DHS Daily Open Source Infrastructure Report

Daily Report Template - Version 1

Thursday, August 27, 2009

Complete DHS Daily Report for August 27, 2009

Daily Report

Much more in the Information Technology and Communications Sectors than usual! Many, if not all warrant YOUR attention!

Top Stories

 PC World reports that the Air Line Pilots Association is calling on the U.S. government to temporarily ban cargo shipments of lithium batteries, saying they represent a serious safety hazard. (See item 14)

14. August 26, PC World – (International) Airline pilots want ban on lithium battery shipments. An airline pilot union is calling on the U.S. government to temporarily ban cargo shipments of lithium batteries, saying they represent a serious safety hazard. The Air Line Pilots Association (ALPA), which represents pilots in the U.S. and Canada, asked that the U.S. government prohibit shipments of lithium batteries on all cargo and passenger flights until measures are taken to insure that such shipments are safe. The proposed ban on the batteries, which are widely used in electronic devices like phones and computers, would not prohibit passengers from carrying batteries on planes. During the last two months, there have been three incidents where fire or smoke on aircraft was caused by shipments of lithium batteries. On August 14, the crew of a plane that landed in Minneapolis received a warning of smoke in the plane’s forward cargo compartment. When fire crews opened the compartment, they found flames coming from a container filled with electronic cigarettes, each containing a lithium-ion battery. In another incident in July, a container filled with lithium-ion batteries on a flight to Santo Domingo, Dominican Republic, was found smoking and smoldering. In the third incident, which took place in June, a burned package containing a lithium-ion bicycle motor was discovered when cargo handlers unloaded a plane in Honolulu. ALPA said all three incidents recall a 2006 incident where lithium batteries caused a fire on board a UPS plane that injured three crew members and damaged cargo. Source: http://www.pcworld.com/article/170815/airline_pilots_want_ban_on_lithium_battery_shipments.html

 According to Softpedia, researchers at Web security company ScanSafe advise that a new mass compromise attack is underway and has affected over 62,000 URLs to date. A rogue IFrame injected into the compromised Web pages loads a cocktail of exploits and malware from other domains. (See item 40)

40. August 25, Softpedia – (International) Over 62,000 new URLs serving exploit cocktail. Security researchers advise that a new mass compromise attack is underway and has affected over 62,000 URLs to date. A rogue IFrame injected into the compromised Web pages loads a cocktail of exploits and malware from other domains. Web security company ScanSafe has been monitoring this new threat and advises that the infection pattern is a hidden IFrame loading JavaScript content from a domain called a0v.org. A Google search for “script src= reveals 62,100 results. A senior security researcher at ScanSafe, has told The Register that the infections are the result of SQL injection attacks. The x.js called from a0v.org has the role of loading exploits from a number of seven other domain names. At the moment of writing this article, Google’s Safe Browsing was tagging a0v.org as malicious. “The malware hosting domains were registered on or after August 3, 2009 and include: ahthja.info, gaehh.info, htsrh.info, car741.info, game163.info, car963.info, and game158.info. The most prolific observed by ScanSafe thus far has been ahthja.info,” the researcher writes on the company’s blog. If exploitation is successful, several malware installers are dropped and executed onto the victim’s computer as drive-by downloads. The security researcher warns that “post infection, additional malware may also be downloaded” from a different host. The exploits target vulnerabilities in popular software, including Internet Explorer, Mozilla Firefox, Adobe Flash Player, Adobe Reader and Acrobat or avast! Antivirus. AV detection rates for the malicious executables downloaded during the attack range from poor to moderate on Virustotal. Source: http://news.softpedia.com/news/Over-62-000-New-URLs-Serving-Exploits-Cocktail-120006.shtml

Details

Banking and Finance Sector

11. August 25, Bloomberg – (National) Court orders Fed to disclose emergency bank loans. The Federal Reserve must for the first time identify the companies in its emergency lending programs after losing a Freedom of Information Act lawsuit. The Manhattan chief U.S. district judge ruled against the central bank on August 24, rejecting the argument that loan records are not covered by the law because their disclosure would harm borrowers’ competitive positions. The Fed has refused to name the financial firms it lent to or disclose the amounts or the assets put up as collateral under 11 programs, most put in place during the deepest financial crisis since the Great Depression, saying that doing so might set off a run by depositors and unsettle shareholders. Bloomberg LP, the New York-based company majority-owned by the mayor of New York, sued on November 7, 2008 on behalf of its Bloomberg News unit. “The Federal Reserve has to be accountable for the decisions that it makes,” said a U.S. Representative, who is a Florida Democrat on the House Financial Services Committee, after the judge’s ruling. “It’s one thing to say that the Federal Reserve is an independent institution. It’s another thing to say that it can keep us all in the dark.” Source: http://www.bloomberg.com/apps/news?pid=20601087&sid=a7CC61ZsieV4

12. August 25, Dow Jones Newswires – (New York) NY businessman charged with $74 million bank fraud against Citigroup. A New York man was charged with allegedly defrauding Citigroup Inc. out of $74 million in loans. The U.S. attorney in Manhattan and the Federal Bureau of Investigations say the defendant, with residences in Manhattan and Katonah, New York, fraudulently applied for the loans for Nemazee Capital Corp., of which he is chairman and chief executive. Federal prosecutors contend Nemazee obtained the money by giving the banking giant “numerous documents that purported to establish the existence of accounts in Nemazee’s name at various financial institutions containing many hundreds of millions of dollars,” the Justice Department said in a statement. “In fact, those were fraudulent and forged documents.” According to an FBI report, the defendant first contacted Citigroup’s Citibank in December 2006 to borrow $25 million, and later raised the sum to $80 million. The defendant paid back more than $74 million on August 24, after being questioned by federal agents on August 23 as he was checking in to board a flight from Newark International Airport in New Jersey to Rome. Source: http://money.cnn.com/news/newsfeeds/articles/djf500/200908251258DOWJONESDJONLINE000315_FORTUNE5.htm

13. August 25, Computerworld – (National) Cybercrooks increasingly target small business accounts. An organization representing more than 15,000 financial institutions has issued a warning about a growing wave of attacks against small banks and businesses by cybercriminals using stolen banking credentials to plunder corporate accounts. In an alert to its members earlier this month, NACHA — the Electronics Payments Association — said that attackers are increasingly stealing online banking credentials, such as user names and paswords, from small businesses by using keystroke logging tools and other malware. The cybercriminals are using the stolen credentials to “raid” and “take over” corporate accounts and initiate the unauthorized transfer of funds over electronic payment networks. NACHA oversees the Automated Clearing House (ACH) electronic payments network. NACHA’s alert said that the cybercrooks are apparently targeting small businesses because of their relative lack of strong authentication procedures, transaction controls and “red flag” reporting capabilities. In some cases, the alert said, attackers are tricking small business workers into visiting phishing sites with the same look and feel as their company’s financial institution, where they would log on using their credentials. Source: http://www.computerworld.com/s/article/9137112/Cybercrooks_increasingly_target_small_business_accounts

Information Technology

36. August 26, Network World – (International) Trojan attacks up, phishing attacks down this year, IBM finds. Spam-based phishing attacks declined noticeably during the first half of the year, but cyber-criminals may simply be shifting to other technologies found to be more effective in stealing personal data, according to IBM in its semi-annual security threat report. “The decline in phishing and increases in other areas (such as banking Trojans) indicate the attackers may be moving their resources to other methods to obtain the gains that phishing once achieved,” is the explanation offered in the “IBM Internet Security Systems 2009 Mid-Year Trend & Risk Report.” It says Russia is the top country of origin for phishing e-mails, with 7.2 percent share, while China is the top hosting country for spam URLs. IBM’s semi-annual security report presents a broad view of trends based on its own analysis of volumes of sensor data, Web crawling technologies and other resources used to gather information through its Internet Security Systems division. In the first half of 2009, 55 percent of the new malware seen was Trojans, an increase of 9 percent over last year, the report says. Trojan malware, which includes components called downloaders and info-stealers, are mainly being used in the form of “public-available toolkits” that are “easy to use” by criminals, the report points out. The number of malicious Web links used to trick users into downloading malware or visiting dangerous sites has increased, up 508 percent in the first half of 2009 in comparison to the number discovered in the first half of 2008, says the report. The U.S. is the top country where such malicious Web links can be found, accounting for 36 percent of known malicious links, with China holding the second spot. Source: http://www.networkworld.com/news/2009/082609-ibm-malware-trojans.html

37. August 26, Daily Tech – (International) Apple reportedly using malware detection in Snow Leopard. Not wanting to be made the target of new PC ads mocking its lack of antivirus support, Apple reportedly is packaging its new OS X 10.6 “Snow Leopard”, set to air on August 28, with free antivirus software. Security research firm Intego, which maintains a Mac security blog that monitors various OS X-specific malware, first noticed and reported the development. The firm was running the new version of OS X, when they noticed it detected and removed malware. The process was carried out via a popup window, which they took a screenshot of, but they were either unable to determine or chose not announce who made the antivirus software. Intego’s post indicated that they were not making the product. ClamAV — currently the AV engine in Apple’s server operating system — also seems unlikely as the virus detected had the signature “OSX.RSPlug.A”, a signature that ClamAV currently doesn’t support (ClamAV does have a signature for “OSX.RSPlug” [1]). Similar, McAfee and Sophos use the names OSX/Puper.a [2] and OSX/RSPlug-A [3], respectively. That leaves Symantec as one possibility. Another is that Apple has developed its own proprietary antivirus software, which would not be surprising. Source: http://www.dailytech.com/Apple+Reportedly+Using+Malware+Detection+in+Snow+Leopard/article16083.htm

38. August 26, The Register – (International) MS phishing filter blacklists everything. A wide range of uk.com websites were misclassified as malign by anti-phishing technology built into the latest versions of Microsoft’s browser software on August 26. Microsoft’s SmartScreen Filter, which is built into IE7 and IE8, labelled every uk.com top level domain site as a phishing site following what appears to be a dodgy rule change applied overnight. Many of the sites have been unblocked, but many others remain labelled as potentially dangerous to surfers visiting the site running Microsoft’s consumer protection technology. The issue created a headache for UK ISPs, with hosting customers calling up wondering what the heck was going on. An ISP source who was the first to tell The Register about the problem said that its phones are “red hot” from calls about the issue. Microsoft responded to The Register’s queries promptly by saying it was investigating the issue. CentralNic, registrar for uk.com domains, published a statement saying Microsoft has promised to resolve the problem within two hours, by 1330 BST. “We have been made aware that the Microsoft SmartScreen filter included with Internet Explorer 8 is erroneously marking some domain names as being unsafe,” it said. “The most likely explanation is that a genuinely unsafe website under one of our suffixes was reported to Microsoft, but they incorrectly added all the domains under that suffix to their list of unsafe websites. Source: http://www.theregister.co.uk/2009/08/26/ms_phishing_filter/

39. August 25, CNET News – (International) Google patches severe Chrome vulnerabilities. Google has fixed two high-severity vulnerabilities in the stable version of its Chrome browser that could have let an attacker remotely take over a person’s computer. With one attack on Google’s V8 JavaScript engine, malicious JavaScript on a Web site could let an attacker gain access to sensitive data or run arbitrary code on the computer within a Chrome protected area called the sandbox, Google said in a blog post Tuesday. With the other, a page with XML-encoded information could cause a browser tab crash that could let an attacker run arbitrary code within the sandbox. Chrome 2.0.172.43 (click to download for Windows) fixes the issues and another medium-severity issue. Once Chrome is installed, it retrieves updates automatically and applies them when people restart the browser. Google won’t release details of the vulnerabilities until “a majority of users are up to date with the fix,” a engineering program manager said in the blog post. Source: http://news.cnet.com/8301-30685_3-10317320-264.html

41. August 25, Softpedia – (International) New Chinese social networking worm discovered. Security researchers warn that a new worm has been spotted on Chinese social networking website Renren.com. The worm masquerades a flash music video of Pink Floyd’s Wish You Were Here and spreads by exploiting a cross-site scripting hole. The message has the title “Pink Floyd – Wish You Were Here” and it contains a maliciously crafted Flash component loaded with AllowScriptAccess=“always” parameter. According to Adobe “When AllowScriptAccess is ‘always’, the SWF file can communicate with the HTML page in which it is embedded even when the SWF file is from a different domain than the HTML page.” The flash file is used to execute the JavaScript code present in the message body and load a script called evil.js from an external domain. As researchers indicate, the JavaScript code is used to exploit a cross-site scripting (XSS) flaw present in the website and spread the worm through its API. Social networking worms have been increasing in number for the past few years, suggesting that these new platforms are good hunting grounds for cybercrooks. Boris Lau, a virus researcher at antivirus vendor Sophos, which detects this new threat as W32/Pinkren-A, points out that “this is same technique used back in 2007 by the Okurt worm.” Renren is a Facebook-like website very successful in China. Such local threats are important to the Westerners as well, because Chinese computers compromised by worms like these will join to form large botnets. These armies of zombie computers will then be used to send spam and perform distributed denial of service attacks globally. Source: http://news.softpedia.com/news/New-Chinese-Social-Networking-Worm-Discovered-120021.shtml

42. August 24, The Register – (International) Scammers step up attacks on Warcraft players. A researcher from anti-virus firm Webroot has written how official forums offered by WoW creator Blizzard are being used to spread links that lead to malware that steals passwords and other game credentials. The scam employs the common technique of telling visitors that their Adobe Flash player needs to be updated and then offering a malicious trojan instead of the real installation file. Elsewhere, phishers are churning out emails that purport to be official communications from Blizzard, according to researchers from security provider Sophos. The emails claim the game maker is launching a new service and invites them to click on a link for a free sneak peak. The resulting website, in turn, phishes user credentials. The attack outbreaks come a few weeks after Blizzard issued an update for Warcraft III that fixed a gaping hole that could lead to the complete hijacking of machines running the real-time strategy game. According to a Webroot researcher it was exploited simply by getting vulnerable victims to join a custom game hosted with booby-trapped maps. Attackers targeted the vulnerability in a game called DotA, or Defense of the Ancients, by creating fake maps that used the same file configurations as legitimate custom maps. “What makes this exploit particularly nasty is the fact that your PC gets infected the moment you join a game where the infected DotA map is in use,” the researcher wrote. “Once downloaded, the game automatically unpacks the infected map and executes the malicious code.” Source: http://www.theregister.co.uk/2009/08/24/world_of_warcraft_attacks/

Communications Sector

43. August 26, Information Week – (International) Dell launches 10 gigabit ethernet in storage array. Dell on August 25 introduced an upgrade of its Dell/EMC CX4 storage arrays that includes a 10 Gigabit Ethernet, which the vendor says addresses the input/output needs for the growing compute density of virtualized environments within data centers. The latest version of the CX4 arrays contains an UltraFlex Modular I/O that enables customers to add ports supporting 8 Gb and 4 Gb Fibre Channel and 1 Gb and 10 Gb iSCSI. The latter enables companies to consolidate “stranded servers” onto an existing storage-area network, support more virtual servers and aggregate multiple 1 Gb iSCSI connections to fewer 10 Gb ones, Dell said. “Ethernet is increasingly being chosen as the networking technology for storage as customers look to consolidate and virtualize their data centers,” the vice president of enterprise storage and networking at Dell, said in a statement. “With a 10 gigabit option and its inherent advantages in virtualized environments, Ethernet’s case gets even stronger as the most simple and capable networking fabric.” In addition, Dell has added virtualization-aware Navisphere management software that provides automatic discovery of virtual machines and VMWare ESX servers, virtual-to-physical machine mapping and advanced search for VMs. Finally, the arrays upgrade includes drive spin-down as a standard feature to help reduce power and cooling requirements. The feature enables users to set policies for drives to power down when not in use. Source: http://www.informationweek.com/news/storage/virtualization/showArticle.jhtml?articleID=219401489

44. August 26, Wired News – (International) Cutbacks could be causing IT outages. When eBay’s PayPal unit suffered a worldwide outage early this month, Sailrite Enterprises Inc., a sailing supply company based in Churubusco, Ind., lost its critical customer payment services for six hours.The next day, August 4, PayPal’s services failed Sailrite again, this time for about an hour, according to the a vice president at Sailrite. He posted a blunt message on PayPal’s blog site: “This is not acceptable.” In an e-mail, San Jose-based PayPal blamed the outage on a problem with a “back-end router” that was complicated by a failure in the company’s redundancy measures. The PayPal electronic payment system is one of many Internet-based services that have been hit with outages. And based on news reports, the number of such incidents appears to have been increasing in recent months, analysts said. They cited shutdowns of the Google Apps software hosted by Google, outages at data centers run by Rackspace Hosting Inc. and a distributed denial-of-service attack on Twitter. Observers pointed to several possible reasons for the apparent uptick in online outages, including IT budget and personnel cutbacks, increasing corporate dependence on hosted applications, and bad luck. The chief security strategist at Citrix Systems in Fort Lauderdale, Florida, said he wonders whether a two-hour shutdown of Cisco Systems’s Web site this month “would [have] happened a few years agoâ_¦ when they had multiple people checking every single change.” Cisco blamed the outage on human error. IT staff cuts spurred by the economy are likely to continue throughout the remainder of the year. According to a survey of 300 IT center managers last year by the Association for Computer Operations Management, half of all data centers were planning to cut 2009 budgets by an average of 15%. Respondents at 14% of those companies said the cuts would include layoffs of IT staffers. A executive director of Uptime Institute Inc., a data center engineering and consulting firm, said such budget and personnel cutbacks can prove disastrous to IT. “We’re not doing the maintenance we should be doing, and when you don’t do maintenance, you increase the probability of catastrophic failure,” he said. The executive added that energy-efficiency efforts may be prompting data centers to cut back on redundant equipment and run their systems harder, exposing equipment flaws. Source: http://www.wired.com/epicenter/2009/08/cutbacks-could-be-causing-it-outages/

45. August 25, SCMagazine – (International) Wireless flaw could let hackers breach wired network. Researchers at a security firm on August 25 disclosed a vulnerability within the Cisco wireless framework that could offer intruders a gaping entryway into an organization’s network. The AirMagnet Intrusion Research Team said it discovered an exploit, known as “skyjacking,” which could enable someone, either on purpose or by accident, to take control of a wireless access point (AP) and point it to an outside Cisco controller. “Access points do not normally get connected to the wrong controller,” the AirMagnet’s director of product management told SCMagazineUS.com on August 24. “If [one does], you have a big problem. We’ve uncovered a way where, by accident or design, an access point could get connected to the wrong controller or a controller that’s not in its network.” By doing that, attackers could assume control of a legitimate access point, which not only gives them visibility into relayed data but also could open the gates into an organization’s wired network. “You’ve taken an approved AP and turned it rogue,” the director said. “At this point, you’ve got the keys to the castle. You have an authorized wireless connection into a wired network. Not only would you be able to see everything that access point does but, more importantly, you’ll have accessed your way into the wired part of that network...So you’ve got a full breach.” Researchers at AirMagnet, which has been acquired by Fluke Networks, also detected another problem in the Cisco network. Leveraging Cisco’s Over-the-Air Provisioning feature, engineers found that data belonging to wireless controllers, such as IP and media access control (MAC) addresses, is inadvertently broadcast unencrypted. With that information, attackers can target these devices, which support large numbers of access points, with attacks such as denial-of-service attempts, the AirMagnet director said. In addition, intruders can use the data to learn more about a company’s network topology. http://www.scmagazineus.com/wireless-flaw-could-let-hackers-breach-wired-network/article/147241/

46. August 25, Datamation – (International) 85 cloud computing vendors shaping the emerging cloud. The era of cloud computing is dawning amid great fanfare, supported by mountains of cash and reams of hype. Whether this change is positive is debatable, very real concerns plague cloud computing, but the tech industry has decided: the cloud is king. Just as the hulking mainframes of the 1960s were replaced by client server systems in the 1980s, the in-house datacenter is now shifting toward an externally-based model. Vendors of every size are maneuvering, targeting this new market. The U.S. government just unveiled plans to start offering cloud computing services to federal agencies. Currently, many vendors are slapping the term ‘cloud’ on their product. Cloud computing allows for access of software over the Web, instead of on a hard drive. Software might sit on a server in New York or New Delhi or New Haven, Connecticut. Or maybe that app combines services from apps that reside in New York and New Delhi, with an add-on from a New Haven provider. Microsoft, with its Azure cloud initiative, is quietly investing massively in leviathan datacenters across the country to host its cloud offering. IBM’s cloud push benefits greatly from the company’s global stance and deep focus on services. Google’s cloud strategy is supremely well positioned, with a well-tuned international server network and its Web-based Chrome OS. Some industry wags deride Amazon as the utility cloud provider whose offering isn’t differentiated enough, yet it keeps growing. Source: http://itmanagement.earthweb.com/entdev/article.php/3835941/85-Cloud-Computing-Vendors-Shaping-the-Emerging-Cloud.htm

No comments:

Blog Archive

Links

About Me