Friday, October 19, 2012
Daily Report
Top Stories
• A Bangladeshi man snared in an FBI terror sting
considered targeting the U.S. President and the New York City Stock Exchange
before plotting a car bomb attack on the Federal Reserve, an official told the
Associated Press October 18. – Associated Press See item 7 below in the Banking and Finance Sector
• BB&T Corp. acknowledged October 17 that
its Web site was suffering from intermittent outages related to a distributed
denial-of-service (DDoS) attack. The institution is the ninth U.S. bank to be
affected by a DDoS strike in the last 5 weeks. – BankInfoSecurity See item 9 below in the Banking and Finance Sector
• California pharmacy regulators began an
investigation of reports of irregularities in prescription refills at CVS
pharmacies. Investigators are probing complaints that CVS renewed doctors’
prescriptions and billed insurers without customers’ consent, and in some cases
enrolled the customers in automatic refill programs without their knowledge. – United
Press International
28. October 17, United Press International –
(California) California investigates CVS pharmacies. California pharmacy
regulators have begun an investigation of reports of irregularities in
prescription refills at CVS pharmacies. The executive officer of the California
Board of Pharmacy said October 16 investigators are probing complaints that CVS
Caremark Corporation renewed doctors’ prescriptions and billed insurers without
customers’ consent, and in some cases enrolled the customers in automatic
refill programs without their knowledge. A spokesman for CVS said the company’s
policy requires a patient’s consent “be obtained before a prescription is
filled,” and added the company would provide the pharmacy board with any
information needed. The week of October 8, the U.S. Department of Health and
Human Services began another investigation of CVS into allegations the company
billed Medicare for medication patients had not ordered or picked up, and in
2011 the company agreed to pay $17.5 million to resolve allegations it
falsified prescription drug claims for Medicaid programs in California and nine
other States, the Los Angeles Times reported October 17. Source: http://www.upi.com/Top_News/US/2012/10/17/California-investigates-CVS-pharmacies/UPI-57311350501834/
• Cherryville, North Carolina’s police chief
and a police captain were suspended after investigators found they allegedly
used their credentials and legal authority to let trucks full of stolen goods
pass through Gaston County. – WBTV 3 Charlotte
33. October 18, WBTV 3 Charlotte – (North Carolina) Cherryville police chief, officer suspended
due to FBI probe. Cherryville, North Carolina’s police chief and a police
captain were suspended after investigators found they allegedly let trucks full
of stolen goods pass through Gaston County, WBTV 3 Charlotte reported October
18. Two federal indictments unsealed in U.S. District Court in Charlotte
charge a reserve deputy
sheriff with the Gaston County Sheriff’s Office and police officers with the
Cherryville Police Department with multiple counts related to the misuse of
their official position to provide protection for the transportation of goods they
believed to be stolen, announced a U.S. Attorney for the Western District of
North Carolina. Two non-law enforcement defendants were also charged for their
role in the conspiracy. According to allegations contained in the two
indictments, on multiple occasions, the men used their credentials and legal
authority to assist with the transfer or transport of stolen goods and/or cash
proceeds from the sale of stolen goods, in exchange for monetary bribes.
Source: http://www.wbtv.com/story/19843917/cherryville-police-chief-officer-suspended-due-to-fbi-probe
• Police provided the name of the gunman who
stormed into a Casselberry, Florida salon October 18 and shot four women —
killing three — before driving away and committing suicide. – Orlando
Sentinel
48. October 18, Orlando Sentinel –
(Florida) Police ID gunman in Casselberry salon mass shooting. Police
provided the name of the gunman who stormed into a Casselberry, Florida salon
October 18 and shot four women — killing three — before driving away and
committing suicide. The suspect killed his ex-girlfriend, the salon manager,
and several of her coworkers at the Las Dominicanas M & M Salon on Aloma
Avenue. Both the salon manager and the owner of the salon filed domestic
violence injunctions against the suspect in recent weeks. He was supposed to
report to the Orange County Courthouse October 18 for a hearing in the domestic
violence case. A fourth employee was taken to an area hospital, and her
condition is unknown. Police said the suspect left the salon, located in a
small strip mall near a Family Dollar store, and then shot himself several
miles away at a home on Paradise Lane. Source: http://www.orlandosentinel.com/news/local/breakingnews/os-casselberry-shooting-three-dead-20121018,0,289503,print.story
Details
Banking and Finance Sector
7. October 18, Associated Press – (New York) U.S. President was considered potential target. A
Bangladeshi man snared in an FBI terror sting considered targeting the U.S.
President and the New York City Stock Exchange before plotting a car bomb
attack on the Federal Reserve, a law enforcement official told the Associated
Press October 18. The official stressed that the suspect never got beyond the
discussion stage in considering
an attack on the U.S. President. In a September meeting with an undercover
agent posing as a fellow jihadist, the suspect explained he chose the Federal
Reserve as his car bomb target “for operational reasons,” according to a
criminal complaint. The suspect also indicated he knew that choice would “cause
a large number of civilian casualties, including women and children,” the
complaint said. FBI agents grabbed the man — armed with a cellphone he believed
was rigged as a detonator — after he made several attempts to detonate a fake
1,000-pound bomb inside a vehicle parked next to the Federal Reserve
October 17 in lower Manhattan, the complaint said. The suspect appeared in
federal court October 17 to face charges of attempting to use a weapon of mass
destruction and attempting to provide material support to a terrorist group.
Source: http://abcnews.go.com/US/wireStory/feds-indicted-plot-attack-federal-reserve-17502296
8. October 17, Reuters – (New Jersey) SEC charges Yorkville with securities fraud. Securities
regulators October 17 sued Yorkville Advisors LLC and its top executives,
accusing the New Jersey hedge fund of reporting false and inflated values for
some of its investments. The Securities and Exchange Commission (SEC) lawsuit
targeted Yorkville, which has been one of the largest funds specializing in thinly
traded micro-cap and small-cap companies, the founder and president, and the
chief financial officer. The firm misreported values as the financial crisis
hit in 2008 and 2009 and market conditions deteriorated, and its returns during
the period consisted mostly of unrealized gains from marked-up investments, the
SEC said. The scheme let Yorkville improperly boost its management fees and led
it to improperly receive more than $10 million in unearned fees, the SEC said.
The SEC accused Yorkville, which once managed more than $1 billion in assets,
of creating and providing false and misleading documents to its auditors to
further the scheme. The firm also made false and misleading statements to its
investors between April 2008 and January 2010 about the value of its
investments and other matters, the SEC said. The “false portrayal of Yorkville
as a firm that employed ‘robust’ internal controls caused pension funds and
funds of funds to invest over $280 million in the Funds,” the SEC said. Source:
http://www.reuters.com/article/2012/10/17/us-sec-yorkville-idUSBRE89G14L20121017
9. October 17, BankInfoSecurity – (National) BB&T site outages linked to DDoS. BB&T
Corp. acknowledged October 17 that its Web site was suffering from intermittent
outages related to a distributed denial-of-service (DDoS) attack. The $178.5
billion institution is the ninth U.S. bank to be affected by a DDoS strike in
the last 5 weeks. “BB&T is experiencing intermittent outages on BBT.com due
to a ‘Denial of Service’ event,” a bank spokesman said October 17. BB&T’s
site outage is the second attack apparently waged by a hacktivist group the
week of October 15. October 16, Capital One’s online banking and corporate
sites suffered outages believed to be caused by a second attack aimed at the
bank by the same group. Capital One’s Web site was back up and running by
October 17, said a spokeswoman, although some customers may continue to suffer
from periodic glitches linked to ongoing system upgrades. Source: http://www.bankinfosecurity.com/bbt-site-outages-linked-to-ddos-a-5208
10. October 17, Bloomberg News – (Georgia) Former American United Bank officers, directors
sued by FDIC. Former American United Bank officers and directors were sued
by the Federal Deposit Insurance Corporation (FDIC) for $45.2 million over
their alleged negligence in managing the bank’s lending operations. The
lawsuit, filed October 17 in federal court in Atlanta, names the defendants as
the former president and chief executive officer, former senior vice president,
and the chief lending officer. “Rather than manage the bank’s lending function
in a sound and responsible manner, the defendants took unreasonable risks with
the bank’s loan portfolio,” the FDIC said in the complaint. American United
Bank, based in Lawrenceville, Georgia, was closed by State regulators in 2009.
Ameris Bank of Moultrie, Georgia, agreed to assume all American United Bank’s
deposits, the FDIC said in 2009. Source: http://www.bloomberg.com/news/2012-10-17/former-american-united-bank-officers-directors-sued-by-fdic.html
Information Technology Sector
37. October 18, The H – (International) Information leak in ZENworks Asset Management
disclosed. The Metasploit developers discovered an information-leak
vulnerability in Novell ZENworks Asset Management 7.5 that allows a remote
attacker to read arbitrary files with system-level privileges and extract all
information stored by the application. A researcher from Rapid7 explained that
the Web console of ZENworks Asset Management provides two maintenance calls
that can be used with hard-coded credentials. One of the calls allows remote
attackers to gain access to the filesystem, while the other call gives details
of the software’s backend database credentials in clear text. The researcher
discovered the vulnerability in August and immediately wrote a Metasploit
module to exploit it. He then disclosed it to Novell and the U.S. Computer
Emergency Readiness Team, and has now published the exploit and corresponding
Metasploit module. Source: http://www.h-online.com/security/news/item/Information-leak-in-ZENworks-Asset-Management-disclosed-1732130.html
38. October 18, The H – (International) Apple updates Java for older Mac OS X - kills
browser plugin. Following Oracle’s CPU patch day, in which a large number
of Java vulnerabilities were fixed, Apple released an update for Java 6 on Mac
OS X 10.6.8, 10.7, and 10.8. The update brings Apple’s Java 6 in line with
Oracle’s Java 6 Update 37, but also removes the Apple-provided Java applet
plugin from all Web browsers. Apple previously modified its plugin to reduce
unnecessary exposure to Java-based malware by disabling the plugin if it went
unused for a period of time. This policy has apparently not been sufficient and
now the update completely removes the plugin; browsers will display a “missing
plugin” message, which, if clicked, will take the user to Oracle’s site where
they can download the latest Java applet plugin from Oracle. Source: http://www.h-online.com/security/news/item/Apple-updates-Java-for-older-Mac-OS-X-kills-browser-plugin-1732089.html
39. October 18, The Register – (International) One year on, SSL servers still cower before
the BEAST. The latest monthly survey by the SSL Labs project found
that many secure sockets layer (SSL) sites remain vulnerable to the Browser
Exploit Against SSL/TLS (BEAST) attack, more than a year after the underlying
vulnerability was demonstrated by security researchers. BEAST pairs a piece
of JavaScript running in the victim’s browser with a network sniffer to
decrypt the encrypted cookies that a targeted Web site uses to grant access to
restricted user accounts; it works only against CBC-mode cipher suites under
SSL 3.0 and TLS 1.0, because TLS 1.1 and later use a fresh initialization
vector for every record. October figures from the SSL Pulse survey of 179,000
popular Web sites secured with the ubiquitous SSL protocol show that 71
percent (127,000) are still vulnerable to the BEAST attack, little changed
from the 71.6 percent recorded in September. Exposure to the so-called CRIME
attack was also rife: 41 percent of the sample support SSL compression, a key
prerequisite of the attack. CRIME lures a vulnerable Web browser into leaking
an authentication cookie created when a user starts a secure session with a
Web site. Once the cookie is obtained, it can be used by hackers to log in to
the victim’s account on the site. Source: http://www.theregister.co.uk/2012/10/18/ssl_security_survey/
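The two preconditions the survey counts, as an added example that is not part of the article or of SSL Labs’ code: a session is exposed to BEAST when a CBC-mode suite is negotiated under SSL 3.0 or TLS 1.0, and to CRIME when TLS-level compression is negotiated. The cipher-name markers, the legacy client settings and the host arguments are assumptions; probe() needs network access, and a current OpenSSL build may refuse the legacy settings outright, in which case a dedicated scanner is the better tool.

```python
"""Grade one negotiated TLS session against the BEAST and CRIME preconditions.

Added example for this report; not code from The Register or SSL Labs.
The cipher-name markers and the probe settings are assumptions.
"""
import socket
import ssl

# Substrings in OpenSSL suite names that mean the record layer is NOT CBC:
# stream ciphers and AEAD modes. Anything else (AES128-SHA, DES-CBC3-SHA,
# ECDHE-RSA-AES256-SHA ...) is a CBC suite even when "CBC" is absent from the name.
NON_CBC_MARKERS = ("RC4", "GCM", "CCM", "CHACHA20", "NULL")
# TLS 1.1 introduced explicit per-record IVs, which removes the BEAST condition.
BEAST_PROTOCOLS = ("SSLv3", "TLSv1")


def is_cbc_cipher(suite_name: str) -> bool:
    upper = suite_name.upper()
    return not any(marker in upper for marker in NON_CBC_MARKERS)


def assess(protocol: str, suite_name: str, compression) -> set:
    """Return {'BEAST'}, {'CRIME'}, both, or an empty set for one session.

    The arguments take the values ssl.SSLSocket.version(), .cipher()[0] and
    .compression() return; compression is None when it is switched off."""
    findings = set()
    if protocol in BEAST_PROTOCOLS and is_cbc_cipher(suite_name):
        findings.add("BEAST")
    if compression is not None:
        findings.add("CRIME")
    return findings


def legacy_context() -> ssl.SSLContext:
    """A client context willing to negotiate the old settings the attacks need."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # grading the handshake, not trusting the peer
    ctx.options &= ~ssl.OP_NO_COMPRESSION    # let the server choose compression if it offers it
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        pass   # this OpenSSL build refuses TLS 1.0 / weak suites; results reflect that
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Handshake, then grade what the server picked (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with legacy_context().wrap_socket(sock, server_hostname=host) as tls:
            suite, _, _ = tls.cipher()
            version, compression = tls.version(), tls.compression()
            return version, suite, compression, assess(version, suite, compression)


if __name__ == "__main__":
    import sys
    for hostname in sys.argv[1:]:           # e.g. python beast_crime.py www.example.com
        print(hostname, *probe(hostname))
```

The survey’s 2012-era workaround of preferring RC4 over CBC suites is itself broken today (RC4 is prohibited for TLS by RFC 7465); the durable fix is TLS 1.2 or later with AEAD suites and compression disabled, which is exactly what an empty set from assess() on a modern handshake means.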
40. October 17, Softpedia – (International) Citadel trojan Rain Edition represents
Fraud-as-a-Service at its best, RSA says. The developers of the Citadel
trojan recently released the 1.3.5.1 version, dubbed Rain Edition. The new
variant costs more than its predecessor, but it also possesses new features.
One of the most noteworthy new features is called “Dynamic Config.” It allows
botmasters to interact faster with their victims via browser injection
technology. “This nifty function allows Trojan operators to create web
injections and use them on the fly, pushing them to selected bots without the
hassle of pushing/downloading an entire new configuration file,” an RSA
researcher explained. “Citadel-infected machines are going to have an
instruction to reach out to the C&C every 2 minutes and update themselves
with a predefined file where injection ‘packs’ will be ready to go. The whole
system will be managed by a clever distribution mechanism dictating which injection(s)
go to which bot or group of bots,” he added. This new mechanism makes Citadel a
representative for the Fraud-as-a-Service (FaaS) model. That is because
botmasters are not forced to do all the work by themselves. Instead, they can
hire up to five subordinates to help them create injections. They all have
their own section on the administrator panel, which gives them only limited
access to the entire operation. The advantage for the injection sellers in this
case is that they can work with multiple botmasters. Source: http://news.softpedia.com/news/Citadel-Trojan-Rain-Edition-Represents-Fraud-as-a-Service-at-Its-Best-RSA-Says-300441.shtml
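Detection for the check-in behaviour quoted above, as an added example that is not RSA’s or Softpedia’s code: a bot that reaches its C&C every 2 minutes leaves a flat, low-jitter inter-arrival pattern in proxy logs that ordinary browsing does not. The log format, the sample lines and the thresholds are constructed for the demonstration; the 120-second period comes from the RSA description.

```python
"""Flag client/destination pairs that poll on a fixed short period.

Added example for this report; not code from RSA or Softpedia. The log layout
(UTC timestamp, client IP, destination host, path), the sample lines and the
thresholds are constructed for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median, pstdev

# Constructed proxy log: 10.0.0.5 fetches the same file every ~2 minutes,
# 10.0.0.7 browses irregularly.
SAMPLE_LOG = """\
2012-10-17T10:00:00Z 10.0.0.5 cfg.example.net /update.bin
2012-10-17T10:00:03Z 10.0.0.7 www.example.org /index.html
2012-10-17T10:02:01Z 10.0.0.5 cfg.example.net /update.bin
2012-10-17T10:03:44Z 10.0.0.7 www.example.org /news
2012-10-17T10:04:00Z 10.0.0.5 cfg.example.net /update.bin
2012-10-17T10:05:59Z 10.0.0.5 cfg.example.net /update.bin
2012-10-17T10:07:12Z 10.0.0.7 www.example.org /about
2012-10-17T10:08:00Z 10.0.0.5 cfg.example.net /update.bin
2012-10-17T10:10:01Z 10.0.0.5 cfg.example.net /update.bin
2012-10-17T10:14:30Z 10.0.0.7 www.example.org /news
"""


def parse(log_text):
    """Yield (timestamp, client, destination) from the constructed log format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, dest, _path = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, client, dest


def find_beacons(log_text, period=120.0, tolerance=0.10, min_hits=5):
    """Return {(client, dest): median_gap_seconds} for pairs polling ~every `period` s.

    A pair is reported when its median inter-request gap is within `tolerance`
    of `period` and the spread of the gaps (stdev / median) is also below
    `tolerance`; browsing with irregular gaps fails the second test."""
    stamps = defaultdict(list)
    for when, client, dest in parse(log_text):
        stamps[(client, dest)].append(when)

    beacons = {}
    for pair, times in stamps.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med <= 0:
            continue
        if abs(med - period) / period <= tolerance and pstdev(gaps) / med <= tolerance:
            beacons[pair] = med
    return beacons


if __name__ == "__main__":
    for (client, dest), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: every {gap:.0f}s")
```

The period is a parameter because other families use other intervals, and legitimate software (mail polling, update checkers) beacons too, so the output is a triage list for an analyst rather than a verdict; pairing it with the destination’s reputation or the fetched file’s size is the usual next step.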
41. October 17, Threatpost – (International) Oracle leaves fix for Java SE zero day until
February patch update. Oracle will not patch a critical sandbox escape
vulnerability in Java SE versions 5, 6, and 7 until its February Critical Patch
Update (CPU), according to the researcher who discovered the flaw. The
researcher, from security firm Security Explorations, told Threatpost that
Oracle said it was deep into testing of another Java patch for the October CPU
released October 16, and that it was too late to include the sandbox fix. The
researcher said he plans to present technical details on the flaw November 14
at the Devoxx Java Community Conference in Belgium. The exploit relies on a
user landing on a site hosting the exploit; an attacker would use a malicious
Java applet or banner ad to drop the malware and ultimately have full remote
control of a compromised machine.
42. October 17, Softpedia – (International) Researcher finds denial of service
vulnerability in Windows 7. A researcher claims to have identified a
denial-of-service (DoS) vulnerability that affects fully updated versions of
Windows 7 and possibly even Windows Vista. He revealed that a blue screen of
death (BSOD) can be triggered by making a “very specific set of operating
system calls.” Although he has not been able to determine if the security hole
can be used by an attacker to execute arbitrary code, he confirmed that it
could be utilized to corrupt kernel memory and cause a DoS state. Source: http://news.softpedia.com/news/Researcher-Finds-Denial-of-Service-Vulnerability-in-Window-7-300118.shtml
43. October 17, Threatpost – (International) Nitol Botnet shares code with other China-based
DDoS malware. Microsoft learned that much of the code used by the
Nitol malware family is copied from free malware resources hosted on Chinese
Web sites. Microsoft posted portions of the code online the week of October 15,
where similar lines used for denial-of-service (DoS) attack functionality are
present in Nitol and on the sites in question. An antivirus researcher at
Microsoft said that Nitol.A and Nitol.B also resemble malware used by the
IMDDOS and Avzhan botnets, both of which, like Nitol, are used to carry out
distributed denial-of-service (DDoS) attacks. Nitol.A and Nitol.B are the most
active variants of the Nitol family. The Nitol botnet was recently taken down
by Microsoft after it was given permission by the U.S. District Court for the
Eastern District of Virginia to take control of the 70,000 sub-domains hosting
malware on the 3322.org domain. Source: http://threatpost.com/en_us/blogs/nitol-botnet-shares-code-other-china-based-ddos-malware-101712
44. October 17, Softpedia – (International) Vodafone ‘account update’ notifications lead
to phishing sites. Vodafone phishing emails have been seen landing in
inboxes in the past few days, informing customers that they need to update
their accounts. Cybercriminals are not only after bank account details. The
information stored in accounts that customers register on their mobile
carrier’s site could be just as valuable. Spammers have started sending out
alerts entitled “Your Vodafone accounts update.” The link does not point to the
legitimate Vodafone site, but a Web page designed to trick users into
disclosing their usernames and passwords. By gaining access to their victims’
accounts, the scammers also gain access to billing information and other
sensitive data that can be used to commit identity theft-related crimes.
Source: http://news.softpedia.com/news/Vodafone-Account-Update-Notifications-Lead-to-Phishing-Sites-300149.shtml
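A check that catches the lure described above, as an added example that is not Softpedia’s or Vodafone’s code: every link in the message must land on a host under the brand’s own domain, matched on a label boundary rather than by substring (so vodafone.co.uk.evil.example fails), and a visible URL that disagrees with the real target is flagged on its own. The trusted-domain list and the sample message are constructed assumptions.

```python
"""Flag links in an HTML mail whose target is not under a trusted domain.

Added example for this report; not code from Softpedia or Vodafone. The trusted
domains and the sample message are constructed for the demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"vodafone.co.uk", "vodafone.com"}

# Constructed message body: the second and third links imitate the lure.
SAMPLE_EMAIL = """
<p>Your Vodafone accounts update</p>
<a href="https://www.vodafone.co.uk/help">Help centre</a>
<a href="http://vodafone.co.uk.account-update.example/login">Update your account</a>
<a href="http://203.0.113.5/vf/login">https://www.vodafone.co.uk/login</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_is_trusted(host, trusted=TRUSTED):
    """Exact match or a subdomain on a label boundary; no substring matching."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def flag_links(html_body, trusted=TRUSTED):
    """Return [(href, reason)] for every link that fails a check."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlsplit(href).hostname or ""
        if not host_is_trusted(host, trusted):
            findings.append((href, "host not under a trusted domain"))
        # Display/target mismatch: the anchor text looks like a URL for another host.
        shown = urlsplit(text).hostname if text.startswith(("http://", "https://")) else None
        if shown and shown.lower() != host.lower():
            findings.append((href, f"visible URL says {shown}, link goes to {host}"))
    return findings


if __name__ == "__main__":
    for href, reason in flag_links(SAMPLE_EMAIL):
        print(f"{reason}: {href}")
```

The label-boundary rule is the part people get wrong: a substring test on “vodafone” accepts both lookalikes in the sample, and a bare IP address contains no brand string to match at all, which is why the host check is a positive allow-list rather than a search for suspicious words.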
45. October 17, SC Magazine – (International) Security beefed up in new Adobe Reader,
Acrobat. The week of October 15, Adobe released new versions of its
flagship Reader and Acrobat products to include a number of new security
capabilities. Reader XI extends previously introduced sandbox “Protected View”
controls — in which PDFs are displayed in a confined environment to prevent
malware from running elsewhere on the machine — to now include “read-only”
activities so hackers are unable to steal data via attacks, including so-called
screen scrapes. The new Reader and Acrobat editions also opt in to Force ASLR,
an operating-system extension of Address Space Layout Randomization (ASLR)
available on Windows 8 and, with a Microsoft update, on Windows 7. Introduced
with the release of Windows Vista in early 2007, ASLR randomizes the addresses at
which code and data are loaded and significantly lowers the chances that certain
code execution attacks will succeed; on its own, however, it only covers modules
that were linked with ASLR support. “Force ASLR improves the effectiveness of existing ASLR
implementations by ensuring that all DLLs (dynamic-link libraries) loaded by
Adobe Reader or Acrobat XI, including legacy DLLs without ASLR enabled, are
randomized,” a researcher with the Adobe Secure Software Engineering Team said
October 17. Source: http://www.scmagazine.com/security-beefed-up-in-new-adobe-reader-acrobat/article/264112/
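Force ASLR exists because a process is only as randomized as its least cooperative module. This added example, not Adobe’s or Microsoft’s code, reads the DllCharacteristics field of a PE header to report whether a DLL or EXE was linked with the DYNAMIC_BASE flag, which is what “legacy DLLs without ASLR enabled” in the quote lack; build_header fabricates a minimal header so the parser can be exercised without a real binary, and the flag values are the documented Windows constants.

```python
"""Report whether a PE image (EXE/DLL) was linked with ASLR support.

Added example for this report; not Adobe's or Microsoft's code. Only the DOS
and optional headers are read, so it works on PE32 and PE32+ alike.
build_header fabricates a minimal header as constructed test input.
"""
import struct
from pathlib import Path

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
DYNAMIC_BASE = 0x0040      # image may be relocated at load time (ASLR-aware)
NX_COMPAT = 0x0100         # DEP compatible
HIGH_ENTROPY_VA = 0x0020   # 64-bit high-entropy ASLR
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics field, or raise ValueError for a non-PE blob."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                     # skip signature and COFF file header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics is at offset 70 in both the PE32 and PE32+ optional header.
    return struct.unpack_from("<H", data, opt + 70)[0]


def has_aslr(data: bytes) -> bool:
    return bool(dll_characteristics(data) & DYNAMIC_BASE)


def build_header(dll_characteristics_value: int, pe32plus: bool = False) -> bytes:
    """Fabricate the smallest byte layout the parser needs (constructed test input)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = b"\0" * 20
    opt = bytearray(112 if pe32plus else 96)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics_value)
    return dos + b"PE\0\0" + coff + bytes(opt)


def scan(directory):
    """Yield (path, aslr_enabled) for every .dll/.exe below directory; skip unreadable files."""
    for path in Path(directory).rglob("*"):
        if path.suffix.lower() in (".dll", ".exe"):
            try:
                yield path, has_aslr(path.read_bytes())
            except (ValueError, OSError):
                continue


if __name__ == "__main__":
    import sys
    for path, enabled in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("ASLR" if enabled else "----", path)
```

Run scan() over an application’s install directory to list the modules that would load at a predictable base on a system without Force ASLR; with Force ASLR enabled those modules are still rebased, provided the image kept its relocation table, which is the whole point of the feature.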
Communications Sector
46. October 18, NorthEscambia.com – (Florida; Alabama) Frontier, Verizon customers report widespread telephone
outages. There was no immediate word October 17 on the cause of
communications problems in North Escambia, Florida, that left many residents
unable to make or receive phone calls. Frontier Communications customers from
Molino, Florida north through Walnut Hill and Atmore into Monroe County,
Alabama, reported that they were unable to make phone calls outside of Frontier
exchanges and unable to receive phone calls from non-Frontier customers.
Numerous Verizon Wireless customers also reported problems making and receiving
calls or text messages, particularly in the Molino area. Source: http://www.northescambia.com/2012/10/frontier-verizon-customers-report-widespread-telephone-outages
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday]
summary of open-source published information concerning significant critical infrastructure issues.
The DHS Daily Open Source Infrastructure Report is archived for ten days on the
Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS
Daily Report Team at (703)387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow
instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information,
please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to
educate and inform personnel engaged in infrastructure protection. Further reproduction
or redistribution is subject to original copyright restrictions. DHS provides no
warranty of ownership of the copyright, or accuracy with respect to the original
source material.