Friday, April 27, 2012

Complete DHS Daily Report for April 27, 2012

Once again, apologies to all for the delay in this report! I normally obtain the full report directly from DHS at 5AM EDST. Today, it became available at 09:45AM

Daily Report

Top Stories

• An international operation April 26 shut down dozens of Web sites, including many in the United States, which offered for sale information from about 2.5 million credit cards as well as other private data. – BBC News See item 13 below in the Banking and Finance Sector

• A report found the Florida Highway Patrol lieutenant who ordered the reopening of a fog- and smoke-shrouded interstate shortly before a series of crashes killed 11 people was unaware of the agency’s procedures. The lieutenant also had no formal training in opening and reopening roads. – Associated Press See item 17 below

17. April 26, Associated Press – (Florida) Report: Fla. Highway Patrol erred in opening smoke-shrouded I-75 before crashes that killed 11. A Florida Highway Patrol lieutenant who ordered the reopening of a fog- and smoke-shrouded interstate highway shortly before a series of crashes killed 11 people was unaware of the agency’s procedures and had no formal training in opening and reopening roads, a state report said April 26. The Florida Department of Law Enforcement report concluded troopers made errors but found no criminal violations. A highway patrol sergeant expressed concerns about reopening Interstate 75 in north Florida in January, after heavy smoke from a wildfire had forced its closure. But a lieutenant gave the order because he was worried keeping the highway closed also would be dangerous. At least a dozen cars, pickup trucks, and a van, six semi-trailer trucks, and a motorhome collided in six separate fatal crashes in north Florida near Gainesville. Some vehicles burst into flames, making it difficult to identify the victims. Smoke from a wildfire mixed with fog blanketed the highway where it cut through Paynes Prairie State Park. Source: http://www.washingtonpost.com/national/fla-highway-patrol-set-to-release-report-on-fog--smoke-shrouded-i-75-crash-that-killed-11/2012/04/26/gIQAsvmXiT_story.html

• Cyberattacks on the U.S. federal government's IT systems skyrocketed 680 percent in 5 years, an official from the Government Accountability Office testified at a Congressional hearing. – Infosecurity

39. April 25, Infosecurity – (National) Cyberattacks on U.S. federal IT system soared 680% in five years. Cyberattacks on the federal government's IT systems skyrocketed 680 percent in 5 years, an official from the Government Accountability Office (GAO) testified the week of April 23 on Capitol Hill. Federal agencies reported 42,887 cybersecurity incidents in 2011, compared with just 5,503 in 2006, the director of information issues for the GAO told a House Homeland Security Committee panel. The incidents reported by the agencies included unauthorized access to systems, improper use of computing resources, and the installation of malicious software, among others. The GAO official said the sources of the cyberthreats included criminal groups, hackers, terrorists, organizational insiders, and foreign nations. "The magnitude of the threat is compounded by the ever-increasing sophistication of cyber attack techniques, such as attacks that may combine multiple techniques. Using these techniques, threat actors may target individuals, businesses, critical infrastructures, or government organizations," he testified. The federal government's IT systems continue to suffer from "significant weaknesses" in information security controls, he said. Eighteen of 24 major federal agencies have reported inadequate information security controls for financial reporting for fiscal year 2011, and inspectors general at 22 of these agencies identified information security as a major management challenge for their agency, he told the House panel. "Reported attacks and unintentional incidents involving federal, private, and infrastructure systems demonstrate that the impact of a serious attack could be significant, including loss of personal or sensitive information, disruption or destruction of critical infrastructure, and damage to national and economic security," he warned. Source: http://www.infosecurity-magazine.com/view/25393/cyberattacks-on-us-federal-it-system-soared-680-in-five-years/

• Researchers found that RuggedCom's industrial networking gear ships with an undocumented account that cannot be modified and whose password is trivial to derive from the device's MAC address, which can give attackers the means to sabotage myriad industrial operations. The researchers said that for years the firm did not warn the power facilities, military facilities, and municipal traffic departments that use its technology about the flaw. – Ars Technica See item 49 below in the Information Technology Sector

Details

Banking and Finance Sector

13. April 26, BBC News – (National; International) Credit card 'info for sale' websites closed in global raids. Dozens of Web sites offering credit card details and other private information for sale have been taken down in a global police operation, BBC News reported April 26. Britain's Serious Organized Crime Agency (SOCA) said the raids in Australia, Europe, the United Kingdom, and the United States were the culmination of 2 years of work. Two Britons and a man from Macedonia were arrested, with 36 sites shut down. Some of the Web sites have been under observation for 2 years. During that period the details of about 2.5 million credit cards were recovered — preventing fraud, according to industry calculations, of about $809 million. The head of SOCA's cyber crime unit said criminals were selling personal data on an "industrial" scale. He said traditional "bedroom" hackers were being recruited by criminal gangs to write the malware or "phishing" software that steals personal data. Other information technology experts are used to write the code that enables the Web sites to cope, automatically, with selling the huge amounts of data. Joint operations April 26 in Australia, the United States, Britain, Germany, the Netherlands, Ukraine, Romania, and Macedonia led to the Web sites being closed down. Source: http://www.bbc.co.uk/news/uk-17851257

14. April 25, Associated Press – (Florida) FBI: South Florida bank robberies on rise. The FBI said bank robberies are on the rise in south Florida in fiscal year (FY) 2012 and may surpass the totals for each of the past 2 years, the Associated Press reported April 25. The FBI's Miami Field Office said there were 49 bank heists between October 1, 2011 and the end of March in Florida counties stretching from Martin to Monroe. Those numbers are up 25 percent compared with the same time frame in FY 2011. If the trend holds, south Florida could see 100 bank stickups in FY 2012. That compares with 75 in FY 2011 and 87 in FY 2010. FBI agents said most robberies are non-violent and do not involve the display of a weapon. About half of the FY 2012 bank robberies in south Florida have been solved. Source: http://www.businessweek.com/ap/2012-04/D9UC1ENG0.htm

15. April 25, Reuters – (National; International) Former Morgan Stanley star in China pleads guilty. A former Morgan Stanley executive has pleaded guilty to conspiring to evade internal controls required by a U.S. anti-bribery law, in a case that underlines the fall of a once high-flying dealmaker for the firm in China. The executive, who was a managing director in Morgan Stanley's real estate investment and fund advisory business, also settled related charges with securities regulators April 25, and agreed to roughly $3.7 million in sanctions and a permanent bar from the industry. The defendant secretly arranged to have millions paid to himself and a Chinese official and disguised the payments as finder's fees charged to Morgan Stanley, regulators said. Such payments violated the Foreign Corrupt Practices Act, which bars bribes to officials of foreign governments, the U.S. Securities and Exchange Commission (SEC) said. Morgan Stanley, which cooperated in the government's investigation, was not charged. The former executive had a personal friendship with the former chairman of a Chinese state-owned entity, Yongye Enterprise (Group) Co., which had influence over the success of Morgan Stanley's real estate business in Shanghai, the SEC said. He secretly arranged for both of them to acquire a valuable Shanghai real estate interest from a Morgan Stanley fund, it said. Source: http://www.reuters.com/article/2012/04/25/us-sec-morgan-stanley-idUSBRE83O1DY20120425

16. April 24, Associated Press – (California) 2 dozen arrested at Wells Fargo meeting, protest. Authorities have arrested about two dozen people who demonstrated inside and outside Wells Fargo's annual shareholders meeting April 24 in San Francisco. A San Francisco police sergeant said police arrested 20 protesters. At least 14 of them were inside the meeting in the city's financial district. Six others were arrested for trespassing. He said the San Francisco Sheriff's Department arrested another four people. The bank protest drew several hundred protesters criticizing the San Francisco-based company for pursuing home foreclosures, predatory lending, not paying enough taxes, and investing in private prison companies. Dozens of officers were stationed around the Merchant's Exchange Building in the city's financial district ahead of the 1 p.m. meeting. Bank stockholders were asked to show certificates or other proof of ownership before being corralled past gates erected in front of the doors. Source: http://www.businessweek.com/ap/2012-04/D9UBIU9O0.htm

For more stories, see item 39 above in Top Stories

Information Technology

44. April 26, H Security – (International) Security improvements in Opera 12 beta. A beta of version 12 of the Opera Web browser was released with privacy and security-focused improvements. The browser now runs plug-ins out-of-process and includes optimizations for better SSL handling. Running plug-ins in their own process not only improves the smoothness and stability of the browser but also can limit the damage from some plug-in exploits, since a compromised plug-in no longer runs inside the browser's main process. Privacy is enhanced with support for the "Do Not Track" (DNT) header, which is used to tell Web sites the browser user wishes to opt out of online behavioral tracking. The DNT header is designed to help users retain their privacy when faced with online advertising networks that use cookies and other Web technologies to recognize them and serve them tailored advertising. Source: http://www.h-online.com/security/news/item/Security-improvements-in-Opera-12-beta-1559714.html

45. April 26, Help Net Security – (International) Hotmail remote password reset 0-day bug found, patched. A critical security flaw affecting Microsoft's Hotmail was detected almost simultaneously by Vulnerability Lab researchers and a Saudi Arabian hacker and, until a temporary fix was made by Microsoft April 20, it was used by hackers to hijack users' Hotmail/Live accounts. "The vulnerability allows an attacker to reset the Hotmail/MSN password with attacker chosen values. Remote attackers can bypass the password recovery service to setup a new password and bypass in place protections (token based)," explained Vulnerability Lab's researchers. Source: http://www.net-security.org/secworld.php?id=12818&utm
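The quoted description of the Hotmail flaw, a reset path whose token check could be bypassed so the attacker chose the new password, is the generic failure that a password-reset flow has to be designed against. The example below is added here and is not Hotmail's code or Vulnerability Lab's proof of concept; it contrasts a hypothetical weak check (the token is tested for presence only) with a reset service that binds each token to one account, one use and a deadline. The account store, names, TTL and hashing parameters are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60

# Constructed stand-in for the service's account database (names are this example's own).
ACCOUNTS = {"alice@example.invalid": {"salt": None, "password_hash": None}}


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000).hex()


def weak_reset_password(account, token, new_password):
    """Hypothetical weak check, not Hotmail's code: it only tests that some token was
    supplied, never that the token was issued for this account, so any non-empty
    value lets the caller choose a new password for any account."""
    if not token:
        return False
    salt = secrets.token_bytes(16)
    ACCOUNTS.setdefault(account, {})
    ACCOUNTS[account].update(salt=salt, password_hash=_hash_password(new_password, salt))
    return True


class ResetService:
    """Reset tokens bound to one account, one use and a deadline, verified server-side."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (account, expiry); only a digest is stored

    def issue_token(self, account):
        if account not in ACCOUNTS:
            return None  # the HTTP response should look identical either way (no enumeration)
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (account, self._now() + TOKEN_TTL_SECONDS)
        return token  # delivered out of band to the account owner, never echoed to the requester

    def reset_password(self, account, token, new_password):
        """True only when the token was minted for this account, is unexpired and unused."""
        if not token:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None:
            return False
        bound_account, expiry = entry
        # A token valid for one account must not reset another; compare in constant time.
        if not hmac.compare_digest(bound_account.encode(), account.encode()):
            return False
        if self._now() > expiry:
            del self._pending[digest]
            return False
        del self._pending[digest]  # single use
        salt = secrets.token_bytes(16)
        ACCOUNTS[account].update(salt=salt, password_hash=_hash_password(new_password, salt))
        return True


def demo():
    """Exercise both paths with a controllable clock; returns the outcome of each attempt."""
    clock = [1_000.0]
    svc = ResetService(now=lambda: clock[0])
    token = svc.issue_token("alice@example.invalid")
    outcomes = {
        "weak_accepts_any_token": weak_reset_password("alice@example.invalid", "anything", "pwned"),
        "rejects_unknown_token": svc.reset_password("alice@example.invalid", "anything", "x"),
        "rejects_wrong_account": svc.reset_password("mallory@example.invalid", token, "x"),
        "accepts_once": svc.reset_password("alice@example.invalid", token, "correct horse"),
        "rejects_replay": svc.reset_password("alice@example.invalid", token, "again"),
    }
    token2 = svc.issue_token("alice@example.invalid")
    clock[0] += TOKEN_TTL_SECONDS + 1
    outcomes["rejects_expired"] = svc.reset_password("alice@example.invalid", token2, "late")
    return outcomes


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The points that matter are in `reset_password`: the token is looked up by digest, so the identifier the client supplies is never trusted on its own; the account in the request must equal the account the token was minted for; and the token is deleted on first use and on expiry, so a captured or guessed value cannot be replayed.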

46. April 26, Softpedia – (International) Expert accidentally finds how DoS attacks can be launched via Google. A computer scientist working at New York University learned Google can be used to launch successful denial-of-service (DoS) attacks against sites with minimal effort. The researcher explained it started when he saw Amazon Web Services was charging him 10 times the usual amount because of large amounts of outgoing traffic. After analyzing traffic logs, he determined that 250 gigabytes of traffic was being sent out every hour because of Google's Feedfetcher, the mechanism the search engine uses to grab RSS or Atom feeds when users add them to Reader or the main page. It appears Google does not store the fetched content on its own servers, so it uses Feedfetcher to retrieve it every time, generating large amounts of traffic. This enabled the researcher to discover how the feature can be used to launch an attack against a site simply by gathering several URLs of large files from the target and putting them in a spreadsheet or a feed. If the feed is placed into a Google service, or the URLs are put in a spreadsheet and the image(url) function is used, Google's servers fetch the files repeatedly and a DoS attack is initiated. Source: http://news.softpedia.com/news/Expert-Accidentally-Finds-How-DOS-Attacks-Can-Be-Launched-Via-Google-266613.shtml
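The traffic pattern described above is visible in an ordinary web server access log: repeated full-size downloads of a few large files by a single crawler user agent. The example below is added here and is not the researcher's analysis code; it parses Apache/nginx "combined" format lines, totals the bytes served to Feedfetcher per hour and per path, and flags hours over a threshold. The log lines are constructed for the example (documentation IP ranges), and the Feedfetcher user-agent marker is assumed to match the string the crawler sends.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: three Feedfetcher hits on one 10 MiB file within the same hour,
# each with a different query string, plus ordinary traffic.
FETCHER_UA = "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
SAMPLE_LOG = [
    f'203.0.113.10 - - [26/Apr/2012:10:15:32 +0000] "GET /reports/q1.pdf?r=1 HTTP/1.1" 200 10485760 "-" "{FETCHER_UA}"',
    f'203.0.113.10 - - [26/Apr/2012:10:15:33 +0000] "GET /reports/q1.pdf?r=2 HTTP/1.1" 200 10485760 "-" "{FETCHER_UA}"',
    f'203.0.113.11 - - [26/Apr/2012:10:15:34 +0000] "GET /reports/q1.pdf?r=3 HTTP/1.1" 200 10485760 "-" "{FETCHER_UA}"',
    '198.51.100.7 - - [26/Apr/2012:10:20:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    f'203.0.113.10 - - [26/Apr/2012:11:02:10 +0000] "GET /feed.xml HTTP/1.1" 200 1048576 "-" "{FETCHER_UA}"',
]


def parse_line(line):
    """One combined-format line -> dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    rec["hour"] = rec["ts"][:14]  # e.g. "26/Apr/2012:10"
    return rec


def fetcher_traffic(lines, ua_marker="Feedfetcher-Google"):
    """Bytes served to the fetcher per hour, and per path with the query string stripped
    (varying query strings turn one file into many distinct, uncached fetches)."""
    per_hour = defaultdict(int)
    per_path = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or ua_marker not in rec["ua"]:
            continue
        per_hour[rec["hour"]] += rec["bytes"]
        per_path[urlsplit(rec["path"]).path] += rec["bytes"]
    return dict(per_hour), dict(per_path)


def flag_amplification(lines, threshold_bytes_per_hour):
    """Hours in which the fetcher pulled more than the threshold, plus paths ranked by bytes."""
    per_hour, per_path = fetcher_traffic(lines)
    hot_hours = {h: b for h, b in per_hour.items() if b > threshold_bytes_per_hour}
    top_paths = sorted(per_path.items(), key=lambda kv: kv[1], reverse=True)
    return hot_hours, top_paths


if __name__ == "__main__":
    hot, top = flag_amplification(SAMPLE_LOG, threshold_bytes_per_hour=20 * 1024 * 1024)
    for hour, total in sorted(hot.items()):
        print(f"{hour}: {total / 2**20:.0f} MiB served to Feedfetcher")
    print("hardest-hit paths:", top[:3])
```

Once the hot hours and paths are known, the practical response is at the edge rather than in the application: rate-limit or deny requests for large static objects whose user agent matches the fetcher, and serve those objects with a CDN or cache that does not treat a changed query string as a new object. Note that because Feedfetcher fetches on behalf of a user who added the feed, it has historically not consulted robots.txt, so a robots rule alone is not a fix.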

47. April 26, Computerworld – (International) 'Obstinate' Conficker worm infests millions of PCs years later. April 25, Microsoft said the long-suppressed Conficker botnet is still actively infecting millions of new machines, giving Windows enterprise users a 2.5-year problem. Conficker infected or tried to infect 1.7 million Windows PCs in the fourth quarter of 2011, 3 years after it first appeared. The 1.7 million was an uptick of 100,000 from the previous quarter, said Microsoft. The worm first appeared in the fall of 2008, exploiting a just-patched Windows vulnerability. It soon morphed into a more effective threat, adding new attack techniques, including one that relied on weaknesses in Windows XP's and Vista's AutoRun feature. By January 2009, some security firms estimated Conficker had compromised millions of PCs. Concern about Conficker reached a crescendo when the media reported it would update itself April 1, 2009. Because of the size of the Conficker botnet — estimates ran as high as 12 million — and other mysteries, hype ran at fever pitch. In the end, Conficker's April 1 update passed quietly. However, the worm, although prevented from communicating with its makers, has not completely disappeared. According to Microsoft, detections of Conficker have jumped 225 percent since 2009. The current size of the Conficker botnet — those PCs now infected — is approximately 7 million, Microsoft claimed. Source: http://www.computerworld.com/s/article/9226619/_Obstinate_Conficker_worm_infests_millions_of_PCs_years_later

48. April 26, IDG News Service – (International) Most of the Internet's top 200,000 HTTPS websites are insecure, group says. Ninety percent of the Internet's top 200,000 HTTPS-enabled Web sites are vulnerable to known types of secure sockets layer (SSL) attack, according to a report released April 26 by the Trustworthy Internet Movement (TIM), a nonprofit organization dedicated to solving Internet security, privacy, and reliability problems. It is based on data from a new TIM project called SSL Pulse, which uses automated scanning technology developed by security vendor Qualys to analyze the strength of HTTPS implementations on Web sites in the top 1 million published by Web analytics firm Alexa. SSL Pulse checks what protocols are supported by HTTPS-enabled Web sites, the key length used for securing communications, and the strength of the supported ciphers. An algorithm is used to interpret scan results and assign a score between 0 and 100 to each HTTPS configuration. The score is then translated into a grade, with A being the highest (over 80 points). Half of the almost 200,000 Web sites in Alexa's top 1 million that support HTTPS received an A for configuration quality. The sites use a combination of modern protocols, strong ciphers, and long keys. Despite this, only 10 percent of the scanned Web sites were deemed truly secure. Seventy-five percent — around 148,000 — were found to be vulnerable to an attack known as BEAST, which can be used to decrypt authentication tokens and cookies from HTTPS requests. Source: http://www.computerworld.com/s/article/9226623/Most_of_the_Internet_39_s_top_200_000_HTTPS_websites_are_insecure_group_says
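The SSL Pulse checks described above (supported protocol versions, key length, cipher strength, and whether a CBC suite can be negotiated under TLS 1.0 or SSL 3.0 for BEAST) can be expressed as a small assessment of a server's configuration. The example below is added here and is not SSL Pulse or Qualys code; it evaluates constructed configurations rather than live scan data, names cipher suites in OpenSSL style, and models the BEAST criterion as it was applied in 2012: a server is counted as mitigated if it enforces its own cipher order and puts a non-CBC suite first on the legacy protocol versions. Treating that as the precise SSL Pulse rule is an assumption of this example.

```python
# Cipher suites in OpenSSL naming. A block cipher without an AEAD or stream-cipher
# marker runs in CBC mode under TLS 1.0 / SSL 3.0, which is what BEAST needs.
NON_CBC_MARKERS = ("RC4", "GCM", "CCM", "CHACHA20")
BLOCK_CIPHERS = ("AES", "3DES", "DES", "CAMELLIA", "SEED")
WEAK_MARKERS = ("NULL", "EXP", "RC2", "RC4", "MD5", "DES-CBC-SHA")  # "DES-CBC-SHA" is single DES, not 3DES


def is_cbc(suite):
    return any(b in suite for b in BLOCK_CIPHERS) and not any(m in suite for m in NON_CBC_MARKERS)


def is_weak_cipher(suite):
    return any(w in suite for w in WEAK_MARKERS)


def beast_exposed(config):
    """BEAST (2011) needs a CBC suite negotiated under TLS 1.0 or SSL 3.0.
    The server-side workaround of the time was to prefer a stream cipher (RC4) on
    those versions; RC4 itself was later prohibited (RFC 7465), so the current fix
    is to stop offering both protocol versions rather than to prefer RC4."""
    legacy = {"SSLv3", "TLSv1.0"} & set(config["protocols"])
    if not legacy:
        return False
    ciphers = config["ciphers"]
    if not any(is_cbc(s) for s in ciphers):
        return False
    # Server-enforced order with a non-CBC suite first: the 2012-era mitigation.
    if config.get("server_preference") and not is_cbc(ciphers[0]):
        return False
    return True


def assess(config):
    """Findings in the spirit of the SSL Pulse checks: protocols, key length, ciphers, BEAST."""
    findings = []
    protocols = set(config["protocols"])
    for old in ("SSLv2", "SSLv3"):
        if old in protocols:
            findings.append(f"{old} enabled")
    if not protocols & {"TLSv1.1", "TLSv1.2"}:
        findings.append("no TLS 1.1 or later offered")
    if config["key_bits"] < 2048:
        findings.append(f"RSA key of {config['key_bits']} bits (minimum 2048)")
    for suite in config["ciphers"]:
        if is_weak_cipher(suite):
            findings.append(f"weak cipher suite {suite}")
    beast = beast_exposed(config)
    if beast:
        findings.append("BEAST: CBC suites reachable over TLS 1.0/SSL 3.0 with no non-CBC preference")
    return {"findings": findings, "beast_exposed": beast}


# Constructed configurations, not scan results from any real site.
WEAK_2012 = {
    "protocols": ["SSLv3", "TLSv1.0"],
    "ciphers": ["AES128-SHA", "DES-CBC3-SHA", "RC4-SHA"],
    "server_preference": False,
    "key_bits": 1024,
}
MITIGATED_2012 = {  # what the 2012 criterion counted as not BEAST-vulnerable; RC4 is a finding today
    "protocols": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
    "ciphers": ["RC4-SHA", "AES128-SHA", "DES-CBC3-SHA"],
    "server_preference": True,
    "key_bits": 2048,
}
HARDENED = {
    "protocols": ["TLSv1.2"],
    "ciphers": ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384"],
    "server_preference": True,
    "key_bits": 2048,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_2012), ("mitigated-2012", MITIGATED_2012), ("hardened", HARDENED)):
        result = assess(cfg)
        print(f"{name}: BEAST exposed={result['beast_exposed']}; findings={result['findings']}")
```

The MITIGATED_2012 case is the one to notice: by the 2012 criterion it escapes the BEAST flag, yet the assessment still reports RC4 as weak, which is exactly the conflict that made the RC4 workaround a stopgap. The HARDENED configuration clears both because it offers no legacy protocol version and only AEAD suites.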

49. April 25, Ars Technica – (International) Backdoor in mission-critical hardware threatens power, traffic-control systems. Networking gear running RuggedCom's Rugged Operating System has an undocumented account that cannot be modified and a password that is trivial to derive. According to researchers, for years the company did not warn the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear that the account can give attackers the means to sabotage operations that affect the safety of many people. The backdoor uses the login ID "factory" and a password recovered by plugging the media access control (MAC) address of the targeted device into a simple Perl script, according to a post published April 23 to the Full Disclosure security list. Unauthorized access is made easier because paying customers of the Shodan computer search engine can find the IP addresses of more than 60 networks that use the vulnerable equipment, and the first thing a user who telnets into one of the devices sees is its MAC address. Equipment running the Rugged Operating System acts as the switches and hubs that connect programmable logic controllers to the computer networks used to send them commands. It may lie between the computer of an electric utility employee and the compact-disc-sized controller that breaks a circuit when the employee clicks a button on their screen. The Rugged Operating System also speaks the Modbus and DNP3 communications protocols used to natively administer industrial control and supervisory control and data acquisition (SCADA) systems. The U.S. Navy, the Wisconsin Department of Transportation, and Chevron are just three of the customers who rely on the gear, according to RuggedCom's Web site. Source: http://arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars?utm
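Until the vendor ships a fix, the controls an operator of this equipment actually has are network placement and monitoring: a login with the "factory" account, a management session arriving from outside the management network, and any telnet session at all (the banner that reveals the MAC address is only visible because telnet is reachable) are each worth an alert. The example below is added here and is not RuggedCom's or the researchers' code; the syslog line shape and the management subnet are assumptions for the example, since the real Rugged Operating System log format must be checked against the device, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumed management subnet and an assumed syslog line shape for device logins; the real
# Rugged Operating System log format may differ and must be confirmed against a device.
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) login: user (?P<user>\S+) "
    r"logged in from (?P<src>\S+) via (?P<svc>\w+)$"
)
UNDOCUMENTED_ACCOUNTS = {"factory"}  # the account named in the Full Disclosure post

# Constructed sample lines (documentation address ranges).
SAMPLE_SYSLOG = [
    "Apr 25 03:12:44 ros-sw-07 login: user admin logged in from 10.20.0.15 via ssh",
    "Apr 25 03:13:02 ros-sw-07 login: user factory logged in from 198.51.100.23 via telnet",
    "Apr 25 03:14:10 ros-sw-12 login: user operator logged in from 10.20.0.40 via telnet",
    "Apr 25 03:15:55 ros-sw-12 kernel: link up on port 3",
]


def analyze(lines, mgmt_net=MGMT_NET):
    """Return (host, alert_kind, detail) tuples for every login line that violates a rule."""
    alerts = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if not m:
            continue  # not a login record
        host, user, src, svc = m["host"], m["user"], m["src"], m["svc"]
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            alerts.append((host, "unparseable-source", line))
            continue
        detail = f"{user} from {src} via {svc}"
        if user in UNDOCUMENTED_ACCOUNTS:
            alerts.append((host, "undocumented-account", detail))
        if src_ip not in mgmt_net:
            alerts.append((host, "outside-management-net", detail))
        if svc == "telnet":
            alerts.append((host, "cleartext-telnet", detail))
    return alerts


def summarize(alerts):
    """Count alerts by kind, e.g. for a daily report."""
    return Counter(kind for _, kind, _ in alerts)


if __name__ == "__main__":
    found = analyze(SAMPLE_SYSLOG)
    for host, kind, detail in found:
        print(f"{host}: {kind}: {detail}")
    print(dict(summarize(found)))
```

The second sample line trips all three rules at once, which is the shape of the scenario in the article: an Internet-reachable device, a telnet session, and the undocumented account. The "outside-management-net" rule is the one that would also have caught the Shodan exposure before anyone used the account, since a correctly segmented device should never see a management login from a public address.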

For more stories, see items 13 above in the Banking and Finance Sector, 39 above in Top Stories and 50 and 51 below in the Communications Sector

Communications Sector

50. April 25, Norfolk Virginian-Pilot – (Virginia) Verizon working to fix outage in Norfolk. Several hundred Verizon Communications Inc. customers in Norfolk, Virginia, lost telephone and Internet service after April 20, when a contractor for another company damaged underground cables. The contractor cut into two Verizon underground cables serving about 700 lines, a Verizon spokesman wrote in an e-mail. Verizon learned of the extent of the outage over the April 21 weekend, he wrote. Because some customers have more than one line into their homes or businesses, the number who lost service is likely less than 700, he wrote. The company hoped to replace the cable and restore service for all customers by April 26. The process is complicated because the conduit carrying the damaged cables had no room for additional lines, requiring repair workers to find an alternate path for the replacement cable, the spokesman wrote. Source: http://hamptonroads.com/2012/04/verizon-working-fix-outage-norfolk

51. April 25, Whidbey Examiner – (Washington) Outage angers Whidbey Telecom customers. Residents on Whidbey Island, Washington endured 5 days of electronic frustration the week of April 23 as Whidbey Telecom suffered a complete breakdown of its e-mail service during an equipment upgrade. The problems began April 20 as technicians worked on making changes to the equipment that handles e-mail. Customers had been warned in advance that a temporary outage was possible. But throughout the weekend of April 21, customers reported not being able to send or receive e-mail. For residential customers, it was mostly an inconvenience. But for small businesses that rely on the locally owned telecommunications firm for e-mail service, the outage that dragged on into the beginning of the week of April 23 had begun to threaten their bottom line. By about 8:30 a.m. April 25, some customers confirmed that their e-mail service was up and running again. Source: http://www.whidbeyexaminer.com/main.asp?SectionID=1&SubSectionID=1&ArticleID=7622

For another story, see item 45 above in the Information Technology Sector