Monday, September 14, 2009

Complete DHS Daily Report for September 14, 2009

Daily Report

Top Stories

 According to USA Today, a group of top security analysts and researchers say that the latest Windows security hole, for which there is no patch, leaves hundreds of millions of Windows Vista PCs wide open for infection by a Conficker-like Internet worm. (See item 35)


35. September 10, USA Today – (International) Security experts warn of possible worm hitting Vista. A group of top security analysts and researchers say the latest Windows security hole, for which there is no patch, leaves hundreds of millions of Windows Vista PCs wide open for infection by a Conficker-like Internet worm. Security experts did not express much concern about Conficker when it first began to spread sporadically last fall, taking advantage of a similar unpatched vulnerability in Windows XP computers. At its peak, Conficker searched out and infected some 10 million Windows XP machines worldwide. Conficker continues to spread on its own and currently infects about 5 million Windows XP computers. This time around, the debate in security circles about how damaging this Vista flaw could turn out to be is heating up much more quickly. “The likelihood of hackers launching a worm is great,” says a Shavlik researcher. “Any flaw that can be spread without user interaction is a gold mine.” Conficker turned out to be so pervasive partly because it targeted a fresh flaw in Windows XP, which runs 65 percent of the Microsoft PCs in use. By contrast, Vista, introduced two years ago, runs on just 30 percent of PCs, according to an InfoWorld report. From a security perspective, that is a good thing. “Overall, fewer users are vulnerable,” says a Purewire researcher. Still, the Shavlik researcher estimates that there are one billion personal computers in use. That means there are something north of 200 million Vista PCs connected to the Internet and available as targets. That is plenty of incentive for today’s top-tier botnet controllers, who get rich amassing hundreds of thousands of infected PCs and using them to spread spam, steal data and perform other lucrative criminal activities. Source: http://blogs.usatoday.com/technologylive/2009/09/security-experts-warn-of-possible-worm-hitting-vista.html


 According to Central Florida News 13, the Daytona Beach, Florida Police Department has confirmed that suspects on a terror watch list took pictures of the Daytona International Speedway in July 2008 during one of the busiest weeks of the racing season. The FBI, Florida Department of Law Enforcement, and Florida Highway Patrol would not release information on what they called an open investigation. (See item 39)


39. September 11, Central Florida News 13 – (Florida) Agencies tight-lipped about terrorist scare at speedway. Law enforcement officials have confirmed that suspects on a terror watch list were involved in a suspicious incident last year at the Daytona International Speedway and that it took place during one of the busiest weeks of the racing season. Much of the information remains under wraps, even though the incident happened in July 2008, when NASCAR races at the speedway were about to get underway. The FBI, Florida Department of Law Enforcement and Florida Highway Patrol say the matter remains an open investigation and that they therefore cannot reveal even minor details. The only law enforcement agency willing to share details about the incident, which happened before the Coke Zero 400 in 2008, was the Daytona Beach Police Department. “Florida Highway Patrol saw a suspicious vehicle with four gentlemen taking pictures of the speedway. Now normally that wouldn’t be an issue but they were taking pictures as they were driving past the track,” said a deputy police chief. He added that when the men were asked to hand over the camera to see what pictures they had taken, they responded that they were not taking pictures. The men were released after questioning. However, sources told News 13 that the names of the men turned up on a terror watch list, and that a memory card contained pictures of the speedway. Source: http://www.cfnews13.com/News/Local/2009/9/10/agencies_tightlipped_about_terrorist_scare_at_speedway.html


Details

Banking and Finance Sector

12. September 10, U.S. Government Accountability Office – (National) Fannie Mae and Freddie Mac: analysis of options for revising the housing enterprises’ long-term structures. Fannie Mae and Freddie Mac have a mixed record in meeting their housing mission objectives, and both capital and risk management deficiencies have compromised their safety and soundness, as follows: (1) The enterprises’ secondary market activities are credited with helping create a liquid national mortgage market, lowering mortgage rates somewhat, and standardizing mortgage underwriting processes. However, their capacity to support housing finance during periods of economic stress has not been established, and they have only been able to do so during the current recession with substantial financial assistance from Treasury and the Federal Reserve. (2) There is limited evidence that a program established in 1992 that required the enterprises to meet annual goals for purchasing mortgages serving targeted groups materially benefited such groups. (3) The enterprises’ structures (for-profit corporations with government sponsorship) undermined market discipline and provided them with incentives to engage in potentially profitable business practices that were risky and not necessarily supportive of their public missions. For example, the enterprises’ retained mortgage portfolios are complex to manage and expose them to losses resulting from changes in interest rates. Further, the enterprises’ substantial investments in assets collateralized by subprime and other questionable mortgages in recent years generated losses that likely precipitated the conservatorship. Source: http://www.gao.gov/products/GAO-09-782


13. September 10, U.S. Department of Justice – (National) Former global director of security for Stanford Financial Group indicted for obstructing a federal investigation. A former global director of security at the Fort Lauderdale, Florida office of Stanford Financial Group (SFG) was charged on September 10 in a three-count superseding indictment with conspiracy to obstruct a U.S. Securities and Exchange Commission (SEC) proceeding and to destroy documents in a federal investigation; obstruction of a proceeding before the SEC; and destruction of records in a federal investigation. The initial indictment in the case was unsealed by the U.S. District Court for the Southern District of Florida on June 19, 2009 and charged a former global security specialist at the Fort Lauderdale SFG office with one count of destruction of records in a federal investigation. According to court documents, SFG, headquartered in Houston, was the parent company of numerous affiliated financial services entities, including the Stanford International Bank Ltd. (SIBL). According to the superseding indictment, SIBL, an offshore SFG bank affiliate located in St. John’s, Antigua, allegedly lured U.S. investors to buy into its certificates of deposit (CDs) by touting high investment returns not available through domestic banks. SIBL is alleged to have misrepresented that it held $8 billion in client funds that had been invested primarily in its CDs. The SEC filed a complaint in the U.S. District Court for the Northern District of Texas against SIBL and its affiliated entities on February 16, 2009, in which it alleged that the SIBL CD program was the mechanism by which the principals of SIBL orchestrated a “massive, ongoing fraud.” Also on February 16, 2009, a receiver was appointed to assume exclusive control of all SFG-related entities in order to protect SIBL assets from potential waste and depletion by SIBL’s principals. The U.S. District Court for the Northern District of Texas additionally issued an order instructing that all SFG and SIBL employees preserve all company documents and records, protecting them from destruction. Source: http://www.usdoj.gov/opa/pr/2009/September/09-crm-947.html


14. September 10, Californian – (California) Two Monterey men charged in $100 million fraud. A federal grand jury has indicted two Monterey men on charges of conspiracy to commit mail and wire fraud, mail fraud, wire fraud and securities fraud, according to the U.S. Attorney and Monterey County District Attorney’s offices. The pair were indicted Tuesday, but the indictment remained under seal until one of the men surrendered to authorities in San Jose earlier Thursday. The other remains a fugitive. The indictment accuses the two of defrauding investors in Cedar Funding, a Monterey-based “hard money” lender, in connection with investments in loans purportedly secured by deeds of trust and in a fund that invested in those same loans. According to the court document, Cedar Funding had more than 1,000 investors and the loss to those investors could exceed $100 million. The indictment further alleges that the men defrauded investors in fractional interests in loans secured by deeds of trust, and in Cedar Funding Mortgage Fund, LLC, by making materially false statements, failing to disclose material facts, and creating a materially deceptive and misleading scheme, plan and artifice to defraud. The indictment alleges in part that through, among other things, documents provided to investors, advertisements, interest payments and verbal communications, the two created the false and misleading appearance that the investors’ funds were invested in sound, secured real estate loans, which offered high returns and safety of principal. In truth, by in or about 2004 and increasingly thereafter, most of the loans were not performing, and the investors’ funds were not secure. Source: http://www.thecalifornian.com/article/20090910/NEWS01/90910029/1002/Two+Monterey+men+charged+in++100+million+fraud


Information Technology


30. September 11, The Register – (International) Apple unloads 47 fixes for iPhones, Macs and QuickTime. Apple has issued fixes for more than 47 security bugs in the Mac, iPhone and QuickTime media player, some of which allowed attackers to take complete control of the underlying device. The patches, which were released over a 24-hour period starting Wednesday, fix critical vulnerabilities in a variety of software made both by Apple and by third parties. OS X components patched included Alias Manager, CarbonCore, ClamAV, ColorSync, CoreGraphics and Adobe Flash. The updates were available for both the Tiger and Leopard versions of the OS. An update for the iPhone patched holes in CoreAudio, WebKit and MobileMail, among other things. A third update fixed four vulnerabilities in QuickTime, some of which allowed attackers to hijack a machine by tricking users into opening specially manipulated H.264 and MPEG-4 files. For the most part, Snow Leopard, Apple’s latest version of Mac OS X, was left out of the security patches. It received a single fix that updated Flash to the latest, most secure version. As previously reported, the new OS shipped with a version of the Flash player that left users susceptible to attack. Snow Leopard was also updated to fix a host of non-security issues, including a vexing problem that prevented some users from using the Mac’s automatic feature for adding printers. Source: http://www.theregister.co.uk/2009/09/11/apple_security_updates/


31. September 11, Sydney Morning Herald – (International) Rudd hackers escalate threats against .gov.au websites. The hackers who brought down the Australian prime minister’s website the week of September 7 have already outlined their plans for round two, signaling a marked escalation in their attacks. A new message posted on their website, which has been used to rally supporters of their anti-internet-filtering hacking campaign, outlines plans to attempt to break into back-end government systems rather than simply knocking government websites offline by flooding them with traffic. A security consultant said: “It won’t take them long to get to a more dangerous and annoying skill level, which enables them to perform more successful and damaging attacks on the .gov.au domain space. Hope the Government has been performing their own penetration testing of their systems.” The hackers, who say they belong to a group called Anonymous, are now taking their efforts further underground after zone-h.org on Thursday revealed embarrassing chat discussions between them, which occurred while they were carrying out the attacks on pm.gov.au on September 9. The logs also showed that their main aim was to achieve publicity for their campaign against the communications minister’s internet censorship policy. The September 9 attacks were distributed denial of service (DDoS) attacks, which flooded government sites including pm.gov.au with traffic. However, the hackers have now signaled an attempt to move beyond DDoS and to start attacking government back-end systems in an effort to retrieve data such as usernames and passwords. This could be achieved by a method called “SQL injection”, which exploits web applications that build database queries out of untrusted user input, letting an attacker run queries of their own choosing against the site’s back-end database. On September 10, a spokeswoman for the Attorney-General’s Department said the Cyber Security Operations Center in the Defense Signals Directorate was providing IT security advisers in each of the targeted Australian government agencies to assist with monitoring and responding to the threats. Source: http://www.smh.com.au/technology/security/rudd-hackers-escalate-threats-against-govau-websites-20090911-fk2x.html
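As an added illustration of the SQL injection technique mentioned in the item above (this is example code written for this report, not code from the story or from the attackers it describes), the Python below builds a throwaway SQLite database with a public page-search feature and a separate users table, shows how a UNION payload typed into the search box pulls usernames and password hashes out through the string-built query, and shows the parameterized query that returns nothing for the same input. All table names, page titles, usernames and hash values are constructed for the demonstration.

```python
import sqlite3

# Constructed demo data: a "pages" table the search feature is meant to query,
# and a "users" table that should never be reachable from the search box.
# The hash values are placeholders, not real password hashes.
DEMO_PAGES = ["Budget Estimates 2009", "Ministerial Media Releases", "Contact Us"]
DEMO_USERS = [("admin", "HASH-A1B2C3"), ("webmaster", "HASH-D4E5F6")]


def build_demo_db():
    """In-memory SQLite database standing in for the site's back end."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT)")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?)", [(t,) for t in DEMO_PAGES])
    conn.executemany("INSERT INTO users VALUES (?, ?)", DEMO_USERS)
    return conn


def search_vulnerable(conn, term):
    """The injectable version: the visitor's search term is pasted into SQL text."""
    sql = f"SELECT title FROM pages WHERE title LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    """The fixed version: the term is bound as a parameter, so the database
    engine receives it as data and never parses it as SQL."""
    pattern = f"%{term}%"
    return [row[0] for row in conn.execute(
        "SELECT title FROM pages WHERE title LIKE ?", (pattern,))]


# UNION-based payload: the leading quote closes the LIKE string, the UNION
# appends a second SELECT over the users table (one column, matching the
# original), and the trailing "--" comments out the rest of the original query.
INJECTION_PAYLOAD = "' UNION SELECT username || ':' || password_hash FROM users --"


def leaked_credentials(conn):
    """Rows of the users table that the vulnerable search hands to an anonymous visitor."""
    rows = search_vulnerable(conn, INJECTION_PAYLOAD)
    return sorted(r for r in rows if r not in DEMO_PAGES)


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable search leaks:", leaked_credentials(db))
    print("hardened search returns:", search_hardened(db, INJECTION_PAYLOAD))
```

The fix is binding the term as a parameter, not escaping quotes or blocking the word UNION in a filter: with a bound parameter the attacker's text can never change the shape of the statement. The hardened version still treats the term as a LIKE pattern, so a visitor can use `%` and `_` wildcards; that affects search results, not query structure.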


32. September 11, The Register – (International) Scareware scumbags exploit 9/11. Fraudsters have set up websites supposedly containing information about September 11 but actually geared towards running fake anti-virus (scareware) scams. Net security firm Sophos reports that a number of “9/11-related” webpages that actually host malicious code are using search engine manipulation techniques to boost their rankings on Google. “The websites we’ve seen point unsuspecting users to a fairly bog-standard fake anti-virus page,” explained a senior technology consultant at Sophos. Visitors to the malicious web pages, whether they are using a Mac or a PC, are confronted with a list of viruses that have supposedly infected their system and are invited to try out fake security software of little or no utility. “Some of the search results we have seen contain content related to a woman who claimed to have been in the Twin Towers on September 11 but was later exposed as a fraud,” the consultant added. The ruse joins a growing list of incidents in which unscrupulous cybercrooks latch onto interest in tragedies, natural disasters and other news events to distribute junk. Source: http://www.theregister.co.uk/2009/09/11/9_11_scareware/


33. September 11, Washington Post – (International) Clamping down on the ‘Clampi’ Trojan. Finding the notorious Clampi banking Trojan on a computer inside a network is a little like spotting a single termite crawling into a crack in the wall: chances are, the unwelcome little intruder is part of a much larger infestation. At least, that is the story told by two businesses which recently discovered Clampi infections, compromises that handed organized cyber gangs the access they needed to steal tens of thousands of dollars. In early August, attackers used Clampi to swipe the online banking credentials assigned to the Sand Springs, Oklahoma School District. The thieves then submitted a series of bogus payroll payments, totaling more than $150,000, to accomplices they had hired throughout the United States. The Sand Springs superintendent said the district has since been able to get about half of those transfers reversed, while the district’s bank graciously covered the rest of the loss. Initially, the superintendent said, suspicion fell on one school computer on which the Clampi Trojan was indeed found. But a forensic investigation later revealed that a large number of other systems on the board’s network were also infected with Clampi. “It was all over the whole office complex,” the superintendent said. “Unfortunately, like most schools, we need about three times the number of people in our IT department than we have now.” Clampi is known for its stealth and sophistication: indeed, a noted computer security researcher for Atlanta-based SecureWorks recently published a paper calling it “one of the largest and most professional thieving operations on the Internet.” Less well known, however, is its ability to spread. Unlike computer viruses and worms, most Trojans cannot spread on their own. Technically, Clampi cannot either, but it often downloads a legitimate Microsoft remote-execution utility called PsExec, which it uses to run copies of itself on other hosts in the compromised network. Clampi also struck multiple computers at a dermatologist’s office in Michigan in August. The company’s owner asked Security Fix not to publish his name or that of his company, so as not to frighten existing and future patients about the security of their health data. Source: http://voices.washingtonpost.com/securitysfix/2009/09/clamping_down_on_clampi.html
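The PsExec-based spread described above lends itself to a simple detection, given here as an added example (not from the Washington Post story or from the SecureWorks analysis it cites). On each target, PsExec copies its service binary to the ADMIN$ share and installs a service, by default named PSEXESVC, which Windows records as a 7045 “a service was installed” event in the System log; on Vista/Server 2008 and later, with File Share auditing enabled, the share access appears as a 5140 event in the Security log. The Python below runs that logic over constructed, simplified event records (not real Windows log lines; hostnames, addresses and timestamps are made up), pairs each PsExec service install with the ADMIN$ access that preceded it on the same host, and flags any source that pushed PsExec to several hosts within a few minutes, which is the fan-out a Clampi-style infection produces and a single administrator rarely does.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry, one pipe-delimited line per event:
#   timestamp|reporting host|log|event ID|key=value details...
# These are NOT real Windows event-log lines; they carry only the fields the
# detection needs. 10.1.4.23 is a workstation fanning out PsExec to four hosts;
# 10.1.0.5 is an admin pushing it to one server; the last line is an unrelated
# service install that must not match.
SAMPLE_EVENTS = """\
2009-08-03T09:13:58|WS-07|Security|5140|share=ADMIN$|src=10.1.4.23
2009-08-03T09:14:03|WS-07|System|7045|service=PSEXESVC|path=%SystemRoot%\\PSEXESVC.exe
2009-08-03T09:14:20|WS-12|Security|5140|share=ADMIN$|src=10.1.4.23
2009-08-03T09:14:24|WS-12|System|7045|service=PSEXESVC|path=%SystemRoot%\\PSEXESVC.exe
2009-08-03T09:15:01|WS-19|Security|5140|share=ADMIN$|src=10.1.4.23
2009-08-03T09:15:05|WS-19|System|7045|service=PSEXESVC|path=%SystemRoot%\\PSEXESVC.exe
2009-08-03T09:16:40|FILE-01|Security|5140|share=ADMIN$|src=10.1.4.23
2009-08-03T09:16:44|FILE-01|System|7045|service=PSEXESVC|path=%SystemRoot%\\PSEXESVC.exe
2009-08-03T10:02:11|SRV-02|Security|5140|share=ADMIN$|src=10.1.0.5
2009-08-03T10:02:15|SRV-02|System|7045|service=PSEXESVC|path=%SystemRoot%\\PSEXESVC.exe
2009-08-03T10:30:00|WS-03|System|7045|service=PrinterDriverSvc|path=C:\\Drivers\\pdsvc.exe
"""


def parse_events(text):
    """Turn the pipe-delimited records into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, log, event_id, *rest = line.split("|")
        details = dict(kv.split("=", 1) for kv in rest)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "log": log,
                       "event_id": int(event_id), **details})
    return events


def is_psexec_install(ev):
    """7045 service install whose name or binary is PsExec's service."""
    if ev["event_id"] != 7045:
        return False
    name = ev.get("service", "").upper()
    path = ev.get("path", "").upper()
    return name == "PSEXESVC" or path.endswith("PSEXESVC.EXE")


def attribute_installs(events, window=timedelta(seconds=60)):
    """Pair each PsExec service install with the most recent ADMIN$ access on the
    same host inside `window`, which tells us where the push came from."""
    admin_access = [e for e in events
                    if e["event_id"] == 5140 and e.get("share") == "ADMIN$"]
    installs = []
    for ev in events:
        if not is_psexec_install(ev):
            continue
        src = None
        for a in admin_access:
            if a["host"] == ev["host"] and ev["ts"] - window <= a["ts"] <= ev["ts"]:
                src = a["src"]
        installs.append({"ts": ev["ts"], "target": ev["host"], "src": src})
    return installs


def detect_spread(events, min_targets=3, window=timedelta(minutes=10)):
    """Sources that pushed PsExec to at least `min_targets` distinct hosts within
    one `window`; returns {source: sorted target list}."""
    by_src = defaultdict(list)
    for inst in attribute_installs(events):
        if inst["src"]:
            by_src[inst["src"]].append(inst)
    alerts = {}
    for src, insts in by_src.items():
        insts.sort(key=lambda i: i["ts"])
        for i, first in enumerate(insts):
            targets = {x["target"] for x in insts[i:] if x["ts"] - first["ts"] <= window}
            if len(targets) >= min_targets:
                alerts[src] = sorted(targets)
                break
    return alerts


if __name__ == "__main__":
    for src, targets in detect_spread(parse_events(SAMPLE_EVENTS)).items():
        print(f"lateral PsExec fan-out from {src}: {', '.join(targets)}")
```

Two caveats for anyone adapting this. PsExec's `-r` option renames the service, so the name check alone can be evaded; the binary-path check and the ADMIN$ correlation are what remain, and a generic alert on any 7045 from a workstation source is a reasonable fallback. And PsExec only works with administrator rights on the target, so a hit also tells you which account's credentials the Trojan was riding on, which is the account to reset first.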


34. September 10, Network World – (International) The Internet is now like the Wild West: IBM consultant. “The Internet has finally taken on the characteristics of the Wild West where no one is to be trusted,” said the senior security consultant and regional X-Force expert for IBM Internet Security Systems, IBM ASEAN. He was referring to the results of the tech giant’s X-Force 2009 Mid-Year Trend and Risk Report. The report found a 508 percent increase in the number of new malicious Web links discovered in the first half of this year. The problem is no longer limited to malicious domains or untrusted websites. The report notes an increase in malicious content on trusted sites, including popular search engines, blogs, bulletin boards, personal websites, online magazines and mainstream news sites. “Safe browsing does not exist in today’s cyberspace; neither is it only the red light district sites, such as gambling and pornographic sites, that are responsible for malware,” he added. “Search engines and social media websites like blogs and bulletins are also top categories of websites compromised now. We’ve reached a point where every website should be viewed as suspicious and every user is at risk. The threat convergence of the Web ecosystem is creating a perfect storm of criminal activity.” Web security is no longer just a browser or client-side issue; criminals are leveraging insecure Web applications to target the users of legitimate websites. The X-Force report found a significant rise in Web application attacks with the intent to steal and manipulate data and to take command and control of infected computers. On the question of responsibility, the researcher points to application developers, not operating system or Web server vendors, for allowing their code to be easily compromised. “Web application developers are not doing the necessary pre-release code checks,” he said. Source: http://www.networkworld.com/news/2009/091009-the-internet-is-now-like.html


Communications Sector

36. September 11, Open PR – (International) Survey shows that companies are not properly protected against connection loss. A recent survey found that 80 percent of business users were concerned about loss of productivity if their company network connection went down, and 56 percent said that they currently had no secondary connection. The research found that the internet connections and wide area networks of enterprises in the United Kingdom could be at risk of serious downtime if a secondary connectivity system is not implemented as protection. Of the 110 IT executives who participated in the survey, 51 percent admitted that their company had experienced some form of network outage in the last 12 months. The research, which looked at companies that either supported remote workers or needed to connect to multiple locations, indicated that at least 57 percent of the outages affecting primary network links could have been avoided if the company had invested in a secondary link of some sort. The managing director of CI-net, a fully managed hosting, wide area network and internet service provider that took part in conducting the survey, said: “56 per cent of those we polled said they didn’t have any secondary systems to maintain connectivity if there was a problem. This is all the more surprising because most organisations are aware that an outage that disrupts connectivity between offices or disables network access for remote workers could seriously hamper their operations. In the same survey, business continuity was actually the most frequently quoted priority that IT executives highlighted for their networks over the next twelve months. It rated higher than cost cutting as a priority – which indicates how important staying connected is for many organisations.” Source: http://www.broadband-expert.co.uk/blog/broadband-news/survey-shows-that-companies-are-not-properly-protected-against-connection-loss/774276


37. September 11, Mitchell Daily Republic – (South Dakota) Second complaint filed over cut cable. A second official complaint has been filed with the state Public Utilities Commission over the South Dakota Network communications cable that was severed August 26 outside the State Library in Pierre. Internet and e-mail services were interrupted for several hours to about half of the school districts in South Dakota and to government offices in the Sioux Falls area while the cable was repaired. The latest complaint is against Sharpe Enterprises of Fort Pierre. The previous one was against Larry’s Electric of Pierre. Both were filed by a representative of South Dakota Network LLC in Sioux Falls. The representative alleges there was a call-before-dig violation by one of the two contractors, who were working on the State Library remodeling project. The initial complaint claimed that Larry’s Electric checked with the South Dakota One-Call office but started work before any of the utility lines were marked. The representative has now amended that version of events. He now says the one-call permit issued to Larry’s Electric for the work had expired, while Sharpe Enterprises had obtained a one-call permit that had not yet become valid. Either way, he alleges, the underground lines were not marked before digging began. Source: http://www.mitchellrepublic.com/event/article/id/36816/