Thursday, December 6, 2012
Daily Report
Top Stories
• Fire officials estimated damage to a Mobile Transformer burned in a December 4 fire at the Maui Electric Company’s Pu’ukoli’i Substation at one million dollars. The Maui Police Department also reported a water outage in the Ka’anapali resort area. – Mauinow.com

1. December 4, Mauinow.com – (Hawaii) Pu’ukoli’i substation fire causes $1 million damage. Fire officials estimated damage to a Mobile Transformer burned in a morning fire at the Maui Electric Company’s (MECO) Pu’ukoli’i Substation at one million dollars, Maui Now reported December 4. The Maui Fire Services chief said the fire was reported at Pu’ukoli’i Road. The fire resulted in a power outage for much of the Ka’anapali resort area. MECO officials said electrical service has since been restored to remaining customers in Pu’ukoli’i. No injuries were reported and the cause of the fire was undetermined, said the fire chief. The Maui Police Department also reported a water outage in the Ka’anapali resort area. Officials have been notified and work crews were on scene. County officials had indicated that a power outage caused by the Pu’ukoli’i substation may have affected one of the county’s pump stations and water service in the area. Source: http://mauinow.com/2012/12/04/puukolii-power-outage-fire-at-substation/
• The cybercrime group behind the Gameover Zeus Trojan that steals online banking credentials and credit card numbers is waging a massive malicious email campaign that enlists the massive Cutwail spamming botnet to blast its emails. More than half of the Top 20 Fortune 500 firms were infected with the trojan as of this summer. – Dark Reading See item 4 below in the Banking and Finance Sector
• The investigation into Legionnaire’s disease at Pittsburgh’s Veterans Affairs (VA) hospitals has widened to include claims that some union workers have gotten sick there, and the death of a man in October. A VA spokesman confirmed that Pittsburgh VA officials found Legionella bacteria in the water supply. – Associated Press

18. December 5, Associated Press – (Pennsylvania) Legionnaire’s probe at Pittsburgh VA widening. The investigation into Legionnaire’s disease at Pittsburgh’s Veterans Affairs (VA) hospitals has widened to include claims that some union workers have gotten sick there, and the death of a man in October, the Associated Press reported December 5. The U.S. Centers for Disease Control and Prevention have previously been investigating five cases reported last month, including one patient who died. A widow said her husband died October 23 after he was diagnosed with Legionnaire’s shortly after staying at a VA hospital for heart problems, according to the Pittsburgh Post-Gazette. And the Pittsburgh Tribune-Review reported that union officials claim three hospital workers have gotten Legionnaire’s in the past several weeks. A VA spokesman said he could not comment on the claims by the widow regarding the death of her husband. He also would not comment on claims about the sick workers made by the American Federation of Government Employees Local 2028 president. A VA spokesman confirmed that Pittsburgh VA officials found Legionella bacteria in the water supply at its H.J. Heinz Campus, near Aspinwall, and were restricting water use there while the filtration system was treated with chlorine. Source: http://www.militarytimes.com/news/2012/12/ap-legionnaries-probe-at-pittsburgh-va-widening-120412/
• A San Francisco consumer protection lawyer reported December 4 that more than 100,000 patients of Alere Home Monitoring were alerted that their personal information may have been compromised after the company discovered a laptop containing patient records was stolen from an employee’s vehicle. – Justice News Flash

20. December 4, Justice News Flash – (California) Alere Home Monitoring data breach affects more than 100,000 patients. A San Francisco consumer protection lawyer reported December 4 that more than 100,000 patients of Alere Home Monitoring were alerted that their personal information may have been compromised after the company discovered a laptop containing patient records was stolen from an employee’s vehicle. According to the News-Press.com, the laptop contained the names, Social Security numbers, addresses, and diagnoses of more than 100,000 patients who take drugs to prevent blood clots, such as Warfarin or Coumadin. Although the information on the laptop was password protected, it was not encrypted. According to the News-Press.com, affected individuals are now at risk of identity theft as a result of the data breach. Source: http://www.justicenewsflash.com/2012/12/04/bay-area-consumer-protection-lawyer-alere-home-monitoring-leaks-patient-info_20121204108038.html
Details
Banking and Finance Sector
2. December 5, Help Net Security – (International) How the Eurograbber attack stole 36 million euros. Check Point has revealed how a sophisticated malware attack was used to steal an estimated 36 million euros from over 30,000 customers of over 30 banks in Italy, Spain, Germany, and Holland over the summer, Help Net Security reported December 5. The theft used malware to target the PCs and mobile devices of banking customers. The attack also took advantage of SMS messages used by banks as part of customers’ secure login and authentication process. The attack worked by infecting victims’ PCs and mobiles with a modified version of the Zeus trojan. When victims attempted online bank transactions, the process was intercepted by the trojan. Under the guise of upgrading the online banking software, victims were duped into giving additional information including their mobile phone number, infecting the mobile device. The mobile Trojan worked on both Blackberry and Android devices. The attackers could then intercept and hijack all the victims’ banking transactions, including the bank’s SMS to the customer containing the ‘transaction authentication number’ (TAN). With the account number, password, and TAN, the attackers were able to stealthily transfer funds out of victims’ accounts while victims were left with the impression that their transaction had completed successfully. Source: http://www.net-security.org/malware_news.php?id=2344&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader
3. December 5, ZDNet – (Connecticut) Apple trader arrested in $1 billion wire fraud. A trader for Rochdale Securities in Stamford, Connecticut, was arrested December 5 based on a federal criminal complaint charging him with wire fraud involving an unauthorized stock purchase that caused Rochdale a $5 million loss. In a “get-rich-quick” scheme, the trader allegedly orchestrated an unauthorized purchase of roughly $1 billion in Apple stock, which left his employer with severe financial losses. Within the criminal complaint, the FBI said that the trader cooked up a quick way to make money by purchasing 1.625 million Apple shares with the brokerage’s money October 25, the same day that Apple was due to release their quarterly earnings. The trader expected the stock prices to rise, but when they fell he left the company at a severe loss. As the shares were bought with the brokerage’s money, Rochdale bore the $5 million financial loss. Authorities also said that the trader may have defrauded another broker-dealer at the same time. Through “misrepresentations” it is alleged that the trader convinced an unrelated company to sell 500,000 Apple shares in order to conduct the larger scheme at Rochdale. Source: http://www.zdnet.com/apple-trader-arrested-in-1-billion-wire-fraud-7000008349/
4. December 4, Dark Reading – (International) ‘Gameover Zeus’ gang launches new attacks. The cybercrime group behind the Gameover Zeus Trojan that steals online banking credentials and credit card numbers is waging a massive malicious email campaign that enlists the massive Cutwail spamming botnet to blast its emails, Dark Reading reported December 4. Millions of emails — many of which pose as coming from major U.S. banks — have been spammed out in recent weeks, according to Dell SecureWorks’ Counter Threat Unit. “You have received a new encrypted message or a secure message from [XYZ] Bank,” one of the email campaigns reads. The message includes an infected attachment that the “bank” requires for download and registration to the supposed secure email system. Once downloaded, it executes the Pony downloader trojan that installs Gameover and steals online banking credentials, credit card account numbers, and other information. Another email campaign claims the recipient has received a fax, scan, or voicemail, and includes a “free program” for retrieving the message. This installs the malware. The Gameover gang, unlike some cybercrime groups, does not lease or sell its malware or services. It is a closed operation that, instead, sometimes contracts resources such as the Cutwail botnet to transport its attacks. More than half of the Top 20 Fortune 500 firms were infected with the trojan as of this summer, according to SecureWorks, which in July published a report on Gameover. Source: http://www.darkreading.com/advanced-threats/167901091/security/attacks-breaches/240143802/gameover-zeus-gang-launches-new-attacks.html
5. December 4, Associated Press – (Iowa) Officials: More than 90,000 Iowa residents affected by nationwide insurance data breach. Iowa officials said more than 90,000 residents in the State have been affected by a nationwide insurance breach that has impacted more than a million people, the Associated Press reported December 4. The breach affected customers for Nationwide Insurance and Allied Insurance. The Ohio-based company posted news on its Web site about the October 3 intrusion, which explains personal data was compromised from both policy holders and non-policy holders. The company said it is not aware of any misuse of the information. The Iowa attorney general said Iowa residents may have been affected by the breach if they were seeking a competitive insurance quote through a company or third party agent that ran information through Nationwide. Source: http://www.therepublic.com/view/story/ca836963edeb4ddda06405de389f6e52/IA--Data-Breach-Iowa
6. December 4, Krebs on Security – (International) ATM thieves swap security camera for keyboard. Authorities in Brazil arrested a man who allegedly stole more than $41,000 from an ATM after swapping its security camera with a portable keyboard that let him hack the cash machine, Krebs on Security reported December 4. According to the O Estado de S. Paulo newspaper, a crook approached an ATM at the Bank of Brazil and somehow removed the security camera from the machine. Apparently, the camera was a USB-based device, because the thief then was able to insert his own USB stick into the slot previously occupied by the camera. The attacker was then able to connect a folding keyboard to the ATM’s computer and restart the machine. After the thief rebooted the ATM’s computer, he was reportedly able to type the value of the currency notes that he intended to withdraw. The thief started by removing all of the R$100 bills, and then moved on to the R$50 notes, and so on. Police were alerted by the central bank’s security team, and caught the thief in the process of withdrawing the funds. Brazilian authorities said they believe the man was being coached via phone, but that the man they apprehended refused to give up the identity of his accomplice. Source: http://krebsonsecurity.com/2012/12/atm-thieves-swap-security-camera-for-keyboard/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+KrebsOnSecurity+(Krebs+on+Security)&utm_content=Google+Reader
For another story, see item 31 below in the Information Technology Sector
Information Technology Sector
31. December 5, Help Net Security – (International) Spoofed RapidFax alert carries hard-to-detect trojan. Malicious email alerts purportedly being sent by RapidFax, a service that allows users to send faxes online without the need for a fax machine, have been hitting inboxes in the last few days, warns MX Lab. The spoofed “From” email address is reports@rapidfax.com, and the subject line contains variations of “RapidFax: New Inbound Fax”. The body of the email states that a fax has been received, and gives information on when it was received, how many pages it contains, etc. The email also contains an attachment supposedly containing the sent fax. An extremely long file name is used to make the .exe extension less noticeable, and the file sports a PDF icon for the same reason. The file is actually a trojan, and when the malicious spam campaign was first spotted, the malware was detected by only 2 of the 46 antivirus engines used by VirusTotal. That number has risen to 24. Source: http://www.net-security.org/malware_news.php?id=2345&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader
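As an added example (not code from the article or from MX Lab), a mail-gateway triage function that catches the two tricks the item describes, an over-long filename that buries the .exe extension and an executable dressed up as a PDF, by checking both the name and the attachment’s leading bytes rather than the icon. The extension lists, the length threshold and the sample names are assumptions; the lists generalise beyond the single .exe case the item mentions.

```python
import os
from typing import List

# Windows extensions that run code when double-clicked. The article only names
# .exe; the other entries are a labelled generalisation.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".tif", ".tiff"}
LONG_NAME_THRESHOLD = 60            # assumed: longer than most clients display
MAGIC = {b"MZ": "pe-executable", b"%PDF": "pdf"}
EXPECTED_CONTENT = {".pdf": "pdf"}  # what a document extension should contain

def content_type(head: bytes) -> str:
    """Classify an attachment by its leading bytes, ignoring its name."""
    for magic, label in MAGIC.items():
        if head.startswith(magic):
            return label
    return "unknown"

def triage_attachment(filename: str, head: bytes) -> List[str]:
    """Return the reasons an attachment resembles the RapidFax-style lure."""
    findings = []
    name = filename.strip().lower()
    root, ext = os.path.splitext(name)
    inner_ext = os.path.splitext(root)[1]      # ".pdf" in "fax.pdf.exe"
    kind = content_type(head)

    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension {ext}")
    if len(name) > LONG_NAME_THRESHOLD:
        findings.append(f"filename length {len(name)} hides the extension")
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        findings.append(f"document extension {inner_ext} before {ext}")
    if kind == "pe-executable":
        findings.append("content is a Windows PE executable")
    if ext in EXPECTED_CONTENT and kind != EXPECTED_CONTENT[ext]:
        findings.append(f"claims {ext} but content is {kind}")
    return findings

def is_suspicious(filename: str, head: bytes) -> bool:
    return bool(triage_attachment(filename, head))

# Constructed samples, not artefacts from the real campaign.
LURE_NAME = ("RapidFax_New_Inbound_Fax_2012-12-05_3_pages" + "_" * 50
             + "document.pdf.exe")
LURE_HEAD = b"MZ\x90\x00" + b"\x00" * 60   # DOS header that opens every PE file
BENIGN_NAME = "invoice_2012-12.pdf"
BENIGN_HEAD = b"%PDF-1.4\n"

if __name__ == "__main__":
    for name, head in ((LURE_NAME, LURE_HEAD), (BENIGN_NAME, BENIGN_HEAD)):
        print(name[:40], "->", triage_attachment(name, head) or "clean")
```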
32. December 5, Help Net Security – (International) Antivirus solutions inadequate in detecting new viruses. Imperva collected and analyzed more than 80 previously non-cataloged viruses against more than 40 antivirus solutions. They found that less than 5 percent of anti-virus solutions in the study were able to initially detect previously non-cataloged viruses and that many solutions took up to a month or longer following the initial scan to update their signatures. Imperva utilized various methods for collecting more than 80 viruses. These 82 unreported viruses were tested in a virtual execution environment that ensured that they displayed behavior indicative of viruses and that limited the vulnerability to computing resources. The key findings and implications of the report included that antivirus solutions have a difficult time detecting newly created viruses, antivirus solutions lag in updating signatures, and that investment in antivirus is misaligned. While Imperva did not find a single antivirus product that provided complete protection, the solutions that had the best detection rates included two freeware antivirus products. Source: http://www.net-security.org/malware_news.php?id=2343&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader
33. December 5, Help Net Security – (International) 80% of attacks are redirects from legitimate sites. Sophos released its Security Threat Report 2013, an assessment of what has happened in IT security for 2012 and what is expected for 2013. The increasing mobility of data in corporate environments has forced IT staff to become even more agile. 2012 was also a retro year driven by resurgence in traditional malware attacks, specifically malware distributed via the Web. For example, more than 80 percent of attacks were redirects, the majority of which were from legitimate Web sites that were hacked. While a large proportion of cybercrime continues to be opportunistic, Sophos believes that, in 2013, increased availability of malware testing platforms — some even providing criminals with money back guarantees — will make it more likely for malware to slip through traditional business security systems. The report also includes predictions concerning “irreversible” malware, attack toolkits with premium features, a decrease in vulnerability exploits, an increase in social engineering attacks, and attacks tied to the increasing integration of GPS and near field communication (NFC) functions. Source: http://www.net-security.org/secworld.php?id=14066&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+HelpNetSecurity+(Help+Net+Security)&utm_content=Google+Reader
34. December 4, Softpedia – (International) Vulnerability Lab researchers find 3 remotely-exploitable vulnerabilities in Skype. Vulnerability Lab researchers have identified another series of flaws in the popular Skype messaging application. Two of them are mail encoding Web vulnerabilities that affect the Skype Community. The first – a high-severity persistent input validation vulnerability bug – can allow a remote attacker to inject arbitrary code on the application-side of the Skype Community Web site. The second Web problem identified by the researchers is a filter and mail encoding vulnerability that affects the same Skype Community Web site. The security hole affects the outgoing email service and can be leveraged to execute persistent code against forum customers, administrators, and moderators. The third flaw refers to a persistent software vulnerability that affects the Windows version of Skype v5.11.0.102. A remote attacker could exploit this problem to manipulate configuration app login index files. This allows cybercriminals to persistently execute (API). This high-severity issue can be addressed by disallowing bound requests out of the software’s context. The mail encoding Web vulnerabilities have been addressed by Skype, but according to the researchers, last time they checked, the persistent software issue was not fixed. Source: http://news.softpedia.com/news/Vulnerability-Lab-Researchers-Find-3-Remotely-Exploitable-Vulnerabilities-in-Skype-311886.shtml
35. December 3, SC Magazine – (International) “Changeup” cases climb as worm exploits AutoRun. Researchers have seen a significant uptick in cases of Changeup, a worm that spreads the banking trojan Zeus and other malware via removable media, such as USB sticks, or file-sharing programs. In a six-day period between November 23 and November 28, security firm Symantec noted that Changeup detections rose from around 8,000 cases to more than 14,000. The worm – which goes by a number of other names, including “AutoRun,” coined by McAfee – is capable of infecting users’ machines that run older Windows operating systems employing AutoRun by default. Source: http://www.scmagazine.com/changeup-cases-climb-as-worm-exploits-autorun/article/270991/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed:+SCMagazineNews+(SC+Magazine+News)&utm_content=Google+Reader
For another story, see item 4 above in the Banking and Finance Sector
Communications Sector
36. December 4, Softpedia – (International) DefCamp 2012: Flaws in mobile networks allow users to surf the Web for free. An independent researcher at the DefCamp 2012 security conference showed that a flaw in the systems of mobile operators allowed users to have unlimited access to mobile data traffic, Softpedia reported December 4. The expert found that many companies allow their customers to access the operator’s Web page even after they have eaten all the monthly data included in their contract, in order to allow them to access their user accounts. However, this access can be exploited by utilizing two different methods. If the operator does not check the type of traffic that passes through the DNS port, users can set up a VPN server – with a routable IP – on the UDP port 53, which is the same one utilized by the DNS. By making a connection from the mobile phone (or from a modem connected to a computer) to the VPN server, and by ensuring that all the traffic passes through this VPN tunnel, users can gain unlimited access to the Web. The second scenario is the one in which the mobile operator allows only DNS queries on the specific port and not through VPN. Some of the mobile operators contacted by the researcher claim they are aware of the issue. However, they will not address it, unless they discover that the flaw is being abused. Source: http://news.softpedia.com/news/DefCamp-2012-Flaw-in-Mobile-Networks-Allows-Users-to-Surf-the-Web-for-Free-311811.shtml
For another story, see item 34 above in the Information Technology Sector
Department of Homeland Security (DHS)
DHS Daily Open Source Infrastructure Report Contact Information
About the reports - The DHS Daily Open Source Infrastructure Report is a daily [Monday through Friday] summary of open-source published information concerning significant critical infrastructure issues. The DHS Daily Open Source Infrastructure Report is archived for ten days on the Department of Homeland Security Web site: http://www.dhs.gov/IPDailyReport
Contact Information
Content and Suggestions: Send mail to cikr.productfeedback@hq.dhs.gov or contact the DHS Daily Report Team at (703) 387-2314
Subscribe to the Distribution List: Visit the DHS Daily Open Source Infrastructure Report and follow instructions to Get e-mail updates when this information changes.
Contact DHS
To report physical infrastructure incidents or to request information, please contact the National Infrastructure
To report cyber infrastructure incidents or to request information, please contact US-CERT at soc@us-cert.gov or visit their Web page at www.us-cert.gov.
Department of Homeland Security Disclaimer
The DHS Daily Open Source Infrastructure Report is a non-commercial publication intended to educate and inform personnel engaged in infrastructure protection. Further reproduction or redistribution is subject to original copyright restrictions. DHS provides no warranty of ownership of the copyright, or accuracy with respect to the original source material.