Tuesday, April 3, 2012

Complete DHS Daily Report for April 3, 2012

Top Stories

• The Department of Energy identified serious cybersecurity gaps at the Bonneville Power Administration, which supplies wholesale electric power to regional utilities in the Pacific Northwest. – Infosecurity

2. March 30, Infosecurity – (National) Serious cybersecurity lapses found at Pacific Northwest electricity supplier. The Department of Energy (DOE) identified serious cybersecurity gaps at the Bonneville Power Administration, which supplies wholesale electric power to regional utilities in the Pacific Northwest, Infosecurity reported March 30. An audit by DOE’s Office of the Inspector General (OIG) found Bonneville did not implement controls designed to address known IT system vulnerabilities. “Specifically, technical vulnerability scanning conducted on nine applications used to support business functions such as financial management, human resources, and security management identified a significant number of high-risk weaknesses in the areas of access controls, patch management, and validation of user input,” according to the audit. In addition, OIG’s testing of five operational security control systems identified issues with configuration management, access controls, and contingency and security planning. A number of IT system development efforts suffered from cost, scope, and schedule overruns due to weaknesses in project planning and management. Source: http://www.infosecurity-magazine.com/view/24869/serious-cybersecurity-lapses-found-at-pacific-northwest-electricity-supplier/

• A data breach at the Global Payments payments processing firm potentially compromised up to 1.5 million credit and debit card numbers from all of the major card brands. – CNNMoney. See item 7 below in the Banking and Finance Sector

• The Department of Agriculture confirmed that citrus greening, a plant disease that has killed millions of citrus trees and cost growers billions of dollars across Florida and Brazil, was detected in California. – Associated Press

18. April 1, Associated Press – (National) Deadly citrus disease turns up in California. A citrus disease that has killed millions of citrus trees and cost growers billions of dollars across Florida and Brazil has been detected in California, despite the industry’s best efforts to keep it at bay, the Associated Press reported April 1. After a week of testing, the U.S. Department of Agriculture confirmed citrus greening was detected in a lemon-grapefruit hybrid tree in a residential neighborhood of Los Angeles County. The disease stands to threaten not only California’s nearly $2 billion citrus industry but backyard trees scattered throughout the state. “Huanglongbing is called the world’s worst disease of citrus,” said an official with the California Department of Food and Agriculture. The bacterial disease is carried by the Asian citrus psyllid and attacks a tree’s vascular system, producing bitter fruit and eventually killing the tree. Sap-sucking psyllids that feed on an infected tree become carriers of the disease. The disease is present in Mexico and across the southern U.S., but nowhere is the problem more severe than in Florida, where the disease first appeared in 2005. The University of Florida estimates it has cost 6,600 jobs, $1.3 billion in lost revenue to growers, and $3.6 billion in lost economic activity. The pest and the disease also are present in Texas, Louisiana, Georgia, and South Carolina. The states of Arizona, Mississippi, and Alabama have detected the pest but not the disease. Source: http://nhregister.com/articles/2012/04/01/news/doc4f7908eb4ddbc220182535.txt

• A bomb squad discovered wired explosives, chemicals, and gunpowder in the apartment of a dead man in Mont Belvieu, Texas, prompting an evacuation. – KRIV 26 Houston (See item 51)

51. March 30, KRIV 26 Houston – (Texas) Police discover dead man, evidence of bomb inside Mont Belvieu apartment. Following the evacuation of a Mont Belvieu, Texas apartment complex March 30, a bomb squad discovered wired explosives, chemicals, and gunpowder in the apartment of a dead man. Police were called to a man’s apartment after the man’s employer called police to check on him. When officers entered the apartment, they found the man dead, apparently of natural causes. While taking the body away, emergency crews discovered a number of weapons and information on anti-government activities and bomb making. The Alcohol, Tobacco, and Firearms Bureau was alerted as a result. Bomb squads were sent to the scene, and police evacuated nearly half of the complex surrounding the man’s apartment. The bomb squad found explosives resembling homemade improvised explosive devices. The search for those devices proved difficult as it seemed the dead man was a hoarder. Crews had to clear the hoarded material as they searched. Source: http://www.myfoxhouston.com/dpp/news/local/120330-apartments-evacuated-bomb-squads-searching-home


Banking and Finance Sector

7. April 2, CNNMoney – (International) 1.5 million card numbers at risk from hack. A data breach at a payments processing firm potentially compromised up to 1.5 million credit and debit card numbers from all of the major card brands. Global Payments, a company that processes card transactions, confirmed March 30 that “card data may have been accessed.” It said it discovered the intrusion in early March and “promptly” notified others in the industry. Global Payments released a statement April 1 with more details. The company said that while more than 1 million card numbers were potentially compromised, cardholder names, addresses, and Social Security numbers were not affected. Global Payments did not say which card companies were affected, but Visa released a statement March 30 saying it was all of the major companies. MasterCard said it alerted payment card issuers “regarding certain MasterCard accounts that are potentially at risk.” Discover and American Express said they are monitoring the situation. Global Payments held a conference call April 2 to provide more details on the debacle. Executives stressed that an investigation is ongoing. Until the investigation is complete, they are waiting to release specifics on how the hack occurred. A U.S. Secret Service spokesman said March 31 the agency also is investigating the incident. Global Payments said the breach was limited to only “a handful of servers,” and appears to be confined to accounts in North America. Global Payments processed $167 billion worth of transactions in its last fiscal year. Source: http://money.cnn.com/2012/04/02/technology/global-payments-breach/

8. April 2, Associated Press – (Nevada; National) FTC targets alleged payday scam, race car driver. A payday lending operation that offers quick cash over the Internet to desperate people, and the race-car driver allegedly running it, are under federal scrutiny after more than 7,000 complaints to authorities, the Associated Press reported April 2. The Federal Trade Commission (FTC) filed a complaint in U.S. district court in Nevada against the driver, his brother, and several Internet-based lending companies, including AMG Services, Inc. The FTC charges that the driver and others controlled lending companies that piled on undisclosed and inflated fees — in some cases more than triple the amount borrowed — and then collected on the loans illegally by threatening borrowers with arrests and lawsuits. In one example, a consumer was told a $500 loan would cost him $650 to repay. Instead, the FTC says, the defendants attempted to charge him $1,925 to pay off the loan. The agency said he was threatened with arrest if he did not pay that amount. Over the last 5 years, more than 7,500 complaints about the operation were filed with law enforcement authorities. The driver and his brother are accused of transferring more than $40 million collected from payday loans to consumers to another company, Level 5 Motor Sports. The FTC said the money was transferred as “sponsorship” fees for the driver’s racing career. Source: http://www.miamiherald.com/2012/04/02/2727611/ftc-targets-alleged-payday-scam.html

9. April 2, Associated Press – (International) Temporary outage of Visa card network Sunday. A technical problem affecting the Visa network barred some people around the United States from using their credit and debit cards for about 45 minutes April 1, the company said. The outage was caused by a recent update Visa made to its system, a Visa Inc. spokeswoman said. She said Visa had trouble processing some transactions as a result, but the system is operating normally now. The spokeswoman said the problem was unrelated to the security breach potentially affecting Visa and MasterCard customers reported March 30 by credit card processor Global Payments Inc. The outage occurred from around 2:40 p.m. to 3:20 p.m., a person from a major bank said. Visa notified the banks that are members of its network of the problem. Consumers and merchants reported having Visa cards rejected April 1. Source: http://www.wishtv.com/dpps/money/business_news/temporary-outage-of-visa-card-network-sunday-nt12-jgr_4124112

10. April 1, Fort Worth Star-Telegram – (Texas; International) Computer hacker tries to steal $1.8 million from Arlington’s bank account. A computer hacker tried to steal $1.8 million from the city of Arlington, Texas’ bank account in late February, but officials would not release details, citing an ongoing investigation. City treasury staff, using internal audit controls, detected the fraudulent transfers and recovered the money, an Arlington spokeswoman told the Fort Worth Star-Telegram March 31. It was not revealed how and when the hacker accessed the account information, how much was in the account, or what the city did to improve security. Arlington Police initially handled the investigation, but a source said the FBI is taking over. After the breach, the spokeswoman said the city is reviewing systems and control measures and is working closely with security consultants, banking regulators, and investigators. Source: http://www.star-telegram.com/2012/04/01/3850876/computer-hacker-tries-to-steal.html#storylink=cpy

11. March 30, Douglasville Patch – (Georgia) Douglasville business involved in identity theft scheme. A jury in Atlanta’s federal district court returned a guilty verdict March 29 against two defendants on charges of stealing the identities of more than 85 individuals in the Atlanta area. According to a U.S. attorney, between May 2006 and March 2010, the pair stole mail, credit cards, and other personal information from individuals in the Atlanta area, and then opened a variety of financial accounts under the victims’ names. As part of the scheme, one of the defendants obtained a job as a mail carrier in the Hiram Post Office under an identity she stole from another person from Nigeria before she entered the United States in 2004. She obtained a social security card and a U.S. passport and, in March 2009, was naturalized as a U.S. citizen — all under the assumed name. Using the information stolen from the mail route customers, the pair applied for credit cards and bank loans in their victims’ names. They deposited the fraudulent loan proceeds into bank accounts opened under yet other victims’ names and then wrote checks from those accounts to their two fraudulent businesses, GMO Auto Services in Douglasville and Gabmike Limousine Service in Smyrna. They also used the fraudulent credit cards at their businesses. In March 2010, law enforcement officers stopped the defendants driving a Lincoln Navigator and found dozens of American Express, Walmart, and Target gift cards that were purchased with stolen credit cards issued to individuals residing on the woman’s mail route. The jury returned guilty verdicts on all 44 counts it considered, including conspiracy, access device or credit card fraud, aggravated identity theft, bank fraud, mail theft, immigration fraud, social security fraud, and passport fraud. Source: http://douglasville.patch.com/articles/douglasville-business-involved-in-identity-theft-scheme

Information Technology

39. April 2, H Security – (International) Rails 3.2.3 makes mass assignment change. The Ruby on Rails developers published Rails 3.2.3, which includes the mass assignment change that appeared in the wake of March’s GitHub incident. In that incident, a developer used a well-known vulnerability in the default configuration of Rails applications to manipulate GitHub projects. The problem was that, for ease of development, Rails allowed any field in a database record to be set in a mass assignment action and then left it to the developer to lock down the application. The change in Rails 3.2.3 now forces developers to whitelist fields for mass assignment by flipping the config.active_record.whitelist_attributes property to true by default. This change only affects new applications; developers should check their existing Rails applications for mass assignment vulnerabilities or set the config.active_record.whitelist_attributes property to true in their applications. The 3.2.3 release also sees the addition of an option to change how authenticity_tokens are handled when doing remote forms, and updates to rack-cache (to fix a cookie leak) and mail to address security vulnerabilities. Source: http://www.h-online.com/security/news/item/Rails-3-2-3-makes-mass-assignment-change-1498547.html

40. April 2, The Register – (International) Pastebin.com hiring staff to get rid of activists’ dumps. Pastebin.com has promised to police content on its site more tightly by hiring staff to delete data dumps and other sensitive information more quickly. The site, one of several of its type and originally set up primarily for programmers, has become a favorite dumping ground for hacktivists from Anonymous and LulzSec over recent months. Many of these posts revealed an array of personal information swiped from the insecure systems of targets including home addresses, e-mail passwords, and credit card details. The dumps are then linked to and publicized by Twitter updates from the various hacktivists. Source: http://www.theregister.co.uk/2012/04/02/pastebin_content_policing/

41. April 2, H Security – (International) Security vulnerability at TweetDeck. The TweetDeck Twitter client apparently suffered from a security breach March 30 that gave some users the ability to take over other people’s accounts. Twitter, which owns TweetDeck, reacted quickly and disabled the client’s access to the system. TweetDeck’s functionality was restored less than a day later, once the bug was fixed. A TweetDeck user discovered the bug, which gave him access to the Twitter and Facebook accounts of hundreds of other TweetDeck users. TweetDeck allows its users to pull together both Twitter and Facebook accounts under a TweetDeck account to aggregate updates from both services. The user publicly reported the problem on Twitter, posting a screenshot to document the vulnerability. To back up his claims, he also posted several messages from other people’s accounts. In a statement to VentureBeat and other U.S. media, Twitter representatives said no account passwords were compromised and, as far as Twitter is aware, the vulnerability was not exploited maliciously. Facebook told the Wall Street Journal that fewer than 250 of its users were affected, no abuse of those accounts occurred, and it was working with Twitter to “understand the full scope of this issue.” Source: http://www.h-online.com/security/news/item/Security-vulnerability-at-TweetDeck-1498585.html

42. April 2, The Register – (International) Mac Java hole exploited by wild Flashback trojan strain. Security watchers have discovered a strain of Mac-specific malware that exploits an unpatched vulnerability in Java. A variant of the Flashback trojan exploiting CVE-2012-0507 (a Java vulnerability) was spotted in the wild, F-Secure warns. Oracle patched the vulnerability for Windows machines in February, but has yet to issue a fix for Mac OS X — creating a window of opportunity for virus writers. F-Secure advises users to disable Java, which is not needed to visit the vast majority of Web sites, on their Mac. Some banking Web sites mandate the use of Java, in which case security-conscious Mac users can re-enable Java for the duration of their session before turning it off again, the security firm suggests. Source: http://www.theregister.co.uk/2012/04/02/flashback_mac_malware/

43. April 2, Help Net Security – (International) Potential first Android bootkit spotted. Security researchers of NQ Mobile recently discovered what might be the first Android bootkit. Dubbed DKFBootKit, the malware piggybacks malicious payloads into legitimate apps that require root privilege. “Specifically, by taking advantage of the root privilege, DKFBootKit adds itself as a part of the boot sequence of the original Android system and replaces a number of utility programs (e.g., ifconfig and mount),” claim the researchers. “By doing so, the malware can get started even before the entire Android framework is bootstrapped.” The apps targeted for repackaging with the malicious payload are mostly utility apps, but a few are also apps that provide license keys for some paid apps. The malware’s final goal is to make itself run earlier than the Android framework, and to deliver a bot payload that connects the device to several command and control servers and waits to receive additional commands. Source: http://www.net-security.org/malware_news.php?id=2051&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader

44. March 31, Softpedia – (International) Expert shows how hackers can use CSRF browser vulnerability. The hacker who broke into GitHub to demonstrate a vulnerability warns that cross-site request forgery (CSRF), a security hole that affects all browsers, must be addressed immediately because it poses a great risk for unsuspecting users. He claims CSRF security holes have been present for a long time, but many underestimated the dangers hiding behind them. Unlike cross-site scripting attacks which exploit the trust of a user towards a particular site, CSRF attacks rely on the trust that a site has in a browser. The expert explains that when users sign in to any site, dubbed by the researcher as site1.com, they are remembered by the cookie mechanism. By leveraging the vulnerability, the hacker can shorten the Web site’s session and social engineer the victim into signing in again. The user signs in the second time and a malicious script is triggered. Then, when the user visits a second site, named site2.com, the exploit begins. Source: http://news.softpedia.com/news/Expert-Shows-How-Hackers-Can-Use-CSRF-Browser-Vulnerability-262109.shtml

For more stories, see item 2 above in Top Stories and items 7 and 10 above in the Banking and Finance Sector

Communications Sector

45. April 1, KNDU 25 Kennewick; KNDO 23 Yakima – (Washington) Local radio station hijacked. The radio station Power 99.1 KUJ FM in Burbank, Washington, has had its signal hijacked, KNDU 25 Kennewick and KNDO 23 Yakima reported April 1. The hijacker calls himself the radio pirate and has been breaking onto the airwaves, making small statements and playing his choice of songs. The hijackings started March 28 and each day there were a few instances of piracy. The station was working with the Federal Communications Commission and local law enforcement to solve the case. Source: http://www.kndo.com/story/17307068/local-radio-station-hijacked