Tuesday, March 17, 2009

Complete DHS Daily Report for March 17, 2009

Daily Report

Headlines

 According to the Associated Press, the Australian government sent a navy mine hunting ship to search Monday for hundreds of tons of chemicals lost overboard during the March 11 freighter mishap that also blackened miles of Australian beaches with fuel oil. (See item 4)


4. March 16, Associated Press – (International) Australian navy to help spill clean up. The Australian government sent a navy mine hunting ship to search Monday for hundreds of tons of chemicals lost overboard during a mishap that also blackened miles of beaches with fuel oil. Authorities said they have scraped the slick off of more than half of the affected beaches just north of the Queensland state capital Brisbane, five days after Wednesday’s spillage from the freighter Pacific Adventurer. The spill happened when 31 containers lashed to the ship’s deck broke free during a storm and fell overboard, ripping a hole in a fuel tank as they pitched into the sea. Each of the containers held some 22 tons of ammonium nitrate. Authorities say ammonium nitrate dilutes easily in water and that at worst the spilled containers could cause an algal bloom. Still, they should be located and recovered as soon as possible, Australia’s environment minister said. The Queensland deputy premier said Sunday an estimated 66,000 gallons of oil spilled from the ship. Britain’s Swire Shipping Ltd., the Hong Kong-registered ship’s owner, has not publicly confirmed the amount. Source: http://www.google.com/hostednews/ap/article/ALeqM5hyxN0-euQHg86qF7mqlLLPeUgn-QD96UVS580


 DarkReading reports that the Romanian police on March 11 arrested a Romanian resident accused of hacking into several U.S. government servers — including NASA’s — and multiple university servers. The hacks on NASA alone cost the space agency some $5 million, according to news reports. (See item 32)


32. March 13, DarkReading – (International) Major cybercrime busts take place in Romania. The Romanian police on March 11 arrested a Romanian resident accused of hacking into several U.S. government servers — including NASA’s — and multiple university servers. The hacker had set up several servers in the United States, which he controlled from Romania and used to carry out the hacks, according to reports. The hacks on NASA alone cost the space agency some $5 million, according to news reports. The accused attacker has previously been accused of breaking into computers at the U.S. Navy and Department of Energy between 2005 and 2006. The accused attacker reportedly said he made the hacks only to prove vulnerabilities in the key government systems, and that he did not expect to make any material gains. However, NASA was forced to rebuild its systems and temporarily had to change over to manual communications when the hack was discovered. He previously was indicted for his alleged participation in a hacker group called the “Whitehat Team,” whose goal was to break into the most secure systems in the world. U.S. authorities have claimed $2 million in damages from the attack. He was charged with breaking into government computers last November. He has been indicted on 10 counts, including charges of conspiracy, unauthorized access to government computers, and causing intentional damage to computers. He will be brought to Los Angeles for trial after his Romanian proceedings conclude, authorities said. Source: http://www.darkreading.com/security/cybercrime/showArticle.jhtml;jsessionid=55MMQXQOXACUEQSNDLRSKH0CJUNN2JVN?articleID=215900249


Details

Banking and Finance Sector

11. March 16, Berkshire Eagle – (Maine) Phone scam targets Greylock Federal’s customers. Dozens of Greylock Federal Credit Union members were targeted by a phone scam recently, but very few fell prey to the illegal solicitation, according to credit union officials. The senior vice president said the “vast majority” of customers contacted were not victimized by the pre-recorded message, claiming to represent Greylock Federal, that was sent throughout Berkshire County starting on March 14 and ending on March 15. The senior vice president could not say how many of the credit union’s 65,000 members received the phone call, but it was far greater than the nearly 70 Pittsfield residents city police said called them to complain about the scam. The message was seeking vital credit card information, such as account and pin numbers, to verify an alleged claim of fraudulent purchases against that person’s credit card. Once Greylock Federal was notified of the scam, the senior vice president said the financial institution put out an alert to its weekend answering service and called in staff members to deal with customers who still had concerns, or actually gave out their credit card numbers. Source: http://www.berkshireeagle.com/ci_11923291


12. March 13, DarkReading – (International) Major cybercrime busts take place in Romania. The Romanian police on March 11 broke up a major bank fraud ring. According to news reports, the Romanian police, working along with the FBI, arrested 20 individuals who allegedly built cloned bank sites and then drained the accounts of users who were lured into logging in to them. The cloned sites, which were deployed in Italy and Spain, looked and operated like the actual bank Web sites, but they asked users questions that ultimately led to the divulging of personal bank details, according to the chief of the Romanian police’s organized crime division. Once obtained, the hackers allegedly used that information to access the real bank Web sites and transfer or withdraw cash. Nearly 100 police officers from special troops entered suspects’ houses in major cities across Romania, the reports said. Investigators said the ring stole at least 350,000 euros. Source: http://www.darkreading.com/security/cybercrime/showArticle.jhtml;jsessionid=55MMQXQOXACUEQSNDLRSKH0CJUNN2JVN?articleID=215900249


13. March 13, Holland Sentinel – (Michigan) Credit union closed as canine unit searches for ‘suspicious threat.’ Ottawa County sheriff’s deputies investigated what they called a “suspicious threat” at a credit union in Holland Township on March 13. Deputies were called to Nu Union Credit at 10:24 a.m., and they evacuated the building. The credit union remained closed for two hours while deputies and a canine unit searched the premises, but the search turned up nothing, a sergeant of Ottawa County Sheriff’s Office said. A manager at the credit union refused to say if the reported threat involved a robbery or a weapon. No one was injured in the incident, he said. Source: http://www.hollandsentinel.com/news/x679797639/Credit-union-closed-as-canine-unit-searches-for-suspicious-threat


14. March 13, Bank Technology News – (International) Visa: two firms noncompliant. Visa Inc. has pulled Heartland Payment Systems Inc. and Royal Bank of Scotland Group PLC’s RBS WorldPay from its list of companies that comply with the Payment Card Industry data security standards. Heartland and RBS WorldPay will stay off the list until the two processors close the holes that led to the massive data breaches reported in January and December, Visa said on March 13 in an e-mail. “Visa will consider relisting both organizations following their submissions of their PCI DSS reports on compliance,” the San Francisco company said. Both continue to handle Visa transactions. Heartland has said it met the standards when its systems were last assessed in April. On March 13 it said it is undergoing a PCI assessment, which it expects to complete by May “and will result in Heartland, once again, being assessed as PCI-DSS compliant.” WorldPay said in an e-mail statement on March 13 it expects its assessment to be complete by the end of April. “Because of the criminal intrusion, we need to be recertified earlier than the normal schedule.” Visa has voiced support for the PCI standards, saying they remain “an effective security tool when implemented properly” and “the best defense for businesses against the loss of sensitive data.” After Heartland disclosed its breach, its chief executive called for the industry to move to end-to-end encryption and for companies to share information about specific incidents. The American Bankers Association has advocated that other payment companies be subject to the Gramm-Leach-Bliley Act risk-based standards that banks must follow. Source: http://www.americanbanker.com/btn_article.html?id=20090313F6IR46WE


Information Technology


38. March 16, Computer Business Review – (International) Egress addresses data loss with secure exchange. A new data exchange system that will secure information wherever it is sent as an email attachment, by file transfer, or on a CD, DVD, or USB stick could finally put an end to breaches after data is forwarded in error, stolen, or lost in the post. Launched on March 16 by Egress Software Technologies, Switch uses encryption and a Web-based policy engine to enforce security rules on files before and after they are shared. “Switch uses strong AES 256-bit encryption and builds a secure package around files to be shared,” the president of US Operations said. “It assigns an identity to each package and applies real-time controls on what a recipient can do with a file that is shared with them.” “We believe it is a very important aspect of security that is under-served. We have done a lot of research in the market and found that although there are plenty of different secure messaging offerings, they each only address a piece of the puzzle.” He said the company had considered the various merits of file and full disk encryption, PKI and EDI, data leakage, and enterprise rights management software before deciding on a strategy for Switch. “With Switch we wanted to develop a system that would enforce the same strong security policies as are used internally, to the business of sharing sensitive data with people outside the perimeter” the president said. He explained that the system does not interfere with business processes in any way, so a file can go out by a courier on a disc, or sent across an FTP network. Either way, it is secured by Switch’s ‘follow-the-data protection.’ Source: http://www.cbronline.com/news/egress_addresses_data_loss_with_secure_exchange_160309


39. March 13, IDG News Service – (International) Foreign Web attacks change security paradigm. Traditional security systems may be ineffective and become obsolete in warding off Web attacks launched by countries, according to the founder of Attack Research. New attack trends include blog spam and SQL injections from Russia and China, he said during his talk at the Source Boston Security Showcase on March 13. “Client-side attacks are where the paradigm is going,” the founder of Attack Research said. “Monolithic security systems no longer work.” Hackers use Web browsers as exploitation tools to spread malware and collect sensitive information. The founder of Attack Research used examples from clients of his company, which analyzes and researches computer attacks, to demonstrate the threat posed by blog spam and SQL attacks. Attackers targeted high-traffic sites with blog spam and posted comments on blogs, he said. The comments looked odd and tended to have non-English phrases placed in large blocks of text with random words hyperlinked, he said. Clicking on such links took users to sites that seemed like blogs but were pages loaded with malware, he said. A Chinese bank owned the domains for each malware site, but the IP (Internet Protocol) addresses traced to Germany. Studying the links revealed that each one contained words in Russian or Romanian, said the founder of Attack Research. By placing an international spin on their nefarious activities, the hackers hoped to confuse anyone investigating their work, he said. Source: http://www.pcworld.com/businesscenter/article/161247/foreign_web_attacks_change_security_paradigm.html


40. March 13, Softpedia – (International) Windows server man-in-the-middle attack vulnerability is patched. On March 10, Microsoft released three security bulletins designed to deal with vulnerabilities in Windows client and server platforms. Security Bulletin MS09-008 rated Important is focused on patching issues in DNS and WINS Server impacting Windows 2000 Server, Windows Server 2003, and Windows Server 2008. The past week, Microsoft dismissed claims that MS09-008 did not actually patch the DNS Server Vulnerability in WPAD Registration Vulnerability- CVE-2009-0093. MSRC Engineering and Windows Core Networking made available documentation describing in detail the security holes associated with MS09-008 and the updates made available by Microsoft. “There are claims that this update is ineffective. Let me be clear that this update will protect you and it should be deployed as soon as possible. Below is an overview on how the complete security update helps protect a system,” an analyst of MSRC Engineering stated. The Response Communications, MSRC, manager also dismissed the possibility of MS09-008 being ineffective. He indicated that Microsoft managed to review all the feedback it received, and ensured Windows Server customers that deployed the security bulletin that they were indeed protected against attacks targeting the vulnerabilities patched via MS09-008. The software giant informs that it is now aware of any attacks targeting security holes plugged by MS09-008. Source: http://news.softpedia.com/news/Windows-Server-Man-in-the-Middle-Attack-Vulnerability-Is-Patched-106865.shtml


41. March 13, SoftPedia – (International) Exploit for Foxit Reader flaw released. Several serious vulnerabilities affecting the Adobe Reader alternative, developed by Foxit Software, have been recently disclosed. Security professionals now warn that proof-of-concept (PoC) exploit code for one of the more critical ones has also been made available and could be used in future attacks. On March 9 Foxit released security updates for its Reader product versions 3.0 and 2.3. As explained in the accompanying advisory, these addressed three serious flaws reported by CORE Security and Secunia, two vulnerability research companies. One of the bugs reported by CORE was categorized as a stack-based buffer overflow and allowed an attacker to run commands or execute files by tricking a potential victim into opening a maliciously-crafted PDF file. A programmer identifying himself as “SkD” has made available a fully-working exploit for this vulnerability. According to the code comments, he has written the PoC for Windows XP SP3 and it is based on information published by CORE. This is particularly interesting, because it means that users of the two most popular PDF reading applications for Windows, Adobe Reader and Foxit Reader, are now susceptible to attacks at the same time. As previously reported, a similar arbitrary code execution vulnerability in Adobe Reader 9 and earlier has been actively exploited in the wild. Adobe released a patch for the flaw affecting its Adobe Reader and Acrobat products only recently, on 10 March, almost three days after it was reported as a 0-day. Even so, the patch is only available for version 9 of the products, users of earlier versions being required to upgrade first. Because the vulnerability made the subject of active attacks and initially suggested workarounds like disabling JavaScript did not help much, some people recommended switching to Foxit Reader, which now does not sound like such a great solution either. Source: http://news.softpedia.com/news/Exploit-for-Foxit-Reader-Flaw-Released-106739.shtml

Communications Sector

Nothing to report.