Wednesday, October 10, 2012 


Daily Report

Top Stories

 • Gasoline prices continued to hit record highs across California, as the governor ordered emergency steps October 7 to increase the State’s supply. – KNSD 7 San Diego

4. October 7, KNSD 7 San Diego – (California) Gas prices hit new record Sunday. Gasoline prices continued to hit record highs across California, as the governor ordered emergency steps October 7 to increase the State’s supply. A run on supplies at the wholesale level prompted a massive spike in prices at the pump that has plagued consumers for the past week. Under pressure to help alleviate the tight market, the governor asked State regulators to allow refineries to start mixing and selling a particular type of gasoline that is usually only available in the State during the winter. The move was aimed at increasing the supply of gasoline available to small gas stations, and ultimately to consumers. A power outage at a major southern California Exxon refinery and fears of contamination in a Kern County pipeline drove supplies down further. To make matters worse, a northern California refinery struck by fire earlier in 2012 is still not back up to capacity. Source: http://www.nbcsandiego.com/news/national-international/Gas-Prices-Hit-New-Record-Sunday-los-angeles-auto-club-california-173031861.html

 • The United States brought charges against 530 people October 9, over mortgage schemes that cost homeowners more than $1 billion. More than 73,000 homeowners were victims of various frauds for which charges were filed during a year-long crackdown. – Bloomberg News See item 15 below in the Banking and Finance Sector

 • Hundreds of thousands of users who signed up for an inexpensive proxy service called Proxybox.name ended up installing a trojan linked to a botnet first detected during the summer. Researchers at Symantec reverse engineered the Backdoor.Proxybox malware and unearthed a major black hat operation and perhaps the actual malware developer. – Threatpost See item 60 below in the Information Technology Sector

Details

Banking and Finance Sector

15. October 9, Bloomberg News – (National) U.S. charges 530 in mortgage probe with $1 billion in losses. The United States brought charges against 530 people over mortgage schemes that cost homeowners more than $1 billion, the Attorney General said October 9. More than 73,000 homeowners were victims of various frauds for which charges were filed during a year-long crackdown, including “foreclosure rescue schemes” that take advantage of those who have fallen behind on payments, the Justice Department said in a statement. Typical schemes involved promises to homeowners that foreclosures could be prevented by payment of a fee, according to the statement. As part of the schemes, “investors” purchase the mortgage or the titles of homes are transferred to those taking part in the fraud, resulting in homeowners losing their property, the department said. Source: http://www.bloomberg.com/news/2012-10-09/u-s-charges-530-in-mortgage-fraud-probe-with-1-billion-losses.html

16. October 8, Lewiston-Auburn Sun Journal – (National) TD Bank notifies customers of March security breach. TD Bank is notifying an unknown number of customers that backup computer tapes containing their confidential personal information, including bank account and Social Security numbers, were “misplaced,” putting them at risk for identity theft, Lewiston-Auburn Sun Journal reported October 8. Although the security breach occurred in March, the bank only recently began sending letters to customers. A TD Bank spokeswoman said the delay was necessary as the bank conducted an internal investigation. The security breach occurred when two backup tapes from a computer server were shipped from one TD Bank location to another. The tapes were misplaced in Massachusetts. That investigation is ongoing and the bank contacted Massachusetts law enforcement, as well. TD Bank began telling customers about the security breach several weeks ago. A spokeswoman declined to say how many customers were affected, though she said they live throughout the bank’s East Coast coverage area, from Florida to Maine. Notification letters are being sent and will continue until late October. Only affected customers will receive a letter. Source: http://www.sunjournal.com/news/lewiston-auburn/2012/10/08/td-bank-notifies-customers-march-security-breach/1262474

17. October 8, Sarasota Herald-Tribune – (Florida) Sarasota mortgage broker indicted on fraud charges. A mortgage broker in Sarasota, Florida, who recruited investors to join him in a series of boomtime real estate deals, was indicted on 11 counts of bank fraud, the Sarasota Herald-Tribune reported October 8. From March 2003 through July 2008, the suspect bought and resold houses at higher prices to investors and filled out mortgage applications with false information so that investors could get loans, an indictment filed in Tampa’s U.S. District Court says. His management company later rented out the houses; however, the indictment said he failed to use the proceeds “to pay all the expenses associated with the residential properties” as promised. He pleaded “not guilty” to the charges. A trial date was tentatively scheduled for December. He bought and sold more than 41 new homes worth $11.6 million in Sarasota and Manatee counties from 2006 to 2007, and made more than $1 million in profits along the way. He recruited more than 30 investors into the property-sharing venture. Source: http://www.heraldtribune.com/article/20121008/ARTICLE/121009652/-1/news?p=1&tc=pg

18. October 7, Tampa Bay Times – (Florida) Police blame serial bandit for several Pinellas bank robberies. The suspect arrested in connection with a bank robbery in St. Petersburg, Florida, October 5 was accused of being a serial robber responsible for at least three similar heists since May. He remained jailed October 6 as authorities stacked a litany of robbery and kidnapping charges against him. In each of the robberies, which began May 26 at a PNC Bank in Clearwater, a man pointed a small silver handgun at tellers and demanded cash. The man wore a hat and sunglasses while concealing the lower half of his face with a scarf or shirt. He was arrested after a group of undercover St. Petersburg police detectives spotted him in front of a PNC Bank. He pulled a shirt over his face while donning a ball cap and sunglasses and walked inside, police said. He emerged moments later and ran to a car in a nearby lot where officers stopped him. He had a chrome Davis Industries P-380 handgun and a large sum of cash on him, authorities said. Bank tellers confirmed he robbed them. Authorities later added charges that accused the suspect of the May 26 robbery, in which, police said, he ordered several tellers to the ground at gunpoint before fleeing with more than $3,000. He also was charged in two robberies at banks in Clearwater and Largo, June 8 and 19, respectively. Source: http://www.tampabay.com/news/publicsafety/crime/police-blame-serial-bandit-for-several-pinellas-bank-robberies/1255246

19. October 5, U.S. Securities and Exchange Commission – (National) SEC charges four brokers with defrauding customers in $18.7 million scheme. October 5, the Securities and Exchange Commission (SEC) charged four brokers who formerly worked on the cash desk at a New York-based broker-dealer with illegally overcharging customers $18.7 million by using hidden markups and markdowns and secretly keeping portions of profitable customer trades. The SEC alleges that the brokers purported to charge customers very low commission fees that were typically pennies or fractions of pennies per transaction, but in reality they reported false prices when executing the orders to purchase and sell securities on behalf of their customers. The brokers made their scheme especially difficult to detect because they deceptively charged the markups and markdowns during times of market volatility in order to conceal the fraudulent nature of the prices they were reporting to their customers. The surreptitiously embedded markups and markdowns ranged from a few dollars to $228,000 and involved more than 36,000 transactions during a 4-year period. Some fees were altered by more than 1,000 percent of what was being told to customers. Source: http://www.sec.gov/news/press/2012/2012-207.htm

20. October 5, WLEX 18 Lexington – (Kentucky) Georgetown home builder indicted for bank fraud. A home builder from Georgetown, Kentucky, was accused of fraudulently obtaining more than a million dollars in loans from a Frankfort bank, WLEX 18 Lexington reported October 5. A federal grand jury in Lexington indicted the suspect for bank fraud, conspiracy, making false statements in a loan application, aiding and abetting bank embezzlement, and aggravated identity theft. The indictment alleges that starting in 2006, he began construction on a house and fraudulently obtained more loans from American Founders Bank (AFB) than he was entitled to receive. He obtained the loans by setting up shell corporations in the names of other people to bypass AFB’s loan limits. He allegedly used some of the money from loans obtained to construct a house in Frankfort to pay off debt on other construction projects. He fraudulently received approximately $1.4 million in loans from the bank, according to the indictment. The bank eventually foreclosed on the home, but allegedly suffered a significant financial loss. Source: http://www.lex18.com/news/georgetown-home-builder-indicted-for-bank-fraud

21. October 5, Orange County Register – (California) FBI: ‘Desperate Bandit’ robs bank in La Habra. A man police describe as the “Desperate Bandit” is believed to have struck October 5 at a Bank of the West in La Habra, California, marking the robber’s seventh hold-up. A man wearing a wig and a baseball cap entered the bank branch, handed a teller a typed note asking for money, and left with an undisclosed amount of cash, an FBI special agent said. Authorities previously described him as a white male, 35-40 years old, about 5-foot-10-inches to 6-feet tall with a light complexion and short, dark hair, although he reportedly wore a blond wig in the latest hold-up. While the man claimed to be armed, no weapon was seen and no injuries were reported. Authorities believe the robber is the “Desperate Bandit,” who has carried out previous hold-ups at banks in Placentia, Anaheim Hills, Tustin, Fullerton, Chino, and Corona. Source: http://www.ocregister.com/news/desperate-373778-bandit-bank.html

Information Technology Sector

53. October 9, Help Net Security – (International) New TDL4 rootkit successfully hiding from AV. A new variant of TDL4 was identified, and it is now ranked as the second most prevalent malware strain within 2 months of its detection. The characteristics are similar to the iteration of the TDL4 rootkit detected by Damballa in September. Damballa detected the malware through its network behavioral analysis software, which detected the generated domain names the new variant apparently uses for command-and-control communication. Since Damballa could only determine the existence of the new malware by looking for domain fluxing, it was concluded that no binary samples of the new malware were identified and categorized by commercial antivirus products operating at the host or network levels. HitmanPro, however, detected Sst.c — also known as Maxss — a modification of the TDL4 strain, and it is spreading fast. This new variant is capable of infecting the Volume Boot Record (VBR) (also known as Partition Table), and commercial antivirus products are unable to detect it, let alone remove the malware. The vice president and GM of Wave Systems EMEA provided the following commentary: “Following the success of TDL4, hackers have been able to use the rootkit to develop new variants that continue to go undetected by antivirus. The latest iteration, dubbed Sst.c, infects the Volume Boot Record.” Without embedded hardware security to detect anomalies of behavior in the boot process, it starts to cause havoc damaging the network. It also reduces the window of detection for the enterprise to contain the threat. Source: http://www.net-security.org/malware_news.php?id=2288

54. October 9, The Register – (International) Surprise! Microsoft patches latest IE10 Flash vulns on time. Microsoft surprised Windows 8 and Windows Server 2012 users October 8 by issuing a patch that fixes 25 security vulnerabilities found in the Adobe Flash Player component of Internet Explorer (IE) 10, mere hours after Adobe issued its own patch for the Flash Player plug-in used by other browsers. Unlike earlier versions of Internet Explorer, IE10 bundles Flash Player as an integral part of the browser, much like how Google bundles Flash with Chrome. That means Adobe’s patches, which are designed for the plug-in version of Flash, will not work on IE10. As with other IE10 security flaws, security fixes for IE10’s Flash component can only come from Microsoft. Source: http://www.theregister.co.uk/2012/10/09/ms_ontime_ie10_flash_fix/

55. October 9, The H – (International) CloudStack alert users to critical vulnerability. Citrix and the Apache Software Foundation alerted users to a critical vulnerability in the CloudStack open source cloud infrastructure management software. All versions downloaded from the cloudstack.org site will be vulnerable. CloudStack is also an incubating Apache project but there have been no official releases from Apache of that project. If users took the source from the Apache project, that software will be vulnerable. Details of the issue were disclosed October 7; it appears the system had a configuration issue which meant any user could execute arbitrary CloudStack API calls such as deleting all the VMs in the system. A workaround, detailed in the various announcements, involves logging into the MySQL database that backs the system and setting a random password on the cloud.user account. The Apache CloudStack code was updated with a fix for the issue and it is believed the issue should not affect any upcoming releases of the incubating Apache CloudStack project; version 4.0 has currently been frozen and a release candidate is expected soon. Source: http://www.h-online.com/security/news/item/CloudStack-alert-users-to-critical-vulnerability-1726599.html

56. October 9, The H – (International) Adobe releases 25 critical Flash patches. Adobe, Microsoft, and Google issued updates to their products to patch vulnerabilities in their various distributions of Adobe’s Flash Player. Nearly all of the 25 critical vulnerabilities fixed by the updates were discovered by the Google Security Team. Adobe said the Windows version of Flash Player is a “Priority 1” update which normally indicates that there is an exploit in the wild for one or more of the holes, but Adobe did not indicate this was the case. Adobe recommended that Windows users install the updates as soon as possible. The vulnerabilities are either characterized as buffer overflow or memory corruption vulnerabilities but no other details are currently available. As Microsoft and Google now embed Flash Player in their browsers, both had to issue updates through their normal update channels. Microsoft updated its Internet Explorer 10 Web browser for Windows 8 and Windows Server 2012 to close these Flash holes through Windows Update. The embedded version of Flash in Google’s Chrome was also updated with version 22.0.1229.92 of Chrome for Windows, Mac OS X, and Linux in the browser’s stable release channel. This release of Chrome also closes five other holes, one of which is rated critical and is due to a race condition in Chrome’s audio device handling. Source: http://www.h-online.com/security/news/item/Adobe-releases-25-critical-Flash-patches-1726163.html

57. October 9, Computerworld – (International) Windows 7 malware infection rate soars in 2012. Windows 7’s malware infection rate climbed by as much as 182 percent in 2012, Microsoft said October 9. However, even with that dramatic increase, Windows 7 remained two to three times less likely to fall to hacker attack than the aged Windows XP. Data from Microsoft’s newest twice-yearly security report showed that in the second quarter of 2012, Windows 7 was between 33 percent and 182 percent more likely to be infected by malware than in the second quarter of 2011. The infection rate for Windows RTM, or “release to manufacturing,” the original version launched in October 2009, was 33 percent higher in 2012 for the 32-bit edition (x86), and 59 percent higher for the 64-bit (x64) OS. Windows 7 Service Pack 1 (SP1) — the upgrade that shipped in February 2011 — saw even larger infection increases: 172 percent for x86, and 182 percent for x64. Microsoft blamed several factors for the boost in successful malware attacks, including less savvy users. Source: http://www.computerworld.com/s/article/9232188/Windows_7_malware_infection_rate_soars_in_2012

58. October 9, Softpedia – (International) Sality botnet scans entire Internet in search for vulnerable VoIP servers. Experts discovered the Sality botnet may have mapped all the IPv4 addresses in search for vulnerable voice-over-IP (VoIP) servers. In a paper called “Analysis of a “/0” Stealth Scan from a Botnet,” researchers from the University of California and the University of Napoli in Italy presented the results of a study performed with the aid of the UCSD darknet, designed to study malicious Internet activity. Sality is a piece of malware whose main goal has been to infect Web servers, spread spam, and steal data. However, the new research unveiled another purpose: to identify vulnerable VoIP targets that could be utilized in vishing or toll fraud attacks. By leveraging a technique called “reverse-byte order scanning,” Sality managed to scan possibly the entire IPv4 space without being identified. That is because the technique utilizes a low number of packets that come from different sources, Dark Reading wrote. Source: http://news.softpedia.com/news/Sality-Botnet-Scans-Entire-Internet-in-Search-for-Vulnerable-VoIP-Servers-Video-298049.shtml

59. October 8, The Register – (International) Bing is the most heavily poisoned search engine, study says. Bing search results are more affected by poisoning than those of other search engines, according to a study by SophosLabs. Search engine poisoning attacks are designed to skew results so that dodgy sites — anything from malware infected Web sites to payday loan sites — appear prominently in the index of sites related to popular search terms. In many cases, the tactic is so successful that malware sites appear in the first page of results for popular search terms, sometimes much higher than legitimate Web sites. More recently, miscreants began trying to manipulate image search results. Source: http://www.theregister.co.uk/2012/10/08/bing_worst_search_poisoning/

60. October 8, Threatpost – (International) Proxy service a front for malware distribution. Hundreds of thousands of users who signed up for an inexpensive proxy service called Proxybox.name ended up installing a trojan linked to a botnet first detected during the summer. Researchers at Symantec reverse engineered the Backdoor.Proxybox malware and unearthed a major black hat operation and perhaps the actual malware developer. The investigation started with a legitimate looking Russian Web site advertising access to thousands of proxies for an extremely low monthly fee that could be paid via WebMoney, Liberty Reserve, and RoboKassa. A closer inspection of the command-and-control server showed the botnet maintains some 40,000 users online at any time. Advertisements for Proxybox.name appear on four other Web sites all linked to the same author. They include vpnlab.ru, avcheck.ru, and whoer.net, which provides proxy testing. This led Symantec researchers to believe the same Russian hacker is behind the black hat operation. Source: http://threatpost.com/en_us/blogs/proxy-service-front-malware-distribution-100812

61. October 8, IDG News Service – (International) Facebook’s phone search can be abused to find people’s numbers, researchers say. Attackers can abuse Facebook’s phone search feature to find valid phone numbers and the names of their owners, according to security researchers. The attack is possible because Facebook does not limit the number of phone number searches that can be performed by a user via the mobile version of its Web site, an independent security researcher said October 5. Facebook allows users to associate their phone numbers with their accounts. Since most people do not change the default value of this setting, it is possible for an attacker to generate a list of sequential phone numbers within a chosen range — for example from a specific operator — and use Facebook’s search box to discover who they belong to, the researcher said. Connecting a random phone number to a name is every advertiser’s dream and these types of lists would fetch a large price on the black market, he said. Source: http://www.computerworld.com/s/article/9232178/Facebook_s_phone_search_can_be_abused_to_find_people_s_numbers_researchers_say?taxonomyId=244

Communications Sector

62. October 8, Kansas City Business Journal – (National) Sprint fixes network disruption in Pacific Northwest. Two fiber cuts to Sprint Nextel Corp.’s wireless network affected Pacific Northwesterners trying to make phone calls, use data on their smartphones, and even catch flights October 8. All services were restored by October 8, according to Overland Park-based Sprint. The first cut happened October 7 or October 8, botching service to customers between Chicago and Milwaukee. A Sprint spokeswoman said the incident was tied to work at a railroad involving non-Sprint employees. A second cut happened again October 8, somewhere between Tacoma, Washington, and Portland, Oregon, disrupting voice and data services for customers between northern California, parts of Oregon, and parts of Washington. Sprint has not determined the cause of the second cut, which slowed the terminal check-in process for Sprint customer Alaska Airlines October 8, leading to significant flight delays. Alaska Airlines, which uses Sprint’s data services, had to manually check in passengers until the fiber lines were repaired and services were restored, a spokeswoman for Sprint said. Source: http://www.bizjournals.com/kansascity/news/2012/10/08/sprint-fixes-network-disruption-in.html

63. October 8, El Dorado Hills Telegraph – (California) Phone service cut for 4,000 Folsom residents; repairs expected by Friday evening. October 4, a tractor digging at a construction site along Riley Street in Folsom, California, severed a major AT&T phone line, disrupting service to city facilities as well as nearly 4,000 AT&T residential customers. The disruption was expected to continue through October 5. The Folsom Police and Fire Department’s 9-1-1 emergency communications were forwarded to the Sacramento County Sheriff’s Communications Bureau to ensure public safety was not affected. Source: http://www.fireengineering.com/news/2012/10/08/phone-service-cut-for-4-000-folsom-residents-repairs-expected-by-friday-evening.html

64. October 8, Infosecurity – (International) Telecom vendors Huawei, ZTE, pose cyber-espionage threats, lawmakers conclude. Two top telecom infrastructure vendors from China, Huawei and ZTE, pose potential cyber-espionage threats, according to a panel of U.S. lawmakers on intelligence, Infosecurity reported October 8. After an 11-month investigation, the U.S. House of Representatives’ Permanent Committee on Intelligence suggested that telecom networks built on Huawei and ZTE gear could provide a way for the Chinese government to bake in listening vectors, for instance. There is a “heightened threat of cyber espionage and predatory disruption or destruction of US networks if telecommunications networks are built by companies with known ties to the Chinese state, a country known to aggressively steal valuable trade secrets and other sensitive data from American companies,” the report said. The panel recommended that American telcos, cable MSOs, satellite companies, wireless operators, and broadband providers should consider other vendors going forward when building out or expanding networks. In addition, sensitive government systems should exclude Huawei or ZTE equipment or component parts — Huawei in particular has a large enterprise IT division that could supply federal and State networks. The panel also said that it would seek to block mergers or acquisitions involving Huawei and ZTE due to national security concerns. Source: http://www.infosecurity-magazine.com/view/28672/telecom-vendors-huawei-zte-pose-cyberespionage-threats-lawmakers-conclude/

65. October 7, WFLI 18 Lafayette – (Indiana) Phone lines down in Lafayette. The Frontier Communications general manager said October 5 construction crews working in Lafayette, Indiana, accidentally pulled around 200 feet of fiber out of the ground, cutting the fiber cables in the process. Damage to the fiber cables led to a massive landline and Internet outage posing new problems for emergency personnel. Although people could not contact the non-emergency line, the West Lafayette Police lieutenant said police were still able to respond to emergencies. Source: http://www.wishtv.com/dpp/news/local/north_central/phone-lines-down-in-lafayette


Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.