Thursday, December 1, 2011

Complete DHS Daily Report for December 1, 2011

Daily Report

Top Stories

• A 700-square-mile freshwater basin in Louisiana that farmers use for irrigation to grow rice and farm fish, cattle, and alligators, is in grave danger from incursions by saltwater from the Gulf of Mexico. – Associated Press (See item 18)

18. November 29, Associated Press – (Louisiana) Coastal region in Louisiana declares state of emergency over threat from Gulf’s salt water. A rice and crawfish farming region on the low-lying southwest Louisiana coast has declared a state of emergency because a large freshwater basin that farmers rely on for irrigation is being spoiled by saltwater from the Gulf of Mexico, the Associated Press reported November 29. Vermilion Parish declared an emergency and pleaded for help from state and federal officials to prevent the saltwater from fouling the Mermentau River basin, a 700-square-mile area of mostly freshwater marsh. The rising salt level in the basin threatens thousands of acres of farmland used for crawfish ponds, cattle ranches, duck hunting, rice fields, and alligator and fish farms. Farmers rely on freshwater from the basin. Saltwater intrusion is a growing problem in Louisiana because the state is losing its shoreline buffer against the Gulf. Since the 1930s, coastal Louisiana has lost about 2,000 square miles of land. The erosion can be pinned to levees built by the U.S. Army Corps of Engineers, oil drilling, hurricanes, and sea level rise, among other factors. On November 29, state officials said they would step up their efforts to stop the saltwater encroachment. State officials vowed to press the Corps to speed up work to stop the saltwater. Saltwater levels have been rising for the past 8 months in the basin due to a combination of drought and gaps in the shoreline that have allowed the Gulf to penetrate into the basin, said a coastal biologist with the Louisiana State University AgCenter. Source:

• An Android app developer published what he says is conclusive proof millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of their users. – The Register (See item 30 in the Information Technology Sector)

Banking and Finance Sector

13. November 30, KMOV 4 St. Louis – (Illinois) Routine traffic stop uncovers credit card, ID fraud operation. A routine traffic stop by an Illinois state trooper November 29 turned out to be anything but routine after uncovering fraudulent credit cards, fake identification cards, and other illegal items. According to officials, the trooper was patrolling Interstate 55 near Springfield when he pulled over a grey Dodge Caravan for having no front license plate and for improper lane usage. Upon further investigation, including a search, the trooper discovered a significant number of fraudulent credit cards, debit cards, and gift cards. Blank driver’s licenses and identification cards from multiple states were also found in the vehicle, along with machines used to produce fraudulent identification cards, holograms, driver’s licenses, and credit cards. Among the three suspects, $12,362 in cash was also collected. The three were arrested at the scene and charged with possession of altered credit cards, possession of stolen goods, possession of fraudulent credit cards, and possession of a machine to make fraudulent credit cards. Illinois State Police investigators and the U.S. Secret Service were contacted for further investigation. Source:

14. November 30, The Register – (International) Anonymous launches OpRobinHood against banks. Anonymous and other hacktivists have joined together to launch an attack on banks in response to recent crackdowns against the Occupy protest movement. TeaMp0isoN and Anonymous are joining forces to run OpRobinHood, which will involve using stolen credit details to donate to charities and others, supposedly at the expense of banks. TeaMp0isoN and Anonymous claim to have already taken Chase, Bank of America, and CitiBank credit cards with “big breaches across the map” and to have begun donating thousands to many protests around the world, as well as to homeless charities and other philanthropic organizations. The hacktivists want bank account holders to withdraw their funds and deposit them in credit unions instead, something started with the Operation Cash Back scheme a few weeks ago. Source:

Information Technology

30. November 30, The Register – (International) Busted! Secret app on millions of phones logs key taps. An Android app developer published what he says is conclusive proof millions of smartphones are secretly monitoring the key presses, geographic locations, and received messages of their users. In a YouTube video posted November 28, the developer showed how software from a company known as Carrier IQ recorded in real time the keys he pressed on a stock EVO handset, which he reset to factory settings just prior to the demonstration. Using a packet sniffer while his device was in airplane mode, he demonstrated how each numeric tap and every received text message is logged by the software. The developer then connected the device to a Wi-Fi network and pointed his browser at Google. Even though he denied the search company’s request that he share his physical location, the Carrier IQ software recorded it. The secret app then recorded the precise input of his search query, even though he typed it into a page that uses the SSL protocol to encrypt data sent between the device and the servers. In an interview the week of November 21, Carrier IQ’s VP of marketing rejected claims the software posed a privacy threat because it never captured key presses. He said Carrier IQ was a diagnostic tool designed to give network carriers and device manufacturers detailed information about the causes of dropped calls and other performance issues. The app developer said he chose the HTC phone purely for demonstration purposes. BlackBerrys, other Android-powered handsets, and smartphones from Nokia contain the same snooping software, he claims. Source:

31. November 30, Softpedia – (International) HP: ‘Thermal breakers’ installed in printers prevent fires. After researchers at Columbia University in New York City demonstrated a series of attack methods that rely on vulnerabilities found in Hewlett Packard (HP) LaserJet printers, HP issued a statement arguing the situation is not as bad as it looks. According to DailyTech, HP claims that so far no customers have reported anything that would indicate a device catching on fire as a result of a malicious software update. “HP LaserJet printers have a hardware element called a ‘thermal breaker’ that is designed to prevent the fuser from overheating or causing a fire. It cannot be overcome by a firmware change or this proposed vulnerability,” HP stated. HP did admit, however, that some of the vulnerabilities that could allow unauthorized access may be plausible, but said the attack only works on machines placed on a public network without the protection offered by a firewall. “In a private network, some printers may be vulnerable if a malicious effort is made to modify the firmware of the device by a trusted party on the network. In some Linux or Mac environments, it may be possible for a specially formatted corrupt print job to trigger a firmware upgrade,” the statement adds. It appears HP is working on a firmware upgrade that will mitigate the issue, but in the meantime, its customers are advised to secure the devices by placing them behind a firewall and by disabling remote firmware upload when possible. Source:

32. November 29, Computerworld – (International) Hackers launch millions of Java exploits, says Microsoft. Hackers continue to launch attacks exploiting vulnerabilities in Oracle’s Java software in record numbers, Microsoft said November 28. Citing research from a recent report, a director in the company’s Trustworthy Computing group said up to half of all attacks detected and blocked by Microsoft’s security software over a 12-month period were Java exploits. Altogether, Microsoft stopped more than 27 million Java exploits from mid-2010 through mid-2011. Most of those exploits targeted long-ago-patched vulnerabilities, the director said. The most commonly-blocked Java attacks — over 2.5 million — in the first half of 2011 exploited a bug disclosed in March 2010 and patched by Oracle the same month. Second on the popularity chart for the 12-month stretch was an exploit of a bug patched in December 2008. Other bugs that made the actively-exploited list were quashed in November 2009 and March 2010. Source:

33. November 29, CNET News – (International) Apple issues late XProtect update for Flashback trojan. To help combat malicious software, Apple incorporated a feature into OS X called XProtect that is a rudimentary scanner for newly downloaded files that notifies users if they contain malware. But when the scanner’s definitions are updated, criminals will likely release new variants. Currently there is no new known malware for OS X, but criminals behind one of the newer attacks, called Flashback, have been creating new variants. Flashback was first found in late September packaged as an installer for the popular Flash Player plug-in. When run, the malware installed a loader into the user’s preferences folder. In its second revision (found in late October), the malware changed to inject code into Web browser applications (Safari and Firefox), which would launch the malware when these programs were run. In both cases, the malware attempts to send personal information to remote servers. Apple’s XProtect definitions were updated to tackle the first Flashback malware (OSX/Flashback.A); however, XProtect was last updated November 1 to include definitions for the DevilRobber malware. On November 29, Apple updated XProtect again to deal with Flashback — however, despite there being a number of new Flashback variants, the update only includes definitions for the second release of Flashback (OSX/Flashback.B), which was found about a month ago. Security company Intego recently reported that the Flashback malware has undergone a number of changes that allow the code to slide past malware detection schemes, even though the behavior of the malware has not changed much. Source:

34. November 29, The Register – (International) Google researchers propose fix for ailing SSL system. Security researchers from Google proposed an overhaul to improve the security of the Secure Sockets Layer encryption protocol that millions of Web sites use to protect communications against eavesdropping and counterfeiting. The changes are designed to fix a structural flaw that allows any one of the more than 600 bodies authorized to issue valid digital certificates to generate a Web site credential without the permission of the underlying domain name holder. The consequences of fraudulently issued certificates were underscored in late August when hackers pierced the defenses of Netherlands-based DigiNotar and minted bogus certificates for Google and other high-profile Web sites. One of the fraudulent credentials, for Google mail, was used to snoop on as many as 300,000 users, most of them from Iran. Under changes proposed November 29 by Google security researchers, all certificate authorities would be required to publish the cryptographic details of every Web site certificate to a publicly accessible log that has been cryptographically signed to guarantee its accuracy. The overhaul, they said, is designed to make it impossible – or at least much more difficult – for certificates to be issued without the knowledge of the domain name holder. Source:
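The signed public log described in item 34, as an added example that is not from this report or from Google's proposal: a toy Merkle-tree certificate log in Python in which the log hashes each published certificate into a tree, signs the tree head, and hands out inclusion proofs that a client can check, while a domain holder scans the log for certificates issued in its name by a CA it never used. The key name, the certificate strings and the use of an HMAC as the "signature" are constructed for the demo.

```python
import hashlib
import hmac

# Assumption: this demo log authenticates its tree head with an HMAC key it holds;
# a real log would publish an asymmetric signature that anyone can verify.
LOG_KEY = b"constructed-demo-log-key"

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()
def leaf_hash(cert: bytes) -> bytes:
    return _h(b"\x00" + cert)  # domain-separated leaf hash
def node_hash(left: bytes, right: bytes) -> bytes:
    return _h(b"\x01" + left + right)  # domain-separated interior hash
def _split(n: int) -> int:
    return 1 << ((n - 1).bit_length() - 1)  # left subtree size: largest power of 2 below n

def root_hash(leaves: list) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return node_hash(root_hash(leaves[:k]), root_hash(leaves[k:]))

def inclusion_proof(leaves: list, index: int) -> list:
    """Audit path for leaves[index]: (sibling_hash, sibling_is_left), leaf to root."""
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if index < k:
        return inclusion_proof(leaves[:k], index) + [(root_hash(leaves[k:]), False)]
    return inclusion_proof(leaves[k:], index - k) + [(root_hash(leaves[:k]), True)]

def verify_inclusion(leaf: bytes, proof: list, root: bytes) -> bool:
    """Client side: rebuild the root from a leaf and its audit path."""
    h = leaf
    for sibling, sibling_is_left in proof:
        h = node_hash(sibling, h) if sibling_is_left else node_hash(h, sibling)
    return h == root

def sign_tree_head(root: bytes, size: int) -> bytes:
    return hmac.new(LOG_KEY, size.to_bytes(8, "big") + root, "sha256").digest()
def verify_tree_head(root: bytes, size: int, sig: bytes) -> bool:
    return hmac.compare_digest(sign_tree_head(root, size), sig)

def certs_for_domain(certs: list, domain: bytes) -> list:
    """Monitoring: every logged cert naming the domain, whichever CA issued it."""
    return [c for c in certs if c.startswith(b"CN=" + domain + b",")]

# Constructed sample entries; the last is a cert the domain holder never requested.
CERTS = [b"CN=mail.google.com,issuer=TrustedCA", b"CN=example.org,issuer=TrustedCA",
         b"CN=www.example.net,issuer=OtherCA", b"CN=mail.google.com,issuer=RogueCA"]
```

A log entry that is absent from the tree cannot be given a valid audit path, and a tree head whose size or root is altered fails signature verification, which is what lets a domain holder trust what the log shows.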

35. November 29, IDG News Service – (International) Facebook settles FTC privacy complaints. Facebook agreed to settle U.S. Federal Trade Commission (FTC) charges that it deceived consumers “on numerous occasions” by telling them they could keep their personal information private, then repeatedly sharing that information, the agency said November 29. The FTC found a “number of instances” when Facebook made privacy promises it did not keep, the agency said in a statement. The FTC charged Facebook with unfair and deceptive business practices in an eight-count complaint made public November 29. Under the proposed settlement, Facebook is barred from making further deceptive claims about privacy, and the company must get approval before it changes the way it shares consumer data. The proposed settlement also requires Facebook to obtain periodic assessments of its privacy practices by independent auditors over the next 20 years, the FTC said. The settlement has no fines. Source:

36. November 29, Information Age – (International) Hackers accessed city infrastructure via SCADA – FBI. Hackers recently accessed the critical infrastructure of three unnamed cities by compromising their supervisory control and data acquisition (SCADA) systems, the deputy assistant director of the FBI’s Cyber Division said November 29. Speaking at the Flemings Cyber Security conference in London, England, the deputy assistant director said the hackers could theoretically have dumped sewage into a lake, or shut off the power to a shopping mall. The attack “was sort of a tease to law enforcement and the local city administration, saying ‘I’m here, what are you going to do about it,’” he said. He would not clarify whether the attacks in question related to a reported SCADA attack on a water facility in Springfield, Illinois. On November 23, the DHS denied there was any hacking involved in the failure of a water pump at the Springfield facility. Source:

37. November 23, SC Magazine Australia – (International) 250k users exposed in Naijaloaded hack. Almost 250,000 user details of popular Nigerian youth forum Naijaloaded were exposed after the site was hacked. A hacker by the name of TheMrX uploaded a shell on the Web site and accessed its 42 MB user database. The database contained names, usernames, passwords, and location information of 243,089 users. Naijaloaded is a popular African social forum site that includes hacking and software tutorials, and discussion on music, movies, and business. The hackers said they would not publish the database, seen by SC Magazine, but said the US HostGator Web server that hosted Naijaloaded contained 79 other domains that may be vulnerable. “It is running one of the newest 2011 kernels, so most public exploits are outdated yet, it may still be possible to get in,” a member of the Team Infra hacking group said. The hacker also showed two invoice databases with customer e-mail exchanges and sales data purportedly held by hosting providers, and the group said the data was obtained through a local file inclusion exploit in the WHMCS client management and billing system. Source:,250k-users-exposed-in-naijaloaded-hack.aspx

For another story, see item 14 above in the Banking and Finance Sector

Communications Sector

See item 30 above in the Information Technology Sector