Department of Homeland Security Daily Open Source Infrastructure Report

Monday, November 30, 2009

Complete DHS Daily Report for November 30, 2009

Daily Report

Top Stories

• DarkReading reports that researchers at Red Condor detected a new phishing attack that promises to enhance the security of the user’s emailbox and then downloads a banking Trojan instead. Red Condor says it has stopped more than 3.5 million messages belonging to the spam campaign, which was detected on November 20. (See item 46 in the Information Technology Sector below)

• According to the Associated Press, the Governor of New Jersey asked the President on November 25 to declare much of the Jersey shore a disaster area due to damages exceeding $49 million from a recent coastal storm. Tourism is New Jersey’s second-largest industry, accounting for nearly $39 billion a year, much of it from the shore. (See item 54)

54. November 25, Associated Press – (New Jersey) NJ Governor Corzine seeks Presidential declaration of disaster area for Jersey Shore. The Governor of New Jersey asked the President on November 25 to declare much of the Jersey shore a disaster area due to damage from a recent coastal storm. The Governor wrote that damages will exceed $49 million. He said emergency funds to restore beaches, dunes and structures are needed immediately to protect lives and homes from further winter storms now that many coastal areas are unprotected. “Beach erosion is extensive,” the letter stated. “Many of the beaches along our coast have been eroded to the point they offer little protection from future storms. The damages already sustained to the beaches and dunes will render New Jersey particularly vulnerable to these weather systems until restoration is completed.” The Governor also wrote that the beaches are a crucial part of the state and local economies. Tourism is New Jersey’s second-largest industry, accounting for nearly $39 billion a year, much of it from the shore. The storm, which lasted from November 11 to 15, caused extensive erosion in Cape May, Atlantic and Ocean counties. Roofs were blown off buildings, a key shore bridge was damaged and had to be closed when it was struck by a wayward barge, dunes were wiped out and entire communities flooded. Source:


Banking and Finance Sector

13. November 27, Lansing State Journal – (Michigan) Williamston man pleads guilty in Ponzi scheme. A 28-year-old Williamston man has pleaded guilty in federal court to running a $1.3 million Ponzi scheme, authorities said. According to the U.S. Attorney’s Office in Grand Rapids, the man admitted the week of November 23 that he set up a stock trading company, known as Kingdom First Trading, and solicited investors by promising returns higher than market rate. He consistently lost money in trading, but hid that from investors by e-mailing fake account statements that said they were earning sizable profits and accumulating large balances, authorities said. He took money from new investors to pay earlier investors. He also used that money for rent, automobiles and jewelry, authorities said. He will be sentenced on March 15, 2010 and faces up to 20 years in prison. He pleaded guilty Monday to wire fraud, according to court records. As part of the plea agreement, he must pay more than $1.31 million in restitution to the victims. Source:

14. November 27, Wall Street Journal – (International) Technical glitch shuts London trade for hours. London Stock Exchange Group PLC (LSE) on November 26 was hit by a technical glitch, forcing it to suspend the trading of U.K. stocks for more than three hours. The exchange stopped trading of shares at 10:33 a.m. GMT (5:33 a.m. EST) after receiving reports that some stocks had “connectivity issues,” a spokesman said. Trading resumed at 2 p.m. GMT, but the cause of the problem was still being investigated. The glitch comes a day after the chief executive officer reiterated plans for the LSE to replace its TradeElect trading engine with a new, faster one. It also comes after another glitch earlier this month when 300 stocks could not be traded for an hour and a half before the market closed. An LSE spokesman said that “There were a number of connectivity issues this morning, so we placed all the order-driven securities into an auction period.” Source:

15. November 23, WRTV 6 Indianapolis – (Indiana) Police: Skimmers take unsuspecting customers’ cash. Several suspected ATM skimming incidents have been reported in recent weeks in communities north of Indianapolis, prompting police to release a surveillance picture of one man believed to be involved. A Carmel police detective said the man pictured recently used a victim’s credit card to buy electronics at Fry’s Electronics on 96th Street in Fishers and a Best Buy store on Michigan Road in Carmel. He said he thinks the victim’s credit card may have been swiped and reproduced through a skimmer at an area gas station and that similar crimes have occurred recently in Fishers, Westfield, Noblesville, Lawrence and Indianapolis. “There have been several victims throughout Hamilton County, and that card information has been used everywhere from Avon to Muncie...down to Greenwood and a lot of places in between,” said the Carmel police lieutenant. Consumers should closely look at any device in which they are swiping a credit or debit card. Source:

16. November 23, The Register – (International) iPhone worm infects devices and redirects Dutch online bank users to a phishing site. The second worm to infect jailbroken iPhone users reportedly targets customers of Dutch online bank ING Direct. Surfers visiting the site with infected devices are redirected to a phishing site designed to harvest online banking login details, the BBC reports. ING Direct told the BBC it planned to warn users of the attack via its website, as well as briefing front line call center staff on the threat. The chief research officer at F-Secure said the threat had in any case been neutralized. “It [the worm] was targeting ING. The websites it needed for this to work have now been taken down.” Anti-virus analysts, still in the process of analyzing the malware, caution that the attack is a bit more complex than simple phishing and seems to involve an attempt to snatch SMS messages associated with online banking transactions. Although the “Duh” or Ikee-B worm exploits the same SSH backdoor as the original Ikee worm, the latest malware is far more dangerous than its predecessor. Duh turns compromised devices into a botnet under the control of unidentified hackers. The Rickrolling ikee worm, by contrast, only changes users’ wallpaper to an image of a pop singer. As previously reported, compromised phones are left under the control of a botnet server in Lithuania. Duh changes the root password of compromised iPhones, allowing crooks to log into compromised units and carry out further malicious actions. A SophosLabs researcher used a password cracking tool to discover that the malware changes iPhone root passwords from ‘alpine’ to ‘ohshit’. In addition to the two iPhone worms, an earlier hacking/extortion attack (targeting iPhone users in the Netherlands) also exploited the default-password SSH backdoor on jailbroken iPhones. Security experts strongly advise users of jailbroken phones to change their passwords from ‘alpine’ immediately to avoid further attacks along the same lines. Source:

For another story, see item 46 in the Information Technology Sector below

Information Technology

44. November 27, The Register – (International) Smut-laden spam disguises WoW Trojan campaign. A malicious spam campaign that attempts to harvest online game passwords under the guise of messages containing smutty photos is doing the rounds. The tainted emails have subject lines such as “Do you like to find a girlfriend like me?” and an attached archive file called “my photos.rar”. The attached archive actually contains video files along with a password-stealing Trojan called Agent-LVF, which is designed to steal the login credentials of World of Warcraft gamers. Security firm Sophos reckons it is likely the stolen credentials and associated in-game assets will be sold through underground sites, earning hackers a tidy profit in the process. “A surprising amount of malware is designed to steal registration keys, passwords and data from players of computer games,” said a consultant at Sophos. “This isn’t just about doing better in a computer game. Criminals are stealing virtual assets like armour, money and weapons to trade for hard cash in the real world.” Source:

45. November 25, ComputerWorld Canada – (National) H1N1’s IT threats may not be taken seriously. It appears that the threat of an H1N1 outbreak has not prompted enterprises to re-evaluate their disaster recovery plans or better enable a mobile workforce, according to a new Cisco Systems Inc. study. The networking giant found that only 22 percent of survey respondents consider their remote-access infrastructure to be disaster-ready. The survey polled 500 IT security decision-makers at U.S. health-care, financial, retail, and public sector organizations last month. In addition, the report indicated that 21 percent of respondents admitted to having no employees enabled to work remotely and 53 percent said that less than half of their employees are capable of working from home. The director of security solutions marketing at Cisco said many of these organizations will be the hardest hit in the event of a flu pandemic. But even less extreme circumstances, such as a major road closure or a winter storm, would probably have a noticeable impact on the business as well. Ensuring that all essential workers are enabled with remote-access capabilities is crucial, he added, to operating business as usual during unexpected events. Providing remote VPN connectivity back into the office might be enough for a mobile worker who just requires e-mail or a select few applications, but for employees who require real-time communication and full telephony capabilities, some investments should be made, he said. A security analyst at Fusepoint Managed Services Inc. said the first issues he would address as an IT security leader would be technology-related. “Do we have the tools and technologies in place for employees to be working remotely?” he said. “Do we have the bandwidth? Do we have the storage capability within our phone systems and e-mail servers to be able to queue two or more weeks of data from more than 40 percent of your missing staff?” Source:

46. November 25, DarkReading – (International) New exploit masquerades as Flash Player upgrade. Researchers have detected a new phishing attack that promises to enhance the security of the user’s emailbox — and then downloads a malicious Trojan instead. The email requests that recipients click on a link in the body of the email to update the “security mode” of their emailboxes, according to researchers at Red Condor, an email security tool vendor. Users who click on the link are taken to a Website that advises them to update to the latest version of the Macromedia Flash Player by downloading “flashinstaller.exe.” This executable is actually a banking Trojan that is known to disable firewalls, steal sensitive financial data, and provide hackers with remote access capabilities, Red Condor says. The malware is more commonly known as Win32:Zbot-MGA (Avast), W32/Bifrost.C.gen!Eldorado (F-Prot), PWS-Zbot.gen.v (McAfee), or PWS:Win32/Zbot.gen!R (Microsoft), the researchers note. The spam campaign was detected late on November 20; within the first six hours, Red Condor says it blocked more than 500,000 email messages. So far, the company says it has stopped more than 3.5 million messages belonging to this campaign. Source:

47. November 25, eWeek – (International) Symantec Web site hack exposes user data. A hacker recently demonstrated how a SQL injection vulnerability in a Symantec Web site could be exploited to reveal user data. Symantec says the vulnerability only impacts customers in Japan and South Korea. A Web site operated by security firm Symantec was hacked — giving an attacker a sneak peek at sensitive customer data. The Romanian hacker known as Unu exploited a blind SQL injection problem to get his hands on clear-text passwords associated with customer records and other data. Unu used sqlmap and Pangolin to demonstrate the vulnerability, and published screenshots to his blog. According to Symantec, the vulnerability was on its site, which is used to facilitate customer support for Symantec’s Norton products in Japan and South Korea. “At this time, we believe that this incident does not affect Symantec customers anywhere else in the world,” a Symantec spokesperson said November 24. “This incident impacts customer support in Japan and South Korea but does not affect the safety and usage of Symantec’s Norton-branded consumer products. Symantec is currently in the process of ensuring that the Website is appropriately secured and will bring it back online as soon as possible.” According to Unu, his goal was not to cause harm, but to create a stir so the problem would be fixed. A Trend Micro advanced threats researcher said sensitive data should never be stored in clear text and that bounds checking of input data can help avoid buffer overflows and SQL injection attacks. Source:
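The two weaknesses named in this item, clear-text password storage and user input spliced into SQL text, are shown side by side below with their hardened forms. This is an added illustration written for this digest, not code from Symantec or from the researcher quoted; the table layout, user names and passwords are constructed, and the vulnerable lookup is kept only to show why the parameterized version is the correct one.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts (not from the report).
USERS = [("alice", "correct horse"), ("bob", "battery staple")]
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Return 'salt$digest' for storage; the clear-text password is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def make_db():
    """In-memory table holding only salted hashes, never clear-text passwords."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(name, hash_password(pw)) for name, pw in USERS],
    )
    return conn


def find_user_vulnerable(conn, name):
    # VULNERABLE: the caller's input becomes part of the SQL text itself,
    # so a crafted value changes the query logic instead of being matched.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(sql))


def find_user_safe(conn, name):
    # HARDENED: a bound parameter is sent as data; the SQL text is fixed,
    # so any quotes or keywords in the input are simply part of the value.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"   # textbook tautology input
    print("vulnerable:", find_user_vulnerable(db, probe))   # every row leaks
    print("safe:      ", find_user_safe(db, probe))         # no such user
```

The same tautology input returns every account through the string-built query and nothing through the parameterized one, which is the whole point of binding parameters rather than validating quotes by hand; the hash helpers show that even a successful dump would yield salted PBKDF2 digests rather than the clear-text passwords this incident exposed.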

48. November 25, IDG News Service – (International) Metasploit releases IE attack, but it’s unreliable. Developers of the open-source Metasploit penetration testing toolkit have released code that can compromise Microsoft’s Internet Explorer browser, but the software is not as reliable as first thought. The code exploits an Internet Explorer bug that was disclosed recently in a proof-of-concept attack posted to the Bugtraq mailing list. That first code was unreliable, but security experts worried that someone would soon develop a better version that would be adopted by cyber-criminals. The original attack used a “heap-spray” technique to exploit the vulnerability in IE. But for a while Wednesday, it looked as though the Metasploit team had released a more reliable exploit. They used a different technique to exploit the flaw, but Metasploit eventually pulled its code. Microsoft said via e-mail Wednesday afternoon that it was “currently unaware of any attacks in the wild using the exploit code or of any customer impact.” The two versions of the browser that are vulnerable to the flaw — IE 6 and IE 7 — are used by about 40 percent of Web surfers. The flaw lies in the way IE retrieves certain Cascading Style Sheet objects, used to create a standardized layout on Web pages. Concerned IE users can upgrade their browser or disable JavaScript to avoid an attack. Source:

49. November 24, Forbes – (International) The year of the mega data breach. According to the Identity Theft Resource Center (ITRC), government agencies and businesses reported 435 breaches as of November 17, on track to show a 50 percent drop from the number of breaches reported in 2008. That would make 2009 the first year that the number of reported data breaches has dropped since 2005, when the ITRC started counting. But the decrease in data breaches is deceptive. In fact, the number of personal records that were exposed by hackers has skyrocketed to 220 million records so far this year, compared with 35 million in 2008. That represents the largest collection of lost data on record. “Why are organizations that have these massive amounts of our data still not encrypting it?” the ITRC director says. “When we know we have these super breaches going on, why are they resisting a technology that could prevent them?” Setting aside 2009’s two “super breaches” — Heartland Payment Systems and the National Archive and Records Administration — the ITRC only recorded around 14 million lost records this year, a comparatively small number. But the chief executive of the Ponemon Institute doubts that the ITRC accounting is complete. Ponemon does not believe the adoption of DLP and encryption is stemming the flood of personal data. He says those technologies are often implemented spottily and cannot keep up with all the new places from which data can be stolen, from smart phones to Web collaboration tools. “We shouldn’t take false comfort in the idea that companies are doing a better job of this,” Ponemon says. “There’s no question that more companies are using DLP and encryption tools. But there’s always a human factor, and many people simply don’t take these technologies seriously.” Source:

For more stories, see item 16 in the Banking and Finance Sector above and item 53 in the Communications Sector below

Communications Sector

50. November 27, Associated Press – (Iowa) Animal knocks out cable in eastern Iowa town. An animal chewed through a cable line, knocking out cable and Internet service to roughly 1,000 customers in an eastern Iowa town. The disruption occurred Thursday afternoon in Bellevue, near Dubuque. Officials say service is slowly being restored to subscribers of Bellevue’s municipal cable system. One official says cable and Internet service was restored by about 8:30 p.m. Thursday, but that it is taking time to get all customers back online. Source:

51. November 25, ZDNet – (National) DreamHost customers hit with nightmare. Hosting company DreamHost had trouble keeping its customer sites up and running as it migrates to a new data center. The problems began to appear on November 22 and were stretching almost into Thanksgiving. Customers reported that their sites were down for 24 hours at a clip, and when there was a recovery it was not a reliable one. Among the problems are the following: DreamHost has been upgrading its shared hosting hardware; the upgrade went wrong; and customer support did not know what was going on. Source:

52. November 25, U.S. Environmental Protection Agency – (National) Verizon Wireless voluntarily discloses environmental violations. Verizon Wireless has agreed to pay a $468,600 civil penalty to settle self-disclosed violations of federal environmental regulations discovered at 655 facilities in 42 states. Verizon voluntarily entered into a corporate audit agreement with the U.S. Environmental Protection Agency and conducted environmental compliance audits at more than 25,000 facilities nation-wide. The Environmental Appeals Board at EPA has approved an administrative settlement resolving violations Verizon found through its compliance audits. Verizon audited facilities that include cell towers, mobile switch centers, call centers, and administrative offices. As a result of its audit, the company reported violations of clean water, clean air, and emergency planning and preparedness regulations to EPA. Verizon promptly corrected the violations found during its audit, which included preparing and implementing spill prevention, control, and countermeasure plans, applying for appropriate air permits, and submitting reports to state and local emergency planning and response organizations informing them of the presence of hazardous substances. Source:

53. November 25, IDG News Service – (International) Redirecting DNS requests can harm the Internet, says ICANN. The Internet Corporation for Assigned Names and Numbers (ICANN) on Tuesday condemned the practice of redirecting Internet users to a third-party Web site or portal when they misspell a Web address and type a domain name that does not exist. Rather than return an error message for Domain Name System requests for nonexistent domains, some DNS operators send back the IP address of another domain, a process known as NXDOMAIN substitution. The target address is often a Web portal or information site. Handling DNS requests this way has a number of drawbacks that could lead to the Internet not working properly, according to ICANN. For example, users sending e-mail to a domain that does not exist should get an immediate error message. However, if the message is redirected to a site set up to handle Web traffic, it is likely to get queued and an error message will not arrive for days, ICANN said. Also, users will get longer response times if the site to which they are supposed to be redirected goes down. Redirection sites are prime targets for attacks by hackers that want to send users to their own servers. There are also privacy issues, according to ICANN. If sensitive data is redirected via a country with a different jurisdiction and local law, there could be consequences for both users and registries, it said. ICANN published its opinions and findings in a draft memo before the introduction of new generic top-level domains (gTLDs). The organization discourages the practice of redirecting requests for nonexistent domains, and suggested banning it in a draft of the agreement owners of the new gTLDs would have to sign. ICANN wants domain owners wishing to redirect DNS requests to first explain why doing so will not cause any problems. Source: