Friday, May 23, 2008

Daily Report

• According to Bloomberg, Swedish bomb technicians found no unusual objects in a nuclear reactor they investigated after police arrested two men yesterday on suspicion of sabotage. The plant was turned off Wednesday and was searched by police Thursday. (See item 3)

• The Day reports that several hundred thousand People’s United Bank customers in Connecticut were hit by a data breach in February when the Bank of New York Mellon lost an unencrypted backup tape provided by People’s Bank. The state’s attorney general’s office said the tape included bank account information, Social Security numbers and other data about depositors and investors tied to the bank, and involved about 4.5 million accounts. (See item 10)

Banking and Finance Sector

10. May 22, The Day – (Connecticut) People’s Bank customers at risk from data breach. Several hundred thousand People’s United Bank customers in Connecticut have been hit by a data breach that potentially exposed their personal information, a state Attorney General said Wednesday. He said the Bank of New York Mellon lost an unencrypted backup tape provided by Bridgeport-based People’s Bank, resulting in the data breach involving about 4.5 million accounts. The tape included bank account information, Social Security numbers and other data about depositors and investors tied to the bank, he said. The official was particularly concerned with the amount of time that elapsed between the discovery of the data breach and the reporting of it. Bank of New York lost the information in February but did not start informing consumers until six weeks ago, the official said. He said the Bank of New York Mellon on February 27 gave an unencrypted backup tape as well as nine other tapes to a storage firm, Archive Systems Inc. of Fairfield, New Jersey, which was assigned to store the information. But when a storage company vehicle arrived at the storage facility, one of the tapes could not be found. According to a letter from the official to the Bank of New York, a lock on the truck was broken, and the truck had been left unattended several times. People’s Bank has 10 locations in southeastern Connecticut and more than 150 locations statewide. Source:

11. May 22, Washington Post – (District of Columbia) Banker admits to role in tax office scam. A former Bank of America manager pleaded guilty yesterday to participating in a massive embezzlement at the District of Columbia tax office, admitting that he deposited nearly $18 million in fraudulent checks and helped distribute the stolen money to others in the scam. Authorities say up to $50 million in property tax money was stolen in the form of fraudulent refund checks in a scam allegedly orchestrated by a former tax office manager, who is in jail awaiting trial. She has pleaded not guilty. The theft was the biggest municipal fraud in memory in the Washington area. Only a small fraction of the money has been recovered. Source:

12. May 21, Reuters – (Idaho) Five indicted in $20 million Idaho mortgage scam. An Idaho bank officer and four others accused of masterminding a mortgage scam were indicted in Boise on Wednesday on charges of defrauding an Idaho bank of $20 million, according to federal prosecutors. Authorities say the accused, including two building contractors, a mortgage broker and a Realtor, all from the Boise, Idaho area, provided false financial data and fraudulently fronted applicants -- known as straw buyers -- in an attempt to obtain 49 house loans. The FBI has linked a jump in mortgage fraud to “an ideal climate” created by the slump in the U.S. housing market. Source:

13. May 21, U.S. World News – (National) Warning: Chinese earthquake scam reported. The FBI is warning consumers to be on the lookout for E-mails purportedly soliciting funds to support the victims of the recent earthquake in China. “Some of the Chinese earthquake scam messages claim to be offering free vacation trips to the largest donors and even use fake logos of legitimate online pay services to fool people,” the FBI said in a release. Similar fraudulent efforts followed other recent tragedies, such as 9/11, Hurricane Katrina, and the shootings at Virginia Tech, the FBI said. Criminals apparently use such events to prey upon the sympathy of individuals. Source: http://www.banktech.com/aml/showArticle.jhtml?articleID=207800150&cid=RSSfeed_BankTech_News

Information Technology

33. May 22, BetaNews – (National) iCal bugs can lead to DoS and code execution attacks. Researchers with Core Security have found three vulnerabilities in Mac OS X’s calendaring application that could create havoc for users. The most serious vulnerability deals with a memory corruption issue that is triggered by the execution of a specially-crafted .ics file. At the heart of it is a resource liberation bug which is triggered through the file, thus allowing code execution. A user could lose control of his or her Mac through this bug, the firm warned. While it appears the bug needs to be exploited with some intervention from the end-user, Core said it may be exploitable without as well. Both of the remaining flaws deal with denial of service issues, where repeated crashes prevent use of the iCal application. As with the previous bug, a specially-crafted .ics file is launched, which then takes advantage of a null-pointer dereference bug in the software. Core could not find any evidence that this issue could also result in code execution. “Exploitation of these vulnerabilities in a client-side attack scenario is possible with user assistance by opening or clicking on specially crafted .ics file sent over email or hosted on a malicious web server; or without direct user assistance if a would-be attacker has the ability to legitimately add or modify calendar files on a CalDAV server,” the firm said in an advisory. The flaw was found on iCal 3.0.1 running on Mac OS X 10.5.1. Upgraded versions of the software are not affected. Source:

34. May 21, Dark Reading – (National) ‘Hack-and-Pier’ Phishing on the Rise. Researchers have witnessed a growing trend in phishers hacking into legitimate Websites to host their phishing exploits, enabling them to keep their attacks alive longer. A blog post Wednesday from F-Secure noted a series of so-called ‘hack-and-pier’ phishing exploits that had been reported to phishing clearinghouse PhishTank. “Instead of setting up their own sites, we’re seeing more and more evidence of phishing from hacked sites; legitimate sites that are unknowingly hosting phishing,” the blog said. “And then the site cannot simply be pulled offline without collateral damage to the legitimate business. So the Website’s administrator must be contacted to repair the damage.” According to MarkMonitor, only a small percentage of phishing sites today are created with purchased domain names or hosting. “A study we did in late 2007 showed that over 80 percent of phishing sites were hacked legitimate sites or free Webhosting sites,” says the director of anti-phishing for MarkMonitor. Traditionally, a phisher would register a bogus URL that looked a lot like the real thing, but was a letter or two off, such as “paypol” rather than “paypal,” or a more obscure URL that was less likely to get flagged. But those URLs can be easy to spot and shut down, so phishers have been moving to legit Websites as a way to extend the life of their exploits. An F-Secure representative said in an interview that his firm in the past has seen many examples of hacked legit sites for phishing and other cybercrime uses. “It is a growing trend,” he says. “Like any other technique, practice makes perfect.” As long as there are vulnerable Websites, hack-and-pier phishing isn’t going anywhere. “Until the Website’s vulnerabilities are resolved, the phishers will just continue to hack and pier,” he said. Source:

Communications Sector

35. May 22, IDG News Service – (National) Cisco patches router flaw ahead of rootkit talk. Cisco has issued three security patches, fixing bugs that could crash its products and drawing a warning from the SANS Internet Storm Center. The updates, issued Wednesday, fix denial of service bugs in the SSH (Secure Shell) software in Cisco’s Internetwork Operating System (IOS), used to power its routers, and in the Cisco Service Control Engine, which provides carrier-grade networking services. Cisco has also patched a privilege escalation vulnerability in its Voice Portal automated telephone customer service software. In its security advisories Cisco said that all of the bugs had been discovered by its own researchers, but SANS warned that researchers are likely reverse-engineering the patches and may release exploit code publicly. These particular updates are getting extra attention from the security community, which is now closely investigating how malicious software might work on IOS, an operating system that has largely evaded serious scrutiny. On Thursday, for example, Core Security is slated to give a widely anticipated presentation on a Cisco rootkit it calls the DIK (Da Ios rootKit) at the EuSecWest conference in London. Cisco recently changed its software update policy, saying it will now only issue IOS patches in March and September each year, unless forced to rush out a fix for serious bugs that were publicly disclosed or which were being actively exploited. Source: