Friday, October 26, 2012


Daily Report

Top Stories

 • A toxic cloud formed after 300 gallons of hydrochloric acid leaked at a storage facility near Texas City, Texas. The cloud forced thousands of residents indoors and sent nine people to hospitals, an emergency management official said October 25. – CNN

2. October 25, CNN – (Texas) Toxic cloud forces thousands in southeast Texas to stay indoors. A toxic cloud that formed after 300 gallons of hydrochloric acid leaked at a southeast Texas storage facility sent nine people to hospitals and forced thousands of residents indoors, an emergency management official said October 25. Four firefighters were among those who were hospitalized for exposure after a tank ruptured at a storage facility near the Port of Texas City, a spokesman of the local emergency management office said. More than 45,000 residents of Texas City were ordered to remain indoors, turn off air conditioning units, and make sure all windows and doors were closed until the vapor cloud dissipated. Officials did not immediately detail what caused the tank to rupture at the Dallas Group of America’s facility near the port. City officials were working to clean up the leak, the spokesman told KTRK 13 Houston. None of those exposed to the chemical cloud sustained life-threatening injuries, according to KTRK 13 Houston. Source: http://www.cnn.com/2012/10/25/us/texas-chemical-leak/index.html

 • The United States filed a civil mortgage fraud lawsuit against Bank of America, accusing it of selling thousands of toxic home loans to Fannie Mae and Freddie Mac that went into default and caused more than $1 billion of losses, Reuters reported October 24. – Reuters See item 10 below in the Banking and Finance Sector

 • A fraud ring that attacked financial transfer systems in an attempt to target wealthy high-end banking customers used a complicated web of malware and compromised servers in several countries to steal an estimated $78 million earlier in 2012, according to an analysis by McAfee and Guardian Analytics. – Threatpost See item 14 below in the Banking and Finance Sector

 • A federal cyber emergency response team issued a warning that DomainKeys Identified Mail (DKIM) verifiers that use low-grade encryption are open to being spoofed and need to be upgraded. This problem was found to affect some of the biggest companies in the tech industry and several large banks. – The Register See item 45 below in the Information Technology Sector

Details

Banking and Finance Sector

7. October 25, Help Net Security – (District of Columbia) Banker pleads guilty to sharing personal information of account-holders. A former personal banker from Washington, D.C., pleaded guilty to conspiracy to commit bank fraud for his role in an identity theft scheme involving $121,400 in forged checks, Help Net Security reported October 25. According to a statement of offense, he and others participated in the scheme from November 2009 until January 2010, conspiring to steal funds from the accounts of customers of Wachovia Bank, now operating as Wells Fargo Bank. He began participating in the scheme after he was approached by another person at the bank branch where he worked. The person offered to pay him for providing the type of customer information that would be needed to fraudulently obtain funds from customer accounts with balances of at least $15,000. He subsequently obtained this information concerning the accounts of seven customers, including their dates of births, addresses, telephone numbers, and Social Security numbers, then turned over the information and received $2,000 in cash. Various members of the conspiracy obtained $72,800 and attempted to obtain another $48,600 by forging checks drawn on five of the accounts targeted by the banker. Source: http://www.net-security.org/secworld.php?id=13839

8. October 24, American Banker – (International) ATMs may be top targets for crime: Verizon report. More than half of intrusions in the financial industry in a recent study led by Verizon involved tampering with ATMs, the company said in a report published October 24. Overall, 61 percent of security threats involved physical tampering, including the installation of skimming and camera devices on ATMs. Roughly one in four threats involved malware that captures user names and passwords. Another 22 percent involved hacking. According to the study, 56 percent of data breaches compromised ATMs. Another 21 percent of attacks compromised database servers, while 13 percent involved Web servers. Overall, 96 percent of threats to banks originated externally and emanated mostly from professional criminal organizations in Eastern Europe and elsewhere, according to the study. Still, 9 percent of breaches involved employees of the target company, one of the highest rates of internal breaches among industries the group examined. Insiders were people who typically handled financial transactions, such as bank tellers and loan officers, the study found. Source: http://www.americanbanker.com/issues/177_206/atm-may-be-top-targets-for-crime-1053833-1.html

9. October 24, Las Vegas Review-Journal – (Nevada; California) Henderson man faces charges in $15 million Ponzi scheme. A Henderson, Nevada man is facing federal charges in Los Angeles in what authorities allege is a $15 million Ponzi scheme, the Las Vegas Review-Journal reported October 24. The man was arrested in Las Vegas on charges including mail and wire fraud in the investment scheme, the Los Angeles U.S. Attorney’s Office said in a news release. According to the indictment, the man falsely told investors he was producing earnings of 1 percent to 5 percent a week through a commodity futures trading program. In reality, his trading activity was unprofitable, causing him to lose nearly all the money he used to trade commodities. Federal authorities think he took in at least $15 million in the scheme and that his investors lost at least $9 million. He solicited investments through Nevada-based companies, including Axcess Automation LLC, and a hedge fund he called Axcess Fund LP. In addition to the fraud allegations, he is accused of lying to the U.S. Securities and Exchange Commission. Source: http://www.lvrj.com/news/henderson-man-faces-charges-in-15-million-ponzi-scheme-175704591.html

10. October 24, Reuters – (National) U.S. sues BofA over alleged mortgage fraud. The United States filed a civil mortgage fraud lawsuit against Bank of America, accusing it of selling thousands of toxic home loans to Fannie Mae and Freddie Mac that went into default and caused more than $1 billion of losses, Reuters reported October 24. The case, originally brought by a whistleblower, is the U.S. Department of Justice’s first civil fraud lawsuit over mortgage loans sold to Fannie Mae or Freddie Mac. According to a complaint filed in Manhattan federal court, Countrywide in 2007 invented a scheme known as the “Hustle” designed to speed up processing of residential home loans. Operating under the motto “Loans Move Forward, Never Backward,” mortgage executives tried to eliminate “toll gates” designed to ensure that loans were sound and not tainted by fraud, the government said. This resulted in “defect rates” that were roughly nine times the industry norm, but Countrywide concealed this from Fannie Mae and Freddie Mac, and even awarded bonuses to staff to “rebut” the problems being discovered, it added. The scheme ran through 2009 and caused “countless” foreclosures, the lawsuit alleged. Source: http://bottomline.nbcnews.com/_news/2012/10/24/14671246-us-sues-bofa-over-alleged-mortgage-fraud?lite

11. October 24, Dark Reading – (National) Barnes & Noble stores targeted in nationwide payment card-skimming scam. Rogue PIN pad devices discovered at more than 60 Barnes & Noble stores nationwide appeared to be the handiwork of a well-orchestrated financial fraud scheme that rigged just one device at each store, Dark Reading reported October 24. The retail bookseller revealed that it had halted use of all PIN pad devices in most of its 700 stores as of September 14 in the U.S. and that the FBI is investigating the case. The compromised PIN pad devices represent less than 1 percent of the total number of these devices in Barnes & Noble stores, according to the retailer. The compromised devices were found in some stores in California, Connecticut, Florida, New Jersey, New York, Illinois, Massachusetts, Pennsylvania, and Rhode Island. Somehow, the criminals were able to gain physical access to the devices, which Barnes & Noble described as having been tampered with and implanted with “bugs” that let the fraudsters capture credit card and debit card PIN numbers. Barnes & Noble declined to provide details on the type or features in the rigged devices. Source: http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/240009697/barnes-noble-stores-targeted-in-nationwide-payment-card-skimming-scam.html

12. October 24, Softpedia – (International) Lloyds TSB scams: Account payment review notifications and errors. Lloyds TSB customers should be on the lookout for two particular phishing emails, Softpedia reported October 24. One of them is entitled “Error on your account” and the other one “Account payment review notification.” In both cases, users who take the bait and click on the links are directed to compromised Web sites that host cleverly designed fake Lloyds TSB Web pages. At the time of writing, the hijacked sites’ owners — one of the sites belongs to an educational institution from China and the other one is a Ukrainian site — had removed the phishing pages. However, Internet users must still be cautious when receiving such messages since the cybercriminals can easily hijack other Web sites and resume their operation. Source: http://news.softpedia.com/news/Lloyds-TSB-Scams-Account-Payment-Review-Notifications-and-Errors-301812.shtml

13. October 24, Canton Press-News – (Ohio) Aultman Hospital reports data breach. Aultman Hospital in Canton, Ohio, recently learned that an unidentified third party gained unauthorized access to credit card and debit card information relating to some purchases at the hospital’s gift shop between February and September 2012, the Canton Press-News reported October 24. Upon learning of the security breach, Aultman Hospital took immediate steps to investigate and resolve the situation. Aultman notified the appropriate law enforcement authorities, including the Secret Service and the Canton Police Department. Aultman replaced the hardware affected by the breach, and retained a forensic auditor to assist with the ongoing investigation. Currently, Aultman did not know how many individuals were affected by the breach, but the breach appeared limited to the gift shop. Source: http://www.the-press-news.com/local business/2012/10/24/aultman-hospital-reports-data-breach

14. October 24, Threatpost – (International) Operation High Roller banked on fast-flux botnet to steal millions. A fraud ring that attacked financial transfer systems in an attempt to target wealthy high-end banking customers used a complicated web of malware and compromised servers in several countries to steal an estimated $78 million earlier in 2012, Threatpost reported October 24. While the attacks targeted financial systems, the victims seem to be limited to companies involved in manufacturing, import-export businesses, and State or local governments. Operation High Roller was at its peak during the spring, using automated fast-flux techniques to move command and control and malware servers from host to host, using providers in Kemerovo, Russia, as well as other hosts in Albania, Scottsdale, Arizona, and San Jose, California. All of them had ties to servers in Albania and China and relied on a cocktail of the Zeus trojan and variants SpyEye and Ice IX, according to McAfee and Guardian Analytics who jointly discovered the fraud ring in February and completed a deeper analysis of the operation the week of October 22. “With no human participation required, each attack moves quickly and scales neatly. This operation combines an insider level of understanding of banking transaction systems with both custom and off the shelf malicious code...” one of the report’s authors said. Victims were generally lured in via phishing campaigns and were infected by malware adept at bypassing even two-factor authentication and other security devices in place. McAfee also found connections to the owners of a Pittsburgh pizza restaurant who owned domains originally hosted on the Chinese server hosting other Zeus malware. McAfee speculated that either the owners’ identities were stolen or they were involved in the scheme and the restaurant is a front for money laundering. Source: http://threatpost.com/en_us/blogs/operation-high-roller-banked-fast-flux-botnet-steal-millions-102412

For more stories, see items 38 and 45 below in the Information Technology Sector

Information Technology Sector

37. October 25, Softpedia – (International) Imperva experts reveal the best practices and tactics to mitigate insider threats. Insider threats have become a major issue, and many information security solutions providers have focused their efforts on precisely determining how such threats can be mitigated. Security firm Imperva contributed to this research with a report that examines the legal, psychological, and technological tactics deployed by some high-profile organizations to address these risks. A report published by Imperva in 2010 revealed that approximately 70 percent of employees planned to take copies of work-related files when leaving the organizations they worked for. Furthermore, according to the FBI, the U.S. economy suffers losses of over $13 billion each year because of insider threats. “The digital information age offers unfettered access for any actor trusted enough to enter our enterprise walls,” the co-founder and CTO of Imperva explained. “For most organizations, insider threats have moved beyond risk into reality; however, many threat vectors can be protected against with a measured approach to business security.” After analyzing the tactics and best practices employed by 40 organizations considered to be highly effective at preventing insider threats, experts determined that making a case for business security, employee education, control access with checks and balances, and security organizing are key elements. Furthermore, all employees with administrative and super user rights should be monitored constantly. IT operations, IT security, Human Resources, and legal departments should be organized to implement security processes into the business workflow. Source: http://news.softpedia.com/news/Imperva-Experts-Reveal-the-Best-Practices-and-Tactics-to-Mitigate-Insider-Threats-302141.shtml

38. October 25, Softpedia – (International) Advanced malware allows cybercriminals to empty a bank account in one go. Security firm AVG released its Community Powered Threat Report for the third quarter of 2012. The study focuses on the 2.0 version of the Blackhole exploit kit, the evolution of malware and other threats that marked the past quarter. According to AVG, the Blackhole exploit kit leads both the toolkit and the malware markets, with shares of almost 76 percent and 63 percent, respectively. Considering that the crimekit’s authors launched the 2.0 version, experts say its market share will grow even further and the attacks it is utilized in will become even more “aggressive” because of the advanced evasion techniques recently integrated into it. “Blackhole is a sophisticated and powerful exploit kit, mainly because it is polymorphic and its code is heavily obfuscated to evade detection by anti-virus solutions. The rapid update capabilities of the kit have also made it challenging for traditional antivirus vendors to track, which are the main reasons it has a high success rate,” said the CTO at AVG Technologies. “Through our multi-layered security approach with real-time analysis at the endpoint, AVG has been detecting a much higher rate of Blackhole Toolkit-based attacks than other toolkits, as Blackhole’s creator seeks to stay ahead of their competition,” he added. Source: http://news.softpedia.com/news/Advanced-Malware-Allows-Cybercriminals-to-Empty-a-Bank-Account-in-One-Go-302135.shtml

39. October 25, Softpedia – (National) RSA, AMD, Intel, Lockheed Martin and Honeywell team up for cyber security alliance. IT industry companies Advanced Micro Devices (AMD), Honeywell, Intel Corporation, Lockheed Martin, and RSA/EMC joined forces to form a non-profit research consortium known as Cyber Security Research Alliance (CSRA). Cybersecurity has become an important issue not only for private organizations, but also for governments. Major economic powers, including the United States, are focusing many of their resources on enhancing both their defensive and offensive capabilities and most of them have realized that collaboration with the private sector is vital. The consortium will focus on developing viable approaches to technology transfers, tackling cybersecurity R&D activities, and prioritizing the challenges posed by cybersecurity based on the collaboration of all stakeholders. The CSRA hopes to bring together all the key actors in an effort to address national cybersecurity R&D, and bridge the existent gap between the private sector and the government. Currently, the CSRA is also collaborating with the U.S. National Institute of Standards and Technology to arrange a symposium in early 2013 to bring together academia and researchers from both private and government sectors. Source: http://news.softpedia.com/news/RSA-AMD-Intel-Lockheed-Martin-and-Honeywell-Team-Up-for-Cyber-Security-Alliance-302273.shtml

40. October 25, Help Net Security – (International) Phishing Websites proliferate at record speed. A new phishing survey released by the Anti-Phishing Working Group (APWG) reveals that while the uptime of phishing Web sites dropped during the first half of 2012, cybercriminals were driving substantial increases in the numbers of phishing Web sites they established to steal from consumers. Meanwhile, cybercriminals are increasingly using hacked Web servers of existing, legitimate Web sites to host phishing Web sites, pointing up the need for Web site owners and hosting services to be on guard. APWG found that average uptimes of phishing attacks dropped to a record low of 23 hours and 10 minutes in the first half of 2012, about half of what it was in late 2011, and by far the lowest since the report series was inaugurated in January 2008. The uptimes of phishing attacks are a vital measure of how damaging they are, and are a measure of the success of mitigation efforts. The longer a phishing attack remains active, the more money the victims and target institutions lose. However, the study’s authors also found that there were more phishing attacks in the period — at least 93,462, up 12 percent from the second half of 2011. Source: http://www.net-security.org/secworld.php?id=13837

41. October 24, Ars Technica – (International) Phony certificates fool faulty crypto in apps from AIM, Chase, and more. Researchers uncovered defects in a wide range of applications running on computers, smartphones, and Web servers that could make them susceptible to attacks exposing passwords, credit card numbers, and other sensitive data. The Trillian and AIM instant messaging applications and an Android app offered by Chase Bank are three apps identified as vulnerable to man-in-the-middle (MitM) attacks. The weak implementations caused the programs to initiate encrypted communications without first assessing the validity of the digital certificates on the other end. As a result, one of the fundamental guarantees of the secure sockets layer (SSL) — that the computer on the other end of the connection belongs to the party claiming ownership — was fundamentally compromised. Source: http://arstechnica.com/security/2012/10/faulty-ssl-fooled-by-phony-certificates/

42. October 24, V3.co.uk – (International) Focus: McAfee updates Endpoint Security to battle emerging threats. McAfee updated its Endpoint Security platform as part of an ongoing effort to block a new generation of advanced persistent threats (APTs). The company said that the update would better equip systems to block highly sophisticated attack techniques, such as the use of master boot record (MBR) sabotage techniques and the use of zero-day flaws for intrusion attempts. The senior vice president and general manager of Endpoint Security for McAfee told reporters the update would look to not only expand the scope of protections for Endpoint Security, but also the new form factors. In addition to the MBR protections introduced in a Deep Defender update, McAfee is updating the Enterprise Mobility manager to add support for iOS 6 devices and adding to the whitelisting protections on the McAfee Application Control administrator tool. Source: http://www.v3.co.uk/v3-uk/news/2219444/focus-mcafee-updates-endpoint-security-to-battle-emerging-threats

43. October 24, Government Computer News – (International) Hackers’ new superweapon adds firepower to DDoS attacks. Hackers now have access to what is dubbed the High Orbit Ion Cannon (HOIC). HOIC is a free-to-download, open-source program that can turn any user of any skill level into a powerful hacker, at least in terms of a distributed denial-of-service (DDoS) attack. It was designed to be extremely easy to use — the user simply types in the URL of the target, sets the HOIC to operate in supercharged or normal mode, and then launches the attack. The program sends traffic to that URL in an attempt to overload the site and disable it. Source: http://gcn.com/articles/2012/10/24/hackers-new-super-weapon-adds-firepower-to-ddos.aspx?admgarea=TC_SECCYBERSSEC

44. October 24, Softpedia – (International) ‘Download Microsoft Windows License’ spam used as launchpad for malware attack. GFI Labs experts issued an alert to warn users about a spam campaign that’s being used as a launchpad for a Blackhole-Cridex malware attack. It starts with an email entitled “Re:Fwd: Order 321312” which reads: “Welcome, You can download your Microsoft Windows License here. Microsoft Corporation.” Microsoft has nothing to do with the emails and the emails have nothing to do with Windows licenses. Instead, when users click on the link that’s behind “here,” they are taken to a Web site hosted on a Russian domain, which contains an obfuscated JavaScript that is designed to load another Web page. While the victim is viewing a message that reads “Please wait a moment. You will be forwarded,” in the background, the Blackhole exploit kit is working on trying to find a security hole to push malware onto the victim’s computer. Source: http://news.softpedia.com/news/Download-Microsoft-Windows-License-Spam-Used-as-Launchpad-for-Malware-Attack-301923.shtml

45. October 24, The Register – (International) US-CERT warns DKIM email open to spoofing. The U.S. Computer Emergency Response Team (US-CERT) issued a warning that DomainKeys Identified Mail (DKIM) verifiers that use low-grade encryption are open to being spoofed and need to be upgraded to combat attackers wielding contemporary quantities of computing power. This problem has been found to affect some of the biggest names in the tech industry, including Google, Microsoft, Amazon, PayPal, and several large banks. The DKIM system adds a signature file to messages that can be checked to ascertain the domain of the sender by checking with DNS. It also takes a cryptographic hash of the message, using the SHA-256 cryptographic hash and RSA public key encryption scheme, so it cannot be altered en route. The problem stems from the very weak key lengths that are being used by the companies. Source: http://www.theregister.co.uk/2012/10/24/uscert_dkim_spoofing_flaw/

46. October 24, Threatpost – (International) Attackers turn to open DNS resolvers to amplify DDoS attacks. A recent tactic adopted by distributed denial-of-service (DDoS) attackers is the use of open DNS resolvers to amplify their attacks. This technique, while not novel, is beginning to cause serious problems for the organizations that come under these attacks. In a new report, researchers associated with Host Exploit, a volunteer organization that tracks malicious activity among hosting providers, said attackers have been making good use of the numerous poorly configured open DNS resolvers in recent months. These machines were plentiful, but it was not just open resolvers in and of themselves that represented a problem. The issue arose when they were misconfigured, allowing attackers to take advantage of weaknesses in the open resolvers to use them as amplifiers for their attacks. Source: http://threatpost.com/en_us/blogs/attackers-turn-open-dns-resolvers-amplify-ddos-attacks-102412

Communications Sector

47. October 24, Flint Journal – (Wisconsin, Indiana, Michigan) Cut fiber cables in Wisconsin, Indiana responsible for Genesee County phone outages. Cut fiber cables in Wisconsin and a computer card failure in Indiana led to the interruption of Windstream phone service to several schools and other customers across the region, the Flint Journal reported October 24. Fiber cables near Milwaukee, Wisconsin and Greencastle, Indiana, were cut, Windstream said in an email. There also was a computer card failure at a switching station in Fishers, Indiana. Windstream, a communications company based in Little Rock, Arkansas, said service was restored to Flint, Farmington Hills, and Grand Rapids in Michigan. The company did not say how many customers were affected. Source: http://www.mlive.com/news/flint/index.ssf/2012/10/cut_fiber_cables_responsible_f.html


Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information

About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport

Contact Information

Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703)387-2314

Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.

Removal from Distribution List: Send mail to support@govdelivery.com.


Contact DHS

To report physical infrastructure incidents or to request information, please contact the National Infrastructure Coordinating Center at nicc@dhs.gov or (202) 282-9201.

To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.

Department of Homeland Security Disclaimer

The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.