ7PYP6S972C01-01ESG9MSU7MJB3E50EOI421BDE.DTL

44. April 6, H Security – (International) DHCP client allows shell command injection. The Internet Systems Consortium’s (ISC) open source DHCP client (dhclient) allows DHCP servers to inject commands that could allow an attacker to obtain root privileges, according to a new ISC advisory. The problem is caused by incorrect filtering of metadata in server response fields. By using crafted host names, and depending on the operating system and what further processing is performed by dhclient-script, it can allow commands to be passed to the shell and executed. A successful attack does, however, require there to be an unauthorised or compromised DHCP server on the local network. Dhclient versions 3.0.x to 4.2.x are affected. The ISC has released an update. Source: http://www.h-online.com/security/news/item/DHCP-client-allows-shell-command-injection-1222805.html
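As an added illustration, not ISC's code, here is the kind of check a DHCP client needs before it exports server-supplied name fields to a helper script such as dhclient-script (which reads them from variables like new_host_name); the option names and the helper-script interface are modelled on dhclient, and the values in the comments are constructed.

```python
import re
import subprocess

# RFC 1123 host name label: 1-63 alphanumerics or hyphens, with no leading
# or trailing hyphen. Nothing a shell treats specially can appear here.
LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def is_valid_hostname(value: str) -> bool:
    """Accept only syntactically valid host or domain names."""
    if not value or len(value) > 253:
        return False
    labels = value.rstrip(".").split(".")
    return all(LABEL_RE.fullmatch(label) for label in labels)


def build_script_env(options: dict) -> dict:
    """Build the environment a dhclient-style client hands to its helper
    script. Name fields the server supplied are validated first; anything
    that fails (e.g. the constructed value "srv;echo x") is dropped, so a
    rogue server's option text never reaches the shell at all."""
    env = {}
    for name in ("host-name", "domain-name"):
        value = options.get(name)
        if value is None:
            continue
        if not is_valid_hostname(value):
            # Reject rather than try to escape: the script may re-expand it.
            continue
        env["new_" + name.replace("-", "_")] = value
    return env


def run_script(script_path: str, options: dict) -> int:
    """Run the helper script with only validated values in its environment.
    Passing argv as a list avoids a second shell parse of the path."""
    env = build_script_env(options)
    return subprocess.run(["/bin/sh", script_path], env=env).returncode
```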

45. April 6, Softpedia – (International) Several vulnerabilities patched in WordPress 3.1.1. The WordPress development team has released version 3.1.1 of the blog publishing platform in order to address multiple stability and security issues. In total, the new WordPress 3.1.1 fixes almost 30 bugs including 3 vulnerabilities discovered by core developers. One flaw was located in the media uploader component and allowed bypassing the cross-site request forgery (CSRF) protection. It was resolved by adding nonce checks to the code. This type of vulnerability allows attackers to hijack sessions of authenticated users by forcing their browser to perform unauthorized actions when visiting a maliciously crafted Web page. Such an attack abuses the inherent trust between Web sites and browsers and is resolved by associating unique codes (nonces) with requests. The second vulnerability was a minor cross-site scripting (XSS) issue located on the database upgrade screens. This type of flaw is the result of insufficient input validation and can be used, in the worst case scenario, to generate pages with rogue code inserted into them. The CSRF and XSS vulnerabilities were discovered and reported by a member of the WordPress security team. The vulnerability identified by one of the WordPress core developers concerns handling of certain links and can lead to a denial of service condition where the PHP process crashes. It can be exploited by inserting malformed links into comments. Source: http://news.softpedia.com/news/Several-Vulnerabilities-Patched-in-WordPress-3-1-1-193434.shtml

46. April 5, The Register – (International) Google Chrome to warn of malicious Windows executables. Google said it is expanding its blacklist of malicious Web sites to include those that use deceptive claims to push harmful Windows programs. The addition to Google’s Safe Browsing API will warn people when they are about to visit Web sites that offer Windows-based trojans disguised as screen savers or other innocuous applications. The company introduced the service 5 years ago to alert users when they try to browse sites that perform drive-by downloads that exploit security vulnerabilities in the operating system or browsing software. The underlying programming interface is already being used by browsers, including Google Chrome, Mozilla Firefox, and Apple Safari. It is also available to any Web master who wants to use the data available from Google to prevent malicious links from being posted to their sites. The new feature will initially be available only for Chrome users who subscribe to the browser’s development release channel. The company plans to integrate it into the next stable release of Chrome. There is no mention of it being made available to browser providers outside of Google. The warning will be displayed whenever users encounter a download from a URL that matches the latest list of malicious Web sites published by the Google API. Source: http://www.theregister.co.uk/2011/04/05/google_malicious_executables_warning/

47. April 5, Softpedia – (International) New DHL-themed malware distribution campaign in the wild. Security researchers warn of a new malware distribution campaign that produces e-mails with malicious attachments that pose as delivery notifications from DHL. The rogue e-mails have the subject “DHL Express Services” and their headers have been forged to appear as originating from a @dhl.com address. They inform recipients their package is on its way, and ask them to read the attached document for more information and to obtain the tracking number. The attached document is called dhl(dot)zip and contains an executable file of the same name which is a trojan downloader. This threat is responsible for downloading additional malware including a fake antivirus called XP Home Security, according to Vietnamese security vendor Bkis. Judging from dates of scans and comments on VirusTotal for the malicious files involved in this attack, the campaign began sometime the weekend of April 2 and 3. It also appears to have different variations, one using FedEx as cover, probably using similar fake package delivery notifications. Currently, the fake antivirus program installed by this infection has a very low detection count on VirusTotal, with only 4 of 40 antivirus engines detecting it based on signatures and heuristics. Source: http://news.softpedia.com/news/New-DHL-Themed-Malware-Distribution-Campaign-in-the-Wild-193187.shtml

48. April 5, Softpedia – (International) Fired Gucci network engineer charged for taking revenge on company. A computer network engineer who worked for Gucci America has been indicted after hacking into his former employer’s computer systems and damaging data, Softpedia reported April 5. According to prosecutors, while working at Gucci, the 34-year-old Jersey City, New Jersey man created a VPN USB token in the name of a fictional employee. After being fired in May 2010, the man contacted the company’s IT department posing as that employee and asked for his token to be activated. In the months that followed, the man used his knowledge to repeatedly cause damage to Gucci’s operations by disabling servers, locking documents, and deleting e-mails. In one instance, November 12, 2010, during the course of 2 hours, he deleted several virtual servers, shut down a storage area, and wiped clean an entire disk from the company’s e-mail server. These actions resulted in severe disruptions to daily activities, not only for Gucci’s staff at the company’s Manhattan, New York headquarters, but also for store managers across the country who were unable to access their e-mails. The damages sustained by Gucci as a result of lost productivity, attack mitigation, and data restoration are estimated at $200,000. The man has been indicted on 50 counts of computer tampering, identity theft, falsifying business records, computer trespass, criminal possession of computer related material, unlawful duplication of computer related material, and unauthorized use of a computer. Source: http://news.softpedia.com/news/Fired-Gucci-Network-Engineer-Charged-for-Taking-Revenge-on-Company-193321.shtml

49. April 4, IDG News Service – (International) About 50 clients hit by Epsilon e-mail marketing breach. About 50 companies were affected by a major security breach at e-mail service provider Epsilon Interactive that caused many U.S. corporations to warn their customers of online attacks April 4. Epsilon first warned of the incident April 1, saying that someone infiltrated company systems and obtained e-mail addresses and names belonging to some of its customers. However, it was not immediately clear how many of its 2,500 clients were at risk. Epsilon still has not disclosed much information about the problem, but it has now given a clearer picture of how many companies are affected. In a brief statement posted to Epsilon’s Web site April 4, the company said that “approximately 2 percent of total clients” — about 50 businesses — were hit. Customers of many of these businesses received e-mail warnings April 4, telling them that their e-mail addresses had been stolen, and that spam or malicious messages could be coming their way. So far, Epsilon has refused to provide a detailed list of all companies that were affected. Companies hire Epsilon to send out a total of more than 40 billion messages on their behalf each year. With millions of addresses thought to have been stolen, the problem may be worse than many people realize, security experts said April 4, because once scammers know their victims’ names and e-mail addresses, along with the companies that they do business with, they can craft very targeted “spear-phishing” e-mail attacks that try to trick victims into revealing more sensitive information such as passwords or account numbers. Source: http://www.computerworld.com/s/article/9215488/About_50_clients_hit_by_Epsilon_e_mail_marketing_breach

For another story, see item 2 above in Top Stories

Communications Sector

50. April 6, Reuters – (National) Verizon customers exposed in massive Epsilon data breach. Customers of Verizon Communications had their e-mail addresses exposed in a massive online data breach the week of March 28, according to an e-mail to customers obtained by Reuters. In what could be one of the biggest such attacks in U.S. history, a computer hacker penetrated the online marketer Epsilon, which controls the customer e-mail databases for a broad swath of companies. Customers of about 50 companies, from banks to retailers and hotels, had their names or e-mail addresses exposed in the attack. Verizon, the largest U.S. mobile phone carrier, informed customers April 5 that it was part of the Epsilon data breach. “Epsilon has assured us that the information exposed was limited to email addresses, and that no other information about you or your account was exposed,” Verizon said in an e-mail to a customer sent April 5. Source: http://www.huffingtonpost.com/2011/04/06/verizon-epsilon-data-breach_n_845379.html

51. April 5, IDG News Service – (National) Verizon simulates disaster near operations center. It was only a drill, but Verizon Communications’ emergency response team brought in its serious equipment for a hazardous materials test in Cockeysville, Maryland, April 4 and April 5. In the scenario, a truck carrying chlorine collided with a light-rail train within a few hundred yards of Verizon’s Cockeysville operations center, which provides nationwide customer support for the company’s enterprise and federal government customers, dispatches field technicians to Verizon customers in the Baltimore area, and houses support staff. In a real disaster, all 791 employees of the Verizon facility would have to evacuate their building, with the Verizon Major Emergency Response Incident Team’s mobile command center, a 51-foot truck trailer, restoring communications at the site. The trailer is a “completely autonomous unit,” said the disaster recovery team lead for Verizon. When Verizon arrives at a disaster site, it wants to avoid taxing the local infrastructure, said the chief business continuity officer at Verizon. While the mission of the command center trailer is primarily to restore Verizon networks, it also can provide Internet and radio communications for local emergency response agencies. Source: http://www.itworld.com/networking/152863/verizon-simulates-disaster-near-operations-center