Thursday, October 21, 2010

Complete DHS Daily Report for October 21, 2010

Daily Report

Top Stories

•Today’s Sunbeam reports that for the first time in more than 7 years, all three reactors at PSEG Nuclear’s Artificial Island generating complex in Lower Alloways Creek Township, New Jersey were off line at the same time October 17. (See item 7)

7. October 19, Today’s Sunbeam – (New Jersey) All 3 Artificial Island reactors shut down at same time for first time in more than seven years. For the first time in more than 7 years, all three reactors at PSEG Nuclear’s Artificial Island generating complex in Lower Alloways Creek Township, New Jersey were off line at the same time October 17. An outage at one of the plants had been scheduled, but the shutdowns at the other two were unplanned and are both being blamed on a problem with voltage regulators on the non-nuclear side of the facilities. “We will conduct a review to look at that piece of equipment and there will be a thorough examination of both reactor trips and what led up to them,” a spokesman for PSEG Nuclear said October 18. The utility’s Hope Creek reactor was shut down at 8 p.m. October 15 for a planned refueling outage. Later on October 15, at 11:21 p.m., Salem Unit I automatically tripped off line, according to the spokesman. The shutdown was caused by a problem with a voltage regulator which controls the amount of power being sent out over the regional power grid. Operators of the grid had requested a reduction in the amount of power coming from the plant, and Salem 1 control room operators had manually taken control of the regulator just before the shutdown occurred, the spokesman said. Source: http://www.nj.com/sunbeam/index.ssf?/base/news-7/1287471008318730.xml&coll=9

•Federal investigators said they have evidence an Oregon defense contractor sold phony replacement parts to the military that could cause attack helicopters to crash, according to the Associated Press. (See item 15)

15. October 18, Associated Press – (Oregon) Oregon company target of helicopter parts probe. Federal investigators said they have evidence an Oregon defense contractor sold phony replacement parts to the military that could cause attack helicopters to crash. In affidavits filed in federal court in Eugene, U.S. Department of Defense investigators said they have evidence Coos Bay-based Kustom Products Inc. and related companies sold fake replacement parts to the military. The affidavits said the companies provided lock nuts meant for tanks and trucks in place of more expensive and differently designed lock nuts that secure the rotors on Kiowa attack helicopters. Source: http://www.businessweek.com/ap/financialnews/D9IUDSCO0.htm

Details

Banking and Finance Sector

16. October 20, WMBF 13 Myrtle Beach – (National) FBI warning targets work-from-home schemes. The FBI issued a consumer warning October 13 as thousands of consumers continue to lose money to work-from-home scams. Officials claim scam victims are often recruited by organized cybercriminals through a variety of outlets, ranging from newspaper ads to online employment services and unsolicited e-mails. Once a person is recruited for the job, officials said, the consumer often becomes a “mule” that cyber criminals use to steal and launder money. Now, federal officials are warning consumers to be on the lookout for these types of scams and to take precautions to avoid becoming a victim. Those looking for work are asked to be wary of work-from-home opportunities and to research a company before signing on for work. Source: http://www.wmbfnews.com/story/13355810/fbi-warning-targets-work-from-home-schemes

17. October 20, msnbc.com – (National) FBI stepping into foreclosure-document mess. The foreclosure-document crisis just keeps on growing, and now the FBI is getting into the fray. A federal law enforcement official told the Associated Press the agency is in the initial stages of trying to determine whether the financial industry may have broken criminal laws in the mortgage foreclosure crisis. The official said the question is whether some in the industry were acting with criminal intent or were simply overwhelmed by events in the wake of the housing market’s collapse. The official spoke on condition of anonymity because the investigation is just getting under way. Big lenders are trying to move past the foreclosure-document crisis, saying they are now confident their paperwork is accurate. But they are facing so much organized resistance that they cannot just snap up their briefcases, declare the crisis over and move on. Consider the opposition: (1) attorneys general in all 50 states are jointly investigating whether lenders violated state laws; (2) lawyers for evicted homeowners are preparing lawsuits against major lenders; (3) state judges have signaled they will review the banks’ foreclosure documents with skepticism; and (4) lawmakers on Capitol Hill plan to hold hearings. Source: http://www.msnbc.msn.com/id/39757497/ns/business-real_estate/

18. October 19, Associated Press – (Maryland) Md. court approves emergency rules on foreclosures. An emergency measure approved October 19 by a Maryland court clarifies what methods state courts can use to review the paperwork behind foreclosures, including bringing in attorneys to explain questionable documents, and hiring outside experts to examine them at a bank’s expense. The measure approved by the state’s highest court spells out how state judges can review foreclosures and stop them if the documents are found to be invalid. However, it is still up to individual judges to decide how to use the tools. The head of the state judicial committee that drafted the measure told the court of appeals that it will send a clear message that courts will scrutinize paperwork. “Nothing in this rule mandates any particular action by the court,” said the chairman of the Maryland Standing Committee on Rules of Practice and Procedure. “This flexibility is essential, because the context and circumstances may be different from case to case.” Unfair foreclosure practices are being investigated around the country because of questionable paperwork. Preliminary audits have found that hundreds of bogus affidavits have been filed in Maryland courts. Source: http://www.forbes.com/feeds/ap/2010/10/19/general-md-foreclosure-mess-maryland_8026823.html?boxes=Homepagebusinessnews

19. October 19, KPTV 12 Portland – (Oregon) Reward offered in strolling hat bandit case. The Oregon Financial Institutions Security Taskforce and the FBI are offering a combined reward of up to $6,000 for information leading to the arrest of a woman believed to be robbing banks in the Eugene area. Investigators have nicknamed her the “Strolling Hat” bandit because she has worn a hat in each of the three robberies that have occurred. The robberies took place over the last 3 weeks. In each case, the woman walked into the bank, approached a teller, demanded cash and left with an undisclosed amount of money. Witnesses describe her as being white with shoulder-length brown and/or dyed maroon hair. Investigators believe the robber is in her late teens to early 20s, between 5 feet 2 inches and 5 feet 6 inches, and between 110 and 125 pounds. The FBI and the Eugene Police Department are working together on the investigation. Source: http://www.kptv.com/news/25440889/detail.html

20. October 19, Northwest Cable News – (Washington) ‘Bicycle Bandit’ accused of stealing $17,000 from Spokane bank. Spokane, Washington police released the identity of the alleged “Bicycle Bandit,” the man suspected of robbing half a dozen banks around Spokane over the last year. Police say he is a 33-year-old. The suspect was arrested October 14 after allegedly robbing the Washington Trust Bank near Francis and Ash. He was on a bicycle when he was hit by a Spokane police sergeant’s patrol car on his way to the crime scene. Police said a witness saw a gun fly out of the victim’s hand after he was hit, and the witness kicked the gun away while the officer made the arrest. The suspect appeared in U.S. District Court in Spokane October 15. According to federal court documents, he forcibly took approximately $17,479.30 from the Washington Trust Bank October 14 and put the bank tellers in danger by pointing a handgun at them. The suspect is also being investigated for six other robberies, starting in December. Police and the FBI have been tracking the “Bicycle Bandit” for months. In each robbery, tellers reported the suspect got away on a bicycle. Source: http://www.nwcn.com/news/washington/Bicycle-Bandit-accused-of-stealing-17000-from-Spokane-bank-105296933.html

21. October 18, Reuters – (North Carolina; New York) Man pleads guilty in $80 million ATM Ponzi scheme. A man pleaded guilty October 18 to helping orchestrate what prosecutors called an $80 million Ponzi scheme that lured victims into investing in automated teller machines that were never purchased. The suspect, a Raleigh, North Carolina resident, pleaded guilty in federal court in Manhattan, New York to nine counts of wire fraud and one count of conspiracy, his lawyer said. The suspect is in custody and could face 8 to 10 years in prison when he is sentenced January 20, the lawyer said. The defendant also agreed to forfeit $50 million, court records show. Prosecutors in September 2009 accused the suspect and a co-defendant of soliciting investments for the purchase of about 4,000 ATMs, promising that the machines would generate fees from cash withdrawals. In fact, about 3,600 of the ATMs did not exist or were never owned by the suspects, and the men used proceeds to enrich themselves and further their scheme, prosecutors said. Source: http://www.reuters.com/article/idUSTRE69H5AD20101018

For another story, see item 53 below in Information Technology

Information Technology

52. October 20, Softpedia – (International) Fake Firefox and Chrome warning pages distribute malware. Security researchers warn a new malware distribution campaign uses fake versions of the malicious site warnings commonly displayed by Firefox and Google Chrome. Both Chrome and Firefox tap into Google’s Safe Browsing service to check if the accessed URLs are known attack sites. Security researchers from F-Secure now warn malware pushers are increasingly abusing the trust users associate with these warnings to infect them. Malicious Web sites that mimic both Firefox’s “Reported Attack Page” alert, as well as Chrome’s “this site may harm your computer” warning, have been spotted. The pages look exactly the same as the real thing, except for a button that reads “Download Updates,” suggesting that security patches are available for the browsers. The executable files served when these buttons are pressed install rogue antivirus programs, which try to scare users into paying a license fee. However, the users who land on these latest sites discovered by F-Secure are also exposed to drive-by downloads via a hidden IFrame, which loads the Phoenix exploit kit. Source: http://news.softpedia.com/news/Fake-Firefox-and-Chrome-Warning-Pages-Distribute-Malware-162022.shtml

53. October 20, Trusteer – (International) Trusteer reports hackers improve Zeus Trojan to retain leadership in crimeware race. Trusteer reported October 20 it has captured and analyzed a new version (2.1) of the Zeus financial malware. New capabilities include: URL matching based on a full implementation of the Perl Compatible Regular Expressions (PCRE) library, which allows much more flexibility for Zeus’s configuration to define targets. The injection mechanism now uses sophisticated regular expressions based on PCRE as well, which helps avoid detection. Zeus now has a fine-grained “grabbing” mechanism, again based on PCRE, which can extract very specific areas of the page (e.g. the account balance) and report them to the Command & Control (C&C) host. As other researchers have already pointed out, Zeus 2.1 completely changed the way it communicates with its C&C servers: it uses a daily list of hundreds of C&C hostnames, through which it cycles trying to find a live one, which is a considerable improvement over the previous scheme. Zeus has added a 1024-bit RSA public key, which will probably be used for one-way encryption of data and for authenticating the C&C server to Zeus clients. Source: http://www.trusteer.com/company/press/trusteer-reports-hackers-improve-zeus-trojan-retain-leadership-crimeware-race

54. October 20, CNET News – (International) China pledges to crack down on pirated software. The Chinese government is starting a new campaign against the production and distribution of counterfeit and pirated software and DVDs, according to the country’s official news service. Citing comments made at a state council meeting over which the Chinese premier presided, the Xinhua News Agency reported the week of October 18 that the goal is to clamp down on both the import and export of phony software, DVDs, publications, and other products that violate trademarks and patents. Scheduled to start at the end of October, the campaign will run for 6 months and will also target Internet piracy and fake goods sold online. The news report said the government would “mete out stern punishment to businesses involved in the import and export of such goods.” To launch the new initiative, Chinese government agencies have been ordered to use only authorized software, said Xinhua. Source: http://news.cnet.com/8301-1023_3-20020138-93.html

55. October 20, Softpedia – (International) Fake Battle.net emails direct gamers to phishing site. Security researchers from McAfee warn that gamers are targeted in new Battle.net and World of Warcraft phishing campaigns, which produce very convincing e-mails purporting to come from Blizzard. The attack comes in the form of fake e-mail address change notifications, which attempt to scare users into logging in on a fake Battle.net site. The messages come with a subject of “New Request Notification - Change the Login Address.” Clicking on the link takes users to a fake Battle.net log-in page, hosted on a domain that is not associated with Blizzard Entertainment. Source: http://news.softpedia.com/news/Fake-Battle-net-Emails-Direct-Gamers-to-Phishing-Site-161987.shtml

56. October 19, Softpedia – (International) Phishers target Xbox players via fake Gamertag changer. Security researchers from Sunbelt warn that phishers are trying to steal Live IDs from Xbox users, through a fake program which promises a free Gamertag change. According to a senior threat researcher at Sunbelt (now part of GFI Software), there is a program called “Gamertag Changer” going around that does nothing more than steal Windows Live credentials from Xbox gamers. The application claims that it will file numerous complaints regarding the user’s Gamertag in order to trigger an automatic change from the system. Users who fall for the trick and input their credentials will see a message asking them to leave the application open for at least 2 minutes and then try to re-login on Xbox LIVE. Meanwhile in the background, the program sends the captured Gamertag, Live ID, and password to an e-mail address controlled by the phisher. Source: http://news.softpedia.com/news/Phishers-Target-Xbox-Players-via-Fake-Gamertag-Changer-161812.shtml

57. October 19, Computerworld – (International) Mozilla quashes 12 Firefox bugs. Mozilla patched 12 vulnerabilities in Firefox, including a second patch for a “binary planting” problem in Windows that researchers publicized last year. Two-thirds of the vulnerabilities patched October 19 were rated “critical.” Of the remaining vulnerabilities, two were labeled “high” and one each was judged “moderate” and “low.” Some have dubbed the “binary planting” problem “DLL load hijacking.” The flaw exists in Windows applications that do not call DLLs (dynamic link libraries) or executable files using a full path name; instead, they rely on the filename alone. The latter can be exploited by attackers, who can trick the program into loading a malicious file with the same name as a required DLL or executable. Source: http://www.computerworld.com/s/article/9191958/Mozilla_quashes_12_Firefox_bugs
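The DLL load hijacking pattern described in item 57 leaves a visible trace on the defender’s side: the loader resolves a library by bare name and either picks it up from a directory other than the application’s own folder or the Windows system directories, or probes such a directory and finds nothing (which is exactly where a planted file would be picked up). The following Python script, added here as an example and not part of the report or of Mozilla’s code, applies that audit to a few constructed load-event log lines. The `timestamp | process | image directory | resolved DLL path | result` layout is assumed for this example only and is not the format of any real process-monitoring tool; the trusted directory list is likewise an assumption that a real deployment would tune.

```python
"""Audit DLL load events for search-order (binary planting) exposure.

Two checks, both from the defender's side:
  * a .dll that loaded successfully from a directory that is neither the
    application's own directory nor a Windows system directory;
  * a .dll the loader probed for in such a directory and did not find,
    i.e. a location where a planted file with that name would be loaded.
The log format and the sample lines are constructed for this example.
"""
import ntpath
from typing import List, NamedTuple, Tuple


class DllLoad(NamedTuple):
    ts: str
    process: str
    image_dir: str   # directory the executable itself lives in
    dll_path: str    # path the loader actually tried
    result: str      # "SUCCESS" or "NAME NOT FOUND"


# Constructed sample log: fields separated by " | ".
SAMPLE_LOG = """\
2010-10-19 10:02:11 | viewer.exe | C:\\Program Files\\Viewer | C:\\Windows\\System32\\kernel32.dll | SUCCESS
2010-10-19 10:02:11 | viewer.exe | C:\\Program Files\\Viewer | C:\\Program Files\\Viewer\\render.dll | SUCCESS
2010-10-19 10:02:12 | viewer.exe | C:\\Program Files\\Viewer | C:\\Users\\alice\\Downloads\\dwmapi.dll | SUCCESS
2010-10-19 10:02:12 | viewer.exe | C:\\Program Files\\Viewer | C:\\Users\\alice\\Downloads\\missing.dll | NAME NOT FOUND
"""

# Assumed trusted roots (lower-case, as produced by ntpath.normcase).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows")


def parse_line(line: str) -> DllLoad:
    """Split one constructed log line into its fields."""
    ts, process, image_dir, dll_path, result = (f.strip() for f in line.split(" | "))
    return DllLoad(ts, process, image_dir, dll_path, result)


def is_trusted_dir(directory: str) -> bool:
    """True if the directory is one of the trusted roots or lies beneath one."""
    d = ntpath.normcase(directory).rstrip("\\")
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DIRS)


def _events(log_text: str):
    for raw in log_text.splitlines():
        if raw.strip():
            yield parse_line(raw)


def _outside_expected(ev: DllLoad) -> bool:
    """Load location is neither the app's own directory nor a trusted root."""
    load_dir = ntpath.dirname(ev.dll_path)
    if ntpath.normcase(load_dir) == ntpath.normcase(ev.image_dir):
        return False
    return not is_trusted_dir(load_dir)


def find_suspicious_loads(log_text: str) -> List[DllLoad]:
    """DLLs that actually loaded from an unexpected directory."""
    return [ev for ev in _events(log_text)
            if ev.result == "SUCCESS"
            and ev.dll_path.lower().endswith(".dll")
            and _outside_expected(ev)]


def find_untrusted_probes(log_text: str) -> List[Tuple[str, str, str]]:
    """(process, dll name, directory) for failed lookups in unexpected directories."""
    return [(ev.process, ntpath.basename(ev.dll_path), ntpath.dirname(ev.dll_path))
            for ev in _events(log_text)
            if ev.result == "NAME NOT FOUND" and _outside_expected(ev)]


if __name__ == "__main__":
    for ev in find_suspicious_loads(SAMPLE_LOG):
        print(f"LOADED from unexpected dir: {ev.process} <- {ev.dll_path}")
    for process, name, directory in find_untrusted_probes(SAMPLE_LOG):
        print(f"PROBED (planting opportunity): {process} looked for {name} in {directory}")
```

The first check finds a library that was already loaded from a user-writable directory; the second lists the bare-name lookups an application made in such directories, which is the list of file names and locations to fix in the application (load by full path) or to watch for on disk.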

58. October 19, The H Security – (International) Trojan trouble at Lenovo. Lenovo’s Web site for service and support-related training is infected and is spreading the hackload.AD trojan. Although Lenovo was informed of the issue October 18, the vendor appears to have difficulties with solving the problem or even officially warning its users. At least the page has now been marked as dangerous in Google’s Safe Browsing API, which allows browsers such as Firefox or Chrome to block the page. The virus scanners by ESET, Kaspersky, and Avast all reportedly now detect the attack and prevent an infection from the site. First analyses have shown that the trojan is retrieved from an external server via a link to some JavaScript code in the Lenovo page. However, it remains unclear whether the link, which leads to a marketing firm, was injected by criminals in order to act as a retrieval mechanism for the malicious code. The code for loading the trojan uses a multi-stage approach and tries to obscure the actual origin of the malware. Source: http://www.h-online.com/security/news/item/Trojan-trouble-at-Lenovo-1110581.html

59. October 19, The H Security – (International) Root privileges through vulnerability in GNU C loader. A vulnerability in the library loader of the GNU C library can be exploited to obtain root privileges under Linux and other systems. Attackers could exploit the hole, for instance, to gain full control of a system by escalating their privileges after breaking into a Web server with restricted access rights. Various distributors are already working on updates. The loading of dynamically linked libraries when starting applications with Set User ID (SUID) privileges has always been a potential security issue. The new problem is rooted in the way in which the loader expands the $ORIGIN variable submitted by the application. While the researcher who discovered the hole said that the ELF specification recommends that the loader ignore $ORIGIN with SUID and SGID binaries, it appears that the glibc developers have not implemented this recommendation. Using various tricks involving hard links, redirected file descriptors, and environment variables, the researcher managed to exploit the vulnerability and open a shell at root privilege level. According to the researcher’s tests, at least glibc versions 2.12.1 under Fedora 13, and 2.5 under Red Hat Enterprise Linux 5, are vulnerable. Source: http://www.h-online.com/security/news/item/Root-privileges-through-vulnerability-in-GNU-C-loader-1110182.html
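Until the distribution updates mentioned in item 59 arrive, an administrator can at least inventory the condition the item describes: set-UID or set-GID executables whose dynamic section carries an RPATH or RUNPATH that references $ORIGIN. The Python script below is an added example, not code from The H or from the glibc project. It walks a set of directories for set-ID files and parses the output of `readelf -d` (binutils) for `$ORIGIN` entries; the `readelf` output embedded in the block is constructed sample text for the parser, and the directory roots passed in are an assumption for a typical Linux layout.

```python
"""Inventory set-UID/set-GID executables whose RPATH/RUNPATH uses $ORIGIN.

The parser reads the text that `readelf -d <file>` prints for the dynamic
section, e.g.
  0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib]
The SAMPLE_READELF text is constructed for this example.
"""
import os
import re
import stat
import subprocess
from typing import Dict, Iterable, List, Tuple

# readelf prints "(RPATH) Library rpath: [...]" or "(RUNPATH) Library runpath: [...]".
_RPATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s*\[(.*)\]")

# Constructed sample of `readelf -d` output for one binary.
SAMPLE_READELF = """\
Dynamic section at offset 0x2d98 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib:/usr/local/lib]
 0x000000000000000c (INIT)               0x1000
"""

# Constructed sample with an ordinary, absolute RPATH and no $ORIGIN.
SAMPLE_READELF_CLEAN = """\
Dynamic section at offset 0x2d98 contains 26 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000f (RPATH)              Library rpath: [/opt/tool/lib]
"""


def origin_entries(readelf_output: str) -> List[Tuple[str, str]]:
    """Return (tag, search-path entry) pairs that contain $ORIGIN."""
    found = []
    for match in _RPATH_RE.finditer(readelf_output):
        tag, search_path = match.group(1), match.group(2)
        for entry in search_path.split(":"):
            if "$ORIGIN" in entry or "${ORIGIN}" in entry:
                found.append((tag, entry))
    return found


def is_setid(path: str) -> bool:
    """True if the set-UID or set-GID bit is set on the file."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def find_setid_executables(roots: Iterable[str]) -> List[str]:
    """Regular files under the given roots with a set-ID bit (symlinks skipped)."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    if os.path.isfile(path) and not os.path.islink(path) and is_setid(path):
                        hits.append(path)
                except OSError:
                    continue  # unreadable or vanished entry; skip it
    return hits


def audit(roots: Iterable[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each set-ID executable that references $ORIGIN to its offending entries."""
    report = {}
    for exe in find_setid_executables(roots):
        proc = subprocess.run(["readelf", "-d", exe], capture_output=True,
                              text=True, check=False)
        entries = origin_entries(proc.stdout)  # non-ELF files yield no matches
        if entries:
            report[exe] = entries
    return report


if __name__ == "__main__":
    # Assumed roots for a typical Linux system; adjust for the host being audited.
    for exe, entries in audit(["/usr/bin", "/usr/sbin", "/usr/libexec"]).items():
        for tag, entry in entries:
            print(f"{exe}: {tag} contains {entry}")
```

A hit does not by itself prove the binary is exploitable, but it identifies exactly the combination the item describes (a set-ID program whose loader search path is expanded from $ORIGIN), which is the list to prioritise for the vendor update or for removing the set-ID bit.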

For another story, see item 62 below in the Communications Sector

Communications Sector

60. October 19, Bloomberg – (National) U.S. lawmakers request FCC to review China’s Huawei, ZTE. U.S. lawmakers asked the Federal Communications Commission (FCC) to review the security risks of domestic companies ordering network equipment from China’s Huawei Technologies Co. and ZTE Corp. The Chinese companies are in “active” discussions to supply at least two U.S. companies, Sprint Nextel Corp. and Cricket Communications Inc., an Arizona Senator wrote in a letter co-signed by three other lawmakers October 18. It is at least the second time in 2 months that U.S. lawmakers have prodded the Presidential administration to review the risks of buying Chinese telecommunications equipment. Eight U.S. lawmakers August 18 warned that a Sprint contract with Huawei would “undermine U.S. national security.” In September, the Chinese equipment maker said it hired a U.S. company to audit its programs and allay security concerns as it seeks greater market access. The latest letter to the FCC “unfairly characterizes ZTE,” the president of ZTE Solutions in the United States said in an e-mail October 19. Source: http://www.bloomberg.com/news/2010-10-20/u-s-lawmakers-request-fcc-to-review-china-s-huawei-zte-on-security-risks.html

61. October 19, The Hill – (National) FCC workshop will address critical cybersecurity threats. The Federal Communications Commission (FCC) will hold a workshop November 5 to discuss the most critical cyber threats to the communications grid. The National Broadband Plan tasked the FCC with developing a Cybersecurity Roadmap that identifies and addresses the five most critical cyber threats to the communications infrastructure and its users. Participants in the workshop will provide input on what should be included in the roadmap and how those threats can be mitigated. The commission’s workshop is open to the public, but seating is limited and the deadline to register is November 3. The event will also be broadcast live over the Web. Source: http://thehill.com/blogs/hillicon-valley/technology/124867-fcc-workshop-will-address-critical-cybersecurity-threats

62. October 19, CKWX Vancouver – (International) Privacy Commissioner wants Google to delete data. Google may have picked up personal information through Wi-Fi while it created Street View. Now, Canada’s Privacy Commissioner is demanding that the data be deleted. A UBC Internet and privacy expert said if one’s Wi-Fi is unsecured, Google’s Street View camera cars may have picked up things a person would not want the company to see. Blame a glitch in the imaging software. The data included complete e-mails, addresses, user names, passwords, names and residential phone numbers, et cetera. The privacy commissioner called it a careless error that likely affected thousands of Canadians, and said the company should have addressed privacy concerns before developing Street View. She added that if the data cannot be deleted right away, it should be secured with restricted access. Source: http://www.news1130.com/news/local/article/117075--privacy-commissioner-wants-google-to-delete-data

63. October 19, FierceTelecom – (International) BT strikes back at copper theft. Anyone who thinks of stealing copper from BT’s network should think twice. While many U.S.-based service providers have posted rewards for information that leads to arrests of copper thieves, the United Kingdom-headquartered BT has taken an even more extreme action by placing “smartwater” bombs that spray not only the culprits, but also the copper itself. This SmartWater liquid carries a DNA fingerprint that links the thief to the crime scene, and makes stains on the thief that can be detected by police carrying ultra-violet light detectors. What has contributed to the increase in copper theft in recent years is the rising price of copper. “There’s a direct correlation between the price of copper and the level of theft,” said the head of security for BT Openreach. Copper theft is not just a U.K. problem, however. AT&T and Frontier have in the past year reported various incidents of copper theft that also caused outages on their respective networks. Source: http://www.fiercetelecom.com/story/bt-strikes-back-copper-theft/2010-10-19

64. October 18, Nextgov – (National) Researcher reveals GPS vulnerabilities. GPS timing signals that control base stations in some cellular networks, and other gadgets the size of small refrigerators that power the smart electric grid, can fall prey to sophisticated spoofing attacks, according to a University of Texas researcher. He said he successfully spoofed a type of laboratory time reference receiver used in code division multiple access networks, the technology Sprint and Verizon use that relies on GPS time, with a transmitter he built for about $1,000. He said the spoof, which took about 1 hour, literally dragged the time of the reference receiver backward, inducing a 10-microsecond delay in an hour that could incapacitate the base stations. He also spoofed a type of timing receiver that provides precise signals to synchrophasors, which measure voltages and currents at diverse locations on a power grid so operators can assess the state of the electrical system. The North American SynchroPhasor Initiative, a partnership of the Energy Department and the North American Electric Reliability Corp., plans to install synchrophasors in power systems nationwide to help manage the smart grid; in turn the grid will use communications systems to manage distribution of power from generator to home or office. A spoofing attack against synchrophasors today would not bring down the power system, but “it would make the smart grid less smart,” the researcher said. Attacks against multiple cellular base stations in any city could shut down the network, he added. Source: http://www.nextgov.com/nextgov/ng_20101018_4273.php?oref=topnews

65. October 14, FierceWireless – (National) The Android IM app that brought T-Mobile’s network to its knees. According to T-Mobile’s filings with the Federal Communications Commission (FCC), close to 1 year ago an Android-based instant messaging application “caused an overload of T-Mobile’s facilities for an entire city,” the director of T-Mobile’s national planning and performance engineering wrote in a statement filed with the FCC in January 2010. “T-Mobile network service was temporarily degraded recently when an independent application developer released an Android-based instant messaging application that was designed to refresh its network connection with substantial frequency,” the director wrote in the filing. “One study showed that network utilization of one device increased by 1,200 percent from this one application alone. These signaling problems not only caused network overload problems that affected all T-Mobile broadband users in the area; it also ended up forcing T-Mobile’s UMTS radio vendors to re-evaluate the architecture of their Radio Network Controllers to address this never-before-seen signaling issue. Ultimately, this was solved in the short term by reaching out to the developer directly to work out a means of better coding the application.” Source: http://www.fiercewireless.com/story/android-im-app-brought-t-mobiles-network-its-knees/2010-10-14
