Wednesday, November 30, 2011

Complete DHS Daily Report for November 30, 2011

Daily Report

Top Stories

• A cellphone service that is supposed to grant priority to emergency government and public safety calls failed during the August earthquake that rocked the East Coast, a DHS official said November 28. – NextGov (See item 32)

32. November 28, NextGov – (National) Cellphone emergency call service failed following East Coast quake. A cellphone service that is supposed to grant priority to emergency government and public safety calls failed during the August earthquake that rocked the East Coast, a DHS official said November 28. The Wireless Priority Service, a voice feature that does not require a special cellphone, was overwhelmed by text-messaging traffic in the aftermath of the 5.8 magnitude shaker August 23, said the acting director of the DHS National Communications System. It is widely acknowledged that many Americans were unable to make personal calls for several minutes following the earthquake. DHS officials are working with carriers to modify their circuitry by the time of the Republican and Democratic national conventions late summer of next year, he said. "That is a significant requirement that we must have," he said. He told Nextgov that Alcatel-Lucent's hardware should be fixed by Christmas. Source: http://www.nextgov.com/nextgov/ng_20111128_2122.php

• Researchers found a HP LaserJet printer vulnerability that could allow hackers to remotely control the device to launch cyberattacks, steal data, and even instruct its components to overload until it catches fire. – Softpedia See item 36 below in the Information Technology Sector

Details

Banking and Finance Sector

10. November 29, BankInfoSecurity – (California) Fraud scheme hits grocer. Modesto, California-based grocery chain Save Mart Supermarkets issued a consumer advisory November 23 about card-reader breaches at 20 of its stores. According to a statement posted on Save Mart's Web site, tampered card-readers at self-service checkout lanes in 19 Lucky Supermarkets locations and one Save Mart store were discovered during routine maintenance. The statement did not say when the tampering might have occurred or what method of tampering was used. It is not clear if skimmers were installed, or if the card readers were replaced with readers manipulated to collect details. Save Mart did say, however, that it replaced readers on all of the affected terminals and added additional security to point-of-sale card readers in all of its 234 locations soon after the tampering was discovered. "We are not aware nor have we been notified of any reports that customer accounts were compromised," the company statement said. "The appropriate authorities have been notified of this situation and consumer notices have been posted at credit/debit terminals in the affected stores as well as placed on our Web sites." Source: http://www.bankinfosecurity.com/articles.php?art_id=4280

11. November 28, CNN – (National) Citigroup's mortgage securities fraud settlement with SEC rejected. A judge rejected a proposed $285 million mortgage securities fraud settlement between Citigroup and the Securities and Exchange Commission (SEC) November 28, saying the deal was "neither fair, nor reasonable, nor adequate, nor in the public interest." A judge said that the settlement announced in October 2011, under which Citi neither admitted nor denied the SEC's allegations, deprived the public "of ever knowing the truth in a matter of obvious public importance." He instead ordered Citi to face trial over the allegations in July 2012. A spokeswoman for Citi said the bank was "declining to comment, pending a review of the decision." The SEC has alleged that in 2007, Citi created and sold a mortgage-related collatarized debt obligation, or CDO, called Class V Funding III. After marketing the CDO, Citi then took a short position — or bet against — the security as the housing market deteriorated, bringing in a net profit of $160 million for the bank. Investors, meanwhile, lost more than $700 million. Source: http://www.chicagotribune.com/business/breaking/chi-citigroups-mortgage-securities-fraud-settlement-with-sec-rejected-20111128,0,5534190.story

12. November 28, WDEF 12 Chattanooga – (Georgia) Debit card scam not linked to any local retailers. Hundreds of north Georgia residents found themselves in the middle of a scam the week of November 21. Officials believe the scam started November 23, when many Walker County residents found themselves with a depleted bank account. "We've seen charges made from people's card from Spain to Egypt to Europe to Mexico," a LaFayette Police Department sergeant said. Officials believe this is an elaborate crime ring that used the holiday to take advantage of people's accounts. "We have not tracked this source back to any particular business in our jurisdiction. I can tell you that with absolute certainty," the sergeant said. Officials said about 400 to 500 residents have reported the issue to local banks in the Walker County and LaFayette area. There has also been reports of the same scam in other counties. "There could be as many as 100 victims in the Chattooga County area," the Walker County sheriff said. Officials said the scam starts with the credit card processing company, not a local retailer. The FBI is assisting in the investigation. Source: http://www.wdef.com/news/story/Debit-Card-Scam-Not-Linked-To-Any-Local-Retailers/-hTdSz-59kC2wPBqNRpFYw.cspx

13. November 28, Grand Rapids Press – (Michigan) Grand Rapids-area broker described as 'mini-Madoff' in alleged Ponzi scheme. A Grand Rapids, Michigan stockbroker is facing federal allegations linked to a $6-million Ponzi-style scheme, the Grand Rapids Press reported November 28. The government has filed felony information accusing the broker of mail fraud for sending falsified account statements to clients. The U.S. Securities and Exchange Commission (SEC) earlier filed a civil injunction against the broker and his companies, Wealth Resources Inc. and Wealth Resources LLC, alleging he acted as an unregistered broker and investment adviser to raise funds from at least 20 investors. "Based upon representations made by [the broker] investors gave money to [the man] to place in Wealth Resources LLC and invest on their behalf," an assistant U.S. attorney wrote in court documents. "[He] induced his clients to withdraw money from their retirement accounts, investment accounts, bank accounts and from other sources on the premise that [he] would invest their money into legitimate investment opportunities. However, [he] lied about the success of Wealth Resources LLC, and other investment opportunities that he recommended, and diverted some of his clients’ money for his own use." The attorney said he "fabricated" account statements that led "clients to believe that their investment was safe and growing." The broker was a registered representative of New England Securities from December 1998 to April 2010. When the broker filed for bankruptcy in June 2010, clients filed a complaint to prevent discharge of his $4.3 million debt to them, court records showed. The government said he used some of the money to "make Ponzi-like payments to other customers who requested a return of all or part of their investment." Source: http://www.mlive.com/news/grand-rapids/index.ssf/2011/11/grand_rapids-area_broker_descr.html

14. November 28, Fort Worth Star-Telegram – (Texas) 2 UNT freshmen accused of printing fake money in dorm. Two University of North Texas freshmen were arrested November 7 on suspicion of forgery, and accused of running a counterfeiting operation from a dorm room until a store clerk reported receiving a fake $20 bill to Denton, Texas, police. Denton officers arrested the students after an officer found fake $1 and $20 bills atop a printer in one of their dormitories, police said. The students face a felony charge of forgery, which carries a sentence of 180 days to 2 years in state jail, and a fine of up to $10,000. The case came under police scrutiny when a convenience store clerk reported a questionable-looking $20 bill, a Denton police spokesman said. The investigation led to a search of a student's dorm room which turned up a scanner/printer, and a computer used to print money. "Apparently there was money on top of it that they were still in the process of making money," the Denton police spokesman said. He said the counterfeit bills were passed at area fast-food restaurants and convenience stores. Source: http://www.star-telegram.com/2011/11/28/3556376/2-unt-freshmen-accused-of-printing.html#storylink=omni_popular

15. November 23, Federal Bureau of Investigation – (National) FBI Denver Cyber Squad advises citizens to be aware of a new phishing campaign. The FBI Denver Cyber Squad advised citizens of a new spear phishing campaign involving personal and business bank accounts, financial institutions, money mules, and jewelry stores. The campaign involves a variant of the "Zeus" malware called "Gameover." The campaign features e-mails claiming to be from the National Automated Clearing House Association (NACHA), and advising the user of a problem with an ACH transaction at their bank that was not processed. Users that click on the link are infected with the Zeus or Gameover malware, which can key log as well as steal online banking credentials, defeating several forms of two-factor authentication. After accounts are compromised, the perpetrators conduct a Distributed Denial of Service (DDoS) attack on the financial institution. The belief is the DDoS is used to deflect attention from the wire transfers as well to prevent a reversal of the transactions (if found). A portion of the wire transfers is being transmitted directly to high-end jewelry stores, wherein the money mule comes to the actual store to pick up his $100,000 in jewels (or whatever dollar amount was wired). An investigation has shown the perpetrators contact the high-end jeweler requesting to purchase precious stones and high-end watches. The perpetrators advise they will wire the money to the jeweler’s account and someone will come pick up the merchandise. The next day, a money mule arrives at the store, the jeweler confirms the money has been transferred or is listed as "pending" and releases the merchandise to the mule. Later on, the transaction is reversed or cancelled (if the financial institution caught the fraud in time), and the jeweler is out whatever jewels the money mule was able to obtain. Source: http://www.fbi.gov/denver/press-releases/2011/fbi-denver-cyber-squad-advises-citizens-to-be-aware-of-a-new-phishing-campaign?utm_campaign=email-Immediate&utm_medium=email&utm_source=denver-press-releases&utm_content=51037

For another story, see item 38 below in the Information Technology Sector

Information Technology

35. November 29, The Register – (International) 13 million gamers in ID theft scare after Nexon breach. An estimated 13 million gamers have been left at greater risk of ID theft following a breach at gaming firm Nexon. Data including names, usernames, encrypted resident registration numbers, and password hashes was exposed as a result of the breach at Nexon, which maintains the popular online role-playing game, Maple Story. The data breach followed a hack on a backup server for Maple Story late the week of November 21. Details of the 5 million customers of other games maintained by Nexon were not exposed. Nexon promised to bolster its security in the wake of the attack, the Korean Herald reports. In addition, it is offering game items to gamers who change their passwords. Source: http://www.theregister.co.uk/2011/11/29/nexon_data_breach/

36. November 29, Softpedia – (International) HP printers may be remotely set on fire, researchers say. Researchers at Columbia University in New York City found a HP LaserJet printer vulnerability that could allow a hacker to remotely control the device to launch cyberattacks, steal data that is being printed, and even instruct its mechanical components to overload until it catches fire. According to MSNBC, the researchers revealed the flaw they found does not affect only HP printers, but also other devices utilized by millions of individuals and companies that so far were considered to be safe. In the case of the HP printers which they thoroughly tested, the researchers relied on the fact remote software updates are not checked for signatures or certificates when they are being installed. In another demonstration, by sending a specially crafted print job, they were able to inject a code that would automatically scan printed documents for sensitive information, transmitting the data to a Twitter feed. They showed an infected computer could instruct the printer’s fuser, the one used to dry off the paper, to continuously heat up until the device self-destructs or, if it lacks a fuse, to set itself on fire. They also proved a hijacked printer could act as a gate-opener for a full-effect attack on a company network. They even made a demo from computers running Mac and Linux operating systems. HP representatives argue the situation might not be all that disastrous, claiming their newer models check for signatures while performing firmware updates. However, they are currently investigating the issue to determine exactly what is affected and what can be done about it. Even though later printer models should be more secure, the researchers claim one of the printers used in their tests was purchased not long ago. Source: http://news.softpedia.com/news/HP-Printers-May-Be-Remotely-Set-On-Fire-Researchers-Say-237254.shtml

37. November 29, Softpedia – (International) Russian spammers rely on new techniques to mask phone numbers. Some spam messages contain phone numbers instead of links that point to locations where different products are advertised. To make sure they successfully avoid spam filters, Russian spammers devised new ways to keep phone numbers secret. Symantec researchers reveal the large number of methods utilized by Russian spammers to list phone numbers in e-mail messages without raising the suspicion of any anti-spam solution. One of the simpler methods implies placing symbols between the figures that compose the number. In some cases, Russian characters that resemble figures will be utilized to replace some numbers. Also, in some scenarios, the numbers were actually spelled in Russian words. One final strategy involves writing the area code with the actual name of the city it represents. Source: http://news.softpedia.com/news/Russian-Spammers-Rely-on-New-Techniques-to-Mask-Phone-Numbers-237269.shtml

38. November 29, The Register – (International) Danger worm hijacks Facebook accounts to inject banking trojan. A dangerous worm is using Facebook to spread itself by posting malicious links on the social networking Web site that point to malware-tainted sites loaded with a variant of the Zeus banking trojan as well as other pieces of malware. The malware uses stolen Facebook account credentials to log into compromised accounts and post links, according to security researchers at CSIS in Denmark, who were the first to detect the threat. The malicious links generated by the worm pose as links to a photo file posted by the account-holder's friend or online acquaintance. In reality, the file is a booby-trapped screensaver file with a .jpg file extension. Users have to download and open the file but if tricked into doing so, the consequences can be serious –- especially since anti-virus detection rates are quite low. CSIS added the worm is also using other domains to spread. Source: http://www.theregister.co.uk/2011/11/29/facebook_worm_spreads/

39. November 29, Help Net Security – (International) FakeScanti rogue sends users to download additional fake AV solution. The Blackhole exploit kit has been getting a lot of attention recently, because it is continually updated with exploits for various flaws in popular software, and can deliver practically any malware the attackers want it to. Among those malware are rogue AV solutions such as those belonging to the FakeScanti malware family. One of the variants — named "AV Protection 2011"— can modify the infected computer's HOSTS file (the file that allows the system to connect hostnames to IP addresses) so that when the user tries to visit the Google Search engine, Facebook, or Bing, he/she is redirected to a page hosted in Germany that serves up another variant of the same family. The hijacking of the HOSTS file is not unusual behavior when it comes to worms and backdoors, but it not often seen in rogue AV solutions, said a GFI researcher. The technique is also often used by phishers for seamlessly redirecting users to phishing pages when they try to visit legitimate ones. Source: http://www.net-security.org/malware_news.php?id=1920

40. November 28, H Security – (International) Google+ security attracts praise and criticism. Security researchers at University College London subjected Google+ to a first IT security analysis, the main focus of which was on privacy. The currently preliminary results are ambivalent: the researchers commended new functions which improve networking security among friends, but they have also highlighted several potentially problematic details. Among these concerns is the way in which Google+ currently handles images. The researchers showed that photos uploaded to the network retain their metadata. However, they say the service does not inform users about this. Another problem area is the Google+ "About" section. There, Google is apparently prompting users to list previous addresses, previous names, and their maiden name. The researchers said this information could be particularly useful to identity thieves. The researchers commended the fact that Google+ uses SSL encryption by default, for the entire Google+ network connection. Facebook only uses this encryption for its lo-gin page, unless a user explicitly enables the security feature. The researchers concluded that, therefore, Google+ sessions offer better protection against "man-in-the-middle" attacks. Source: http://www.h-online.com/security/news/item/Google-security-attracts-praise-and-criticism-1386437.html

For another story, see item 15 above in the Banking and Finance Sector

Communications Sector

41. November 28, Internet Retailer – (National) The Thanksgiving weekend brings site headaches for multiple online retailers. PC Mall Inc. and Crutchfield Corp. were among the retailers experiencing significant downtime on their e-commerce sites November 28, according to Web site, performance-monitoring firm Catchpoint Systems Inc. The e-commerce site operated by PC Mall had suffered 77 minutes of downtime as of noon Eastern time, Catchpoint said. The Crutchfield site had 60 minutes of downtime. Other e-commerce site also experienced problems over the holiday weekend, according to a report from Web site performance monitoring firm AlertBot. The site operated by American Eagle Outfitters Inc. was down for a little over 8 hours between about 9 p.m. Eastern time November 23 and November 28, an AlertBot sales and marketing manager said. "An error message appeared numerous times over the Thanksgiving break," he said. The e-commerce site operated by Target Corp. experienced loading problems for more than 2 hours November 25, the day after Thanksgiving — the latest difficulty for the redesigned site since its introduction in August. The problems occurred between 3:30 p.m. and 4:10 p.m. and 5:10 p.m. and 6:45 p.m. Eastern time November 25, AlertBot said. Source: http://www.internetretailer.com/2011/11/28/thanksgiving-weekend-brings-multiple-site-headaches

For more stories, see item 32 above in Top Stories and items 38 and 40 above in the Information Technology Sector