Thursday, October 18, 2012
Daily Report
Top Stories
• Capital One Bank confirmed that its Web site was hit by another distributed denial-of-service (DDoS) attack October 16. The incident was the second attack allegedly waged by a hacktivist group against the bank, with the group threatening new attacks on banks October 16-18. – BankInfoSecurity See item 11 below in the Banking and Finance Sector
• Distributed denial-of-service (DDoS) attacks with an average bandwidth over 20Gbps have become commonplace in 2012, a 230 percent increase over 2011, according to new security research. High bandwidth attacks were previously isolated incidents, and few organizations have the infrastructure to handle such attacks. – IDG News Service See item 33 below in the Information Technology Sector
• Five people were found dead in a bar outside Denver where a fire broke out October 17. Police believe the blaze was set to cover up the murders. – Associated Press
38. October 17, Associated Press – (Colorado) 5 dead in apparent arson-homicide at Denver bar. Five people were found dead in a bar outside Denver where a fire broke out October 17, and police believed the blaze was set to cover up the murders. The fire at Fero’s Bar & Grill was reported around closing time, the police chief said. Firefighters found four women and one man dead inside the bar. Police do not think they died in the fire. “The business has obviously been set on fire, an arson, I’m guessing, to mask the homicide that occurred inside,” said a police commander. “There is just trauma, enough information to believe that we have a homicide that occurred here. They didn’t perish in the fire,” he said. The fire did not appear to be a very large one. No damage to the bar was visible from the street or aerial news coverage. The bar is located in a strip mall about five miles south of downtown Denver just outside of the Cherry Creek North shopping district on one of the city’s busiest streets, Colorado Boulevard. Autopsies were expected to be conducted October 17. Source: http://www.seattlepi.com/news/article/5-dead-in-apparent-arson-homicide-at-Denver-bar-3956039.php
• A study released by the U.S. Army Corps of Engineers October 15 said the agency did what it could to manage the historic 2011 flooding on the Missouri River, but more repairs, research, and monitoring are needed to mitigate damage in future high flow years. – Associated Press
42. October 16, Associated Press – (National) Corps study cites vulnerabilities in wake of Missouri River flooding. A study released by the U.S. Army Corps of Engineers October 15 said the agency did what it could to manage the historic 2011 flooding on the Missouri River but that more repairs, research, and monitoring are needed to mitigate damage in future high flow years. The flooding began after the Corps released massive amounts of water from upstream reservoirs that had been filled with melting snow and heavy rains. The onslaught lasted for more than 100 days, busting levees, carving gouges up to 50 feet deep, and dumping debris on farmers’ fields. The Corps said about $400 million would be spent to fix damage along the Missouri River caused by the 2011 flooding. Most levee fixes are expected to be done before spring of 2013, with work on the dams expected to take longer. More funding might be required for the repairs, but the Corps said it was still evaluating the amount. The study also said more water gauges are needed on the Missouri River. It notes that between 1990 and 2010, 387 gauges that once were monitored by the U.S. Geological Survey were discontinued. Seventeen other gauges now provide less information. Source: http://www.columbiatribune.com/news/2012/oct/16/corps-study-cites-vulnerabilities-in-wake-of/
Details
Banking and Finance Sector
6. October 17, Naperville Sun – (Illinois; California) Men from Naperville, Lisle accused in $28 million scam. Two men were scheduled to be arraigned October 18 in U.S. District Court in Chicago on charges of running a $28 million Ponzi-type scheme targeting investors primarily in Illinois and California, according to a statement from the U.S. attorney’s office. One man was a principal of USA Retirement Management Services, which had offices in Oakbrook Terrace, Illinois, and southern California. The other was a company salesman who conducted seminars attended by victims of the alleged scam. A third man also conducted estate planning seminars targeting primarily retirees. According to the indictment, the men between 2005 and 2010 offered and sold promissory notes, in which USA Retirement “absolutely and unconditionally” guaranteed investors rates of 4.75 to 11 percent annually. Two of the men “falsely claimed that the interest would be generated from investments in Turkish bonds,” the statement declared. Instead they used the money to pay some investors and themselves. The men falsely claimed that they had years of investment banking experience and had profited in investing in Turkish bonds. The men had no banking experience and did not make any investments. The company principal and salesman are charged with five counts of wire fraud and four counts of mail fraud. The man who conducted seminars is charged with three counts of wire fraud and three counts of mail fraud.
7. October 16, Atlanta Journal Constitution – (Georgia) Husband, wife convicted in tax scheme. A Lawrenceville, Georgia couple was convicted for a tax defiance scheme after claiming that they were “American citizens” and not subject to federal income tax laws, the U.S. Attorney’s Office announced October 16. The husband and wife were found guilty by a federal jury of conspiring to defraud the United States and making false claims upon the Internal Revenue Service (IRS). According to the information presented in court, the couple, who owned a yard furnishing store and general contracting business in Duluth, conspired to avoid taxes from 1999 to 2009 and submitted false claims for refunds. The couple stopped filing federal income tax returns in the 1990s, then hired the now-defunct American Rights Litigators (ARL) to fight the IRS on their behalf. ARL sold and promoted tax defiance schemes, authorities said. The husband and wife’s ploys to avoid taxes included sending “obstructive, frivolous, and harassing documents” to the IRS and Department of the Treasury, and establishing business bank accounts using fake tax identification numbers to hide money. In 2009, the couple submitted two fraudulent tax returns claiming more than $420,000 in refunds. They also sent the government a bogus $100 billion, private registered bond to pay off their debts. Source: http://www.ajc.com/news/news/local/husband-wife-convicted-in-tax-scheme/nSfTY/
8. October 16, Imperial Valley News – (Idaho; California) Former Elk Grove man arrested in Idaho for $20 million investment fraud. A California man was arrested October 15 on federal investment fraud and bankruptcy fraud charges in Caldwell, Idaho, involving a $20 million investment fraud scheme. The man was charged in a 24-count indictment with wire fraud, false statements in bankruptcy, and bankruptcy bribery. The indictment alleges that he carried out an investment fraud through an entity known as the Perfect Financial Group. According to the indictment, he targeted 190 members of the ethnic Indian Fijian community. He told investors that he was using their money for hard money lending, but actually, he put it to other purposes. The indictment alleges that he lost $12 million through gambling; diverted more than $2 million to personal bank accounts and withdrew much of that in cash; spent $880,000 on a film project; and spent more than $1 million on other business ventures. He also used the money to pay other victims, falsely representing that the payments were profits from the short-term hard money lending business. According to court documents, on August 19, 2010, the man declared bankruptcy and committed fraud crimes in the bankruptcy. In the bankruptcy, he allegedly failed to disclose bank accounts and tried to induce his victims not to participate in the bankruptcy proceedings. Source: http://www.imperialvalleynews.com/index.php/news/latest-news/2000-former-elk-grove-man-arrested-in-idaho-for-20-million-investment-fraud.html
9. October 16, Boulder Daily Camera – (Colorado) Boulder ‘Face-Off Bandit’ pleads guilty to aggravated robbery. The “Face-Off Bandit” accused of robbing four banks in Boulder, Colorado, pleaded guilty to one count of aggravated robbery October 16. The robber was originally charged with four counts of aggravated robbery but had three charges dropped as part of the plea deal. He was accused in bank robberies dating back to December 16, 2011 at a Great Western Bank; January 19 at a First Bank; February 15 at a Chase Bank; and March 8 at a First National Bank in Louisville. He also robbed a bank in Jefferson County. Authorities called him the “Face-Off Bandit” because he wore fake beards as disguises and left them as he fled. Source: http://www.denverpost.com/opinion/ci_21783048/mark-edwards-boulder-face-off-bandit-pleads-guilty
10. October 16, The H – (International) Santander’s online banking keeps passwords in cookies. The retail Web site for Santander bank has been discovered to be keeping customer passwords in plain text in cookies held while the user is logged in, The H reported October 16. The discovery was revealed on the Full Disclosure mailing list when an anonymous user posted details of how credit card numbers and other information were stored in session cookies. According to the report, the “NewUniversalCookie” is base64 decoded to reveal an XML document which contains a name, alias, and user ID. In fact, the cookie contains multiple fields; the base64 encoded XML document was just one of them. The H found that, in at least one case, upon decoding an account the innocuously named “alias” field in fact contained a plain text version of the user’s password. The password alone is not sufficient to access a Santander account as there is another registration number that needs to be used with it, but the presence of a plain text password does raise questions about the security practices of the bank’s online site. A Santander spokesperson told The H: “The data items stored within our cookies, if compromised, would not allow access to our online services on their own and our primary login processes do not rely on cookie data.” Source: http://www.h-online.com/security/news/item/Santander-s-online-banking-keeps-passwords-in-cookies-Update-1730364.html
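As an added illustration (not code from the report or from The H’s analysis), the kind of check a site owner could run against their own session cookies: base64-decode any field that turns out to be XML and flag elements whose text equals a credential the test session already knows. The `|` field separator, the XML layout and all sample values are constructed assumptions, not Santander’s real format.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample cookie for demonstration only. The "|" separator and the
# XML element names are assumptions; only the idea (one base64 field among
# several, holding an XML document with a name/alias/userid) comes from the report.
SAMPLE_XML = b"<user><name>Jane Doe</name><alias>hunter2</alias><userid>12345</userid></user>"
SAMPLE_COOKIE = "a1b2c3|" + base64.b64encode(SAMPLE_XML).decode("ascii") + "|sessionflag=1"

# Secrets the test harness itself used to log in, so they must never be echoed
# back by the server in any cookie (constructed values).
KNOWN_SECRETS = {"password": "hunter2", "card_number": "4111111111111111"}


def base64_xml_fields(cookie_value, sep="|"):
    """Return (field_index, xml_root) for every field that base64-decodes to well-formed XML."""
    found = []
    for idx, field in enumerate(cookie_value.split(sep)):
        try:
            raw = base64.b64decode(field, validate=True)
        except (binascii.Error, ValueError):
            continue  # not valid base64 (bad length, padding or alphabet); skip it
        if not raw.lstrip().startswith(b"<"):
            continue  # decoded cleanly but is not an XML document
        try:
            found.append((idx, ET.fromstring(raw)))
        except ET.ParseError:
            continue  # looked like XML but does not parse
    return found


def find_credential_leaks(cookie_value, secrets, sep="|"):
    """Return [(field_index, element_tag, secret_name)] for each XML element whose text equals a known secret."""
    leaks = []
    for idx, root in base64_xml_fields(cookie_value, sep):
        for elem in root.iter():
            text = (elem.text or "").strip()
            if not text:
                continue
            for name, value in secrets.items():
                if text == value:
                    leaks.append((idx, elem.tag, name))
    return leaks


if __name__ == "__main__":
    for idx, tag, name in find_credential_leaks(SAMPLE_COOKIE, KNOWN_SECRETS):
        print(f"field {idx}: element <{tag}> carries the session's {name} in plain text")
```

In a real test harness the secrets dictionary would be filled from the credentials the harness logged in with, and the check run over every Set-Cookie header received after login.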
11. October 16, BankInfoSecurity – (International) CapOne takes second DDoS hit. Capital One confirmed that its Web site was hit by another distributed denial of service (DDoS) attack October 16. The incident was the second attack allegedly waged in October by a hacktivist group against the bank. “Capital One is experiencing intermittent access to some online systems due to a denial of service attack,” a bank spokeswoman said. “There was minimal impact to the majority of our customers.” The same day, a post claiming to be from the hacktivist group appeared on Pastebin claiming new attacks against U.S. banks would be waged between October 16 and October 18. The group noted that this new wave of DDoS attacks is being initiated without advance warning. In earlier Pastebin posts, the group named the eight banks it eventually attacked. A financial fraud and security consultant with CEB TowerGroup said the October 9 attack against Capital One appeared to be one of the most damaging. “With CapOne, they seemed to take a bigger hit than the others,” he said. “Other banks seemed to handle the attacks better.” Source: http://www.bankinfosecurity.com/capone-takes-second-ddos-hit-a-5203
Information Technology Sector
33. October 17, IDG News Service – (International) High bandwidth DDoS attacks are now common, researcher says. Distributed denial-of-service (DDoS) attacks with an average bandwidth over 20Gbps have become commonplace in 2012, according to researchers from DDoS mitigation vendor Prolexic. In 2011, such high-bandwidth attacks were isolated incidents, Prolexic’s president said October 16. Very few companies or organizations have the network infrastructure to handle such attacks. Prolexic released its global DDoS attack report for the third quarter October 17. According to the report, attacks increased 88 percent compared with the same quarter of 2011. However, compared to the second quarter of 2012, the number of attacks actually declined by 14 percent. The average attack bandwidth during the third quarter of 2012 was 4.9Gbps, which represents a 230 percent increase compared to 2011, and an 11 percent increase compared to the previous quarter. The average attack during the third quarter of 2012 lasted 19 hours, slightly longer than in the second quarter. The majority of attacks — over 81 percent — targeted the infrastructure layer, while 18.6 percent of attacks targeted the application layer. The top three countries where DDoS attacks originated were China with 35 percent of attacks, the United States with 28 percent, and India with 8 percent. Source: http://www.computerworld.com/s/article/9232487/High_bandwidth_DDoS_attacks_are_now_common_researcher_says
34. October 16, Softpedia – (International) Blackhole/Zeus threat comes via ‘You have blocked your Facebook account’ spam. Malicious emails entitled “Verify your account” were spotted by security experts. The alerts are part of a cybercriminal campaign whose main goal is to lure users to Blackhole-infested, Zeus-serving Web sites. Fake Facebook notifications are becoming more and more inventive. Recently, instead of informing potential victims that their accounts were suspended by Facebook, spammers tell users they somehow blocked their own accounts. “You have blocked your Facebook account. You can reactivate your account whenever you wish by logging into Facebook with your former login email address and password,” the shady emails read. GFI Labs experts indicate that the links from these messages are designed to take Internet users to compromised Web sites that further redirect them to fake Adobe Flash Player update sites. Source: http://news.softpedia.com/news/BlackHole-Zeus-Threat-Comes-Via-You-Have-Blocked-Your-Facebook-Account-Spam-299745.shtml
35. October 16, Threatpost – (International) Zero-day attacks thrive for months before disclosure. Zero-day vulnerabilities and exploits dominate headlines and the most heated information security discussions. However, such attacks are relatively rare and hit only a small number of hosts, according to new research on the subject. Zero days get so much attention because of their effectiveness in compromising targets and avoiding detection. Two researchers from Symantec Research Labs examined a period of malware activity on a host of Symantec detection platforms from 2008 to 2011 and quantified the window of exposure organizations face from attacks that are active before vulnerabilities are publicly disclosed. The 18 attacks they discovered in that 3-year timespan lasted anywhere between 19 days and 30 months, an average of 312 days, or 10 months. That means organizations targeted by zero-day malware were likely compromised by a variety of malware attacking undisclosed vulnerabilities on a number of platforms. “For cyber criminals, unpatched vulnerabilities in popular software such as Microsoft Office or Adobe Flash represent a free pass to any target they might wish to attack, from Fortune 500 companies to millions of consumer PCs around the world,” the researchers wrote in a paper. Once zero-day vulnerabilities are publicly disclosed, attacks spike up, the researchers said, with most occurring within 30 days of disclosure. “Cyber criminals watch closely the disclosure of new vulnerabilities in order to start exploiting them which causes a significant risk for end users,” the paper said. Source: http://threatpost.com/en_us/blogs/zero-day-attacks-thrive-months-disclosure-101612
Communications Sector
Nothing to report.
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.